GTM is probably unique in your tech stack in that it itself does not collect any data – instead, it provides a container with easily configurable tags, triggers, & variables that allow you to control exactly what tracking tools are on your website and how they send information back and forth. Common tags to have in GTM include:

• Google Analytics: The most popular analytics tool in the world, GA ties directly into GTM with minimal setup.
• Conversion Tracking Pixels: Google Ads, Meta Ads, LinkedIn Ads, and most other digital advertising platforms can use a conversion tracking pixel on your site to improve ad performance. At Hedy & Hopp, we consider these pixels to be a high risk in terms of HIPAA-compliance, since they share user data with third parties.
• Engagement/UX tools: Heatmapping tools like Lucky Orange, A/B testing tools like Optimizely, and countless other tools are routinely installed via Google Tag Manage

A good way to look at GTM through the lens of HIPAA-Compliance is that it can be the vehicle for compliance issues, and that it completely depends on how a specific site is using their tagging setup. A GTM container can manage tags for everything from a Google Search Console verification tag (completely HIPAA-compliant) to a Facebook Pixel that is gathering personal data about users who may be visiting sensitive pages on a site (completely non-compliant!). 

PRO TIP: As a general rule, conversion pixels are concerning in terms of HIPAA-compliance and should be avoided. Learn more about the recent updates in HIPAA guidance by listening to our HIPAA & FTC 101 podcast.

While Google Tag Manager supports some obfuscation options that grant some level of increased data privacy and protection, this is not a watertight approach. Often, the obfuscated data is still being shared with some third party processors. Server-side Google Tag Manager (sGTM) can be a much safer approach, offering more options for data privacy and allowing users to completely control which data is shared (and not shared) with each platform. 

If you want to assess your GTM risk in it’s current set up, a great place to start is by extensively documenting the functionality of each tag in your account. From there, you can assess the risks of each tag and make a plan to improve data privacy. 

PRO TIP: While server-side tagging is not for everyone and does not eliminate issues associated with third party tracking tags, this approach puts more power in the hands of your team to ensure that you are protecting your users’ data.

LinkedIn collects a variety of personal and technical data from its users, including:

• Profile Data: LinkedIn collects information from user profiles, including job titles, industries, company affiliations, educational background, skills, and interests. This data is used to target ads to specific professional audiences based on their profile information.
• Demographic Data: LinkedIn may collect demographic information such as age, gender, location, and language preferences. This data helps advertisers target specific demographics for their campaigns.
• Engagement Data: LinkedIn tracks user engagement with ads, including impressions, clicks, likes, comments, and shares. This information helps advertisers assess the effectiveness and impact of their campaigns.
• Website and Conversion Data: If advertisers use LinkedIn’s conversion tracking or retargeting features, LinkedIn collects data related to website visits, conversions, and actions taken by users on their website. This data helps measure the success of advertising campaigns in driving desired outcomes.
• Ad Interaction Data: LinkedIn collects data on how users interact with ads, such as ad views, interactions, video views, and form fills. This information helps advertisers understand user behavior and optimize their ad creative and messaging.
• Pixel Data: LinkedIn provides a tracking pixel called the Insight Tag that can be placed on advertiser websites. This pixel collects data on website visits, page views, and conversions, enabling better ad targeting and measurement.
• Third-Party Data: LinkedIn may also use third-party data sources to supplement its own data and provide additional targeting capabilities. These sources may include data providers that offer insights on professional attributes, interests, or intent.

Remember – just because a targeting option is available does mean that you should use it. In fact, taking advantage of features that could make your campaigns more effective could be what compromises your HIPAA compliance. 

After the updated guidance from the Department of Health and Human Services was released, things haven’t exactly been black and white as far as whether or not this crosses a line, but from our perspective, it really depends on how you use the platform – specifically the Insight Tag. Conversion pixels can compromise HIPAA compliance in a few ways. 

• First, they can collect PHI without the user’s knowledge or consent. This is because conversion pixels can track users across multiple websites, even if they are not logged in. 
• Additionally, conversion pixels are often used to retarget users with display ads. This can be a serious violation, as it can expose sensitive content that individuals have been viewing about specific diseases, illnesses, or conditions.

While LinkedIn only keeps personal data collected from the Insight Tag for 180 days, there is a lot that can be done with this data in that time period. The HHS is also very specific that the sharing of, or even the ability to access any personal health information is a violation.

Pro Tip:

LinkedIn is somewhat unique in that healthcare marketers may be using the platform to reach a different audience than prospective patients. For example, if a healthcare marketer is using LinkedIn to reach HCPs (healthcare professionals) HIPAA may not even apply to those efforts.

That being said, there are also some tactics available in LinkedIn Advertising that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing, lookalike audiences and uploading target lists. It is also important to consider other tools that have access to your LinkedIn data, including optimization and data visualization software.

As with most advertising platforms, there are steps that can be taken to mitigate risk and to protect your users’ data as much as possible. Some good rules of thumb are to limit conversion pixels as much as possible, consider a server-side tagging strategy, and to ensure that you are not using predatory tactics to reach people with a specific condition or disease.

As with anything HIPAA-related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible.  

Pro Tip:

It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Similar to Google Ads, YouTube relies heavily on the user being signed into their Google Account (which automatically becomes their YouTube account) in order to track behavior across a wide range of touchpoints. This means that YouTube collects the following data on its users:

• Device information: This includes your device’s IP address, operating system, and browser type.
• Search history: This includes the keywords you’ve searched for and the websites you’ve visited.
• Ad interactions: This includes whether you’ve clicked on an ad, how long you’ve viewed an ad, and whether you’ve taken any other action after seeing an ad.
• Location data: This includes your approximate location based on your IP address.
• Session data: This includes your web browsing history.

Additionally, even just embedding a YouTube video on a website could be cause for concern, as the iframe sends information back to DoubleClick, the base advertising platform that Google uses. This means that users watching a YouTube video embedded on a third party site could have that video’s contents tied to their Google profile, which could potentially reveal sensitive health information about that user.

After the updated guidance from the Department of Health and Human Services was released, things haven’t exactly been black and white as far as whether or not this crosses a line, but from our perspective, YouTube advertising is certainly one that your team should think critically about, especially when you consider the long list of Google’s subprocessors, who could potentially have access to any and all data collected. This is especially true if you’re adding a Google tracking pixel to your website. 

Furthermore, there are also some tactics available in YouTube Advertising that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing and lookalike audiences. It is also important to consider other tools that have access to your YouTube data, including optimization and data visualization software.

As with most advertising platforms, there are steps that can be taken to mitigate risk and to protect your users’ data as much as possible. Some good rules of thumb are to limit conversion pixels as much as possible, consider a server-side tagging strategy, and to ensure that you are not using predatory tactics to reach people with a specific condition or disease.

As with anything HIPAA-related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible.

Pro Tip:

It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.