Google Analytics (GA) has ruled the web analytics market for many years. Its deep feature set contributed to this, but the fact that it is free played a big part. From small businesses to hospitals to corporations, it was the choice of marketers and web teams.
The Government Speaks Out
In December 2022, the U.S. Department of Health and Human Services (HHS) released a bulletin that changed everything:
Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates
The bulletin offers guidance on how to avoid sharing individually-identifiable personal health information (PHI) with tracking technologies like Google Analytics, Meta Pixel, and many more. The issue raised is the possibility of storing a visitor’s IP address alongside the pages they’ve visited; a visit to a medical condition page, for example, could indicate that visitor’s medical condition. That data must be protected the same as any other PHI.
Out of the box, Google Analytics is officially not HIPAA compliant, and Google will not sign a BAA for it. Any other pixels or tracking codes that gather IP addresses and store them off site aren’t compliant, either (with a few exceptions).
To say that this is a hurdle for marketers is the understatement of the decade.
BAs, BAAs, and HIPAA
Any vendor you work with that will access, store, or send PHI is referred to as a business associate (BA). To meet HIPAA compliance, your organization and the BA must sign a business associate agreement (BAA). Talk to your legal team to find out what’s required in this regard.
Google Analytics (GA) is not designed to be HIPAA compliant, and Google’s official stance suggests no interest in changing that.
Alternatives to Google Analytics
There are many web analytics tools and below is just a selection of popular ones that are, or can be, HIPAA compliant.
Freshpaint offers a HIPAA compliant platform that collects all your visitor data backed by a BAA, while still letting you use Google Analytics (or other tools) for analysis and reporting.
Matomo, formerly known as Piwik, is considered a good replacement for Google Analytics because its available reports and user interface are so similar. It can be installed on your server or hosted by them in the cloud. Sites that use this tool include Ahrefs, NASA, and the United Nations. Many parts of this tool are free, but you’ll need subscriptions for additional modules to make the most of it.
Piwik PRO is a closed source solution that (sort of) evolved from Piwik and so is comparable to Matomo. It can be installed on your server or hosted by them in the cloud. Pricing is not listed on their website, but is likely similar to Matomo’s as they are close competitors.
If you’re willing to step away from the model that GA established, there are other tools that take different approaches to their reporting. Mixpanel and Pendo, for instance, are popular in eCommerce and follow a product-centric model, following user paths through the marketing funnel. And Celebrus is a first-party data capture tool with options to integrate with fraud prevention and customer data automation tools.
And there are some products newer to the market worth considering, like Heap, Countly, and Plausible.
What’s the Risk?
If a class-action lawsuit is won against a health system regarding HIPAA and tracking technology on the basis of the HHS bulletin, the risk for all health systems will go through the roof.
Act Now
If your healthcare organization is still using Google Analytics, look into whether you are well covered in regards to HIPAA. Many of your colleagues at other orgs are currently making or have recently made the jump, so reach out to them to hear about their experiences. Consult with your legal teams today.