
Why Server-side Analytics is Essential for Healthcare

New guidance issued in December by the Office of Civil Rights for HHS has upended analytics and tracking for most healthcare organizations. Across the country, marketing teams and their compliance partners realized that some of the client-side, third-party tracking that underpinned their analytics and powered their advertising was likely a HIPAA violation.

For many in healthcare, this is a first exposure to the concepts of “client-side” and “server-side” tracking – and perhaps a dawning realization that client-side, third-party tracking is deeply problematic for healthcare.  Others may be familiar with the concepts but perhaps not fully understand the distinction.

Among many implications of the new guidance from HHS on the use of digital tracking technologies in healthcare is that a server-side analytics solution (aka server-side tracking) has become a necessity for healthcare. In this post, we’ll look at server-side tracking, how it works and why it’s become so important for healthcare organizations.

How Client-side Analytics Works

Until recently, the “default” implementation method for analytics solutions and digital tracking technologies relied on the user’s device (the “client” in client-side analytics) to facilitate data collection. At a conceptual level, client-side tracking works as follows:

  1. JavaScript Tracking Code: Websites or applications embed JavaScript tracking code (also known as “tags”) within their pages. When a user visits a site, these elements execute in the user’s browser, depositing a “cookie” – a small data record that the browser stores on the user’s device.
  2. Data Collection on the User’s Device: The script or tag collects data directly on the user’s device, capturing information such as the IP address, page views, clicks, interactions, conversions and sometimes even form-fill data. In addition to core analytics (such as Google), a typical website may include dozens or even hundreds of tracking tags – each belonging to a different third-party marketing or advertising partner.
  3. Data Collected Determined by Third Parties: The specific information collected by each script or tag is determined and controlled by the corresponding third party.
  4. Data Sent directly to Third-party Analytics and Advertising Partners: Data collected via client-side scripts and tags is transmitted directly to third-party partners, where it typically is aggregated with other performance data and, in many instances, with data already collected about that specific user by that third party.

The advantage of client-side tracking for site owners and their marketing teams has been three-fold:

  • In most instances, implementation was relatively easy – simply drop the relevant tag or script on your site and data collection would begin (acknowledging the over-simplification here).
  • Most of the “heavy lifting” in terms of data collection, aggregation, analysis and application was done by these third parties, enabling basic (and sometimes advanced) audience targeting, remarketing, campaign optimization and performance reporting to be delivered by analytics and advertising platform providers on a fairly turnkey basis to their users.
  • Rich Contextual Data: Client-side tracking provides direct access to user-specific data that are instrumental in personalizing experiences and analyzing marketing campaigns.

Why Third-Party, Client-side Analytics is a Problem for Healthcare

The rise of increasingly stringent privacy regulations and proliferation of cookie-blocking technologies already were making client-side analytics much less reliable and accurate when, in December of 2022, the Office of Civil Rights at HHS issued a bulletin providing new “guidance” regarding the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates”.

Among the many significant directives included in the bulletin are two that have major implications for the viability of client-side tracking in healthcare:

  • Because of the potential to identify an individual website visitor, collection of IP address is now considered to be Protected Health Information (PHI).
  • Tracking user visits to web pages that pertain to symptoms, treatments, care providers or appointment options is now considered to be PHI – even if a user does not have an existing relationship with the covered entity and is not logged in to an account.

Client-side tracking scripts and pixels generally collect IP address and URL information by default. Because a client-side implementation includes direct transmission of the collected data to a third party, such implementations do not allow healthcare organizations to alter or suppress the data collected or shared.

In effect, the new HHS guidance rendered most client-side tracking technologies non-compliant with HIPAA. Dozens of class-action lawsuits were filed against healthcare organizations using these technologies (with new ones still being filed weekly). In light of these circumstances, many healthcare organizations removed all client-side tracking technologies, some removed only the tracking perceived to pose the greatest risk (e.g. the Meta pixel), and some maintained the status quo – but nearly all are in search of a new, HIPAA-compliant data solution for analytics and advertising tracking.

How Server-Side Analytics Works

Server-side tracking changes the data collection paradigm at an architectural level, giving the organizations that use it much more control in the process. While third-party, client-side tracking relies on scripts or tags executed in the user’s browser and sends that data directly to external parties, server-side tracking instead collects and processes data on a server controlled by the enterprise, offering centralized governance before any data is dispatched to analytics and advertising platforms. Server-side tracking can be used in conjunction with first-party, client-side tracking, but that’s a level of complexity we’ll save for our next post.

Here’s a conceptual overview of how server-side tracking typically is employed:

  1. Data Collection on the Server: In a server-side tracking implementation, data is sent to a server (either local or cloud) designated by the enterprise and not directly to third parties.
  2. Data Sharing via API: Server-side data sharing occurs via direct API connection between the enterprise server and a third-party destination. Data sharing via API gives a healthcare organization the ability to control what is shared with whom – essential for HIPAA compliance.
  3. Data Hubs: Sharing data via API typically involves use of a Data Hub – a central system that collects all data and handles routing to other systems and platforms. In a healthcare context, a data hub also may be employed in advanced implementations to process, cleanse and de-identify data before sending via API to partner organizations. Of course, in healthcare it is critical that the data hub employed be HIPAA compliant. (We’ll cover all of this in greater detail in our next post.)

Server-side tracking architecture provides healthcare organizations with three options not available via client-side tracking that are critically important when considering HIPAA-compliant data collection:

  1. On-premise Analytics: Some healthcare organizations may elect to implement local (aka “on-premise”) analytics solutions. Because data is not shared with any third party, this form of data collection is generally understood to be HIPAA-compliant.
  2. Share Only Under BAA: Some organizations may elect to share data only with partners who also sign a Business Associates Agreement (“BAA”), an agreement that binds the partner organization to the same level of privacy protection and care required of Covered Entities. Critical to note here is that major platform providers (such as Google Analytics and Ads, META or Adobe Analytics) do not sign BAAs.
  3. De-identify, Cleanse and Selectively Share: In advanced implementations, healthcare organizations can cleanse, de-identify and exercise fine-grained control over exactly what data is shared with any third party. Using this method, an organization can ensure that only cleansed data (non-PHI) is shared with partners that have not signed BAAs, while retaining the ability to collect and utilize full data in a HIPAA-compliant manner. This approach enables healthcare organizations to maintain critical marketing and advertising activities that rely on partners that will not sign BAAs, while limiting data sharing to just the data required for campaign reporting and optimization and ensuring that no PHI is shared.
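The data-hub routing step described in the two lists above, as an added example that is not the post's own code and does not represent any vendor's product: the hub forwards the full event only to a partner that has signed a BAA, and forwards a cleansed, de-identified payload to everyone else. The event field names, the sensitive path prefixes and the partner names are assumptions made for the example.

```python
from copy import deepcopy

# Page-path prefixes that fall in the categories the HHS bulletin treats as PHI
# (symptoms, treatments, care providers, appointments). Constructed list.
SENSITIVE_PREFIXES = ("/symptoms/", "/treatments/", "/providers/", "/appointments/")

# Event fields that identify the visitor. IP address is PHI under the bulletin.
IDENTIFYING_FIELDS = frozenset({"ip", "user_id", "email", "form_data"})

# The only fields a partner without a BAA needs for campaign reporting.
SHAREABLE_FIELDS = frozenset({"event", "timestamp", "page", "utm_source", "utm_campaign"})

# Partners that have signed a Business Associate Agreement (constructed names).
BAA_PARTNERS = frozenset({"onprem-analytics"})

# Constructed sample event as a client-side tag would have sent it to the hub;
# 203.0.113.5 is a documentation (RFC 5737) address, not a real visitor.
SAMPLE_EVENT = {
    "event": "page_view",
    "ip": "203.0.113.5",
    "user_id": "u-42",
    "page": "/symptoms/chest-pain?ref=newsletter",
    "utm_source": "search",
    "utm_campaign": "spring",
    "form_data": {"name": "A. Patient"},
}


def is_sensitive_page(path: str) -> bool:
    """True if the path is in a category the bulletin treats as PHI."""
    return path.startswith(SENSITIVE_PREFIXES)


def deidentify(event: dict) -> dict:
    """Drop identifiers, strip query strings and collapse PHI-bearing URLs."""
    safe = {k: v for k, v in event.items()
            if k in SHAREABLE_FIELDS and k not in IDENTIFYING_FIELDS}
    if "page" in safe:
        page = safe["page"].split("?")[0]  # query strings may carry search terms
        # Keep that a page view happened, not which condition or provider.
        safe["page"] = "[sensitive-page-redacted]" if is_sensitive_page(page) else page
    return safe


def route(event: dict, partner: str) -> dict:
    """Build the payload the hub sends to one partner over its API."""
    if partner in BAA_PARTNERS:
        return deepcopy(event)  # full data, covered by the partner's BAA
    return deidentify(event)    # non-BAA partner receives cleansed data only


if __name__ == "__main__":
    print(route(SAMPLE_EVENT, "onprem-analytics"))
    print(route(SAMPLE_EVENT, "ad-platform"))
```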

Why Server-side Analytics for Healthcare?

We believe that server-side tracking is non-negotiable for healthcare organizations and rapidly becoming essential for enterprise players in every industry. The benefits are clear:

  1. Data Privacy and Compliance: In healthcare, data privacy is sacrosanct. Server-side analytics allows organizations to assert and retain control over PHI, reducing the risk of data breaches and ensuring compliance with regulations like HIPAA.
  2. Enhanced Control: This approach offers a more controlled and reliable data transmission process, minimizing disruptions caused by client-side issues like interrupted connections or ad blockers.
  3. Accuracy and Reliability: Server-side analytics, by capturing data at the source, minimizes potential discrepancies introduced by client-side processes.
  4. Reduced Impact on User Experience: Healthcare applications and websites must provide seamless experiences. Server-side analytics operates quietly in the background, reducing the impact on users, especially in critical moments of healthcare interaction.
  5. Optimized Application and Device Performance: By shifting the processing load away from the client’s device, server-side tracking enhances application speed and device performance, potentially boosting customer experience and conversion rates.
  6. Integration with Existing Systems: In healthcare, interoperability is a major challenge. Server-side analytics can be seamlessly integrated with existing healthcare systems, making it easier to consolidate data from multiple sources. This integration enhances the overall efficiency of healthcare operations.

This isn’t to say that all client-side tracking should be abandoned. We encourage our clients (and all enterprises) to thoughtfully employ client-side tracking to collect first-party data – but not without the controls afforded by server-side architecture. We’ll cover this and much more in our next post – a deep-dive into the essential elements and deployment options for server-side tracking in healthcare.

In the meantime, please don’t hesitate to get in touch with any questions or points of clarification.
