There has been a big shift in what a HIPAA-compliant website looks like when it comes to analytics and tracking information, and it can be challenging for practices to navigate their options.
Join Scott Zeitzer and Ashley Hohensee from P3 and host Michael Roberts as they walk us through their own journey to find a new analytics solution and their recommendations for practices.
Visit P3 Practice Marketing for more about how orthopedic, spine, and neurology practices can expand their reach.
Michael: Welcome to the Health Connective Show. I’m your host, Michael Roberts, and today I am joined by two long time collaborators, Scott Zeitzer and Ashley Hohensee. We’re going to talk about the way that health care sites need to pay attention to their web analytics setup, to make sure that they are HIPAA compliant.
Scott, Ashley, welcome. Welcome back to the show. Welcome to the new show. This is a whole new thing, a whole new experience. So you may have heard us collaborate previously on a podcast called The Paradigm Shift of Healthcare, where we focus on how health care was changing to become more consumer-centric. Of course, we started that show about 8 or 9 months before Covid hit, so the phrase paradigm shift became much more profound. It had a completely different meaning, of course, by the time that we were through.
So yeah, this is the new show. So welcome to the both of you.
Scott: Thank you.
Michael: So as this is a new show, can you start off? Let’s start off by having the two of you tell us what it is that you’re doing. You know, we talk about this is a show about health care and sort of like how we’re kind of bridging the gaps and all of that sort of stuff. And, and P3 is specifically targeted towards orthopedic practices. Scott I’ll let you take it from there.
Scott: Sure. Yeah. P3 is something I came up with a while ago and it came out of a lot of conversations I had with orthopedic surgeons. So first of all, P3 we only work in the ortho, spine, and neuro area. It came out organically, but we are. I’ll say this without sounding too bad about it, but I consider ourselves to be fairly expert at this area of ortho, spine, and neuro, and the P3 came from really focusing on the three P’s, because you talk to a lot of surgeons and the people that work for them, and they start going off on a lot of things, like, I want to be number one in Twitter or whatever. And I always kind of slow it down. I said, you know what kind of–?
Michael: It’s no longer Twitter. It’s moved on now.
Scott: Right. It’s X. Formerly, I think when I read The Times or The Wall Street Journal, it’s X “formerly known as Twitter.” So you’re right I want to be the number one X doesn’t sound right. But that being said, you’re right. But anyway, getting back to these three P’s it’s I would always tell the surgeon or the office what kind of procedures do you want to focus on? What kind of pathologies do you want to treat, but what kind of people you know, do patients do you want to have? And that’s what we do. We do web and online marketing for ortho, spine and neuro. I’m the dumb owner for quite some time now. And, Ashley, why don’t you talk a little bit about what you do.
Ashley: So I’m the P3 marketing manager. So my role is just to make sure that our clients have what they need for their marketing services, whether that’s, you know, we’re setting up an ad campaign. I’m coordinating with our team to get the website content a little bit, plus marketing for our side as well. So social media, blogging kind of everything. Yeah a little bit of everything. Analytics, reporting, all the good stuff.
Scott: The way that I always describe Ashley, Michael, is I know the big picture of everything that gets done, but what needs to get done? Excuse me, but let’s get Ashley on the phone so we can really explain what we’re going to do and how we’re going to get it done.
HIPAA Compliant Tracking
Michael: That’s a good lead into the more specific of what we’re getting into today. There’s been a pretty big shift in the way that HIPAA, what a HIPAA compliant website looks like when it comes to analytics and tracking information. There’s been a number of different lawsuits. There’s been a number of different cases that have kind of popped up in terms of people not being excited about maybe a Facebook pixel running in the background and collecting a bunch of information that then gets fed over to Facebook and gives them information that they don’t need. So there are these major shifts that are happening. You know, Ashley, can you walk us through the details of that to kind of talk more in depth about what’s happened there?
Ashley: There are a lot of like said, there are a lot of things that have happened, probably the biggest being the HHS guidance on the use of certain tracking tools. They have not come out and said you can’t use Google Analytics. That said, a lot of the things that a lot of the restrictions that they did put forth kind of would lead you to believe, lead you to the conclusion that you shouldn’t be using Google Analytics. You can if you are very careful about what you’re tracking and how. And a lot of it is somewhat, I guess, open to interpretation, right?
Like as far as what would be considered, what could be tracked, what would it be tracked? But, you know, some people are even saying like, it could you could go down to like make the conclusion that say, if somebody went if you have their IP address and they went to a page that was focused on treatment, which is like 99% of a practice’s website is focused on getting someone treatment, is that certainly contact forms, appointment request forms? Those are obvious answers, but there’s even suggestions that it could be farther than that.
And so that’s where it gets really iffy. And you mentioned the Facebook Pixel as well. That has been specifically called out. A lot of organizations have gotten sued over the Facebook Pixel. That’s a lot easier to not use. You can track that other ways. But yeah, Google Analytics is a lot trickier. And it’s kind of the go to for analytics, right? Because it’s free and it’s kind of what everyone uses.
Scott: It definitely was the baseline standard. It still is the baseline.
Ashley: Yeah I mean there are a lot of other industries that aren’t health care where that could still make sense. In health care, it’s a little tricky. And there’s also so the HHS and said like you can’t use Google Analytics, but Google itself has said, hey, we’re not HIPAA compliant. We’re not going to sign a business associate agreement, which is a key component of using any kind of tracking service. So that being said, you’ve got to start thinking about alternatives.
Scott: When I was up at the Orthopedic Surgery and Emerging Technologies meeting, you were there with me. I spoke to a lot of surgeons, and it’s funny about how you know the details, and I only know the big picture, as I mentioned before. And one of the things that I basically said to a lot of surgeons who were not aware is I basically said what you just brought up, hey, try to get a business associate agreement. The most basic thing you can from Google, they will not provide it because they know they can’t. They can’t legally provide it. And that’s a big warning sign.
So from an industry standard for, you know, all industries as a whole, sure. Google Analytics is definitely a standard. But I think when it comes to online marketing in medicine, I don’t see how they’re going to maintain themselves as the standard. Michael, what do you think?
Michael: Talking about it being a standard, you know, for smaller businesses, smaller systems that don’t use something like Adobe Analytics or use something like a variety of other systems, and we’ll probably talk a little bit about the one that we use, which is Matomo. But there are a number of different systems out there. But, man, free’s hard to beat, you know, and when it is done well, like (Google) Analytics is a good product. They’ve made people frustrated with all their different changes and there are reasons to use it or not, depending on what your business is. But there are a number of different reasons to use it or not. We’ll keep it that simple.
Awareness of the Issue
Scott, you talked about like, hey, there’s a lot of people that aren’t actually aware that this is a problem. This is something that does need their attention. And, you know, sometimes I think that everybody just thinks like, oh, well, whoever my provider is, they’re probably thinking about this, right? Like they’ve got it squared away somewhere. And that’s it’s a very generous maybe assumption on behalf of, on behalf of a lot of people.
But, you know, this is something that, that we, you know, the three of us worked together in this under health connective, there’s health connective and P3 kind of all in the same company. So you know, this is definitely something that we’ve been talking about quite a bit. The whole concept of HIPAA compliance is very important to us. All of that good stuff. So okay we know we’ve got a problem. Google analytics isn’t going to be our long term solution. You know, I want to just talk some about like what we chose to do and how hard it was to do that because it wasn’t it was like, great, we’re going to make a change. Oh man. This was not an easy thing.
Scott: I remember like, you know, being the owner going, come on, how can this be? And I and now, you know, I go to this meeting where I really do know most of the people there. I’ve been doing this for a long time, and they all gave me that look like, come on, man, how can this be like, no way. And I’m going to tell this to everybody listening, whether you’re a customer of ours or just listening to the conversation, please slow down enough to email, pick up the phone, whatever your current provider of your hosting provider, your web developer, whatever, and ask them specifically, you know, how are you doing analytics and are you using Google Analytics?
And again, I’m not a lawyer. I have a daughter who’s a lawyer, and that doesn’t count for anything. But I’m telling you, it’s not HIPAA compliant. You use Google Analytics. And so we had to stop everything we were doing and make sure that we were going to be compliant. But and so anybody who’s a customer of ours, you’re good. But if you’re not a customer and this is not some scary thing, it can be done. But you got to go talk to your provider about how to get around it.
Working Towards Compliancy
Ashley, why don’t you talk a little bit about what did we have to do? Because it was a lot.
Ashley: Yeah. I mean, I guess first we had our lawyer review the guidance and he was he suggested we should stop using Google Analytics. There are ways we looked into there are ways to modify how you’re tracking information. We just found, like you would have to pare it down so far that like it wouldn’t even be meaningful information at that point. You’re not getting any kind of conversion information or anything like that, so it just was not as useful. Then you start looking into analytics providers who will sign a BAA, which is very few and far between. It’s not just a Google thing, so just make that clear. It’s not like even you mentioned Adobe Analytics. They won’t sign either. So lots of even paid tools don’t do this kind of thing because they don’t want to assume the risk. You know, rightfully so maybe.
So we found a service called Matomo. And while Matomo itself the cloud hosted version that you could get through them or you would pay them for the service, that version is not HIPAA compliant, but they do offer an option to self host it. And so we were able to host our own version of Matomo on a HIPAA compliant server. So that makes it HIPAA compliant, because the server is with a company that will sign a BAA with us. And so that was the way to do it. And that’s a really simplistic explanation. There’s a lot of even that beyond what I could do. Yeah, that’s a.
Scott: Good place to pause for everybody to kind of suck this information in. It’s like we found an alternative service. That’s great. We thought, oh, we’re done. No we’re not. Now we’ve got to Matomo on our own server that we have to get certified as HIPAA compliant. So when you’re asking like, how are you checking my analytics? Everyone out there, it’s like, oh, well, we don’t use Google. We use whatever it’s like, well, are they HIPAA compliant? Are you on your own compliance server? Those are good follow up questions. I’m sorry to interject that, but I think it’s important because a lot of people are listening, going, oh no, no, no, really, I’ve got to worry about this. But yeah, you do.
If you have if you’re doing online marketing and you’re a most, like most practices, a small business, just trying to figure it out. The easy out was the free service of Google Analytics. It’s not available to you if you want to do analytics. So yeah, we came up with a solution. We’re not the only people out there, I’m sure, who came up with solutions. But so we got part one, part two our own compliance server. Think I want to make sure everybody is clear on that. There was a whole different thing. We went down through Michael. What are we now. Are we now certified HIPAA compliant people or something. What are we now?
Michael: One of the things that is tough about this is that it? Yes, this is something that medical practices needed to worry about. Jared, who is the producer of our show, he and I were talking about this topic coming up, and he was talking about some different healthcare events that he’s been at this year, where this was also the big topic for hospitals, and
Scott: Oh, yes,
Michael: very large organizations. You know, this isn’t just something that like everybody that was using something small had to go figure out, this is this is a health care wide kind of problem.
And the big difficulty here is like, yes, analytics needs to change, but especially depending on the level of sophistication around your advertising, this is where it really gets into that identifiable information. You know, like Bob Smith came to this website and then on Facebook, also clicked on this ad and then came back to the website and all of that activity. Right. Like that’s the activity that we’re as an industry trying to move away from tracking. So, so specifically. Right. You know, not necessarily that Bob Smith did it, but a person that may be of this demographic, that may be of, you know, you’re trying to go to these kind of like more cohorts and more kind of like broader assumptions so that we’re not like looking at each individual person and kind of pulling that information out.
So this is a bigger problem. I don’t want to again, this isn’t like a scare tactic. And like everybody run for the hills kind of thing. But it is it is something that the industry is really needing to think about and really trying to try to play with here. So yeah, so that is me interjecting and leading away from the ongoing saga of us trying to figure out how to get ourselves in a good spot and our clients.
So yeah, so we had the server set up and then we’re kind of throwing around these terms like being HIPAA compliant. And that’s not just something that we can decide. It’s actually something that somebody else needs to help us figure out if we are or aren’t. So yeah, Ashley, take it away.
A Broader View of HIPAA Compliance
Ashley: As we started getting into this whole analytics discussion, we were thinking about, you know, talking about are we compliant in other ways? You know, we want to be able to say that we’re providing compliant services, but are we in fact fully compliant. And so we actually said the company that does our HIPAA compliant server recommended this group called Compliancy Group. And while there’s no government level official way of saying like, yes, we are HIPAA compliant, they are a third party organization that will work with you to assess what you are doing in all aspects. And that’s not just marketing companies or third party. That’s even if you’re a medical practice looking to assess your practices, they work with that as well.
They have this whole system in place, this little dashboard that will go through all of your practices from like, what are your internal policies, what do your employees have access to? What are your employees trained on? Do you have BAAs with all the vendors that you work with? Do you have BAAs with all of your customers? In this case, because we are a marketing company that works with multiple practices. Just making sure. Do you know, like what all devices do you have your employees that have access to potential PHI? They really go through everything, everything that you do that could potentially touch and make sure that you’re either being, you know, that you have things in place to safeguard that information, that you have the right policies in place, that people have the right training.
And then at the end, once you’ve completed that whole process, which took several months for us to go through everything you do get an official seal of compliance, saying that the third party organization has evaluated us and determined that we are making, as they call it, a good faith effort to be compliant. You know, no one’s ever going to be perfect. Yeah.
Scott: What was the name of that company, guys?
Ashley: Compliancy Group.
Scott: We paid money. We’re not paid, you know, sponsor. Like, you know what I mean? Like, none of that kind of stuff. I’m just saying, like, hey, we paid for it. They did a very good job. They were available to talk to on the phone. So for all the practices out there are going, oh, I can’t believe I have to do this. That was a good group. They did a good job. Yeah. They held our hands well and yeah, it did take time. But I honestly felt when we were done like a sense of accomplishment that, hey, we are HIPAA compliant, we have a seal of approval. Yea. But I think just as important is yeah, we really are like there’s a third party saying it and they were good at holding our hands. So there’s a free little yay for them.
Ashley: Yeah, lots of tools to help you track and continue to track things as you go forward. So definitely something just as an aside, like right. Like Scott said, medical practices, it makes the cost for doing that is like for the peace of mind that you get. And knowing that if you get audited for anything, that you have everything document, everything is documented in their software. It would be it’s very easy. Again, from.
Scott: A really big picture. Marketing a practice used to be a very simple thing, very simple, you know? And now it’s hey man, here’s your website, here’s your content, here’s your reputation marketing. And frankly, if you really want to get anywhere, you really got to think, pay to play ad placement. And if you’re going ad placement, then you got to like, well, how are we going to, you know, do return on investment? Well, we’re going to have to do some form of tracking.
Ding ding ding. You know, the bells start going off on HIPAA compliance because we got to do that in a compliant manner. So these are the things you need to think about and why I always tell people when they’re thinking about getting like doing online marketing or web development for their practice, I’m always like, look, man, you don’t have to use me, but just make sure you do use somebody who’s in the business of medical online marketing, not the local, you know, marketing team that’s based in the city that you’re in, that I know you want to be a good guy and be local, you know, and all that other stuff. It’s like, no, find someone who knows this business because, man, we can have an entire show on the Americans with Disabilities Act. Forget about HIPAA compliance, which is what this is all.
Major Shifts in Marketing
Michael: Absolutely. There are a lot of things that are pretty profoundly changing about online marketing, sort of in general. I mean, I think that one of the big hot topics right now everybody loves to throw around is AI, and I don’t think that you can go any conversation of marketing or anything like that without saying AI at least somewhere in that conversation we’ve got to mention it. But, you know, like the way that search engines are changing, there are some significant, significant changes.
And so some of the things that that you used to focus on as your marketing approach, bring everybody on your website all the time, bring it, you know, make sure the conversion happens there, all that kind of stuff. So many of those avenues are changing now. And so there are going to be it’s going to be harder and harder to attribute. Yes, because of some of these like HIPAA compliant needs and making sure that we’re protecting people’s information, but also just because, hey, Google is going to own more of the game, maybe Bing’s going to get their act together enough to own more of the game. Who knows? They’re at least doing interesting things in the AI space. So there’s a lot of a lot of potential shifts that that could be happening here.
Levels of HIPAA Compliance
So we’re throwing out a lot of things about how, hey, practices need to be thinking about all these digital things to be HIPAA compliant. I moved to a smaller community within the past, past year and a half or so since we last podcasted together, and it’s been hilarious to me. Forget digital things, just the conversations that are happening in the practice where people are talking about a case, people are talking about information of like, you know, I can hear like I can tell you what’s going on in the next room, you know, like who the patient is and like what their case is about.
So this is not just something that we, that people need to evaluate on a digital level. Hey, this is very much in the practice as well. And actually we didn’t have nearly as many boxes to check because our access to patient health information is still relatively contained, right? We’re not going nearly as deep into this as some others are.
Ashley: Yeah, we definitely have the most we have we have some contact forms on the website. We do some call tracking again, HIPAA compliant for people that have ads or customers. But yeah, we keep the access like not everyone in the company would even know how to access, you know, the contact form information or the call tracking information. So a lot of that we do keep pretty locked down.
Michael: There’s definitely a lot of things there’s a lot of moving pieces here for practices to consider. Definitely work with the groups that are going to help you figure this out. This isn’t something that’s easily done, whether it’s digital or whether it’s just, you know, in real life and.
Scott: Train your staff.
Michael: Yeah. Yeah. Exactly, exactly. So, Scott, Ashley, this is the start of of a new podcast. This is something where the this new show, one of our goals is to have people on fairly regularly to kind of talk about like updates and this kind of stuff. So I do want to I would love to have you back, and I’ll bug the two of you enough to where you’ll have to come back at some point. And we’ll keep on looking at how healthcare marketing is evolving and what practices specifically need to be doing. So thank you both for coming on today.
Scott: My pleasure.
Michael spends a great deal of time with the healthcare industry both professionally and personally, which gives him the perspective of what stakeholders on either side of the care equation need.
He began coding in 2008 and subsequently shifted his attention entirely to online marketing. Michael completed his MBA in 2018, focusing on the intersection of healthcare and marketing.
Scott Zeitzer, president of Health Connective, has been in the healthcare industry for his entire adult life. After earning a master’s in biomedical engineering, he sold medical devices (total hips, total knees, trauma devices, and CMF devices) to orthopedists and neurosurgeons for nearly 10 years.
In 1998, Scott started Health Connective to provide web and application development for a variety of businesses, eventually choosing to focus on healthcare companies.
As the marketing manager, Ashley ensures that our clients’ marketing strategies are put into action. This includes content writing, SEO, online advertising, analytics, and interfacing with the tools, systems, and team members needed to help our clients accomplish their marketing goals.