
HIPAA Considerations with Google Analytics? Consider These Options


Matt Crowley October 4, 2023

On December 1st, 2022, the HHS Office for Civil Rights issued a bulletin related to the use of online tracking technologies by HIPAA covered entities. This bulletin appeared to be intended to provide some clarity on the obligations of HIPAA covered entities (organizations) when using online tracking technologies on their websites and mobile apps. Though this guidance appears to cover all tracking technologies, they made sure to specifically mention Google Analytics (GA) and the Meta Pixel in their announcement.

In this post, we explore considerations for organizations that are running, or plan to run, GA (specifically GA4) on their public-facing website and/or app.

A Disclaimer

The subjects covered here ultimately come down to questions that should be answered by your legal counsel. We are not a law firm and this should not be used as legal advice. We strongly recommend seeking guidance from your legal counsel and all other relevant stakeholders such as privacy, analytics, marketing and others.

Additionally, this is a topic with many considerations and options, and the best path forward will be unique to each organization. Consider this post an educational resource and not a list of the paths that are best for your organization. If you have any questions about how we can help provide you with specific analytics guidance, reach out to data@morevisibility.com.

Why Now?

Though the bulletin was released almost a year ago, the subject is complicated and it has taken quite some time for impacted organizations to work through the many questions that arose, such as:

  • Does this relate to us?
  • What is the interpretation and application of the information provided to us?
  • Who should be involved in these discussions?
  • How are we impacted?
  • What is in the best interest of those visiting our website/app?
  • What are the risks?
  • What are we doing today?
  • What are the options for moving forward?

At this point, most organizations have started to reach the latter questions, including the evaluation of their options for moving forward.

Key Analytics Considerations

While there are many critical legal, privacy, and other considerations, we specifically have been exploring the analytics considerations contained in the bulletin. I've spoken with many impacted organizations, and we have navigated through several of the options and next steps listed at the end of the document. This post relays some of my experiences from those discussions and engagements.

Specifically, there are three considerations to focus on from an analytics perspective for organizations that are running, or plan to run, GA (specifically GA4) on their public-facing website and/or app.

  1. The section on “Tracking on user-authenticated webpages”
  2. The section on “Tracking on unauthenticated webpages”
  3. The statement that “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

Tracking on user-authenticated webpages

User-authenticated generally refers to pages that require a user login to access, such as a patient portal. GA should never have been employed behind user-authenticated web pages or app screens. This is because the GA terms of service state that you should not collect any personally identifiable information. Additionally, GA has never been considered HIPAA compliant and therefore should not be used on pages that are tied to a specific user. While you should validate whether your implementation is in conflict with this, most organizations we've worked with have not faced this issue, as they never placed tracking on user-authenticated webpages.

Tracking on unauthenticated webpages

This section contains relatively “new” guidance and interpretations on what constitutes health information (HI), personally identifiable information (PII), and the combination resulting in personally identifiable health information (PHI).

Specifically, it states that (bold and underline styles added by me):

“The login page of a regulated entity’s patient portal (which could be the website’s homepage or a separate, dedicated login page), or a user registration webpage where an individual creates a login for the patient portal, generally are unauthenticated because the individual did not provide credentials to be able to navigate to those webpages. However, if the individual enters credential information on that login webpage or enters registration information (e.g., name, email address) on that registration page, such information is PHI. Therefore, if tracking technologies on a regulated entity’s patient portal login page or registration page collect an individual’s login information or registration information, that information is PHI and is protected by the HIPAA Rules.”

In the example above, though the tracking occurs on an unauthenticated web page, the tracking technology is capturing PHI. As stated in the last section, GA should never (even according to Google's own Terms of Service) be used to capture PII. So, this isn't something that should be happening, or a strategy employed in your use of GA.

However, the next section is very insightful as it specifically mentions email address and IP address tied to an individual, i.e. that these could be considered PII. This is important to those who focus on analytics, since these are two data points (or “dimensions”) we want to be aware of. Specifically, whether GA is capturing values for either of these two dimensions, and if so, how they are being captured, sent, and stored (bold and underline styles added by me):

“Tracking technologies on a regulated entity’s unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.”

As previously stated, no organization should be capturing email addresses in GA, since that is PII and against Google's Terms of Service. However, this section brings up an important question on IP addresses. While GA4 does not provide access to user IP addresses, there is some confusion around specifically how IP addresses are technically used by GA4 and whether or not that is in conflict with an organization's obligations. While that decision is up to the organization, there are paths to eliminate this as a concern, listed at the end of this post.

Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules

This section is far too long to summarize here, and I recommend reading it in full on the HHS website. However, from an analytics perspective, this section brings up a few questions for us, including:

  1. Does Google Analytics store what is considered to be “health information” according to this new guidance?
  2. Does Google store individually identifiable information according to this new guidance?

Based on these questions, and the decisions of your organization's legal, privacy, and other stakeholders, you may need to consider alternatives to the “standard” implementation of GA4. While there are several paths that can be taken, this graphic represents some of the status of decision making by many organizations I've spoken to:

What are My Options?

The good news is that there are a myriad of options for you to consider. The bad news is that all of them come with trade-offs. As mentioned in the disclaimer, the best path forward will be unique to each organization and may be listed below, or not on this list at all (as these are some of the more common approaches being taken).

As shown above, the three most common paths are to either:

  1. Replace GA4 with a HIPAA compliant analytics platform
  2. Continue using GA4 but add a CDP / data governance tool between your website and GA4 to stop anything you identify as PHI data from being sent to GA4.
  3. Continue using GA4 but alter your implementation to stop anything you identify as PHI data from being sent to GA4, without using a CDP / data governance tool.
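As an added example (not code from the original post or from MoreVisibility), the third path above, altering the implementation so that nothing identified as PHI reaches GA4, can be approached with a client-side scrubber that runs before gtag.js sends a hit. The PHI parameter names, the sensitive path prefixes and the `G-PLACEHOLDER` measurement ID are assumptions standing in for whatever your own review identifies; `page_location` is gtag's config parameter for overriding the reported page URL. This approach cannot address the IP address question raised earlier: the IP is visible to whichever server receives the request, so removing it requires the CDP or proxy path rather than a client-side change.

```javascript
// Added example, not code from the original post or from MoreVisibility:
// a client-side scrubber that removes values an organization has classified
// as PHI before they are handed to gtag.js (path 3 above). The key names in
// PHI_PARAMS and the prefixes in SENSITIVE_PATH_PREFIXES are hypothetical
// placeholders; substitute the ones your own PHI review identified.

// Matches an email address, either raw or with a percent-encoded "@".
const EMAIL_RE = /[A-Za-z0-9._%+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}/i;
// Fresh global copy for replace(), so no lastIndex state leaks between calls.
const emailGlobal = () => new RegExp(EMAIL_RE.source, 'gi');

// Query-string and event-parameter keys this (hypothetical) site identified as PHI.
const PHI_PARAMS = new Set(['email', 'patient_id', 'symptom', 'provider']);

// Path prefixes under which the path itself names a condition or a provider
// search; only the prefix is reported so the specific page is not disclosed.
const SENSITIVE_PATH_PREFIXES = ['/conditions/', '/providers/search/'];

// Returns a copy of the URL with PHI removed from the path, query and fragment.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);

  // Generalize sensitive paths down to their prefix.
  for (const prefix of SENSITIVE_PATH_PREFIXES) {
    if (url.pathname.startsWith(prefix)) {
      url.pathname = prefix;
      break;
    }
  }

  // Snapshot the entries first: deleting while iterating a live
  // URLSearchParams skips items.
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (PHI_PARAMS.has(key.toLowerCase())) {
      url.searchParams.delete(key);          // known PHI key: drop it entirely
    } else if (EMAIL_RE.test(value)) {
      url.searchParams.set(key, 'redacted'); // email under any other key: mask the value
    }
  }

  // Fragments are not sent to servers by browsers, but gtag reads them from
  // the DOM, so mask emails there as well.
  url.hash = url.hash.replace(emailGlobal(), 'redacted');
  return url.toString();
}

// Returns a copy of a GA4 event parameter object with PHI keys dropped and
// email addresses inside string values masked.
function scrubEventParams(params) {
  const clean = {};
  for (const [key, value] of Object.entries(params)) {
    if (PHI_PARAMS.has(key.toLowerCase())) continue;
    clean[key] = typeof value === 'string'
      ? value.replace(emailGlobal(), 'redacted')
      : value;
  }
  return clean;
}

// Assumed wiring (gtag.js config parameters; G-PLACEHOLDER stands in for a
// real measurement ID): report the scrubbed URL instead of
// window.location.href, and pass every custom event through scrubEventParams.
//
//   gtag('config', 'G-PLACEHOLDER', {
//     page_location: scrubUrl(window.location.href),
//   });
//   gtag('event', 'appointment_form_submit', scrubEventParams(formParams));

// Constructed sample input for a stand-alone run outside a browser.
if (typeof window === 'undefined') {
  console.log(scrubUrl(
    'https://example.test/providers/search/?specialty=oncology&email=jane%40example.test&utm_source=news'
  ));
  console.log(scrubEventParams({
    event_category: 'form',
    email: 'a@b.co',
    message: 'contact me at jane@example.test please',
    value: 3,
  }));
}
```

The scrubber is deliberately an allow-nothing-by-default design for the keys you name and a pattern match for emails anywhere else; it does not try to recognize every form PHI can take, which is why the page's first two paths (a compliant platform, or a governance layer in front of GA4) remain the options that also cover the IP address.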

What Path is Best for My Organization?

This is the ultimate question, and it requires deep thought, conversation, and communication across stakeholders (legal, privacy, marketing, analytics, etc.) to reach a decision that is in the organization's overall best interest. There is no “one size fits all” solution here.

That being said, I'll leave you with a few more considerations to keep in mind:

  1. What are your actual requirements?
    • Stay on GA4, but stop sending the IP address to Google Analytics?
    • Get a signed BAA in place for your analytics tooling?
    • Break away from using any tracking code made by Google?
  2. Costs Will Likely Increase
    • If you have been using the free version of Google Analytics and plan on putting new tooling in place, there will be costs.
  3. You Must Now Consider Hosting
    • If you will be migrating to an alternative platform, you will have to decide between cloud and on-premise
    • On-premise: Do you have the expertise to stand up and manage servers?
    • Cloud: BAA Considerations
  4. Don't Forget about Tag Management
    • Will you remain on or migrate away from Google Tag Manager?
  5. Don't Forget about Other Tracking Technology on the Website
    • How will you handle all of your other website tracking and marketing tagging? (Ad pixels, heatmapping, etc.)

Can We Help?

We have been helping many organizations work through the analytics side of this challenge. If you could use more assistance to reach the best decision for your organization, please reach out to data@morevisibility.com.


