Don't let your new tools have you run afoul of HIPAA regulations.
When you’re involved in the day-to-day work of managing a health practice or organization, you’re intimately familiar with HIPAA. You probably have a good handle on how to maintain patient privacy under HIPAA in normal business operations, but what about your marketing efforts?
Healthcare marketers also have to be careful to ensure their marketing campaigns and processes stay in line with HIPAA standards. That means crossing your T’s and dotting your I’s when it comes to your website, lead generation techniques, and the tools you use to gather information about prospective and current patients.
That includes your use of Google Analytics and other online tracking platforms.
In December 2022, the Department of Health & Human Services (HHS), which is responsible for overseeing HIPAA, shared updated guidance about the use of online tracking technologies. The HHS statement included guidance about how to avoid disclosing individually identifiable personal health information — that all-important PHI — to tracking platforms such as Google Analytics.
Wondering whether you need to make adjustments to how your practice uses tracking tools? The information below may help you make sense of the HHS guidance and how it relates to your marketing plans.
What’s HIPAA got to do with it?
HIPAA is all-encompassing. Since it’s designed to protect patient privacy and ensure patient information isn’t being distributed beyond the health providers who need it, its guidelines touch everything from your practice’s check-in desk to the contact form(s) on your website.
Any time you view, collect, or store data about patients — or even potential patients — your practice and the people who work there are responsible for protecting that information. But what is covered as protected health information may surprise you. Sure, you’d expect a patient’s name or medical conditions to be protected under HIPAA, but did you know that even an IP address is considered PHI? Because an IP address can be used to track down an individual, when it’s stored alongside other private data — like a condition or service page that individual visited — you now have an obligation to ensure that data is stored and protected in a HIPAA-compliant manner.
This means that you need to have standards in place to keep that information safe, just like you would any other type of patient health information.
What would those standards look like?
Knowing that you need to protect patient information, no matter how or where it’s gathered, how can you put that into practice? Follow these basic guidelines:
These guidelines govern both those who are employed by your medical practice and also agencies you partner with, including those that handle your marketing campaigns. Ensure your vendors and analytics platforms are meeting standards by clarifying how they handle PHI and establishing a business associate agreement (BAA) between your organization and theirs.
What does a BAA do?
This specialized agreement certifies that both parties understand HIPAA guidelines and requirements, including what constitutes PHI, and will uphold the required security standards. A business associate agreement also assigns legal responsibilities in case something goes wrong.
You only need a BAA with vendors that will handle protected information, so think carefully through the roles your vendors play and the work they do for you.
Circling back to the original premise of this article — do you need a BAA with an online tracking platform? And is it even possible to put one in place?
It’s an interesting question, and the answer is likely to evolve in the coming years. While some tracking tools may already have a process in place to secure a BAA, Google Analytics does not.
That’s not because of a lack of responsibility on their part, though. Because these platforms report data in aggregate, it was widely interpreted that those data points did not meet the criteria for individually identifiable PHI. However, Google Analytics does interact directly with IP addresses, so the new guidance from HHS as of December 2022 calls into question whether healthcare organizations can safely use Google Analytics on their websites.
How do we stay in compliance?
The biggest piece of advice we can provide is to stay ahead of any changes in the HIPAA landscape. When new guidelines are released, as they were this past December, review those guidelines and your practice standards with legal counsel or a compliance team. In 2023, healthcare organizations must have a data-informed marketing strategy, which means they need great analytics! But they also need to understand that their data and reporting strategy has to be HIPAA-compliant.
Continually take a sharp look at the tools you’re using to capture information about patients and prospective patients. Ensure that any PHI is carefully gathered, encrypted, and tightly restricted to those who require access. There are a number of analytics tools out there that will sign a BAA and certify that they handle your data in a HIPAA-compliant manner, so if your organization and its attorneys determine that the risk of using Google Analytics simply isn’t worth it, don’t throw the baby out with the bathwater! It’s time to pivot to a new solution.
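One concrete way to take that "sharp look" is to inventory which pages of your site load third-party tracking scripts, since a tracker loaded on a condition or service page is exactly the combination (visitor IP address plus the page visited) the article describes as PHI. The script below is an added example, not code from the article or from Full Media; the tracker host list and the two sample pages are constructed for illustration, and the `G-XXXX` measurement id is a placeholder.

```python
"""Inventory third-party tracking scripts across a set of web pages.

Added example (not from the article or Full Media): parse each page's HTML
with the standard library and report which known tracking hosts it loads,
so a practice can see which pages would send a visitor's IP address and the
page URL to a tracking platform. TRACKER_HOSTS and SAMPLE_PAGES are
constructed for illustration; extend the host list for your own vendors.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of common tracking platforms (constructed list; add your vendors).
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
}

class TrackerFinder(HTMLParser):
    """Collect src/href hosts from <script>, <img>, <iframe> and <link> tags."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe", "link"):
            return
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host in TRACKER_HOSTS:
                    self.hits.append((tag, host, TRACKER_HOSTS[host]))

def audit_page(html):
    """Return a sorted list of (tag, host, vendor) tracker loads on one page."""
    finder = TrackerFinder()
    finder.feed(html)
    return sorted(set(finder.hits))

# Constructed sample pages: the condition page loads GA4 via gtag.js and a
# GTM noscript iframe; the contact page loads only first-party assets.
SAMPLE_PAGES = {
    "/conditions/diabetes": ('<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script></head>'
                             '<body><noscript><iframe src="https://www.googletagmanager.com/ns.html?id=G-XXXX"></iframe></noscript></body></html>'),
    "/contact": '<html><head><script src="/static/app.js"></script></head><body></body></html>',
}

def audit_site(pages=SAMPLE_PAGES):
    """Map each page path to the trackers it loads; an empty list means none."""
    return {path: audit_page(html) for path, html in pages.items()}

if __name__ == "__main__":
    for path, hits in audit_site().items():
        print(path, "->", [f"{vendor} ({tag})" for tag, _, vendor in hits] or "no trackers")
```

In practice you would feed `audit_site` the fetched HTML of every public page and review any condition or service page that reports a vendor you have no BAA with.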
Rachael Sauceman is the Director of Strategy for Full Media, a Chattanooga, TN-based digital marketing agency specializing in healthcare. Full Media offers a full spectrum of digital marketing capabilities within the healthcare space, including website design, online advertising, SEO, patient experience optimization, and analytics.