Optimizely DXP leaps into healthcare transformation

SVP Valtech Health
Valtech North America

May 08, 2025

Disclaimer: HIPAA law is intricate and open to interpretation. It is crucial to consult with legal counsel when determining the appropriate security measures and data collection practices for your organization. This article addresses Valtech's interpretation and understanding of HIPAA considerations from an evolving DXP (Digital Experience Platform) practice perspective and should not be regarded as legal advice, be relied upon for future guarantees of roadmap or be binding on Valtech in any manner.

In healthcare, trust is everything. Optimizely's integrated suite of content management, personalization, analytics, content marketing and customer data tools (Optimizely One) has long been a contender for large digital ecosystem projects in the U.S. The components are known for their relatively quick time-to-value, popularity with marketing teams, composability and high quality.

Like many platforms, however, the deepening imperatives of privacy and security generated by the 2022 redefinition of HIPAA law had previously positioned Optimizely as an outsider for digital transformations in healthcare.

HIPAA, the crucial 1996 law, ensures privacy for patient healthcare information in payer and provider healthcare domains and anywhere else that patient information travels. In 2022, this was extended to digital tracking on websites for analytics and personalization.

This limitation has been a barrier for organizations wanting to adopt the software for everything from public hospital websites to specialized pharma applications and portals. All of that, however, is about to change with the launch in early 2025 of Optimizely’s "HIPAA-safe" healthcare solution.

What is different with the platform?

In response to the redefinition, Optimizely spent 2024 building a HIPAA practice around their platforms. It has implemented technical changes, business controls, and new legal agreements for three main areas of its platform to provide a higher level of HIPAA safety assurance to its customers and take greater responsibility for protected data.

As a reminder, HIPAA does not offer official certification of technology products. 'HIPAA-safe', as used by Optimizely, hence more likely refers to practices aligned to HIPAA requirements, not a formal certification.

Within certain parameters, Optimizely will now sign Business Associate Agreements (BAAs) to share responsibility for customer data within key parts of its software. 

The company has brought the following under their new HIPAA umbrella:

  • Their PaaS and SaaS web CMS platforms for building websites.
  • Their freestanding Web Experimentation and Feature Experimentation tools.
  • Their popular Content Marketing Platform (CMP) — though only with analytics turned off and alternative tracking provided by a “HIPAA-safe” vendor.

These changes allow Optimizely to share responsibility for electronic patient health information (ePHI) covered by HIPAA. For these functions, a large part of what made Optimizely broadly popular in other sectors is now available with what Optimizely presents as a comprehensive set of HIPAA improvements.

What are the limitations?

While the first phase of Optimizely's HIPAA-readiness strategy has revolved around major changes for improved controls and technical safeguards, there are currently minor limitations to a HIPAA environment. This includes restricted access to features where access to ePHI presents a bigger risk, including exports and specific integrations.

Optimizely's current strategy has been to restrict modules or features that would be more complicated to secure for HIPAA compliance. The primary exclusion impacting larger digital transformations is the Optimizely customer data platform (called "ODP"), which typically creates a unified view of the customer and allows for identity resolution across different channels, enabling more unified personalization programs.

Though personalization is still possible via Optimizely Experimentation, it tends to be channel-specific. Any broader omnichannel strategy would require custom integration with a “HIPAA-safe” CDP. Experimentation itself is only slightly modified and does not support Experiment Collaboration or some of its out-of-the-box integrations to any non-HIPAA-ready systems. There is no change to mainstream functionality for end-users.

Other features not currently supported include:

  • Content Recommendations, which use a different personalization engine.
  • Content analytics on Optimizely CMP, though this can be relatively easily replaced with custom reports in a “HIPAA-safe” customer analytics tool.

Of these limitations, Content Recommendations is probably the most useful feature not supported, though in healthcare, custom search logic often handles relevancy functions. 

HIPAA “safety” implies some shared responsibility

Optimizely has always sold on its ease of use and maintenance. The new platform version can facilitate HIPAA compliance, but compliance can only be achieved in combination with some ongoing customer-specific efforts. First, customers should always consult their own legal counsel to assess HIPAA compliance in their specific deployment, policies and practices.

To deploy Optimizely's healthcare solution in a custom context, there is an important degree of shared responsibility with solution architects and program managers to ensure that architectural and control requirements are followed and that customizations built on top of the platform do not introduce HIPAA risk. The platform has capabilities to support HIPAA compliance, but safety is also achieved through ongoing customer-specific efforts. Optimizely's Business Associate Agreements (BAAs) will only take responsibility within the aspects they have documented for this purpose and can control.

Optimizely’s HIPAA-related commitments are also limited to specific features and configurations as documented. Customers are responsible for ensuring that their customizations, third-party integrations, and operational practices independently comply with HIPAA.

What does the roadmap look like?

Optimizely considers their “HIPAA-safe” healthcare strategy a work in progress and plans to investigate further extensions later this year.

It seems likely that if their initial offering is successful, Optimizely may explore the potential future extension of “HIPAA-safe” capabilities to other modules, including the CDP ("ODP").

Other currently unsupported features seem less likely to be included as they relate to more specialized parts of the codebase. But adding CDP would definitely improve the strong foundation available today. That said, many healthcare clients already have a dedicated “HIPAA-safe” CDP in place.

With the current offering, Optimizely is now a viable option within consumer healthcare contexts, and its technical capabilities and client reach will likely only grow going forward. Given Optimizely’s popularity for its power and ease of use, this move into HIPAA safety will likely power a lot of positive change.

Building world-class healthcare experiences

Valtech is a global digital agency focused on experience innovation. We are an Optimizely Premier Platinum Solution Partner with 350+ Optimizely implementations since 2002.

With twenty years of focus on healthcare across consumer healthcare, pharmaceuticals & medical devices, we bring an unparalleled level of expertise to strategic, creative, and technical opportunities. Our clients include household names in the healthcare industry using a broad set of strategies and technologies.

Please contact us to learn more about how we can help your organization achieve its digital business goals. 
