Is Google Analytics HIPAA Compliant?

Topic

What Is Google Analytics?

Google Analytics is a software tool developed by Google that provides basic site analytics and statistics for marketing and search engine optimization (SEO) purposes. It works by inserting a JavaScript page tag into the code of each page of a website. This tag then runs in the web browser of site visitors, collecting data, which can then be used to create reports.

Website owners use Google Analytics to track website performance and to collect insights into people who visit their site. It can generate reports on the number of users, page views, bounce rates, average session durations, sessions by channel, and more. Site owners can then use this information to determine the top sources of website traffic, quantify the success of marketing campaigns, and track conversion actions (like completing purchases or adding items to a shopping cart). It can even provide information on browser type, where a person is browsing from (city and country), language, the type of device that they are using, and their age group.

Google Analytics is an incredibly important tool for website owners and marketing teams. Without this service, gaining these insights and reports related to website performance would be far more difficult. It is also free, fairly easy to use, and integrates well with other platforms. For these reasons, Google Analytics is the most widely used tool of its kind.

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a 1996 law that modernized the flow of healthcare information - and, perhaps most famously, protects private medical information from unauthorized disclosure. More specifically, covered entities must maintain and protect certain protected health information (PHI) related to healthcare.

Under HIPAA, covered entities include health plans (including health insurance companies), most healthcare providers, and healthcare clearinghouses that process PHI that they receive from another covered entity. HIPAA also covers business associates of covered entities.

Protected health information includes:

Information that your medical team puts into your medical record
Information about you in the health insurance company’s computer system
Your billing information
Conversations between healthcare professionals about your care or treatment
Most other health information about you that is held by covered entities.

Pursuant to HIPAA, covered entities must put safeguards in place to ensure that they do not improperly disclose or use PHI improperly. They must also limit uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose, such as communicating with another healthcare provider. They should also have procedures in place to limit who can view and access PHI, and train employees about HIPAA. Finally, business associates have to put safeguards in place to protect PHI and ensure that this information is not used or disclosed improperly.

The consequences of violating HIPAA are steep. According to the United States Department of Health and Human Services (HHS), a person subject to these rules who violates HIPAA may face a criminal penalty of up to $50,000 plus one year in prison. These penalties can increase to up to a $250,000 fine and 10 years in prison in more extreme cases.

Given these potential consequences - and the need to protect patients’ and clients’ private information - covered entities should ensure that any information they collect is safeguarded appropriately. This is particularly true for healthcare organizations that maintain websites that use tools like Google Analytics.

Is Google Analytics HIPAA Compliant?

Google itself is clear that Google Analytics is not HIPAA compliant. The tech giant asks customers who are covered entities under HIPAA to refrain from exposing any protected health information (PHI). Google will not certify that Google Analytics satisfies HIPAA requirements and does not offer any agreements that it will comply with HIPAA’s privacy rules.

According to HHS, covered entities are prohibited from using tracking technologies like Google Analytics which would result in improper disclosures of PHI to the technology vendor. HHS advises that all types of information may be considered PHI, even if an individual does not have an existing relationship with a covered entity. This includes information such as:

A medical record number
Home or email address
Dates of appointments
An individual’s IP address or geographic location,
Medical device IDs
Any unique identifying code
Network location
Geolocation
Advertising ID
Fingerprint used for log-in
Home or email addresses
Diagnosis and treatment information
Prescription information
Billing information
Information created for a login on a patient portal

In some cases, the fact that an individual searches for a medical condition or physician on a covered entity’s website may be PHI, even if that person isn’t a patient. That is because information about the individual’s search, their IP address, email address, and other identifying information may be transmitted to Google. For example, if a person visits a healthcare provider’s website to search for information about Parkinson’s Disease, Google Analytics tracking the individual’s search and their IP address could be considered a HIPAA violation.

This reality puts healthcare organizations in a difficult position. Like other website owners, the data collected by tools like Google Analytics is incredibly valuable to them. Yet at the same time, using Google Analytics could put their patients’ private medical information at risk - potentially leading to a HIPAA violation.

Making Google Analytics HIPAA-Compliant

There are workarounds that allow healthcare organizations to use Google Analytics and comply with HIPAA. Essentially, you will need to change the settings so that no PHI is exposed or transmitted to Google.

As an initial step, you can use Google Tag Manager (GTM) to manage your website's tags or tracking codes. You can then remove tracking data for things like IP addresses, patient names, medical records, addresses, appointment dates, diagnosis, location, age, and gender.

Instead of using Google Analytics to collect potential PHI, you can focus on aggregate data, like traffic patterns and user behavior. In this way, you can still get valuable insight into how visitors interact with your website without potentially violating HIPAA.

Of course, this option will not give you all of the data that you might need to optimize your website. There are some tracking tools that are HIPAA compliant. You could opt to use a different company that will sign a business associate agreement with your organization to avoid a potential HIPAA violation.

These issues are incredibly complex. There isn’t an easy solution, given HHS’ guidance and Google’s very clear stance that Google Analytics is not HIPAA compliant and will not sign a business associate agreement. In this situation, an experienced website design and development team - like Inclind - can work with you to find a way to track website data in a way that protects visitors’ PHI and helps you avoid HIPAA violations.

Build & Maintain Your Healthcare Site With Inclind

Running a website as a healthcare organization can be tricky. In addition to providing accurate information, you must also ensure that your patients’ healthcare information is protected. While tools like Google Analytics are helpful for website administrators and marketing teams, they are not HIPAA compliant.

Inclined has years of experience helping healthcare entities design and develop beautiful, accessible, and secure websites. We understand that healthcare providers, insurance companies, and related organizations have different needs. Our website designers and developers will use their skills and know-how to ensure that every aspect of your website functions well - and complies with HIPAA. We can also help you make updates to your existing site to maintain compliance with our website support and maintenance services.

If you're interested in knowing more about our web design, development, and support services, we are always here to chat with you. You can fill out our online contact form or hit the live chat button to speak to one of our experts about your healthcare website.

Team Member

Katie Callahan