In December, the U.S. Department of Health and Human Services (HHS) issued a Bulletin about changes to the Health Insurance Portability and Accountability Act around the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.”
Throughout the month of December, Schema App partnered with our Healthcare clients to identify how these new requirements impact their schema markup and how Schema App can help.
What are the requirements?
The new Bulletin defines additional requirements for “tracking technology vendors” who are tracking individually identifiable health information (IIHI), such as medical record numbers, home or email addresses or individual IP addresses.
“Regulated entities disclose a variety of information to tracking technology vendors through tracking technologies placed on a regulated entity’s website or mobile app, including individually identifiable health information (IIHI)19 that the individual provides when they use regulated entities’ websites or mobile apps. This information might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code.20 “
How does this apply to Schema Markup?
Schema Markup is code on your website that helps search engines understand the content on your website. Search engines like Google crawl a website, read the code and reward the page by displaying it as a rich result on the search engine results page.
Many healthcare organizations use Schema Markup to achieve rich results and stand out in search. At Schema App, we help health networks add the Schema Markup to their website.
Example of a Review Snippet Rich Result awarded to a healthcare organization.
How does this HIPAA change apply to Schema App?
Schema App is an end-to-end Schema Markup solution provider that integrates with your website to create, manage and deploy your Schema Markup at scale.
The only information from this list that may be transiently processed in order to deliver the service is the IP address, as required for standard web request routing. Schema App does not store this information as part of its product or customer data.
Why do we use IP Addresses?
Schema App does not store end-user IP addresses as part of its product or customer data. When Schema App delivers structured data or related web resources, network routing information (including IP address and user agent) is processed transiently by infrastructure to route and secure the request — but it is not recorded in application-level systems.
At the infrastructure level, IP addresses may be retained only in AWS Web Application Firewall (WAF) or API Gateway logs when logging is explicitly enabled for security monitoring, incident response, or operational troubleshooting. These logs are automatically deleted in accordance with defined retention policies, and access to them is strictly limited to authorized personnel with elevated privileges and is audited.
This approach ensures that Schema App’s services do not collect or retain individually identifiable information beyond what is necessary for secure delivery and operations, and that Schema App’s logging practices are consistent with privacy expectations for regulated entities.
For healthcare organizations deploying Schema Markup with Schema App, this means that Schema App does not itself introduce online tracking technologies that collect or disclose protected health information (PHI) under the HHS guidance.
HIPAA compliance assessments for website technologies are typically evaluated in the context of the full set of scripts and integrations present on a page. While Schema App’s services are designed to avoid the collection or retention of IIHI, healthcare organizations should continue to assess other technologies deployed on their websites — such as analytics, advertising, or tag-management tools — as part of their broader compliance and governance processes.
For more information, please refer to our privacy policy.
Approaches our Healthcare clients are taking to navigate these HIPAA changes
Our clients are using various approaches to comply with this new HIPAA requirement.
- Reducing the number of tags in Google Tag Manager and/or moving to manage Javascript on their CMS/Webpages directly. You can learn how our Javascript Integration works in detail here.
- Asking Schema App to sign a Business Associate Agreement. If this is required for you, Schema App will review your BAA.
- Considering vendor server side / CMS integrations. At Schema App, we have custom integrations with Adobe Experience Manager, Drupal, WordPress, and Shopify. If yours is not listed, contact us for a suitable integration solution.
Conclusion
In conclusion, Schema App does not store individually identifiable health information (IIHI) as part of its product or customer data. Based on this data handling model, Schema App does not introduce online tracking technologies that collect or disclose PHI under the HHS guidance.
Our team at Schema App is actively helping our healthcare clients navigate these changes. If your organization is currently deploying Schema Markup through Google Tag Manager with Schema App, please reach out to your Customer Success Manager to explore alternative integration methods.
If your healthcare organization is looking to leverage Schema Markup to bolster your digital marketing efforts, we can help. Get in touch with us to learn how we can help your organization stay ahead of the competition and stand out in search.
Ready to leverage Schema Markup to drive traffic to your site?
Martha van Berkel is the co-founder and CEO of Schema App, a semantic technology company that leverages advanced Schema Markup to build Content Knowledge Graphs for enterprise marketing teams. She focuses on helping marketing teams globally understand the strategic value of Schema Markup and thrive in an ever-evolving digital landscape.
Prior to Schema App, Martha was a Senior Manager at Cisco Systems for 14 years, responsible for the global online support strategy. She holds a degree in Applied Mathematics and Engineering, attended MIT for Innovation and Strategy, is a Mother of two, and is an avid rower.