HIPAA compliance is rarely straightforward. But lately—especially with many organizations migrating to Google Analytics 4 ahead of the Universal Analytics July 1 sunset—healthcare stakeholders have had extra questions about what’s happening with Google Analytics 4 and healthcare compatibility.
This post explores the recent healthcare regulatory requirements, Google’s position, and a few of the paths forward.
Recent History: The Health and Human Services Bulletin Re. HIPAA and PHI
In 2022, Meta and several US hospitals were sued under two class-action lawsuits for allegedly violating the United States Health Insurance Portability and Accountability Act, otherwise known as HIPAA. This cast a light on the often shadowy exchange of data in the name of targeting and attribution that can occur as users browse the web.
Following this, the United States Health and Human Services Department (HSS) issued a bulletin to remind covered entities and their business associates of their obligations under the law and relevant regulations. The HHS Department stresses in the opening of the document the following in regard to Protected Health Information (PHI):
Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosure. Source.
The bulletin makes clear that the tracking technology it is speaking about basically encompasses all the common martech integration processes, be it pixel, beacon, fingerprinting script, session replay scripts, IP Address, geolocation, or cookies.
All of these technologies may disclose Individually Identifiable Health Information (IIHI), and that IIHI is often Protected Health Information under HIPAA and the related privacy rules. The document then proceeds to break down tracking on webpages (in both authentication scenarios) and mobile apps.
- Get further HHA guidance on methods for de-identification of protected health information.
- Get more details in our Guide to HIPAA Compliance in Data Collection here.
What counts as Individually Identifiable Health Information (IIHI)?
This is information, including demographic data, that relates to any of the following:
- The individual’s past, present or future physical or mental health or condition
- The provision of health care to the individual
- The past, present, or future payment for the provision of health care to the individual
Google’s Response to the HHA Bulletin
Google’s response to the HHA bulletin in a nutshell: Google Analytics is not HIPAA compliant. Here are their actual words: “Google makes no representations that Google Analytics satisfies HIPAA requirements and does not offer Business Associate Agreements in connection with this service.”
Google recommends that HIPAA-regulated entities follow the bulletin’s advice on what qualifies as PHI and offers additional steps entities should take to make sure their use of GA is permissible:
- Customers who are subject to HIPAA must not use Google Analytics in any way that implicates Google’s access to, or collection of, PHI, and may only use Google Analytics on pages that are not HIPAA-covered.
- Authenticated pages are likely to be HIPAA-covered and customers should not set Google Analytics tags on those pages.
- Unauthenticated pages that are related to the provision of health care services, including as described in the HHS bulletin, are more likely to be HIPAA-covered, and customers should not set Google Analytics tags on HIPAA-covered pages.
- Please work with your legal team to identify pages on your site that do not relate to the provision of health care services, so that your configuration of Google Analytics does not result in the collection of PHI. Source.
Bottom line: HIPAA-regulated entities who want to use Google Analytics have the following options, which we’ll discuss further below:
- Sign a Business Associate Agreement
- Ensure no protected health information is captured
- Anonymize protected health data with a proxy serer
- Platform migration
What’s a Business Associate Agreement?
A business associate agreement is a legally-binding relationship between HIPAA-covered entities and business associates to ensure complete protection of PHI. It’s required if business associates may have access to PHI during their work.
Google will sign a BAA for tools withing Google Cloud Platform but will not sign a BAA for tools within the Google Marketing Platform, in which Google Analytics is included.
Could Google Analytics be HIPAA-compliant without a BAA?
For Google Analytics to be HIPAA compliant, you have to jump through a few hoops, and even then, you might have to get outside guidance (i.e., expert determination) on whether your solution is valid. Also, if you put a solution in place to use without a BAA, it requires a complex implementation for incomplete data and may not be worth the effort in most cases. For the business cases where such a complex implementation is required, Further can help.
Solution One: Determine whether you need a BAA. If you don’t, sigh with relief. If you do, proceed to Solution Two
According to HHS, an entity can’t track user attempts to search for services, find doctors, or schedule an appointment with a health care provider (HCP). Some organizations with healthcare stakeholders may have use cases where they discuss a disease state or symptoms (and who have integrations with Google Ads, etc.) but stop short of finding doctors or scheduling appointments. This type of organization could continue using Google Analytics.
Do we recommend using Google Analytics for only part of your website, if, say, you want to do both of the things mentioned above but on different pages? We do not. Your data will be incomplete and likely unusable.
Solution Two: Use GA4 as a BigQuery data collector
To do this, set up server side Google Tag Manager to intercept Google Analytics events before they reach Google’s servers and redirect them into a BigQuery table inside a Google Cloud Platform project. With this setup, the data would never be sent to the Google Analytics servers and will only be recorded in BigQuery. Further can assist with this solution.
Benefits of this solution: Since Google Cloud Platform will sign a BAA (and allow you to determine the region where data is stored), you could store the raw data and access it with a BI tool such as Looker Studio (here are the HIPAA requirements for using Looker) or Tableau.
Drawbacks of this solution: You would lose a few key benefits of Google Analytics, such as conversion modeling, behavioral modeling, Google signals, and the ability to create reports in the user interface.
You would also need to handle cloud administration. That is, within your access control, you’d need to ensure that you are not using parts of GCP that are not covered by the BAA (such as cloud logging).
Solution Three: Choose an Alternative Tool that Will Sign a BAA
There are several tools that have built practices around compliance so that you do not need to cover yourself to the same extent. Bottom line, if a vendor will sign a BAA with you, your stress goes down and up goes the likelihood that your compliance goals are met. If you’d like to chat about some of these alternative options, please contact us below.
Benefits of this solution: You’ll gain a user interface for reporting and less administrative effort.
Drawbacks of this solution: Additional costs and a longer timeline for a platform migration.
What Does All this Mean for Your Business?
If you’re collecting data not just for treatment but for marketing and other purposes, it’s time to get serious about ensuring your marketing technology is HIPAA-compliant and leveraging your data for business decisions. The privacy experts here at Further are ready and qualified to help.
Note: Further provides compliance solutions in the areas of teaching, tools, and implementation to help companies meet regulatory burdens, but we make no claim that the use of such products will bring a company into compliance. Furthermore, we do not act as attorneys.