Is Google Analytics HIPAA compliant?


Published on Mar 30, 2023 and edited on May 22, 2023 by Iron Brands

HIPAA is a hot topic right now. Last year an investigation from the nonprofit newsroom The Markup revealed that many hospitals illegally disclose protected health information to Meta through Meta pixels on their websites. After the investigation was published, Meta was questioned by the US Senate about its collection of protected information, and many lawsuits were filed against healthcare providers for HIPAA violations (including a class action involving Meta itself).

These lawsuits could cost HIPAA-covered entities a lot of money, so this is a good time to look into HIPAA and what it means for website analytics.

  1. What is HIPAA?
  2. What is the Privacy Rule?
  3. What is PHI?
  4. What this means for web analytics
  5. Is Google Analytics HIPAA compliant?
  6. How about mobile apps?
  7. Is cookie-less analytics the solution?

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law of the United States adopted in 1996. HIPAA aims to protect the privacy and security of protected health information (PHI) and to ensure its portability from one healthcare provider to another.

HIPAA only applies to specific entities: healthcare providers, healthcare insurance plans, and healthcare clearinghouses (that is, intermediaries for the exchange of health information). If your organization does not fit these criteria, you do not need to worry about HIPAA, even if you process health information.

This does not mean you can do whatever you want with health information. Other rules may apply: for instance, California’s CCPA includes rules for processing health information and other categories of sensitive information.

What is the Privacy Rule?

The Standards for Privacy of Individually Identifiable Health Information (commonly referred to as Privacy Rule) is a federal regulation issued by the U.S. Department of Health and Human Services. The Rule implements HIPAA by mandating a set of standards for protecting PHI.

In practical terms, the Privacy Rule is one of the benchmarks for HIPAA compliance. The Security Rule is another benchmark that mandates certain organizational and technical measures to keep PHI safe.

One of the central points of the Privacy Rule is disclosure limitation. Certain disclosures of PHI are allowed because they are essential to the provision of healthcare and the functioning of the healthcare system. For instance, your hospital can send your medical bills to your insurance plan or forward them to another hospital where you receive care. All other disclosures require written authorization from the person the information refers to.

What is PHI?

PHI is the information that is covered and protected by HIPAA and the Privacy Rule. The notion of PHI under HIPAA is complex because it combines three distinct requirements:

  • it relates to the health conditions of an individual or the provision of health care (= it is health information)
  • it relates to an identifiable individual (= it is personally identifiable information, PII for short)
  • it is created by a healthcare provider or another entity covered by HIPAA


The three conditions are cumulative. For instance, if a website provides medical information but not healthcare services, HIPAA does not apply to it, even though it may gather personally identifiable health information through its web analytics.

PHI being personally identifiable is the trickiest requirement. HIPAA contains no definition of personally identifiable information (PII). Still, the Privacy Rule offers some guidance by listing identifiers that make information PII (which can be removed to de-identify it). The list is long and includes IP addresses and any other unique identifying number.

What this means for web analytics

The Privacy Rule is a severe problem for cookie-based analytics. Sharing PHI for the purpose of web marketing and web analytics is not a permitted disclosure under the Privacy Rule and therefore requires written authorization.

The U.S. Department of Health and Human Services also clarified that consenting to cookie banners and similar pop-ups is not a valid authorization to disclose PHI. And because there is no realistic way for a website to collect written authorization from every visitor, the only way to respect the Privacy Rule is to not forward PHI at all.

However, Google Analytics and other cookie-based analytics services include unique identifiers in their cookies. This is how those services gather important metrics such as unique visitors. Suppose an entity covered by HIPAA indiscriminately implements cookie-based analytics on its website. In that case, there is a good chance that an unauthorized disclosure of PHI will occur, resulting in a HIPAA violation.

Is Google Analytics HIPAA compliant?

Implementing cookie-based analytics in a HIPAA-compliant way is possible, but it takes a lot of effort. Google is quite open about this: the documentation for Google Analytics does not claim that the service is HIPAA-compliant out of the box, warns clients not to forward any PHI to Google, and encourages customers to refer to legal professionals to ensure that Google Analytics is implemented in a HIPAA compliant way.

So how do you implement cookie-based analytics while respecting HIPAA and the Privacy Rule?

These U.S. Department of Health and Human Services guidelines are a good start. The Department warns covered entities to be very careful with authenticated pages (pages visitors can only access after logging in). To be on the safe side, you should disable tracking on these pages altogether (as suggested by Google Analytics’ documentation). You should also disable tracking on any page where a visitor can book an appointment, whether the page is authenticated or not.

But are non-authenticated pages fair game? Not really. Unauthenticated pages where patients can book appointments are off-limits as well. And pages that provide information about specific health conditions or therapies may also allow Google (or any other provider of cookie-based analytics) to collect health information. So whether or not you can track visitors on a non-authenticated page ultimately depends on its content.

Bottom line: if HIPAA covers you, you should disable tracking on all authenticated pages. As for non-authenticated pages, you should carefully evaluate each and every one of them based on their content. You will likely want to involve a legal professional, which can be costly if you don’t have an in-house legal team.
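The page-by-page rule above (never on authenticated or booking pages, only on reviewed non-authenticated pages) can be enforced in the browser by a small gate placed in front of the analytics tag, so that the tag is never injected unless the page has been explicitly approved. The snippet below is an added example, not code from the original post or from Simple Analytics; the path patterns, the `authenticated` flag (assumed to be set by the server when it renders a logged-in page) and the tag URL are hypothetical placeholders.

```javascript
// Added example: default-deny gating of an analytics tag per page.
// Path patterns and the tag URL are hypothetical placeholders.

// Pages that must never be tracked: anything behind login and anything
// where a visitor books care. Checked first, so they win over the allowlist.
const NEVER_TRACK = [
  /^\/portal(\/|$)/,        // assumed path of the authenticated patient portal
  /^\/appointments(\/|$)/,  // assumed booking flow, authenticated or not
];

// Pages that have been reviewed and found to carry no condition-specific
// content. Anything not listed here is treated as unreviewed.
const APPROVED_TO_TRACK = [
  /^\/$/,
  /^\/about(\/|$)/,
  /^\/careers(\/|$)/,
  /^\/contact(\/|$)/,
];

// Decide whether analytics may run for this path and session. Returns the
// reason as well, so the decision can be logged and audited.
function analyticsDecision(pathname, { authenticated = false } = {}) {
  if (authenticated) {
    return { track: false, reason: 'authenticated session' };
  }
  if (NEVER_TRACK.some((re) => re.test(pathname))) {
    return { track: false, reason: 'page on never-track list' };
  }
  if (APPROVED_TO_TRACK.some((re) => re.test(pathname))) {
    return { track: true, reason: 'page on reviewed allowlist' };
  }
  // Default deny: pages nobody has assessed yet (for example condition or
  // therapy information pages) stay untracked until they are reviewed.
  return { track: false, reason: 'page not reviewed' };
}

// Inject the vendor tag only when the decision permits it. `doc` is passed
// in rather than read from the global so the function can be unit-tested.
function maybeLoadAnalytics(doc, pathname, session) {
  const decision = analyticsDecision(pathname, session);
  if (decision.track) {
    const script = doc.createElement('script');
    script.async = true;
    script.src = 'https://analytics.example/tag.js'; // placeholder tag URL
    doc.head.appendChild(script);
  }
  return decision;
}

// Browser usage, with the server marking logged-in pages via a body attribute:
//   const session = { authenticated: document.body.dataset.authenticated === 'true' };
//   maybeLoadAnalytics(document, location.pathname, session);
```

The important design choice is the default: an unreviewed page is not tracked, so adding a new condition-information page does not silently start leaking visits to the analytics vendor; someone has to review it and add it to the allowlist first.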

In some cases, a rigorous assessment may conclude that you need to disable tracking for a significant portion of your website, impacting the quality of the insights you get. For instance, hospital websites often feature many pages that provide information about specific health conditions and therapeutic options. Disabling tracking on each of them will substantially impact the quality of the analytics for that website.

How about mobile apps?

The same exact rules apply to mobile apps: under the Privacy Rule, you are not allowed to disclose PHI for marketing or analytics purposes.

In practice, the situation for mobile apps is even worse. Many common software development kits (SDKs) come with built-in trackers. SDKs are a huge privacy issue in general: the development of apps is often outsourced, and as a result, many companies unknowingly track their users. If HIPAA covers you, this can result in a violation of the Privacy Rule.

Is cookie-less analytics the solution?

It depends. Cookie-less does not necessarily mean privacy-friendly because there are other ways to track visitors. If you fingerprint visitors or track them through their IP, then you can still disclose PHI to your web analytics provider, which is the core legal issue at play.

Your best option is a privacy-friendly analytics service that simply does not track the user and provides insight without fingerprinting visitors or using clever re-identification tricks.

We built such a tool. Simple Analytics was designed with privacy in mind from the very beginning. It does not track users or need personally identifiable information to work, all while providing the customer with quality insights to grow their business and improve their online presence. Check our ‘what we collect’ page and our legal documentation to see for yourself. If this sounds good to you, feel free to
