In December 2022, the U.S. Department of Health and Human Services (HHS) updated its guidance on the use of tracking technologies by HIPAA-covered entities and their Business Associates. The key point of the updated guidance is that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI [Protected Health Information] to tracking technology vendors or any other violations of the HIPAA Rules.” In order to understand the implications of this updated guidance for the usage of platforms like Google Analytics, Adobe Analytics, and many others, it’s important to understand the definition of PHI.

What Is Protected Health Information (PHI)?

The first thing to know about PHI is that the definition is broad. By the full legal definition, PHI means “any individually-identifiable information created or received by a HIPAA-covered entity that relates to the past, present, or future physical or mental condition of an individual, that is transmitted or maintained in electronic media or in any other form or medium.”

Breaking this down further, what does “individually identifiable” mean? HIPAA specifies no fewer than 18 different types of identifiers, which include broad categories like “any unique identifying number, characteristic, or code.”

In the context of website analytics, a Google Analytics Client ID (or analogous ID from similar platforms) would likely be considered a “unique identifying number, characteristic, or code.” As such, when a Google Analytics Client ID is tied to any information about the past, present, or future physical or mental condition of an individual, it represents PHI. For example, a seemingly innocuous event, like a GA4 page_view event where the Page URL contains “diabetes,” could constitute sending PHI to Google Analytics.

The upshot is that it is highly likely that HIPAA-covered entities are passing PHI to Google Analytics, even if they aren’t necessarily violating Google’s long-standing and generally well-known prohibition of what it considers PII. Google does additionally prohibit the passing of PHI into Google Analytics, which only underscores the need to appreciate the full scope of what could be considered PHI.

How Can I Make My Analytics HIPAA-Compliant?

Given the level of risk created by this reality, HIPAA-covered entities using Google Analytics and similar analytics platforms must take action. So what actions can HIPAA-covered entities take to reduce their risk profile?

  1. Remove all analytics platforms from websites and mobile apps
  2. Reimplement an analytics platform that is fully HIPAA compliant
  3. Alter the implementation of the current analytics platform such that no PHI is shared impermissibly

Not surprisingly, Option 1 is not an option we recommend to any organization wanting to use data to optimize user experiences and business performance.

Option 2 — reimplementing an analytics platform that is fully HIPAA-compliant — is a more realistic option. Analytics platforms like Piano Analytics are HIPAA-compliant out of the box. While transitioning from one analytics platform to another is a major decision, and one that shouldn’t be taken lightly, smart planning can reduce “switching costs” and speed up “time to value.” For example, many elements of analytics infrastructure can be made vendor-agnostic, even if they weren’t initially designed to be: data layer elements, tagging logic, data taxonomies, and more don’t necessarily need to be rebuilt from scratch. Instead, with some expertise in both the “legacy” platform and your planned new analytics platform, this infrastructure can be made reusable, dramatically easing the burden of a transition.

Option 3 — altering the deployment of the current analytics platform to prevent any impermissible sharing of PHI — is one that often seems intuitive, but in reality is difficult to accomplish. Analytics platforms function on some basic assumptions about how data will be collected. When attempting to “patch” an analytics platform that isn’t natively HIPAA-compliant, organizations often have to take fairly drastic steps to alter the manner in which data is collected. This can have a negative impact on the performance and reliability of the analytics platform. Put simply: by the time you redact any information that could qualify as PHI, will your analytics platform still function as normal? Will it still satisfy your use cases? This is an option worth considering, but somewhat counterintuitively, it can actually be a bigger lift — with less benefit — than simply migrating to a HIPAA-compliant platform.
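The page_view case described earlier (a Client ID sent together with a Page URL containing “diabetes”) and the Option 3 trade-off, as an added example that is not from the original article. It audits captured GA4 collect requests and then shows what a blunt redaction leaves behind. The term list, sample hits and the clinic.example host are constructed; keyword matching is an audit heuristic, not a definition of PHI.

```javascript
// Illustrative, constructed term list; a real audit needs a reviewed vocabulary.
const HEALTH_TERMS = ["diabetes", "oncology", "depression", "pregnancy"];

// GA4 collect parameters: cid = Client ID, en = event name,
// dl = page URL (document location), dt = page title.
function auditHit(collectUrl) {
  const params = new URL(collectUrl).searchParams;
  const clientId = params.get("cid");
  const fields = { dl: params.get("dl") || "", dt: params.get("dt") || "" };
  const matches = [];
  for (const [field, value] of Object.entries(fields)) {
    const text = value.toLowerCase();
    for (const term of HEALTH_TERMS) {
      if (text.includes(term)) matches.push({ field, term });
    }
  }
  return {
    event: params.get("en"),
    hasIdentifier: Boolean(clientId),
    matches,
    // The risk the article describes: a unique identifier tied to health information.
    flagged: Boolean(clientId) && matches.length > 0,
  };
}

// Blunt "Option 3" style redaction: keep only the site origin and drop the title.
// The hit no longer says which page was viewed, so page-level reports lose their value.
function redactHit(collectUrl) {
  const url = new URL(collectUrl);
  const dl = url.searchParams.get("dl");
  if (dl) url.searchParams.set("dl", new URL(dl).origin + "/");
  url.searchParams.delete("dt");
  return url.toString();
}

// Constructed sample hits (placeholder measurement ID and Client ID).
const SAMPLE_HITS = [
  "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&cid=1111.2222&en=page_view&dl=https%3A%2F%2Fclinic.example%2Fconditions%2Fdiabetes%2Fappointments&dt=Diabetes%20care",
  "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&cid=1111.2222&en=page_view&dl=https%3A%2F%2Fclinic.example%2Fcareers&dt=Careers",
];

for (const hit of SAMPLE_HITS) {
  const before = auditHit(hit);
  const after = auditHit(redactHit(hit));
  console.log(before.event, "flagged:", before.flagged, "after redaction:", after.flagged);
}
```

After redaction the Client ID is still sent, but every page view on the site collapses to the same URL, which is the loss of function the paragraph above asks about.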

Every organization’s assessment of the “cost/benefit analysis” surrounding HIPAA-compliance will be different. If you’re grappling with these issues and want to know more, contact us and we’d be happy to help you explore your options.
