Piwik PRO is a first-party data platform that uses a similar framework to Universal Analytics. The biggest difference between Piwik PRO & other analytics platforms is the data ownership. This means that the owner of the website always retains ownership of the data, which is fairly uncommon in similar products. What the platform collects is entirely dependent on the tool’s setup, but the following are almost always collected:

• Site actions: The primary points of data collection, the events that users take on your site. This could be a button click, a form submission, a video view, or nearly any action you’ve defined on your site.
• Event properties: The additional information attached to events, such as transaction prices, categories, & other information, which can be defined during setup.
• Device information: This can include the model of the device the user is using, the operating system, browser.
• Location data: This includes your approximate location based on your IP address.

Every organization’s definition of HIPAA-compliance is dependent on their legal team’s interpretation of the guidelines set by the U.S. Department of Health and Human Services. That being said, Piwik PRO falls pretty low on the risk scale because they offer self-storage and are willing to enter into a Business Associate Agreement (BAAs).

Piwik PRO is a data-forward, privacy-focused product, whose risk mitigation options go beyond entering into a BAA. That being said, it is a good idea to ensure you have the following in place in order to catch some common missteps:

• Ensure that you have a current, valid BAA in place. Schedule regular check-ins to verify that your BAA is still current.
• Consider any other tools that may be integrated with Piwik PRO – is your configuration sending data to another third party tool? If so, do you have a BAA in place with that vendor? Stay aware of all steps of your data processing, storage, & transmissions and be judicious about integrations that are unnecessary, redundant, or obsolete.
• Remember that as the website owner, it is your responsibility to own the data process & determine where this data goes. Are you storing it on a third party server? If so, is this server HIPAA-compliant? Each endpoint introduces another possibility for liability and risk.

It’s always important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Mixpanel is a first-party data platform that, much like GA4, operates on an event-based framework. What the platform collects is entirely dependent on the tool’s setup, but the following are almost always collected:

• Site actions: The primary points of data collection, site actions are the events that users take on your website. This could be a button click, a form submission, a video view, or nearly any action you’ve defined on your site.
• Event properties: The additional information attached to events, such as transaction prices, categories, & other information, which can be defined during setup.
• Device information: This can include the model of the device the user is using, the operating system, browser.
• Location data: This includes your approximate location based on your IP address.

Every organization’s definition of HIPAA-compliance is dependent on their legal team’s interpretation of the guidelines set by the U.S. Department of Health and Human Services. That being said, Mixpanel falls fairly low on the risk scale, largely because Mixpanel is willing to enter into Business Associate Agreements (BAAs) with its customers.

Mixpanel is a data-forward, privacy-focused product, whose risk mitigation options go beyond entering into a BAA. Mixpanel is built on Google Cloud Platform, which is subjected to regular, independent verification of security, privacy, & compliance controls against HIPAA. That being said, it is a good idea to ensure you have the following in place in order to catch some common missteps:

• Ensure that you have a current, valid BAA in place. Schedule regular check-ins to verify that your BAA is still current.
• Consider any other tools that may be integrated with Mixpanel – is your configuration sending data to another third party tool? If so, do you have a BAA in place with that vendor? Stay aware of all steps of your data processing, storage, and transmissions, and be judicious about integrations that are unnecessary, redundant, or obsolete.

It’s always important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Google Analytics, unsurprisingly, collects a lot of data about your user:

• User ID: This is a unique identifier that is assigned to each user. GA4 uses this ID to track users across multiple sessions and devices.
• User properties: These are additional pieces of information about users, such as their age, gender, location, and interests.
• Events: These are actions that users take on your website or app. For example, an event could be a pageview, a download, or a purchase. These events need to be setup by the owner .
• Sessions: A session is a group of interactions that a user takes on your website or app within a certain period of time.
• Dimensions: These are the different attributes of your data, such as the date, time, and page URL.
• Metrics: These are the measurements of your data, such as the number of users, sessions, and events.

Google Analytics 4 has made a lot of improvements that make it easier for companies to utilize stronger data privacy standards and move further into the age of cookieless tracking. These changes allow the tool to be used more in line with GDPR, CCPA, & other privacy policies. Despite these changes, however, Google Analytics is not HIPAA-compliant, as it still receives and stores PII/PHI, including device IDs, browser information, and location data, and does not offer a BAA. Google even explicitly states that “Google makes no representations that Google Analytics satisfies HIPAA requirements” and instructs users to refrain from exposing the software from any information that could be considered PII/PHI.

There are several ways to make Google Analytics safer with strong data privacy standards. These are available in the Privacy Controls section of your Google Analytics settings. While enabling these settings will not satisfy HIPAA guidelines, it could help safeguard some user data while you determine a path forward (see our blog, Auditing your marketing plan for HIPAA compliance)

• Data collection: You can disable the collection of certain types of data in Google Analytics, such as location data, device information, and user-agent strings.
• Data sharing: You can control how your data is shared with other Google products and services, including Google Ads & YouTube.
• Consent mode: You can enable consent mode, which allows you to collect data from users who have given their consent.
• Data retention: You can control how long your data is retained by Google Analytics.
• User-level data access and portability: You can grant users access to their own data in Google Analytics.

PRO TIP: Server-side tagging is a data tracking method that can help organizations protect user data. While it requires a well thought out digital infrastructure, it can give organizations more control over their data and help them comply with privacy regulations while still using Google Analytics.

GTM is probably unique in your tech stack in that it itself does not collect any data – instead, it provides a container with easily configurable tags, triggers, & variables that allow you to control exactly what tracking tools are on your website and how they send information back and forth. Common tags to have in GTM include:

• Google Analytics: The most popular analytics tool in the world, GA ties directly into GTM with minimal setup.
• Conversion Tracking Pixels: Google Ads, Meta Ads, LinkedIn Ads, and most other digital advertising platforms can use a conversion tracking pixel on your site to improve ad performance. At Hedy & Hopp, we consider these pixels to be a high risk in terms of HIPAA-compliance, since they share user data with third parties.
• Engagement/UX tools: Heatmapping tools like Lucky Orange, A/B testing tools like Optimizely, and countless other tools are routinely installed via Google Tag Manage

A good way to look at GTM through the lens of HIPAA-Compliance is that it can be the vehicle for compliance issues, and that it completely depends on how a specific site is using their tagging setup. A GTM container can manage tags for everything from a Google Search Console verification tag (completely HIPAA-compliant) to a Facebook Pixel that is gathering personal data about users who may be visiting sensitive pages on a site (completely non-compliant!). 

PRO TIP: As a general rule, conversion pixels are concerning in terms of HIPAA-compliance and should be avoided. Learn more about the recent updates in HIPAA guidance by listening to our HIPAA & FTC 101 podcast.

While Google Tag Manager supports some obfuscation options that grant some level of increased data privacy and protection, this is not a watertight approach. Often, the obfuscated data is still being shared with some third party processors. Server-side Google Tag Manager (sGTM) can be a much safer approach, offering more options for data privacy and allowing users to completely control which data is shared (and not shared) with each platform. 

If you want to assess your GTM risk in it’s current set up, a great place to start is by extensively documenting the functionality of each tag in your account. From there, you can assess the risks of each tag and make a plan to improve data privacy. 

PRO TIP: While server-side tagging is not for everyone and does not eliminate issues associated with third party tracking tags, this approach puts more power in the hands of your team to ensure that you are protecting your users’ data.

Like most evaluation efforts when a massive change happens, we start with an audit. Document all of the channels you use, plan to use, are investigating using or/and have used in the last 12 months (to account for changes with seasonality). 

Supplement this list by using third party tools like Wappalyzer to identify any pixels, code, plugins, etc., that may be on your website.

PRO TIP:

It is important not to skip this part. We cannot tell you how many clients have told us that they removed a software but we still saw live tags in GTM or hard-coded on their website There are also many plugins that our clients didn’t even know existed that we were able to identify (and actually remove if needed) through using these tools.

At least in the initial stage, it’s important for marketers to know what applies to them. Covered entities are always beholden to HIPAA, but health-adjacent companies and non-covered entities also need to be aware of the FTC and state laws, where applicable. Most states require companies to reach a number of annual visitors or/and meet a specific revenue goal in that state before they are required to comply, but it does vary. IAPP is a great resource for keeping up with those details. 

First, conduct a monthly traffic report for the last 12 months, and separate out by state. 

• Add Europe to confirm if GDPR needs to be included

Under the state(s) that are relevant to your company, review the following:

• Are companies who follow HIPAA excluded from compliance? If so, and you are a covered entity, then the state’s laws likely do not apply
• How does the state describe “sensitive information”? This can include marital status, sexual orientation and other non-health-specific (but very personal) information. 
• Is consent required from users before any data can be collected (i.e., before any tags are fired)? If so, how is “consent” defined?

You will probably find a lot of softwares that can be excluded from further investigation, like Javascript libraries, fonts and some plugins. But there will be a host of others that, either by nature of the platform or based on your implementation, will cause some issue with privacy – specifically with the “selling” (or sharing) of personal information. 

Below is a guide for the kinds of platforms we have seen make the priority list:

• Analytics tools (i.e., Google Analytics, Mixpanel, Piwik Pro)
• Advertising platforms (i.e., Meta, Google Ads)
• User Experience tools (i.e., Optimizely, Medallia, Lucky Orange, Crazy Egg)
• Website Servers, Hosts, CDNs (i.e., Kinsta, WP Engine, Cloudflare) 
• Customer Relationship Managers/CRM (i.e., Hubspot, Salesforce)  
• Video Embeds (i,e. Wistia, YouTube)
• Product Review platforms (i.e., Yotpo)
• Data Visualization tools (i.e., Marketing Cloud Intelligence (Datorama), Looker Studio)

If this list freaks you out, we see you. It looks like EVERYTHING is a priority! So we broke it down even further to prioritize based on the intent of how the platform is using that data, which makes the list looks a bit more manageable: 

Priority 1: Data shared with additional third parties or/and includes sensitive information

• Analytics tools
• Advertising platforms
• Video Platforms or Embeds 
• Product Review platforms

Priority 2: Data necessary to perform function

• User Experience tools 
• Website Servers & Hosts) 
• Customer Relationship Managers/CRM
• Data Visualization tools 

Ok, that probably still makes your heart race, but what’s important to keep in mind is that the biggest concern for these platforms is based on the information being shared and how. Tools like your Website CMS by nature need to collect IP addresses, so while your company is sharing that “personal” information with a third party, it might not be a big risk for your company since that access is required to work. 

Why do we say that? Although an IP address is still considered PII, it’s not nearly as personal (i.e., 1-to-1) as a diagnosis, a name, or an email address. This is why it’s essential to work with your legal team to determine what platforms are riskier than others based on the agreements in place.

As a marketer, your first instinct may be to say that all of these softwares, tools and platforms are necessary. And that might be the case. In our experience, however, there are usually software or tactics that are duplicative or have a more compliant alternative. Think critically about what your marketing is doing for you and embrace the opportunity for refinement that you now have.  

Here are some questions to ask yourself while evaluating the priority tools:

• Has this tool provided me with information that helped me improve a marketing tactic or initiative? 
• Has this tool impacted my bottom line? Is it a tool that has generated leads or improved customer experience? What data do I have to prove it?

If you said “no” to either of these questions, definitely consider removing those tools and tactics and you’ll be on your way to a cleaner, more compliant marketing plan and website. If you responded yes to any of these questions, then the next step is an important one – so keep reading! 

PRO TIP:

Consider if any of the tools are duplicative. If you can consolidate tools to limit the number of third party tags and tools on your website, we would always recommend doing so.

This is the big one – the future of your marketing activation and evaluation. This last part will take some time and collaboration from your organization and marketing partners. The main question here is how you can modify the implementation or replace the tool to improve compliance. Some tools may offer anonymization, for example, which would be worth exploring. 

Each marketer will implement various tools in various ways (too many variables for this post!). Here are a few best practices that helped us get our clients up to par (without losing their minds). 

• Get Business Associate Agreements (BAA) in place for the platforms that have access to your customer’s PHI. Not all of them will sign one (we’re looking at you, Google and Meta), but those that will sign one should be looked into.
• Consider moving to server-side analytics
  • Pixels are helpful and make optimization really easy and automated. But they are also a primary culprit in why advertising and analytics platforms can be risky. Moving to server-side analytics or incorporating a Customer Data Platform (CDP) might be the way to go if you have the proper IT infrastructure and resources in place. 
  • Moving to server-side doesn’t automatically absolve your website of data privacy concerns, but it could be the first step in a privacy-forward approach to data collection and storage.
• Remove pixels and rely more on manual UTMs and short links. It might seem like a step back for senior marketers, but ensuring that Meta, Google, Microsoft and other advertising platforms have no access to user data is a critical component to compliance, especially for platforms that don’t have the option of a BAA or updated terms.
• Take an extra step in updating tag configurations and settings for tools and platforms that offer such settings, to anonymize or remove specific PII from website visitors
  • Be sure to confirm what they mean by anonymization, and that they don’t really mean pseudonymization. Also, be sure to confirm that data is anonymized before it’s shared and that the third party in no way has access to the actual data). 
• Make sure consent banners and your website’s Privacy Policy have been updated to account for what website data is shared and how (and what privacy regulations you need to follow).

PRO TIP:

If you’ve not done so already, this is the time to make absolutely sure your legal team is aware and involved in these discussions. With the number of nuances with HIPAA privacy, it’s critical that your company’s legal team has the opportunity to engage and provide input on updates, specifically on privacy policies and  the company’s overall data privacy approach.

Once these changes are in place, consider the next 30-60 days as a trial period. Are you missing any data for evaluation? Any new questions arising with the data you can see? It’s a good reminder that any change that you make will take some adjusting, but that doesn’t mean insights can no longer be found.

PRO TIP:

Don’t forget to update your data visualization dashboards to account for any new placements, accounts or configurations!

LinkedIn collects a variety of personal and technical data from its users, including:

• Profile Data: LinkedIn collects information from user profiles, including job titles, industries, company affiliations, educational background, skills, and interests. This data is used to target ads to specific professional audiences based on their profile information.
• Demographic Data: LinkedIn may collect demographic information such as age, gender, location, and language preferences. This data helps advertisers target specific demographics for their campaigns.
• Engagement Data: LinkedIn tracks user engagement with ads, including impressions, clicks, likes, comments, and shares. This information helps advertisers assess the effectiveness and impact of their campaigns.
• Website and Conversion Data: If advertisers use LinkedIn’s conversion tracking or retargeting features, LinkedIn collects data related to website visits, conversions, and actions taken by users on their website. This data helps measure the success of advertising campaigns in driving desired outcomes.
• Ad Interaction Data: LinkedIn collects data on how users interact with ads, such as ad views, interactions, video views, and form fills. This information helps advertisers understand user behavior and optimize their ad creative and messaging.
• Pixel Data: LinkedIn provides a tracking pixel called the Insight Tag that can be placed on advertiser websites. This pixel collects data on website visits, page views, and conversions, enabling better ad targeting and measurement.
• Third-Party Data: LinkedIn may also use third-party data sources to supplement its own data and provide additional targeting capabilities. These sources may include data providers that offer insights on professional attributes, interests, or intent.

Remember – just because a targeting option is available does mean that you should use it. In fact, taking advantage of features that could make your campaigns more effective could be what compromises your HIPAA compliance. 

After the updated guidance from the Department of Health and Human Services was released, things haven’t exactly been black and white as far as whether or not this crosses a line, but from our perspective, it really depends on how you use the platform – specifically the Insight Tag. Conversion pixels can compromise HIPAA compliance in a few ways. 

• First, they can collect PHI without the user’s knowledge or consent. This is because conversion pixels can track users across multiple websites, even if they are not logged in. 
• Additionally, conversion pixels are often used to retarget users with display ads. This can be a serious violation, as it can expose sensitive content that individuals have been viewing about specific diseases, illnesses, or conditions.

While LinkedIn only keeps personal data collected from the Insight Tag for 180 days, there is a lot that can be done with this data in that time period. The HHS is also very specific that the sharing of, or even the ability to access any personal health information is a violation.

Pro Tip:

LinkedIn is somewhat unique in that healthcare marketers may be using the platform to reach a different audience than prospective patients. For example, if a healthcare marketer is using LinkedIn to reach HCPs (healthcare professionals) HIPAA may not even apply to those efforts.

That being said, there are also some tactics available in LinkedIn Advertising that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing, lookalike audiences and uploading target lists. It is also important to consider other tools that have access to your LinkedIn data, including optimization and data visualization software.

As with most advertising platforms, there are steps that can be taken to mitigate risk and to protect your users’ data as much as possible. Some good rules of thumb are to limit conversion pixels as much as possible, consider a server-side tagging strategy, and to ensure that you are not using predatory tactics to reach people with a specific condition or disease.

As with anything HIPAA-related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible.  

Pro Tip:

It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Similar to Google Ads, YouTube relies heavily on the user being signed into their Google Account (which automatically becomes their YouTube account) in order to track behavior across a wide range of touchpoints. This means that YouTube collects the following data on its users:

• Device information: This includes your device’s IP address, operating system, and browser type.
• Search history: This includes the keywords you’ve searched for and the websites you’ve visited.
• Ad interactions: This includes whether you’ve clicked on an ad, how long you’ve viewed an ad, and whether you’ve taken any other action after seeing an ad.
• Location data: This includes your approximate location based on your IP address.
• Session data: This includes your web browsing history.

Additionally, even just embedding a YouTube video on a website could be cause for concern, as the iframe sends information back to DoubleClick, the base advertising platform that Google uses. This means that users watching a YouTube video embedded on a third party site could have that video’s contents tied to their Google profile, which could potentially reveal sensitive health information about that user.

After the updated guidance from the Department of Health and Human Services was released, things haven’t exactly been black and white as far as whether or not this crosses a line, but from our perspective, YouTube advertising is certainly one that your team should think critically about, especially when you consider the long list of Google’s subprocessors, who could potentially have access to any and all data collected. This is especially true if you’re adding a Google tracking pixel to your website. 

Furthermore, there are also some tactics available in YouTube Advertising that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing and lookalike audiences. It is also important to consider other tools that have access to your YouTube data, including optimization and data visualization software.

As with most advertising platforms, there are steps that can be taken to mitigate risk and to protect your users’ data as much as possible. Some good rules of thumb are to limit conversion pixels as much as possible, consider a server-side tagging strategy, and to ensure that you are not using predatory tactics to reach people with a specific condition or disease.

As with anything HIPAA-related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible.

Pro Tip:

It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Of all of the platforms you may be using, it’s possible that Meta is the one collecting the most information about your users. This is largely because users who see your ads are already registered users of Meta’s platforms, meaning that Meta has extensive profiles on each customer, even before they may view your ad. 

• Information about users from their profiles: everything the user has added or posted, their activity on social media platforms, their friends, likes, groups, and browsing history on sites that have a Meta Pixel installed.
• Device information: This includes your device’s IP address, operating system, and browser type.
• Ad interactions: This includes whether you’ve clicked on an ad, how long you’ve viewed an ad, and whether you’ve taken any other action after seeing an ad.
• Location data: This includes your approximate location based on your IP address.

More data can be collected if you have a Meta Pixel installed on the site that your ads are driving to. This pixel links events and conversions on your website to specific ads, as well as specific user profiles. Some of that data can even be passed through the click-through URL, meaning that data is shared with your analytics platform, such as Google Analytics.

After the updated guidance from the Department of Health and Human Services was released, there were two notable companies that faced scrutiny from the FTC, both of which were using Facebook marketing tactics. BetterHelp and GoodRx both settled for large sums after these allegations surfaced. The scariest part? They were using Facebook and Instagram ads in very common use cases. And while compliance isn’t really a black & white concept, from our perspective, Meta is a very risky platform that should be among the first platforms marketers evaluate. 

Furthermore, there are also some tactics available in Meta Advertising that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing and lookalike audiences. It is also important to consider other tools that have access to your Meta data, including optimization and data visualization software.

Some risks can be mitigated in Meta ads by taking advantage of options to enhance data privacy. These options include never using remarketing audiences and foregoing the Meta Pixel. This could disrupt how you’re currently evaluating marketing effectiveness, so if Meta is a platform you must keep to grow your business, there are ways to still leverage this channel with limited data sharing risks.

As with anything HIPAA-related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible. 

Pro Tip:

It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Google Ads collects a variety of data about its users, including:

• Device information: This includes your device’s IP address, operating system, and browser type.
• Search history: This includes the keywords you’ve searched for and the websites you’ve visited.
• Ad interactions: This includes whether you’ve clicked on an ad, how long you’ve viewed an ad, and whether you’ve taken any other action after seeing an ad.
• Location data: This includes your approximate location based on your IP address.
• Session data: This includes your web browsing history.

Additionally, Google Ads can collect personal information, including names, email addresses, phone numbers, and location data when using Enhanced Conversions and Customer Audience Data Imports.

According to the updated guidance from the Department of Health and Human Services, there isn’t a clear yes/no answer. However, knowing that Google Ads will not sign a Business Associate Agreement (BAA), we think using Google Ads, specifically when using conversion tags, does pose a risk.

Furthermore, there are also some tactics available in Google Ads that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing and lookalike audiences. It is also important to consider other tools that have access to your Google Ads data, including optimization and data visualization software.

As with anything HIPAA related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible. Some risks can be mitigated in Google Ads by taking advantage of options to enhance data privacy. These options include using server-side tagging, never using audience imports, remarketing audiences, or enhanced measurement, and not tagging pages that could potentially pass PII/PHI in URL parameters.

Pro Tip:

It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Microsoft Ads collects a variety of data about its users, including:

• Device information: This includes your device’s IP address, operating system, and browser type.
• Search history: This includes the keywords you’ve searched for and the websites you’ve visited.
• Ad interactions: This includes whether you’ve clicked on an ad, how long you’ve viewed an ad, and whether you’ve taken any other action after seeing an ad.
• Location data: This includes your approximate location based on your IP address.

Microsoft uses this data to serve ads that are relevant to your users, track the performance of ad campaigns, and improve its own ad platform’s performance.

You can see a full list of the data collected and accessed through the UET tag in their privacy section (“What data does UET collect once I install it on my website?), but that list will get longer with the new UET update set for June 29.

Additional Considerations

There are some tactics available in Microsoft Ads that aren’t unique to that platform but are never HIPAA-compliant. These include remarketing and lookalike audiences. Conversion pixels also may render your ads non-compliant, depending on their usage. It is also important to consider other tools that have access to your Microsoft Ads data, including optimization and data visualization software.

The updated guidance from the department of Health and Human Services, there isn’t a clear yes/no answer. However, knowing that Microsoft Ads will not sign a Business Associate Agreement (BAA) and doesn’t have the same kind of privacy configurations you can leverage in Google Ads platform, we think using Microsoft Ads, specifically placing their UET pixel on your website, does pose a risk.

As with anything HIPAA related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible. It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.