BLOG
How to Make GA4 Web Analytics HIPAA Compliant
In today's digital landscape, privacy and data protection are of utmost importance. Covered entities under HIPAA (Health Insurance Portability and Accountability Act) need to ensure that they are taking the necessary steps to protect electronic protected health information (ePHI) while still gaining valuable insights from analytics.
How to Make GA4 Web Analytics HIPAA Compliant
In today’s digital landscape, privacy and data protection are of utmost importance. Covered entities under HIPAA (Health Insurance Portability and Accountability Act) need to ensure that they are taking the necessary steps to protect electronic protected health information (ePHI) while still gaining valuable insights from analytics.
What are these identifiable ePHIs that may be collected from your website that may be introduced by third-party tracking code and may implicate you of HIPAA violations, according to the new HIPAA guidelines?
“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
This article will deal specifically with ePHIs that may now make you non-compliant based on new risks introduced by online tracking technologies, as the Office of Civil Rights (OCR) at the Department of Human & Health Services (HHS). In this article we will discuss ways to make Google Analytics 4 (GA4) compliant, considering that GA4 commands close to 89% of web analytics platform market share.
After covering how to make analytics platforms HIPAA compliant, we will then move to HIPAA compliance for third-party marketing platforms, such as Facebook Ads and Google Ads in our next blog post.
Google Analytics 4 Settings
GA4 collects a vast range of user data to provide insights into user behavior on your website or app. Web URLs and IP addresses, for instance, contain valuable information about an individual’s online activities, including their browsing history and potentially sensitive healthcare searches that may link individuals with past, current or future health conditions, now considered protected health information.
While GA4, a positive upgrade for privacy concerns, compared to the earlier Google’s Universal Analytics (UA), makes it closer to being HIPAA compliant, there are additional steps that you need to take to ensure full compliance.
We are mostly concerned with two identifiers recently added to the new list of 18 HIPAA identifiers: unique identifiers (such as IP address and client ids) and page URLs (such as page location, page path, page title, and query parameters that may contain health specific queris and/or unique identifiers). When the latter is combined with a unique identifier, it has the potential to link individuals to a health condition, treatment or payment.
There are a few steps you need to take to ensure compliance:
- Redact email & query parameters – GA4 allows you to prevent sending email and any personally identifiable information (PII) to Google. This is a good practice in general because you do not want to send any personally identifiable information that can easily be mapped to their health-specific page visits and clearly violate HIPAA. Once you redact any PII that you might be collecting via query parameters, make sure you preview redacted data to ensure, GA4 does not contain any PII in the URLs tracked and stored by GA4.
- Turn off user-id and user-provided data collection – If your website visitors can login to your website, you may be generating user IDs that may then be a personal identifier that can again be linked to health-specific services, conditions, treatment or payment pages to violate HIPAA.
If you do have the ability for visitors to login to your website, ensure user-ID and user provided data collection is turned off for your website.
Note: Interested to learn more about user IDs? Here’s a great article that walks through ways to enable user-IDs so you learn how to disable it for your healthcare website.
- Turn off Google Signals – If user data is not available, Google will map signed-in Google customers who have opted in for ad personalization with third-party data for rich user, cross-device and cross-browser tracking. This allows reporting identities to be linked to individuals and will therefore result in a HIPAA violation.
- IP anonymization – We know that Google Analytics collects IP information (though temporarily now under the revamped Google Analytics 4 (GA4)) when a visitor visits your website. The good news? GA4 automatically truncates the last 4 octets of your IP address so if your ip can not really be traced back to your network location. The bad news? Well even though your IP address is never really logged or stored, it is transmitted to allow for location data before it is discarded. To redact IP addresses completely, you will have to rely on server side Google Tag Manager setup.
However, if you do not want to go through a server side setup, but want to be extra cautious, you may want to mask city-level data by turning off granular location and device data collection for regions you want to be compliant in. For HIPAA, it would make sense to turn off granular location off for all US states in order to make users’ locations even less identifiable.
Note – As an aside, remember that IP addresses cannot track an individual device, only a network connection. However, other device specific data (referred to as a ‘user-agent’ variable, collected by GA4 may allow you to connect IP and ‘user-agent’ data to a specific device though.
- Minimum Period for Data Retention – Ensure your data retention for events and users is set to its minimum possible of 2 months. This allows for your GA4 data collection to adhere to the HIPAA minimum necessary rule, which states that under “the HIPAA minimum necessary rule, HIPAA-covered entities are required to make reasonable efforts to ensure that uses and disclosures of PHI is limited to the minimum necessary information to accomplish the intended purpose of a particular uses or disclosure.”
- Reporting Identity – Finally, for reporting identity under data display settings in your GA4 admin panel, ensure that you select device ID as the reporting identity, instead of the default Blended or Observed.
Note that device ID combined with IP can still be a personal identifier, which when linked to health conditions, treatments or payment page location can lead to a HIPAA violation. However, with granular location turned off and IP addresses automatically truncated, this is less of a concern unless your legal department advises a stricter adherence to HIPAA, in which case, you should consider a server-side tag management setup (see below).
Server Side Tag Management
While the above settings will allow for some safeguarding against HIPAA violations, these measures are not absolute and fool proof in protecting your against non-compliance. More importantly, redacting data means that you might lose important elements from your attribution analysis or reporting.
Instead, we strongly recommend a server-side tag management setup to provide you with greater control over your data streams, while also allowing you to safely navigate the third-party cookie free era that we are now entering. Most importantly, server side tag management can help you balance data anonymization (which inevitably leads to data being made less usable for marketing purposes) with usefulness of data.
Learn more about server-side tag management security and control for HIPAA-compliance in our next blog post.
Alternatives to Server-Side Tag Management
A final word on alternatives for server side tag management. There are HIPAA-compliant analytics platforms, such as those provided by Adobe or Matomo that can be configured for HIPAA compliance. However, migrations to these platforms will require a cost assessment and additionally will require some ongoing management to keep your web & app data analytics HIPAA compliant.
There are also customer data protection (CDP) platforms, such as Freshpaint, Rudderstock, and PikWikPro, that allow for secure data storage, custom audience insights, customer data exports and custom activations and other advanced integrations that are required to keep customer data useful for marketing while keeping ePHI safe from third-party (and presumably HIPAA non compliant) platforms. While most offer a freemium service, HIPAA compliance usually comes with a price tag.
Conclusion
GA4 Settings adjustments, server side tag management, HIPAA-compliant analytics platforms and CDPs are all viable options for healthcare organizations and price points will differ based on number of applications or websites being managed, integrations with third-party marketing platforms, need for data warehousing, analysis & visualization capabilities, hosting provider, privacy & security needs, consent management needs and management.
At the end of the day, the difference between the solutions will depend on your risk tolerance and resulting comfort level with the tradeoff between anonymizing ePHI and usefulness of customer data for marketing purposes.
At Webtage, we take HIPAA requirements, along with technology stack, into account to determine the best HIPAA-compliant MarkTech solutions for your organization. Talk to us to discuss your healthcare MarTech compliance needs.
Contact us for FREE 1 Hour Web Consultation
Schedule your free consultation today to discuss how our website technlogies sercices can benefit your enterprise.
Get in Touch