Based on the new HHS Guidance, is Google Analytics HIPAA-compliant?

Update on 3/21/2024: HHS released an updated version of their December 2022 guidance on online tracking technologies on March 18th, 2024. If you're looking for the most recent information, skip to our latest blog, HHS Bears Down: March 2024 Update from HSS on Online Tracking Technologies.

Everyone knows that privacy and security are important topics for healthcare marketers in 2023, but is your organization aware that new guidance about long-standing HIPAA regulations may pose important considerations for your analytics strategy?

In December 2022, the Department of Health & Human Services (HHS), which oversees HIPAA regulations, released new guidance shedding light on how to avoid sharing individually-identifiable personal health information with tracking platforms or technologies like Google Analytics, the Meta Pixel and more. Many healthcare organizations are well aware of how HIPAA-regulations impact their operational practices, but these guidelines and best practices can be overlooked by organizations big and small when it comes to their marketing. This new guidance is worth a deeper look to determine how best to integrate widely-used platforms like Google Analytics into your marketing plans. 

What does HIPAA have to do with platforms like Google Analytics?

A lot! Anytime you view, collect or store data about patients or potential patients — connecting some form of “protected health information” to information that may indicate that person’s medical conditions — you have a special responsibility to protect that information. Some of the more obvious cases may be when you get a form submission on your website containing a patient’s name and their medical condition.

But did you know that even an IP address is considered a form of protected health information, or PHI? This means that when an IP address for a user is stored alongside any sort of information that could indicate their medical condition, potentially even a visit to a website page about a condition like high blood pressure, you may have the same requirements to safeguard this information that you’d have for a new appointment request. As digital marketing adoption becomes more widespread and more healthcare organizations are looking to digital analytics to inform their marketing strategies, regulators are looking to help provide better information to healthcare marketers to guide them around HIPAA regulations. This latest guidance is just another indicator of what the best practices are and will be around digital data tracking and sharing. 

How do you safeguard patient information in your digital analytics?

There are several ways. If the information is stored, it must be encrypted and stored in a server that meets HIPAA-regulated security standards. If it’s transmitted from one place to another, that transmission must also be encrypted. But more than that, healthcare organizations must ensure that anyone who has access to that data handles it appropriately and up to the same standards a nurse or office administrator might within a practice. 

Yes, this includes any agencies who may be assisting with your digital marketing efforts.

To ensure your technology vendors meet these standards:

1. Ask them about how they handle PHI.
2. Establish a Business Associate Agreement (BAA) between yourself and that technology vendor. 

BAA is a contract that certifies both parties understand and uphold certain security standards. It also assigns legal responsibilities in case anything should ever go wrong. Some vendors or platforms may not handle any PHI, which means you don't need a BAA in place with them. It's important to determine whether a vendor will touch that protected information or not. 

Can you get a BAA with Google or Meta or other online tracking platforms?

Some online tracking platforms or technologies may have a process available to establish a BAA. But some of the large technologies and platforms, like Google and Meta, have no such process in place at this point in time. 

Why not? Because they’ve never needed to! Based on widely-held interpretation of HIPAA regulations, the standard data collected by platforms like Google Analytics wasn’t believed to need additional safeguards. 

Their platforms store data in aggregate and, according to widely-held interpretation of HIPAA regulations, the data points they stored did not match the criteria of individually identifiable PHI. There have been situations where healthcare organizations have sent data they shouldn’t have to these platforms, data that also broke the Terms & Services set out by Google Analytics or Meta, but the tools out of the box were widely understood to be HIPAA-compliant without needing a BAA in place. 

However, as guidance and regulations evolve over time, healthcare organizations should continue to review whether their tracking technologies meet those standards and if there are any new concerns to address or adapt to. 

So what do I do to make sure I’m compliant?

Unfortunately, there isn’t an easy answer here. We’d recommend that you bring the new HHS guidance to the attention of your lawyer or in-house compliance teams and discuss the tracking technologies you use for your digital marketing. Get a list of your tracking tools and involve your vendors if you need to — they can help you understand how these platforms work!

At the moment, we’re helping marshal resources and answer questions for our clients, so we wanted to put together those resources in a blog. We’ll update this blog as we gain additional information and clarity or develop new best practices alongside our clients as they consult with legal experts. 

---

Resources to understand Google Analytics and HIPAA compliance

Does Google Analytics collect and store IP addresses?

It depends on which version of Google Analytics you use. 

Universal Analytics does collect and store IP addresses. While you cannot view the IP addresses of users when you use the Google Analytics platform, it is stored on Google’s servers. There are features Universal Analytics users can take advantage of, like IP masking, although these must be manually enabled. 

Google Analytics 4, the newest version of Google Analytics, does not log or store IP addresses. Learn more.

---

Does Google Analytics use cookies to track user data?

This also depends.

Universal Analytics uses first-party and third-party cookies to collect data about users who visit your website.

Google Analytics 4 does not use third-party cookies, only first-party cookies. This is generally considered “cookie-less” tracking, and it meets GDPR and CCPA standards so long as a user is informed and can consent to the usage of those cookies. Learn more.

---

Does Google Analytics store device IDs?

Yes, both Universal Analytics and Google Analytics 4 will assign an individual device ID to each device that visits a website. It uses this data to stitch together a user’s journey across platforms, whether they are using a website, an app or switching around to different devices. This ID is a critical part of the platform and helps show user-level reporting, rather than just hits. Learn more.

---

Will Google Analytics sign a business associate agreement (BAA) with my organization?

As of now, we are not aware that Google Analytics offers a process for healthcare organizations to designate them as a “business associate.” This could change in the future, as Google does offer this option for other products. 

---

If Google Analytics has old data stored that I worry may not be HIPAA-compliant, what can I do about it?

If you have data collected in a Universal Analytics account that you are concerned about, it will stay there even if you remove the tracking code from your website. 

Because Google is sunsetting Universal Analytics in 2023, they plan to erase that old data. Their current timeline is six months after July 1, 2023, but the timeline is farther out for users of Google Analytics 360 (the premium, paid version). 

There are also intervals where user-level data is deleted from the servers, depending on your account settings: 

• User-level data deletion intervals for Universal Analytics can range from 14 months to a setting where it will never erase or expire. Learn more. 
• Google Analytics 4 user-level data will only be retained for 2 months or 14 months, depending on your settings. Learn  more.

You can submit a data deletion request to Google Analytics as well. Learn more about the process here. 

---

What Full Media is doing to respond to new guidance:

If you're still uncertain, take a cue from us! At the moment, we're working to do the following to adapt to old and new HIPAA regulations as they relate to digital marketing. 

Upgrading our clients to Google Analytics Four

Google's deadline of July 1, 2023 put the pedal to the metal for everyone in the digital marketing industry to move to GA4 anyway. But given that we are a healthcare digital marketing agency, GA4's privacy-focused options help ensure that our clients are using a more secure, more transparent data collection model for their patients. View our GA4 roadmap.

Recommending that our clients update their Privacy Policy and consider opt-in tracking

All companies with a website should have a privacy policy, but this is especially important for healthcare organizations. Now is the time more than ever to be open and transparent about how your organization collects and uses data for marketing purposes. Consider offering the option for your website visitors to opt-in to tracking too. This will only create more affinity and trust that your organization does the right thing with its data. 

Speaking to compliance experts and recommending our clients do too

We are actively speaking with legal experts in digital HIPAA-compliance to help inform our plans and keep our clients aware of the latest guidelines. Interpreting regulations can be challenging, so it's always good to have an open line of communication with your in-house or outsourced legal team. 

Continual research

Digital analytics are essential for effective and cost-conscious marketing, which is more important than ever for healthcare organizations. As of now, we think GA4 will be a great option for many of our healthcare clients, but we know that for some clients, they may prefer a more conservative approach. That's why we're looking into ways to help our clients adapt how they use GA4 and potentially look at different mechanisms to collect their data and analytics. This will give our clients options based on how their organization prefers to operate, while ideally preserving their ability to collect valuable data and make great marketing decisions.