In December 2022, the U.S. Department of Health and Human Services (HHS) updated its guidance on the use of tracking technologies by HIPAA-covered entities and their Business Associates. The key point of the updated guidance is that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI [Protected Health Information] to tracking technology vendors or any other violations of the HIPAA Rules.” In order to understand the implications of this updated guidance for the usage of platforms like Google Analytics, Adobe Analytics, and many others, it’s important to understand the definition of PHI.
What Is Protected Health Information (PHI)?
The first thing to know about PHI is that the definition is broad. By the full legal definition, PHI means “any individually-identifiable information created or received by a HIPAA-covered entity that relates to the past, present, or future physical or mental condition of an individual, that is transmitted or maintained in electronic media or in any other form or medium.”
Breaking this down further, what does “individually identifiable” mean? HIPAA specifies no fewer than 18 different types of identifiers, which include broad categories like “any unique identifying number, characteristic, or code.”
In the context of website analytics, a Google Analytics Client ID (or analogous ID from similar platforms) would likely be considered a “unique identifying number, characteristic, or code.” As such, when a Google Analytics Client ID is tied to any information about the past, present, or future physical or mental condition of an individual, it represents PHI. For example, a seemingly innocuous event, like a GA4 page_view event where the Page URL contains “diabetes,” could constitute sending PHI to Google Analytics.
The upshot is that it is highly likely that HIPAA-covered entities are passing PHI to Google Analytics, even if they aren’t necessarily violating Google’s long-standing and generally well-known prohibition of what it considers PII. Google does additionally prohibit the passing of PHI into Google Analytics, which only underscores the need to appreciate the full scope of what could be considered PHI.
How Can I Make My Analytics HIPAA Compliant?
Given the level of risk created by this reality, HIPAA-covered entities using Google Analytics and similar analytics platforms must take action. So what actions can HIPAA-covered entities take to reduce their risk profile?
1. Remove all analytics platforms from websites and mobile apps
2. Reimplement an analytics platform that is fully HIPAA compliant
3. Alter the implementation of the current analytics platform such that no PHI is shared impermissibly
Not surprisingly, Option 1 is not a realistic option for any organization wanting to use data to optimize user experiences and business performance.
Option 2 — reimplementing an analytics platform that is fully HIPAA compliant — is a more realistic option. However, it likely comes with significant costs, not only financially but in terms of time, effort, etc. For example, going through a “rip and replace” for an analytics platform is an exercise that typically takes months, not weeks or days. Organizations suffer from “data discontinuity” because historical data is now siloed in a legacy platform. Even after a new platform is technically in place, the learning curve faced by end users means that the new platform won’t be utilized to its full potential until even later. And the “full potential” of these platforms is unlikely to match the full functionality of Google Analytics or Adobe Analytics, because the very changes necessary to make an analytics platform natively HIPAA compliant result in loss of functionality. So, while moving to a HIPAA-compliant platform is a realistic option, it’s an option whose full costs should be carefully considered.
Option 3 — altering the deployment of the current analytics platform to prevent any impermissible sharing of PHI — is one that likely makes sense for many organizations, but one that, in our experience, most organizations are not aware is available. For example, there are third-party solutions that can help organizations take control of their data and implement rigorous governance, such that a platform like Google Analytics never receives any data that would qualify as PHI. While every organization is unique, in general, we believe that this is the best option for HIPAA-covered organizations. The time from problem to solution is shorter, “data discontinuity” is dramatically reduced, there’s no new platform for end users of analytics to learn, and nearly the full functionality of your incumbent analytics platform can be retained.
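The governance gate that Option 3 relies on can be illustrated in code: a check that runs before a GA4 hit leaves the organization's control (for example in a server-side tag container) and scrubs the condition-related parts of the event, so the Client ID is never paired with a page URL or title that mentions a health condition. This is an added example, not the article's or any vendor's code; the event shape, the term list and the redaction policy are assumptions.

```javascript
// Added example: PHI gate for GA4 page_view events before they reach Google.
// Assumed event shape: { name, client_id, params: { page_location, page_title, page_referrer } }.
// Policy: query strings and fragments are always dropped (they often carry
// appointment or record identifiers); any URL path segment, title or referrer
// that mentions a condition term is replaced with "redacted".

// Constructed, illustrative term list; in practice this is owned and
// maintained by the organization's privacy/compliance function.
const CONDITION_TERMS = ["diabetes", "cancer", "hiv", "pregnancy", "depression"];

function containsConditionTerm(text) {
  const lower = String(text || "").toLowerCase();
  return CONDITION_TERMS.some((term) => lower.includes(term));
}

// Returns the URL with query/fragment removed and sensitive path segments redacted.
// An unparseable URL is treated as unsafe and fully redacted.
function scrubUrl(urlString) {
  let url;
  try {
    url = new URL(String(urlString));
  } catch (e) {
    return "redacted";
  }
  url.search = "";
  url.hash = "";
  url.pathname = url.pathname
    .split("/")
    .map((segment) => (containsConditionTerm(segment) ? "redacted" : segment))
    .join("/");
  return url.toString();
}

// Returns a new, scrubbed copy of the event; the input is never mutated.
// phi_scrubbed records whether any condition term was found, for audit logging.
function sanitizeGa4Event(event) {
  const params = { ...(event.params || {}) };
  const risky =
    containsConditionTerm(params.page_location) ||
    containsConditionTerm(params.page_title) ||
    containsConditionTerm(params.page_referrer);
  params.page_location = scrubUrl(params.page_location);
  if (params.page_referrer !== undefined) params.page_referrer = scrubUrl(params.page_referrer);
  if (containsConditionTerm(params.page_title)) params.page_title = "redacted";
  return { ...event, params, phi_scrubbed: risky };
}
```

Counting the scrubbed events separately (via `phi_scrubbed`) lets the team verify the gate is firing without re-introducing the condition into the analytics platform.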
Merkle | Cardinal Path works with multiple partners that can ease the process of bringing analytics platforms into compliance with HIPAA and the many other regulations that stakeholders are increasingly concerned about. To learn more and chart your organization’s optimal path forward, contact us.