Make your tracking HIPAA-compliant

Health Insurance Portability and Accountability Act, or HIPAA, is a U.S. law that primarily aims to protect patients' privacy and security concerning their medical information and health records.

Many marketers and business owners who set up server-side tracking on their websites need to be particularly cautious to ensure that their tracking practices are compliant with HIPAA regulations. This is especially critical if their website collects, stores, or transmits any health-related information. 

Your approach to web analytics platforms and HIPAA depends on whether you collect protected health information (PHI) through your site or app. Data that isn’t considered PHI is outside the scope of HIPAA. 

To legally send PHI to your analytics platform, you must sign a business associate agreement (BAA) with the vendor. This agreement specifies each party’s responsibilities regarding PHI and ePHI and establishes a legally binding relationship.

Many vendors don’t want to sign BAAs. In this case, you must remove all identifiers from the data to use their services so they are no longer considered PHI. But the process of de-identification is long and complicated. 

Stape obtained a HIPAA-compliant certificate and can sign a BAA with you for your peace of mind. We ensure that all handling of protected health information meets the stringent standards required in the healthcare industry. This article explains how to make your tracking setup more efficient and privacy-compliant, ensuring that you gather valuable data insights while respecting user consent and regulatory requirements.

Google Analytics does not comply with HIPAA standardsCopy link to this section

Google Analytics is not inherently HIPAA compliant. This is primarily because it's not designed to handle Protected Health Information (PHI) as outlined under HIPAA guidelines.

Since using Google Analytics might be crucial for some businesses, Stape created a solution for using it in a HIPPA-compliant way. We will discuss it later in the blog post, but first, let’s understand what it means to be HIPPA compliant. 

What is HIPAA-compliant trackingCopy link to this section

Making tracking HIPAA compliant involves ensuring that any tracking methods or tools used in healthcare settings comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations. HIPAA requires protection and confidential handling of protected health information (PHI). Here are vital steps to make tracking HIPAA compliant:

• Use HIPAA-Compliant tools and vendors.
• Do not share Protected Health Information (PHI) with third-party analytics tools like Google Analytics. 
• Implement strict access controls. 
• Anonymize data.

Make tracking and analytics HIPAA compliant using StapeCopy link to this section

Server-side tracking with Stape simplifies the process for businesses to adhere to HIPAA regulations while still using the existing marketing and analytics tools, like Google Analytics. 

To help our clients make their tracking HIPPA compliant, Stape obtained a HIPPA certificate and provides a tool to anonymize or remove PHI and user identifiers from the requests before any analytics tools can access those data. 

1. Business Associate Agreement (BAA) Copy link to this section

You must have a BAA with each vendor if you use third-party services in your tracking setup. This agreement ensures that the vendor will protect PHI to the standards set by HIPAA.

You can sign BAA with Stape to ensure that our handling of your data meets HIPAA compliance standards. By doing so, Stape agrees to maintain appropriate safeguards for protecting sensitive health information, report any breaches consistent with HIPAA regulations, and ensure that any subcontractors or agents also comply with HIPAA requirements. This is crucial for anyone handling Protected Health Information to legally and securely use Stape's services within the scope of their healthcare operations.  

If you want to sign BAA with stape, please email suppport@stape.io, and our team will gladly assist you. Please note that it’s possible to sign BAA for customers on Enterprise or Custom plans, which start from 200 USD/EUR per month. 

2. Implement strict access controlsCopy link to this section

When utilizing server-side tracking, you can strictly manage and regulate which data is shared with each vendor. On the other hand, with web tracking, this level of control is unattainable because third-party scripts must be added to the website to enable browser tracking. If not properly managed, these scripts can easily scrape any information from your website without any restrictions.

By establishing a server-to-server connection, vendors can only access the specific user or event data that you have authorized them to view. The data flow in server-side tagging using server Google Tag Manager looks like this: 

• Deliver data to sGTM using GA4, DataTag/Data Client, or Webshooks. If you decide to use Google Analytics 4 for data transfer to sGTM, you can utilize the Stape Anonimizer power-up to remove any sensitive information.
• Configure which information each vendor receives using sGTM tags. 

3. Encrypt PHI and prevent user reidentificationCopy link to this section

Since you cannot send PHI to Google Analytics or any other third-party tool, you must strip all PII/PHI from the data before sending it. 

You'll first need to configure the Anonymizer power-up to anonymize or remove PHI. You can control how you want to anonymize certain parameters, such as leaving the IP as is, removing certain parts of the IP, or changing it to a static IP from the same country. To configure the Anonymizer power-up, all you need to do is select the checkboxes near each parameter that you want to modify. 

Once you've selected how data should be anonymized, you need to update the tagging server URL for your server-side Google Analytics 4 to include "/anonymize." For example, from sgtm.site.com to sgtm.site.com/anonymize. When requests go through this URL, Stape will automatically remove or anonymize the selected parameters.

Here are the articles about the cases of using these power-ups:

• How to anonymize user data in Google Analytics 4
• The intelligent way to anonymize user data and use consent mode in Google Analytics 4 using GEO headers

Frequently asked questions about HIPAA compliance and trackingCopy link to this section

What is included in Protected Health Information?Copy link to this section

Protected Health Information (PHI) refers to any information in a medical record that can be used to identify an individual and that was created, used, or disclosed while providing a health care service.

It’s a central focus of HIPAA's privacy rules.

This Protected Health information includes:

• names, addresses (including subdivisions smaller than state, like city, county, or zip code), dates (except year) related to individuals (like birth date, admission date, discharge date, date of death), telephone numbers, email addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers including license plate numbers, device identifiers and serial numbers, web URLs, IP address numbers, biometric identifiers (including finger and voice prints), full-face photographs and any comparable images, and any other unique identifying number, characteristic, or code.
• any part of a patient's medical record or payment history. For example, diagnosis data, treatment information, medical test results, prescription information, and doctor's notes fall under this category.
• the individual’s payment for the provision of health care that contains identifiers. It may cover billing information, insurance policy numbers, payment history, and other details linked to financial transactions for medical services.

Is HIPAA only for healthcare providers?Copy link to this section

No. It actually applies to a broader range of entities:

• Lawyers, accountants, IT consultants, billing companies, data processing firms, or others who have access to PHI through their services to covered entities.
• Third-party administrators that assist health plans with claims processing.
• Consultants that perform utilization reviews for hospitals.Healthcare Providers: This includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, and any other entity that transmits any health information in electronic form in connection with transactions for which HHS has adopted standards.
• Health Plans: This category includes insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans, Medicare, Medicaid, and other government and private companies that pay for healthcare.

Do HIPAA laws apply to everyone?Copy link to this section

No. Only to those who handle health information. 

However, HIPAA does not apply to all organizations or individuals that might have access to health information. For instance, it doesn't cover employers, life insurance companies, schools, or school districts unless they otherwise qualify as a covered entity or business associate. Similarly, entities like fitness clubs and websites collecting health data from individuals are only covered by HIPAA if they perform functions on behalf of a covered entity.

What is a HIPAA compliance audit?Copy link to this section

HIPAA compliance audits can be conducted internally as part of an organization’s regular compliance checks or externally by government agencies like the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), or third-party auditors.

They must ensure that protected health information is properly handled and that access is limited to only those who need it for treatment, payment, or healthcare operations. They are also responsible for checking whether proper documentation is maintained regarding HIPAA policies and procedures and that staff is adequately trained in these policies and procedures.

What are the rules of HIPAA?Copy link to this section

There are three main components of HIPAA:

1. The Privacy Rule:

- Protected health information should be controlled and disclosed.Patients have rights over their health information, including the right to examine and obtain a copy of their health records and request corrections.

2. The Security Rule:

- Policies and procedures should clearly show how the entity will comply with the act. Physical safeguards involve controlling physical access to protect against inappropriate access to protected data. Technical safeguards involve the technology used to protect ePHI and control access.

3. The Breach Notification Rule:

- Entities should provide notification following a breach of unsecured PHI.

Are there any penalties for a HIPAA law violation?Copy link to this section

Yes. These penalties can be significant and vary based on the nature and extent of the violation and the harm caused, including whether willful neglect was involved. Penalties can range from $100 to $50,000 per violation, with an annual maximum of $1.5 million. And among that, companies may also:

• face criminal charges, which can include fines and imprisonment. 
• face civil lawsuits, where affected individuals may sue for damages caused by health information privacy breaches. 
• face reputational damage and the loss of patient or client trust.

ConclusionCopy link to this section

Take into consideration that HIPAA is critical U.S. legislation that can’t be ignored. If you are covered by it, you must adhere to stringent rules aimed at safeguarding patient privacy and the security of health information, especially in electronic forms. Non-compliance can lead to significant penalties, emphasizing the importance of these regulations in maintaining the confidentiality and integrity of health information in the healthcare system.

When correctly configured, server-side Google Tag Manager enhances your control over the data shared with Google. Instead of distributing user data across various third-party servers, it's directed solely to the server hosting the GTM container. Within this server container, you can eliminate any personally identifiable information (PII) before forwarding the data to marketing associates.

Don’t hesitate to contact our support team for further information about your server-side tracking setup on Stape.