Is Google Analytics HIPAA-compliant?

Published January 26, 2021 · Updated October 3, 2022

Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but does not provide legal consultancy. If you’d like to make sure you’re in compliance with HIPAA guidelines, we encourage you to consult an attorney.

Healthcare organizations use analytics platforms to collect and analyze data about their patients. The data helps them improve the quality of digital services as well as personalize content and advertising. It also contributes to reducing data administration costs.

Using analytics tools in a strictly regulated sector such as healthcare requires a cautious approach, especially if you operate in the US or work with US patients. In this case, make sure that you process and store protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

In addition, patients are becoming increasingly aware of their legal rights and data security. A focus on HIPAA compliance can help you maintain patients’ trust.

What is HIPAA?

HIPAA is a federal law that sets standards for processing, storing and disclosing sensitive protected health information. It applies to all forms of protected health information – electronic, written or spoken.

If you want to know more about HIPAA requirements for professionals, check the website of the US Department of Health & Human Services.

Healthcare analytics – is Google Analytics in line with HIPAA?

If you use Google Analytics or similar software, chances are you’re already optimizing your website to better serve your customers. But does your analytics platform satisfy HIPAA compliance obligations?

The short answer is “probably not”. If you’d like to get into the details and explore two possible scenarios, read on.

Using Google Analytics to collect and process PHI and ePHI

In this scenario, you want to use analytics data together with protected health information (PHI and ePHI).

What counts as PHI, and as its electronic form, ePHI? The list includes but is not limited to:

  • Geographic data
  • Email addresses
  • Account numbers
  • Web URLs
  • Device identifiers and serial numbers
  • IP addresses

For more details, visit HIPAA journal.

If you want to track this type of data, Google Analytics won’t meet your needs. Why?

Take a look at the HIPAA disclaimer from Google’s website:

HIPAA disclaimer
Unless otherwise specified in writing by Google, Google does not intend uses of Google Analytics to create obligations under the Health Insurance Portability and Accountability Act, as amended, (“HIPAA”), and makes no representations that Google Analytics satisfies HIPAA requirements. If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.

Google states that Google Analytics doesn’t satisfy HIPAA requirements. And you can’t use Google Analytics for any purpose involving PHI if you are:

  • A covered entity – hospitals, clinics, insurance companies, healthcare clearinghouses, etc.
  • A business associate – for example, an external company hired to perform legal services, data aggregation, management or data analysis.

Check the specific lists of covered entities and business associates created by the US Department of Health & Human Services.

Moreover, if you want to use software (like an analytics platform) that will collect and process PHI, you need to sign a business associate agreement (BAA) with the vendor. Google doesn’t give you this option.

Why Google won’t sign a BAA with you

There are two possible reasons why Google won’t let you sign a BAA with them:

  • Google doesn’t offer on-premises hosting or data residency of your choice. This means all data tracked by the platform is stored in randomly assigned data centers within and outside the US. It breaks HIPAA’s accountability rule – you don’t know the exact location of your patients’ data.
  • In Google’s terms & conditions, the company describes how it uses tracked data. Google uses the data to develop new services, measure the effectiveness of advertising and personalize content and ads. Using any PHI/ePHI in an advertising context might be a serious violation of HIPAA.

As a result, if you pass any trace of PHI/ePHI into Google Analytics, you’re breaking HIPAA regulations and Google’s terms of service. This may result in the termination of your GA account.

Also, look at this scenario from your patients’ perspective. Your visitors trust your website and search for information about their illness, which could be cancer or depression. If they later get ads related to that illness on an unrelated page, you’ll be in trouble. This not only violates HIPAA provisions but also leads to the loss of patients’ trust in your organization.

Using Google Analytics without collecting and processing ePHI or PHI

In this scenario, it’s possible to use Google Analytics in a compliant way. This, however, requires additional work and precaution from your side. You need to make sure that you don’t send any traces of PHI/ePHI to Google Analytics – any mistake may result in fines. This is also the case if you violate HIPAA rules unknowingly.

How to send healthcare data to Google Analytics

Every website or app for a healthcare organization that uses an analytics platform has a basic analytics tag that sends information with page URLs and page titles to analytics.

So, if your visitor types “cancer” in the search box and clicks on any URL that contains this phrase, analytics collects the page URL and the page title. If this data is connected with a visitor identifier (like an IP address), the connected data is considered PHI and may lead to a HIPAA violation.

In short, make sure that no PHI finds its way into analytics.

Take a look at these sample URLs:

  • https://healthclinics.com/your_account_john_hill/stomatologist_nelson_green
  • https://healthclinics.com/url8554

The first URL contains PHI – your patient’s name and their doctor’s name and specialization. Meanwhile, the second URL is scrubbed of PHI and shows only an opaque, universally unique identifier. Make sure your settings and site architecture are configured so that the first form is replaced by the second before it reaches your analytics.

There are many other ways to pass PHI during a patient visit, for example through custom dimensions, which are placeholders for values scraped from your website during the visit. Such a placeholder could hold any data point your team chooses to collect, even your patient’s current health conditions.

Anonymous data tracking

You can use Google Analytics in healthcare analytics if you implement it in anonymous tracking mode.

In Google Analytics Universal, you can turn on users’ IP anonymization by adding it to your analytics tracking code. The anonymization takes place before the user’s IP address is stored in analytics. As a result, the IP address of 70.01.05.250 will be changed to 70.01.05.0. In Google Analytics 4, IP anonymization is enabled by default.

But that’s not all. To use anonymous tracking, you should prevent Google Analytics from storing the visitorID in a cookie (so the cookie doesn’t carry forward this ID from page to page). That’s what a tag manager can help with. The tag manager script generates a new visitorID for the same visitor on every loaded page so the user can’t be traced.

Also, use tag manager to set cookieExpires time to 0 (zero) seconds. As a result, these cookies will be temporarily stored in the memory of your browser while it’s open. When visitors close the browser and open it again, they appear as new visitors.

If you don’t feel like a Google Analytics expert, you can hire an analytics auditor. They’ll learn your website architecture and what types of scripts you’re using. Also, they’ll check the implementation and settings of your analytics software and tag manager.

To prepare for the audit, you can start with these questions:

  • Are you tracking user ids? If yes, how do you use them?
  • What data appears in page URLs, titles and query strings?
  • What information do you collect in the analytics platform with website forms? How do you use form data in personalization or analytics?
  • Have you anonymized/hashed visitors’ IP addresses? Do you avoid tracking GPS or fine-grained location information?
  • What other tags and third-party scripts (for example, from your partner’s website) do you use on your website?

Hiring an auditor isn’t a cure for all evils. If you represent a healthcare organization, you probably cooperate with many stakeholders. In this case, ensuring that PHI/ePHI never gets linked to unique identifiers may be very troublesome and time-consuming.

Lastly, your legal & security department should regularly review changes in HIPAA regulations. They should also evaluate if your website’s analytics are compliant with US healthcare law.

Further steps your company can take to stay HIPAA compliant & respect your patients’ privacy

Working with well-configured analytics software and using an anonymous tracking mode may be a good trade-off. That said, you need to remember the liabilities involved in using Google Analytics in an organization regulated by HIPAA. Also, take a look at other aspects of using Google Analytics:

  • You shouldn’t use Google Analytics in secured post-login areas of your websites and apps. These areas of your websites and apps are typically filled with sensitive user information. And as you already know, Google prohibits sending personal and sensitive data to Google Analytics.
  • Anonymous data may be less valuable for those who analyze it. Because it’s stripped of common identifiers, you can’t use it to personalize content for returning visitors – they always appear as new visitors. Also, you can’t analyze patients’ journeys and create detailed conversion attribution.
  • Data sampling. If your website sees higher and higher traffic, at some point Google Analytics Universal will sample your data. This happens after 500k sessions unless you pay for Google Analytics 360, which does it after 10M sessions. If you want to make strategic decisions based on data, you can’t depend on sampled data sets, as sampling may introduce biases. For important metrics such as readmission rates or staff-to-patient ratio, it’s a no-go. On the other hand, Google Analytics 4 doesn’t sample data.

Final thoughts

If you don’t want to work with anonymous tracking and get involved in time-consuming analytics audits, there are alternatives.

Piwik PRO Analytics Suite ensures HIPAA compliance. You can collect and analyze PHI and ePHI. This helps you provide an even better and more personalized experience to your patients while respecting the highest privacy and security safeguards.

If you’d like to get in touch with us, feel free to do so. We’ll happily answer your questions and show you the capabilities of our platform.

Author

Karolina Lubowicka

Senior Content Marketer and Social Media Specialist

An experienced copywriter who takes complex topics of data privacy & GDPR and makes them understandable for all.