Introduction
The HIPAA compliant analytics situation can get confusing quickly, but the question that tends to start off the discussion is the title of this blog post. While you should consult a lawyer for your compliance needs, I hope this post provides a little context to help you make a good decision.
Can I Configure Common Web Analytics Solutions like GA4 to be HIPAA compliant?
Short answer: Not anymore.
You used to be able to do this, but the HHS guidance from March 2024 specified that the very CAPTURE of the data by a third party is the non-compliant part. If you configure GA4 to capture the data and then delete certain parts of it in an attempt to remain compliant, that will not be enough. The analytics solution either needs to route through a CDP so that the analytics provider never captures the data in the first place, or it must be an analytics solution that is willing to sign a BAA.
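To make the "never captures it in the first place" distinction concrete, here is an added example (not code from this post or from any CDP vendor) of the server-side filtering step a CDP performs before anything is forwarded to the analytics vendor: the page's own collector receives the raw event, and only an allowlisted, de-identified subset leaves. The payload shape follows the GA4 Measurement Protocol fields (client_id, events[].name, events[].params); the allowlist, the pseudonymisation key and the sample event are constructed assumptions.

```python
"""CDP-side event filter: forward only what the vendor is permitted to see."""
from urllib.parse import urlsplit, urlunsplit
import hashlib
import hmac
import json

# Parameters the analytics vendor may receive at all (assumption for this example).
# If condition-specific page titles are themselves sensitive, drop page_title too.
ALLOWED_PARAMS = {"page_location", "page_title", "engagement_time_msec", "session_id"}

# Pseudonymisation key that stays on the CDP side; the vendor never sees it (constructed).
PEPPER = b"constructed-example-key"


def strip_url(url: str) -> str:
    """Drop query string and fragment, which often carry record numbers or search terms."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def pseudonymise(client_id: str) -> str:
    """Replace the browser's client id with a keyed hash so the vendor cannot link it back."""
    return hmac.new(PEPPER, client_id.encode(), hashlib.sha256).hexdigest()[:32]


def sanitise_event(raw: dict) -> dict:
    """Return the payload that may leave the CDP; raise on a malformed event."""
    if "client_id" not in raw or not raw.get("events"):
        raise ValueError("event missing client_id or events")
    out_events = []
    for ev in raw["events"]:
        params = {k: v for k, v in ev.get("params", {}).items() if k in ALLOWED_PARAMS}
        if "page_location" in params:
            params["page_location"] = strip_url(params["page_location"])
        out_events.append({"name": ev["name"], "params": params})
    # user_id, ip_override and user_properties are never copied, so they never reach the vendor.
    return {"client_id": pseudonymise(raw["client_id"]), "events": out_events}


# Constructed sample of what a browser-side collector might post to the CDP.
SAMPLE = {
    "client_id": "123456.7890",
    "user_id": "patient-0042",
    "ip_override": "203.0.113.5",
    "events": [{"name": "page_view", "params": {
        "page_location": "https://clinic.example/appointments?mrn=0042&dx=diabetes",
        "page_title": "Book an appointment",
        "email": "someone@example.com",
    }}],
}

if __name__ == "__main__":
    print(json.dumps(sanitise_event(SAMPLE), indent=2))
```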
HIPAA compliant analytics gets tricky (read: expensive) really quickly, because the companies that are willing to offer a BAA have to abide by the requirements set forth by HHS to be HIPAA compliant. Additionally, if they are signing a BAA, they want to protect themselves financially from the legal liability and risk they are agreeing to.
Do I need HIPAA Compliant Analytics or a CDP? Can I just use GA4?
If you want your marketing efforts to be at all effective, you certainly need either a CDP or a HIPAA compliant analytics provider.
Before diving into the specific providers, it’s essential to assess your organization’s needs and determine whether a Customer Data Platform (CDP) is necessary.
First, you will need a CDP if you plan to do any sort of remarketing, since the CDP controls what information can be sent to the remarketing ad platform (typically Google Ads).
Additionally, a CDP gives you ultimate freedom and control over your patient marketing data. You may think of this as insurance against future HIPAA changes with regard to third-party analytics, and it provides a more comprehensive view of your audience. Further, the additional control over the data gives your marketing team more freedom to know what is working and what is not.
If you do not need remarketing, you should be fine with a standalone HIPAA compliant analytics solution such as Mixpanel.