CLSI EP12-A<\/strong> (2002) (qualitative test performance protocol) says the evaluator should consult a statistician to determine the number of specimens needed to meet acceptable statistical variation.<\/p>\n CLSI EP17-A2<\/strong> (Evaluation of Detection Capability for Clinical Laboratory Measurement Procedures) notes that consulting a statistician may be helpful when selecting an appropriate model and fit criteria for the analysis<\/p>\n CLSI EP24-A2<\/strong> (2011) (diagnostic accuracy \/ ROC curves) has a section titled \u201cConsult a Statistician\u201d for when study conditions are complex.<\/p>\n NCCLS C28-A2<\/strong> (2000) (reference intervals) says when comparing more than two subclasses, the aid of a statistical consultant should be sought.<\/p>\n NCCLS EP5-A<\/strong> (1999) (precision performance) suggests that a statistician be consulted for appropriate experimental designs.<\/p>\n NCCLS EP5-A2<\/strong> (2004) (precision performance, 2nd ed.) similarly states a statistician should be consulted for experimental designs.<\/p>\n NCCLS EP6-A<\/strong> (2003) (linearity) notes that certain approaches (eg, weighted regression) may require the assistance of a statistician.<\/p>\n NCCLS EP10-A2<\/strong> (2002) (preliminary evaluation) says one solution is to contact a statistician to develop a different design.<\/p>\n NCCLS GP10-A<\/strong> (1995) \u2013 has an explicit \u201cConsult a Statistician\u201d section and also says advance consultation with a statistician is recommended for study planning.<\/p>\n If you would like professional statistical assistance, call or email to schedule a free initial consultation.<\/p>\n LET’S TALK<\/a><\/p>\n Trusted consultants to some of the world’s leading companies<\/p>\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" Here are t0 instances in which the Clinical and Laboratory Standards Institute (CLSI) suggests consulting with a statistician. CLSI EP05-A3 (2014) (precision of quantitative measurement procedures) suggests consulting a statistician for unbalanced ANOVA \/ alternative data-analysis approaches. CLSI EP12-A (2002) (qualitative test performance protocol) says the evaluator should consult a statistician to determine the number […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-with-simple-sidebar.php","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-246869","page","type-page","status-publish","hentry"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/246869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/comments?post=246869"}],"version-history":[{"count":0,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/246869\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/media?parent=246869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}},{"id":246870,"date":"2026-02-23T18:44:46","date_gmt":"2026-02-24T00:44:46","guid":{"rendered":"https:\/\/www.johndcook.com\/blog\/?page_id=246870"},"modified":"2026-02-23T18:44:46","modified_gmt":"2026-02-24T00:44:46","slug":"astm-statistics","status":"publish","type":"page","link":"https:\/\/www.johndcook.com\/blog\/astm-statistics\/","title":{"rendered":"ASTM International and Statistics"},"content":{"rendered":" Here are 10 instances in which the ASTM recommends consulting a statistician.<\/p>\n ASTM D6299<\/strong> (statistical QC\/control charting for analytical measurement systems) notes that for non-Gaussian processes, users should consult a statistician about appropriate transformations\/approaches.<\/p>\n ASTM D6617<\/strong> (laboratory bias detection using a single test result from a standard material) advises users applying the concepts to consult a statistician (and reference related methodology).<\/p>\n ASTM D7366-08(2019)<\/strong> (estimating measurement uncertainty for regression-based methods) explicitly says a statistician should be consulted (e.g., selecting regression software; considering data transformations).<\/p>\n ASTM E178-21<\/strong> (dealing with outlying observations) includes a note that in situations like non-Gaussian behavior, users should consult a statistician for guidance.<\/p>\n ASTM E691<\/strong> (Interlaboratory studies to determine precision) notes that for certain discontinuous\/categorical measurements a statistician should be consulted.<\/p>\n ASTM D1749<\/strong> (Interlaboratory evaluation of test methods used with paper\/paper products) says the task group chair should consult with a statistician during planning and analysis\/interpretation.<\/p>\n ASTM D2904<\/strong> (Interlaboratory testing of a textile test method with normally distributed data) says ILS work should be done after consultation with statisticians experienced in design\/analysis of experiments, and also calls for qualified statistical help for distribution\/normality\/transformations.<\/p>\n ASTM D6300<\/strong> (Determination of precision and bias data for petroleum products\/liquid fuels\/lubricants) says when heterogeneity creates sampling problems,\u00a0 one should consult a trained statistician.<\/p>\n ASTM E2696<\/strong> (Life and reliability testing based on the exponential distribution) says when methodology\/procedure choice needs clarification, the user should consult a qualified mathematical statistician.<\/p>\n ASTM C1215<\/strong> (Preparing\/interpreting precision & bias statements) advises that, since many analysts lack formal statistical training, a trained statistician be consulted if clarification is needed.<\/p>\n If you would like professional statistical assistance, call or email to schedule a free initial consultation.<\/p>\n LET’S TALK<\/a><\/p>\n Trusted consultants to some of the world’s leading companies<\/p>\n\n Here are 10 instances in which the ASTM recommends consulting a statistician. ASTM D6299 (statistical QC\/control charting for analytical measurement systems) notes that for non-Gaussian processes, users should consult a statistician about appropriate transformations\/approaches. ASTM D6617 (laboratory bias detection using a single test result from a standard material) advises users applying the concepts to consult […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-with-simple-sidebar.php","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-246870","page","type-page","status-publish","hentry"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/246870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/comments?post=246870"}],"version-history":[{"count":0,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/246870\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/media?parent=246870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}},{"id":246867,"date":"2026-02-23T17:54:30","date_gmt":"2026-02-23T23:54:30","guid":{"rendered":"https:\/\/www.johndcook.com\/blog\/?page_id=246867"},"modified":"2026-02-23T17:54:30","modified_gmt":"2026-02-23T23:54:30","slug":"psqia","status":"publish","type":"page","link":"https:\/\/www.johndcook.com\/blog\/psqia\/","title":{"rendered":"Patient Safety and Quality Improvement Act (PSQIA) Expert Determination"},"content":{"rendered":" A PSWP is basically any patient-safety info\u2014data, reports, notes, memos, analyses, etc.\u2014created for and shared with a Patient Safety Organization (PSO), or generated as part of a provider\u2019s internal PSES deliberations and review (including the fact something was reported).<\/p>\n A PSWP is generally confidential, but there\u2019s an explicit exception allowing disclosure of nonidentifiable PSWP if it meets the 42 C.F.R. \u00a7 3.212 nonidentification standard.<\/p>\n As with HIPAA, the PSQIA Safe Harbor provision may require removing valuable information from the work product, information that could be retained if the Expert Determination standard is met. This would allow sharing de-identified lessons learned from RCAs\/near misses across a health system, with a multi-provider collaborative, in educational materials, or in a presentation, without exposing the specific provider or reporter.<\/p>\n The Patient Safety and Quality Improvement Act (PSQIA) says in 42 C.F.R. \u00a7 3.212 that a patient safety work product (PSWP) is nonidentifiable as to a particular provider or reporter if one of two things happens.<\/p>\n Under the Expert Determination method<\/strong>, a qualified person using generally accepted statistical\/scientific methods determines the risk is very small that an anticipated recipient could identify the provider\/reporter (alone or with other reasonably available info), or if specified identifiers are removed in a sort of Safe Harbor provision<\/strong>. In this way the PSQIA statute is analogous to the HIPAA Privacy statute<\/a>.<\/p>\n To explore Expert Determination, call or email to schedule a free initial consultation.<\/p>\n LET’S TALK<\/a><\/p>\n Trusted consultants to some of the world’s leading companies<\/p>\n\n What is a Patient Safety Work Product (PSWP)? A PSWP is basically any patient-safety info\u2014data, reports, notes, memos, analyses, etc.\u2014created for and shared with a Patient Safety Organization (PSO), or generated as part of a provider\u2019s internal PSES deliberations and review (including the fact something was reported). Why deidentify a PSWP? A PSWP is generally […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-with-simple-sidebar.php","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-246867","page","type-page","status-publish","hentry"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/246867","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/comments?post=246867"}],"version-history":[{"count":0,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/246867\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/media?parent=246867"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}},{"id":246336,"date":"2025-07-22T17:28:28","date_gmt":"2025-07-22T22:28:28","guid":{"rendered":"https:\/\/www.johndcook.com\/blog\/?page_id=246336"},"modified":"2026-02-22T13:31:02","modified_gmt":"2026-02-22T19:31:02","slug":"crypto","status":"publish","type":"page","link":"https:\/\/www.johndcook.com\/blog\/crypto\/","title":{"rendered":"Blockchains and Cryptocurrency"},"content":{"rendered":" Here are some blog posts on the inner workings of blockchains and cryptocurrency.<\/p>\n If your company needs expertise in blockchains and cryptocurrency, let’s talk. LET’S TALK<\/a><\/p>\n Trusted consultants to some of the world’s leading companies<\/p>\n\n Here are some blog posts on the inner workings of blockchains and cryptocurrency. Addresses and wallets Monero stealth addresses Monero subaddresses Vanity addresses Ethereum address checksum algorithm Base58 and Bitcoin addresses What’s in your wallet? Recovering an out-of-order seed phrase Probability of typing a wrong Bitcoin address Zero knowledge proofs Elliptic curves used in zero-knowledge […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-with-simple-sidebar.php","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-246336","page","type-page","status-publish","hentry"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/246336","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/comments?post=246336"}],"version-history":[{"count":0,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/246336\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/media?parent=246336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}},{"id":245816,"date":"2024-11-08T20:07:17","date_gmt":"2024-11-09T02:07:17","guid":{"rendered":"https:\/\/www.johndcook.com\/blog\/?page_id=245816"},"modified":"2024-11-12T20:27:06","modified_gmt":"2024-11-13T02:27:06","slug":"real-world-data","status":"publish","type":"page","link":"https:\/\/www.johndcook.com\/blog\/real-world-data\/","title":{"rendered":"Real World Data"},"content":{"rendered":" The term Real World Data<\/strong> is a technical term and is more specific than it sounds. A less catchy but more informative term would be non-clinical trial health data. That is, “real world” contrasts with clinical trials. Not that clinical trials take place in a fictional world, but they do take place in a more restrictive environment than most health care.<\/p>\n Real World Data would include things like electronic health records<\/strong> (EHR<\/strong>) and insurance claims data<\/strong>, data generated from the ordinary course of medical treatment rather than in a controlled scientific study.<\/p>\n Data from randomized controlled trials<\/strong> (RCTs<\/strong>) is great when you can get it. Researchers try to minimize confounding effects and isolate the thing being studied. But maybe nobody has done an RCT to study what you’re interested in. There’s a lot<\/em> more data out there in the form of claims data than data from RCTs.<\/p>\n Real World Data may even be better than RCT data. In order to conduct an RCT, researchers create a necessarily artificial environment. Patients may be more compliant, for example, while participating in a clinical trial than they would be if they have to pick up their prescriptions from a pharmacy.<\/p>\n Real World Data is typically covered under HIPAA, and so you may need an expert determination<\/strong><\/a> in order to use the data. We help clients with this routinely. If you need a HIPAA expert determination, you can contact us<\/a> to set up a free consultation to discuss your needs. We have helped many companies, large and small, to comply with the HIPAA Privacy Rule via expert determination.<\/p>\n Sometimes data does not need an expert determination because it is covered under HIPAA’s Safe Harbor provision<\/a>. However, the restrictions of Safe Harbor are typically too restrictive to make the use of real world data practical. Aside from the 18 explicit rules for Safe Harbor, there is an implicit requirement, informally known as the 19th rule<\/a>, that can be subtle.<\/p>\n The use of real world data involves statistical and legal issues. We are statisticians, not lawyers, but we routinely work with lawyers. We can work with your counsel, or suggest a health care\/privacy attorney that you may want to work with.<\/p>\n","protected":false},"excerpt":{"rendered":" The term Real World Data is a technical term and is more specific than it sounds. A less catchy but more informative term would be non-clinical trial health data. That is, “real world” contrasts with clinical trials. Not that clinical trials take place in a fictional world, but they do take place in a more […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-with-simple-sidebar.php","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-245816","page","type-page","status-publish","hentry"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/245816","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/comments?post=245816"}],"version-history":[{"count":0,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/245816\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/media?parent=245816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}},{"id":245811,"date":"2024-11-08T19:22:42","date_gmt":"2024-11-09T01:22:42","guid":{"rendered":"https:\/\/www.johndcook.com\/blog\/?page_id=245811"},"modified":"2024-11-12T20:28:18","modified_gmt":"2024-11-13T02:28:18","slug":"ftc-hbnr","status":"publish","type":"page","link":"https:\/\/www.johndcook.com\/blog\/ftc-hbnr\/","title":{"rendered":"Federal Trade Commission Health Breach Notification Rule"},"content":{"rendered":" The Federal Trade Commission (FTC) Health Breach Notification Rule (HBNR) requires vendors of public health records (PHR) to notify data subjects, the FTC, and “prominent media outlets” within 60 days of discovering a breach of security involving PHR.<\/p>\n In April of 2024 the FTC clarified that the rule also extends to entities that are not covered by HIPAA. In other words, not being a HIPAA covered entity does not mean that you’re exempt from breach notification requirements.<\/p>\n You can find the text of the rule here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" The Federal Trade Commission (FTC) Health Breach Notification Rule (HBNR) requires vendors of public health records (PHR) to notify data subjects, the FTC, and “prominent media outlets” within 60 days of discovering a breach of security involving PHR. In April of 2024 the FTC clarified that the rule also extends to entities that are not […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-with-simple-sidebar.php","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-245811","page","type-page","status-publish","hentry"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/245811","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/comments?post=245811"}],"version-history":[{"count":0,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/245811\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/media?parent=245811"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}},{"id":245810,"date":"2024-11-08T18:29:58","date_gmt":"2024-11-09T00:29:58","guid":{"rendered":"https:\/\/www.johndcook.com\/blog\/?page_id=245810"},"modified":"2024-11-08T18:29:58","modified_gmt":"2024-11-09T00:29:58","slug":"real-and-complex-fourier","status":"publish","type":"page","link":"https:\/\/www.johndcook.com\/blog\/real-and-complex-fourier\/","title":{"rendered":"Convert between real and complex Fourier series"},"content":{"rendered":" Let f<\/em> be a function with period 2L<\/em>. To convert between the Fourier series<\/p>\n in terms of complex exponentials and the Fourier series<\/p>\n in terms of sines and cosines, the conversions are as follows.<\/p>\n Let f be a function with period 2L. To convert between the Fourier series in terms of complex exponentials and the Fourier series in terms of sines and cosines, the conversions are as follows.<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-sidebar.php","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-245810","page","type-page","status-publish","hentry"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/245810","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/comments?post=245810"}],"version-history":[{"count":0,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/245810\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/media?parent=245810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}},{"id":245617,"date":"2024-07-12T17:16:48","date_gmt":"2024-07-12T22:16:48","guid":{"rendered":"https:\/\/www.johndcook.com\/blog\/?page_id=245617"},"modified":"2024-07-12T17:16:48","modified_gmt":"2024-07-12T22:16:48","slug":"hipaa-and-analytics","status":"publish","type":"page","link":"https:\/\/www.johndcook.com\/blog\/hipaa-and-analytics\/","title":{"rendered":"HIPAA considerations for Google Analytics and Alternatives"},"content":{"rendered":" It is explicitly against Google Analytics terms and conditions to supply Google with personally identifiable information (PII). Fore example, neither unhashed usernames nor email addresses can be used as User IDs or supplied as custom dimensions.<\/p>\n When exploring Google Analytics 4 (and you have Google Signals turned on to allow inclusion of demographic data and other audience functionality) you may see Thresholding applied<\/strong> warnings on certain reports. Thresholding is intended to prevent anyone from narrowing down targeting so much that it becomes possible to identify individual users based on characteristics or behavior.<\/p>\n It is not possible to adjust the set thresholds, though the warning may disappear if you specify a longer time period for which the user counts are larger.<\/p>\n Thresholding doe not apply to data exported to BigQuery, but GA4 does not export data from Google Signals (e.g. demographic data) to BigQuery.<\/p>\n Here are a few excerpts from the Google Analytics documentation<\/a>.<\/p>\n Customers must refrain from using Google Analytics in any way that may create obligations under HIPAA for Google. HIPAA-regulated entities using Google Analytics must refrain from exposing to Google any data that may be considered Protected Health Information (PHI), even if not expressly described as PII in Google\u2019s contracts and policies. Google makes no representations that Google Analytics satisfies HIPAA requirements and does not offer Business Associate Agreements in connection with this service.<\/p>\n \u2026<\/p>\n Customers who are subject to HIPAA must not use Google Analytics in any way that implicates Google\u2019s access to, or collection of, PHI, and may only use Google Analytics on pages that are not HIPAA-covered.<\/p>\n \u2026<\/p>\n Unauthenticated pages that are related to the provision of health care services, including as described in the HHS bulletin, are more likely to be HIPAA-covered, and customers should not set Google Analytics tags on HIPAA-covered pages.<\/p><\/blockquote>\n Analytics platforms that are willing to sign a Business Associate Agreement (BAA) include<\/p>\n Self-hosted analytics platforms such as Matomo<\/a> do not require a BAA because they do not and can not see your data; the data stays on your server.<\/p>\n It is possible to be HIPAA compliant and perform either server-side or client-side testing.<\/p>\n Platforms like VWO<\/a> provide client-side testing including the full range of easy setup A\/B and split URL tests, and are willing to negotiate a BAA.<\/p>\n Purely server-side testing technology may not require a BAA because the data is not sent to a third party and stays on your own server. Check your processes though.<\/p>\n Session recording and testing are often performed together. If this is the case, ensure that all sensitive data\u2014name, email, address, card details, etc.\u2014are obfuscated in analytics and recording.<\/p>\n Even when testing and analysis are 100% server-side, some US legislation still requires notification and consent to data collection and usage.<\/p>\n You may also need to do the following to ensure your data is fully secure and your organization is compliant with relevant legislation:<\/p>\n Legal requirements to notify users of a breach and take remedial action vary by nation and state.<\/p>\n This process is obviously much less complicated if all the data stays on your server. The recent costly and hugely disruptive hack that left large amounts of patient health data belonging to the UK’s National Health Service exposed did not happen on an NHS-owned platform but rather on that of a contractor providing blood testing services.<\/p>\n If data is not considered PII under HIPAA, either due to the Safe Harbor provision<\/a> or Expert Determination<\/a>, then HIPAA compliance is not an issue.<\/p>\n If you have questions about Google Analytics, other analytics platforms, or HIPAA, especially questions about how these interact with each other, we can help.<\/p>\n LET’S TALK<\/a><\/p>\n Trusted consultants to some of the world’s leading companies<\/p>\n\n PII and data thresholding It is explicitly against Google Analytics terms and conditions to supply Google with personally identifiable information (PII). Fore example, neither unhashed usernames nor email addresses can be used as User IDs or supplied as custom dimensions. When exploring Google Analytics 4 (and you have Google Signals turned on to allow inclusion […]<\/p>\n","protected":false},"author":10,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-with-simple-sidebar.php","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-245617","page","type-page","status-publish","hentry"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/245617","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/comments?post=245617"}],"version-history":[{"count":0,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/245617\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/media?parent=245617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}},{"id":245608,"date":"2024-07-12T16:11:50","date_gmt":"2024-07-12T21:11:50","guid":{"rendered":"https:\/\/www.johndcook.com\/blog\/?page_id=245608"},"modified":"2024-07-12T16:16:23","modified_gmt":"2024-07-12T21:16:23","slug":"web-analytics-and-statistical-bias","status":"publish","type":"page","link":"https:\/\/www.johndcook.com\/blog\/web-analytics-and-statistical-bias\/","title":{"rendered":"Web analytics and statistical bias"},"content":{"rendered":" The people who block ads and cookies differ from those who don’t by more than just their aversion to ads and cookies.<\/p>\n Around 30% of users<\/a> actively block ads. Sometimes this also means blocking the JavaScript that drives analytics.<\/p>\n Technologically savvy, privacy-conscious users are more likely to use VPNs, ad blockers, etc. This group may skew younger and higher income. Therefore the missing 30% will not be a random sample from the overall population.<\/p>\n This becomes most important when these tech-informed users are the target audience, both in terms of ad targets and analytics. This could impact analytics to the point where Google Analytics is not helpful in measuring sales, even though may still provide some useful metrics in terms of inbound traffic.<\/p>\n On the other hand, sometimes the target audience is less likely than usual to block ads or cookies, such as large governmental, educational, or corporate organizations that enforce the use of a browser like MS Edge, which does not block third party cookies by default. Another example would be ads aimed at older or lower income users who are less likely to be blocking.<\/p>\n Studies on the percentage of people blocking first or third party cookies deliver wildly variable results, which suggests true figures are not well understood.<\/p>\n This study<\/a> suggests that around 40%-60% of users accept all cookies, 20% reject all the cookies they can, and the remainder reject some cookies and not others.<\/p>\n In the majority of cases using standard cookie walls, first party cookies would be treated as essential and therefore no opt-out needs to be given. The exception would be sites using first party cookies for analytics, which are a small minority.<\/p>\n Firefox, Safari, and Brave block third party cookies by default. That’s probably somewhere around 21% of users<\/a>. No major browsers block first party cookies by default because that can significantly degrade functionality.<\/p>\n Conclusions drawn from biased samples can be misleading.<\/p>\n We can help you mitigate, or at least be aware of, the limitations of biased data. It may be possible to change your testing strategy to reduce bias, or to use statistical techniques to reduce the impact of bias.<\/p>\n Reach out today for help with biased web analytic data.<\/p>\n LET’S TALK<\/a><\/p>\n Trusted consultants to some of the world’s leading companies<\/p>\n\n Sample bias The people who block ads and cookies differ from those who don’t by more than just their aversion to ads and cookies. Around 30% of users actively block ads. Sometimes this also means blocking the JavaScript that drives analytics. Technologically savvy, privacy-conscious users are more likely to use VPNs, ad blockers, etc. This […]<\/p>\n","protected":false},"author":10,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-with-simple-sidebar.php","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-245608","page","type-page","status-publish","hentry"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/245608","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/comments?post=245608"}],"version-history":[{"count":0,"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/pages\/245608\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.johndcook.com\/blog\/wp-json\/wp\/v2\/media?parent=245608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}},{"id":245609,"date":"2024-07-11T19:13:25","date_gmt":"2024-07-12T00:13:25","guid":{"rendered":"https:\/\/www.johndcook.com\/blog\/?page_id=245609"},"modified":"2024-07-29T10:29:05","modified_gmt":"2024-07-29T15:29:05","slug":"client-side-server-side","status":"publish","type":"page","link":"https:\/\/www.johndcook.com\/blog\/client-side-server-side\/","title":{"rendered":"Client-side versus server-side testing"},"content":{"rendered":" There are two different ways to test a page. The most common approach, client-side testing<\/strong>, sends all users the same the page, but then JavaScript running on the client loads changes that alter the page for some users. This has the advantage of being simple to set up.<\/p>\n The other way is server-side testing<\/strong>. With this approach the server sends a variant version of the page to some users directly, and that’s all they load. This approach can be quicker. And it allows for complex, far-reaching ideas to be tested. But it is typically much more complex to set up, and caching can also be impacted.<\/p>\n The following sections go into client-side and server-side testing in a little more detail.<\/p>\n If you’re just changing the color of a button or what’s in a headline, a client-side test is going to be quicker to set up and the results will be just as good.<\/p>\n Here are some scenarios when you might choose to test server-side.<\/p>\n![\"Amazon,](\"https:\/\/www.johndcook.com\/client_logos5.png\")
\n\n","protected":false},"excerpt":{"rendered":"What is a Patient Safety Work Product (PSWP)?<\/h2>\n
Why deidentify a PSWP?<\/h2>\n
What does PSQIA say?<\/h2>\n
Expert determination<\/h2>\n
\n","protected":false},"excerpt":{"rendered":"Addresses and wallets<\/h2>\n
\n
Zero knowledge proofs<\/h2>\n
\n
Proof of work<\/h2>\n
\n
Elliptic curves<\/h2>\n
\n
Quantum computing<\/h2>\n
\n
Miscellaneous<\/h2>\n
\n
\n<\/p>\n","protected":false},"excerpt":{"rendered":"![\"f(x)](\"https:\/\/www.johndcook.com\/crfourier1.svg\")
<\/p>\n![\"{f(x)](\"https:\/\/www.johndcook.com\/crfourier2.svg\")
<\/p>\n![\"\n\\begin{align*}\n](\"https:\/\/www.johndcook.com\/crfourier3.svg\")
<\/p>\n","protected":false},"excerpt":{"rendered":"PII and data thresholding<\/h2>\n
![\"Google](\"https:\/\/www.johndcook.com\/google_thresholding.png\")
<\/p>\nHIPAA compliance for web analytics<\/h2>\n
Business Associate Agreements<\/h2>\n
\n
Server side testing and HIPAA<\/h2>\n
\n
HIPAA deidentification<\/h2>\n
We can help<\/h2>\n
\n","protected":false},"excerpt":{"rendered":"Sample bias<\/h2>\n
Cookie acceptance statistics<\/h2>\n
Statistical help<\/h2>\n
![\"Harry](\"https:\/\/www.johndcook.com\/dewey-defeats-truman.jpg\")
<\/p>\n\n","protected":false},"excerpt":{"rendered":"Client side<\/h2>\n
\n
Server side<\/h2>\n
\n
Client-side advantages<\/h2>\n
Server-side advantages<\/h2>\n
\n