HIPAA-compliant analytics in 2025: Your complete vendor comparison and selection guide


Written by Małgorzata Poddębniak

Published July 24, 2025

Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney.

SUMMARY

  • Healthcare organizations paid over $100 million in HIPAA fines between 2023 and 2025 due to pixel tracking violations, with individual penalties now reaching up to $2.1 million for willful neglect.
  • Google Analytics is fundamentally incompatible with HIPAA requirements because Google won’t sign a business associate agreement (BAA) and explicitly prohibits healthcare organizations from sharing PHI through their platform.
  • Even unauthenticated healthcare websites can violate HIPAA if they collect data like IP addresses or track visits to health-related pages, as this information can be considered protected health information (PHI).
  • Several mature HIPAA-compliant alternatives now exist, including Piwik PRO, Adobe Customer Journey Analytics, and specialized platforms like Freshpaint, each offering BAAs and healthcare-specific security features.

Collecting and analyzing user data is essential to healthcare businesses seeking to build relationships with prospects, better meet their patients’ needs, and gain authority within the industry. 

However, in 2025, HIPAA enforcement has expanded beyond internal systems and EHRs to include what happens in users’ browsers, making compliance more complex than ever. As a healthcare organization subject to HIPAA, you’re walking a fine line when trying to improve the patient experience while ensuring your activities remain compliant. 

Vendors have been adjusting to the shifting landscape of privacy-oriented analytics and their clients’ expectations. Many of them change their offers accordingly. 

At the same time, the dominant analytics vendors are not necessarily the most compliant options for healthcare providers. The stakes have never been higher, with U.S. healthcare firms paying over $100 million in fines between 2023 and 2025 due to pixel tracking violations.

In this article, we will explain why finding a HIPAA-compliant analytics provider should be a top priority and outline the key factors to consider when selecting your vendor. We will also compare popular analytics vendors, examining their advantages and capabilities in terms of HIPAA compliance.

Current enforcement landscape and recent developments

The HIPAA compliance landscape for analytics has evolved dramatically in recent years. Here is a breakdown of the most important developments:

Updated penalty structure 

HIPAA fines in 2025 range from $137 to $63,973 per violation for unknowing violations, with annual caps reaching $2,000,000 for repeat violations. There are four tiers of penalty structures, with the highest one concerning uncorrected willful neglect reaching $2,134,831 in 2024. Just last year, Montefiore Medical Center faced a $4.75 million penalty and a two-year corrective action plan after potential security rule violations.

AHA court victory

In June 2024, a US district court ruled in favor of the American Hospital Association’s lawsuit against HHS guidance on online tracking technologies. On August 29, the OCR decided not to appeal the district court’s decision. However, the victory’s scope is more limited than many healthcare organizations initially believed. 

The ruling only invalidates the part of the guidance stating that combining an IP address with a visit to a general health information page constitutes PHI. Other parts of the guidance, such as those relating to authenticated pages, including patient portals, remain valid. 

Additionally, HHS can enforce certain instances of combining HIPAA identifiers with health information, for example, an ad click ID connected with a scheduled doctor appointment shared with an ad platform like Google. 

Tracking pixels on major hospital websites

The Markup investigated the top 100 hospitals in the US and discovered tracking technologies on the appointment scheduling pages of 33 hospitals, meaning they were sending appointment data to Facebook, along with users’ IP addresses. 

Two lawsuits were immediately filed against Meta and health systems, including the University of California San Francisco and Dignity Health. This investigation revealed the widespread nature of non-compliant practices across major healthcare institutions. It sparked a wave of litigation that continues today, with healthcare organizations facing class action lawsuits for using tracking pixels. 

Increased HIPAA enforcement 

OCR has launched two enforcement initiatives in recent years – one targeting noncompliance with the HIPAA Right of Access in 2019, and a more recent one focusing on noncompliance with the risk analysis provision of the HIPAA Security Rule. The OCR Director confirmed that 22 enforcement actions were closed by OCR in 2024 with either settlements or civil monetary penalties, making it one of the busiest years for HIPAA enforcement.

This year has also begun with a large number of financial penalties, with a further 10 announced by the end of May 2025. 

Beyond financial penalties, malpractice involving healthcare data can also damage patients’ trust and affect their relationship with their healthcare provider.

The Federal Trade Commission (FTC) involvement

The Federal Trade Commission has issued orders in several cases relating to healthcare providers, including ordering the telehealth company Cerebral to pay a $7 million fine and limit the use of consumer health data for advertising purposes. 

The April 2024 ruling establishes precedent for how the FTC will address healthcare data misuse in the digital advertising space. A common legal basis for the FTC’s involvement is the FTC Act, which prohibits unfair or deceptive trade practices. Consequently, even if an organization isn’t directly covered by HIPAA, it may still face federal oversight for the misuse of healthcare data.

The challenge of finding a HIPAA-compliant analytics platform

Healthcare organizations seeking analytics solutions face a complex landscape of regulatory requirements, technical limitations, and vendor constraints that make compliance particularly challenging.

Signing a business associate agreement (BAA)

When it comes to web analytics platforms and HIPAA, your approach depends on whether you collect protected health information (PHI) through your site or app. Data that isn’t considered PHI is outside the scope of HIPAA. 

To legally send PHI to your analytics platform, you must sign a business associate agreement (BAA) with any vendor matching the definition of a business associate. A BAA specifies each party’s responsibilities regarding PHI and ePHI and establishes a legally binding relationship. 

Many vendors don’t want to sign BAAs because doing so would make them directly liable for compliance with certain HIPAA provisions, requiring them to implement comprehensive security measures. 

It’s vital to accurately identify which vendors and partners qualify as business associates under HIPAA. Some relationships may seem less directly related to healthcare operations, but they still involve access to PHI. Watch out for unnecessarily entering into BAAs with other HIPAA-covered entities or third-party service providers who have no access to PHI.

PHI de-identification

If your business associate, such as an analytics vendor, doesn’t offer a BAA, you must remove all identifiers from the data to use their services, so that it’s no longer considered PHI. HIPAA’s Privacy Rule provides two de-identification methods for health information: Expert Determination and Safe Harbor. De-identified data created following these methods does not fall within the definition of PHI. 

The process of de-identification is lengthy and complex, presenting numerous technical and practical challenges.

Even on unauthenticated webpages, your website can be in violation of HIPAA if it gathers information that may contain PHI. This creates practical challenges because, even without a login, tracking an IP address or geolocation on these pages can be considered PHI, as it suggests an individual’s interest in a specific healthcare condition or service.

It’s unlikely that you’ll be able to strip all PHI. Healthcare organizations face particular challenges with:

  • IP addresses and device IDs that can be removed, but leave gaps in analytics capabilities
  • URL titles that can contain sensitive information, like doctor names and specializations
  • Custom tracking events that may inadvertently collect PHI through standard analytics implementations

Additionally, de-identifying all URLs would limit the usability of your analytics. De-identification would negatively impact remarketing and user-based or service-based reporting. On the other hand, cherry-picking URLs containing PHI is nearly impossible, given the dynamic nature of data collected and processed by websites and platforms.
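To make the trade-off above concrete, here is an added example (constructed for this article; not Piwik PRO's own code and not any vendor's API) of a hit sanitizer that runs before data leaves the site: it drops hits from authenticated areas entirely, zeroes the host part of the IP address, collapses every URL outside an assumed allowlist of non-clinical site sections into a generic bucket, and strips custom event keys that were not approved in advance. The section names, path prefixes and event keys are placeholders.

```python
"""Constructed analytics-hit sanitizer: default-deny on URLs, truncate IPs.

Not Piwik PRO code. Section names and prefixes below are assumptions made
for the example; a real site would maintain its own lists.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Top-level sections assumed to carry no health interest when reported at
# page granularity. Anything else (condition pages, doctor profiles,
# scheduling) is collapsed so the URL no longer reveals why someone visited.
PUBLIC_SECTIONS = {"about", "careers", "news", "locations", "contact"}
# Authenticated areas: hits from here are not sent at all unless the
# receiving vendor has signed a BAA.
AUTHENTICATED_PREFIXES = ("/portal/", "/mychart/")
# Custom-event keys approved by review; everything else is dropped.
ALLOWED_EVENT_KEYS = {"event", "section", "cta"}


@dataclass
class Hit:
    url: str
    ip: str
    title: str
    custom: dict = field(default_factory=dict)


def truncate_ip(ip: str) -> str:
    """Keep only the network part (/24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def generalize_url(url: str) -> str:
    """Allowlisted sections keep their path; all others become one bucket.

    Query strings and fragments are always dropped: they are where search
    terms, appointment ids and ad click ids tend to end up.
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        path = "/"                        # site root, nothing to reveal
    elif segments[0].lower() in PUBLIC_SECTIONS:
        path = "/" + "/".join(segments)
    else:
        path = "/_redacted/"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def sanitize(hit: Hit) -> Optional[Hit]:
    """Return a de-identified copy of the hit, or None to suppress it."""
    if urlsplit(hit.url).path.startswith(AUTHENTICATED_PREFIXES):
        return None
    safe_url = generalize_url(hit.url)
    public = not safe_url.endswith("/_redacted/")
    return Hit(
        url=safe_url,
        ip=truncate_ip(hit.ip),
        # Page titles on clinical pages often name the doctor or condition.
        title=hit.title if public else "[redacted]",
        custom={k: v for k, v in hit.custom.items() if k in ALLOWED_EVENT_KEYS},
    )
```

An allowlist like this sidesteps the cherry-picking problem described above by treating unknown URLs as sensitive by default, at the price of exactly the reporting gaps the paragraph warns about: every redacted page shows up as one bucket.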

The evolving analytics landscape presents both opportunities and challenges for healthcare organizations. Recent developments in privacy-focused analytics platforms, server-side tracking solutions, and healthcare-specific analytics tools have created new options for organizations seeking HIPAA-compliant alternatives.

With increased regulatory scrutiny and evolving technology, healthcare organizations must take a proactive approach to analytics compliance. This includes conducting regular audits of all digital tracking technologies, implementing robust data governance frameworks, and staying current with emerging privacy regulations that may impact analytics practices. The cost of non-compliance has never been higher, making it essential to invest in proper HIPAA-compliant analytics solutions.

Is Google Analytics HIPAA-compliant?

The analytics landscape has matured significantly since Google completed its transition from Universal Analytics to GA4 in July 2023. Google Analytics remains the most widely used enterprise analytics platform. 

However, following the 2022 HHS guidance on the use of tracking technologies, Google Analytics is no longer recommended for use in the healthcare industry. 

Google offers its marketing technologies for free because it gets access to data collected by businesses that implement its services. The tech giant uses data within its systems to develop and improve its services and personalize their advertising experience. This business model is fundamentally incompatible with HIPAA requirements.

Google does not offer a business associate agreement (BAA), meaning you can’t share PHI with them. Google also explicitly forbids customers subject to HIPAA from using Google Analytics and sharing PHI with them.

Find out more about Google Analytics and HIPAA: Is Google Analytics HIPAA-compliant?

Is Adobe Analytics HIPAA-compliant?

Adobe has a list of HIPAA-ready services, but only certain products are compliant. To check which of Adobe’s services are compliant, consult Adobe’s list of HIPAA-ready products.

  • Adobe Analytics is not listed as HIPAA-ready on Adobe’s site. It means that Adobe won’t sign a BAA with you to use AA, and you can’t collect or share PHI through Adobe Analytics.
  • Adobe Customer Journey Analytics (CJA) is on the HIPAA-ready list, so you can safely use it as a HIPAA-covered entity and send PHI to it.

Find out more about Adobe Analytics and HIPAA: Is Adobe Analytics HIPAA-compliant?

The healthcare analytics landscape has undergone a fundamental shift. Many analytics tools still cannot adequately address HIPAA compliance requirements and don’t sign BAAs. However, this shift also presents opportunities – HIPAA-covered organizations have a chance to reassess the tools they use for analytics and marketing, and futureproof their compliance.

The market for HIPAA-compliant analytics has matured significantly, offering healthcare organizations various options to meet their analytical needs while maintaining regulatory compliance. 

Let’s review some popular analytics options that can meet the needs of healthcare organizations.

Piwik PRO Analytics Suite

Piwik PRO Analytics Suite is a privacy-focused analytics and data activation platform that helps businesses collect, analyze, and put user data into action. The platform is tailored for industries with strict data compliance requirements, such as healthcare, and enables them to enhance their marketing effectiveness and deliver better user experiences. 

Key strengths:

  • HIPAA compliance with the ability to sign a customizable BAA
  • Strong data ownership and governance tools
  • Data encryption in transit and at rest, secure HIPAA-compliant hosting with Microsoft Azure, advanced anonymization options, granular access controls and more
  • Comprehensive suite including analytics, tag management, consent management, and customer data platform
  • ISO 27001 and SOC 2 certifications, including a HIPAA compliance assessment
  • Competitive pricing and access to support & implementation services
  • Ability to combine strong privacy compliance with effective analytics and data activation capabilities

Best for:

Organizations seeking an all-in-one platform with high data autonomy, configurable privacy settings, and seamless compliance with HIPAA and other regulations such as GDPR and CCPA.

Adobe Customer Journey Analytics (CJA)

Adobe Customer Journey Analytics (CJA) enables you to connect and normalize cross-channel data into actionable profiles, explore the customer journey in its full context, and apply AI-driven insights to deliver personalized experiences at scale.

Key strengths:

  • Adobe CJA can identify and secure PHI and PII, apply access rules, and create data use audits to handle patient data
  • The platform uses AI and machine learning to offer real-time insights into customer journeys, helping healthcare providers understand and optimize their patients’ experiences
  • Strong integration with Adobe Experience Platform

Best for:

Large organizations with existing Adobe infrastructure and the technical expertise to implement the platform and fully leverage its capabilities.

Matomo

Matomo is an open-source analytics platform that can be self-hosted to support HIPAA compliance. While it provides full control over data, the task of maintaining compliance, including secure hosting and audit logging, falls entirely on the user.

Key strengths:

  • Self-hosted option allows HIPAA-compliant configurations
  • No data sampling, full data ownership
  • Limited out-of-the-box support for enterprise security standards

Best for:

Organizations with technical resources to manage and secure their own analytics infrastructure.

Mixpanel 

Mixpanel offers product analytics with HIPAA-compliant options through a separate agreement and an enhanced security tier. Its event-based tracking is ideal for understanding user behavior within digital applications.

Key strengths:

  • HIPAA-compliant plans available on request
  • Powerful segmentation and retention analysis
  • Modern UX with flexible dashboards

Best for:

Healthcare product teams focused on app engagement and retention metrics.

Amplitude

Amplitude is a product analytics platform designed for in-depth behavioral insights across digital experiences. It offers a HIPAA-compliant plan with enhanced security, making it suitable for healthcare and life sciences companies that handle PHI. Amplitude’s strength lies in its robust analytics capabilities, such as cohort analysis, retention tracking, and real-time collaboration.

Key strengths:

  • HIPAA-compliant enterprise tier available upon request
  • Advanced behavioral analytics, funnels, and retention tracking
  • Built-in identity resolution and user journey mapping
  • Scalable architecture with real-time event ingestion
  • SOC 2 Type II and ISO 27001 certifications

Best for:

Healthcare organizations and digital health startups that need granular product insights to optimize patient or user engagement without sacrificing compliance.

Heap Analytics

Heap provides automatic data capture, making it easy to analyze user behavior without manually setting up event tracking. HIPAA compliance is available on select enterprise plans, featuring security protocols including data encryption, access controls, and audit logs.

Key strengths:

  • HIPAA-compliant deployment available on request, including a BAA
  • Advanced retroactive analysis and journey visualizations
  • Automatic event capture that reduces implementation complexity
  • ISO 27001 and SOC 2 certifications

Best for:

Teams seeking rapid setup and detailed behavioral analytics with minimal developer input – ideal for growth and product teams in HIPAA-regulated environments.

Freshpaint

Freshpaint is a healthcare-focused tool that functions as a filter routing data to analytics and marketing tools while providing a strict layer of privacy controls and compliance enforcement. It’s not an analytics platform in itself and doesn’t offer reporting or visualization options – it must be connected to other tools to create a full analytics setup.

Key strengths:

  • Built for HIPAA compliance – BAA signed by default
  • Real-time data routing with automatic PHI filtering
  • Visual tagging interface for non-technical users
  • Consent enforcement across third-party tools
  • SOC 2 Type II and HITRUST CSF certification

Best for:

Healthcare and health tech companies with the resources and skills to implement a plug-and-play analytics integration layer that ensures downstream compliance and simplifies consent governance.


Best practices for selecting a HIPAA-compliant analytics vendor

The ideal HIPAA-compliant analytics platform depends on specific organizational needs, technical capabilities, and resource constraints. Organizations seeking comprehensive functionality with minimal complexity may prefer integrated solutions that provide complete analytics suites with built-in compliance features. Those with specific technical requirements or existing tool investments might benefit from platforms that offer flexibility and integration capabilities.

The key is matching platform capabilities with organizational requirements while ensuring robust compliance measures that protect patient data and support long-term analytical goals. Success depends not just on the platform choice but on proper implementation, ongoing maintenance, and adherence to evolving regulatory requirements.

Here are key aspects to consider when choosing the right HIPAA-compliant analytics provider:

Essential compliance requirements

1. Business associate agreement (BAA)

  • Ensure the vendor will sign a comprehensive BAA covering all required services and data types.
  • Check that the BAA includes specific provisions for data processing, storage, and transmission.
  • Verify that the BAA includes breach notification and incident response procedures.

2. Data hosting and residency

  • Confirm data is hosted in a HIPAA-compliant infrastructure with proper certifications.
  • Evaluate data residency options, including the ability to choose specific geographic locations.
  • Verify that encryption standards for data at rest and in transit meet HIPAA requirements.

3. Security certifications

  • Look for SOC 2 Type II certification as a baseline security standard.
  • Learn if the vendor holds ISO 27001 compliance, which demonstrates a comprehensive approach to security management.
  • Consider vendors that undergo regular third-party audits.

Technical evaluation criteria

1. PHI handling capabilities

  • Identify whether the platform automatically collects and protects standard PHI, such as IP addresses and page URLs.
  • Evaluate built-in data minimization features that limit PHI collection to necessary elements only.
  • Look for robust data retention management tools with automated deletion capabilities.
  • Determine if the platform provides granular access controls to limit the exposure of PHI to authorized personnel.

2. Integration and implementation

  • Assess the complexity of the migration from your existing tools, such as Google Analytics.
  • Find out what pre-built integrations are available, including connectors to popular healthcare technology tools.
  • Discover the available customer support, onboarding, and implementation services.

3. Reporting and analytics features

  • Verify if the platform provides the specific healthcare metrics your organization requires.
  • Learn what advanced features are available – for example, funnel analysis, custom reporting, customizable dashboards and others you need.
  • Determine the options available for extending platform capabilities, such as data exports or custom development.

Vendor assessment framework

1. Financial considerations

  • Consider the total cost of ownership, including potential integration costs with existing systems.
  • Factor in implementation costs, training, and ongoing support.
  • Consider vendors that provide good value through all-in-one solutions to reduce costs.

Google Analytics is free, so healthcare organizations should expect to pay more for a HIPAA-compliant analytics solution.

2. Risk management

  • Ensure the vendor doesn’t share data with third parties or reuse it for other purposes.
  • Find out if the vendor provides regular security updates and proactive compliance monitoring.
  • Assess incident response and breach notification procedures.
  • Factor in whether the vendor prioritizes healthcare clients and understands industry-specific needs.

3. Scalability and futureproofing

  • Determine if the vendor offers modular functionality, such as analytics, tag management, and CDP capabilities, within a single platform.
  • Assess the solution’s scalability to determine how well it can grow in line with your organization’s increasing data volume and complexity.
  • Learn how the vendor stays current with evolving HIPAA requirements.

The path forward

Despite numerous challenges, healthcare organizations are finding ways to maintain effective analytics while ensuring compliance with regulations. There are solutions for healthcare providers and organizations that want to run a modern digital business with all the necessary marketing tools to optimize and grow.

Healthcare providers must invest in compliant vendors and establish a compliance strategy to unlock the full potential of data-driven marketing, analytics, and advertising while safeguarding patient privacy.

The challenge of finding HIPAA-compliant analytics platforms reflects the broader transformation of healthcare digital marketing in the post-2022 regulatory environment. Organizations that successfully navigate these challenges will be those that prioritize compliance from the outset, invest in specialized solutions, and maintain ongoing vigilance as regulations continue to evolve.

HIPAA compliance doesn’t have to limit your marketing or analytics activities. Piwik PRO provides healthcare institutions with actionable marketing insights, ensuring regulatory compliance, and securing patient data. 

Learn more about how Piwik PRO can support your organization in HIPAA-compliant analytics: