View All Blog Posts

Data Storage for Universal Analytics and HIPAA Compliance

A 3-step guide for navigating tracking and measurement priorities for healthcare marketers

With the new HHS/OCR bulletin surrounding HIPAA guidelines, healthcare marketers who use Google Analytics for measuring digital tactics have had to shift focus from the impending Google Universal Analytics (UA) data retirement (on July 1, 2023) to considering how their current (and future) data is being collected and stored. While Google will keep all UA data for at least 6 months after this date marketers cannot lose sight of what their plan is for storing this data before it’s gone forever.  

The challenge: The HHS/OCR bulletin has many marketers questioning whether they should continue using Google Analytics as their third party tracking technology at a time when they may still be working on their full migration to GA4 (especially now that Google is automatically installing GA4 for Google Ads conversion tracking) and their plan to store UA data. What do they prioritize? What precautions do they need to take? Who else needs to be involved in the decision? 

The bottom line: Regardless of what tracking platform marketers plan to use, UA data IS going away in a few months, and a plan to save and store relevant data must be made and started as soon as possible. 

Our recommendation is to take your UA data storage plan into consideration as you plan to safely and compliantly store and track your future data.

Step 1: Determine the data you need to keep and review on a regular basis

Deciding to keep everything will likely be a challenge for most marketers, unless you have an in-house data engineering team who can store and organize all past UA data into a data lake of sorts. Depending on how large your website is and how far back you want to review data, you could be exporting (literally) millions of rows of data, spread across multiple spreadsheets, making data retrieval and analysis incredibly difficult (if not impossible).

We recommend first determining what data you want to look at on a regular basis, and how it needs to be analyzed to make this data storage process as seamless (and as useful) as possible. For example, if you use mobile vs. desktop traffic to inform your advertising spend, you’ll want sessions by device saved by week or month. However, if you really only reference mobile vs. desktop traffic to understand trends over time, you likely only need sessions by device by year. Moving a dimension to yearly will likely save you thousands (if not tens of thousands) of rows of data to later have to sort through and aggregate.

Doing this step first will also help you better evaluate your options for tracking and storing data in the future – it’s a good exercise (and discipline) to root your organization on the data that really matters and have a plan in place to retrieve it easily.

Where do I begin?

When considering what’s important, always begin with your business objectives and the website KPIs you’ve established to measure success. If you have not done so already, start this discussion today and include your marketing, sales, IT teams and leadership if needed, to ensure you’re not leaving out any core metrics that other departments require to determine success or opportunities.

Step 2: Determine where UA data will be stored and how it must be accessed

Since this data will no longer be available in your Google Analytics account, the data you want to keep will need to go somewhere. This is where your technical and IT teams come into play. As long as it’s useful and works for what you need, we recommend sticking with whatever system you have in place for future data tracking and storage (see Step 3!)instead of building something separate.

A few options for storing this data include Google’s BigQuery, Amazon Web Services (AWS), or even spreadsheets with pivot tables, if you don’t have a lot of data.

Next, think about how you want to access this data (and who else will need access). Tools like Looker Studio, Tableau or Power BI can be really helpful in aggregating and visualizing your core metrics, as they are straightforward and more user-friendly than complex servers that may require a more technical or experienced hand. Setup and maintenance is fairly simple once you have your core metrics and KPIs established (remember Step 1!).

Finally, test, test, test! Once your data has been stored and accessible, it’s important that you play around with it to make sure you have the right dimensions and filters available. Do this before the deadline to avoid any gaps or issues in future reporting and analysis!

Not sure if you have the right data? Here’s a tip: find a recent request from a colleague and try finding the answer in an older time frame from the UA data you stored. Were you able to access that data? Any missing information? Was there any additional or manual work you needed to do to find the answer?

Step 3: Determine how you’re going to track and store your data (in a compliant way) moving forward.

You can learn more about Hedy & Hopp’s guidance for understanding the new guidelines and ways to make tracking compliant here. But the key things that matter for storing and accessing UA data relate to where your data can be stored moving forward in consideration of your success metrics (see Step 1).

For marketers currently using Google Analytics, we see a few options:

  • Continue using GA4/GTM,  but move to server-side storage (or other tracking technology) (best for companies that have an in-house IT/data engineering team and are comfortable with GA4)
  • Continue using GA4/GTM and implement a cloud-based tag manager or buffer (called a Customer Data Platform, or CDP) that will sign BAA and only pass non-IHII data to third parties
  • Remove Google Analytics completely and implement a new tracking mechanism – either self hosted OR with a company that will sign a BAA (i.e., Piwick PRO)

Throughout the decision making process it’s important to consider how your new setup can account for past analytics data storage, too, if possible. Ideally, the quicker solution for UA data will also be a compliant one.


Where do you go from here?

If this seems doable, great! Our hope is that this 3-step guide will help you stay on top of what’s coming and feel confident that you know what needs to happen and who to involve in your organization.

However, there is a LOT to think about, and we know that you may need to shift focus to other priorities. If you are feeling overwhelmed, don’t have the time, or are just not sure how to start, please reach out to us! We’d love to help you evaluate your current set up and get you on the right path forward.



About the Author

The Hedy & Hopp analytics team is the cornerstone to patient-centered activation. This team is responsible for building measurement plans and data visualizations that provide useful and action-oriented insights for all of our marketing campaigns. Insightful and curious, for this team of lovable geniuses, decision science is their marketing happy.

More from this author
Next Blog Post

HIPAA & FTC 101 For Marketers

After Jenny’s two-part series on the new HHS bulletin and movement from the FTC from…