HIPAA-compliant analytics with Piwik PRO Analytics Suite

The HIPAA rules apply to any individual or organization that meets the definition of a covered entity as stated in HIPAA guidelines.

Covered entities include:

• Health plans – for example, health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
• Healthcare providers that conduct certain business electronically, such as electronically billing your health insurance – including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
• Health care clearinghouses – entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Beyond covered entities, the following must adhere to HIPAA:

• Business associates
• Subcontractors
• Hybrid entities
• Researchers

A business associate can be an individual or company that provides services to a HIPAA-covered entity that requires them to have access to, store, use, or transmit protected health information. Generally, an analytics vendor will be a business associate.

PHI and ePHI is a subset of personally identifiable information (PII) that refers explicitly to information processed by HIPAA-covered entities. When health information is combined with a personal identifier, the data becomes PHI.

Examples of health information include:

• Medical test results
• Prescription or treatment records
• Billing information
• Appointment scheduling information

When health information is combined with a personal identifier, the data becomes PHI.

The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers:

• Name
• All geographic subdivisions smaller than a state (street address, city, county, zip code)
• Dates, including birthdate, admission date, discharge date, and date of death
• Telephone number
• Fax number
• Email address
• Social Security number
• Medical record number
• Health plan beneficiary numbers
• Account number
• Certificate/license number
• Vehicle identifiers and serial numbers, including license plate number
• Device identifiers and serial numbers
• Web URL
• IP address
• Biometric identifiers, including fingerprints and voice
• Full face photo
• Any other unique identifying number, characteristic, or code

This means that not all health information acquired by organizations is considered PHI. For example, phone numbers and residential addresses alone are not PHI. But this data will be considered PHI if it includes health information about an individual’s condition, the treatment of that condition, or the payment for the treatment. It also must be transmitted and maintained in any form by a covered entity.

Specific examples of PHI and ePHI include:

• Information your doctors, nurses, and other health care providers put in your medical record.
• Conversations your doctor has about your care or treatment with nurses and others.
• Information about you in your health insurer’s computer system.
• Billing information about you at your clinic.

Importantly, PII collected on a covered entity’s website or app is considered PHI even if the individual does not have an existing relationship with the entity or the PII does not include specific treatment or billing information. When a covered entity collects such information, it is indicative that the individual has received or will receive health care services or benefits from it.

HIPAA introduced several benefits for the healthcare industry to help transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure that protected health information is shared securely.

People now care about the privacy of their data more than ever. Health information is a special category of personal information because it contains details about users’ conditions that they may not want to disclose. Protecting the privacy of health-related data helps you maintain the trust of individuals whose information you are processing.

Neglecting users’ rights related to HIPAA can negatively affect your business and have a long-lasting impact on how patients view your organization. Since HIPAA is a standard that must be followed by many organizations similar to yours, the lack of compliance can make you lose business to your compliant competitors. Not to mention that any covered entity that violates HIPAA regulations can face civil action lawsuits, criminal charges, and hefty monetary penalties.

HIPAA makes covered entities responsible for complying with a number of rules – the Privacy Rule, Security Rule, Breach Notification Rule, Enforcement Rule, and Omnibus Rule. The first three rules are particularly important.

The Privacy Rule provides federal standards to protect the privacy of PHI – particularly, it:

• Limits how covered entities may use and disclose individually identifiable health information they receive or create.
• Gives individuals rights concerning their protected health information, including a right to review and obtain a copy of their medical records and the right to ask covered entities to amend the information if it is inaccurate or incomplete.
• Imposes administrative requirements for covered entities, such as training of employees concerning the Privacy Rule.
• Establishes civil penalties.

The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect ePHI. Specifically, they must:

• Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit.
• Identify and protect against reasonably anticipated threats to the security or integrity of the information.
• Protect against reasonably anticipated, impermissible uses or disclosures.
• Ensure compliance by their workforce.
• Perform risk analysis as part of their security management processes.

The Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured protected health information.

You must apply a few safeguarding practices while collecting and processing data online. Some requirements you must fulfill include:

• Establish a business associate agreement (BAA) with every platform you use for marketing, advertising, and analytics and any other business associate. Otherwise, you cannot disclose PHI to that vendor without the individuals’ authorization.
• Address the use of analytics and other data platforms in your risk analysis and management processes.
• Implement administrative, physical, and technical safeguards – such as encrypting PHI transmitted to the analytics vendor and enabling and using appropriate authentication, access, encryption, and audit controls when accessing PHI maintained in the analytics platform infrastructure.
• Work with vendors that support values such as privacy by design to fully control and understand what data you collect, store, and transfer.
• Remove all 18 identifiers from PHI. Once the data is impossible to trace back to one individual, it is no longer PHI and no longer has protection under HIPAA.

Note: De-identification of PHI is not necessary with Piwik PRO – you can sign a BAA and send the desired PHI.

You need to carefully select an analytics vendor that would allow you to achieve HIPAA compliance – for example, don’t forget that Google Analytics is not HIPAA compliant.

You must either make an extra effort to avoid passing any trace of PHI to your analytics or switch to an analytics platform that will help you process patient data with the proper safeguards.