
Are Google Call Tracking Numbers HIPAA Compliant?

The answer is NO. The Google call tracking numbers have no BAA, and the data about who calls you, their origin and sometimes even the recordings are stored on non-HIPAA compliant servers. This makes them non-HIPAA compliant, which means they may not meet the specific requirements set by the Health Insurance Portability and Accountability Act (HIPAA) for handling Protected Health Information (PHI). Here’s a more detailed breakdown of the concerns and what you need to consider:

1. What is Call Tracking?

  • Google Call Tracking is a feature that allows businesses to track phone calls generated through their digital ads or websites. When users click on a phone number or call directly from an ad, Google provides a unique tracking number that can capture call data, such as the source of the call, call duration, and caller information.

2. Why Are Call Tracking Numbers Not Automatically HIPAA Compliant?

  • PHI Exposure Risk: If a patient’s personal health information (e.g., medical history, symptoms, diagnosis, treatment plans) is discussed over the phone, and a Google call tracking number is used, the call data could potentially be logged and stored in a way that exposes sensitive health data.
  • Data Storage: Call tracking services like Google typically store data such as phone numbers, call duration, and call recordings in cloud-based databases. This data, if associated with PHI, may not meet the strict security and encryption standards required for HIPAA compliance.
  • Lack of Business Associate Agreement (BAA): Google does not offer a Business Associate Agreement (BAA), which is a crucial component for HIPAA compliance. The BAA is required when a third-party vendor (like Google) handles or stores PHI on behalf of a healthcare provider. Without a BAA, the vendor is not legally bound to follow HIPAA requirements, making the use of Google Call Tracking numbers for healthcare-related calls a potential violation of HIPAA.

3. Potential Risks to HIPAA Compliance

  • Call Recordings: If call recordings are used, they may contain PHI, and unless the call tracking system is fully encrypted and ensures secure storage, these recordings might not be HIPAA-compliant.
  • Unencrypted Data: Data from calls, such as phone numbers, may be stored in a way that is not properly encrypted, making it susceptible to breaches.
  • Third-Party Access: If the call data is stored on Google’s servers or any third-party server, there is a risk of unauthorized access if proper security measures are not implemented, such as end-to-end encryption and access controls.

4. What You Can Do to Ensure HIPAA Compliance

  • Use HIPAA-Compliant Call Tracking Solutions: There are HIPAA-compliant call tracking services specifically designed for healthcare providers, such as CallRail (HIPAA solution is $150/month+), RingCentral (HIPAA compliant service is $120/month + phone fees, typically $49/number), and PatientGain.com (included for free with PLATINUM Service; however, if you are a very busy clinic, you may incur extra charges. Contact PatientGain for details). These platforms are built to handle sensitive data in a way that meets HIPAA’s encryption, storage, and privacy requirements.
  • BAA with Vendors: Ensure that the call tracking service you choose offers a Business Associate Agreement (BAA), which is mandatory for HIPAA compliance when a third-party vendor handles any PHI.
  • Phone System Management: If using Google’s call tracking or any similar service, avoid discussing PHI over those calls, or consider using secure communication channels for patient-related inquiries.

5. What About Google Ads and Call Extensions?

  • Google Ads call extensions allow phone numbers to appear in ads, and calls made to those numbers could be tracked. Using call extensions without PHI in the conversation will avoid HIPAA violations. However, if PHI is shared during the call, this introduces risks if the data is not secured and handled properly.
  • If you’re using Google Ads for a healthcare practice, it’s important to consider how call data is managed, and avoid storing or sharing PHI through Google’s systems.

Summary:

  • Google Call Tracking Numbers are not HIPAA-compliant because Google does not offer a Business Associate Agreement (BAA) and the data may not meet HIPAA’s stringent data security and encryption standards.
  • Call recordings and other call data may potentially expose PHI, creating HIPAA compliance risks.
  • To ensure compliance, healthcare practices should opt for HIPAA-compliant call tracking solutions that are specifically designed to protect patient data and offer the required security measures and BAAs.

If Google Call Tracking Numbers are not HIPAA compliant, how does PatientGain.com’s PLATINUM service track new patient calls and determine how many new patient calls are being received?

PatientGain.com’s PLATINUM service for healthcare practices includes HIPAA-compliant call tracking to help practices track and measure the effectiveness of their marketing efforts, including determining how many new patient calls are being received. Unlike Google’s Call Tracking Numbers, which are not inherently HIPAA-compliant, PatientGain ensures that all call tracking processes follow HIPAA regulations by securing and encrypting sensitive patient data. Here’s how PatientGain tracks new patient calls in a compliant way:

1. HIPAA-Compliant Call Tracking Setup

  • Dedicated Tracking Numbers: PatientGain provides healthcare-specific call tracking numbers that are HIPAA-compliant. These numbers are uniquely assigned to your practice, enabling the tracking of inbound calls specifically for your practice’s marketing campaigns. PatientGain stores all call data on HIPAA-compliant servers. In addition, no calls are recorded, per HIPAA guidelines, as recorded calls can be easily downloaded onto private cell phones, and if the cell phone is lost, you have to report HIPAA PHI leakage.
  • No Call Recording: To prevent PHI leakage, such as staff downloading recordings onto unencrypted personal devices, PatientGain does not record patient calls.
  • No PHI Collected: Unlike general call tracking services, PatientGain’s system does not capture or store any Protected Health Information (PHI) during the call unless explicitly authorized. This ensures that the system complies with HIPAA’s Privacy and Security Rules. Any call data, such as call duration, is stored on AWS HIPAA-compliant servers, with strict access controls.

2. Tracking New Patient Calls

  • New Patient Identification: PatientGain’s platform can differentiate between new patient calls and existing patient calls based on the phone number, other contextual data, and an AI agent built by PatientGain. New patient calls can be tracked by capturing the first-time interaction with your practice (e.g., the first time a phone number is dialed or the first time an individual calls). Repeat callers, sales calls, etc. are subtracted, and “Effective” new leads are created every month.
  • Call Source Attribution: PatientGain can identify the source of the call (e.g., whether it came from Google Ads, website, or another marketing channel) and assign it to a specific campaign or marketing effort. This allows the SPOC based marketing dashboard to measure the effectiveness of marketing in generating new patient leads. This is a live dashboard and customers have direct 24/7 access to this dashboard. If there are excessive new missed calls, the AI agent alerts the practice owner.
  • AI Based Auto-Engagement: If you are using PLATINUM Plus service, then Missed-Call-App is included. The PatientGain Missed Call App is a HIPAA-compliant, AI-powered tool designed for healthcare practices to automatically text patients back when a call goes unanswered. It prevents lead leakage by immediately engaging potential new patients, allowing them to book appointments or get information even when staff are unavailable.

3. Automated Call Logging

  • Call Data Reporting: PatientGain automatically logs and records key data for each new patient call, including the call source, date, time, and duration of the call. This information is used to generate actionable reports and insights, helping practices understand how well their marketing campaigns are converting into phone calls and new patient leads.
  • Integration with Practice Management System (PMS) OpenEMR: PatientGain can integrate call tracking data with your OpenEMR to automatically create or update patient records (if the call results in an appointment). This streamlines the process of converting new patient inquiries into actual appointments.

4. Detailed Analytics and Call Reporting

  • New Patient Call Dashboard: The PatientGain platform offers a dashboard where you can view detailed analytics about the number of new patient calls received, the call duration, and how these calls align with marketing campaigns. You can see how many calls originated from specific campaigns and track which channels are driving the most new patient leads.
  • Real-Time Insights: The platform provides real-time data about the calls, so you can track performance on a daily or weekly basis and adjust marketing strategies if needed. This is helpful for identifying trends, evaluating the success of specific campaigns, and improving the overall patient acquisition process.

5. Call Recording and Review

  • Call Recording: With PatientGain, no calls are recorded.

6. Campaign Performance Tracking

  • Marketing Attribution: PatientGain tracks which marketing efforts are driving new patient calls, enabling you to measure the ROI of each campaign. Whether the calls come from paid search ads, organic SEO efforts, or social media marketing, PatientGain allows you to assess the success of your marketing spend and adjust your strategy accordingly.

7. Customizable Features

  • Multi-location Support: If you run a multi-location practice, PatientGain can provide unique call tracking numbers for each location, allowing you to measure the performance of marketing campaigns at each individual site.

Summary of How PatientGain Tracks New Patient Calls:

  • Dedicated HIPAA-compliant tracking numbers are used for each location.
  • New patient calls are identified based on first-time interactions, and source attribution helps determine which campaigns or channels are driving new patient inquiries.
  • Automated reporting provides insights into call volume, campaign performance, and the conversion of calls into patient appointments.
  • HIPAA compliance is maintained through encryption and data security, and there is NO call recording, ensuring that PHI is secure during the tracking process.

By using PatientGain’s PLATINUM service, healthcare practices can not only track the volume of new patient calls but also measure the effectiveness of their marketing efforts, optimize their patient acquisition strategies, and ensure HIPAA compliance throughout the process.

Example of a real customer marketing dashboard, with tracking of new patient calls. For example, you can see that in the month of January there are a total of 649 new recorded patient leads, out of which 506 are effective leads. You will also notice that the majority of patients contact you by phone, rather than booking appointments, sending you text messages or engaging with an AI ChatBot.
