Tracking your online marketing performance to gain a greater understanding of ROI and ultimately optimize your efforts is essential to the success of your campaigns. But as a healthcare provider, your patients’ safety and privacy are your #1 priorities. So, you face a unique challenge: How do you track your marketing and performance efforts without violating HIPAA?

Start with Protected Health Information (PHI)

First things first: You need to find out if the technology you want to implement collects or stores PHI.

PHI stands for protected health information and is any private health information that can be used to identify an individual. This information includes, but is not limited to:

• Common identifiers, such as name, address, birth date, social security number, etc.
• Demographic information, such as past, present, or future physical or mental health condition
• The provision of healthcare to an individual
• The payment of a healthcare provision by an individual

Be sure to check out the Department of Health and Human Services HIPAA Privacy Rule page for a more detailed description of PHI.

If the technology you want to use doesn’t collect the PHI of your prospects, you’re free to start tracking, analyzing, and optimizing!

If the technology you want to use does collect the PHI of your prospects, there are some things you’ll need to evaluate.

Is the Technology HIPAA Enabled?

You may be wondering whether a piece of technology is HIPAA-compliant, but violating or not violating HIPAA isn’t so much about the technology; it’s more about how you use it. You can put into place processes that don’t violate HIPAA, or you can put into place processes that do. (Obviously, you want the former!)

What you should look for in a technology is whether it’s HIPAA-enabled. You’ll still have to use the technology in a way that ensures compliance, but enablement will go a long way toward that goal.

One straightforward way of finding out if a tool is HIPAA-enabled is to…

Ask for a Business Associate Agreement

A Business Associate Agreement is a contract between any company or software that transmits or handles PHI and your organization. It protects both entities by outlining privacy terms and ensuring both you and the vendor will comply with HIPAA.

If a technology provider will not provide you with a Business Associate Agreement, it’s very probable that they aren’t HIPAA enabled. This is a red flag and means you may want to find another solution.

The Tools That Could Be Affected by HIPAA Compliance

Wondering what tools might be affected by HIPAA compliance? Here’s our list of the types of marketing-performance tracking software you may be using, and whether they require HIPAA enablement.

Google Analytics

As a healthcare provider, you use Google Analytics to provide insight into who your patients are and to measure the success of your online marketing efforts.

Does it collect PHI?: No

As of January 2018, the Google Analytics Terms of Service states the tool does not track individually identifying information—only aggregated data. By default, Google Analytics does not collect PHI. That means you can use it without worrying about HIPAA compliance.

PPC Conversion Codes

PPC conversion codes are tracking scripts placed on forms and websites that tell your PPC platform(s) whether activity on your site or form came from paid advertising. Popular platforms include:

• Google Adwords
• Bing Ads
• Yahoo
• Facebook

Does it collect PHI?: No

PPC conversion codes do not contain PHI—only anonymous data. So your PPC conversion platforms are HIPAA-enabled by default.

Call Tracking

Call-tracking software allows you to track your calls and attribute them to marketing sources like:

• Digital display ads
• Form-fills on your website
• Pay-per-click advertising

Due to the nature of some of these calls, PHI could be exchanged in a recording or included in a report.

Does it collect PHI?: Yes

To avoid HIPAA violations, your call-tracking provider needs to be HIPAA-enabled.

Recommended tool: CallRail

CallRail is a great call-tracking provider, as they offer a HIPAA-enabled version of their solution, containing features like logging people out after several minutes of inactivity and omitting names and identifying information from reports.

Review Management

Managing online reviews effectively is the lifeblood of any healthcare practitioner. Review-management systems help you reach out to clients for positive feedback on Google and other sites.

Does it collect PHI?: Yes

Your review-management system will contain clients’ names and email addresses, since you’re sending emails to clients to ask them to rate you. You’ll need a HIPAA-enabled solution to handle these interactions.

Recommend tool: Get Five Stars

Get Five Stars is HIPAA-enabled and will provide you with a Business Associate Agreement.

Customer Relationship Management (CRM)

CRMs track your prospects’ activity before they become patients. Doing so helps you understand where they are in the buying cycle, so you can market to them appropriately. CRMs allow everyone in the company to see every interaction a patient or a prospect has had with your organization, so they can be informed when reaching out to those people.

Does it collect PHI?: Yes

Salesforce is one of the popular CRMs on the market today, and it’s HIPAA-enabled. You’ll still need to make sure your processes and strategy concerning Salesforce support compliance.

You Don’t Have to Choose Between Tracking Marketing Performance and HIPAA Compliance

Just because you’re in the healthcare industry doesn’t mean you must scale back on tracking your marketing performance.

Just keep these things in mind: There’s a difference between being HIPAA-compliant and HIPAA-enabled. HIPAA compliance falls on you and your processes, but, to achieve it, you need to be working with HIPAA-enabled solutions.

Always ask for a Business Associate Agreement to ensure HIPAA enablement. If a solution is not willing to provide it, keep searching for one that will.