27. August 2024
Disclaimer: HIPAA law is intricate and open to interpretation. It is crucial to consult with legal counsel when determining the appropriate security measures and data collection practices for your organization. This article addresses Valtech’s interpretation and understanding of Sitecore HIPAA considerations from an evolving DXP (Digital Experience Platform) practice perspective and should not be regarded as legal advice or binding on Valtech or Sitecore in any manner. Valtech is an experienced innovation company and Platinum Sitecore partner. We implement the Sitecore platform for clients, work collaboratively with Sitecore and many other platforms in the healthcare sector.
An expanded definition for protected patient healthcare information
Digital experiences in consumer healthcare experienced a major shift recently which has raised the bar for security and left many experience platforms running to catch up. In December 2022, the U.S. government's revised interpretation of HIPAA brought significant changes to the digital marketing landscape for healthcare providers and payers. Historically, digital operations in healthcare have centered around safeguarding patient information, particularly data collected through forms or other transactional elements, by ensuring these elements were secure and isolated from exposure through unsecured systems. This data was protected by HIPAA because it could contain “PHI” (Protected Health Information), the class of data defined and protected by HIPAA law.
However, with the new 2022 guidelines, it became evident that behavioral tracking, essential for both analytics and personalization, would also be classified as either protected or PHI. For instance, a user browsing a hospital web site about a medical topic was previously viewed as not generating a PHI record, but now would be viewed as protected or PHI. The combination of a unique identifier (such as an IP address or MAC address) in combination with a captured interest in a medical topic was now in the same category as a diagnosis or confidential conversation with a doctor. This shift in definition prompted Martech vendors, including Sitecore, to reassess and elevate both their technical and legal strategies to meet the heightened standards of patient data protection — with some platforms getting out of healthcare entirely.
Sitecore responds to updated definitions
Sitecore has long been a preferred DXP platform within the healthcare sector due to its robust security features, extreme experience flexibility, and seamless integration capabilities. With the introduction of new SaaS products like Customer Data Platform (CDP) and Personalize, Sitecore’s potential to deliver highly valuable and sustainable personalized experiences for patients and physicians has expanded dramatically. However, the implementation of these advanced features in healthcare was blocked by the implications of the new HIPAA law guidance.
The main areas impacted were behavioral tracking and form-based data collection within various Sitecore products. These processes required a thorough review and some re-engineering to comply with the updated HIPAA guidance. Consequently, Sitecore embarked on developing a revised compliance approach to HIPAA, particularly focusing on their newer SaaS offerings rather than XP and XM. By June 2024, Sitecore had rolled out the technical updates, policies, and training that enabled the company to sign Business Associate Agreements (BAAs) in association with certain products, with responsibilities and obligations as business associate when handling PHI both technically and legally. Such agreements require that the business associate implement appropriate safeguards to prevent unauthorized use or disclosure of PHI.
In response, Sitecore says it has undergone a significant overhaul of its technical infrastructure approach and human resource systems to ensure the highest levels of security, auditability, and data segregation necessary to manage the legal and compliance risks associated with PHI. Sitecore says that through these changes and establishing BAAs with its clients, Sitecore has formally committed to maintaining HIPAA-compliant practices in handling protected health information.
Shared responsibility
For developers and organizations building on Sitecore’s platform, these updates potentially mean that there is now a version of Sitecore that meets the stringent December 2022 HIPAA requirements. The SaaS model’s promise of low-overhead management may now extend to the personalized healthcare interactions, including transactional exchanges with patients. Sitecore's HIPAA-compliance documentation details the shared responsibilities between the platform and developers, emphasizing the need for adherence to best practices in handling PHI when utilizing features like CDP and Personalize.
Healthcare organizations adopting Sitecore must also ensure that they implement proper HIPAA controls, training, and security measures throughout their digital operations. The platform's built-in controls are powerful but require that users are well-versed in HIPAA regulations to prevent potential data leaks, such as mishandling behavioral tracking data from CDP. It’s crucial to explore and understand how these technologies integrate into the broader HIPAA security framework of a given healthcare organization. However, this is only possible because Sitecore has created the framework to adapt to what most healthcare organizations need.
Next generation, regulated experiences
The introduction of CDP, Personalize, and the scaled-down version of Personalize available with XM Cloud opened up new opportunities for healthcare providers that were frustratingly out of reach. These much-needed tools are far more flexible and extensible than the previous Sitecore XP offerings, enabling multi-step journey orchestration, deeper integration with other custom data sources, and a comprehensive approach to omnichannel personalization. The modular nature of CDP and Personalize means that their HIPAA-compliance extends beyond experiences delivered through Sitecore’s DXP, potentially unlocking significant value for healthcare organizations.
Valtech has closely monitored these developments with Sitecore since the new guidelines were introduced and has played a role in advising Sitecore on the technical and legal challenges associated with HIPAA compliance. Based on Sitecore’s announced approach, the opportunity to create compelling, secure consumer healthcare experiences on Sitecore has never been greater. With this combination of new capabilities, enhanced architecture, and rigorous HIPAA security, Valtech offers unmatched strategic and technical expertise to help your organization fully leverage these advancements and establish Sitecore as the foundation for data-driven, contextually relevant customer experiences.
What is your best approach in healthcare to the Sitecore DXP Roadmap?
At Valtech, we are deep in the nuances of integrating Sitecore within the U.S. consumer healthcare. Our approach is rooted in a deep understanding of the technology and a commitment to addressing the unique challenges and opportunities it presents. As things evolve, so too does our strategy, assuring we get the maximum value from the platform. Talk to us about how we can take your Sitecore platform practice — and your digital experiences — to the next level.
