Blast Analytics and Marketing
Category: User Privacy

Optimizing and Personalizing Healthcare Analytics for HIPAA Compliance

August 13, 2020

In this post, I’ll be reviewing the Health Insurance Portability and Accountability Act (HIPAA) and how organizations can run effective optimization and personalization programs while navigating HIPAA compliance and its associated risks. Our previous two HIPAA-focused posts covered HIPAA and its impact on healthcare analytics, and how to evaluate risk and remove Protected Health Information (PHI) from your digital analytics tools. If you haven’t yet read them, I recommend starting there, as this post builds on the knowledge and recommendations previously shared.

The prior posts highlight how common digital analytics tools such as Adobe Analytics and Google Analytics are not, by default, HIPAA-compliant. This is true also for common optimization tools, such as Adobe Target, Optimizely, and Google Optimize. If you run, or are looking to run, an optimization and personalization program on a healthcare provider’s website or app, you need to be careful to ensure your program does not put your HIPAA compliance at risk.

Common Optimization Tools and HIPAA

Our previous posts covered the data points regulated by HIPAA that digital analytics tools are most likely to capture. As a reminder, those data points are:

  • Geographic data (specifically, location data about the user that is more granular than state)
  • Email addresses
  • Account numbers
  • Web URLs (specifically those that contain information about a medical condition or other PHI data)
  • Device identifiers and serial numbers
  • Internet protocol addresses (IP Addresses)

We discussed these in the context of digital analytics tools, but these data points are equally relevant to optimization tools such as Adobe Target, Optimizely, and Google Optimize. These tools make use of these data points in much the same way as digital analytics tools. Therefore, it’s important to consider how to adjust your optimization tool’s setup to handle the data in a HIPAA-compliant way.

A number of these data points are likely captured by your optimization tool by default. Like many digital analytics tools, optimization tools are frequently loaded client-side (i.e., you install a third-party JavaScript snippet on your site that loads your optimization tool on each page a visitor views). During this process, the visitor’s IP address is inherently transmitted to the vendor, and other data points are captured and shared with the tool. Most optimization tools offer IP anonymization, but it’s important to note that the anonymization happens after the IP address has already been sent to the optimization tool’s servers. It’s also important to review this feature within your organization to determine whether the HIPAA risk associated with that approach is acceptable.

For other data points captured, such as a user’s geographic location more specific than their state, most client-side tools won’t have a built-in feature to control this type of data capture in the way they allow IP anonymization. We cover a couple of routes to HIPAA compliance for data points such as these in the rest of the post.

Choosing the Best Route to Compliance

We recommend two possible approaches to achieving HIPAA compliance for your optimization tool of choice. Which route you choose will depend on a few factors, including:

  • The types of tests and personalization campaigns you run
  • How much technical support you have available
  • Budget available for compliance-related updates

Your responses to these items will help define which of the following two approaches we recommend:

  • Utilizing a data storage option, such as Tealium Private Cloud
  • Implementing your optimization tool server-side and ensuring you do not capture any PHI (the Safe Harbor de-identification method)

While both approaches will enable your testing program to achieve HIPAA compliance, it’s important to think through which approach best fits your organization. We’ll walk through these considerations in the following sections.

Personalization in the Healthcare Industry

Before jumping into how to achieve HIPAA compliance for your optimization tool, it’s worth pausing to consider personalization. As the following sections show, how much personalization you are doing on your sites and applications (or plan to do) plays a big role in how you will tackle HIPAA compliance.

Even if you’re not actively pursuing a personalization strategy on your site now, it’s worth considering it for the future. Tech-savvy users are increasingly expecting personalized experiences across digital media, and that expectation will expand to their healthcare providers. By implementing personalization on your sites, you can start to explore personalized onsite experiences such as:

  • Updating site copy and calls-to-action (CTAs) to encourage users to take desired actions. For example, creating accounts if they’ve never created one before, booking in-person/video appointments online if they’re known to be patients and have never booked online before, re-ordering prescriptions when it’s expected that their previous prescription is low, etc.
  • Tying onsite interactions to follow up email marketing. For example: if a user starts trying to schedule an appointment online, but does not complete the appointment setup, automatically send them an email recommending options to finalize their appointment.
  • “Closing the loop” for users who’ve received email marketing campaigns. For example, if users are in the audience that received an email campaign with a specific goal in mind (e.g., review your latest test results online), then update the site to recommend they complete this action whether or not they visit the site via an email link. Using the example of users who have test results to review, personalization lets you update site banners or other site copy to direct users to their test results whenever they next visit the site, even if they don’t click on the actual link they received in the email.
  • Rotating copy and content in primary communication spots on your site (for example, the homepage banner) based on what content users have interacted with in the past. Currently, a lot of sites give the primary communication spots to COVID-19 updates, such as details on symptoms or how to get tested. If a user has already clicked on this content before, there’s no need to promote it to them on every visit. You can personalize the user’s experience by rotating the communications you show them. For example, the next time they visit, highlight how to book a doctor’s appointment by video rather than COVID-19 information, thereby ensuring the user is consistently informed of all healthcare priorities and opportunities rather than just one.

There’s a wide range of personalization options for healthcare providers, and the above is only a small set of standard examples. If personalization isn’t something you are actively working on or considering yet, then as you read the rest of the post it’s worth considering: what data you have available about users, what audience segments it makes sense to bucket your users into based on user types and their expected onsite goals, and what the overall objectives for your site are. Considering these three areas is an excellent first step toward working out when, where, and for whom you may want to start delivering custom, personalized experiences on your sites.

PHI in Tests and Personalization Campaigns

Now, back to ensuring your testing and personalization program is HIPAA-compliant. First, we recommend reviewing the types of tests and personalization campaigns you run as part of your optimization and personalization program. During the review, you’re looking to understand how frequently you’re making use of data points that are regulated by HIPAA. For example:

  • Do you frequently build audiences for your A/B tests that make use of geographic locations more granular than state? Is it important for you to test or personalize at the city level?
  • Do you do one-to-one personalization where individual users see content unique to them, such as their first name in marketing copy?
  • Are you using a Customer Data Platform (CDP) to trigger email campaigns based on individual users’ site interactions?

You should also be considering how you hope to utilize user data to test and personalize the site for them in future. We’ve helped many clients uplevel their testing and personalization programs and know that, in general, as a client’s personalization efforts mature, it’s likely PHI data will be used in more advanced campaigns. If you’re unsure about when using PHI data in personalization campaigns may become more valuable to you, let us know and we’d be happy to review your testing and personalization program to help understand if, and when, this data will be desired.

If your answer to any of the previous questions is “yes,” if you use any of the data points we previously listed in your campaigns, or if you plan to use those data points in future campaigns, then we recommend using a data storage solution such as Tealium Private Cloud. We’ll review this option later in the post to explain its benefits.

If you don’t require PHI data for your campaigns now or in the future, Tealium Private Cloud is still recommended but not essential, so we’re more likely to recommend the second option above: controlling the PHI that reaches your optimization tool via a server-side implementation. We covered this approach in our previous posts, but we’ll review it again later with a focus on optimization tools.

We should also note that when and where data is considered PHI may vary from organization to organization, depending on the risk tolerance of each group’s legal team. In some organizations, data may not be considered PHI until you know that the user in question is a patient. If this is the viewpoint your organization takes, then you can run personalization campaigns on the non-authenticated part of your site without making changes to your marketing technology stack for HIPAA compliance, as no data captured on the non-authenticated site will be considered PHI. Data points would only become PHI once a user takes one of the following actions that indicate they are a patient: logging in, attempting to schedule an appointment, or running a site search. Again, your options here will all depend on your legal team’s interpretation of HIPAA and their risk assessment.

Technical Resource Availability and Budget

It’s important to keep practical considerations in mind when reviewing your HIPAA compliance options. If you don’t have the budget available for a powerful, compliant solution such as Tealium Private Cloud, you may be forced toward option two and the server-side setup approach.

By configuring a server-side setup for your optimization tool of choice, you can carefully manage what data gets sent to the tool. You’ll need to be diligent in the setup and ongoing maintenance of the configuration to ensure no PHI is collected. However, by going server-side you should be able to ensure that data containing PHI, such as granular geographic data and URLs, is not sent to your optimization tool. This method of de-identification (removal of PHI) is known as the Safe Harbor method and was covered in relation to digital analytics tools in our previous posts.

Server-side implementations of optimization tools are becoming more common and carry a number of benefits that go beyond achieving HIPAA compliance. However, configuring server-side setups is not simple and will require technical expertise. A tag management system (TMS) that can support server-side setups helps simplify the implementation process and ongoing management of a configuration such as this. We recommend Adobe Launch with Adobe Experience Platform, and Tealium iQ + EventStream.
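As an added example, not code from this post or from any of the tools it names, the snippet below shows what a server-side Safe Harbor filter of this kind does to one event before it is forwarded to an optimization tool: an allowlist of forwardable fields, geography truncated to state, query strings and fragments stripped from URLs, condition-related paths collapsed to their section, and a record of what was removed so the stripping can be monitored. Field names, path prefixes and the account-number pattern are assumptions for a hypothetical site.

```javascript
// Added example (not the post's or a vendor's code): a server-side Safe Harbor filter
// run on each event before it is forwarded; field names and paths are assumptions.

// Allowlist: only these top-level fields are ever forwarded.
const ALLOWED_FIELDS = ["eventName", "timestamp", "channel", "campaign", "interaction"];
// Assumed URL sections whose deeper paths reveal a condition or patient activity.
const SENSITIVE_SECTIONS = ["/conditions/", "/test-results/", "/appointments/"];
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const ACCOUNT_RE = /^[A-Z]{2,4}-?\d{6,}$/; // assumed account-number shape

function containsPhiText(value) {
  return typeof value === "string" && (EMAIL_RE.test(value) || ACCOUNT_RE.test(value));
}
// Drop query string and fragment (where emails, IDs and search terms end up) and
// collapse sensitive sections to their root so aggregate audiences still work.
function sanitizeUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return null; }
  const path = url.pathname.toLowerCase();
  const section = SENSITIVE_SECTIONS.find((s) => path.startsWith(s));
  return url.origin + (section || path);
}
// Safe Harbor allows nothing finer than state: city, ZIP and coordinates are removed.
function sanitizeGeo(geo) {
  if (!geo || typeof geo !== "object") return { geo: undefined, dropped: [] };
  const dropped = Object.keys(geo).filter((k) => k !== "country" && k !== "state");
  return { geo: { country: geo.country, state: geo.state }, dropped: dropped.map((k) => "geo." + k) };
}
// Returns the forwardable event plus the fields removed, so stripping can be logged:
// a sudden rise in dropped fields is the signal that a site change started leaking PHI.
function deidentifyEvent(event) {
  const out = {};
  const dropped = [];
  for (const [key, value] of Object.entries(event)) {
    if (key === "url" || key === "geo") continue;
    if (ALLOWED_FIELDS.includes(key) && !containsPhiText(value)) out[key] = value;
    else dropped.push(key);
  }
  if (event.url) { const u = sanitizeUrl(event.url); if (u) out.url = u; else dropped.push("url"); }
  const g = sanitizeGeo(event.geo);
  if (g.geo) out.geo = g.geo;
  dropped.push(...g.dropped);
  return { event: out, dropped };
}

// Constructed sample event (not real traffic); 203.0.113.0/24 is a documentation range.
const SAMPLE_EVENT = {
  eventName: "page_view", timestamp: "2020-08-13T10:00:00Z", channel: "email",
  campaign: "results-reminder", interaction: { type: "click", target: "home-primary-cta" },
  url: "https://provider.example/conditions/diabetes/overview?email=pat@example.com#top",
  ip: "203.0.113.7", email: "pat@example.com", accountNumber: "MRN-00123456",
  deviceId: "a1b2c3d4", geo: { country: "US", state: "CA", city: "Sacramento", zip: "95814" },
};
console.log(JSON.stringify(deidentifyEvent(SAMPLE_EVENT), null, 2));
```

The forwarded event keeps only channel, campaign, interaction, the collapsed URL and country/state, which is exactly the aggregate-audience material the Safe Harbor route leaves you.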

Benefits of Tealium Private Cloud

Tealium Private Cloud allows for a compliant server-to-server method for sending data to optimization tools and also puts you on a path toward a compliant CDP setup. This is a significant benefit to using Private Cloud, as a compliant CDP will allow you to create audiences that make use of PHI data, before pushing these audiences out to your optimization tool.

By going this route, you’ll be able to create audiences and run tests and personalization campaigns that contain PHI data. As we reviewed earlier, it’s common for organizations with advanced testing and personalization strategies to want to make use of these data points in their campaigns. The Private Cloud route (or similar PHI-compliant data solutions) is the only way your testing and personalization campaign can use PHI data in a compliant manner, so it’s definitely worth reviewing if you want to use these data points.

Server-side Setup, Safe Harbor Method and Personalization Campaigns

Utilizing a server-side setup and removing PHI data from your optimization tool (Safe Harbor method) allows you to achieve HIPAA compliance. This approach means PHI data isn’t available to you in your testing and personalization campaign, but there are still many options open to you as you develop audiences for your campaigns.

While one-to-one personalization may not be achievable without individual user identifiers, you can still develop powerful audiences that aggregate users based on behavior. For example, you can use audiences based on marketing channels, or the specific marketing campaign, that brought users to the site. You can also create audiences at an aggregate level through tracked onsite interactions. An audience could be made for all users that clicked the primary CTA on your site’s homepage, or for every user that logged in and attempted to book an online appointment with a doctor.

While these are only a few examples of the type of aggregated audiences you could build in your optimization tool, they hopefully give an indication of the range of audience types you’ll still be able to build with a tool set up to remove PHI via the Safe Harbor method.

The server-side setup required for the Safe Harbor method also provides some additional benefits beyond compliance. As mentioned earlier in the post, going server-side for optimization is increasingly common as it allows for:

  • Significantly improved technical performance — no more page flicker when tests load!
  • Flexibility to test dynamic content — for example, pricing updates
  • Ability to test non-user interface changes — performance optimizations, brand new site launch
  • Security — less external JavaScript code loaded onto your website, which is valuable in highly secure/sensitive areas

While server-side testing and personalization does require more developer support than traditional client-side testing, the benefits highlighted above are worth considering as you evaluate your overall tech stack and compliance.

Enhance User Experience

Testing and personalization campaigns can have a huge, positive impact on your users through site enhancements and user experience improvements. We think it’s important that those working in the healthcare industry don’t let HIPAA compliance limit their testing and personalization programs.

Optimization tools are, by default, not HIPAA-compliant and ensuring their compliance is a challenge. While there’s upfront cost and effort to configuring optimization tools for compliance, we strongly believe that the long-term benefits of running an effective testing and personalization program will more than offset the initial efforts.

As you approach compliance in the healthcare industry with your optimization tools, please reach out to us if you need advice, have questions, or need our assistance.

Disclaimer: I’m not a lawyer, and this blog post is based on my own research and interpretation of the Healthcare Insurance Portability and Accountability Act (HIPAA). You’re advised to seek legal counsel that specializes in HIPAA to ensure that your organization conforms to this law. If you have questions or suggested clarifications, please comment and provide sources, as appropriate.

Alex Molineux
About the Author

Alex is Associate Manager of Optimization at Blast Analytics. He leverages his expertise in analytics strategy, implementation and optimization to help clients translate data into actionable insights, and is an expert in a wide variety of analytics and testing tools with a focus on Google Analytics, Google Tag Manager, Tealium IQ & AudienceStream, Optimizely and Google Optimize. Whether you’re looking to build out an analytics strategy to gather insights into your core business questions or you are looking to run an effective A/B testing or personalization campaign, he is able to use his expertise to guide and support you.
