In December 2022, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance on online tracking technology to HIPAA-covered entities. The bulletin details healthcare companies’ use of third-party cookies, pixels and other tracking technologies and elaborates on the definition of protected health information (PHI) that HIPAA refers to.
HHS’s bulletin emerged in the wake of numerous class-action lawsuits alleging improper disclosure of patient information filed against major health systems and hospitals. The bulletin urges HIPAA-covered entities to evaluate how they use online tracking technologies.
This article will examine how HIPAA-covered entities can follow HHS’s guidance and their options for HIPAA-compliant and effective approaches to analytics.
HHS’s guidance defines tracking technology as “a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app.” Examples include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts.
The guidance explains that regulated entities disclose various pieces of information to tracking technology vendors through tracking technologies placed on their websites or mobile apps. Some of this data may include individually identifiable health information (IIHI), like someone’s:
- Medical record number
- Home or email address
- Dates of appointments
- IP address or geographic location
- Medical device IDs
- Any other unique identifying code
Healthcare information collected on a regulated entity’s website or app is considered PHI even if:
- The individual does not have an existing relationship with the regulated entity, and
- Data such as IP address or geographic location does not include specific treatment or billing information like dates and types of healthcare services.
According to HHS, the collection of such data indicates that the individual received or will receive services from the covered entity. As a result, it relates to the individual’s past, present, or future health, treatment or payment for it.
The OCR’s bulletin also clarifies what parts of a website or app can contain PHI:
- User-authenticated pages (pages that require a user to log in) often contain PHI in the form of an individual’s IP address, medical record number, home or email address, dates of appointments, diagnosis, treatment or prescription information, etc.
- Unauthenticated pages generally do not have access to PHI, and such pages are not regulated by HIPAA. However, there are some exceptions:
  - The registration page where an individual creates a login – this will contain PHI after an individual enters credentials, such as a name or email address.
  - A page addressing specific symptoms or health conditions, such as pregnancy or miscarriage, or one that permits individuals to search for doctors or schedule appointments – the tracking technology vendor could still collect an individual’s email address and/or IP address on such pages.
- Mobile apps contain PHI provided by app users and their devices, such as fingerprints, network location, geolocation, device ID, or advertising ID. Exceptions include information that users voluntarily download or enter into apps that are not developed or offered by or on behalf of covered entities.
HIPAA-covered entities must:
- Sign a business associate agreement (BAA) with a tracking technology vendor that meets the definition of a business associate before PHI is passed to the vendor. If a covered entity does not want to create a business associate relationship with the vendor, or the vendor will not provide a satisfactory BAA, the entity must obtain an individual’s HIPAA-compliant authorization before disclosing PHI to the vendor.
  Tracking technology vendors like Google Analytics are business associates if they create, receive, maintain, or transmit PHI on behalf of a covered entity for a regulated function, like healthcare operations, or to provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI.
- Ensure that all disclosures of PHI to tracking technology vendors are permitted by HIPAA. Only the minimum necessary PHI should be shared for the intended purpose.
- Address the use of tracking technologies in their risk analysis and risk management processes. Implement appropriate administrative, physical, and technical safeguards (such as encryption and access, authentication, and audit controls) when they access ePHI stored in the tracking technology vendor’s infrastructure. These controls ensure that ePHI is protected from unauthorized access.
- Provide breach notifications to affected individuals, the Secretary, and the media (when applicable) when PHI is disclosed to a tracking technology vendor in a manner that breaches HIPAA requirements.
In November 2023, the American Hospital Association (AHA) filed a lawsuit against HHS for its guidance on tracking technologies. AHA is challenging OCR’s interpretation of HIPAA, especially its alleged overly broad conception of PHI.
The AHA states that by limiting tracking technologies on sites, essential website tools like analytics platforms will no longer appear on hospital websites. This ultimately harms the patients that OCR’s rule seeks to protect.
Healthcare organizations must inspect the tracking technologies they use, what tools can access PHI and whether they have BAAs in place. If your analytics setup isn’t HIPAA-compliant, you should explore other options.
Your best bet is to find an analytics vendor that will sign a BAA and help you protect PHI on your website. What options do you have?
Analytics platforms differ in their approaches to HIPAA compliance and some are more optimal than others. Below, we list the most popular options and explain their pros and cons.
Google Analytics 4 (GA4) remains the most popular analytics solution, so many companies might view it as the default option. However, the use of GA4 by HIPAA-covered entities puts them at serious risk of security breaches and loss of patient trust.
Crucially, Google doesn’t permit customers subject to HIPAA to use Google Analytics 4:
“Customers who are subject to HIPAA must not use Google Analytics in any way that implicates Google’s access to, or collection of, PHI, and may only use Google Analytics on pages that are not HIPAA-covered.”
If you send any trace of PHI/ePHI to GA4, you’re violating both HIPAA regulations and Google’s terms of service, which can lead to the termination of your GA account.
Moreover, you won’t be able to sign a BAA for Google Analytics. Google is also open about using tracked data for its own purposes. They apply the data to develop new services, measure advertising effectiveness, and personalize content and ads. Using any PHI/ePHI for marketing or advertising without a BAA can be a serious violation of HIPAA.
And that’s not all. Google doesn’t offer choices for data residency, meaning all the collected data is stored in randomly assigned data centers both within and outside the US. As a result, you don’t know the location of your patients’ data, which HIPAA considers a breach of accountability.
You will need to configure your tag manager or customer data platform (CDP) to filter PHI out of the data before it is sent to GA4. Alternatively, you can de-identify all PHI: data stripped of its identifiers is no longer viewed as PHI, which puts it out of HIPAA’s scope. De-identified data has its downsides, however, as it lacks information needed to make your marketing campaigns more effective.
Let’s not forget that the limitations concerning HIPAA don’t end at GA4 or Google Tag Manager. GA4 is often used as a collection tool from which data is passed into a data warehouse or BI tool. Consequently, adding GA4 to your analytics stack compromises the compliance of your whole setup.
Given Google’s approach to PHI and the strict rules set out by HIPAA, the use of GA4 by HIPAA-regulated entities remains a risky endeavor. It requires ongoing attention and careful maintenance to ensure no PHI finds its way to Google’s platform.
Pros:
- Lots of talent on the market with experience and knowledge about using GA4.
- You can maintain your GA4 setup and the investment of time and resources into the platform.
- You get the flexibility of your own data warehouse.
Cons:
- Requires lots of maintenance and technical resources.
- PHI must be de-identified before being shared with Google – the process is time-consuming and error-prone.
- Sharing PHI with Google may result in HIPAA breaches and the termination of your GA account.
- Google uses the collected data for its own purposes.
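To make the de-identification step concrete, here is an added example (not code from the article, Google, or any analytics vendor) of a tag-manager-style gate that decides whether an event may go to a vendor that has not signed a BAA, and strips the identifiers HHS lists as IIHI before it does. The URL path patterns and field names are assumptions chosen to mirror the bulletin’s examples; it also shows why covered pages are blocked outright rather than scrubbed.

```javascript
// Added example, not code from the article or from any analytics vendor.
// A tag-manager-style gate that decides, per page view or event, whether a
// tracking payload may be sent to a vendor that has NOT signed a BAA, and
// de-identifies it first. Path patterns and field names are assumptions
// chosen to mirror the examples in HHS's bulletin.

// Pages the bulletin singles out as likely to involve PHI even without login:
// registration, condition-specific content, doctor search, appointment scheduling.
const COVERED_PATHS = [/^\/register\b/, /^\/conditions\//, /^\/find-a-doctor\b/, /^\/appointments\b/];

// Identifiers the bulletin lists as IIHI; never forwarded without a BAA.
const IDENTIFIER_FIELDS = ["mrn", "email", "homeAddress", "appointmentDate", "ip", "deviceId"];

function isCoveredPage(path, authenticated) {
  // Every user-authenticated page is treated as containing PHI.
  if (authenticated) return true;
  return COVERED_PATHS.some((re) => re.test(path));
}

// Remove identifier fields and drop query strings, which often carry
// email addresses or record numbers copied from forms and links.
function deidentify(event) {
  const out = {};
  for (const [key, value] of Object.entries(event)) {
    if (!IDENTIFIER_FIELDS.includes(key)) out[key] = value;
  }
  if (typeof out.pageUrl === "string") out.pageUrl = out.pageUrl.split("?")[0];
  return out;
}

// Decide what (if anything) reaches the vendor. Without a BAA, covered pages are
// blocked outright: the vendor's server would still learn the visitor's IP
// address from the HTTP request itself, so scrubbing the payload is not enough.
function routeEvent(event, { path, authenticated, hasBaa }) {
  if (hasBaa) return { action: "send", payload: event };
  if (isCoveredPage(path, authenticated)) return { action: "block", payload: null };
  return { action: "send", payload: deidentify(event) };
}

// Constructed sample event (not real data) for a quick self-check.
const SAMPLE = {
  name: "page_view",
  pageUrl: "https://example.org/news?email=pat%40example.org",
  mrn: "000123",
  email: "pat@example.org",
};

function demo() {
  return [
    routeEvent(SAMPLE, { path: "/news", authenticated: false, hasBaa: false }),
    routeEvent(SAMPLE, { path: "/conditions/pregnancy", authenticated: false, hasBaa: false }),
    routeEvent(SAMPLE, { path: "/portal/results", authenticated: true, hasBaa: true }),
  ];
}
```

The three calls in `demo()` cover the cases the text describes: a general page sends a scrubbed payload, a condition-specific page without a BAA sends nothing, and a vendor under a BAA receives the full event.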
On-premises analytics refers to deploying and managing analytics infrastructure within an organization’s own physical location or data center. With on-premises hosting, the tracking technology vendor cannot access your infrastructure. The vendor isn’t considered your business associate, so you won’t have to sign a BAA.
Examples of analytics platforms that offer on-premises hosting include Matomo, Snowplow or Countly.
To be HIPAA-compliant, you must follow specific practices to build and maintain your on-premises infrastructure. For example, ensure your infrastructure includes:
- Data backups and recovery options
- Audit and change logs for your data and users
- Secure encryption of data at rest and in transit
Organizations get complete control over the data and flexibility to configure the infrastructure to their requirements. However, on-premises hosting is also costly to maintain and difficult to scale. Whether this option is viable depends on your organization’s needs, budget constraints, and strategic priorities.
Some organizations may opt for a hybrid approach that combines on-premises and cloud solutions to balance control and flexibility, such as the dedicated database – a private cloud offered by Piwik PRO.
Pros:
- Control over the data and what happens with it.
- You can adjust the setup to your company’s needs.
Cons:
- High costs.
- Requires maintenance and resources.
- The organization is responsible for failures and security incidents.
More technical organizations can build their analytics setup with a few HIPAA-compliant tools. However, this approach can get complex. You need to evaluate your needs, understand what each tool offers, and check how it can help you comply with HIPAA.
Let’s look at an example of an analytics setup centered around Freshpaint as a data collection tool.
Freshpaint is a data platform that connects customer data from the site or app to marketing and analytics tools through pre-built connections with the most common products. It recently launched the Healthcare Privacy Platform, which is meant to safeguard patient privacy and make marketing stacks HIPAA-compliant.
Freshpaint works as a layer between a website and other systems. It requires additional tools to make your analytics setup complete, such as a data warehouse and data visualization tool. You can also integrate it with analytics platforms like GA4.
Aside from signing a BAA, Freshpaint offers other dedicated HIPAA-compliant features:
- Allow List is an opt-in functionality that allows healthcare marketers to control what data is sent to a given destination.
- Event Verification lets companies see what information is being collected and sent to third-party tracking tools.
- Web Tracker Monitoring provides reporting on website trackers.
These features make Freshpaint’s offering unique, but it does have a fair share of issues.
Freshpaint is only a middleman – it takes in data, cleans it, and then sends it to a specific destination. You can’t report on or visualize the data within the platform. And while it helps you control and restrict the flow of PHI to non-HIPAA-compliant apps and systems, you can’t access and act on PHI within Freshpaint either.
You can use many analytics and marketing tools without identifying information, but this might restrict some of their capabilities. For example, if you exclude some events or URLs from flowing to GA4, your dataset will be missing data and won’t be fully accurate. If you reset visitor IDs or mask IP addresses, it will impact visitor stitching and customer journey analysis.
The bottom line is that Freshpaint lacks the use cases and features of analytics platforms. The setup and maintenance require significant technical skills, resources, and coordination across multiple teams. This also makes using the tool very costly.
Adjusting the platform’s settings requires understanding what metadata and properties are collected by a destination and whether they contain personally identifiable information (PII) or health information that could be viewed as PHI.
If you need to connect Freshpaint to a tool it doesn’t have an integration for, you must create it yourself. Depending on the tool, the process may require a lot of effort and you will have to overcome many technical hurdles to make it happen. And if you want to connect Freshpaint to an analytics platform that’s already HIPAA-compliant, you’re just adding an extra step.
You can also connect Freshpaint to GA4 to strip any PHI from data before sending it to GA4, but your analytics will lack many identifying pieces of information.
The question remains whether GA4 is an optimal analytics platform for your needs beyond simply complying with HIPAA. GA4 has many limitations that vary in degree and affect companies differently. Despite recent improvements, GA4 comes with data sampling, configuration limits, insufficient privacy measures, complicated access to raw data, and missing features, to name a few.
If you’re struggling with GA4 and subject to HIPAA, it’s time to explore alternatives. By considering an all-in-one analytics platform that implements appropriate security measures and is ready to sign a BAA, you’re getting the best of both worlds: comprehensive analytics features and HIPAA compliance.
Pros:
- Dedicated HIPAA-compliant features, including signing a BAA.
- The ability for HIPAA-covered companies to use popular marketing and analytics tools.
- The ability to combine the benefits and features of each tool in the Freshpaint setup.
- Avoiding unanticipated switching costs and losing the investment into the existing technology stack.
Cons:
- The connection between systems may not be seamless – changes or API updates by vendors may break your setup.
- A data analyst or database expert is necessary to manage and maintain the systems and setups.
- Costs are very high – you must pay for implementation, licensing of multiple vendors, and maintenance.
- The setup process is complicated and requires an understanding of HIPAA’s provisions and each destination tool’s specifications.
You can choose a HIPAA-compliant web analytics platform that will provide you with all the resources to collect, analyze and activate data, on top of features that will help you achieve HIPAA compliance. You don’t need to create and maintain resource-heavy and costly setups, and it’s a viable solution for organizations of all sizes with less technical teams.
Examples of HIPAA-compliant analytics vendors include Mixpanel, Heap, Amplitude and Piwik PRO.
Piwik PRO provides analytics software for websites, apps, and digital products with comprehensive integration and activation capabilities. You can sign a BAA with Piwik PRO, meaning you’re free to send all types of PHI and ePHI to your analytics setup. You don’t have to de-identify PHI or restrict its flow to analytics.
With Piwik PRO Analytics, Tag Manager and Customer Data Platform, you can safely collect and analyze PHI and ePHI throughout the whole customer journey and activate the data to improve patient experience.
You can also connect the suite of products with a data warehouse via scheduled raw data exports or API to expand the platform’s data analysis functionalities.
Additionally, you can achieve HIPAA compliance through other features, such as:
- Hosting on HIPAA-compliant Microsoft Azure data centers
- Ability to fully switch off the collection and storage of visitors’ IP addresses
- Encryption of ePHI when the data is at rest and in transit
- Advanced user-permission options to manage who on your team can access PHI
- Safe backup storage with maximum recovery capability
- Not sharing ePHI with third parties or reusing it for other purposes
- ISO 27001 and SOC 2 Type II certifications and regular privacy and security audits
Pros:
- You can sign a BAA.
- You get an all-in-one platform with complete features and capabilities.
- Allows you to collect and use both PHI and de-identified health information.
- The vendor implements multiple high-level privacy and security features.
- Low cost.
Cons:
- You are using tools from one vendor only.
The HHS guidance on tracking technologies and other recent HIPAA developments give healthcare organizations little room for error on HIPAA compliance. Healthcare providers must remain alert to changes in the digital health industry as regulations and technology are continually evolving.
Above all, they should evaluate their analytics setup and understand their options for achieving HIPAA compliance. If the chosen vendor falls short of the requisite standards, they must be ready to pivot to a partner that meets their analytics needs and prioritizes compliance to avoid damaging breaches.