What Are the Compliance Requirements for HIPAA in Web Analytics and Third-Party Trackers

 

Skip to the following sections:

Key HIPAA Requirements for Web Analytics

Examples of Personally Identifiable Information (PII)

Examples of Protected Health Information (PHI)

Difference Between Implied and Explicit PHI

Penalties for Non-compliance

Key HIPAA Requirements Related to Web Analytics

The U.S. Department of Health and Human Services (HHS) has set out how HIPAA applies to web analytics and third-party trackers. According to the HIPAA Rules and the HHS Office for Civil Rights bulletin on the use of online tracking technologies (updated in March 2024), healthcare organizations must ensure that their web analytics practices adhere to the following key principles:

  • Privacy Rule: The HIPAA Privacy Rule requires covered entities and their business associates to protect individually identifiable health information (IIHI) from unauthorized access, use, or disclosure. In the context of web analytics, this means ensuring that the data collected does not contain PHI, and does not contain data that can be used to identify a specific individual (PII) alongside health information.

It is the combination of health information with identifiers (PII) that puts you out of compliance. Health information that cannot be tied to a person is not PHI, and identifiers collected on a page with no health content are not PHI either; you are allowed to collect either one on your own website. The combination is exactly what is useful from a marketing standpoint, though, and the moment you share it with a third party that has not signed a BAA you are out of compliance, because that third party could identify the individual without their knowledge or authorization.

  • Security Rule: The HIPAA Security Rule requires covered entities and their business associates to implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). Healthcare organizations must assess the security measures of their web analytics solutions and ensure that data is encrypted, access is limited, and proper security controls are in place.

Because your organization now holds what is legally protected, private information, it must be secured to protect patient privacy. Proper access controls and encryption should be used. For web analytics purposes, this is usually solved in a straightforward manner with off-the-shelf software.

  • Business Associate Agreements (BAAs): If a healthcare organization engages a third-party web analytics provider that will receive PHI, a BAA must be executed first. The BAA sets out the business associate's responsibilities for maintaining the privacy and security of PHI and binds it to the HIPAA Rules. If a vendor will not sign a BAA, you may not disclose PHI to it; a vendor's standard terms of service are not a substitute for a BAA.

The analytics provider stores and processes data that is not its own (it is a third party). You connected it to your website and gave it permission to operate on your behalf, which makes it a business associate, and the BAA is what makes it contractually responsible for safeguarding the protected information it handles for you.

  • Data Minimization: HIPAA requires covered entities to collect, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose. In web analytics, healthcare organizations should carefully evaluate the data points being tracked and ensure that they are collecting only the information essential for their analytics needs.

This admittedly comes up less often on the website analytics side than elsewhere, but an example would be a patient intake form that asks for more information than its intended use requires. Applied to analytics, the same principle argues for dropping query strings, form contents and any other fields your reports do not actually need.

Identifying Sensitive Data in Web Analytics

Types of Personally Identifiable Information (PII)

PII refers to any data that can be used to identify a specific individual, either on its own or when combined with other data. It encompasses a broad range of information that can identify an individual in various contexts. PII is protected under various laws depending on the context and jurisdiction, such as the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) in the U.S.

Examples of PII (in the context of web analytics):

  • Full name
  • IP Address
  • Home address
  • Email address
  • Phone number
  • Vehicle identifiers
  • Device attributes or serial numbers
  • Biometric elements, including finger, retinal, and voiceprints
  • Other identifying numbers or codes

Types of Protected Health Information (PHI)

According to HHS, PHI is individually identifiable health information, including demographic data, that relates to:

  • the individual’s past, present, or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual.

Examples of PHI Identifiers (in the context of web analytics):

  • Geographical elements
  • Dates related to the health or identity of individuals
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Digital identifiers, such as website URLs
  • Photographs of a patient’s face

Additionally, there is a difference between explicit and implied PHI. Both count as PHI, and disclosing either to a third-party tracker without a BAA constitutes a violation.

Implied PHI

The user visits a URL such as “your-practice.com/services/condition-name/”, in other words a page for a specific condition. The tracker receives that URL together with the visitor’s IP address and its own cookie identifier, so it can infer that an identifiable person has an interest in that condition even though no form was ever filled in.

Explicit PHI

The user submits a contact form that contains health information together with identifiers (both listed above), for example a name and email address alongside a description of symptoms.
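The following is an added example, not code from the original article: a client-side guard that applies the distinctions above (identifiers alone, health information alone, and the combination that makes PHI, in either its implied URL form or its explicit form-submission form) to an analytics hit before it reaches a third-party tracker. The path prefixes, form field names, sample hits and the assumption that the tracker sees a cookie client ID and the connection IP with every hit are all constructed for illustration.

```javascript
// Added example, not code from the original article: classify an analytics
// event and decide what may be sent to a third-party tracker that has NOT
// signed a BAA. Path prefixes, field names and sample hits are constructed.

// Paths whose mere visit reveals a health condition or a care relationship.
const SENSITIVE_PATH_PREFIXES = ['/services/', '/conditions/', '/patient-portal/'];
// Form fields that identify a person (PII) or that carry health information.
const IDENTIFIER_FIELDS = new Set(['name', 'email', 'phone', 'dob', 'mrn', 'insurance_id']);
const HEALTH_FIELDS = new Set(['symptoms', 'diagnosis', 'medications', 'reason_for_visit']);

function isSensitivePath(pathname) {
  return SENSITIVE_PATH_PREFIXES.some((prefix) => pathname.startsWith(prefix));
}

// event: { eventName, pageLocation, clientId, ipAddress, formFields }
// clientId is the tracker's own cookie ID and ipAddress is what the tracker
// sees on the connection (assumed here): both arrive with every hit whether
// or not the page sends any form contents.
function classifyEvent(event) {
  const url = new URL(event.pageLocation);
  const fieldNames = Object.keys(event.formFields || {});
  const hasIdentifier = Boolean(event.clientId || event.ipAddress) ||
    fieldNames.some((name) => IDENTIFIER_FIELDS.has(name));
  const healthInPath = isSensitivePath(url.pathname);
  const healthInForm = fieldNames.some((name) => HEALTH_FIELDS.has(name));
  // Health info in a submitted form is explicit; a condition URL alone is implied.
  const kind = healthInForm ? 'explicit' : healthInPath ? 'implied' : 'none';
  return {
    hasIdentifier,
    hasHealthInfo: healthInPath || healthInForm,
    kind,
    // Health information becomes PHI once it can be tied to an individual.
    isPHI: hasIdentifier && (healthInPath || healthInForm),
  };
}

// Remove the health half of the pair so the hit carries identifiers only:
// generalise a condition page to its section, drop the query string, the
// fragment and all form contents.
function scrubForThirdParty(event) {
  const url = new URL(event.pageLocation);
  const pathname = isSensitivePath(url.pathname)
    ? `${url.pathname.split('/').slice(0, 2).join('/')}/`
    : url.pathname;
  return { eventName: event.eventName, pageLocation: `${url.origin}${pathname}` };
}

// What goes over the wire: the full event to a vendor under a BAA, otherwise
// a scrubbed hit whenever the full event would be PHI.
function prepareForTracker(event, vendorHasBAA) {
  if (vendorHasBAA || !classifyEvent(event).isPHI) {
    return event;
  }
  return scrubForThirdParty(event);
}

// Constructed sample hits (not real data).
const impliedPhiHit = {
  eventName: 'page_view',
  pageLocation: 'https://your-practice.com/services/condition-name/?utm_source=newsletter',
  clientId: 'GA1.2.1234567890.1700000000',
  ipAddress: '203.0.113.7',
};
const explicitPhiHit = {
  eventName: 'form_submit',
  pageLocation: 'https://your-practice.com/contact/',
  clientId: 'GA1.2.1234567890.1700000000',
  ipAddress: '203.0.113.7',
  formFields: { email: 'jane@example.com', reason_for_visit: 'ongoing chest pain' },
};
const harmlessHit = {
  eventName: 'page_view',
  pageLocation: 'https://your-practice.com/about/',
  clientId: 'GA1.2.1234567890.1700000000',
  ipAddress: '203.0.113.7',
};

console.log(classifyEvent(impliedPhiHit).kind, prepareForTracker(impliedPhiHit, false).pageLocation);
console.log(classifyEvent(explicitPhiHit).kind, prepareForTracker(explicitPhiHit, false));
console.log(classifyEvent(harmlessHit).kind, prepareForTracker(harmlessHit, false) === harmlessHit);
```

Note what the scrub does and does not do: the vendor still receives the visitor’s IP address and cookie ID, which on their own are not PHI under the reading above; the scrub only removes the health half of the pair. The prefix list is the fragile part, since a new condition page that lands outside it leaks, so in practice an allowlist of pages on which the tracker is loaded at all is the safer default, and a vendor under a BAA removes the problem entirely.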

Penalties for Non-Compliance

Non-compliance with HIPAA regulations can result in financial penalties for healthcare organizations. The HHS Office for Civil Rights (OCR) is responsible for enforcing HIPAA rules and can impose significant fines for violations. Here’s a summary of what you can expect:

  • Penalty Ranges: The statutory penalties run from $100 to $50,000 per violation, depending on the level of culpability, with an annual cap of $1.5 million for identical violations of one provision. HHS adjusts these amounts for inflation each year; the figures below are the inflation-adjusted amounts in effect when this was written. The per-violation maximum is the same for every tier, while the minimums rise with culpability:
    • Tier 1: Violations the entity did not know about and could not reasonably have known about: $137 to $68,928 per violation. (The $34,464 figure often quoted for this tier is the inflation-adjusted annual cap that OCR applies to Tier 1 under its 2019 enforcement discretion, not a per-violation maximum.)
    • Tier 2: Violations due to reasonable cause but not willful neglect: $1,379 to $68,928 per violation.
    • Tier 3: Violations due to willful neglect that are corrected within 30 days: $13,785 to $68,928 per violation.
    • Tier 4: Violations due to willful neglect that are not corrected within 30 days: $68,928 per violation.
    • Maximum Annual Penalties: The $1.5 million statutory cap for identical violations comes to $2,067,813 after inflation adjustment.
  • Additional Consequences: Beyond financial penalties, non-compliance can lead to reputational damage, loss of patient trust, and negative publicity. This can have long-lasting impacts on a healthcare organization’s credibility and market standing.
  • Enforcement: OCR enforces these penalties by investigating complaints, conducting compliance reviews, and performing education and outreach to foster compliance. In cases of non-compliance, it may impose civil monetary penalties or reach settlement agreements with the offending parties (HIPAA Journal; HIPAA Guide).

Author’s Note – in discussing this point with a HIPAA law team, I learned that the cost penalty isn’t actually the scary part. It’s basically a slap on the wrist from a budget standpoint. Additionally, depending on severity, there’s usually a cooldown period where the organization can fix the mistake (typically 30 days). Finally, OCR is often going after bigger fish because the government only has so many resources to go after offenders. This is not an endorsement to not comply, but more of a look into how this actually plays out in the real world. However, what’s much more likely is the damage to reputation and trust in your organization both internally and externally. Data privacy matters, a lot. 

Summary

Rest assured, most modern HIPAA-compliant web analytics solutions are designed to handle these compliance requirements effectively. However, understanding the nuances of HIPAA law is crucial for healthcare organizations to ensure they’re meeting all necessary standards and protecting patient privacy. While the technical aspects of compliance are often managed by these solutions, being aware of the legal framework helps organizations make informed decisions and maintain trust with their patients and stakeholders.


Grayson Allen
