Paubox blog: HIPAA compliant email made easy

Which web analytics tools are HIPAA compliant?

Written by Kapua Iao | October 31, 2023

For healthcare practitioners, using a web analytics tool helps to measure the performance of their healthcare platforms. However, under HIPAA, covered entities are prohibited from sharing protected health information (PHI) with third parties without consent and a business associate agreement.

Any organization that handles PHI must ensure that the web analytics tools they use are always secure.

What are web analytics tools?

Web analytics tools are software designed to track, measure, and report on website activity. These tools help organizations measure customer reach and behavior, the customer journey, editorial content, and SEO. They do so by analyzing data such as site traffic, visitor sources, and user clicks.

There are two main types of web analytics tools depending on how data is collected and what information is needed:

  1. Off-site refers to third-party monitoring (e.g., search engines, toolbars) of visitor activity beyond a website to measure potential audiences.
  2. On-site is narrower than off-site and refers to tracking visitor activity of a specific website; data is typically collected by an installed piece of code to generate unique analytics.

By using web analytics tools, organizations can gain insight into what's happening on their websites and learn what's working (and what's not). In turn, they can optimize their users' experiences and increase current and potential engagement and conversions.

HIPAA and web analytics

HIPAA's Security Rule sets the necessary administrative, technical, and physical safeguards to protect PHI/ePHI. The idea is to restrict access to PHI and monitor how it is communicated. Covered entities and their business associates must be HIPAA compliant to protect patients' rights and privacy.

Website analytics tools provide valuable information about current or potential patients. This information may include data about who is seeking or interested in learning more or who searches for what on a hospital's website. The idea is to use the information to improve patient communication, satisfaction, and patient care.

While such solutions offer a valuable way to increase patient engagement and deliver personalized experiences, they also expose organizations to potential HIPAA violations. Web analytics data might contain PHI, and if that data is not handled properly the organization may fail to meet HIPAA requirements. This could mean large fines, long-term corrective action plans, and loss of reputation.

What would a HIPAA compliant web analytics tool look like?

To be HIPAA compliant, a web analytics tool must protect patient information from unauthorized access. Off-site tools should exclude patient data entirely, while on-site tools should collect and display only the minimum necessary information from the public website.

Data must be protected at rest and in transit, typically through encryption and off-site/offline storage. Healthcare organizations must also tighten access controls with measures such as multifactor authentication. Ultimately, a cybersecurity strategy could (and should) include both offensive and defensive measures to protect PHI.
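As an added example (not code from the Paubox post or from any analytics vendor), the browser-side allowlist filter below shows one way an on-site tracking snippet can keep patient-specific data out of the event it hands to a third-party analytics endpoint: it drops unknown fields, strips non-campaign query parameters and fragments, and redacts the identifier that follows patient-specific path prefixes. The field names, path prefixes, and site origin are assumptions for a hypothetical clinic website.

```javascript
// Added example, not code from the Paubox post or from any analytics vendor.
// Allowlist filter run in the browser before an on-site analytics event is
// handed to a third-party endpoint. Field names, path prefixes and the
// site origin are assumptions for a hypothetical clinic site.
const ALLOWED_PROPS = new Set(["page", "event", "locale", "referrer"]);
// Only campaign parameters survive; anything else (?mrn=..., ?dob=...) is dropped.
const ALLOWED_QUERY = new Set(["utm_source", "utm_medium", "utm_campaign"]);
// On this hypothetical site, the segment after these prefixes is a patient-specific id.
const PHI_PATH_PREFIXES = ["patients", "appointments", "results"];
const SITE_ORIGIN = "https://clinic.example"; // assumed base for relative paths

function sanitizeUrl(rawUrl) {
  const u = new URL(rawUrl, SITE_ORIGIN);
  // Collect keys first: deleting while iterating searchParams can skip entries.
  for (const key of [...u.searchParams.keys()]) {
    if (!ALLOWED_QUERY.has(key)) u.searchParams.delete(key);
  }
  // Replace the identifier that follows a patient-specific path prefix.
  const parts = u.pathname.split("/");
  for (let i = 0; i < parts.length - 1; i++) {
    if (PHI_PATH_PREFIXES.includes(parts[i]) && parts[i + 1] !== "") {
      parts[i + 1] = "_redacted_";
    }
  }
  u.pathname = parts.join("/");
  u.hash = ""; // fragments may carry session tokens or record ids
  return u.pathname + u.search;
}

function referrerHost(referrer) {
  // Keep only the referring host; the referrer's own path and query may hold PHI.
  try {
    return referrer ? new URL(referrer).host : "";
  } catch (_) {
    return "";
  }
}

function sanitizeEvent(event) {
  const out = {};
  for (const [key, value] of Object.entries(event)) {
    if (!ALLOWED_PROPS.has(key)) continue; // unknown fields never leave the browser
    if (key === "page") out.page = sanitizeUrl(String(value));
    else if (key === "referrer") out.referrer = referrerHost(String(value));
    else out[key] = value;
  }
  return out;
}
```

Because the filter is allowlist-based, a new field added to the page later is dropped by default rather than forwarded until someone consciously approves it.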

HIPAA compliance also means the assurance that information is protected through a signed business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involve PHI. A web analytics tool would fall into this category, so the vendor must sign a BAA.

Which web analytics tools won't sign a BAA?

Here are 10 web analytics tools we have looked at that do not, or appear not to, offer a BAA. They therefore may not be HIPAA compliant.

  1. Adobe Analytics – an enterprise-level analytics and reporting solution that monitors user traffic and interactions across a variety of marketing channels
  2. Amplitude Analytics – an innovative platform that creates a 360-degree view of a customer's journey
  3. Contentsquare – an analytics platform that tracks billions of user interactions to create a stronger understanding of customer behavior
  4. FullStory – a web-based intelligence system that provides companies with a stronger understanding of how to optimize the digital experience
  5. Indicative – a product analytics platform that provides a unified view of a customer journey
  6. Matomo – an open-source web analytics platform that tracks online visits to websites and creates reports
  7. Mouseflow – a behavior analytics platform that improves website conversions by providing a complete picture of the visitor experience
  8. Similarweb – a market intelligence provider that offers web analytics by rating websites and apps based on traffic and engagement metrics
  9. Smartlook – a comprehensive analytics solution that provides qualitative data to optimize websites and mobile apps
  10. Woopra – a real-time customer analytics service to optimize a customer's lifecycle

Which web analytics tools will sign a BAA?

Here are three web analytics tools that will sign a BAA and may be HIPAA compliant.

  1. Heap – an analytics platform that examines information on the customer journey
  2. Looker – a business intelligence and big data analytics platform that allows users to explore, evaluate, and share advanced insights in real time
  3. Mixpanel – a web analytics company that tracks user interactions with web and mobile applications

Note that a signed BAA does not guarantee that a web analytics vendor does everything necessary to comply with HIPAA requirements. It is a covered entity's responsibility to take precautions and ensure that its vendors are doing the same.

Technology use that is smart, safe, and HIPAA compliant

It has taken time for healthcare organizations to understand the positive impact of technology and embrace new technologies that leverage data and digital tools to deliver better health outcomes. Web analytics tools are just one example.

One thing that cannot be forgotten while healthcare access to digital technologies grows is HIPAA itself. Penalties for breaches can be significant, ranging from $100 to $50,000 per violation. The 2015 Anthem, Inc. breach, for example, cost $16 million in HIPAA violation penalties and $115 million from a class-action lawsuit.

But the costs don't stop there. A deliberate or accidental breach could lead to ransom payments, downtime, and angry patients, especially if any confidential PHI is exposed by analytics programs.

Avoiding a breach means avoiding such costs and remaining able to treat patients properly. Patient trust is vital to patient care, which means organizations must always safeguard patients' identities. This includes all data gathered by healthcare organizations, whether in electronic or physical form.