Many online patient portals use Google Analytics to track user engagement. Integrating this widely used website analytics service on healthcare websites gives providers valuable insight into how patients use their sites. The goal goes beyond optimizing site performance: with patients expecting better healthcare experiences, an analytics tool helps providers build telehealth services tailored to modern patient needs.
Before integrating Google Analytics, you must determine whether it complies with HIPAA guidelines. After all, you will use it on patient portals and healthcare websites, where the risk of breaches and unauthorized disclosures of sensitive patient details is higher.
To answer the question “Is Google Analytics HIPAA compliant?” you must consider several factors, discussed in the sections below.
HHS Guidelines on Online Tracking and HIPAA Compliance
In 2022, the Office for Civil Rights at the US Department of Health and Human Services (HHS) issued a bulletin on the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates. If your healthcare organization or its business associates use Google Analytics on websites and mobile apps, you should check whether doing so could break HIPAA rules.
Online tracking technologies, which collect and analyze user data on websites and mobile apps, risk exposing protected health information (PHI) to unauthorized persons who may misuse it. The HHS therefore warns that tracking technologies such as cookies, web beacons, tracking pixels, and session replay scripts must not lead to impermissible disclosures of PHI. As the HHS puts it, “tracking information could be misused to promote misinformation, identity theft, stalking, and harassment.”
The HHS bulletin emphasizes that such data may only be used and handled according to HIPAA rules. If your organization uses online tracking, it must comply with HIPAA, or it risks legal penalties and fines.
Is Google Analytics HIPAA Compliant?
Google Analytics is not HIPAA-compliant. As the Google Help Center article “HIPAA and Google Analytics” shows, the analytics service itself does not claim to satisfy HIPAA requirements. Nor does Google offer a Business Associate Agreement (BAA) for the service, the contract HIPAA requires between a covered entity and a vendor that handles PHI on its behalf.
Here’s what Google says about this issue:
Customers must refrain from using Google Analytics in any way that may create obligations under HIPAA for Google. HIPAA-regulated entities using Google Analytics must refrain from exposing to Google any data that may be considered Protected Health Information (PHI), even if not expressly described as PII in Google’s contracts and policies. Google makes no representations that Google Analytics satisfies HIPAA requirements and does not offer Business Associate Agreements in connection with this service.
Google Analytics collects and stores whatever the tagged page sends it, which can include PHI. If a privacy breach occurs because of Google Analytics, the HHS may hold your organization and its business associates accountable.
Configuring Google Analytics for HIPAA Compliance
If you want to ensure Google Analytics compliance, follow these tips:
Avoid HIPAA-covered pages
Don’t use Google Analytics on pages that are HIPAA-covered. Examples include:
- Patient portals
- Healthcare service portals for appointment scheduling, prescription refills, diagnostic test results, etc.
- Telehealth platforms
- Any pages that contain electronic PHI (ePHI)
Avoid Sending PHI and PII
Refrain from exposing PHI and personally identifiable information (PII) to Google Analytics. Google lists several items it considers PII in its contracts and policies. However, while PHI and what Google considers PII overlap, they are not the same. For example, medical record numbers are PHI even though Google’s PII definition does not list them. Remain vigilant about every value you send, including those Google does not expressly describe as PII.
Moreover, follow Google’s “Best Practices to Avoid Sending Personally Identifiable Information (PII)” for Google Analytics. Remove PII that users enter into search boxes and form fields before it reaches the tag. When collecting geolocation information, steer clear of GPS or other fine-grained location data that can identify individuals. If you use AdSense, you can find further tips on Google AdSense Help.
Only collect essential data
To keep Google Analytics use compliant, collect only essential data about user interactions and website traffic. Avoid unnecessary data that qualifies as PHI, such as IP addresses, patient names, and medical record details.
Google notes that the basic Analytics page tag collects the URL and title of each viewed page, and PII can end up in both. You can configure the service to redact data and strip email addresses, and you can add code that rewrites the page URL or page title before it is sent, since either may inadvertently carry PII.
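The following is an added example, not code from the article or from Google. It puts the advice of the last few sections into one client-side script: it refuses to tag paths that are assumed to be HIPAA-covered (patient portal, telehealth, appointments, results), scrubs search-box and form-field values, record identifiers, e-mail addresses and the fragment out of the page URL, scrubs the page title, and only then hands the cleaned values to the GA4 tag through the standard page_location and page_title config fields. The list of sensitive query parameters, the covered path prefixes, the /patients/<id> path pattern, the REDACTED placeholder and the G-XXXXXXXXXX measurement id are all illustrative assumptions.

```javascript
// Added example (not from the article or from Google): scrub the page URL and
// title before they reach the Google Analytics tag, and do not tag covered pages.
// The parameter names, path patterns and prefixes below are illustrative
// assumptions; a real deployment would derive them from its own site map.

const PLACEHOLDER = "REDACTED";

// Query parameters assumed to carry search-box or form-field input or identifiers.
const SENSITIVE_PARAMS = new Set(["q", "search", "email", "name", "mrn", "dob", "phone"]);

// Path prefixes assumed to serve HIPAA-covered content that must not be tagged at all.
const COVERED_PREFIXES = ["/portal/", "/telehealth/", "/appointments/", "/results/"];

// Path segments such as /patients/<id>/ that embed a record identifier (assumed layout).
const RECORD_PATH_RE = /\/(patients?|records?)\/[^/?#]+/gi;

// Non-global form for .test() (stateless), global form for .replace().
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const EMAIL_RE_G = new RegExp(EMAIL_RE.source, "g");

// True when the path belongs to a page that should not carry the analytics tag.
function isCoveredPath(pathname) {
  return COVERED_PREFIXES.some((prefix) => pathname.startsWith(prefix));
}

// Return a copy of the URL with sensitive query values, record ids in the path,
// e-mail addresses and the fragment removed. Everything else (for example
// utm_* campaign parameters) is kept so traffic reporting still works.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const [key, value] of Array.from(url.searchParams.entries())) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.set(key, PLACEHOLDER);
    }
  }
  url.hash = ""; // fragments often hold in-page state such as a selected record
  url.pathname = url.pathname.replace(RECORD_PATH_RE, `/$1/${PLACEHOLDER}`);
  return url.toString().replace(EMAIL_RE_G, PLACEHOLDER);
}

// Titles are set by the application, so an e-mail address can leak into them too.
function scrubTitle(title) {
  return title.replace(EMAIL_RE_G, PLACEHOLDER);
}

// Build the GA4 config for the current page, or return null when the page is
// covered and must not be tagged. Assumes the gtag.js snippet defines
// window.gtag; page_location and page_title are the gtag config fields being
// overridden, and allow_google_signals turns off cross-site advertising features.
function configureAnalytics(measurementId, pathname, href, title) {
  if (isCoveredPath(pathname)) return null;
  const config = {
    page_location: scrubUrl(href),
    page_title: scrubTitle(title),
    allow_google_signals: false,
  };
  if (typeof window !== "undefined" && typeof window.gtag === "function") {
    window.gtag("config", measurementId, config);
  }
  return config;
}

// Browser entry point; the measurement id is a placeholder.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  configureAnalytics("G-XXXXXXXXXX", window.location.pathname, window.location.href, document.title);
}
```

Load this script after the gtag.js snippet but instead of the snippet's own gtag("config", ...) call, so the tag only ever receives the scrubbed values. The scrubber is deliberately an allow-nothing-sensitive filter layered under the page-level rule: even if a covered page is tagged by mistake, identifiers in the URL are still replaced before they leave the browser.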
Use Google Tag Manager (GTM)
Google Tag Manager lets you manage tags and tracking codes across the website without editing each page by hand. With it, you control which tags fire on which pages and what they send, so you can track visitor activity without passing PII directly to the analytics platform.
Follow Best Practices for HIPAA-Compliant Tracking in Healthcare
Striking a balance between using analytics tools and following HIPAA guidelines is necessary. When weighing Google Analytics against HIPAA compliance, focus on user-experience metrics, avoid collecting sensitive information, and encrypt and store data securely. You can also explore alternative, HIPAA-compliant tracking tools.
Online tracking always carries some risk, and third-party scripts can introduce security problems. However, you can protect website visitors’ privacy with strong security measures and HIPAA-compliant data handling practices.