Tom Fanelli & April Wier – HIPAA WordPress Hosting: Everything You Need to Know

Jul 23, 2024 | Meetup News

Learn how to prepare your WordPress websites to comply with HIPAA regulations.

ABOUT THE PRESENTATION

This presentation is on HIPAA compliance for WordPress websites. It is an important topic for healthcare providers and the agencies and freelancers that work with them. In this recorded webinar, you’ll get an overview of HIPAA requirements, learn about the compliance chain, and get a summary of common technical considerations for HIPAA-compliant hosting and website management. Our two speakers, Tom Fanelli and April Wier, provided practical guidance and tips to help you navigate this complex landscape.

ABOUT THE PRESENTERS

Tom Fanelli is the founder of Convesio and an expert in HIPAA compliance. Along with Convesio’s compliance-trained team, Tom has helped dozens of healthcare businesses ensure that their WordPress website is HIPAA-compliant.

April Wier is the director of Sugar Five Design and the lead educator at Medical Marketing Unlocked, the only on-demand course designed to help marketers increase their revenue by unlocking the medical market without being a HIPAA expert.

RESOURCES

Website: https://convesio.com

Checklist: https://convesio.com/knowledgebase/article/the-ultimate-hipaa-compliance-website-checklist/

YouTube: https://www.youtube.com/@convesio

SUMMARY

HIPAA Compliance for WordPress Websites: Key Insights from Industry Experts

The West Orlando WordPress meetup group recently hosted a webinar on HIPAA compliance for WordPress websites, featuring experts Tom Fanelli and April Wier. This topic is essential for healthcare providers, agencies, and freelancers working in the medical field. Here are the key takeaways from the presentation:

Understanding HIPAA

HIPAA (Health Insurance Portability and Accountability Act) is designed to protect healthcare information and ensure its portability. The act includes comprehensive rules for privacy, security, and breach notification. Covered entities, which primarily include healthcare providers and health plans, bear the main responsibility for HIPAA compliance.

The Compliance Chain

Business Associate Agreements (BAAs) play a crucial role in maintaining HIPAA compliance. A compliance chain is formed when BAAs are issued between covered entities and their vendors. To effectively manage this process, it’s essential to have a visual workflow that illustrates where Protected Health Information (PHI) flows within your business operations.

Common Compliance Gaps

Several common compliance gaps were identified during the presentation. These include failure to encrypt data both in transit and at rest, lack of proper authentication measures, inadequate physical security at data centers, and insufficient backup and recovery processes. Addressing these gaps is crucial for maintaining HIPAA compliance.

Technical Requirements for WordPress Websites

The experts outlined six key technical requirements for HIPAA-compliant WordPress websites: 1) Data encryption (both in transit and at rest), 2) Named user accounts and multi-factor authentication, 3) Physical security measures at the data center, 4) Backup redundancy and recovery processes, 5) Business Associate Agreements with all parties accessing data, and 6) Regular audits and staff training.

Best Practices for WordPress

To maintain HIPAA compliance, it’s recommended to limit risk by avoiding storing PHI in WordPress when possible. Additionally, staying up-to-date with WordPress, plugin, and security updates is crucial. Using HIPAA-compliant forms and email providers is also essential. The experts advised caution when using tracking pixels and analytics tools, as these can potentially compromise patient privacy.
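The "encryption at rest" requirement and the form guidance above can be met at the application layer: a submission's field values are encrypted before they are written to the WordPress database, so a stolen database or backup holds nothing usable. The following is an added illustration, not the presenters' code or any named plugin's; the FORM_FIELD_KEY environment variable, the v1: prefix and the sample submission are assumptions constructed for it.

```php
<?php
// Added example (not the presenters' or any plugin's code): encrypt each form
// field with libsodium's authenticated secretbox before it reaches the database.
// Assumption: the 32-byte key is supplied as hex in the environment variable
// FORM_FIELD_KEY (set by the web server or wp-config.php), so it is never stored
// in the database or included in database backups.
declare(strict_types=1);

const FIELD_KEY_ENV = 'FORM_FIELD_KEY';

/** Load the secretbox key from the environment; fail closed if it is absent. */
function load_field_key(): string
{
    $hex = getenv(FIELD_KEY_ENV);
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException(FIELD_KEY_ENV . ' must hold a 64-char hex key');
    }
    return sodium_hex2bin($hex);
}

/**
 * Encrypt one field value. Stored form is "v1:" + base64(nonce || ciphertext).
 * secretbox (XSalsa20-Poly1305) authenticates the ciphertext, so a modified
 * row fails on decryption instead of yielding garbage.
 */
function encrypt_field(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per value
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    sodium_memzero($plaintext); // drop the local plaintext copy
    return 'v1:' . sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_ORIGINAL);
}

/** Reverse of encrypt_field(); throws on unknown version, wrong key or tampering. */
function decrypt_field(string $stored, string $key): string
{
    if (strncmp($stored, 'v1:', 3) !== 0) {
        throw new RuntimeException('unknown field encryption version');
    }
    $raw   = sodium_base642bin(substr($stored, 3), SODIUM_BASE64_VARIANT_ORIGINAL);
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('field failed authentication: wrong key or modified');
    }
    return $plain;
}

/** Encrypt every value of a submission; field names stay in clear for lookup. */
function protect_submission(array $fields, string $key): array
{
    return array_map(fn(string $v): string => encrypt_field($v, $key), $fields);
}

// --- demo with constructed data; runs under PHP CLI without WordPress ---------
putenv(FIELD_KEY_ENV . '=' . sodium_bin2hex(sodium_crypto_secretbox_keygen())); // demo only
$key = load_field_key();

$submission = [ // constructed sample; each value would count as PHI
    'name'      => 'Jane Sample',
    'phone'     => '555-0100',
    'condition' => 'knee replacement consult',
];
$stored = protect_submission($submission, $key);
// In WordPress, $stored (not $submission) is what would go to update_post_meta()/wpdb.
print_r($stored);

echo decrypt_field($stored['phone'], $key) === '555-0100' ? "round trip: ok\n" : "round trip: FAILED\n";

// A stolen row with one ciphertext byte flipped is rejected, not silently decrypted.
$raw = sodium_base642bin(substr($stored['phone'], 3), SODIUM_BASE64_VARIANT_ORIGINAL);
$i = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES; // first ciphertext byte after the nonce
$raw[$i] = chr(ord($raw[$i]) ^ 0x01);
try {
    decrypt_field('v1:' . sodium_bin2base64($raw, SODIUM_BASE64_VARIANT_ORIGINAL), $key);
} catch (RuntimeException $e) {
    echo "tamper check: {$e->getMessage()}\n";
}
```

Rotating the key means re-encrypting stored rows under the new one; the v1: prefix is what lets a later version coexist with old rows during that migration.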

Key Considerations for Agencies and Medical Professionals

Agencies working with healthcare providers should be prepared to sign BAAs and follow best practices for HIPAA compliance. Medical professionals, on the other hand, should ensure that their agencies fully understand HIPAA responsibilities. Recent guidance prohibits sharing browsing data with third-party marketing platforms without proper safeguards, adding another layer of complexity to HIPAA compliance in digital marketing.

By following these guidelines and working with knowledgeable partners, healthcare providers and agencies can navigate the complex landscape of HIPAA compliance for WordPress websites. Remember to always consult with legal and compliance experts for specific advice tailored to your situation.

TRANSCRIPTION

Welcome everyone to the third Thursday Meetup of the West Orlando WordPress meetup group. I’m Brian Walton, a co-organizer and host. West Orlando WordPress is an official WordPress Meetup Group affiliated with the WordPress Orlando and WordCamp US meetup groups. Today’s presentation is on HIPAA compliance for WordPress websites. This is an important topic for healthcare providers and the agencies and freelancers that work with them. In this pre-recorded webinar, you’ll get an overview of HIPAA requirements, learn about the compliance chain, and get a summary of common technical considerations for HIPAA-compliant hosting and website management.

Our two speakers, Tom Fanelli and April Wier, will provide practical guidance and tips to help you navigate this complex landscape. Tom Fanelli is the founder of Kinsta and an expert in HIPAA compliance. Along with Kinsta’s compliance-trained team, Tom has helped dozens of healthcare businesses ensure that their WordPress websites are HIPAA compliant. April Wier is the director of Sugar Five Design and the lead educator at Medical Marketing Unlocked, the only on-demand course designed to help marketers increase their revenue by unlocking the medical market without being a HIPAA expert.

At this point, I’d like to invite everyone to mute their microphones and enjoy the presentation. Stay tuned afterward for the Q&A session.

Welcome everyone, it’s great to see everybody here today. We have an awesome presentation for you on a topic that has been kind of near and dear to my heart for almost a year now. A little bit of background on this: April, who is our co-presenter today and really the HIPAA person, the expert that got me involved in this and even brought it to my attention – I mean, it was probably over a year ago that there was a need in the space for HIPAA-compliant WordPress hosting. So really, April is the genesis and the reason why we’re even here today. So thank you, April. It feels like this is a culmination of a lot of learning and work and dialogue between us, so it’s a great moment.

We’re going to take you through a bunch of stuff today. We’re going to talk about an overview of HIPAA, the compliance chain, common compliance gaps, some technical requirements of hosting, and then we’re going to open it up for Q&A. Just a disclaimer here: you really always should do your own due diligence with your own legal team and your own compliance teams when you are dealing with any compliance, privacy, HIPAA, any of that type of stuff. So I really suggest this is a disclaimer that this is not legal advice. Really, you should consult with your experts on your team.

I do want to make a point that we have a couple different audiences with us here in the group, which is some of you are from agencies and some of you are from medical professional offices. So we’re going to tailor this into the topic and the presentation as we go. You might hear things that are framed directly for medical professionals; you may also hear us talk about agencies. It’s really important to both of these groups – very important actually – because medical offices need really good agencies to work with, and agencies need to understand what’s happening when they’re working with medical offices in terms of how to handle compliance and protected health information.

Alright, so my name is Tom Fanelli. I’m the CEO and co-founder of Kinsta. We are a scalable WordPress hosting company, and many of you probably know who we are and have worked with us in the past. I am joined by April. I’m going to stop talking and turn it over to April. She’s going to do her introduction, and we’ll get started.

Yeah, I think our very first conversation we ever had when we first met, HIPAA crept in there somewhere because I’m a little bit of a nerd when it comes to this. HIPAA can be a little overwhelming, and I heard when I first joined the greater WordPress community and marketing community that you should not touch HIPAA with a 10-foot pole. I’m a little bit rebellious, and if you tell me I can’t do something, it makes it super attractive to me. So I picked up my first client and did a deep dive and found why people were saying that, but also there are ways to do it safely.

Just to give you kind of a quick overview, HIPAA is the Health Insurance Portability and Accountability Act of 1996. It’s really there to protect our healthcare information and make it more accessible so we can take it with us. It’s portable from one doctor to another, and there are rules set about to make sure that our information is private and secure. And if it becomes insecure, what do we do about it? Because we have breach notification rules and enforcement rules. So privacy, security, what happens when the horse gets out of the barn, and what do we do to the people who let that happen?

Key terms, okay. The guidelines, like I said, are just making sure we can move it, keep it safe. We’ve got a link here to, you know, you can go and see and read more about what the government has to say. The government has a lot to say about this. This is a very complex topic, and there’s a lot of vagueness around it. There are, if you keep it simple, you can pretty much navigate 99% of all situations you will ever be in, and it really starts with the covered entity.

So the covered entity is the primary place where healthcare information is either being generated or it’s being processed. So that would be like your healthcare providers, your health plans, people who process claims, those kinds of things. Generally, it’s going – the ones that we’re going to encounter is going to be patient health information that’s generated in the clinical setting or through lead generation. So clinical setting obviously for the medical professionals, lead generation for the agencies or the in-house marketing person.

So when you’re doing business from a healthcare setting with outside vendors or anyone who’s going to be accessing that information, you need a business associate agreement. As an agency owner, I’m a business associate. The covered entity would be my client who I’m working with, and I’m to make sure that my agreement, my business associate agreement, says basically when I access your information to help you, I have certain responsibilities. And then if I’m accessing that patient health information, do I know what that is and do I know how to protect it?

And so here’s one of the things that happens when we’re dealing with medical information: there’s a lot of arguments around what is protected health information and what is not. PHI is kind of the catchall for all the different PHIs that are around privacy. So we have patient health information, private health information, protected health information – PHI. You will hear that described different ways. It’s all the same idea: what is your private information that is protected when you’re interacting with a covered entity?

And so here’s some examples: names, phone numbers, email addresses, you know, your social security number, account numbers, even – and Tom can go into this a little bit later – even your IP addresses. So there’s a lot that we need to make sure that we are either not touching or that we’re touching appropriately and put fences around our behavior.

Now, who do you need a BAA from, or who do you need to give a BAA to? Any vendor who comes in contact with that data. And so like an example might be, obviously, you know, your agency, your web host, your email provider, payment processor.

All right, so when you issue a BAA to someone as an agency, you establish what is in effect a compliance chain. And so let’s look at what a possible compliance chain might look like. Here we have the covered entity, which would be, you know, let’s just say the doctor’s office. Here we have the marketing agency, and here we have your web host like Kinsta. And let’s say the covered entity has signed up with an email marketing company, right? So everybody needs a list, and if they don’t have it through their EMR, then maybe they’re going through something like Active Campaign.

So as the marketing agency, I want to access their email marketing app. I want to make sure that, you know, their templates are set up, that I can help segment their list, but that information is protected, right? So for me to access their information, I need to issue a BAA. And something else to think about is Active Campaign also needs to issue the BAA. And just because a product says it’s HIPAA compliant does not mean that your account is HIPAA compliant. You still need to, even after you sign up for the service, you need to request the BAA.

Okay, so in that case, the compliance chain is the BAA is from the email marketing company to the covered entity and from the marketing agency to the covered entity. Now as a marketing agency, I also provide Kinsta hosting to my clients, which means that I sign up for it and I’m their liaison and I take care of everything. My provider of choice is of course Kinsta, and so when I am getting hosting from Kinsta, if I am to have PHI processed on those websites, then I need to have a BAA from Kinsta to me. Then I need to have a BAA from me to the covered entity. So the compliance flows through me, but it maintains the chain.

So we don’t want to break the chain anywhere. If something happens at my level, so let’s say that I have a breach somehow, you know, something’s been hacked or there’s been some type of violation where protected health information has come out when it was under my responsibility, then I have certain things that I have to do. And it is my responsibility one, to notify the covered entity and to set up in motion the breach notification process because in the compliance chain, I was the link of the chain that was weak. But if the chain is complete, then let’s say the covered entity now has responsibilities, you know, of notifying certain people.

So the big thing about the compliance chain is we want to know where the PHI is flowing and whose responsibility is it at the time, you know, as it’s flowing through the chain. One of the things you really want to do is have a visual workflow or a visual representation of where PHI is flowing in your business or, if you’re a marketer, where are you touching it, where are you interacting with it.

So here’s one of the ways that PHI could be flowing through, let’s say, a doctor’s office. So you’ve got your electronic health records, you know, you’ve got an accounting system, billing system, they might have an app where, you know, the patients talk to their doctors, and then, you know, obviously they’re going to be processing insurance. They’re going to hopefully have a vendor or partner like us who’s going to be taking care of their marketing.

Now it’s really good to know also to have a patient flow of when you’re, especially if you’re a marketer, how are you touching all the things. So you might have a flow like this, but it would look like we’re touching their email marketing, we’re touching leads that are coming in through social media, we’re touching when we manage their email list. So it’s really important to know all the ways that you as an agency touch patient health information and as you as a healthcare provider touch patient health information, and where do those things cross. Because that’s the way that we’re going to identify risks and put fences around things so that we can prevent breaches.

Breaches can be a pretty big deal, you know. The penalties can be pretty enormous. As you see here, this is updated for 2024, penalties tier one: if you had no knowledge and it didn’t really affect anybody but you just, you know, somebody uncovered a breach but it didn’t really get out, it was just exposed, right? You might only have a $137 penalty if it wasn’t egregious. Now if you didn’t have any knowledge and it affected millions and millions of people, it could go up to $2 million. For some of us, a $2 million violation or penalty is career-ending. For some people, that just might be a line item in their shareholder report, but for me, if I were to get a penalty, that would be a pretty serious deal.

And the penalties, as you can see per violation, they go up depending on your level of care that you have taken. Most of what they’re looking for when you’re being audited or when you’re being assessed for violations is how much protections did you have in place, how much did you know, and how are you, how did you work to prevent this, right? So if you didn’t put any work in to prevent this, like we’re talking willful neglect, your penalties are going to be much higher. And willful neglect that’s not corrected, that’s the big thing. But most of this can be prevented with just the right policies and plans and the right partners.

The partners that you put in place need to know what they’re doing, and one of the things that I have found as a marketer and as somebody who’s worked really close with healthcare providers is it’s extremely difficult to find a hosting company that knows what they’re doing. There are plenty of people out there doing HIPAA, but they don’t all know what they’re doing. And so it’s really on us to make sure that we are partnering with the right people. And so I’m going to hand this off to Tom where he can talk a little bit more about what goes into being that type of partner.

Thanks, April. Great stuff. We see a lot of covered entity medical practices coming to us looking for help getting their WordPress site HIPAA compliant. So there’s really three keys to HIPAA compliance from our perspective. So it’s the hosting in the infrastructure, your website platform, and in this case that is WordPress, and it’s ensuring that you have a continuous process in place so that you can monitor, audit, and manage everything regarding your website and your hosting infrastructure.

I’m going to rattle through some things here that we think are really important components of HIPAA compliance for medical websites. First off, you – this is an infrastructure thing, an infrastructure and tools that you need to have in place – data encryption. This is a big one, and there’s two terms here: there’s data encryption in transit and there’s data encryption at rest. And so what that means is that when data is transmitted through your website, like your forms that you might have, that data needs to be encrypted. So that needs to have an SSL or a secure socket layer in the transmission. So you have to have an SSL on your website.

The more tricky one and the less common one is you’re having your data encrypted at rest. And so this means things like encrypting your database, encrypting your backups. Those both need to be encrypted to meet the HIPAA requirements to have encryption in both transit and rest. In fact, interesting little sidebar here: let’s say that your backup is exploited or your database is stolen and it’s encrypted, that’s not even considered a breach under HIPAA. So if your data is encrypted, it is unusable. Encryption really helps you avoid some of the potential breaches that you might have on your hands.

Authentication – this is more of a tools and process at the site level, and this is a great recommendation for anyone using WordPress. You need to have named users and you have to have multi-factor authentication or two-factor authentication. Now why is this important? One of the things you need to have with HIPAA is you’ve got to have audit logs. So if you have a general user like support at your company or webmaster at your company, you can’t tie that back to a user. So without a named user in your site and that user having two-factor authentication, you really don’t know if someone, when they’re logging in, if it’s that person. Also, if it is a person, if they’re using a generic user login, you can’t tie that back to John Smith in your organization.

So one of the first things we do when we audit sites for HIPAA is we look and see are there any of these generic users like admin, do they – and we set up for customers multi-factor authentication. That could be email, it could be, you know, your – you get a code via email, your authenticator app, however you want to do it. This is a good security thing to have in place.

The next one, a little more complicated, physical security at your data center. So where is the physical server being hosted? Can anyone just walk in and walk up to the box and access it, or are there access controls? Is the data center compliant with HIPAA standards around access controls? Do they have badged entry? Are there biometrics in place? Do they have two-factor authentication, badge and biometrics to get into the actual physical presence of the server? So that’s really important to make sure you’ve got all the physical safeguards in place that are required by HIPAA.

Another really important component of HIPAA is having accessibility to your records. So this means backup redundancy and recovery processes. So having things like off-site backups that are encrypted, having a recovery process – what do you do if, you know, a meteor hits the data center? How do you get your backup of your data? You have to ensure that you’ve got accessibility of this data and that you can recover it and you have redundancy in place for this. Very important that you have good backup policies.

Again, we talked about a business associate. I want to unpack this a little bit more, and I think I’ve got a slide also for this again to talk about it, but everybody that’s in that chain that April talked about has to be covered under this business associate agreement. If you give access to your website to a designer or a support person or an engineer – I’ll give you a really good example for those of you in the WordPress space, this is a real-world example – let’s say you’ve got a problem with a plugin on your website, you’re having an error. I mean, you know, drop in support. If you’ve ever had the plugin company say, “Give us a user on your website so I can troubleshoot this,” that is a breach of HIPAA information if you give a user access to a site and that’s a medical site, of course, give a user access that is – you don’t have a BAA in place with. So you better have a BAA in place with that plugin developer if you’re going to give them access.

So all parties accessing this data – I’ll give you another really good example. We’ve partnered with Cloudflare, and we talked a little bit about how IP addresses are considered PHI, and that is true because an IP address can be tied back to an individual visitor. And if that visitor is on your website browsing pages about, you know, knee replacement surgery, HHS says you can vaguely infer between that browsing behavior and that IP address a medical condition with that person. And so that is considered protected health information.

Well, IP addresses all flow through Cloudflare because Cloudflare, for security purposes and encryption purposes, is in front of your website. Well, I’ve got news for you – you can’t get a BAA with Cloudflare unless you’re an Enterprise client. So Kinsta has that BAA with Cloudflare. So we have a BAA with the data centers, with the providers that are integrated into our system that might have exposure. So we have coverage of all of your components that you need to have in place, and we ensure that we meet those.

So that’s really important when you’re assessing vendors that you’re going to work with. You know, we see security plugins all the time, and those security plugins might send your IP addresses. You know, another good example of this is a lot of us love this plugin WordFence. Well, WordFence sends a daily or weekly summary with a bunch of the top IP addresses that it blocked. Those IP addresses could be considered protected health information, and if you just got them in your company email for your webmaster that’s not – you don’t have a BAA with, then again, you’ve broken the chain of custody of that protected health information.

Then lastly, regular audits. This is something that you’ve got to have processes in place, and if you’re a covered entity or medical professional, you know this. You probably have annual training on how to handle protected health information. At Kinsta, we have those same processes in place, so we train our team members on this. If you’re an agency doing this, you need to have your team members trained on how to handle protected health information, and you need a process in place to monitor what’s happening, particularly in the context of what we’re talking about – your website. Is it secure? Have no additional unnamed users been added? So there’s a whole process to audit your website to ensure you’re not out of compliance on any of this. So you need someone to be doing that on a regular basis.

What are the best practices for WordPress? I am a huge proponent – and this may seem like, well gosh Tom, it almost sounds like we don’t need, you know, to do this – I am a huge proponent of limiting risk as much as possible. This means doing things that are the best practices but also trying to just avoid putting PHI in WordPress. I don’t think that avoids you from the potential of having a HIPAA violation, but it certainly reduces the risk.

So what do I mean by this? Okay, I’m going to tell you stay on top of all your WordPress updates and plugins and security practices, put in two-factor authentication, do all of that stuff, but how do we avoid PHI in WordPress? Well, if you have a medical record system that gives you embeddable forms, don’t use forms like Gravity Forms in WordPress. If you have other tools that you know are HIPAA compliant, like scheduling tools for instance, embed those on your website, have your BAA with those tools and extend them to your website to limit any exposure you might have in your WordPress native database.

Now if you’re doing something like – by the way, there’s a bunch of compliance around WooCommerce that you need because you might be a pharmacy, you might be a dispensary, you might be a wellness spa. You may be all sorts of commerce-based. You can’t get out of having that data in WooCommerce, so you have to ensure you have things like database encryption and all of this stuff in place. But I like to avoid PHI in WordPress as the first layer of defense.

There are other things that you can do like, for instance – this is a real big gap that I see – a lot of people love things like SendGrid, which is an email provider. SendGrid is not HIPAA compliant and will not issue a BAA. So what does that mean? Well, if you are using WordPress forms, a lot of us love to get our forms and the submission details in our email. Well, if you have just emailed to a non-BAA covered email provider form data, or you’ve emailed it through a non-BAA covered email service like SendGrid, that’s a violation.

All right, so how do we ensure this? I got two pieces of great news for you. If you’re a medical professional and you use Google or Microsoft for your email, you can get an on-demand BAA right inside their portal. So you automatically have HIPAA compliance for your email. So that’s a great thing a lot of people don’t know about.

The other thing that’s really interesting is you can use Microsoft Forms. If you don’t have – let’s say you have a – you have a BAA. By the way, I would also recommend that if you are an agency, unless you really want to be in the middle of a BAA between your website technology and your customer, and that’s a business decision – we see agencies that are like, “I’m going to specialize in HIPAA compliance and I am going to have the BAA with the hosting company and with the form providers.” You could get like Wufoo, for example. They have a HIPAA-compliant form system that you can embed to the site.

You may choose as a business you want to have all of those things covered as the agency. You may also be like, “You know what? I’m just going to cover a BAA for the work that I do and my team, and all the vendor BAAs need to go directly between the vendors.” So I’m going to tell the covered entity, “Go get a Wufoo account. I will implement it on your site and you will have HIPAA compliance.” So that’s a decision for the covered entities on how they want to maintain their information, their compliance, and the agencies you work with.

But to that point, you can get out-of-the-box BAAs with Google and with Microsoft. And if you do that, implement your own Google account. Don’t use SendGrid, because if you send from and to your own email account, you have no issue with the chain of compliance there because you’ve not used – you can send that form to yourself an email as long as you’ve got a HIPAA BAA with your email provider. So that’s a good thing to have.

And even with all of this, you still need HIPAA-compliant hosting, and that’s because you still have a vector of potential liability and exposure there. You’ve got people visiting your site. Even if you’re not collecting patient information, your site’s picking up your IP address. It’s likely storing it in logs somewhere. So you do have that IP address thing, which is way harder to get out of with a hosting company.

Even if you’re not collecting form data, what are you doing about your Facebook and your marketing and your Google Analytics pixels? Who’s handling that for you? What happens if a marketing agency does a landing page for you? What happens if you have a user that’s added to your website that might have access, or a plugin was installed that’s collecting IP addresses and sending it elsewhere? You have an area of responsibility that you have to make sure your website is HIPAA compliant if you’re a covered entity.

So we’re going to talk a little bit about this, and I’m going to breeze through these a little bit because we kind of covered some of these a little, but data collection forms and email is a big source of frustration for everybody that’s involved in this compliance chain. Your form data needs to be encrypted, and I’m going to give you two things for this. One, it’s really easy if you use Kinsta – your database is encrypted, so your form data is encrypted. But there’s also another great plugin out there called WS Forms, and this allows you to do data encryption into the database without the database being encrypted, but you can encrypt your form into the database. So it’s like double encryption, okay? Or it’s encryption if you’re not going to encrypt your database, which you should. You have to encrypt your form data. Some – there’s some Gravity Forms, if you use Gravity Forms, there’s some encryption plugins that are out there.

Avoid storing submissions entirely. This is a great tip. You can disable in plugins like Formidable and Gravity Forms – disable storing this stuff. I know a lot of people like to store this in WordPress because they want to have that repository, but if you’ve got Microsoft Office and your covered entity has an Office account for their email and they’ve got a BAA, if you send that to an inbox in Microsoft Office, you basically have all of your options covered there. You’re not storing it in WordPress, you’re sending it out of WordPress, don’t store any email log of it in WordPress, and you’ve basically sent that – you’re shuttling that information through in an encrypted manner because you’re submitting it encrypted and it’s being transmitted through email encrypted. You’re now shuttling that data through the WordPress website and it’s not retaining it. And then make sure you have your BAAs in place with your email providers. So that’s some tips that I try to give folks for managing this data in their forms.

All right, this is hot off the presses everyone. By the way, Jono, thank you. Yeah, Code Monkeys does a really good Gravity Forms encrypted form solution that is for HIPAA compliance.

Tracking pixels – all right, everyone pay a lot of attention here because this is so hot off the presses. I’m going to do a video on this soon, but new guidance just came out at the beginning of July on this from HHS. There are a lot of questions here around “Can I put a Facebook pixel on my website and do retargeting?” No, you cannot. And here’s why, and I’m going to explain to you why this is relevant even with Google Analytics.

If you put a Facebook pixel on your website and your potential patients are browsing your website, that data is being sent back to Facebook and it is now married with that person’s identity. So you have shared browsing data relevant to potential symptoms, causes, medical conditions to Facebook that they can now identify because they know that that’s John Smith browsing your website. So that is a no-no because Facebook will not issue a BAA. So you cannot disclose browsing data on your site. Now you can disclose it if they’re like employees or non-symptom pages, but we’re splitting hairs at that point.

That’s what just came down from HHS. They just said if they are potential patients browsing information on your website about medical conditions, you cannot share that pixel data with third parties. That’s any retargeting pixels, Google ad pixels, any third-party marketing platforms that are enriching data. That is a big proceed-with-caution sign for marketers.

Here’s the other thing: Google Analytics has a feature that allows them to tie people’s browsing data from their desktop, because they’re logged into Google, to their cross-device session data on their phone. So if they’re browsing your site on their phone, then they come to it on their desktop, Google can tie those two together because that user was logged in to their mobile device and their Google account when they browsed your site. That is also a no-no. You have to turn that ability off. There’s advanced attribution tracking and all this stuff in Google, and what is tricky about it is they were really forced to do this through GDPR, I believe, but they didn’t use to do it, then they did it on new accounts, and so you have to check your Google account to see if it’s compliant.

All right, BAAs and agencies – this is another important topic, and I think it’s really important because as a medical professional, you need a really good agency to rely on for all things WordPress: updates, marketing tools. You need agencies that know the type of stuff we’re talking about here. You need to make sure – ask your agency, “Are you going to sign a BAA?” Because you’ve got to have that if they’re going to have access to your website, because they’re going to have access to IP addresses at the least. You need to make sure that they know how to follow the best practices. As agencies, don’t put in “webmaster” or “support”, these generic accounts. Make sure you’ve got two-factor authentication. Make sure your agencies are trained in how to handle and dispose of the protected health information in proper ways. That’s all really important for you.

As an agency, just because you do not provide HIPAA-compliant services does not mean that you are not on the hook for responsibility from HHS if it ever comes down. If you work with medical professionals and you’re an agency, you really need to understand you have responsibility here, even if you don’t offer HIPAA-compliant agency services and even if you have not signed a BAA.

Well, that wraps up my part. We do have some free offers for you. We have a HIPAA compliance checklist, and then April offers a course called Medical Marketing Unlocked. It’s really for agencies. I don’t know if you mind if I give a little pitch on this. She’s offering a tremendous value, a discount on this. If you’re an agency on the call with us and you’re interested in offering HIPAA compliance services and you want training on how to do every aspect of that, soup to nuts, this training is world-class. I’ve been through it, and it’s really, really great. April, I don’t know if you want to say anything else about your course?

Mostly, it’s really hard to learn all of this on your own because there’s so much information and it seems like a big hill to climb. What I did was take my experience of having learned it on my own and distill it into an easy-to-understand, easy-to-digest plan for getting a really good overview, so you can feel safe and secure going out and knowing how to navigate this, how to find good providers, and how to assess them. And that’s how I know that I feel comfortable sitting here with Kinsta, because I’ve learned how to assess my providers.

Thank you, everyone. We really appreciate it. We thank you all for attending, and look for an email from us on our upcoming webinar on WooCommerce. Thanks, everybody.

Wow, that was fantastic. So we really appreciate that Tom and April gave us such a great presentation, allowed us to put that out. What a fantastic presentation.

[End of transcript]
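The pixel discussion above (tracking pixels sending browsing data to Facebook, Google Analytics and other third parties) is something you can audit rather than take on trust. The script below is an added example, written for this page and not part of the presentation or of any Convesio/Kinsta tooling: it parses a page’s rendered HTML and flags script sources, inline scripts and pixel images that point at well-known third-party trackers. The tracker list is an illustrative assumption (extend it for your own site), and the sample HTML is constructed to look like a typical clinic page with a GA4 snippet and a Meta Pixel installed.

```python
"""Scan rendered HTML for third-party tracking pixels (added example, not from the webinar)."""
import re
from html.parser import HTMLParser

# Assumption: an illustrative, non-exhaustive list of tracker fingerprints.
# Each entry is a tracker name and regexes matched against script src attributes,
# inline script bodies, and img/iframe src attributes.
TRACKER_PATTERNS = {
    "Meta Pixel": [
        r"connect\.facebook\.net/.*fbevents\.js",
        r"facebook\.com/tr\b",          # <noscript> fallback image pixel
        r"\bfbq\(",
    ],
    "Google Analytics / gtag": [
        r"googletagmanager\.com/gtag/js",
        r"google-analytics\.com/(analytics|ga)\.js",
        r"\bgtag\(",
        r"\bga\(",
    ],
    "Google Tag Manager": [r"googletagmanager\.com/gtm\.js"],
    "Google Ads remarketing": [r"googleadservices\.com/pagead/conversion"],
    "LinkedIn Insight": [r"snap\.licdn\.com/li\.lms-analytics"],
    "TikTok Pixel": [r"analytics\.tiktok\.com/i18n/pixel"],
}


class _Collector(HTMLParser):
    """Collects candidate strings: external script/img/iframe URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.candidates = []   # list of (where, text)
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script_buf = []
            if a.get("src"):
                self.candidates.append(("script src", a["src"]))
        elif tag in ("img", "iframe") and a.get("src"):
            # <noscript><img src="…/tr?…"> is how the Meta Pixel fires without JS
            self.candidates.append((f"{tag} src", a["src"]))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf).strip()
            if body:
                self.candidates.append(("inline script", body))
            self._script_buf = None


def find_trackers(html: str) -> list:
    """Return one finding per page element that matches a known tracker fingerprint."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = []
    for where, text in parser.candidates:
        for name, patterns in TRACKER_PATTERNS.items():
            if any(re.search(p, text) for p in patterns):
                evidence = text.splitlines()[0][:80]
                findings.append({"tracker": name, "where": where, "evidence": evidence})
                break  # one finding per element, even if several patterns hit
    return findings


# Constructed sample: a clinic page with GA4 and a Meta Pixel (placeholder IDs).
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXX');
</script>
<script>
  !function(f,b,e,v,n,t,s){/* loader */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<script src="/wp-content/themes/clinic/js/main.js"></script>
</head><body><h1>Symptoms and treatment options</h1></body></html>"""


if __name__ == "__main__":
    for f in find_trackers(SAMPLE_HTML):
        print(f"{f['tracker']:<26} {f['where']:<14} {f['evidence']}")
```

Run it against the HTML a visitor actually receives (for example, saved from the browser after the page has fully loaded, or fetched with the same cookies a logged-out visitor would have), since plugins and tag-manager containers can inject pixels at runtime that are not visible in the theme’s source files. A clean first-party page produces an empty list; anything it flags on a symptoms or conditions page is exactly the kind of disclosure the HHS guidance discussed above is about.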

Rob is a founder of West Orlando WordPress and an online business coach and digital marketing consultant at Webidextrous.com.