HIPAA-compliant analytics with Piwik PRO Analytics Suite
Apply the highest privacy and security safeguards as you collect data and analyze the full customer journey on your website or app.
If you fall under HIPAA, you’re responsible for providing the right safeguards for US citizens’ protected health information (PHI). There are two routes you can take to achieve this when doing analytics: you can either de-identify all PHI in your data or sign a business associate agreement (BAA) with your vendor to ensure the compliant collection and processing of PHI and ePHI. Regardless of which option you choose, Piwik PRO will support you in achieving HIPAA compliance.
How Piwik PRO keeps you aligned with HIPAA
Secure hosting
Know the exact location of your data and keep it in HIPAA-compliant data centers maintained by Microsoft Azure. Choose the US cloud or one of 60+ private cloud locations (dedicated database or dedicated hardware).
Safe backup storage
Keep sensitive information thoroughly protected and get maximum recovery capability. Benefit from replication to another location in the same region.
100% data control
Be the sole controller of granular information on visitors and access it at any time. We never use your data for other purposes or share it with third parties. Decide what ePHI you collect and how you use it to provide the best patient experience.
Audit log & change log
Monitor and review user activity in the analytics platform, such as login attempts, password updates, modification of the settings and API calls, and more. Keep logs of these actions to improve your risk management process. Utilize advanced user-permission options.
Customizable BAA
Sign a business associate agreement (BAA) with us regardless of which hosting option you choose. Ensure joint compliance and liability for the provided services and establish responsibilities concerning PHI/ePHI.
Integrations
Create a holistic view of your patients by combining first-party data from multiple touchpoints. Expand your marketing capabilities through integrations and natively available Tag Manager, Consent Manager, and CDP with data activation features.
Data encryption & transmission
Piwik PRO fulfills HIPAA requirements to encrypt ePHI when the data is at rest. We use 256-bit AES encryption with Microsoft Azure native encryption mechanisms and customer-managed keys, which prevents Microsoft from accessing unencrypted data.
Security measures
Piwik PRO follows ISO 27001 and SOC 2 standards, including HIPAA compliance attested as part of our SOC 2 Type II report. We are regularly audited and pen tested by independent auditors, which translates into enhanced measures for handling sensitive data, preventing data breaches, and much more.
HIPAA-compliant settings
Use a feature in our product to switch off the collection of visitors’ IP addresses. With this setting, IP addresses are not collected or stored anywhere in Piwik PRO, allowing you to enhance your HIPAA compliance.
The guide to HIPAA compliance in analytics
Learn how to make your company HIPAA-compliant in analytics, marketing and advertising, and find vendors who take compliance seriously.
“Working with health information means working with sensitive data, which makes privacy compliance the key aspect that healthcare organizations should focus on. Noncompliance with HIPAA regulations could result in sanctions, not to mention the looming loss of users’ trust. Choosing a compliant vendor, like Piwik PRO, helps you avoid those risks because data privacy and security are at the core of our business.”
Lisette Meij
Data Protection Officer at Piwik PRO
Resources on HIPAA-compliant analytics
We’ve gathered our content on HIPAA to help you evaluate your organization’s compliance and understand the requirements to comply with the law. Learn how to collect and process patient data online, what security measures to apply across your organization and tech, and how to find a HIPAA-compliant analytics vendor.
- The AHA’s lawsuit against HHS guidance on online tracking technologies: What it means for HIPAA-covered entities and their use of analytics
On June 20, 2024, a US district court ruled in favor of the American Hospital Association’s (AHA) lawsuit against the Department of Health and Human Services (HHS) bulletin on using online tracking technologies, declaring it beyond agency authority. The 2022 bulletin sought to inform entities regulated under HIPAA of their obligations concerning the use of…
- HHS guidance on using online tracking technologies: How to make your analytics HIPAA-compliant
In December 2022, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance on online tracking technology to HIPAA-covered entities. The bulletin details healthcare companies’ use of third-party cookies, pixels and other tracking technologies and elaborates on the definition of protected health information (PHI) that HIPAA refers to. HHS’s bulletin…
- HIPAA, marketing and advertising: How to run compliant campaigns in healthcare
Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney. Healthcare organizations deal with tons of sensitive information concerning people’s health. It needs to be handled with proper…
- A review of HIPAA-compliant analytics platforms
Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney. Collecting and analyzing user data is essential to healthcare businesses that want to build relationships with prospects, better…
- PHI and PII: How they impact HIPAA compliance and your marketing strategy
Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney. Personally identifiable information (PII) and protected health information (PHI) may seem similar. However, there are critical distinctions…
- Is Google Analytics HIPAA-compliant?
Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but does not provide legal consultancy. If you’d like to make sure you’re in compliance with HIPAA guidelines, we encourage you to consult an attorney. Healthcare organizations use analytics platforms to collect and analyze data about their patients. The data helps…
FAQ
Who must follow HIPAA requirements?
The HIPAA rules apply to any individual or organization that meets the definition of a covered entity as stated in HIPAA guidelines.
Covered entities include:
- Health plans – for example, health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
- Healthcare providers that conduct certain business electronically, such as electronically billing your health insurance – including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
- Health care clearinghouses – entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
Beyond covered entities, the following must adhere to HIPAA:
- Business associates
- Subcontractors
- Hybrid entities
- Researchers
A business associate can be an individual or company that provides services to a HIPAA-covered entity that requires them to have access to, store, use, or transmit protected health information. Generally, an analytics vendor will be a business associate.
What is PHI and its electronic version (called ePHI) under HIPAA?
PHI and ePHI are a subset of personally identifiable information (PII) that refers explicitly to information processed by HIPAA-covered entities.
Examples of health information include:
- Medical test results
- Prescription or treatment records
- Billing information
- Appointment scheduling information
When health information is combined with a personal identifier, the data becomes PHI.
The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers:
- Name
- All geographic subdivisions smaller than a state (street address, city, county, zip code)
- Dates, including birthdate, admission date, discharge date, and date of death
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary numbers
- Account number
- Certificate/license number
- Vehicle identifiers and serial numbers, including license plate number
- Device identifiers and serial numbers
- Web URL
- IP address
- Biometric identifiers, including fingerprints and voice
- Full face photo
- Any other unique identifying number, characteristic, or code
This means that not all health information acquired by organizations is considered PHI. For example, phone numbers and residential addresses alone are not PHI. But this data will be considered PHI if it includes health information about an individual’s condition, the treatment of that condition, or the payment for the treatment. The information must also be transmitted or maintained in any form by a covered entity.
Specific examples of PHI and ePHI include:
- Information your doctors, nurses, and other health care providers put in your medical record.
- Conversations your doctor has about your care or treatment with nurses and others.
- Information about you in your health insurer’s computer system.
- Billing information about you at your clinic.
Importantly, PII collected on a covered entity’s website or app is considered PHI even if the individual does not have an existing relationship with the entity or the PII does not include specific treatment or billing information. When a covered entity collects such information, it is indicative that the individual has received or will receive health care services or benefits from it.
Why is HIPAA compliance important?
HIPAA introduced several benefits for the healthcare industry to help transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure that protected health information is shared securely.
People now care about the privacy of their data more than ever. Health information is a special category of personal information because it contains details about users’ conditions that they may not want to disclose. Protecting the privacy of health-related data helps you maintain the trust of individuals whose information you are processing.
Neglecting users’ rights related to HIPAA can negatively affect your business and have a long-lasting impact on how patients view your organization. Since HIPAA is a standard that must be followed by many organizations similar to yours, the lack of compliance can make you lose business to your compliant competitors. Not to mention that any covered entity that violates HIPAA regulations can face civil action lawsuits, criminal charges, and hefty monetary penalties.
How can you stay compliant with HIPAA?
HIPAA makes covered entities responsible for complying with a number of rules – the Privacy Rule, Security Rule, Breach Notification Rule, Enforcement Rule, and Omnibus Rule. The first three rules are particularly important.
The Privacy Rule provides federal standards to protect the privacy of PHI – particularly, it:
- Limits how covered entities may use and disclose individually identifiable health information they receive or create.
- Gives individuals rights concerning their protected health information, including a right to review and obtain a copy of their medical records and the right to ask covered entities to amend the information if it is inaccurate or incomplete.
- Imposes administrative requirements for covered entities, such as training of employees concerning the Privacy Rule.
- Establishes civil penalties.
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect ePHI. Specifically, they must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.
- Perform risk analysis as part of their security management processes.
The Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured protected health information.
Is Piwik PRO HIPAA-certified?
Piwik PRO successfully passed a HIPAA compliance assessment as part of its SOC 2 Type II audit. This means Piwik PRO is HIPAA-certified.
HIPAA certification proves that Piwik PRO Analytics Suite is a verified solution for customers whose policies mandate partnering exclusively with HIPAA-compliant vendors. This certification demonstrates our commitment to ensuring a HIPAA-compliant analytics suite safeguarding Protected Health Information (PHI).
How can you ensure you have HIPAA-compliant analytics?
You must apply a few safeguarding practices while collecting and processing data online. Some requirements you must fulfill include:
- Establish a business associate agreement (BAA) with every platform you use for marketing, advertising, and analytics and any other business associate. Otherwise, you cannot disclose PHI to that vendor without the individuals’ authorization.
- Address the use of analytics and other data platforms in your risk analysis and management processes.
- Implement administrative, physical, and technical safeguards – such as encrypting PHI transmitted to the analytics vendor and enabling and using appropriate authentication, access, encryption, and audit controls when accessing PHI maintained in the analytics platform infrastructure.
- Work with vendors that support values such as privacy by design to fully control and understand what data you collect, store, and transfer.
- Remove all 18 identifiers from PHI. Once the data is impossible to trace back to one individual, it is no longer PHI and no longer has protection under HIPAA.
Note: De-identification of PHI is not necessary with Piwik PRO – you can sign a BAA and send the desired PHI.
You need to carefully select an analytics vendor that would allow you to achieve HIPAA compliance – for example, don’t forget that Google Analytics is not HIPAA compliant.
You must either make an extra effort to avoid passing any trace of PHI to your analytics or switch to an analytics platform that will help you process patient data with the proper safeguards.
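The de-identification route (stripping the 18 identifier categories listed in the FAQ above before an event reaches the analytics platform) as an added example, not Piwik PRO’s code: the event field names, the redaction labels and the choice to keep only the year of a date are this example’s own assumptions.

```python
import re
from typing import Any

# Constructed sample analytics event. Field names are this example's assumptions
# about what a site tracker might send, not a Piwik PRO payload format.
SAMPLE_EVENT = {
    "url": "https://clinic.example/appointments?name=Jane%20Doe&email=jane@example.com",
    "referrer": "https://search.example/?q=diabetes+clinic",
    "ip": "203.0.113.7",
    "custom": {
        "phone": "(555) 010-0199",
        "zip": "90210",
        "state": "CA",
        "visit_date": "2024-06-20",
        "notes": "Reached nurse at 555-010-0199, MRN 00123456, SSN 123-45-6789",
    },
}

# Keys that directly carry one of the identifier categories (IP, name, contact
# details, SSN, record/account numbers, geography below state level, device ids).
DROP_KEYS = {"ip", "name", "email", "phone", "fax", "ssn", "mrn", "zip", "city",
             "street", "account", "device_id", "license", "plate", "photo"}
DATE_KEYS = {"visit_date", "birthdate", "admission_date", "discharge_date"}
URL_KEYS = {"url", "referrer"}

# Identifier shapes that can hide inside free text or URL query strings.
PATTERNS = [
    ("[email]", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("[ip]", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("[ssn]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[phone]", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b")),
    ("[mrn]", re.compile(r"\bMRN\s*\d+\b", re.I)),
    ("[date]", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
]

def redact_text(text: str) -> str:
    """Replace embedded identifiers with a label so the rest of the text survives."""
    for label, pattern in PATTERNS:
        text = pattern.sub(label, text)
    return text

def deidentify(value: Any, key: str = "") -> Any:
    """Return a copy of the event with identifier fields dropped and text redacted."""
    if isinstance(value, dict):
        return {k: deidentify(v, k) for k, v in value.items() if k.lower() not in DROP_KEYS}
    if isinstance(value, list):
        return [deidentify(v, key) for v in value]
    if isinstance(value, str):
        if key in URL_KEYS:  # query string and fragment often carry identifiers
            value = value.split("?", 1)[0].split("#", 1)[0]
        elif key in DATE_KEYS:  # keep only the year; a policy choice for this example
            return value[:4]
        return redact_text(value)
    return value

if __name__ == "__main__":
    print(deidentify(SAMPLE_EVENT))
```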
Want to learn more about how to make your analytics HIPAA-compliant?
We’re here to help and answer all your questions!