Introduction
Real Advice for Executives, Not a Useless SEO Article.
The intent of this guide is to provide clear, concise information on what to do about HIPAA compliance as it relates to web analytics. Until recently, many web analytics solutions were freely available without the need for compliance considerations. The shift towards HIPAA compliant solutions can feel daunting and confusing. By understanding the requirements, options, and best practices outlined in this guide, executives can ensure their organization’s web analytics practices are HIPAA compliant and maintain the insights they provide.
Web Analytics Are Important for the Provider and Patient
To be clear, analytics and tracking are typically good for both parties, the provider and the patient, when executed correctly. A marketing team should not remove tracking capabilities on websites simply because they aren’t informed on compliance. Proper analytics helps the organization make sure they are serving what the patient actually wants, and it helps the patient get the information they need in a timely manner.
Scope of the Guide
It is important to note that this guide focuses specifically on third-party usage and behavior tracking on healthcare websites. It does not cover other technologies such as call tracking systems, online schedulers, SMS solutions, CRM, online forms, email marketing/automation, web chat, or reputation management tools. While these technologies may also have HIPAA implications, they are beyond the scope of this guide and may be included in future articles.
Disclaimer: This guide is not legal advice and should not be considered as such, even though we consulted HIPAA law experts while writing it. Seek legal counsel if you are unsure about anything we bring up here.
What Are the Compliance Requirements for HIPAA in Web Analytics and Third-Party Trackers (Lawyer Speak)
There are some VERY detailed and well thought-out posts on this from the most reputable healthcare law firms (see Holland and Knight or McDermott Will and Emery), but we have tried to summarize the legalese for your convenience. Additionally, the article shared above does a great job of explaining the nuances between PHI and PII and what that means for healthcare marketing teams.
Do I need HIPAA Compliant Analytics or a CDP? Can I just use GA4?
If you want to be any sort of effective with your marketing efforts, you certainly need either a CDP or a HIPAA Compliant analytics provider. Gone are the days of quickly installing a Facebook Pixel and a GA4 tag on the site and calling it a day (at least for responsible healthcare organizations).
We cover these questions and how to decide what level you need in this article here.
Is My Organization Large Enough to Warrant Implementing HIPAA Compliant Analytics or a CDP? What Is My Risk Here?
This is a good question that boils down to the comparison between compliance and risk. Compliance doesn’t care about company size but the risk calculation your company’s legal counsel makes might. We wrote more about that situation in an article found here.
Agency Considerations for Purchasing HIPAA Compliant Analytics Solutions
If you’d like to read more about some creative funding options for getting HIPAA compliant analytics up and running, consider using an agency set up to achieve the same result for much less. This is especially helpful if you are a smaller DSO or MSO and don’t have the budget for $30k a year in additional expenses on the marketing budget. Don’t forget, it’s important to own your data. But if you’re in that awkward middle ground of size, this could be a viable option. We wrote more on that kind of arrangement in this article.
Top Options for HIPAA compliant analytics
The first step to implementing HIPAA compliant analytics is to find a provider that is willing to sign a Business Associate Agreement (BAA), ensuring that they adhere to the strict privacy and security requirements mandated by HIPAA.
We’ve taken the time to analyze and meet with several popular options to help you make an informed decision. Here’s a breakdown of their features, costs, and overall impressions.
Analytics Providers:
Quick Comparison Table
| Tool | Pricing (annual) | Sessions/Users | Projects | Key Features | HIPAA Compliant | Auto-Capture |
|---|---|---|---|---|---|---|
| Heap | $8,640+ | 400k sessions/yr | 2 included | Full-feature analytics, Heatmaps, Session replays | Yes (Pro Plan) | Yes |
| Full Story | $37,000+ | 100k sessions/yr | Unlimited | Session replays, Heatmaps, Funnels | Yes | Limited |
| Mixpanel | $10,000+ | 100k MAU, 5M events/mo | Unlimited | Insights, Funnels, Retention analysis | Yes (Enterprise) | No |
| Piwik Pro | $18,000+ | 5M events/mo | Unlimited | User journeys, Heatmaps, Analytics | Yes | No |
| Mouseflow | $6,900+ | 200k sessions/mo | 50 | Session Replay, Heatmaps, Funnel Analysis | Yes (200k sessions) | No |
Detailed Analysis
Heap
Pricing and Plan Details:
- Pro plan: $8,640/year for 400k sessions/year
- Includes 2 projects (clients), $2,000/year for additional projects
- Session pricing is cheaper as you pay for more
- Session replay add-on: $1,400/year for 200k sessions/year
- Data retention: 1 year, can pay for more
Pros:
- Full-feature analytics with auto-capture
- Heatmaps and session replays
- User journey and funnel analysis
- Automatic and custom labeling
- Data export capabilities
- Flexible pricing based on session volume
Cons:
- Additional cost for extra projects (comes with 2, $2,000/year per project).
- This is really only applicable if you have multiple brands.
Verdict:
- Heap offers a robust mix of analytics and experience optimization features.
- Its auto-capture functionality and lookback analysis make it stand out from competitors.
- Seems to be a simpler onboarding process
Full Story
Pricing and Plan Details:
- Advanced package: $37,000/year for 100k sessions
- Enterprise package: ~$55,000/year (often negotiated down) for ~500k sessions
- Unlimited websites and projects
- Data retention: 1 year for analytics, 1 month for session replay
Pros:
- Comprehensive feature set including session replays and heatmaps
- Funnels, segments, retention analysis, journeys
- Unique tabbed browsing feature
Cons:
- Higher cost than Heap for what appear to be similar features
- Limited data retention for session replay (1 month)
- $5,000 onboarding fee
Verdict:
- Full Story offers features similar to Heap but at a higher price point.
- The upcoming demo may reveal unique advantages. I will update this post if that’s the case.
Mixpanel
Pricing and Plan Details:
- Enterprise plan: Minimum $10,000/year
- 100,000 monthly active users or 5 million events per month
- BAA (Business Associate Agreement) available at Enterprise level
- Group analytics: Additional 20% of contract value
- Implementation partners available for $3,000-$5,000 setup fee
- Self-serve onboarding for contracts under $20,000/year
Pros:
- Strong technical data analysis capabilities
- Experiment running and reporting which is convenient
- Migration service from GA4
Cons:
- Requires upfront tracking setup
- May need onboarding partner
Verdict:
- Mixpanel offers powerful data analysis tools but may require more technical setup and knowledge to fully utilize.
- Recently came out with session replays which is a good move I think
- The go-to for many HIPAA compliant digital marketing agencies – likely a good sign, or they have a fat agency referral system. Not sure which it is.
PiwikPro
Pricing and Plan Details:
- Starting at $18,000/year for Enterprise plan
- 5M events/month
- Unlimited websites, apps, and users
- Data retention: 25 months
Pros:
- Impressive analytics features
- User journeys, Heatmaps, click and scroll maps
- Option for public or private cloud storage
- Europe-based (potential GDPR advantage)
- Includes tag manager and consent manager modules, an interesting advantage over the competition.
- Detailed audit log for individual sessions
Cons:
- No session replay feature
Verdict:
- PiwikPro offers a strong analytics package, especially appealing for those prioritizing European data regulations.
Mouseflow
Pricing and Plan Details:
- Enterprise plan: $6,900/year for 200k sessions/month, 10 websites (additional websites can be added)
- Unlimited users
Pros:
- Focuses on user experience with session replay and heatmaps, funnel analysis
- Unique “Friction Score” feature
- Coming out with user journeys soon
Cons:
- Limited analytics capabilities compared to some competitors
- Website limit in the pricing structure, which matters if running many sites is part of your business model
Verdict:
- Mouseflow is strong in user experience analysis but may not be comprehensive enough for full analytics needs.
Other notable options that we did not review in depth but may in the future:
- Ruler Analytics
- Pendo
- Amplitude
- Penrod – HIPAA compliant CRM platform that integrates with Salesforce
Analytics Options – Summary
- Heap seems to offer the best balance of features, pricing, and ease of use for most businesses, especially those needing robust auto-capture and flexible analytics.
- Mixpanel offers the best GA4 replacement for HIPAA compliance and is continuing to crank out compelling features for healthcare organizations at a fair price.
- Full Story provides comprehensive features but at a higher price point, suitable for larger enterprises or those prioritizing advanced user journey analysis.
- PiwikPro stands out for its focus on data privacy and compliance, making it an excellent choice for businesses with European data regulation concerns.
- Mouseflow offers a cost-effective solution for agencies primarily focused on user experience analysis, though it may lack some advanced analytics features.
Note: this article does not cover the fact that, in some cases, each option charges extra for data warehouse needs. Some include it, some don’t. In my search this was not a factor I recorded for all providers, but I may update this article to include it in the future.
Top Options for HIPAA compliant Customer Data Platform (CDP)
An increasingly common method for large organizations to be extra sure their data is kept safe is to use a Customer Data Platform or CDP. The CDP gives the organization the most control over their data and is the vessel that can send data to your data warehouse for retention.
We’ve taken the time to analyze and meet with several popular options to help you make an informed decision. Here’s a breakdown of their features, costs, and overall impressions.
| CDP | Pricing (Annual) | Users/Events | HIPAA Compliant | Key Features | Implementation Complexity |
|---|---|---|---|---|---|
| Freshpaint | $30,000-$50,000+ | Up to 150k unique monthly visitors (on base plan) | Yes | Healthcare focused, Server-side connections, Default-off state | Low (No-code) |
| Rudderstack | $25,000-$30,000+ | Flexible (Event volume or MTU based) | Yes | 200+ data integrations, Data warehouse focus | Medium to High |
| Segment | $30,000+ | Flexible | Yes | 400+ integrations, Protocols for data screening | High (Dev-heavy) |
Freshpaint
Pricing and Plan Details:
- Starting at $30,000/year for up to 150k unique monthly visitors
- $50k/yr+ for more events and nicer features like the maps and video CDP integrations
Key Features:
- Server-side connections
- Default-off state for data sharing
- User-friendly tag manager, so you always know which vendors are receiving which data
- No-code implementation
- Acts as a go-between for pixel and front-end
Pros:
- User-friendly solution
- Healthcare-focused from the beginning
- Helps maintain lower CPMs by enabling HIPAA-compliant tracking
- Reduces security risks by removing direct pixel installations
Cons:
- Some features may be gated to higher tiers
Verdict: Freshpaint offers the cleanest, most user-friendly solution with a strong focus on healthcare. It’s ideal for organizations prioritizing ease of use and robust HIPAA compliance.
Rudderstack
Pricing and Plan Details:
- Enterprise pricing starts around $25,000 – $30,000/year
- Pricing based on event volume or monthly tracked users
- Typically cheaper than Freshpaint for similar volumes
Key Features:
- 200+ data integrations
- Data transformation capabilities
- Customer profile building in data warehouse
- Data stitching across sources
Pros:
- Flexible pricing based on volume
- No destination gating
- Doesn’t store data themselves (could be a con depending on how you look at it)
Cons:
- Bigger technical lift compared to Freshpaint
- Broader audience focus (not healthcare-specific)
Verdict: Rudderstack offers a powerful solution for organizations with more technical resources and a need for advanced data warehousing and integration capabilities.
Segment
Pricing and Plan Details:
- Enterprise pricing around $30,000/year for 100k monthly unique visitors with BAA
- Free tier available for up to 1k users/month
- $120/month for 10k visitors/month (non-HIPAA plan)
Key Features:
- 400+ out-of-the-box integrations
- Protocols product for data screening (PHI/PII handling)
- Connections product for data governance
- Multiple workspaces and sources/destinations support
Pros:
- Largest network of HIPAA-compliant integrations
- Flexible configuration options
- Powerful data governance tools
Cons:
- Highly developer-dependent
- Requires detailed tracking plan and custom event development
- More complex implementation compared to other options
Verdict: Segment is a robust option for organizations with strong development resources and complex data integration needs, offering the most extensive integration options among the compared CDPs. This is likely the most robust but most complicated.
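The pattern behind the Freshpaint features above (server-side connections, a default-off state, a go-between for pixels and the front end) and Segment’s Protocols screening is the same: events reach your own server first, and each vendor gets only the fields you explicitly allow. The sketch below is an added illustration of that relay, not any vendor’s code; the destination names, field names and sample event are assumptions constructed for the example.

```python
"""Minimal server-side analytics relay (added illustration, not any vendor's code).

Models the CDP pattern the guide describes: the browser sends raw events to your
own server, and each third-party destination receives only fields explicitly
allow-listed for it (default-off). Everything else, including URL query strings,
stays inside your infrastructure. Destination and field names are assumptions.
"""
from urllib.parse import urlsplit, urlunsplit

# Default-off: a destination receives nothing unless the field is listed here.
DESTINATION_ALLOWLIST = {
    "ads_pixel": {"event", "page_path"},                          # hypothetical
    "product_analytics": {"event", "page_path", "device_type"},   # hypothetical
}

# Fields treated as PHI-adjacent; never forwarded regardless of the allowlist.
NEVER_FORWARD = {"email", "phone", "ip", "appointment_reason", "search_query"}

def scrub_path(url: str) -> str:
    """Keep scheme, host and path only: query strings and fragments often
    carry appointment details, search terms or identifiers."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def build_outbound(event: dict, destination: str) -> dict:
    """Return the subset of `event` this destination is allowed to receive."""
    allowed = DESTINATION_ALLOWLIST.get(destination, set())  # unknown -> nothing
    out = {}
    for key, value in event.items():
        if key in NEVER_FORWARD or key not in allowed:
            continue
        out[key] = scrub_path(value) if key == "page_path" else value
    return out

def relay(event: dict) -> dict:
    """Fan one browser event out to every configured destination."""
    return {dest: build_outbound(event, dest) for dest in DESTINATION_ALLOWLIST}

if __name__ == "__main__":
    sample = {  # constructed sample event, not real traffic
        "event": "page_view",
        "page_path": "https://clinic.example/book?reason=followup&mrn=12345#step2",
        "email": "patient@example.com",
        "device_type": "mobile",
        "search_query": "lab results",
    }
    for dest, payload in relay(sample).items():
        print(dest, payload)
```

The important property is that adding a new vendor changes nothing until someone deliberately adds fields to its allowlist, which is the "default-off" behaviour the guide credits Freshpaint with.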
CDP Options Summary
Based on this analysis:
- Freshpaint is the best option for healthcare organizations prioritizing ease of use and specific HIPAA compliance features. It’s ideal for those who want a no-code solution and are willing to pay a premium for ease of use. Small, resource restricted marketing teams for the MSO and DSO space will likely want this.
- Rudderstack offers a good balance between features and cost, making it suitable for organizations with some technical resources and a need for advanced data warehousing. It’s a strong choice for those looking for flexibility in data handling without the highest price tag.
- Segment is the most powerful and flexible option, best suited for large organizations with significant development resources and complex data integration needs. It offers the most extensive integration options but requires the most technical expertise to implement and maintain.
Remember that while all these platforms offer HIPAA compliance, the implementation and maintenance of HIPAA-compliant setups may require different levels of effort and expertise for each platform.
It’s recommended to request demos and, if possible, trial periods to assess which platform best fits your organization’s specific needs and technical capabilities.
A Cautionary Tale, Moving Forward
As technology continues to advance and the healthcare analytics landscape evolves, it’s crucial for organizations to stay informed about potential changes in HIPAA regulations and their implications for web analytics practices.
Potential Changes in HIPAA Regulations
Generally, our observation is privacy and HIPAA requirements are only going to get harder for marketers, not easier.
As a best practice, healthcare organizations should strive to maintain a strong commitment to data privacy and security, even if certain HIPAA requirements become less stringent. By adopting a proactive and risk-based approach to web analytics compliance, organizations can ensure the ongoing protection of patient data and maintain the trust of their stakeholders.
Overall Conclusion
In this comprehensive guide, we have explored the critical aspects of HIPAA-compliant web analytics and the key considerations for healthcare organizations. By understanding the legal requirements, identifying sensitive data, evaluating compliance options, and implementing best practices, executives can make informed decisions that ensure the protection of patient data while leveraging the power of web analytics.