Patient Privacy is 2025's Most Important Healthcare Trend

written by Steve Sobenko

January 2025

I'll admit from the start that it will be one trend (singular), not trends (plural). I'm not big on 2025 predictions, as fun as they might be for seeing what we get right or wrong. What I can tell you is my Evergreen Trend for Healthcare in the technology, CMS and DXP space: patient privacy. Always has been, always will be. While we're on the topic, I'll make one prediction as well, if you stick with me until the end.

Let's first look at where we are in the landscape of digital front doors to healthcare systems over the last few years.

A CMS (Content Management System) or DXP (Digital Experience Platform) can serve as a powerful "digital front door" to healthcare by providing patients with immediate online access to information, services, and care options. They enable healthcare providers to curate and personalize content that helps patients navigate "before the walls" care, such as scheduling appointments, accessing health resources, and educating themselves on care options. By unifying patient data and integrating with existing systems, these platforms create a seamless, patient-centric digital experience that fosters engagement and trust even before patients set foot in a physical facility.

As a Technology Agency, Nishtech leverages a lot of tools to make this happen. Some of these tools put us on thin ice with considerations regarding patient privacy and regulatory compliance. These platforms often handle Protected Health Information (PHI), which means they must meet stringent HIPAA requirements for data security, access controls, and confidentiality. Balancing advanced digital capabilities with compliance involves implementing robust safeguards, such as data encryption, role-based access, and Business Associate Agreements (BAAs), to protect PHI while still delivering a seamless, personalized patient experience.

In October 2022, Advocate Aurora Health, a 26-hospital healthcare system in Wisconsin and Illinois, disclosed a data breach that exposed the personal information of 3 million patients. Advocate Aurora Health Inc. has agreed to pay $12.25 million to settle a consolidated class action lawsuit that accuses the nonprofit healthcare system of sharing users' personal information without their consent with third parties like Meta and Google through a tracking pixel.

This incident shook our world. Our clients were leveraging tracking, marketing and analytics tools from Google, Meta, Adobe and others without batting an eye. This sent us into proactive lockdown mode: disable it all, turn it all off, remove any potential for an incident.

Unfortunately, not everyone did. Not everyone was paying attention. A recent analysis of healthcare websites by Lokker still found widespread use of Meta Pixel tracking code: 33% of the analyzed healthcare websites still use it, despite the risk of lawsuits, data breaches, and fines for non-compliance with the HIPAA Rules. The most common trackers used by healthcare organizations were from Google (googletagmanager.com, doubleclick.net, googleanalytics.com, google.com, googleapis.com, youtube.com), Meta (facebook.com, facebook.net), ICDN (icdn.com), and Microsoft (linkedin.com). 3% of healthcare companies had trackers on pages containing video players, putting them at risk of VPPA lawsuits.

In further research, we found hundreds of breaches and cases under investigation by the U.S. Department of Health and Human Services Office for Civil Rights, which publishes its breach portal, the "Wall of Shame" (linked in the Sources below).

Nishtech is HIPAA Ready

For the dozens of healthcare clients Nishtech supports, we initially took the better-safe-than-sorry approach. This also left our clients and marketing teams blind. How were patients finding care on our sites? How were they using search? How were our campaigns performing? How could we still personalize content to quickly connect patients to the care they were seeking? We had crippled the features and functionality of our DXPs and lost all our data and insights.

We took a step back and realized patient privacy didn't need to be all or nothing. So we took the appropriate steps to start enabling insights and measurement responsibly and within compliance. How?

1. Understand what constitutes PHI under HIPAA, and understand where you're collecting it.
2. De-identify and/or aggregate data wherever possible; most importantly, enable IP anonymization.
3. Use a HIPAA-compliant DXP and vendors, or obtain a BAA. Luckily our two biggest tools in the toolshed, Sitecore and Optimizely, both announced HIPAA-ready solutions for healthcare and life science organizations in 2024.
4. Disable or carefully configure tracking pixels and third-party scripts.
5. Implement "minimum necessary" data collection.
6. Post and adhere to a detailed privacy policy. Your website's privacy policy should clearly state (1) what data you collect, (2) how you use it, and (3) whether it's shared with third parties.
7. Regularly audit and vet your tracking setup.
8. Train staff and maintain policies.
9. Consult legal counsel for complex cases. It's complex and ever-changing.
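Steps 4 and 7 above, as an added example that is not code from the original post or from Nishtech: a small Node.js audit that scans a page's HTML for the tracker domains named earlier in this post and flags tracker use on pages that embed video (the VPPA exposure). The sample page, its script URLs and its IDs are constructed placeholders.

```javascript
// Added example, not code from the original post: audit a page's HTML for the
// tracker domains the post lists and flag tracker use on pages that embed video
// (the VPPA exposure). Static regex matching is a first pass only; tag managers
// inject trackers at runtime, so a real audit also checks rendered pages.
const TRACKER_DOMAINS = {
  Google: ["googletagmanager.com", "doubleclick.net", "googleanalytics.com",
           "google.com", "googleapis.com", "youtube.com"],
  Meta: ["facebook.com", "facebook.net"],
  ICDN: ["icdn.com"],
  Microsoft: ["linkedin.com"],
};
// Collect src/href URLs from script, img, iframe and link tags.
function extractResourceUrls(html) {
  const re = /<(?:script|img|iframe|link)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}
// Resolve relative and protocol-relative URLs against a placeholder first-party origin.
function hostOf(url) {
  try { return new URL(url, "https://first-party.invalid").hostname.toLowerCase(); }
  catch { return ""; }
}
// Returns every matched tracker plus whether the page embeds video and whether
// a non-video tracker sits on that video page.
function auditPage(html) {
  const trackers = [];
  for (const url of extractResourceUrls(html)) {
    const host = hostOf(url);
    for (const [vendor, domains] of Object.entries(TRACKER_DOMAINS)) {
      const domain = domains.find(d => host === d || host.endsWith("." + d));
      if (domain) trackers.push({ vendor, domain, url });
    }
  }
  const hasVideo = /<video\b/i.test(html) || trackers.some(t => t.domain === "youtube.com");
  const vppaRisk = hasVideo && trackers.some(t => t.domain !== "youtube.com");
  return { trackers, hasVideo, vppaRisk };
}
// Constructed sample page (placeholder IDs), typical of a "find a doctor" page.
const SAMPLE_HTML = `<html><head>
<script src="/js/site.js"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
</head><body><h1>Find a Cardiologist</h1>
<iframe src="https://www.youtube.com/embed/PLACEHOLDER"></iframe>
<img src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView" width="1" height="1">
</body></html>`;
function sampleReport() { return auditPage(SAMPLE_HTML); }
```

Run against a crawl of every public page, the report becomes the checklist for step 7: each hit is either removed, moved behind a vetted BAA-covered vendor, or documented as an accepted exception.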

My 2025 Prediction

If you stuck with me this long, here's my prediction: the next high-profile, in-the-news breach on the scale of the Meta Pixel incident will involve AI. 56% of AI tools in healthcare have not undergone comprehensive ethical evaluations before being implemented.

It could come in the form of a chatbot that uses patient input to train its LLM and logs PHI in unsecured transcripts. It could come in the form of clinics using AI-enabled voice assistants in exam rooms to help document notes.

It may come in the form of AI data analyzers scraping privileged EHR records. It may come in the form of "before the walls" AI-powered triage systems that expose diagnostic data and use it to train broader models.

AI greatly expands the attack surface. So how can you be safe? Not that differently from how we've handled the analytics issue. Know your entry points. Trust your platforms and vendors. Disable anything you haven't properly vetted and don't know to be HIPAA ready. Audit regularly. Most importantly, consult your legal counsel.

Let's check back in 2026 and hope I'm wrong and not known as the Nostradamus of Healthcare DXP Predictions.

Sources:

https://www.hipaajournal.com/one-third-healthcare-websites-meta-pixel-tracking-code-2024/
HHS "Wall of Shame": https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Nabla's The Healthcare Leader’s Checklist For Choosing an Ambient AI Assistant With Strong AI Governance: https://go.beckershospitalreview.com/hitwp/selecting-effective-compliant-ai-the-healthcare-leaders-checklist
https://www.who.int/news/item/16-05-2023-who-calls-for-safe-and-ethical-ai-for-health

Steve Sobenko

Steve is a seasoned technology professional with over 20 years of experience leading cross-functional teams and delivering enterprise web solutions. With expertise in front-end and back-end development, cloud computing, security, and analytics, he’s been at the forefront of digital transformation since the early days of the web. Steve is passionate about helping clients achieve their business goals through innovative, scalable technology solutions.