The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that, among other things, regulates how healthcare organizations use and disclose protected health information (PHI). Covered entities (health plans, healthcare clearinghouses, and providers that conduct electronic transactions) and the business associates that handle PHI on their behalf are subject to HIPAA, even if they are located outside the US. It affects many aspects of how such organizations operate, including what analytical data they collect and what they may use it for.
This makes choosing a healthcare analytics platform a bigger challenge, since many popular tools cannot satisfy HIPAA security requirements. We have discussed Google Analytics and its HIPAA compliance issues in previous posts.
This article focuses on a popular advanced analytics tool from another industry giant: Adobe. Find out if Adobe Analytics is HIPAA-compliant.
Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but does not provide legal consultancy. If you’d like to make sure you’re in compliance with HIPAA guidelines, we encourage you to consult an attorney.
Adobe Analytics is one of the most prominent enterprise analytics tools on the market and part of the Adobe Marketing Cloud. It is a fully featured and advanced web and app analytics solution that allows you to understand the behavior of visitors to your site and app.
Advanced analytics users can customize how they measure the performance of their websites and marketing efforts with the platform. Adobe Analytics can be integrated with other Adobe marketing products like Adobe Campaign or Adobe Target. In addition to advanced segmentation and real-time automation, it offers ad-hoc analysis.
Healthcare organizations deal with sensitive information about people’s health and care, which HIPAA calls PHI. HIPAA sets the conditions under which this data may be used and disclosed in different contexts, including analytics.
While PII is a catch-all term for any information that can be associated with an individual, PHI is a narrower, HIPAA-specific term: individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate.
Read more about PHI and PII:
PHI and PII: How they impact HIPAA compliance and your marketing strategy
There are two ways to lawfully use patients’ PHI when doing analytics.
- You can sign a business associate agreement (BAA) with your vendor. A covered entity that sends PHI to a vendor must have a written BAA that spells out what the vendor may do with the data and what safeguards it must apply; the vendor then becomes a business associate, with its own obligations under HIPAA. If the vendor does not offer a satisfactory BAA, you cannot disclose PHI to that vendor without each individual’s written authorization.
- Many vendors don’t want to sign BAAs. To use their services without such a contract, you must de-identify the data so it is no longer PHI. HIPAA recognizes two de-identification methods: Safe Harbor, which removes 18 listed categories of identifiers, and Expert Determination, in which a qualified expert documents that the re-identification risk is very small. Either way, de-identification takes time and is complex.
URLs and IP addresses are both on the Safe Harbor list of identifiers, and URLs are something every web analytics tool collects by default. Reliably de-identifying every URL is hard, and doing so blunts the analytics: remarketing and user-based or service-based reporting depend on exactly the detail you have to strip out.
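The snippet below is an added example of the kind of client-side URL scrubbing a site would run before a page view is handed to any analytics tag. It is not code from Piwik PRO, Adobe, or the original post; the parameter allowlist, the segment patterns, and the threshold of five digits for a record ID are illustrative assumptions. Note what it does not do: it leaves the route itself intact (a path like /oncology/appointment-confirmed still says something about the visitor), it does nothing about IP addresses or timestamps collected by the tag, and on its own it does not make a data set de-identified under Safe Harbor.

```javascript
// Added example: scrub identifier-like parts of a page URL before it reaches an
// analytics endpoint. Patterns, allowlist, and thresholds are assumptions for
// illustration, not a complete HIPAA de-identification method.

// Query parameters that may be kept: campaign tags only. Every other parameter
// (search terms, MRNs, emails, reset tokens) is dropped rather than masked,
// because we cannot enumerate every parameter a third party might append.
const ALLOWED_QUERY_PARAMS = new Set([
  "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content",
]);

// Path-segment patterns that usually carry an identifier. Order matters: the
// more specific shapes (email, date, UUID) are tested before the generic ones.
const SEGMENT_RULES = [
  { label: "[email]", re: /^[^@\s]+@[^@\s]+\.[^@\s]+$/ },
  { label: "[date]",  re: /^\d{4}-\d{2}-\d{2}$/ },                 // YYYY-MM-DD
  { label: "[id]",    re: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i }, // UUID
  { label: "[id]",    re: /^\d{5,}$/ },                             // numeric record/account ids (5+ digits so a bare year survives)
  { label: "[id]",    re: /^(?=.*\d)[A-Za-z0-9_-]{16,}$/ },         // long opaque tokens (must contain a digit, so slugs survive)
];

// Replace one path segment with a placeholder if it looks like an identifier.
function scrubSegment(segment) {
  let decoded;
  try { decoded = decodeURIComponent(segment); } catch (e) { decoded = segment; }
  for (const rule of SEGMENT_RULES) {
    if (rule.re.test(decoded)) return rule.label;
  }
  return segment;
}

// Return the URL that is safe to send: scrubbed path, allowlisted query, no fragment.
function deidentifyUrl(rawUrl) {
  const url = new URL(rawUrl);
  const path = url.pathname.split("/").map(scrubSegment).join("/");
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_QUERY_PARAMS.has(key)) kept.append(key, value);
  }
  const query = kept.toString();
  // The fragment is dropped entirely: single-page apps often keep state there,
  // including whatever the visitor typed into a search box.
  return `${url.origin}${path}${query ? "?" + query : ""}`;
}

// Usage: run this on document.location.href before calling the analytics tag,
// e.g. analytics.trackPageView(deidentifyUrl(window.location.href)).
```

In a real deployment the same scrubbing has to be applied to every other field the tag collects that can echo the URL (referrer, custom dimensions, event names), and the allowlist should be reviewed whenever a new query parameter is introduced on the site.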
Even with a BAA in place, the covered entity remains responsible for the safeguards around the data: encryption, and hosting arrangements that let you know exactly where your data is stored and keep it in data centers that meet HIPAA’s requirements.
Encryption of PHI is central to HIPAA compliance. Encryption transforms readable data into ciphertext that can only be read with the corresponding key, so that a copy obtained without authorization is useless. This matters all the more as PHI moves between systems: electronic health record systems, email, analytics collectors, and cloud storage.
Under the HIPAA Security Rule, encryption of electronic PHI at rest and in transit is an “addressable” implementation specification: a covered entity must either implement it or document why it is not reasonable and what equivalent safeguard it uses instead. In practice, encryption is expected for any PHI that travels between two devices or sits on a disk, server, or other storage medium, and it has a second benefit: PHI that is encrypted in line with HHS guidance is not “unsecured PHI,” so its loss does not by itself trigger the Breach Notification Rule.
Another feature that helps HIPAA compliance is the option to switch off the collection of visitors’ IP addresses. With this setting, IP addresses, which are themselves a Safe Harbor identifier, are neither collected nor stored anywhere in the analytics instance.
Vendor certifications such as ISO 27001 and SOC 2 reports show that the vendor runs a managed security program for preventing data breaches, malicious attacks, and unauthorized use of assets. They are useful evidence when vetting a vendor, but neither is a HIPAA certification; there is no official HIPAA certification, and a BAA plus your own risk analysis are still required.
If your organization is obliged to follow HIPAA, you should work with analytics platforms that support HIPAA-related features and controls and that are built on principles such as privacy by design. That gives you control over your data and a clear picture of what you collect, store, and transfer.
So, is Adobe Analytics HIPAA-compliant? The short answer is: not if you want to process PHI.
Currently, Adobe Analytics does not satisfy the provisions of HIPAA, because Adobe has not designed it to meet the required privacy and security standards.
Adobe Analytics is not listed as HIPAA-ready on Adobe’s compliance site. This means Adobe will not sign a BAA covering Adobe Analytics. As a result, you are not permitted to create, receive, maintain, or transmit PHI through Adobe Analytics.
As Adobe’s site states:
Customers that license HIPAA-Ready Services to process PHI must have a BAA with Adobe that applies to those HIPAA-Ready Services. A customer may provide PHI only with a HIPAA-Ready Service in accordance with the license agreement and BAA between Adobe and the customer. Customers are not permitted to create, receive, maintain, or transmit PHI through Adobe Products and Services that are not HIPAA-Ready Services because Adobe has not designed these services to support the customer and Adobe’s HIPAA compliance.
So, to use Adobe Analytics as a HIPAA-covered entity, you must de-identify the data before it reaches Adobe, so that what you send is no longer PHI.
As for additional security measures, the Adobe Analytics security overview notes that Adobe employs various controls to protect customer data, including intrusion detection system sensors, non-routable IP addressing, daily backups, segregation of clients’ data, and firewalls. None of them, however, is presented as specifically addressing HIPAA compliance.
In terms of encryption, Adobe states that all communications between its data processing centers (DPCs) and regional data collection centers (RDCs) are encrypted. According to the same document, though, data stored within a DPC, that is, data at rest, is generally not encrypted, and data in transit from the visitor’s browser is encrypted only when the tracking hit is sent over HTTPS. For PHI, that is a serious gap.
Adobe itself advises users not to use PII. Adobe states that:
Moreover, Adobe prohibits advertisers from sending sensitive personal information to Adobe, such as medical records.
What about Adobe’s Customer Journey Analytics?
Adobe offers a few products intended to help you improve healthcare experiences while protecting patient privacy. Customer Journey Analytics (CJA) is one of them, and it is listed as HIPAA-ready on Adobe’s site. According to Adobe, CJA can identify and secure PHI and PII, apply access rules, and create data use audits for patient data.
However, it has some limitations as an analytics platform. Unlike Adobe Analytics, CJA is not a self-contained solution but one component of a larger stack. Rather than being a tool built for web analytics, CJA is essentially the reporting layer for data stored in the Adobe Experience Platform.
If you want to learn more, read: A review of HIPAA-compliant analytics platforms
Adobe Analytics can in theory be used in a HIPAA-compliant way, but only with de-identified data, and in practice that means giving up many of the insights and opportunities to use data to improve your services. Fortunately, other platforms may suit your needs.
Several analytics platforms can support HIPAA compliance by signing a business associate agreement (BAA). Piwik PRO is one of them. It was developed with privacy and security in mind to reduce compliance issues. Because of that, it can easily support your analytics use cases in healthcare. Moreover, it gives you accuracy, flexibility, and complete control when collecting and analyzing customer data. It allows you to grow into a more data-driven organization and become a trustworthy partner.
Piwik PRO offers encryption of PHI when data is at rest and in transit, and PHI is not shared with third parties or reused for other purposes. Additionally, the platform offers hosting on HIPAA-compliant Microsoft Azure data centers, where you can choose the specific location of your data and a feature in the product to switch off the collection of visitors’ IP addresses.
If you want to learn more about how Piwik PRO can support your HIPAA compliance efforts, reach out to us: