HIPAA considerations for Google Analytics and Alternatives

PII and data thresholding

It is explicitly against the Google Analytics terms and conditions to supply Google with personally identifiable information (PII). For example, neither unhashed usernames nor email addresses may be used as User IDs or supplied as custom dimensions.

When exploring Google Analytics 4 with Google Signals turned on (to allow inclusion of demographic data and other audience functionality), you may see "Thresholding applied" warnings on certain reports. Thresholding is intended to prevent anyone from narrowing a report so far that individual users could be identified from their characteristics or behavior.

Google Analytics has applied thresholding to one or more cards in this report and will only display the data in the cards when the data meets the minimum aggregation thresholds.

It is not possible to adjust the set thresholds, though the warning may disappear if you specify a longer time period for which the user counts are larger.

Thresholding does not apply to data exported to BigQuery, but GA4 does not export Google Signals data (e.g. demographic data) to BigQuery.

HIPAA compliance for web analytics

Here are a few excerpts from the Google Analytics documentation.

Customers must refrain from using Google Analytics in any way that may create obligations under HIPAA for Google. HIPAA-regulated entities using Google Analytics must refrain from exposing to Google any data that may be considered Protected Health Information (PHI), even if not expressly described as PII in Google’s contracts and policies. Google makes no representations that Google Analytics satisfies HIPAA requirements and does not offer Business Associate Agreements in connection with this service.

Customers who are subject to HIPAA must not use Google Analytics in any way that implicates Google’s access to, or collection of, PHI, and may only use Google Analytics on pages that are not HIPAA-covered.

Unauthenticated pages that are related to the provision of health care services, including as described in the HHS bulletin, are more likely to be HIPAA-covered, and customers should not set Google Analytics tags on HIPAA-covered pages.

Business Associate Agreements

Analytics platforms that are willing to sign a Business Associate Agreement (BAA) include

Self-hosted analytics platforms such as Matomo do not require a BAA because the vendor never sees your data; it stays on your own server.

Server-side testing and HIPAA

It is possible to be HIPAA compliant and perform either server-side or client-side testing.

Platforms like VWO provide client-side testing including the full range of easy setup A/B and split URL tests, and are willing to negotiate a BAA.

Purely server-side testing technology may not require a BAA because the data is not sent to a third party and stays on your own server. Verify your own data flows, though, to confirm that nothing is forwarded to an external service.

Session recording and testing are often performed together. If this is the case, ensure that all sensitive data—name, email, address, card details, etc.—are obfuscated in analytics and recording.
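As an added example (not code from the original article or from any analytics vendor), the function below scrubs an event payload before it is handed to an analytics or session-recording SDK: known sensitive field names are blanked outright, and free-text values are scanned for email addresses and Luhn-valid card numbers. The field list, the regular expressions and the sample event are constructed for this example; `redactEvent`, `redactString` and `luhnValid` are hypothetical names.

```javascript
// Added example (not from the original article): scrub an analytics event
// payload before it reaches a third-party analytics or session-recording
// script, so names, emails, addresses and card details never leave the page.

// Field names your own forms use for sensitive data; maintain this list
// alongside the forms themselves (constructed list for this example).
const SENSITIVE_KEYS = new Set([
  'name', 'first_name', 'last_name', 'customer_name', 'email', 'address',
  'street', 'phone', 'card_number', 'cvv', 'ssn', 'dob',
]);

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// 13-19 digits, optionally separated by single spaces or dashes.
const DIGIT_RUN_RE = /\b\d(?:[ -]?\d){12,18}\b/;

// The Luhn check separates a card number from other long digit strings
// (order numbers, timestamps) so free text is not over-redacted.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Mask anything that looks like an email address or a Luhn-valid card
// number inside a free-text value.
function redactString(value) {
  let out = value.replace(EMAIL_RE, '[redacted-email]');
  const m = out.match(DIGIT_RUN_RE);
  if (m && luhnValid(m[0].replace(/[ -]/g, ''))) {
    out = out.replace(m[0], '[redacted-card]');
  }
  return out;
}

// Returns a new object; the original payload is left untouched. Nested
// objects are scrubbed recursively.
function redactEvent(params) {
  const out = {};
  for (const [key, value] of Object.entries(params)) {
    if (SENSITIVE_KEYS.has(key.toLowerCase())) {
      out[key] = '[redacted]';
    } else if (typeof value === 'string') {
      out[key] = redactString(value);
    } else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      out[key] = redactEvent(value);
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Constructed sample event, shaped like what a form-submit handler might
// build before calling gtag('event', ...) or a recording SDK.
const SAMPLE_EVENT = {
  event: 'form_submit',
  page_path: '/book-appointment',
  form_id: 'appt-42',
  customer_name: 'Jane Doe',
  notes: 'call jane@example.com, card 4111 1111 1111 1111 on file',
  order_ref: '20240101123456',
  meta: { email: 'jane@example.com', locale: 'en-GB' },
};
```

Run the scrubber as the last step before the vendor call, i.e. `sdk.track(redactEvent(payload))`. Most recording tools also offer element-level masking of form fields in the DOM; a payload scrubber like this one complements that masking rather than replacing it, since it only sees what your own code puts into the event.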

Even when testing and analysis are 100% server-side, some US legislation still requires notification and consent to data collection and usage.

You may also need to do the following to ensure your data is fully secure and your organization is compliant with relevant legislation:

  • Map out where data is stored, who it is transferred to and from, where it goes, and how it will be used.
  • Document the risks in the event of a breach.
  • Document the actions that will need to be taken in the event of a breach.

Legal requirements to notify users of a breach and take remedial action vary by nation and state.

This process is obviously much less complicated if all the data stays on your server. The recent costly and hugely disruptive hack that left large amounts of patient health data belonging to the UK’s National Health Service exposed did not happen on an NHS-owned platform but rather on that of a contractor providing blood testing services.

HIPAA deidentification

If data is not considered protected health information (PHI) under HIPAA, either because it has been de-identified under the Safe Harbor provision or by Expert Determination, then HIPAA compliance is not an issue.

We can help

If you have questions about Google Analytics, other analytics platforms, or HIPAA, especially questions about how these interact with each other, we can help.
