HHS Issues Updated Warning About Web Trackers in Health Marketing

  • The Department of Health and Human Services has issued a new bulletin about the use of web trackers in health marketing
  • The new document is primarily a reminder for health brands to stay compliant, but does contain some new guidance
  • Compliance with patient privacy laws and HIPAA regulations is crucial for healthcare providers engaging in digital marketing
  • There are options available for health brands to still utilize powerful marketing tools without compromising patient privacy

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) issued another clarification about what health companies can and cannot do in their digital marketing efforts. While the lengthy bulletin mostly serves to reiterate pre-existing OCR policy on the matter, it does contain some interesting new tweaks.

Most in healthcare and health marketing are aware that, in recent years, the federal government has put additional emphasis on the nexus of medical information and digital tracking tools. Last year’s spate of fines against digital health companies followed good independent reporting, repeated government warnings, and a number of class-action lawsuits.

At issue is the risk that tracking tools—like Facebook pixels—pose to patient data privacy. While commonplace across most digital marketing in almost every other industry, these technologies collect and compile information about users that can comprise protected health information (PHI) and individually-identifiable health information (IIHI). Because most health companies are considered “covered entities” under HIPAA, undisclosed transmission of this PHI and IIHI from the health company’s site to a tech platform like Meta Ads or Google Analytics would then constitute a HIPAA violation. 

OCR frames its newest bulletin as a “reminder that it is critical for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.” 

The sole major change that comes with this new document from OCR is a subtle one that, despite its intention to clarify a point, might actually make things more confusing. Trackers on health-related websites can be problematic in part because they combine a user’s IP address with information that may pertain to their health history—for instance, a Facebook pixel could transmit back to Meta that a certain person was researching certain medical treatment options, thus divulging that the user may have that condition. That would be a violation.

But not all of the content on a health company’s site is necessarily related to the administration of care. Were a user looking at a hospital website simply to learn about its visiting hours (perhaps they have a family member in that hospital), that would not constitute PHI. OCR’s new guidance states that such informational pages are not subject to these tracking restrictions, although it seems like it would be very difficult to parse this level of intent on a case-by-case basis were a health system to be targeted with penalties.

The best course of action here is to ensure that any basic information not related to treatment be siloed from areas of the site where a user’s mere visitation could be considered PHI.
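One concrete way to enforce the siloing described above, and to keep the pixel-style disclosure from the earlier paragraph off care-related pages, is to gate the tag loader itself on the page path rather than trusting each template to include or omit the tag. The snippet below is an added illustration, not code from the page, from OCR, or from any vendor; the path prefixes, the `TAG_SCRIPT_URL` placeholder, and the `loadTrackers` / `trackerPolicy` names are all assumptions for the example. The policy fails closed: a path that is neither on the informational allowlist nor on the restricted list gets no tracker, and query strings and fragments are ignored because they can carry appointment or search details.

```javascript
// Added example: load third-party tracking tags only on informational sections of a
// health site (visiting hours, directions) and never on pages whose mere visit could
// reveal a condition or treatment. All prefixes below are illustrative assumptions.

// Pages OCR's guidance treats as informational (assumed list).
const INFORMATIONAL_PREFIXES = ["/visiting-hours", "/directions", "/careers", "/about"];

// Pages where a visit alone could be PHI (assumed list). Checked first and always wins.
const RESTRICTED_PREFIXES = ["/conditions", "/treatments", "/patient-portal", "/appointments"];

// Placeholder for the vendor tag script; not a real URL.
const TAG_SCRIPT_URL = "https://TAG-VENDOR-PLACEHOLDER.invalid/tag.js";

// Reduce a relative or absolute URL to a lowercase path with no query string,
// fragment or trailing slash, so that "/Visiting-Hours/?ref=x" and
// "/visiting-hours" are treated the same way.
function normalizePath(url) {
  const path = new URL(url, "https://placeholder.invalid").pathname.toLowerCase();
  return path.length > 1 ? path.replace(/\/+$/, "") : path;
}

// True when the path is the prefix itself or a descendant of it.
// "/conditions-faq" deliberately does NOT match "/conditions".
function matchesPrefix(path, prefixes) {
  return prefixes.some((p) => path === p || path.startsWith(p + "/"));
}

// Decide whether tags may load for this URL: "allow" or "deny".
// Restricted sections are denied first; anything not explicitly informational
// is denied as well (fail closed).
function trackerPolicy(url) {
  const path = normalizePath(url);
  if (matchesPrefix(path, RESTRICTED_PREFIXES)) return "deny";
  if (matchesPrefix(path, INFORMATIONAL_PREFIXES)) return "allow";
  return "deny";
}

// Run the injector only when policy allows. The injector is passed in so the
// decision can be tested without a DOM. Returns whether tags were loaded.
function loadTrackers(url, inject) {
  if (trackerPolicy(url) !== "allow") return false;
  inject();
  return true;
}

// Browser hook: guarded so the file also runs under Node for the checks below.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  loadTrackers(window.location.href, () => {
    const s = document.createElement("script");
    s.src = TAG_SCRIPT_URL; // placeholder, replace with the real vendor tag
    s.async = true;
    document.head.appendChild(s);
  });
}
```

Note that the allowlist is the only thing that switches tracking on; adding a new care-related section to the site therefore cannot accidentally enable a tag, which is the property the siloing advice depends on.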

While this new bulletin does not represent a substantial change in HHS policy, it should serve as a key reminder for health companies that this scrutiny is not going away. The timing of this reminder, as law firm Foley & Lardner points out, is nearly defiant: HHS is still facing a lawsuit from the American Hospital Association. The AHA argues that, in its initial statement on the subject from 2022, HHS overstepped its bounds by defining PHI in a broad new way without warning. The suit claims that action put health providers in a difficult legal position. 

Compliance is paramount, and HHS is not taking its eye off the ball. Any healthcare provider engaged in digital marketing should take a thorough accounting of its current practices and build an actionable framework to ensure that it is safeguarding PHI with respect to patient privacy and the law. To stay compliant, health brands should also seek solutions that safeguard against PHI transmission, like a HIPAA-compliant customer data platform. 

If you’re interested in learning more about how you can continue running a successful digital marketing program without running afoul of patient privacy laws, it also helps to work with an agency like ADM, which has specialized expertise in this complicated space and continually stays abreast of the latest policy changes and technological solutions.