HIPAA is a hot topic right now. Last year an investigation by the nonprofit newsroom The Markup revealed that many hospitals illegally disclose protected health information to Meta through Meta pixels on their websites. After the investigation was published, Meta was questioned by the US Senate about its collection of protected information, and many lawsuits were filed against healthcare providers for HIPAA violations (including a class action involving Meta itself).
These lawsuits could cost HIPAA-covered entities a lot of money, so this is a good time to look into HIPAA and what it means for website analytics.
- What is HIPAA?
- Who is covered by HIPAA?
- What is the Privacy Rule?
- What is PHI?
- What this means for web analytics
- Is Google Analytics HIPAA compliant?
- How do I implement cookie-based analytics in a HIPAA-compliant way?
- It's not just about cookies!
- Is cookie-less analytics the solution?
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law of the United States adopted in 1996. HIPAA aims to protect the privacy and security of protected health information (PHI) and to ensure its portability from one healthcare provider to another.
It also sets technical standards for electronic health records and establishes data portability rights. In a nutshell, HIPAA deals with privacy, but it is not a privacy regulation in the strict sense.
Who is covered by HIPAA?
Please note that HIPAA covers patient data, not health data as such. This is because HIPAA only applies to specific entities.
HIPAA mainly covers healthcare providers, healthcare insurance plans, and healthcare clearinghouses (that is, intermediaries for the exchange of health information). These entities are referred to as covered entities (CEs).
HIPAA also covers business associates. Business associates are entities that receive PHI from a covered entity on a regular basis, and provide certain services or perform activities for the covered entity, including data analysis. Business associates are also subject to some data protection rules under HIPAA, and need to sign a business associate agreement (BAA) with the covered entities they work with.
Finally, HIPAA also covers subcontractors. Subcontractors work with business associates and basically do a part of their job. You can think of subcontractors as business associates of business associates.
Please note that we are simplifying a bit: there is more to determining whether someone is a covered entity, business associate, or subcontractor. But it is important to note that working for a covered entity does not, in and of itself, make you a business associate. You cannot be a business associate if you don't receive PHI, no matter who you work for.
If your organization is not a covered entity, a business associate, or a subcontractor, you do not need to worry about HIPAA! But this does not mean you can do whatever you want with that information. Other rules may apply: for instance, California’s CCPA includes specific rules for processing health information and other categories of sensitive information.
What is the Privacy Rule?
HIPAA mandates certain standards to ensure that PHI is processed in a safe and confidential way. These standards are commonly referred to as the HIPAA Privacy Rule.
One of the central points of the Privacy Rule is disclosure limitation. Certain disclosures of PHI are allowed because they are essential to the provision of healthcare and the functioning of the healthcare system. For instance, a hospital can send your medical bills to your insurance plan or forward your electronic health record to your new hospital.
Other disclosures require a written authorization from the person the information refers to. This is a serious requirement because healthcare providers are (generally) not allowed to refuse their services if you do not authorize the disclosure. In other words, patients cannot be blackmailed into authorizing an unneeded disclosure.
What is PHI?
PHI is the information that is covered and protected by HIPAA and the Privacy Rule. The notion of PHI under HIPAA is complex because it combines three distinct requirements:
- it relates to the health conditions of an individual or the provision of health care (= it is health information)
- it relates to an identifiable individual (= it is personally identifiable information, PII for short)
- it is created by a healthcare provider or another entity covered by HIPAA
The three conditions are cumulative. For instance, if a website provides medical information but not healthcare services, HIPAA does not apply to it, even though it may gather personally identifiable health information through its web analytics.
PHI being personally identifiable is the trickiest requirement. HIPAA contains no definition of personally identifiable information (PII). Still, the Privacy Rule offers some guidance by listing identifiers that make information PII (which can be removed to de-identify it). The list is long and includes IP addresses and any other unique identifying number.
What this means for web analytics
The Privacy Rule is a big deal for cookie-based analytics.
Google Analytics and other cookie-based analytics services include unique identifiers in their cookies. This is how those services gather important metrics such as unique visitors. However, unique identifiers qualify as PII under the Privacy Rule. This means that cookie data is PHI when the other two requirements from HIPAA are satisfied (= it is created by a HIPAA-covered entity, and it is health information).
Sharing PHI for the purpose of web marketing and web analytics is not a permitted disclosure under the Privacy Rule and therefore requires written authorization.
The U.S. Department of Health and Human Services also clarified that consenting to cookie banners and similar pop-ups does not count as giving a valid authorization to disclose PHI. And because there is no other realistic way to collect a written authorization from every visitor, the only way websites can respect the Privacy Rule is to not forward PHI at all when using a web analytics service.
This runs counter to the design of Google Analytics, because personally identifiable information needs to be processed by (and disclosed to) Google for the service to work.
That is not to say HIPAA-covered entities cannot use Google Analytics or any other cookie-based analytics solution. But it's a lot of work. If you implement cookie-based analytics the way you would on any other website, you are practically guaranteed to violate HIPAA.
Is Google Analytics HIPAA compliant?
Google Analytics is not HIPAA compliant out of the box. This is why Google is not willing to sign a business associate agreement with HIPAA-covered entities.
The company’s own documentation is quite transparent about this. Google makes no claim that the service is HIPAA-compliant, warns clients not to forward any PHI to Google, and encourages customers to refer to legal professionals to ensure that Google Analytics is implemented in a HIPAA compliant way.
How do I implement cookie-based analytics in a HIPAA-compliant way?
These guidelines from the U.S. Department of Health and Human Services are a good start. The Department warns to be very careful with authenticated pages, that is, pages visitors can only access after authenticating or logging in. To be on the safe side, you should disable tracking on these pages altogether (as suggested by Google Analytics' documentation as well). You should also disable tracking on any page where a visitor can book an appointment, whether the page is authenticated or not.
But are non-authenticated pages fair game? Not really. Unauthenticated pages where patients can book appointments are off-limits as well. And pages that provide information about specific health conditions or treatments may also allow Google (or any other provider of cookie-based analytics) to collect health information. So whether or not you can track visitors on a non-authenticated page ultimately depends on its content.
Bottom line: if HIPAA covers you, you should disable tracking on all authenticated pages. As for non-authenticated pages, you should carefully evaluate each page based on its content. You will definitely want to get a legal professional involved, which is going to be costly if you don't have an in-house lawyer or legal team.
In some cases, a rigorous assessment may conclude that you need to disable tracking for a significant portion of your website. This can have a negative impact on the quality of the insights you get from your web analytics.
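One way to enforce the page-by-page outcome of such a review in the browser, as an added example that is not code from the original post or from any analytics vendor: a deny-by-default gate that loads the analytics tag only on paths the review explicitly cleared, and never on authenticated, booking or condition-specific pages. The allowlist, the blocked prefixes, the `data-authenticated` attribute and the script URL are all assumptions made up for the example.

```javascript
// Added example (not Simple Analytics or Google code): deny-by-default gating of a
// third-party analytics tag on a HIPAA-covered site. Tracking loads only on pages
// that an explicit review has cleared; authenticated, booking and condition-specific
// pages are never tracked, in line with the HHS guidance discussed above.

// Hypothetical allowlist produced by the page-by-page review (constructed paths).
// Anything not listed here is treated as untracked.
const REVIEWED_PUBLIC_PATHS = ["/", "/about", "/locations", "/careers"];

// Hypothetical prefixes that are blocked regardless of the allowlist, as a
// safeguard against a mistaken allowlist entry.
const ALWAYS_BLOCKED_PREFIXES = ["/portal", "/appointments", "/conditions", "/treatments"];

// Decide whether analytics may load for this page.
// `isAuthenticated` is a flag the server renders into the page (assumption).
// The page URL, query string included, is sent to the vendor with every hit, so
// pages carrying any query parameters are refused as well.
function mayLoadAnalytics(pathname, isAuthenticated, search = "") {
  if (isAuthenticated) return false;                 // never on authenticated pages
  const path = pathname.replace(/\/+$/, "") || "/";  // normalise trailing slashes
  if (ALWAYS_BLOCKED_PREFIXES.some((p) => path === p || path.startsWith(p + "/"))) {
    return false;
  }
  if (search.length > 0) return false;               // query strings may carry identifiers
  return REVIEWED_PUBLIC_PATHS.includes(path);       // default deny
}

// Inject the vendor tag only when the gate allows it. In a browser this reads the
// server-set `data-authenticated` attribute on <html>; outside a browser it is a
// no-op so the decision logic above can be exercised on its own.
function loadAnalyticsIfAllowed(scriptUrl) {
  if (typeof document === "undefined" || typeof window === "undefined") return false;
  const authed = document.documentElement.dataset.authenticated === "true";
  if (!mayLoadAnalytics(window.location.pathname, authed, window.location.search)) {
    return false;
  }
  const tag = document.createElement("script");
  tag.src = scriptUrl;   // placeholder for the vendor's script URL
  tag.async = true;
  document.head.appendChild(tag);
  return true;
}
```

The gate only decides whether the tag loads at all; it does not sanitise what an already-loaded tag collects, so pages that fail the review must stay outside the allowlist rather than rely on later filtering.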
For instance, hospital websites often feature informational pages on specific health conditions and forms of treatment. These pages are often meant to be landing pages that attract new visitors, so disabling tracking for them will negatively impact the quality of your web analytics.
So it can be done, but it’s not as simple as tweaking some settings and injecting a line of code here and there. A proper HIPAA-compliant implementation of cookie-based analytics is burdensome, can be costly, and will likely impact the quality of the insights you get.
It's not just about cookies!
The rules for cookies also cover other tracking technologies. For instance, a New York hospital recently settled a HIPAA lawsuit related to the use of tracking pixels on its website.
You should be especially careful with mobile apps. Many common software development kits (SDKs) come with built-in trackers that can cause a Privacy Rule violation. Companies are often unaware of these trackers because their developers don't read the legal documentation, or because development is simply outsourced.
This does not mean that your mobile app cannot touch PHI. But you need to make sure that the app is not disclosing the data to a third party through common built-in trackers.
PHI can be collected in other ways. For instance, APIs for popular services such as Google Maps sometimes collect and disclose personal information. If you embed an API on your website, make sure you know exactly what version of the API you are using and what data the API is collecting and disclosing.
Another common way of breaching the Privacy Rule is improper device disposal. If you are covered by HIPAA, you should make sure to remove all PHI from a device's memory before disposing of it. Actually, do it for any personal information, regardless of HIPAA.
Bottom line: focusing on your web analytics is good, but don’t lose sight of the whole picture.
Is cookie-less analytics the solution?
It depends. Cookie-less does not necessarily mean privacy-friendly, because there are ways to track visitors without cookies. If you fingerprint visitors or track them through their IP address, you will still disclose PHI to your web analytics provider, which is the core legal issue at play.
Your best option is privacy-friendly analytics services that simply do not track the user and provide insight without fingerprinting visitors or using clever re-identification tricks.
We built such a tool. Simple Analytics was designed with privacy in mind from the very beginning. It does not track users and does not need personally identifiable information to work, all while providing the customer with quality insights to grow their business and improve their online presence. Check our 'what we collect' page and our legal documentation to see for yourself.
Simple Analytics is a fantastic tool to comply with HIPAA because it never, ever collects PII or PHI.
The only personal information used by Simple Analytics is the visitor’s IP address, which is strictly needed for communication (and never stored or used to track). Even this minimal disclosure can be prevented by the customer by using a proxy. This only requires adding a few lines of code to your website.
Proxying allows you to implement Simple Analytics on your entire website without any risk of breaching the Privacy Rule, because we do not receive any personal information from you. This is a much easier and safer path to compliance than evaluating and disabling tracking for individual pages. And of course, since you are not disclosing PHI, you don’t need a business associate agreement!
To be clear, we are not suggesting a legal workaround. You can't breach the Privacy Rule if you don't disclose personal information; it's that simple. A privacy-by-design approach to web analytics is both compliant and ethical.
If this sounds good to you, feel free to give us a try!