While you are likely aware of all of the ways you need to maintain HIPAA compliance in your office and day-to-day interactions with patients, did you know that HIPAA extends to your online presence, as well?
Google Analytics has long been used by marketers in every industry to measure and assess website traffic. However, the U.S. Department of Health & Human Services (HHS) recently issued new guidance on the use of tracking and analytics tools on healthcare-focused websites, and it has serious implications for marketers. While the bulletin does not expressly state that Google Analytics is not compliant, the compliance requirements outlined in the bulletin are leading many healthcare marketers to conclude that it is not a compliant analytics tool. Erring on the side of caution, multiple practices and healthcare organizations have told us that they are abandoning Google Analytics, and we have chosen to do the same for our own clients.
What do you do when one of the key items in your toolbox is no longer available? Going without analytics tracking altogether means that you miss out on key data that can inform your practice’s marketing strategy. On the other hand, you don’t want to run into issues for using a non-compliant service on your website.
Luckily, though options are limited at this time, there are ways to track traffic on a medical practice or hospital website in a HIPAA compliant manner. This is something we’ve figured out for our own clients, and we are happy to pass along what we learned to you.
Why are there HIPAA compliance issues with Google Analytics?
For starters, Google itself has made it known that the Google Analytics service makes no claims of being HIPAA compliant. A key sticking point is that they will not sign a Business Associate Agreement (BAA) in connection with the use of Google Analytics.
It is important to note that the HHS bulletin does not expressly state that Google Analytics cannot be used, ever. That said, the bulletin does state the following:
“Regulated entities disclose a variety of information to tracking technology vendors through tracking technologies placed on a regulated entity’s website or mobile app, including individually identifiable health information (IIHI) that the individual provides when they use regulated entities’ websites or mobile apps. This information might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code. All such IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. This is because, when a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care.”
The bulletin makes it clear that the use of Google Analytics on authenticated webpages, i.e., those collecting information submitted via a form, is not HIPAA compliant.
However, even if you are one of the rare practices that does not have any sort of form submission option on your website, that doesn’t necessarily mean you have the go-ahead to use Google Analytics. Google’s documentation on the matter states:
“Unauthenticated pages that are related to the provision of health care services, including as described in the HHS bulletin, are more likely to be HIPAA-covered, and customers should not set Google Analytics tags on HIPAA-covered pages.”
While it’s a bit of a gray area, the general goal of most pages on a medical practice or hospital website is to help patients procure healthcare services.
For our own purposes, we consulted with not only our lawyer, but also other marketing experts in the healthcare industry. The general consensus was to remove Google Analytics in favor of another analytics tool that would be willing to attest to HIPAA compliance and sign a BAA. Your organization’s legal team may interpret the bulletin differently. Regardless, there are options.
Implementing a HIPAA Compliant Analytics Solution
Your practice has a few different options when it comes to how you implement analytics in a compliant manner. However, keep in mind that most HIPAA compliant options will come with a cost. Make sure you factor that into your practice’s marketing budget.
Option 1: Change how you use Google Analytics.
If your practice really wants to stick with Google Analytics, there may be some options for doing so in a compliant manner.
Google is forcing Analytics users to switch to the new version of their service, GA4, by July 2023. It is a lot different from the Universal Analytics you are accustomed to using, but is more customizable and might help you better anonymize the data you collect. It still might be a good idea to avoid running Google Analytics on pages that capture potential PHI, like online forms, per Google’s own guidance.
There are also tools on the market that can help you feed your website data into Google Analytics in a compliant manner. Freshpaint is one company that has come forward with a solution to anonymize the data before it goes into Google Analytics using ID masking and allowlists.
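One way to apply the two ideas above (keep the tag off pages that may capture PHI, and allowlist what gets reported) in a site's own tag loader. This is an added example, not code from the original post or from any analytics vendor; the path list, the utm_ parameter rule and the analyticsQueue stand-in for the vendor's page-view call are assumptions.

```javascript
// Added example: gate an analytics tag on an allowlist of page paths and strip
// everything except campaign parameters from the URL it reports. The paths,
// parameter rule and analyticsQueue (a stand-in for the vendor's send call)
// are assumptions, not a vendor's API.

// Path prefixes judged unrelated to care delivery; anything not listed here
// (forms, patient portal, appointment booking) is excluded by default.
const ALLOWED_PATH_PREFIXES = ["/", "/about", "/careers", "/news"];

// Query-string keys that are passed through; every other key is dropped.
const ALLOWED_QUERY_KEY = /^utm_[a-z]+$/;

// Stand-in for the vendor's page-view call so the logic runs outside a browser.
const analyticsQueue = [];

function isAllowedPath(pathname) {
  // "/" must match exactly so that "/portal" is not admitted via the "/" prefix.
  return ALLOWED_PATH_PREFIXES.some((prefix) =>
    prefix === "/" ? pathname === "/" : pathname === prefix || pathname.startsWith(prefix + "/")
  );
}

function sanitizeUrl(urlString) {
  const url = new URL(urlString);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_QUERY_KEY.test(key)) kept.set(key, value);
  }
  url.search = kept.toString();
  url.hash = ""; // fragments can carry tokens or record ids; never report them
  return url.toString();
}

// Decide whether a page view may be reported and, if so, which URL to report.
function analyticsDecision(urlString) {
  const url = new URL(urlString);
  if (!isAllowedPath(url.pathname)) {
    return { track: false, reason: "path not on allowlist" };
  }
  return { track: true, pageUrl: sanitizeUrl(urlString) };
}

function recordPageView(urlString) {
  const decision = analyticsDecision(urlString);
  if (decision.track) analyticsQueue.push({ pageUrl: decision.pageUrl });
  return decision;
}

// Browser entry point; skipped when the module is loaded under Node for testing.
if (typeof window !== "undefined") recordPageView(window.location.href);
```

Because the default is to not track, a page that is missing from the allowlist fails closed rather than leaking a hit; review the list whenever new pages go live.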
Option 2: Self-host analytics software on a HIPAA compliant server.
This option may be the most cost-effective if you have very large web properties to track, or multiple websites within a health system that all need tracking.
Analytics tools like Matomo and Fathom Analytics may not be fully HIPAA compliant if you use their cloud-hosted versions (and these companies typically won’t sign a BAA). However, you can self-host them on a HIPAA compliant server like HIPAA Vault, Atlantic.net, or Liquid Web. If the hosting provider meets HIPAA requirements and will sign a BAA, this will allow you to track analytics in a compliant way.
It will be a bit more of a lift upfront for your team to get this set up. If you are a small practice without in-house IT, this might not be the best option for you. But, if it is important for your healthcare organization to maintain data ownership and have control over where your data is stored, self-hosting is the best option.
(Full disclosure: We are using HIPAA Vault to self-host Matomo Analytics for all of our healthcare clients using analytics services. We felt that this was the best option for providing analytics tracking for the large volume of clients whose websites we maintain.)
Option 3: Choose a cloud-hosted analytics provider that is HIPAA compliant.
In our research of the analytics options on the market, there were not many cloud-hosted analytics tools that claimed to be HIPAA compliant and would be willing to sign a BAA. There are several analytics tools that are compliant with the EU’s General Data Protection Regulation (GDPR). While there may be at least some overlap with GDPR and HIPAA, there are separate requirements for HIPAA compliance that many of these analytics tools cannot attest to just yet.
One HIPAA compliant analytics tool that did come highly recommended was PIWIK Pro. While there is a free plan with PIWIK Pro, you will need the paid Enterprise plan for the HIPAA compliant version. Pricing is quoted based on monthly actions tracked on your website. It may be relatively cost-effective for a single site, but be aware that the annual cost can rise if you have several websites to track or a very large website.
Since the HHS guidance on analytics use is still relatively new, it’s possible that more HIPAA compliant analytics tools will enter the market over time. However, we strongly recommend choosing one of the currently available options so that you can minimize the risk for your practice as soon as possible.
Questions to Ask a New Analytics Provider
If you are considering different analytics providers, but aren’t 100% sure if the service is compliant, here are some questions you can ask:
1. What types of data do you collect?
It’s important to know what data the analytics tool will be tracking. Specifically, is it collecting and storing potential PHI, such as IP addresses or form data? If the answer is yes, that doesn’t automatically mean it is not HIPAA compliant, but it does mean that they must have certain security measures in place to maintain compliance.
2. How are you storing and protecting collected data?
The analytics provider should be storing data in a secure manner, and no one should have access to that data unless absolutely necessary. HIPAA compliant hosting requirements for protected data include having a strong firewall, encrypted VPN, multi-factor authentication, an SSL certificate, and SOC 2 Type 2 and SOC 3 Type 2 certifications.
3. Are you willing to sign a BAA?
If you are considering an analytics service that does collect potentially sensitive information, and they are not willing to sign a BAA, then you should not use that service. Even if the tool meets all of the technical requirements to comply with HIPAA, any third party handling ePHI must sign a BAA to be compliant.
Finally, if you are talking to an analytics company that doesn’t know anything about HIPAA or what is required, that’s a good sign that you should not use that service. HIPAA is much too complex, and the risks are too high for your practice to take a chance like that.