Is Google Analytics a HIPAA Threat?

Google Analytics is not HIPAA compliant. Does that mean you should not use GA if you are subject to HIPAA? Is Google Analytics a HIPAA threat?

First, let’s be clear on what it means to be HIPAA compliant. Your desk is not HIPAA compliant. Your computer is not HIPAA compliant. Neither is Google Analytics. Here’s what Google says: “Please remember that to protect user privacy, Google Analytics policies and terms mandate that no data be passed to Google that Google could recognize as personally identifiable information (PII), and no data you collect using Google Analytics may reveal any sensitive information about a user, or identify them.” We have seen this quote used as evidence that GA is a threat to your HIPAA compliance, but let’s get a grip. What this really says is that Google won’t take responsibility if you send personally identifiable information to them, so don’t do it.

What is HIPAA compliance?

HIPAA, The Health Insurance Portability and Accountability Act,  makes it illegal to disclose individually identifiable health information. This could include a person’s name, address, license plate number, birth date, Social Security number, and any other identifying information. This type of information cannot be shared along with health information, past or present.

A medical record showing that James Smith was treated for an eye infection must not be shared with anyone. Equally, a blog post mentioning that a patient, a professional tuba player from Dodge City, Kansas, got an eye infection from sleeping with his contacts in — well, that could also be a HIPAA violation, because it is possible that there might be just one contact-wearing professional tuba player from Dodge City. In both cases, the information has been shared.

How could Google analytics be a HIPAA problem?

Google Analytics can give you some very useful information. Imagine that you are a realtor. You see that someone from Dodge City visited your website five times last week. They checked out a dozen properties and you can see the price range and the type of architecture they have in mind. You get a call from someone in Dodge City and, since you got some advance warning, you are able to tell them about some other properties that might meet their needs.

The information you got from Google Analytics allows you to provide exceptional customer service, and you make the sale.

Now suppose that instead your medical website got a visit from a young woman from Dodge City. You can see that she visited the ob-gyn clinic page, a blog post about unplanned pregnancies, and a page about abortion services. You can also see that this same individual visited the appointment request page for the ob-gyn clinic. Checking your files, you see an appointment request from a young woman in Dodge City. Have you exposed her private information to Google?

An example of this kind was used in an article about the HIPAA concerns with Google Analytics.

I’m going to say that you have not provided any personally identifiable information to Google at this point. You may have enough data to be able to surmise that this young woman — who has given you her name, address, and insurance information — is considering an abortion, but you have that data stored securely. None of it went to Google.

Make sure you’ve configured your analytics correctly

Google used to collect a lot more information than they currently do, but it is still possible to share too much. For example, you could give your customers ID numbers which you share with Google. You could hook up your point-of-sale system with GA and use customer ID numbers to track purchases and payments. Don’t do that if you are a HIPAA covered entity.

You don’t have to collect demographic information, either.

Otherwise, you would only be sharing information with Google through analytics if you name your web pages after your patients — “What James Smith Learned about His Eye Infection!” at the URL https://www.james-smith-eye-infection would do it.

Don’t worry

We checked with our Googler, just to be sure. “Google understands privacy,” he said tartly, and then proceeded to prove it with an explanation of the security of the data.

There are some things that are worth worrying about if you are subject to HIPAA:



, ,




Leave a Reply