HIPAA Non-Compliance in Website Analytics


Mastering HIPAA Website Compliance

hipaadigital.com

HIPAA Non-Compliance in Website Analytics is now a Priority for OCR

Alexander Bentley-Sutherland

On March 18th 2024, OCR updated its guidance on the use of tracking technologies.

Many healthcare practitioners overlook a critical aspect of HIPAA compliance: analytics tracking on their websites. And as of 18th March 2024, it's time to get serious about the tracking software and plugins on your site.

Despite the good intentions of healthcare business owners, using analytics tools like Google Analytics or Adobe Analytics, or various plugins on platforms such as WIX, WordPress or GoDaddy, can inadvertently lead to non-compliance if not handled correctly.

It's important not to assume that your current developer or marketing contractors have ensured compliance in this area, especially if they haven't signed a Business Associate Agreement with you.

"But my website doesn't collect PHI"

Often, we hear claims that "my website does not specifically collect PHI or ePHI", which is always worrying, because it's simply the business owner deciding what is, and what is not, ePHI.

Alexander Bentley-Sutherland, HIPAA Digital™ - HIPAA Compliant IT Systems, Websites & Cyber Security

Healthcare Website Compliance

HIPAA Digital Full Suite of Products to Make Your Website HIPAA Compliant: HIPAA Website, HIPAA Emails, HIPAA WordPress, HIPAA Marketing, HIPAA Hosting, HIPAA Analytics Business Associate Agreement, HIPAA SEO


For example:

The analytics and server logs relating to a relative searching a website to find visiting times are obviously not ePHI, nor would be those of a user searching for a job.

Yet, by the same definition, it's abundantly clear from HHS guidance that in some cases analytics and server logs will constitute ePHI. For example, a potential patient searching for information on specific medical conditions or treatments on a healthcare provider's website could easily generate ePHI if you know where to look, especially if this user visits the same page multiple times, leaving no doubt about their intentions.

So, unless you're using very sophisticated page analytics segmentation silos on your website and can tell the intention of a website visitor 100% of the time, you now have a risk that needs to be mitigated.


What does the most popular analytics software have to say?

Let's take a look at what Google Analytics has to say about whether its data constitutes ePHI:

Google won't sign a Business Associate Agreement for the use of Google Analytics.

You must strip all PII/PHI from data before sending it to GA4.

Google uses all data within its systems to develop new services, improve existing offerings, and create personalized advertising experiences, which is a breach of HIPAA's Privacy Rule.

Google stores all tracked data in databases located around the world and offers neither on-premise hosting nor bespoke data residency services.

Covered entities cannot control where their patient data is stored, which is a HIPAA breach of accountability.

Google Tag Manager’s use policy obliges you to respect Google Analytics’ terms of service and not share any personally identifiable information (PII) with Google.


The Solution

Make sure that any PHI collected on your site is visible only to authorized personnel. It's important to educate them on the significance of maintaining the confidentiality of PHI and the potential consequences of violating HIPAA regulations.

Consider collecting less analytics data to minimize the risk of PHI exposure. For example:

Don't set PHI like an email address, device ID or phone number as a user ID or custom dimension. Instead, use a hashed version of these identifiers.

Mask visitors' IP addresses to two bytes. This will limit the location data to the country level and make the IP address incomplete. HIPAA considers sub-state location data and IP addresses to be PHI.

Limit PHI sent in page URLs. Sometimes URLs contain data like a doctor's visit, date of visit, name of illness or other PHI that may be visible to unauthorized personnel.


Ensure that patient information is not included in your tracking URLs.

Make use of IP anonymization and ID masking tools, so that all user IDs are masked irreversibly and GA and other analytics tools never have access to the underlying data.

Remove personally identifiable information (PII) from user-entered data in your form fields before sending it to Google Analytics. This could require a review of your URL structure and data collection forms to remove or obfuscate any fields that may contain PHI.

Adjust your Google Analytics account settings to disable data sharing with other Google services.

Google Analytics has settings that control how long user and event data are stored. Limiting this period can help maintain HIPAA compliance.

How HIPAA Digital can help

Switching the management of your website over to HIPAA Digital is easy and remarkably cost-effective. We sign a Business Associate Agreement and switch your existing website over to our systems and HIPAA Compliant Hosting.


And with our Analytics add-on at just $39 p/m you get the peace of mind that your analytics are compliant, including:

ePHI Configuration of Analytics

First Party Data Protocols

Access Controls

Visitors’ IP Address Security

Server Log Compliance

IP anonymization and ID masking

Disabled data sharing

Regular Privacy and Security audits

Safe Tag Management System

Pixel Cleansing & Management

Alternatively:

Consider what you actually use your analytics for. If it's simply to see how many visitors you get and from what locations, ask yourself how many times you've used this to make actionable business decisions. If the answer is never, then do you really need analytics, given the hassle that's about to come with it?


With that said, you'll still need to pay attention to the server-side and plugin visitor logs that are set by default.

Key Takeaways

Assuming that a website doesn't collect PHI will lead to a false sense of security.

The Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) are the ultimate authorities when it comes to determining HIPAA compliance. Their interpretations and enforcement actions are what truly matter, not just a business owner's opinion or assessment of what constitutes PHI.

This is now an enforcement priority for OCR, and the best time to look at this is now. Healthcare practitioners need to understand what information is being collected by analytics software and plugins, whether it is covered by HIPAA, and then act based on that analysis.
