Healthcare A/B testing

How to do HIPAA-compliant A/B testing

August 8, 2021
Reading time: 10 mins
Daniel Boltinsky
Kameleoon, Managing Editor, North America

In the world of online marketing, A/B testing is one of the biggest advantages over offline marketing. A/B testing allows you to compare two elements in real-time to evaluate, using actual statistical data, which version works best.

You can test anything on the front end or user side, from an image on your homepage, call-to-action (CTA) buttons on digital ads, or even subject lines in email campaigns.

By taking the time to test, you’re informing and improving your marketing efforts to better suit your audience’s needs and maximizing the return on your marketing investment to drive conversions.

When dealing with Protected Health Information (PHI), healthcare organizations fear that the risks of violating the United States Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act are greater than the rewards of A/B testing. In fact, a 2021 Forrester report found that 33% of executives cited customer privacy concerns as the top challenge preventing them from using data to inform great customer experiences.

It’s possible, however, and even easy to perform HIPAA-compliant A/B tests when you know what tools to use and when to use them.

Once you understand the HIPAA and HITECH guidelines, you’ll be well on your way to delivering targeted and customized marketing experiences to your users while protecting their data.

1 Does your test require protected data?

You can perform plenty of useful A/B tests while not collecting HIPAA-protected data from your end-users.

This includes:

  • Images and copy on your website and digital ads
  • Call-to-action buttons
  • Email subject lines
  • Website search algorithm
  • Product recommendations


A key thing to remember is PHI is only counted as PHI when it’s possible to identify an individual from it. There’s plenty of available data about users that isn’t personally identifying but still very useful in running customized tests.

For example, you can detect that a user is located in Texas and show them a Texas-specific form. HIPAA counts only “geographical identifiers smaller than a state” as protected, so sticking with anything the size of a state or a broader region is acceptable.
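The state-level rule above, as an added example that is not code from the original article or from Kameleoon: a visitor profile is reduced to an allowlisted set of non-identifying attributes before it is handed to the A/B testing tool, with geography kept at state level and rolled up to an assumed US Census region. The field names and the region table are assumptions for illustration.

```python
"""Reduce a visitor profile to attributes safe to pass to an A/B testing tool."""

# Assumption: US Census regions, used as the "broader region" a state rolls up to.
STATE_TO_REGION = {
    "TX": "South", "FL": "South", "GA": "South",
    "CA": "West", "WA": "West", "AZ": "West",
    "NY": "Northeast", "MA": "Northeast", "PA": "Northeast",
    "IL": "Midwest", "OH": "Midwest", "MN": "Midwest",
}

# Allowlist (assumed field names): only these keys ever leave the profile.
# Anything not listed (zip, city, street, name, email, phone, date of birth,
# IP, ...) is dropped, so a field added upstream cannot leak through by accident.
ALLOWED_KEYS = ("state", "device", "campaign", "first_visit")


def targeting_attributes(profile: dict) -> dict:
    """Return only non-identifying, state-or-coarser attributes for a test."""
    out = {}
    for key in ALLOWED_KEYS:
        if key in profile and profile[key] is not None:
            out[key] = profile[key]
    state = out.get("state")
    if state is not None:
        state = str(state).strip().upper()
        if len(state) != 2 or not state.isalpha():
            # Not a two-letter state code (e.g. a ZIP landed in the field): drop it,
            # because anything finer than a state is a protected identifier.
            del out["state"]
        else:
            out["state"] = state
            region = STATE_TO_REGION.get(state)
            if region:
                out["region"] = region
    return out


if __name__ == "__main__":
    # Constructed sample profile, as a CRM record or web session might carry it.
    visitor = {
        "name": "Jane Doe", "email": "jane@example.com", "zip": "77002",
        "city": "Houston", "state": "tx", "device": "mobile",
        "campaign": "fall-2021", "first_visit": True, "ip": "203.0.113.5",
    }
    print(targeting_attributes(visitor))
    # {'state': 'TX', 'device': 'mobile', 'campaign': 'fall-2021',
    #  'first_visit': True, 'region': 'South'}
```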

Additionally, HIPAA does not apply to people who are not patients or health plan members — this might include prospective leads or people visiting your site for the first time. For instance, if you’re A/B testing an ad on Facebook and targeting new clients, what you’re looking for is which ad performs best (i.e. which ad received the most clicks based on the image or the copy you’re testing).

Although in these situations you do not have to run your A/B tests on HIPAA-compliant tools, there are advantages to using compliant tools anyway: you will want to do more specific analytics on your website to inform further marketing efforts, and that information may itself fall under HIPAA if those visitors later become patients.

By using a HIPAA-compliant tool from the start of your campaign, you’ll ensure all the data you collect is compliant, and you won’t have to question any of your testing results.

Certain activities and tests will require using information classified as PHI, such as:

  • Sending emails announcing product launches or promotions
  • Sending direct mail to people’s homes or businesses
  • Inviting someone to an event


Under the HIPAA Privacy Rule, you cannot use PHI (or ePHI) to send marketing materials unless they are directly related to the individual’s care or course of treatment. So, if you are collecting a person’s information (e.g. name, email, or mailing address), you are allowed to market to these individuals as long as you receive express consent of the kind required under the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

However, because your marketing falls under HIPAA jurisdiction, once you collect this data you must encrypt it to remain HIPAA-compliant. Encryption means that even if the data is stolen, it cannot be read or used.

Lastly, if you’re using third-party software to conduct your marketing — such as an email service provider — it’s incumbent on you to request they sign a HIPAA Business Associate Agreement (BAA).

Once you take these steps, you can conduct your A/B tests confidently, knowing you’re following the HIPAA Privacy Rule.

3 Did you validate your tools for compliance?

An important part of HIPAA is the security rule, which requires you to “protect against threats to the security of PHI.” This doesn’t just mean restricting who can access the PHI — it also means safeguarding how your data is stored and moved around. It’s important to vet the tools you use to make sure your data, and the data you collect, are secure.

You can check for a few things. Many applications in your software stack will be exchanging data to serve the healthcare entity and your patients, and you want to make sure this data transfer happens securely.

  • Ensure everyone resets their passwords every 60 days to be in line with HIPAA mandates.
  • Ensure the data is transferred using, at a minimum, the Transport Layer Security (TLS) 1.2 data security protocol.
  • Ensure users are automatically logged out after being inactive for 15 minutes.
  • Ensure the vendor of the tools is willing to sign a Business Associate Agreement (BAA).


By checking those four validation points with any tool you’re using that collects PHI, you’re much less likely to have HIPAA compliance problems.
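The four validation points above turned into a check, as an added example that is not part of the original article or any vendor's product: a weak tool configuration is scored against the list beside its corrected version, and a client TLS context is built that refuses anything below TLS 1.2. The setting names on `ToolSettings` are assumptions; real products expose them under their own names.

```python
"""Score a vendor tool's settings against the HIPAA checklist and enforce a TLS 1.2 floor."""
import ssl
from dataclasses import dataclass


@dataclass
class ToolSettings:
    # Assumed setting names; map them from whatever the vendor's admin console exposes.
    password_max_age_days: int
    min_tls: str              # e.g. "TLSv1.0", "TLSv1.2"
    idle_logout_minutes: int
    baa_signed: bool


_TLS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def validate(settings: ToolSettings) -> list:
    """Return one finding per checklist item the tool fails; [] means it passes."""
    findings = []
    if settings.password_max_age_days > 60:
        findings.append(f"password max age {settings.password_max_age_days}d exceeds 60d")
    tls = _TLS.get(settings.min_tls)
    if tls is None or tls < ssl.TLSVersion.TLSv1_2:
        # Unknown version strings fail closed rather than being assumed modern.
        findings.append(f"minimum TLS version {settings.min_tls!r} is below TLS 1.2")
    if settings.idle_logout_minutes > 15:
        findings.append(f"idle logout {settings.idle_logout_minutes}min exceeds 15min")
    if not settings.baa_signed:
        findings.append("vendor has not signed a BAA")
    return findings


def tls_client_context() -> ssl.SSLContext:
    """Client context for talking to the tool: certificate verification on, TLS 1.2 floor."""
    ctx = ssl.create_default_context()          # verifies certificates and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0/1.1 handshakes are refused
    return ctx


if __name__ == "__main__":
    weak = ToolSettings(90, "TLSv1.0", 30, False)   # constructed weak configuration
    fixed = ToolSettings(60, "TLSv1.2", 15, True)   # the same tool, corrected
    print(validate(weak))    # four findings, one per checklist item
    print(validate(fixed))   # []
```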

4 Protect healthcare data in your tests

Although adhering to HIPAA standards when A/B testing on medical service platforms is vital, it doesn’t have to slow you down or impede you from making stronger product decisions.

When you have the right tool that takes care of data security for you on all fronts, you can feel more secure with your HIPAA compliance efforts and more easily run A/B tests. Kameleoon is a tool that does all this for you, enabling healthcare practitioners to focus on marketing that converts.

Download Forrester's report on data and CX optimization for healthcare in 2021 to see how your HCO can grow with A/B testing.
