How to use web analytics tools and be HIPAA compliant

For healthcare practitioners, using a web analytics tool helps to measure the performance of their healthcare platforms. But as with all healthcare communication methods, security and HIPAA compliance are legal requirements. Under HIPAA, covered entities are prohibited from sharing protected health information (PHI) with third parties without consent.

Any organization that handles PHI must confirm that the tools they use, including web analytics, are secure. We've recently provided you with a list of web analytics tools that are HIPAA compliant. Now, let's take a closer look at what steps to take to guarantee the HIPAA compliant use of web analytics tools.

HIPAA and web analytics

HIPAA, the Health Insurance Portability and Accountability Act, is U.S. legislation created to improve healthcare standards. Title II, the part of the act most often referred to, establishes privacy and security standards for PHI and ePHI (electronic PHI). The Privacy Rule sets the guidelines for using and disclosing patient data.

The Security Rule sets the necessary administrative, technical, and physical safeguards to protect PHI/ePHI. The idea is to restrict access to PHI and monitor how it is communicated. Covered entities and their business associates must be HIPAA compliant to protect patients' rights and privacy.

Website analytics tools provide valuable information about current or potential patients. This information may include who is seeking care or interested in learning more, and who searches for what on a hospital's website. The idea is to use the information to improve patient communication, satisfaction, and patient care.

While such solutions offer a valuable way to increase patient engagement and deliver personalized experiences, they also open organizations to potential HIPAA violations. Web analytics data might contain PHI and, therefore, must meet HIPAA requirements. Failure to comply could mean huge fines, long-term rehabilitation plans, and loss of reputation.

Risks associated with web analytics in healthcare

Healthcare data contains sensitive, personal information, including medical histories, diagnoses, and treatments, as well as other personally identifiable information (PII).

Data analytics also often involves aggregating and linking data from multiple sources to better understand patients' health. When healthcare organizations use data analytics to extract valuable insights, there's a risk that

  • PHI may inadvertently be seen
  • Unauthorized individuals may gain access

Patient data is susceptible to breaches (accidental and intentional), cyberattacks, data loss or corruption, user error, and system malfunctions. Furthermore, such risks may be higher when using a third-party vendor to analyze data. Without sufficient security measures, vendor breaches can be costly to a covered entity.

Breaches and HIPAA violations may lead to a monetary fine, a long-term corrective plan, loss of reputation, and lawsuits.

Evaluating web analytics risks in healthcare

Assessing compliance risks starts with a risk assessment to understand the likelihood of a breach. A HIPAA compliance assessment aims to identify an organization's vulnerabilities and threats. It helps covered entities recognize areas that need improvement.

Questions to ask when auditing a web analytics tool:

  • What data is being sent to the analytics platform, and how?
  • What data is exposed in URLs and query strings?
  • Is it possible that PHI is collected by the analytics platform (intentionally or not)?
  • What happens to the data once it is collected?
  • How is the data being used by the vendor and/or the covered entity?
  • What happens to the data after analysis?
  • Are there any issues that may affect more than just the accessible data?
  • What reputation does the platform vendor have, and is it HIPAA compliant?

Vendor HIPAA compliance ultimately means that information is protected through a signed business associate agreement (BAA). A web analytics vendor would be considered a business associate and must sign a BAA.

Guide for using web analytics and staying HIPAA compliant

Rather than removing analytics from your website altogether, the better course is to use them in a way that is, and stays, HIPAA compliant.

  1. Perform a risk assessment before using web analytics and continuously after first use.
  2. Get a signed BAA with the web analytics company you plan to employ.
  3. Check that both you and the vendor use cybersecurity tools. Employ defensive (e.g., perimeter) and offensive strategies to block breaches.
  4. Encrypt PHI at rest (including offsite/offline storage) and in transit, and minimize the data sent and/or exposed.
  5. Use strong access controls on private areas of your websites and analytics tools.
  6. Limit access to authorized staff and ensure they understand their responsibilities and the relevant regulations, policies, and procedures.
  7. Train staff in compliance and security to properly use and read analytics.
  8. Obtain written consent from patients when sharing data with analytics companies.
  9. Develop a breach notification plan for inadvertent or deliberate breaches while performing analyses.
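As an added example (not code from the article or from Paubox), the following JavaScript shows one way to implement the data minimisation in step 4 and to answer the audit questions about URLs and query strings: an allowlist of query parameters, redaction of patient-specific path segments, and a helper that records what a raw URL would have leaked. The host, parameter names and path prefixes are constructed for illustration and would be adapted to your own site.

```javascript
// Added example (not from the original article): reduce a page URL to the form
// that is safe to report to a web analytics platform, so that search terms,
// record numbers, tokens and similar PHI never leave the browser in a hit.

// Query parameters that carry no patient information and may be reported.
// Constructed allowlist; extend it only after reviewing each parameter.
const ALLOWED_PARAMS = new Set(["utm_source", "utm_medium", "utm_campaign", "lang"]);

// Path prefixes on this hypothetical site whose remaining segments identify a
// patient, appointment or result. Everything after the prefix is redacted.
const SENSITIVE_PATH_PREFIXES = ["/patients/", "/appointments/", "/results/"];

// Returns the sanitised URL string to hand to the analytics tag.
function sanitizeUrlForAnalytics(rawUrl) {
  const url = new URL(rawUrl);
  // Never report embedded credentials or the fragment (often used for tokens/state).
  url.username = "";
  url.password = "";
  url.hash = "";
  // Drop every query parameter that is not explicitly allowlisted.
  for (const key of [...url.searchParams.keys()]) {
    if (!ALLOWED_PARAMS.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  // Avoid a dangling "?" when nothing allowlisted remains.
  if (url.searchParams.toString() === "") url.search = "";
  // Collapse identifiers in patient-specific paths:
  // /patients/12345/labs -> /patients/REDACTED
  for (const prefix of SENSITIVE_PATH_PREFIXES) {
    if (url.pathname.startsWith(prefix)) url.pathname = prefix + "REDACTED";
  }
  return url.toString();
}

// Audit helper for the risk assessment: which parameters of a raw URL would
// have been sent to the vendor without the allowlist.
function findDroppedParams(rawUrl) {
  const url = new URL(rawUrl);
  return [...url.searchParams.keys()].filter((k) => !ALLOWED_PARAMS.has(k.toLowerCase()));
}

// Constructed sample: a record page reached from a newsletter, with an MRN in
// the query and a token in the fragment.
const SAMPLE = "https://clinic.example/patients/12345/labs?mrn=998877&utm_source=newsletter#token=abc";
console.log(sanitizeUrlForAnalytics(SAMPLE));
console.log("would have leaked:", findDroppedParams(SAMPLE));
```

Run the sanitiser on the URL before it reaches any analytics call, and feed `findDroppedParams` the URLs from your server logs to see which parameters your pages actually expose.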
