Did you know that healthcare businesses must mitigate the risk of online HIPAA violations?
In Dec 2022, the Office of Civil Rights (OCR) at the Department of Health & Human Services (HHS) put out a statement that the use of third-party online tracking technologies, such as Google Analytics, Google Ad Conversion Tracking, Facebook pixels, etc., that pass along protected health information (PHI) to these third-party vendors, is a violation of HIPAA.
Under HIPAA, “covered entities” (which basically include healthcare providers, health plans, and healthcare clearinghouses) are responsible for correcting this.
In this regard, HIPAA coverage has been extended to protect any online visitor who visits a healthcare website, not just a patient or a person known to your healthcare organization.
If this visitor views any website pages about healthcare conditions, treatments, or provider research, that signal could be included in the website’s URL. The URL with health-specific data, combined with the visitor’s IP address or other identifiers (personally identifiable information, or PII), could now point to a past, current, or future health concern of a potentially identifiable individual.
This PII, when mapped to a health condition, is PHI and protected under HIPAA.
We are offering a server-side tag solution hosted on a cloud service (typically GCP) with connectors to cloud data warehouses, such as BigQuery, that allows us to strip web data points of any PHI before they reach any third-party martech stack.
Are you ready to employ Luminessee's HIPAA Solution to gain first-mover advantages and a skilled team to make it happen?
When you work with Luminessee, here are some of the benefits you’ll enjoy:
New Market: First, this is a relatively new regulation (introduced on Dec 22, with warnings being issued in July 2023), so only a handful of providers offer this solution. Most are product-based solutions from companies such as Freshpaint, Tealium, RudderStack, etc. Their HIPAA solutions come at a hefty price.
Service-based Model: We offer a server-side tag setup as a service that relies on a HIPAA-compliant tech stack and a Business Associate Agreement (BAA) with service providers when necessary. In that sense, we offer a service-based solution rather than a product.
Skilled Team: We recently became certified in using a server-side tag management solution to create an intermediary server owned by the domain that also owns the website. We also have a bench of highly qualified tech analytics consultants, cloud experts, and data warehousing experts to help us develop robust solutions.
Web Tech Compliance Solutions: In addition to analytics and marketing tech compliance, we also offer services to make your web technology stack HIPAA-compliant. A website collects ePHI in the form of appointment bookings, insurance information, patient registration, medical release requests, insurance checks, etc. Our solution allows the ePHI collected by the website and stored in a database to be encrypted “at rest” and “in transit.”
Server-Side Tag Management Across Industries: Interestingly, as online web technologies move away from third-party data collection, having a first-party data collection environment is a must for many industries (including e-commerce businesses) that must protect personally identifiable information (PII) to be compliant with GDPR, CCPA, etc.