HIPAA Stance Clarifications

# 1
Visitor ✭ ✭ ✭

My company is interested in using Google Analytics to gather some basic analytics information on our users' behavior on our site. However, we have privacy concerns with regard to HIPAA. Specifically, we fall under the classification of "Business Associate" with regard to HIPAA law.

While it is made clear on this page that Google Analytics is not HIPAA compliant, the phrasing on the article around using the service while not sending it Protected Health Information (PHI) is ambiguous.

Here is what is stated:

Unless otherwise specified in writing by Google, Google does not intend uses of Google Analytics to create obligations under the Health Insurance Portability and Accountability Act, as amended, (“HIPAA”), and makes no representations that Google Analytics satisfies HIPAA requirements. If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.

I would like to use Google Analytics for tracking non-PHI information that never has the possibility of storing PHI in our product, such as the page URL, or custom events. How should I interpret that desire against the above comment? I would be using "Google Analytics for any purpose or in any manner," but I would not be using "Google Analytics for any purpose or in any manner involving Protected Health Information."

Basically, I'm trying to determine if the Google Analytics stance is a clarification of the phrase "sending us any PHI is a HIPAA violation", or is the Google Analytics stance "if your company is a Business Associate, you are violating our Terms of Service by merely using this service, even if you do not send us any PHI."

Thanks!

# 2
Visitor ✭ ✭ ✭

Hi Brian,

I am not happy with Google's stance on HIPAA compliance with Google Analytics.  Even if you don't want to capture PHI I'm sure anyone could go to our websites and inject PHI into our Google Analytics data if they wanted to.  All it would take is going to your homepage and slapping a parameter at the end of the URL and refreshing the page (e.g. www.example.com?ssn=123-45-6789 or s=onetwothreefourfivesixseveneightnine).  Granted, filters can be created to look for these types of things, but you could never create enough to catch every instance.  Also, what happens if a customer searches for a medical condition in your local site search that appends the term to the URL (e.g. www.example.com?search=heartattack)?  PHI again.  What are we supposed to do, create a popup that explains what PHI is and why you shouldn't enter it into the search box?  It's not practical and it's ridiculous.  And, if you create more sophisticated PHI filters with Google Tag Manager, you are likely sending Google PHI if it works like other TMSs.  Some accept the URL to evaluate if any conditions within the TMS are true before code is injected onto the page.  If GTM works in this same way, their log files capture the URL with PHI in it.

I really hope this stance changes soon or we are moving to Adobe because they will sign a Business Associate Agreement.  It's just a ridiculous stance when they work with HIPAA compliance on other services they offer, like BigQuery.  Can we just move the Google Analytics reporting platform to sit on top of BigQuery instead of the default Google Analytics databases?  I'm sure it's not as easy as that, but this is Google we are talking about here.

Anyway, good luck figuring this out.  It's a tough road ahead for anyone trying to stay HIPAA compliant on this platform.
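An added example, not code from any post in this thread or from Google, of the client-side filtering the post above is asking for: rewrite the page URL before it is handed to the analytics tag, so that anything a visitor can type into the address bar or a site-search box (the injected "ssn=" parameter and the search term above) never leaves the browser as part of the reported page location. The allow-list of parameter names, the value patterns and the "redacted" marker are assumptions for illustration; a real site derives them from its own URL scheme.

```javascript
// Added example, not code from this thread or from Google Analytics.
// Rewrites a page URL so that only known-safe query parameters survive and
// values that look like identifiers are blanked, before the URL is used as
// the analytics page location. The allow-list and patterns are assumptions
// for illustration; a real deployment derives them from its own URL scheme.

// Query parameters the site actually uses and that never carry free text.
const ALLOWED_PARAMS = new Set(['utm_source', 'utm_medium', 'utm_campaign', 'page']);

// Even an allowed parameter is blanked when its value matches one of these.
const SUSPECT_VALUE_PATTERNS = [
  /\b\d{3}-\d{2}-\d{4}\b/,        // 123-45-6789 style number
  /\b\d{9}\b/,                    // nine bare digits
  /\b\d{1,2}\/\d{1,2}\/\d{4}\b/,  // a date such as a date of birth
];

const REDACTED = 'redacted';

function sanitizePageLocation(rawUrl) {
  const url = new URL(rawUrl);
  const clean = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    if (!ALLOWED_PARAMS.has(name.toLowerCase())) {
      // Unknown parameter (free-text search, an injected "ssn=..."): keep the
      // name so the page is still distinguishable, drop the value entirely.
      clean.append(name, REDACTED);
    } else if (SUSPECT_VALUE_PATTERNS.some((re) => re.test(value))) {
      clean.append(name, REDACTED);
    } else {
      clean.append(name, value);
    }
  }
  url.search = clean.toString();
  // The fragment is never sent to the web server but is part of
  // location.href, so strip it too before handing the URL to the tag.
  url.hash = '';
  return url.toString();
}

// In the browser this would be wired in before the config call, e.g.
//   gtag('config', MEASUREMENT_ID, { page_location: sanitizePageLocation(location.href) });
// (gtag and MEASUREMENT_ID are assumed to be defined by the site's tag snippet.)
```

This only covers the page URL; the same treatment is needed for any event parameter that carries user-typed text.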

# 3
Rising Star

This is a question that I always push back to clients to check with their own legal department.  I can tell you that many, many healthcare organizations utilize Google Analytics and Google Tag Manager etc.  That said, it usually ends once you get to anything resembling a patient portal.

As with PII, PHI should also not be passed into GA, period, end of story.

As for other solutions, there are options past Adobe. 

1. GA 360 has different data declarations

2. Piwik is open source and is HIPAA compliant  https://piwik.pro/hipaa/

Specifically they talk about PHI so again if you are not collecting it..... but always check with legal.

Best,

Theo Bennett

Analytics Evangelist at MoreVisibility | Contact Me
Connect on LinkedIn