17

I'd really like to implement Google Analytics at my work on web software that is required to be HIPAA compliant. But I'm wondering if it's against the rules. Does anyone know how I can find out? I've searched Google, but there isn't much there on the subject. In the meantime I'm going to be reading up on HIPAA Privacy.

Our system is used to manage healthcare documents and PDFs. There's no specific patient information, but there is information relating to certain plans a specific client/company might have. All we would like to do with Analytics is determine the browsers using our system, what documents are most frequently used and what times of the day we're the busiest. We have no intention of collecting any other information.

We would probably end up using custom event reporting as well.

Update: I'm going to do some more research, but wanted to post this link which was extremely helpful: http://www.hipaa.com/2009/09/hipaa-protected-health-information-what-does-phi-include/


My Solution:

Since I only need to track custom events and basic user activity/browser data, what I ended up doing is embedding an iframe on the page:

<iframe id="analyticsFrame" name="analyticsFrame" src="/analytics.htm" border="0" height="0" width="0"></iframe>

Source of analytics.htm:

<script type="text/javascript">
    // Intended to keep ga.js from reaching the top window. Note: `top` is an
    // unforgeable window property, so this assignment is silently ignored in
    // browsers, and because /analytics.htm is served from the same origin as the
    // parent page, script running in this frame can still reach the parent
    // document (e.g. via top). Only a different origin (or a sandboxed frame)
    // actually enforces that boundary.
    var top = null,
        parent = null;
</script>
<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-xxxxxxxx-xx']);
  _gaq.push(['_setDomainName', 'domain.com']);
  _gaq.push(['_trackPageview']);

  // Standard asynchronous ga.js loader; a separate <script src="...ga.js"> tag
  // is not needed alongside it, or the library is fetched twice.
  (function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
</script>

Then I used a custom event recording function...

// see http://code.google.com/apis/analytics/docs/tracking/eventTrackerGuide.html for documentation
function trackEvent (eventType, action, label) {
    // Guard against the frame being absent or its inline script not having run yet,
    // otherwise _gaq is undefined and the push throws.
    var frame = self.frames['analyticsFrame'];
    if (frame && frame._gaq) {
        frame._gaq.push(['_trackEvent', eventType, action, label]);
    }
}

The whole idea is to try to lock GA out of the main window, limiting it to within the iframe so it can still gather data on users, but nothing related to the content. Then I record whatever events I want to record.

Ben
  • 271
  • 2
  • 5
  • It would help if you could explain what you intended to do with the data, and what sort of data you were looking for. Does it include patient information? –  Nov 08 '11 at 16:27
  • @Linda - I've updated the description –  Nov 08 '11 at 17:28
  • There does not seem to be any protected health information here (PHI) – Ming K Nov 09 '11 at 14:29
  • So as long as there's no patient data we're ok? –  Nov 09 '11 at 15:35

5 Answers

11

If your ePHI is shared with Google, then you need to have a Business Associates Agreement with them. Google will probably not sign a BAA with you, so that is probably not an option. The only option that remains is not to share any ePHI with them.

It is hard to tell, from your question, whether you are sharing ePHI with them or not. I am not entirely sure, but merely having health insurance might be considered ePHI, which means if your "client/company" can ever be mapped to a person, then it might be considered ePHI. I will assume that you have ePHI in your content for the rest of my answer. If you cannot be sure you do not have ePHI in your content, you should assume that you are covered until you can prove otherwise. This basic question "is it HIPAA covered or not" is the real issue here. Shameless plug: this issue is covered carefully in O'Reilly's Meaningful Use and Beyond, which I wrote (look in chapter 12, "Does HIPAA cover me?"). Because you cannot get a BAA with Google, you must not share, or practically speaking, be in danger of sharing, ePHI with them. If I were your lawyer (and I am both IANAL and IANYL) then I would be concerned that you start using a service like Google Analytics in a channel that does not have ePHI today, and do not re-evaluate that use even after that channel gets ePHI. Make good decisions for what you are doing, and for what you will be doing.

But there is probably a workaround. All you have to do is be sure you are not sharing PHI, and apparently, all you want is to collect data regarding information that is not HIPAA covered (I am assuming that the documents that you are talking about are publicly available non-client specific documents).

To accomplish this, create a hidden iframe in each page of the site that might contain PHI. Inside that iframe, load a document that does nothing except launch Google Analytics. Ensure that you do not follow Google's instructions on making iframe Google Analytics work "properly". This will allow you to gather browser data on all of your users on every page, without tracking the pages they load or the content of those pages. To Google it should look like you are loading the same page, again and again. Then, assuming you have a single "general documents page" that links to the documents, but contains no ePHI, you can also include the analytics code on that page. This should tell you what document links are being clicked.

Essentially, without knowing how your site is constructed, this is one guess about how you could create an "analytics zone" on your site that would ensure you never made a PHI mistake. I may be wrong about how your site is constructed, but given any reasonable architecture, there may be a way to get this "zone" effect without screwing things up totally.

  • What if the PHI is within an iframe on the page, would it be acceptable to have Google Analytics on the main frame? Or would that be a violation, since if Google wanted to data mine the iframe they could? –  Nov 10 '11 at 13:44
  • Also... even if I used an iframe, I would need to eliminate any references to the parent window, right? In order to be completely secure. Perhaps setting them all to `null` to prevent GA from gaining access to the frame with the PHI. –  Nov 11 '11 at 02:15
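An added example (not code from the question or from this answer) of the "analytics zone" that both the asker's solution and this answer describe, with the isolation enforced by hosting the frame document on a separate origin (assumed placeholders: https://analytics.example.com for the frame, https://app.example.com for the application): the same-origin policy then keeps ga.js out of the parent DOM regardless of any `top`/`parent` variables, and events reach the frame only through a postMessage channel that allowlists categories and rejects free-text labels.

```javascript
// Added example. Parent page and analytics frame live on different origins
// (ASSUMED placeholder values), so ga.js inside the frame cannot read the
// parent's document. Events cross the boundary via postMessage and are
// validated on both sides so only opaque identifiers ever reach the tracker.
const ANALYTICS_ORIGIN = 'https://analytics.example.com'; // assumption
const APP_ORIGIN = 'https://app.example.com';             // assumption
const ALLOWED_CATEGORIES = new Set(['document', 'navigation', 'browser']);
const ALLOWED_ACTIONS = new Set(['open', 'download', 'print', 'pageview']);
const OPAQUE_ID = /^[A-Za-z0-9_-]{1,64}$/; // a document id, never a title

// Parent side: build a message, or return null if it would carry free text.
function buildEvent(category, action, label) {
  if (!ALLOWED_CATEGORIES.has(category) || !ALLOWED_ACTIONS.has(action)) return null;
  if (label !== undefined && !OPAQUE_ID.test(String(label))) return null;
  return { kind: 'ga-event', category, action, label: label === undefined ? '' : String(label) };
}

// Parent side: post to the frame window with an explicit target origin, so the
// message is dropped if something other than the analytics origin is loaded.
function sendEvent(frameWindow, category, action, label) {
  const msg = buildEvent(category, action, label);
  if (msg === null) return false;
  frameWindow.postMessage(msg, ANALYTICS_ORIGIN);
  return true;
}

// Frame side: accept only messages from the application origin and re-apply
// the same allowlist before anything is pushed to _gaq.
function handleAnalyticsMessage(event, appOrigin, gaq) {
  if (event.origin !== appOrigin) return false; // other tabs, frames, extensions
  const d = event.data;
  if (!d || d.kind !== 'ga-event') return false;
  const msg = buildEvent(d.category, d.action, d.label);
  if (msg === null) return false;
  gaq.push(['_trackEvent', msg.category, msg.action, msg.label]);
  return true;
}

// Wiring for the frame document served from ANALYTICS_ORIGIN (browser only).
if (typeof window !== 'undefined' && window.addEventListener) {
  window._gaq = window._gaq || [];
  window.addEventListener('message', (e) => handleAnalyticsMessage(e, APP_ORIGIN, window._gaq));
}
```

Because the allowlist runs on both sides, a descriptive document title is rejected before it can become an event label, which is the page-title leak a later answer warns about.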
7

I'm not sure if Google Analytics is HIPAA compliant or not, but there are other options that can be compliant. Piwik is an open source project that does Google Analytics-style tracking, but you can store the data and code on your own secure servers so you don't have to jump through all the hoops of dealing with other businesses.

Update: (Not legal advice) HIPAA only covers 'protected health information'. Google Analytics just tracks hits, some session info, and maybe a generic user ID, so HIPAA doesn't really apply to it. Because of that, it doesn't appear that you'd have to have a signed BAA.

  • And even one better: as [Piwik](http://piwik.org) will be using JavaScript loaded from one's own (first-party) domain, it's far less likely to be blocked. Hence statistics might even be better. – Arjan Dec 02 '11 at 10:41
3

HIPAA regulates Protected Health Information (PHI). You mentioned that there was no "specific patient information" but if there is patient information at all you need to make very sure that it is made anonymous in the right way to conform to the HIPAA regulations. Just removing someone's name is not enough; you need to do more to avoid violating patient privacy.

If there's no patient data whatsoever in your documents, or if the patient data has been sufficiently anonymized, there shouldn't be any HIPAA issues using Google Analytics. As with just about everything HIPAA-related, it's not the tool that's compliant or not, it's what you do with the tool.

Due to the tricky nature of the HIPAA regulations, I would definitely recommend getting your corporate legal counsel involved. There can be hefty fines for privacy violations, so it's better to be safe than sorry.

2

The short answer is that Google Analytics is not HIPAA compliant. So, if anything they collect has PHI, then you'd be in violation.

There are other ways to collect the browser type. Even a simple database call that inserts the browser type on each page load would be a simple enough solution. Then, you could run better reports from that data than Google Analytics would provide.

2

Google Analytics is not HIPAA compliant. Even sending page titles to Google Analytics can be seen as a HIPAA violation, if the page titles are descriptive enough. From Google:

Unless otherwise specified in writing by Google, Google does not intend uses of Google Analytics to create obligations under the Health Insurance Portability and Accountability Act, as amended, (“HIPAA”), and makes no representations that Google Analytics satisfies HIPAA requirements. If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.

Source: https://support.google.com/analytics/answer/6366371?hl=en

wlo
  • 21
  • 2