How can I optimize my healthcare website while being HIPAA compliant?
This interview is part of Kameleoon's Expert FAQs series, where we interview leaders in data-driven CX optimization and experimentation. Our guest, Jude Nwachukwu Onyejekwe, is a marketing analytics specialist at Hedy and Hopp, working with businesses across Africa, Europe, and North America.
Jude has a strong passion for writing and assisting non-technical marketers to thrive in the ever-evolving world of measurement. That’s why he also co-founded DumbData, a marketing and analytics resource hub.
How does HIPAA affect experimentation on my healthcare website?
Over recent years, the experimentation landscape has become more privacy-focused, leading to greater security for healthcare patients.
The Health Insurance Portability and Accountability Act (HIPAA) requires a deeper evaluation of your tools and data practices to ensure compliance. HIPAA has strict compliance criteria that would impact experiments that involve, expose, or require Protected Health Information (PHI).
Privacy and security are taking center stage when running experimentation programs on healthcare websites. If you're testing the layout, messaging, or user flows that don't involve or require PHI, it's safer to proceed without it, or you’ll need to involve a legal advisor.
How do I know if an A/B testing tool is HIPAA compliant?
The first step is determining whether the A/B tool vendor offers a Business Associate Agreement (BAA). However, your decision should be based on more than just the availability of a BAA.
You should assess whether your organization's current plan or budget allows for signing a BAA. It's also important to note that there's a difference between a HIPAA-compliant tool and your specific plan being covered by a BAA.
Additionally, you should verify if the tool offers extra HIPAA-compliant settings that enable control over what personal and PHI data is shared.
Review the vendor's data security measures and accreditations, including storage, data encryption, transmission protocols, certifications, audit logs, and access controls.
A final consideration, which is sometimes overlooked, is data integration. There are instances where the A/B testing tool is HIPAA-compliant, but the third party used to integrate with the tool is not. If the data shared between both platforms includes PHI and health-related data points, this would violate HIPAA.
What other aspects of my optimization work must I ensure are HIPAA compliant?
HIPAA compliance should extend beyond experimentation and analytics. It must be deeply embedded throughout your organization and should be addressed before integrating optimization tools with other platforms.
Start by creating a comprehensive list of optimization tools used within the organization and establish whether they collect or transmit sensitive data. Then, evaluate their associated risk levels, compliance status, and appropriate next steps.
This isn’t a one-and-done exercise—regular audits should review who has access to optimization tools, and legal advisors should be consulted in areas where clarity is needed. Any staff working with sensitive data should undergo HIPAA compliance training, focusing on patient privacy.
The changes you need to implement to protect patient privacy and ensure a secure experience will differ across various areas of optimization. You might need to configure masking settings in session recording tools or avoid collecting session recording and heat mapping data on authenticated patient pages.
Consider all aspects of optimization work, not just A/B testing. For example, during user research, avoid collecting or documenting highly sensitive data that qualifies as PHI.
If you must collect sensitive data, ensure proper consent is obtained, involve your legal team, de-identify it, securely store it in a HIPAA-compliant tool, and monitor access closely.
How can I audit my analytics setup to ensure it’s HIPAA compliant?
Check if there’s a provision to enter into a Business Associate Agreement (BAA) with the analytics vendor. If there isn't any BAA provision, evaluate the privacy and security risks within your analytics setup to determine if any Protected Health Information (PHI) is collected.
Next, review the technical integrations you use with the analytics tool. Then, establish what data points and event data are collected about the user. If data is collected on healthcare-authenticated pages, ensure data redactions are in place.
Review the analytics configuration settings for anything that violates HIPAA compliance. An example is the popular but controversial "user-provided data collection" feature in Google Analytics (GA4).
Communicate HIPAA compliance information across your organization to ensure that personal and PHI data are not sent to your analytics tool.
If you use server-side data collection, such as server-side Google Tag Manager, check if you strip or transform personal data points like IP addresses before sending them to your analytics vendor.
Always seek legal clarification for configuration or implementation changes that seem unclear to you to avoid violating HIPAA guidelines.
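The answer above mentions three controls that a server-side collection layer can apply before events reach the analytics vendor: dropping events from authenticated patient pages, removing user-provided personal fields, and stripping or transforming IP addresses. The following is an added illustration of that redaction logic in plain JavaScript; it is not part of the interview, nor Google Tag Manager's own API. The event shape, the field names, the path prefixes and the sample events are all assumptions made up for this example.

```javascript
// Added example (not the interviewee's code): sanitising analytics events in a
// server-side collection layer before forwarding them to a vendor. The event
// shape, field names and path prefixes below are assumptions for illustration;
// a real deployment would map them onto its own tag manager's data model.

// Hypothetical path prefixes that only authenticated patients can reach.
// Events from these pages are dropped rather than forwarded.
const AUTHENTICATED_PATH_PREFIXES = ['/portal/', '/my-health/'];

// Hypothetical query-string keys that may carry identifiers or health context.
const SENSITIVE_QUERY_PARAMS = new Set([
  'patient_id', 'mrn', 'appointment_id', 'condition', 'email', 'phone',
]);

// Hypothetical event fields that are personal or user-provided and must not be
// forwarded to a vendor that has not signed a BAA.
const SENSITIVE_EVENT_FIELDS = ['user_data', 'email', 'phone_number'];

// Coarsen an IP address: IPv4 keeps the first three octets, IPv6 keeps the
// first three 16-bit groups. Anything unparseable is dropped (null).
function truncateIp(ip) {
  if (typeof ip !== 'string') return null;
  const v4 = ip.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) return `${v4[1]}.${v4[2]}.${v4[3]}.0`;
  if (ip.includes(':')) {
    const groups = ip.split(':');
    // Only keep a prefix when the first three groups are written out, so a
    // compressed address such as "::1" is dropped instead of being mangled.
    if (groups.length >= 3 && groups.slice(0, 3).every((g) => g.length > 0)) {
      return `${groups.slice(0, 3).join(':')}::`;
    }
  }
  return null;
}

// True when the parsed URL points at an authenticated patient page.
function isAuthenticatedPage(url) {
  return AUTHENTICATED_PATH_PREFIXES.some((p) => url.pathname.startsWith(p));
}

// Replace the value of every sensitive query parameter with a placeholder, so
// the URL still groups correctly in reports but no longer carries the value.
// Relative or malformed URLs are dropped (null) rather than guessed at.
function redactUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null;
  }
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_QUERY_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, 'redacted');
    }
  }
  return url.toString();
}

// Sanitise one event. Returns null when the event must not be forwarded at
// all; otherwise returns a new event object that is safe to send onward.
function sanitizeEvent(event) {
  let pageUrl;
  try {
    pageUrl = new URL(event.page_location);
  } catch {
    return null;
  }
  if (isAuthenticatedPage(pageUrl)) return null;

  const out = { ...event };
  for (const field of SENSITIVE_EVENT_FIELDS) delete out[field];

  const ip = truncateIp(event.client_ip);
  if (ip === null) delete out.client_ip; else out.client_ip = ip;

  out.page_location = redactUrl(event.page_location);
  if (event.page_referrer !== undefined) {
    const ref = redactUrl(event.page_referrer);
    if (ref === null) delete out.page_referrer; else out.page_referrer = ref;
  }
  return out;
}

// Apply sanitizeEvent to a batch and keep only the events that survive it.
function sanitizeBatch(events) {
  return events.map(sanitizeEvent).filter((e) => e !== null);
}

// Constructed sample events (not real traffic): one public page view carrying
// a health-related query parameter and user-provided data, one portal page.
const SAMPLE_EVENTS = [
  {
    event_name: 'page_view',
    page_location: 'https://clinic.example/find-a-doctor?condition=diabetes&utm_source=newsletter',
    client_ip: '203.0.113.42',
    user_data: { email: 'patient@example.com' },
  },
  {
    event_name: 'page_view',
    page_location: 'https://clinic.example/portal/appointments?appointment_id=98765',
    client_ip: '198.51.100.7',
  },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(sanitizeBatch(SAMPLE_EVENTS), null, 2));
}
```

Running the block forwards only the first event, with `user_data` removed, the IP reduced to `203.0.113.0` and `condition=redacted` in the page URL; the portal event is dropped entirely. Redacting parameter values rather than deleting the keys keeps page-level reporting intact, which is the data-minimisation trade-off the interview describes. Whether these rules are sufficient for a given site remains a question for the legal review the answer recommends.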
How can I ensure HIPAA compliance doesn’t slow down experimentation?
Conducting experimentation while maintaining HIPAA compliance might be challenging and impact the pace of execution. However, I recommend specific actions to facilitate progress and avoid violations.
Ensuring HIPAA compliance is a core consideration at the outset of an experimentation program. Compliance is integral to every aspect of optimization, from the tools you use to the experiments you design and run.
Evaluate and identify potential PHI risks early on so that you can design experiments that avoid or minimize the handling of sensitive data.
One of the most significant factors slowing down experimentation on healthcare websites is insufficient knowledge about HIPAA. That’s why you should ensure your team is well-informed about patient privacy, HIPAA regulations, and the healthcare industry. When hiring an agency, look for expertise in these areas as well.
Provide your team with regular HIPAA and patient privacy training and educational resources. This will also facilitate smoother interactions with legal advisors. Effective communication between testing teams and legal advisors will help resolve privacy challenges rapidly.
Beyond training and knowledge, implement HIPAA-compliant processes such as checklists, quick approval procedures, pre-designed templates for inspiration, and clearly defined scopes of work to expedite the process.
How can I create personalized healthcare experiences while being HIPAA compliant?
HIPAA is not a barrier to creating personalized healthcare experiences for users and patients. It just demands more awareness and integration of patient privacy in your work and a proactive approach during the planning and ideation stages.
As mentioned above, start by reviewing the HIPAA compliance status and risk level of the tools used for personalization.
You can also design experiments or experiences without involving, exposing, or requiring PHI data points. For instance, contextual personalization can be effective when personalizing layouts, messaging, or user flows and doesn't require PHI.
When personalization does require PHI or involves authenticated healthcare pages, it's crucial to consult a legal advisor. They can help you determine whether a BAA is sufficient, seek patient consent, and approach this transparently, giving users control while ensuring safe and secure personalization.
Consider ‘data minimization’ to enhance patient personalization. This involves leveraging HIPAA-compliant settings or configuration options to strip, transform, or de-identify data points considered personal or PHI.
Since privacy and compliance are not "set it and forget it" matters, regular compliance audits, access monitoring, and internal training are essential. These ensure that HIPAA compliance and patient privacy remain central to your personalization program and that potential violations are detected early.