Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but does not provide legal consultancy. If you’d like to make sure you’re in compliance with HIPAA guidelines, we encourage you to consult an attorney.
Healthcare organizations use analytics platforms to collect and analyze data about their patients. The data helps them improve the quality of digital services as well as personalize content and advertising. It also contributes to reducing data administration costs.
Using analytics tools in a strictly regulated sector such as healthcare requires a cautious approach, especially if you operate in the US or work with US patients. In this case, make sure that you process and store protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Healthcare entities cannot engage in the impermissible disclosure of PHI to tracking technology vendors. This matters more than ever today, given the expanding range of sensitive information collected by vendors like Google Analytics. Any disclosure of PHI has to be made in a manner consistent with HIPAA.
In addition, patients are becoming increasingly aware of their legal rights and data security. A focus on HIPAA compliance can help you maintain patients’ trust.
What is HIPAA?
HIPAA is a federal law that sets standards for processing, storing and disclosing sensitive protected health information. It applies to all forms of protected health information – electronic, written or spoken.
If you want to know more about HIPAA requirements for professionals, check the website of the US Department of Health & Human Services.
Healthcare analytics – is Google Analytics in line with HIPAA?
If you use Google Analytics or similar software, chances are you’re already optimizing your website to better serve your customers. But does your analytics platform satisfy HIPAA compliance obligations?
The short answer is “probably not”. If you’d like to get into the details and explore two possible scenarios, read on.
Using Google Analytics to collect and process PHI and ePHI
In this scenario, you want to use analytics data together with protected health information (PHI and ePHI).
What’s PHI and its electronic version (called ePHI)?
PHI includes health information about an individual’s condition, the treatment of that condition, or the payment for that treatment, when other data in the same record set can be used to personally identify the subject of the health information and the information is transmitted or maintained in any form by a covered entity.
Examples of health information include:
- Medical test results
- Prescription or treatment records
- Billing information
- Appointment scheduling information
There is a list of identifiers that, when connected with health information, make the combination PHI. They include:
- Geographic data
- Email addresses
- Account numbers
- Web URLs
- Device identifiers and serial numbers
- IP addresses
- Medical record numbers
- Social Security numbers
- Biometric identifiers
In a recent Bulletin, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) provides examples of what parts of a website or app can contain PHI:
- User-authenticated pages will likely contain many forms of PHI, making them subject to HIPAA.
- Some unauthenticated pages include PHI. Whether PHI is being disclosed depends on the visitor’s underlying intentions and whether the page visit relates to the individual’s health care.
- Mobile apps contain PHI provided by the app user and their devices, such as geolocation or device ID.
For more details, visit HIPAA journal.
If you want to track PHI, Google Analytics won’t meet your needs. Why?
Take a look at the HIPAA disclaimer from Google’s website:
HIPAA disclaimer
Unless otherwise specified in writing by Google, Google does not intend uses of Google Analytics to create obligations under the Health Insurance Portability and Accountability Act, as amended, (“HIPAA”), and makes no representations that Google Analytics satisfies HIPAA requirements. If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.
Google states that Google Analytics doesn’t satisfy HIPAA requirements. And you can’t use Google Analytics for any purpose involving PHI if you are:
- A covered entity – hospitals, clinics, insurance companies, healthcare clearinghouses, etc.
- A business associate – for example, an external company hired to perform legal services, data aggregation, management or data analysis.
Check the specific lists of covered entities and business associates created by the US Department of Health & Human Services.
Moreover, if you want to use a tracking technology (like an analytics platform) that will collect and process PHI, and it fits the definition of a business associate, you need to sign a business associate agreement (BAA) with the vendor. Google doesn’t give you this option.
The sole fact of collecting data requires a BAA. That includes situations when data is collected and then immediately erased or de-identified.
Why Google won’t sign a BAA with you
There are two possible reasons why Google won’t let you sign a BAA with them:
- Google doesn’t offer on-premises hosting or data residency of your choice. All data tracked by the platform is stored in data centers assigned by Google, within and outside the US. This breaks HIPAA’s accountability rule – you don’t know where exactly your patients’ data is located.
- In Google’s terms & conditions, the company describes how it uses tracked data. Google uses the data to develop new services, measure the effectiveness of advertising and personalize content and ads. Using any PHI/ePHI in an advertising context might be a serious violation of HIPAA.
As a result, if you pass any trace of PHI/ePHI into Google Analytics, you’re breaking HIPAA regulations and Google’s terms of service. This may result in the termination of your GA account.
Many ways in which third-party tracking technologies, like Google Analytics, collect and track user information are not apparent to users visiting your website or app. These technologies send information directly to the third parties that developed them. Users’ unique identifiers and other collected information allow Google Analytics to create individual profiles for each user. They may continue to track users and gather information about them even after they navigate away from the original website to other websites. Such practices are particularly egregious when it comes to sensitive information like healthcare data.
Also, take a look at this case from your patients’ perspective. Your visitors trust your website and search for information about their illness, which could be cancer or depression. If later they get ads related to that illness on an unrelated page, you’ll be in trouble. This not only violates HIPAA provisions but also leads to the loss of patients’ trust in your organization.
Using Google Analytics without collecting and processing ePHI or PHI
In this scenario, it’s possible to use Google Analytics in a compliant way. This, however, requires additional work and precaution from your side. You need to make sure that you don’t send any traces of PHI/ePHI to Google Analytics – any mistake may result in fines. This is also the case if you violate HIPAA rules unknowingly.
The OCR’s Bulletin provides additional information about parts of your website that contain PHI. Specifically:
- User-authenticated pages are pages that require a user to log in. They often contain PHI in the form of an individual’s IP address, medical record number, home or email address, dates of appointments, diagnosis, treatment or prescription information, etc.
- Unauthenticated pages are pages that don’t require users to log in. They contain general information about the regulated entity, like its location, visiting hours, employment opportunities, or policies and procedures. Tracking technologies on many unauthenticated webpages do not have access to individuals’ PHI, in which case they are not regulated by HIPAA. Examples of situations where PHI is not disclosed include:
  - Collection and transmission to a tracking technology vendor of a user’s IP address or other identifying information related to the user’s visit to a regulated entity’s job postings or visiting hours webpages.
  - Collection and transmission to a tracking technology vendor of identifying information on a student who visited a regulated entity’s webpage to review its oncology service offerings for a research paper – here, such information is not related to the student’s health care.

  On the other hand, PHI disclosures may occur in the following scenarios:
  - Collection and transmission to a tracking technology vendor of an IP address, geographic location, or other identifying information on an individual who visited the same oncology webpage as mentioned above to seek a second opinion on a cancer diagnosis – here, it relates to the individual’s past, present, and/or future health.
  - Collection and transmission to a tracking technology vendor of identifying information, such as an email address, on appointment scheduling pages and symptom-checker tools.

  The examples provided by the OCR indicate that regulated entities should consider the intent of a website visitor in determining whether identifiable information is PHI and whether the specified disclosure falls under HIPAA. However, the updated guidance does not clarify how a regulated entity may determine a webpage visitor’s intentions. HHS seems to be taking the stance that if covered entities cannot determine the intentions, they should stay on the safe side and treat the information as if it is PHI.
- Mobile apps contain PHI provided by app users and their devices, such as fingerprints, network location, geolocation, device ID, or advertising ID. The updated guidance provides the following example:
  - A patient may be using a health clinic’s diabetes management mobile app to track health information, such as glucose levels. The transmission of such a patient’s information to a tracking technology vendor would be a disclosure of PHI, because the patient’s use of the app is related to a health condition (i.e., diabetes) and is coupled with PII (i.e., name, IP address, device ID).
How to send healthcare data to Google Analytics
Every website or app of a healthcare organization that uses an analytics platform carries a basic analytics tag that sends page URLs and page titles to the analytics platform.
So, if your visitor types “cancer” in the search box and clicks on any URL that contains this phrase, analytics collects the page URL and the page title. If this data is connected with a visitor identifier (like an IP address), the combination is considered PHI and may lead to a HIPAA violation.
In short, make sure that no PHI finds its way into analytics.
Take a look at these sample URLs:
- https://healthclinics.com/your_account_john_hill/stomatologist_nelson_green
- https://healthclinics.com/url8554
The first URL contains PHI – your patient’s name and their doctor’s name and specialization. The second URL is stripped of PHI and shows only a universally unique identifier. Make sure your settings and site architecture are configured so that the first URL is rewritten to the second before it reaches your analytics.
There are many other ways to pass PHI during a patient visit through custom dimensions, which are basically placeholders for values you scrape off your website during your patient’s visit. This placeholder could be any data point your team chooses to collect, even the current health conditions of your patient.
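The rewrite described above is usually implemented as a small sanitizer that runs in the browser between the page and the analytics tag, so the tag only ever sees a scrubbed URL and title. The following is an added example, not code from the original post or from Piwik PRO: the route shapes, the query-parameter allowlist, the redaction patterns and the sample hits are all assumed for illustration. It collapses known PHI-bearing routes to a generic template (names have no detectable shape, so routes are handled wholesale), drops every query parameter not on an allowlist, never forwards the URL fragment, and redacts shaped identifiers (emails, SSN- and phone-like numbers) from titles on other pages.

```javascript
// Added example (not from the original post): scrub a page-view hit before it is
// handed to any analytics tag. Route shapes, parameter names, redaction patterns and
// the sample URLs below are assumptions for illustration.

// Query parameters allowed through verbatim (assumed allowlist).
// Anything not listed, e.g. ?patient=... or ?email=..., is dropped.
const SAFE_QUERY_PARAMS = new Set(["utm_source", "utm_medium", "utm_campaign", "page"]);

// Routes whose path embeds patient or clinician identifiers (assumed shapes).
// A matching path is collapsed to a generic template and a generic title, so the
// hit says "a patient account page was viewed" and nothing about whose.
const PHI_ROUTES = [
  { pattern: /^\/your_account_[^/]+(\/.*)?$/i, path: "/your_account/[redacted]", title: "Patient account" },
  { pattern: /^\/appointments\/\d+/i, path: "/appointments/[id]", title: "Appointment details" },
  { pattern: /^\/results\/.+/i, path: "/results/[redacted]", title: "Test results" },
];

// Token-level redaction for titles on pages not listed in PHI_ROUTES. Patterns only
// catch identifiers with a recognisable shape; names have none, which is why
// PHI routes are collapsed as a whole instead of pattern-matched.
const TOKEN_PATTERNS = [
  { name: "email", re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi },
  { name: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { name: "phone", re: /\b\d{3}[-. ]\d{3}[-. ]\d{4}\b/g },
];

function redactTokens(text) {
  return TOKEN_PATTERNS.reduce(
    (out, { name, re }) => out.replace(re, `[${name} redacted]`),
    text
  );
}

// Keep only allowlisted query parameters; everything else is discarded.
function sanitizeQuery(search) {
  const kept = new URLSearchParams();
  for (const [key, value] of new URLSearchParams(search)) {
    if (SAFE_QUERY_PARAMS.has(key)) kept.append(key, value);
  }
  const encoded = kept.toString();
  return encoded ? `?${encoded}` : "";
}

// Returns the only two page-view fields the tag is allowed to see.
// The URL fragment (#...) is never forwarded.
function sanitizePageView(href, title) {
  const url = new URL(href);
  const route = PHI_ROUTES.find((r) => r.pattern.test(url.pathname));
  return {
    page_location: url.origin + (route ? route.path : url.pathname) + sanitizeQuery(url.search),
    page_title: route ? route.title : redactTokens(title),
  };
}

// Constructed sample hits; the first is shaped like the post's PHI-bearing URL.
const SAMPLE_HITS = [
  ["https://healthclinics.com/your_account_john_hill/stomatologist_nelson_green?utm_source=mail&email=jh%40example.com#tab",
   "John Hill - Dr Nelson Green"],
  ["https://healthclinics.com/visiting-hours?utm_campaign=spring", "Visiting hours"],
  ["https://healthclinics.com/contact?ref=123", "Reply to jane.doe@example.com"],
];

if (typeof require !== "undefined" && require.main === module) {
  for (const [href, title] of SAMPLE_HITS) console.log(sanitizePageView(href, title));
}
```

In a real deployment the output of `sanitizePageView` would be passed as the page-view fields to the tag (or set as overrides in the tag manager), so the unsanitized `location.href` and `document.title` are never read by the vendor script. The allowlist design is deliberate: a denylist of "bad" parameters fails silently the first time a developer adds a new one, whereas an allowlist fails closed.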
The HHS’s updated guidance clarifies that if the tracking technology vendor will not sign a BAA, a HIPAA-regulated entity could establish a BAA with another vendor, such as a Customer Data Platform vendor that could de-identify the online tracking information constituting PHI and then provide the de-identified data to the tracking technology vendor.
Anonymous data tracking
You can use Google Analytics in healthcare analytics if you implement it in anonymous tracking mode.
You can implement IP anonymization, which is performed before the user’s IP address is stored in analytics.
In Google Analytics Universal, you can turn on IP anonymization by adding it to your analytics tracking code. In Google Analytics 4, IP anonymization is enabled by default. With IP anonymization, the last octet of the visitor’s IPv4 address is replaced by 0, so the address 70.01.05.250 becomes 70.01.05.0.
But that’s not all. To use anonymous tracking, you should prevent Google Analytics from storing the visitorID in a cookie (so the cookie doesn’t carry forward this ID from page to page). That’s what a tag manager can help with. The tag manager script generates a new visitorID for the same visitor on every loaded page so the user can’t be traced.
Also, use tag manager to set cookieExpires time to 0 (zero) seconds. As a result, these cookies will be temporarily stored in the memory of your browser while it’s open. When visitors close the browser and open it again, they appear as new visitors.
How an analytics auditor and legal department can help you stay HIPAA compliant
If you don’t feel like a Google Analytics expert, you can hire an analytics auditor. They’ll learn your website architecture and what types of scripts you’re using. Also, they’ll check the implementation and settings of your analytics software and tag manager.
To prepare for the audit, you can start with these questions:
- Are you tracking user IDs? If yes, how do you use them?
- What data appears in page URLs, titles and query strings?
- What information do you collect in the analytics platform with website forms? How do you use form data in personalization or analytics?
- Have you anonymized/hashed visitors’ IP addresses? Do you avoid tracking GPS or fine-grained location information?
- What other tags and third-party scripts (for example, from your partner’s website) do you use on your website?
Hiring an auditor isn’t a cure-all. If you represent a healthcare organization, you probably cooperate with many stakeholders, and ensuring that PHI/ePHI never connects with unique identifiers can be troublesome and time-consuming. For information to be considered fully de-identified, a qualified expert must document that all identifiers have been removed from it.
Lastly, your legal & security department should regularly review changes in HIPAA regulations. They should also evaluate if your website’s analytics are compliant with US healthcare law.
Additional security measures you should take include addressing the use of tracking technologies in your risk analysis and risk management processes. Implement appropriate administrative, physical, and technical safeguards to protect PHI/ePHI. For example, encrypt ePHI transmitted to your tracking technology vendor.
Don’t forget to provide breach notifications to affected individuals, the Secretary of HHS, and, when applicable, the media. This is required when PHI is disclosed to a tracking technology vendor without permission and the disclosure compromises the security or privacy of the PHI.
Further steps your company can take to stay HIPAA compliant & respect your patients’ privacy
Working with well-configured analytics software in an anonymous tracking mode may be a reasonable trade-off. That said, remember the liabilities involved in using Google Analytics in an organization regulated by HIPAA. Also consider these other aspects of using Google Analytics:
- You shouldn’t use Google Analytics in secured post-login areas of your websites and apps. These areas of your websites and apps are typically filled with sensitive user information. And as you already know, Google prohibits sending personal and sensitive data to Google Analytics.
- Anonymous data may be less valuable for those who analyze it. Because it’s stripped of common identifiers, you can’t use it to personalize content for returning visitors – they always appear as new visitors. Also, you can’t analyze patients’ journeys and create detailed conversion attribution.
- Data sampling. If your website sees growing traffic, at some point Google Analytics Universal will sample your data. This happens after 500k sessions unless you pay for Google Analytics 360, which samples after 10M sessions. If you want to make strategic decisions based on data, you can’t depend on sampled data sets; sampling may introduce bias. For important metrics such as readmission rates or staff-to-patient ratio, it’s a no-go. On the other hand, Google Analytics 4 doesn’t sample data.
Final thoughts
If you don’t want to work with anonymous tracking and get involved in time-consuming analytics audits, there are alternatives.
Piwik PRO Analytics Suite ensures HIPAA compliance. You can collect and analyze PHI and ePHI. This helps you provide an even better and more personalized experience to your patients while respecting the highest privacy and security safeguards.
Be sure to check out the comparison of Piwik PRO and Google Analytics/GA 360.
If you’d like to get in touch with us, feel free to do so. We’ll happily answer your questions and show you the capabilities of our platform.