 Podcast

Apr 2, 2026

Roetzel HealthLaw HotSpot: How to Stay HIPAA Compliant When Using Health Care Analytics

Host Ericka Adler is joined by Roetzel shareholder Christina Kuta to explore how analytics are used in health care practices and what providers need to know about HIPAA compliance. They discuss how patient data is collected through digital tools like websites and email marketing, and when that data may be considered protected health information. The episode also covers common risks, including improper data sharing with third parties. Additionally, Ericka and Christina share practical guidance on protecting your practice, from understanding what’s being tracked to ensuring vendors meet HIPAA requirements.

To watch the episode on YouTube, click here. To listen, download the episode on Apple Podcasts or click here.

Transcript

Ericka Adler:
Hi everyone, welcome to the HealthLaw HotSpot. I'm Ericka Adler, shareholder and leader of the health care practice at Roetzel & Andress, and I'm joined by Christina Kuta, also a shareholder and member of our health care practice. Today, we're going to be talking about analytics.

Now, you might be wondering, what does that have to do with the health care practice? But in fact, whether you realize it or not, your practice may be actually gathering analytical information about patients and others through its websites, through marketing emails, and other means. We're going to talk a little bit about how you're collecting it, and how you need to handle it, and what some of your legal obligations might be.

So, thanks, Christina, for being here, of course.

Christina Kuta:
Thanks for having me.

Ericka Adler:
So, let's start off by talking about what kinds of analytics are practices creating, and how are they gathering this information?

Christina Kuta:
Sure, we're using analytics as a broad term. We're lawyers, neither one of us is a tech person, so we're using it as a broad term for the things you can track, the information about people. When you're sending out a marketing email, when you're receiving electronic correspondence from patients, if you have a website and people are going to your website, there's traffic.

There are different things that can be tracked electronically and stored and used by health care practices related to all those different electronic communications. That's kind of what we're talking about when we use this umbrella term of analytics.

Ericka Adler:
Okay, perfect. So, once you've gathered all this information, what are the restrictions on what you can do with it for a practice?

Christina Kuta:
So, the biggest thing, and there are a lot of different laws out there, different states have laws regarding collecting personal information, and what you can do with personal information, and those are things that always need to be considered, but for health care practices in particular, there's sort of the big behemoth, which is HIPAA.

I don't need to go into what HIPAA is, I think anyone watching this knows what HIPAA is, but HIPAA basically protects PHI, which is personally identifiable health information that's somehow related to or in conjunction with some sort of particular information about someone's health. So, things like a name, an IP address, a phone number, you know, someone's social security number, where they live, email address, all those things are considered identifiable information. And when in connection with a health service, or in connection with somebody's health-related information, this can become HIPAA protected.

Ericka Adler:
Okay, so let's talk a very practical example. How might a practice find itself gathering this information in an everyday kind of sense?

Christina Kuta:
A common example that we see a lot is a practice will have marketing communications or marketing information on a website. They've asked patients if they are willing to receive marketing communications from the practice. They agree, they say, yes, we're happy to do that, and the practice might send out some sort of email or some sort of information electronically regarding maybe a vendor or a service that the practice can offer. And when patients click on a certain link, or open an email, and they review that information, it can collect certain information about the person that did click on the link. And that can be considered, potentially, depending on what's stored and what's being tracked, HIPAA-protected information.

So, what the practice uses that information for, and how they disclose that information could potentially implicate HIPAA. Like, for example, we just recently had a client who wanted to send out marketing communications about a service they offer, and this service is of a product that comes from a third party, a vendor they work with.

They wanted to be able to take some of the pixel information and analytic information that they tracked with these marketing blasts and provide it to the third-party vendor so they could use it for their marketing purposes. That right there is an example of a potential HIPAA violation. Tracking that information and giving it to a third party can only be done if it's in a HIPAA-compliant manner.

Ericka Adler:
Okay, makes sense. So then, how do you get permission of the patient, then, to be able to use it that way, and are there restrictions on who you're giving it to, as well?

Christina Kuta:
Sure. So, in the example I just gave regarding the marketing communication and wanting to provide tracked information to the third-party vendor, there are really only two ways that can be done. One is specific authorization: the patient has to authorize that information going to that vendor. Consent to receive marketing information is not enough. It has to be a specific authorization of the specific information to that specific vendor that meets certain bells and whistles that are required by HIPAA.

And it can't be a universal authorization where, you know, I'm authorizing my tracked information to go to any third-party vendors. Doesn't work that way. It has to be detailed for specific information to a specific vendor. That's one way. Another way would be if the third party is considered a business associate of the covered entity, the practice. And oftentimes, I will have people that'll say, oh, I want to provide information to somebody, I'm going to make them a business associate so I can do that. Doesn't work that way. 

What a business associate is, is defined by HIPAA, and it's essentially someone providing a service on behalf of the covered entity. So, for example, if there was information that needed to be collected, and that third-party vendor was actually providing a marketing service or some kind of data aggregation service, let's say, for purposes of the covered entity, then they might be deemed a business associate and are allowed to have access to that information. But they only can do that if the covered entity and the business associate have entered into a HIPAA-compliant written business associate agreement.

Ericka Adler:
Now, whether or not this information is secure is only as good as the company that you're doing business with as well, correct? So, obviously, some diligence needs to be done about these companies that you're entering into these marketing or other relationships with, because just because they sign a business associate agreement with you doesn't really mean they're meeting the standards, right? I mean, some of these companies could be anywhere in the world. And just make you feel good about the precautions that they're taking, but really, they're not taking any.

Christina Kuta:
Yeah, you need to ask questions. You need to find out what sort of electronic health platforms they use, how they're storing data, where they're storing data, are they meeting certain HIPAA requirements related to their actual hardware, software, the information they're keeping, is it HIPAA compliant? And there are certain certifications that businesses can get to show that they're HIPAA compliant.

You want to see if they have those, and you want to make sure your business associate agreement has everything in it that HIPAA requires, but also other potential terms, such as indemnifications, making sure that the business associate has insurance to cover costs if there happens to be a breach. These are definitely things you want to consider. Just saying, okay, I'll make you a business associate, sign this, isn't necessarily enough to insulate you from a HIPAA violation.

Ericka Adler:
And HIPAA insurance specifically for the practice is always a great idea as well.

Christina Kuta:
Absolutely.

Ericka Adler:
Alright, so obviously this is a really complex topic. We really just want to make people aware, if they're not, that they are collecting this information. They may not even be aware that this information is being collected if they're using a vendor that they're doing business with. So, start asking questions. Is somebody that you're working with collecting this information if they're managing your marketing? Managing your website? What is being done with this information? Is it being kept in a secure manner, and are you using it in a way that you've gotten permission to use it? So, basically, a whole host of questions that we're hoping this podcast will kick off for some of our practices that are listening. Any other advice that you want to share on this topic?

Christina Kuta:
Yeah, definitely make sure you know what's being tracked. Ask questions if you're using a vendor for certain communications.

Ask what they track, what they store, why they're doing it, to be aware of that. Another thing is, while we always recommend working with knowledgeable health care counsel if you have any questions regarding the services or the communications you're providing, a good initial start is a guidance document the Department of Human Services has published called “Use of Online Tracking Technologies.” If you search for that, you can find it, and it gives you a good high-level overview of what the HIPAA concerns are, things you should be looking for, and things you should be doing to try to minimize your risk of violating HIPAA.

Ericka Adler:
All right, perfect. Well, if anybody has any questions on this topic, you know where to find Christina, and you know where to find me, please reach out. We're happy to answer any questions. This has been the HealthLaw HotSpot. You can catch more of our podcasts at ralaw.com.