Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but does not provide legal consultancy. If you’d like to make sure you’re in compliance with HIPAA guidelines, we encourage you to consult an attorney.
Healthcare organizations use analytics platforms to collect and analyze data about their patients. The data helps them improve the quality of digital services as well as personalize content and advertising. It also contributes to reducing data administration costs.
Using analytics tools in a strictly regulated sector such as healthcare requires a cautious approach, especially if you operate in the US or work with US patients. In this case, make sure that you process and store protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA).
In addition, patients are becoming increasingly aware of their legal rights and data security. A focus on HIPAA compliance can help you maintain patients’ trust.
What is HIPAA?
HIPAA is a federal law that sets standards for processing, storing and disclosing sensitive protected health information. It applies to all forms of protected health information – electronic, written or spoken.
If you want to know more about HIPAA requirements for professionals, check the US Department of Health & Human Services website.
If you use Google Analytics or similar software, chances are you’re already optimizing your website to better serve your customers. But does your analytics platform satisfy HIPAA compliance obligations?
The short answer is “probably not”. If you’d like to get into the details and explore two possible scenarios, read on.
In this scenario you want to use analytics data together with protected health information (PHI and ePHI).
Before we start, let’s see what’s qualified under PHI and ePHI.
What counts as PHI, and as its electronic form, ePHI? The list includes, but is not limited to:
- Geographic data
- Email addresses
- Account numbers
- Web URLs
- Device identifiers and serial numbers
- IP addresses
For more details, visit HIPAA Journal.
If you want to track this type of data, Google Analytics won’t meet your needs. Why? Take a look at the HIPAA disclaimer from Google’s website.
Unless otherwise specified in writing by Google, Google does not intend uses of Google Analytics to create obligations under the Health Insurance Portability and Accountability Act, as amended, (“HIPAA”), and makes no representations that Google Analytics satisfies HIPAA requirements. If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.
Google states that Google Analytics doesn’t satisfy HIPAA requirements. And you can’t use Google Analytics for any purpose involving PHI if you are:
- A covered entity – hospitals, clinics, insurance companies, healthcare clearinghouses, etc.
- A business associate – e.g. an external company hired to perform legal services, data aggregation, data management or data analysis.
Moreover, if you want to use software (like an analytics platform) that will collect and process PHI, you need to sign a business associate agreement (BAA) with the vendor. Google doesn’t give you this option.
There are two possible reasons why Google won’t let you sign a BAA with them:
- Google doesn’t offer on-premises hosting or data residency of your choice. This means all data tracked by the platform is stored in randomly assigned data centers within and outside the US. This breaks HIPAA’s accountability rule – you don’t know the exact location of your patients’ data.
- In Google’s terms & conditions the company describes how it uses tracked data. Google uses the data to develop new services, measure the effectiveness of advertising and personalize content and ads. Using any PHI/ePHI in an advertising context might be a serious violation of HIPAA.
As a result, if you pass any trace of PHI/ePHI into Google Analytics, you’re breaking HIPAA regulations and Google’s terms of service. This may result in the termination of your GA account.
Also, take a look at this case from your patients’ perspective. Your visitors trust your website and search for information about their illness, e.g. cancer or depression. If later they get ads related to that illness on an unrelated page, you’ll be in trouble. This not only violates HIPAA provisions, but also leads to the loss of patients’ trust in your organization.
In this scenario it’s possible to use Google Analytics in a compliant way. This, however, requires additional work and precaution from your side. You need to make sure that you don’t send any traces of PHI/ePHI to Google Analytics – any mistake may result in fines. This is also the case if you violate HIPAA rules unknowingly.
Healthcare organizations have different website architectures and tech stacks. But every website or app that uses an analytics platform has a basic analytics tag. The tag sends information with page URLs and page titles to analytics.
So, if a visitor types “cancer” into the search box and clicks on any URL that contains this phrase, analytics collects the page URL and the page title. If this data is linked to a visitor identifier (such as an IP address), the combination is considered PHI and may lead to a HIPAA violation.
In short, make sure that no PHI finds its way into analytics.
Take a look at hands-on examples of the two URLs:
The first URL contains PHI – your patient’s name and their doctor’s name and specialization. Make sure your settings and site architecture are configured so that the first URL is replaced by the second one before it reaches your analytics. The second URL is stripped of PHI and shows only a universally unique identifier.
We’ve only scratched the surface of the out-of-the-box features offered by any analytics platform on the market. There are many other ways PHI can be passed during a patient’s visit, for example through custom dimensions – placeholders for values scraped off your website while the patient browses it. Such a placeholder could hold any data point your data or marketing team chooses to collect, even the patient’s current health conditions.
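The URL and title rewriting described above, as an added example that is not Piwik PRO’s or Google’s code: a scrubber run on the page before the analytics tag sends a page view. The route vocabulary, the query-parameter allowlist and the sample URLs are constructed for a hypothetical clinic site; path segments that are neither static route words nor opaque UUIDs are redacted, disallowed query parameters and the fragment are dropped, and titles of dynamic pages are replaced by the scrubbed path.

```javascript
// Static route words that carry no patient data (constructed for a hypothetical site).
const STATIC_SEGMENTS = new Set(['portal', 'appointments', 'doctors', 'search', 'conditions']);
// Opaque record identifiers (the "second URL" pattern in the text) are passed through.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Query parameters allowed to reach analytics; everything else (search terms, ids...) is dropped.
const ALLOWED_PARAMS = new Set(['lang', 'utm_source', 'utm_medium', 'utm_campaign']);
const REDACTED = '_redacted_';

// Keep only static route words and UUIDs; names, specializations, free text are redacted.
function scrubPath(pathname) {
  const segments = pathname.split('/').filter(Boolean).map((seg) =>
    STATIC_SEGMENTS.has(seg.toLowerCase()) || UUID_RE.test(seg) ? seg : REDACTED
  );
  return '/' + segments.join('/');
}

// Re-build the query string from the allowlist only.
function scrubQuery(searchParams) {
  const kept = new URLSearchParams();
  for (const [key, value] of searchParams) {
    if (ALLOWED_PARAMS.has(key)) kept.append(key, value);
  }
  const s = kept.toString();
  return s ? '?' + s : '';
}

// Returns the page URL and title that may be handed to the analytics tag.
function scrubPageView(rawUrl, rawTitle) {
  const u = new URL(rawUrl);
  const path = scrubPath(u.pathname);
  // The fragment is never forwarded: single-page apps often keep state (incl. search text) there.
  const page = u.origin + path + scrubQuery(u.searchParams);
  // Titles are rendered from patient data too, so a dynamic page gets the scrubbed path as title.
  const dynamic = path.includes(REDACTED) || UUID_RE.test(path.split('/').pop());
  return { page, title: dynamic ? path : rawTitle };
}

// Constructed samples: the first URL embeds a patient and a doctor name, the second only a UUID.
const SAMPLES = [
  ['https://clinic.example/portal/appointments/jane-doe/dr-smith-cardiology?q=chest%20pain&lang=en#notes',
    'Jane Doe - Dr. Smith (Cardiology)'],
  ['https://clinic.example/portal/appointments/3f2b1c4e-9a8d-4b7c-8e6f-1d2c3b4a5f60?lang=en',
    'Appointment 3f2b1c4e'],
];
for (const [url, title] of SAMPLES) console.log(scrubPageView(url, title));
```

The same scrubber can be applied to values bound to custom dimensions before they are set.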
You can use Google Analytics in healthcare analytics if you implement it in anonymous tracking mode.
In Google Analytics Universal you can turn on IP anonymization by adding the setting to your tracking code. The anonymization takes place before the user’s IP address is stored in analytics. As a result, the IP address 70.01.05.250 is changed into 70.01.05.0. In Google Analytics 4, IP anonymization is enabled by default.
But that’s not all. To use anonymous tracking, you should prevent Google Analytics from storing the visitor ID in a cookie (so the cookie doesn’t carry this ID forward from page to page). A tag manager will help here. The tag manager script generates a new visitor ID for the same visitor on every loaded page, so the user can’t be traced.
Also, use the tag manager to set the cookieExpires time to 0 (zero) seconds. As a result, these cookies are only held in the browser’s memory while it’s open. When visitors close the browser and open it again, they appear as new visitors.
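The anonymous mode described in the three paragraphs above, as an added example that is not Google’s or Piwik PRO’s code: `anonymizeIp` reproduces what IP anonymization does to an address (IPv4: last octet zeroed; IPv6: everything after the first 48 bits zeroed, per Google’s published description), and `anonymousTrackerConfig` builds the analytics.js create-time fields for a cookieless tracker with a fresh client ID on every page load. The tracking ID in the usage comment is a placeholder, and the client-ID shape is an assumption.

```javascript
// Apply Google's documented anonymization rule to an address string (added example).
function anonymizeIp(ip) {
  if (ip.includes(':')) {
    // IPv6: keep the first three 16-bit groups (48 bits), zero the remaining 80 bits.
    const [head] = ip.split('::');
    const groups = head.split(':').filter(Boolean).slice(0, 3);
    while (groups.length < 3) groups.push('0');
    return groups.join(':') + '::';
  }
  // IPv4: zero the last octet; the other octets are kept as written (70.01.05.250 -> 70.01.05.0).
  const octets = ip.split('.');
  if (octets.length !== 4) throw new Error('not an IPv4 address: ' + ip);
  octets[3] = '0';
  return octets.join('.');
}

// A new client ID on every page load, in the "random.timestamp" shape analytics.js uses
// (assumption: any such value is accepted), so page views cannot be stitched into a visitor.
function freshClientId() {
  const rnd = Math.floor(Math.random() * 1e10);
  return rnd + '.' + Math.floor(Date.now() / 1000);
}

// Create-time fields for the anonymous mode: no _ga cookie is written (storage: 'none'),
// any cookie that is written would be session-only (cookieExpires: 0), and the visitor ID
// comes from freshClientId() instead of a stored cookie.
function anonymousTrackerConfig() {
  return { storage: 'none', cookieExpires: 0, clientId: freshClientId() };
}

// Usage in the page, via the tag manager's custom HTML tag (placeholder tracking ID):
//   ga('create', 'UA-XXXXXXXX-Y', anonymousTrackerConfig());
//   ga('set', 'anonymizeIp', true);   // what the IP examples above demonstrate
//   ga('send', 'pageview');
console.log(anonymizeIp('70.01.05.250'), anonymousTrackerConfig());
```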
If you want to learn more about anonymous tracking mode, read this article.
If you don’t feel like a Google Analytics expert, you can hire an analytics auditor. They’ll learn your website architecture and what types of scripts you’re using. Also, they’ll check the implementation and settings of your analytics software and tag manager.
To get yourself prepared for the audit, you can start off with those questions:
- Are you tracking user ids? If yes, how do you use them?
- What data appears in page URLs, titles and query strings?
- What information do you collect in the analytics platform with website forms? How do you use this form data in your personalization or analytics?
- Have you anonymized/hashed visitors’ IP addresses? Do you avoid tracking GPS or fine-grained location information?
- What other tags and third-party scripts (e.g. from your partners’ websites) do you use on your website?
Hiring an auditor isn’t a cure for all evils. If you represent a healthcare organization, you probably cooperate with many stakeholders. In this case, ensuring that PHI/ePHI never gets linked to unique identifiers may be very troublesome and time consuming.
Lastly, your legal & security department should regularly review changes in HIPAA regulations. They should also evaluate if your website’s analytics are compliant with US healthcare law.
If you want to evaluate Google Analytics in the context of GDPR, read this blog post.
Working with well-configured analytics software and using an anonymous tracking mode may be a good trade-off. That said, you need to remember the liabilities involved in using Google Analytics in a HIPAA-regulated organization. Also, take a look at other aspects of using Google Analytics:
- You shouldn’t use Google Analytics in secured post-login areas of your websites and apps. These areas of your websites and apps are typically filled with sensitive user information. And as you already know, Google prohibits sending personal and sensitive data to Google Analytics.
- Anonymous data may be less valuable for those who analyze it. Because it’s stripped of common identifiers, you can’t use it to personalize content for returning visitors – they always appear as new visitors. Also, you can’t analyze patients’ journeys and create detailed conversion attribution.
- Data sampling. If your website is seeing higher and higher traffic, at some point Google Analytics Universal will sample your data. This happens after 500k sessions, unless you pay for Google Analytics 360, which does it after 10M sessions. If you want to make strategic decisions based on data, you can’t depend on sampled data sets, as this may introduce biases. For important metrics such as readmission rates or staff-to-patient ratio, it’s a no-go. On the other hand, Google Analytics 4 doesn’t sample data.
If you don’t want to work with anonymous tracking and get involved in time-consuming analytics audits, there are alternatives.
The Piwik PRO Analytics Suite ensures HIPAA compliance. You can collect and analyze PHI and ePHI. This helps you provide an even better and more personalized experience to your patients while respecting the highest privacy and security safeguards.
To compare Piwik PRO and Google Analytics/GA 360, take a look at the full comparison.
If you’d like to get in touch with us, feel free to do so. We’ll happily answer your questions and show you the capabilities of our platform.