Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but does not provide legal consultancy. If you’d like to make sure you’re in compliance with HIPAA guidelines, we encourage you to consult an attorney.
Healthcare organizations use analytics platforms to collect and analyze data about their patients. The data helps them improve the quality of digital services as well as personalize content and advertising. It also contributes to reducing data administration costs.
Using analytics tools in a strictly regulated sector such as healthcare requires a cautious approach, especially if you operate in the US or work with US patients. In this case, make sure that you process and store protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Healthcare entities cannot engage in the impermissible disclosure of PHI to tracking technology vendors. This is particularly important today with the expansion of sensitive information collected by vendors like Google Analytics. Disclosing PHI in a manner consistent with HIPAA is now more critical than ever.
In addition, patients are becoming increasingly aware of their legal rights and data security. A focus on HIPAA compliance can help you maintain patients’ trust.
What is HIPAA?
HIPAA is a federal law that sets standards for processing, storing and disclosing sensitive protected health information. It applies to all forms of protected health information – electronic, written or spoken.
If you want to know more about HIPAA requirements for professionals, check the website of the US Department of Health & Human Services.
If you use Google Analytics or similar software, chances are you’re already optimizing your website to better serve your customers. But does your analytics platform satisfy HIPAA compliance obligations?
The short answer is “probably not”. If you’d like to get into the details and explore two possible scenarios, read on.
In this scenario, you want to use analytics data together with protected health information (PHI and ePHI).
What’s PHI and its electronic version (called ePHI)?
PHI includes health information about an individual’s condition, the treatment of that condition, or the payment for the treatment when other data in the same record set can be used to personally identify the subject of the health information, and it is transmitted and maintained in any form by a covered entity.
Examples of health information include:
- Medical test results
- Prescription or treatment records
- Billing information
- Appointment scheduling information
There is a list of possible identifiers that, when connected with health information, will be considered PHI. Some of them include:
- Geographic data
- Email addresses
- Account numbers
- Web URLs
- Device identifiers and serial numbers
- IP addresses
- Medical record numbers
- Social Security numbers
- Biometric identifiers
In a recent Bulletin, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) stated that personally identifiable information collected on a covered entity’s website or app is PHI even if the individual does not have an existing relationship with the entity. Moreover, it is considered PHI even if the identifiable data (like IP address or geographic location) does not include specific treatment or billing information (like appointment dates). When a covered entity collects such information, it is indicative that the individual has received or will receive health care services or benefits from the covered entity.
For more details, visit HIPAA journal.
If you want to track PHI, Google Analytics won’t meet your needs. Why?
Take a look at the HIPAA disclaimer from Google’s website:
Unless otherwise specified in writing by Google, Google does not intend uses of Google Analytics to create obligations under the Health Insurance Portability and Accountability Act, as amended, (“HIPAA”), and makes no representations that Google Analytics satisfies HIPAA requirements. If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.
Google states that Google Analytics doesn’t satisfy HIPAA requirements. And you can’t use Google Analytics for any purpose involving PHI if you are:
- A covered entity – hospital, clinics, insurance company, healthcare clearinghouse, etc.
- A business associate – for example, an external company hired to perform legal services, data aggregation, management or data analysis.
Moreover, if you want to use a tracking technology (like an analytics platform) that will collect and process PHI, and it fits the definition of a business associate, you need to sign a business associate agreement (BAA) with the vendor. Google doesn’t give you this option.
The sole fact of collecting data requires a BAA. That includes situations when data is collected and then immediately erased or de-identified.
There are two possible reasons why Google won’t let you sign a BAA with them:
- Google doesn’t offer on-premises hosting or data residency of your choice. This means all data tracked by the platform is stored in randomly assigned data centers within and outside the US. It breaks HIPAA’s accountability rule: you don’t know the exact location of your patients’ data.
- In Google’s terms & conditions, the company describes how it uses tracked data. Google uses the data to develop new services, measure the effectiveness of advertising and personalize content and ads. Using any PHI/ePHI in an advertising context might be a serious violation of HIPAA.
As a result, if you pass any trace of PHI/ePHI into Google Analytics, you’re breaking HIPAA regulations and Google’s terms of service. This may result in the termination of your GA account.
Many ways in which third-party tracking technologies, like Google Analytics, collect and track user information are not apparent to users visiting your website or app. These technologies send information directly to the third parties that developed them. Users’ unique identifiers and other collected information allow Google Analytics to create individual profiles for each user. They may continue to track users and gather information about them even after they navigate away from the original website to other websites. Such practices are particularly egregious when it comes to sensitive information like healthcare data.
Also, take a look at this case from your patients’ perspective. Your visitors trust your website and search for information about their illness, which could be cancer or depression. If later they get ads related to that illness on an unrelated page, you’ll be in trouble. This not only violates HIPAA provisions but also leads to the loss of patients’ trust in your organization.
In this scenario, it’s possible to use Google Analytics in a compliant way. This, however, requires additional work and precaution from your side. You need to make sure that you don’t send any traces of PHI/ePHI to Google Analytics – any mistake may result in fines. This is also the case if you violate HIPAA rules unknowingly.
The OCR’s Bulletin provides additional information about parts of your website that contain PHI. Specifically:
- User-authenticated pages (pages that require a user to log in) – often contain PHI in the form of an individual’s IP address, medical record number, home or email address, dates of appointments, diagnosis, treatment or prescription information, etc.
- Unauthenticated pages generally do not have access to PHI, but there are some exceptions:
- The registration page where an individual creates a login – it will contain PHI after an individual enters credentials, such as a name or email address.
- A page addressing specific symptoms or health conditions, such as pregnancy or miscarriage, or one that permits individuals to search for doctors or schedule appointments – Google Analytics could still collect an individual’s email address and/or IP address on such pages.
- Mobile apps contain PHI provided by the app user and their devices, such as fingerprints, network location, geolocation, device ID, or advertising ID. Exceptions include information that users voluntarily download or enter into apps that are not developed or offered by or on behalf of covered entities.
Every website or app for a healthcare organization that uses an analytics platform has a basic analytics tag that sends information with page URLs and page titles to analytics.
So, if your visitor types “cancer” in the search box and clicks on any URL that contains this phrase, analytics collects the page URL and the page title. If this data is connected with a visitor identifier (like an IP address), the combined data is considered PHI and it may lead to a HIPAA violation.
In short, make sure that no PHI finds its way into analytics.
Take a look at these sample URLs:
The first URL contains PHI – your patient’s name and their doctor’s name and specialization. Meanwhile, the second URL is scrubbed of PHI and shows only a universally unique identifier. Make sure your settings and site architecture are properly configured so that the first URL is rewritten to the second one before it reaches your analytics.
There are many other ways to pass PHI during a patient visit through custom dimensions, which are basically placeholders for values you scrape off your website during your patient’s visit. This placeholder could be any data point your team chooses to collect, even the current health conditions of your patient.
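As an added example (not Piwik PRO’s or Google’s code), here is a browser-side guard that rewrites the page path and title before an analytics tag sees them, so that names, record numbers and search terms in a URL never reach the vendor; the allowlisted paths, query keys and sample URLs are constructed for this demonstration.

```javascript
// Added example, not code from Piwik PRO or Google. Anything outside the
// allowlist is reduced to its top-level section plus a "[redacted]" marker,
// which keeps section-level reports useful without exposing who or what the
// page was about. The allowlist below is constructed for the demo.

// Paths that carry no PHI and may be reported verbatim.
const SAFE_PATH_PATTERNS = [
  /^\/$/,
  /^\/(about|contact|locations|privacy)(\/[a-z0-9-]+)?$/,
];

// Query keys that are safe to keep; everything else (site-search terms,
// record ids, e-mail addresses embedded in links) is dropped.
const SAFE_QUERY_KEYS = new Set(["utm_source", "utm_medium", "utm_campaign"]);

// Returns the page value and title that may be sent to analytics.
function sanitizePageForAnalytics(url, title) {
  const u = new URL(url);
  const path = u.pathname.toLowerCase();
  const safe = SAFE_PATH_PATTERNS.some((re) => re.test(path));

  let reportedPath = path;
  let reportedTitle = title;
  if (!safe) {
    // Titles often echo patient or doctor names, so they are redacted too.
    const section = path.split("/").filter(Boolean)[0];
    reportedPath = section ? `/${section}/[redacted]` : "/[redacted]";
    reportedTitle = section ? `[redacted ${section} page]` : "[redacted]";
  }

  const params = new URLSearchParams();
  for (const [k, v] of u.searchParams) {
    if (SAFE_QUERY_KEYS.has(k)) params.set(k, v);
  }
  const query = params.toString();
  return { page: query ? `${reportedPath}?${query}` : reportedPath, title: reportedTitle };
}

// Usage with analytics.js (not run here):
//   const p = sanitizePageForAnalytics(location.href, document.title);
//   ga("set", { page: p.page, title: p.title });
//   ga("send", "pageview");
```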
You can use Google Analytics in healthcare analytics if you implement it in anonymous tracking mode.
You can implement IP anonymization, which is performed before the user’s IP address is stored in analytics.
In Google Analytics Universal, you can turn on users’ IP anonymization by adding it to your analytics tracking code. In Google Analytics 4, IP anonymization is enabled by default. With IP anonymization, the last octet of the visitor’s IP address is replaced by 0. So, the IP address 70.01.05.250 will be changed to 70.01.05.0.
But that’s not all. To use anonymous tracking, you should prevent Google Analytics from storing the visitorID in a cookie (so the cookie doesn’t carry forward this ID from page to page). That’s what a tag manager can help with. The tag manager script generates a new visitorID for the same visitor on every loaded page so the user can’t be traced.
Also, use tag manager to set cookieExpires time to 0 (zero) seconds. As a result, these cookies will be temporarily stored in the memory of your browser while it’s open. When visitors close the browser and open it again, they appear as new visitors.
Learn how to ensure your campaigns are HIPAA-compliant: HIPAA, marketing and advertising: How to run compliant campaigns in healthcare.
If you don’t feel like a Google Analytics expert, you can hire an analytics auditor. They’ll learn your website architecture and what types of scripts you’re using. Also, they’ll check the implementation and settings of your analytics software and tag manager.
To get yourself prepared for the audit, you can start off with those questions:
- Are you tracking user ids? If yes, how do you use them?
- What data appears in page URLs, titles and query strings?
- What information do you collect in the analytics platform with website forms? How do you use form data in personalization or analytics?
- Have you anonymized/hashed visitors’ IP addresses? Do you avoid tracking GPS or fine-grained location information?
- What other tags and third-party scripts (for example, from your partner’s website) do you use on your website?
Hiring an auditor isn’t a cure for all evils. If you represent a healthcare organization, you probably cooperate with many stakeholders. In this case, ensuring that PHI/ePHI is never linked to unique identifiers may be very troublesome and time-consuming. You must get a qualified expert to document that all identifiers have been removed from the information for it to be considered completely de-identified.
Lastly, your legal & security department should regularly review changes in HIPAA regulations. They should also evaluate if your website’s analytics are compliant with US healthcare law.
Additional security measures you should take include addressing the use of tracking technologies in your risk analysis and risk management processes. Implement appropriate administrative, physical, and technical safeguards to protect PHI/ePHI. For example, encrypt ePHI transmitted to your tracking technology vendor.
Don’t forget to provide breach notifications to affected individuals, the Secretary, and, when applicable, the media. This is necessary when PHI is disclosed to a tracking technology vendor without permission and compromises the security or privacy of PHI.
Working with well-configured analytics software and using an anonymous tracking mode may be a good trade-off. That said, you need to remember the liabilities involved in using Google Analytics in a HIPAA-regulated organization. Also, take a look at other aspects of using Google Analytics:
- You shouldn’t use Google Analytics in secured post-login areas of your websites and apps. These areas of your websites and apps are typically filled with sensitive user information. And as you already know, Google prohibits sending personal and sensitive data to Google Analytics.
- Anonymous data may be less valuable for those who analyze it. Because it’s stripped of common identifiers, you can’t use it to personalize content for returning visitors – they always appear as new visitors. Also, you can’t analyze patients’ journeys and create detailed conversion attribution.
- Data sampling. If your website is seeing higher and higher traffic, at some point Google Analytics Universal will sample your data. This happens after 500k sessions unless you pay for Google Analytics 360, which does it after 10M sessions. That said, if you want to make strategic decisions based on data, you can’t depend on sampled sets of data. This may lead to biases. For important metrics such as readmission rates or staff-to-patient ratio, it’s a no-go. On the other hand, Google Analytics 4 doesn’t sample data.
If you don’t want to work with anonymous tracking and get involved in time-consuming analytics audits, there are alternatives.
Piwik PRO Analytics Suite ensures HIPAA compliance. You can collect and analyze PHI and ePHI. This helps you provide an even better and more personalized experience to your patients while respecting the highest privacy and security safeguards.
Be sure to check out the comparison of Piwik PRO and Google Analytics/GA 360.
If you’d like to get in touch with us, feel free to do so. We’ll happily answer your questions and show you the capabilities of our platform.