Back to blog

You don’t have to sign a business associate agreement (BAA) with your web analytics vendor to be HIPAA-compliant

Analytics Data privacy & security GDPR Healthcare

Written by

Published August 25, 2021

You don't have to sign a business associate agreement (BAA) with your web analytics vendor to be HIPAA-compliant

Are you having trouble with convincing your web analytics vendor to sign a business associate agreement (BAA)? Don’t worry. There’s a way to use web analytics without a BAA in your hand. In this blog post, we’ll show you how to make it happen.

Before we proceed to our main topic, let’s take one step back and discuss the basics. Here, you can find the answers to a couple of the most important questions regarding HIPAA-compliant web analytics and a business associate agreement (BAA). 

What is a BAA?

A business associate agreement or BAA is a contract between a HIPAA-covered organization and its business associates. It obliges both sides of the contract to protect personal health information (PHI) and comply with the guidelines provided of HIPAA. 

BAAs require that:

  • A company dealing with PHI obtains sufficient assurances from its business associates 
  • The business associate will safeguard the PHI on company’s behalf

What’s more, under the HITECH Act (the Health Information Technology for Economic and Clinical Health Act), any HIPAA business associate automatically becomes subject to audits performed by the U.S. Department of Health and Human Services (HHS) and can be held accountable for any data breaches or improper handling of data.

What should be in a BAA?

HIPAA requires that every BAA contains certain elements. As we can read on the HHS website, the contract must:

  • Describe the permitted and required uses of protected health information by the business associate
  • Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law
  • Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract

Who is a business associate?

A “business associate” is any party outside your company that deals with PHI gathered by your organization. As we can read on the HHS website:

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Further in the text, we find the list of activities performed by a business associate:

Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.

A lion’s share of the third-party web analytics vendors would fall into the definition of business associate provided by the HHS. Especially those who operate in a cloud environment and have direct contact with data collected by their clients or even use the data to improve their own services.  

Why convincing your healthcare web analytics vendor to sign BAA might be a problem

First, handling data in line with HIPAA introduces advanced data protection demands, difficult to meet for many standard web analytics platforms. It’s especially true when it comes to hosting, data encryption or SSO methods.

Second, signing a BAA introduces high responsibilities for both sides of the contract. As business associates, web analytics vendors are directly liable under HIPAA and can become subject to penalties (both civil and criminal!) in case of unauthorized use and disclosure of PHI. 

Is Google Analytics HIPAA-compliant? Read our in-depth analysis to find out

We believe that following our guidelines will help it go smoother for you. If you have any questions about these issues or want to know more about our product, just…

Web analytics for healthcare with no requirement to sign a BAA

There’s a way to work around this problem. Instead of convincing your vendor to sign a BAA with you, you seek a web analytics platform that allows you to store all the PHI collected by your analytical software on your own servers and not send any data containing PHI to a third party. 

Thanks to that, your web analytics provider won’t have any access to PHI of your patients and won’t be considered your business associate. So there will be no need to sign a BAA. 

What’s more, this might also allow you to implement your own compliance procedures, for instance: take advantage of selected encryption methods demanded by HIPAA or log into the system using SAML, LDAP or other SSO technique. Your technical team should already have a wealth of technical experience in deploying HIPAA-compliant applications. This means that in many cases you’ll be able to do a much better job in safeguarding your patients’ data than a third party. 

Storing data on-prem is a great way to comply with HIPAA, but that’s not the only option you have. Some analytics vendors, including Piwik PRO, allow you to store PHI on HIPAA-compliant cloud servers and are happy to sign a BAA with you. This way you can respect the provisions of the law, while limiting the costs related to hosting and reducing the time needed for product implementation. You can learn more about it from our HIPAA compliance page.

Web analytics in healthcare –  final thoughts

Healthcare is an industry with some of the most restrictive regulations on handling user data. But there’s no need for companies doing business in this sector to deprive themselves of valuable analytics insights. 

With the right platform, you’ll be able to fulfil all the obligations imposed on you by HIPAA and at the same time not compromise the quality of the data you collect.

If you’d like to expand your knowledge on this subject, you can also get in touch with Piwik PRO experts. We’ll be happy to provide you with answers to your questions about HIPAA-compliant web analytics. 

You can also follow our blog to stay up to date with the latest news about data privacy, security, and other important topics.

Additional reading:


Karolina Lubowicka

Senior Content Marketer and Social Media Specialist

An experienced copywriter who takes complex topics of data privacy & GDPR and makes them understandable for all. LinkedIn Profile

See more posts by this author