AHA is Pushing Back: Google Analytics 4 & HIPAA Compliance Updates
Earlier this year, we wrote about GA4 and HIPAA Compliance in light of the new guidance from the Department of Health & Human Services (HHS), but if you’ve been wondering what’s been happening since then, we’re providing some updates!
Some healthcare orgs are switching analytics platforms, some are not.
We’ve been keeping our ear to the ground, listening to hear how the healthcare industry is responding to this change to help determine our own approach and advise our clients well.
Some healthcare organizations are deciding to switch platforms or add on to their tech stack to make Google Analytics 4 more secure. Some clear winners right now in the migration include Piwik Pro, a near clone of Google Analytics with GDPR- and HIPAA-compliant options as well as a cookie opt-in system. Another is Freshpaint, a data parser that replaces your Google Analytics 4 code, processes your data in a HIPAA-compliant way, and then sends it on to platforms like GA4 and Meta without passing through any protected health information.
There are special considerations with each platform, including data hosting, additional costs (versus the free GA4) and reworking an organization’s entire analytics and reporting strategy. But both represent good options, especially for organizations with the budget to switch.
Some healthcare organizations are choosing to stay the course with Google Analytics 4, which does not collect or store IP addresses, but does interact with a user’s IP address at the point of collection. These organizations are adopting a wait-and-see approach for now.
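The intermediary pattern the two paragraphs above describe (the browser reports to a relay you control, the relay strips identifiers, and only the scrubbed event is forwarded to the analytics platform) can be sketched as a small event-scrubbing relay. The code below is an added illustration of that pattern, not Freshpaint's, Piwik Pro's or GA4's code; the event field names, the allow-lists, the URL patterns treated as identifier-bearing, and the sample events are all constructed for this example.

```python
"""Illustrative PHI-stripping analytics relay (constructed example, not vendor code)."""
import ipaddress
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Allow-list of query parameters the relay will forward. Everything else
# (mrn=, email=, search terms, appointment ids ...) is dropped. Constructed.
ALLOWED_QUERY_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "utm_content", "utm_term"}

# Event fields the relay copies outbound. client_ip, user_agent, user_id and
# anything else the browser sent never leave the relay. Constructed allow-list.
ALLOWED_EVENT_FIELDS = ("event_name", "page_url", "referrer", "page_title")

# Hypothetical path patterns for this example: an identifier that follows a
# patient/MRN/appointment segment, and any run of six or more digits.
PATH_ID_PATTERN = re.compile(r"/(patients?|mrn|appointments?)/[^/?#]+", re.IGNORECASE)
DIGIT_RUN_PATTERN = re.compile(r"\d{6,}")
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scrub_url(url: str) -> str:
    """Redact identifier-like path segments, keep only allow-listed query
    parameters, and drop the fragment."""
    if not url:
        return ""
    parts = urlsplit(url)
    path = PATH_ID_PATTERN.sub(lambda m: f"/{m.group(1)}/[redacted]", parts.path)
    path = DIGIT_RUN_PATTERN.sub("[redacted]", path)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k in ALLOWED_QUERY_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), ""))


def contains_ip(text: str) -> bool:
    """True if the text holds a syntactically valid IPv4 address."""
    for match in IPV4_CANDIDATE.finditer(text):
        try:
            ipaddress.ip_address(match.group(0))
            return True
        except ValueError:
            continue
    return False


def scrub_event(event: dict) -> dict:
    """Build the outbound event from the allow-listed fields only."""
    clean = {}
    for field in ALLOWED_EVENT_FIELDS:
        value = event.get(field, "")
        if field in ("page_url", "referrer"):
            value = scrub_url(value)
        elif isinstance(value, str):
            value = DIGIT_RUN_PATTERN.sub("[redacted]", value)
        clean[field] = value
    return clean


def relay(events, sink):
    """Scrub each event and hand only clean ones to `sink` (a stand-in for the
    GA4 or Meta client). Fails closed: an event that still carries an IPv4
    address or a long digit run after scrubbing is dropped, not forwarded.
    Returns (forwarded, blocked)."""
    forwarded = blocked = 0
    for event in events:
        clean = scrub_event(event)
        serialized = json.dumps(clean)
        if contains_ip(serialized) or DIGIT_RUN_PATTERN.search(serialized):
            blocked += 1
            continue
        sink(clean)
        forwarded += 1
    return forwarded, blocked


# Constructed sample events; the IPs are from the TEST-NET ranges.
SAMPLE_EVENTS = [
    {"event_name": "page_view",
     "page_url": "https://clinic.example/patients/00123456/results?utm_source=newsletter&mrn=00123456",
     "referrer": "https://search.example/?q=oncology",
     "client_ip": "203.0.113.7", "user_agent": "Mozilla/5.0 (constructed)"},
    {"event_name": "page_view",
     "page_url": "https://clinic.example/services/cardiology?utm_campaign=spring",
     "referrer": "", "client_ip": "198.51.100.9"},
    {"event_name": "page_view",
     "page_url": "https://clinic.example/appointments/A-98765?utm_medium=email",
     "referrer": "http://10.0.0.5/portal", "client_ip": "192.0.2.44"},
]

if __name__ == "__main__":
    sent = []
    print(relay(SAMPLE_EVENTS, sent.append))
    for item in sent:
        print(json.dumps(item))
```

Because the browser talks only to the relay, the IP address the downstream collector observes is the relay's, not the patient's; that is the property the intermediary products above are selling. The patterns here are deliberately coarse and the relay fails closed (an unrecognised identifier shape is dropped rather than forwarded), which loses some legitimate events but keeps the forwarding path honest; a production deployment would tune the allow-lists and patterns with the compliance team rather than widen them ad hoc.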
The American Hospital Association is pushing back against IP address restrictions.
The American Hospital Association has officially asked HHS to amend and suspend its guidance on tracking pixels, particularly in regard to its provisions on IP addresses, which represent the main rationale for organizations to transition away from GA4.
“Regrettably, the Online Tracking Guidance errs by defining PHI [protected health information] too broadly—specifically, to include all [Internet protocol] IP addresses.”
- May 22 letter to OCR Director Melanie Fontes Rainer from AHA General Counsel and Secretary Melinda Reid Hatton.
If the appeal is successful, it may create a pathway where healthcare organizations, large and small, can continue using the free platform, Google Analytics 4. But there will always be potential pitfalls to consider when using analytics platforms online; it is important to never send any private health information about a patient to one of these platforms.
However, there’s always the chance that HHS will clarify its guidance by making the restrictions around utilizing IP addresses even stronger and clearer.
So what should my organization do?
Now is the time to consult with experts and consider what options you may want to pursue. Take the time to speak with your legal or compliance teams, vet the HIPAA-compliant analytics options out there and reach out to a digital analytics vendor who can help guide you through the process.
As a HIPAA-compliant and healthcare-focused digital marketing agency, Full Media is a partner to our clients as they navigate this process, helping them research and identify solutions, then execute their analytics strategy. Contact us today if you’re ready to chat or learn more about our expertise with GA4 and HIPAA compliance.