As a healthcare marketing agency, we are often asked about the HIPAA compliance of certain marketing tools. To address this need, we have created a blog series that examines common marketing tools and software to determine whether or not they pose a HIPAA concern.

This week, we’re taking a closer look at Piwik PRO.

What Is Piwik PRO?

Piwik PRO is an advanced, privacy-focused web analytics platform. Designed as an alternative to platforms like Google Analytics, it offers in-depth insights into website traffic while ensuring user data privacy. Prioritizing data ownership and GDPR compliance, Piwik PRO provides both on-premises and cloud hosting options. It caters to businesses wanting granular data without compromising user trust or regulatory requirements.


Significant features:

  • User Privacy: One of Piwik PRO’s major selling points is its focus on data privacy. Customers can anonymize or redact IP addresses, respect Do Not Track headers, and provide transparent opt-out options for visitors.
  • Heatmaps: These features provide visual insights into where users are clicking, moving, and scrolling on a webpage.
  • Tag Manager: An integrated tag manager helps users easily add and manage various marketing and analytics tags on their website without the need to modify the site’s code directly.
  • Audience Segmentation: Piwik PRO allows for detailed audience segmentation, enabling marketers to analyze specific subsets of their traffic, such as users from a particular location or users who arrived through a specific marketing campaign.
  • Data Ownership: Unlike many other platforms, Piwik PRO ensures that the data collected remains under the website owner’s control. This is a particularly privacy-forward feature of Piwik PRO.
  • Multi-site Analytics: Users can manage the analytics for multiple websites within a single Piwik PRO instance.
  • CDP (Customer Data Platform): Piwik PRO’s CDP is available to premium customers. It allows users to build detailed customer profiles and segmented audiences.
  • Consent Management Platform: Piwik PRO boasts an easy-to-use consent management platform that ensures that website visitors can appropriately select their privacy preferences.

Third party integrations: Piwik PRO supports many integrations with other CMS, data visualization and data storage tools, and marketing platforms like Google Ads.

What Data Does Piwik PRO Collect?

Piwik PRO is a first-party data platform that uses a data model similar to Universal Analytics. The biggest difference between Piwik PRO and other analytics platforms is data ownership: the website owner always retains ownership of the collected data, which is fairly uncommon in similar products. What the platform collects depends entirely on how the tool is set up, but the following are almost always collected:

  • Site actions: The primary points of data collection, site actions are the events that users take on your site. This could be a button click, a form submission, a video view, or nearly any action you’ve defined on your site.
  • Event properties: The additional information attached to events, such as transaction prices, categories, and other information, which can be defined during setup.
  • Device information: This can include the model of the device the user is using, the operating system, and the browser.
  • Location data: This includes the visitor’s approximate location, derived from their IP address.

Is Piwik PRO HIPAA-Compliant?

Every organization’s definition of HIPAA compliance depends on its legal team’s interpretation of the guidelines set by the U.S. Department of Health and Human Services. That being said, Piwik PRO falls fairly low on the risk scale because it offers self-hosted (on-premises) storage, which keeps the data within your own environment, and is willing to enter into a Business Associate Agreement (BAA).

Risk Mitigation

Piwik PRO is a data-forward, privacy-focused product, whose risk mitigation options go beyond entering into a BAA. That being said, it is a good idea to ensure you have the following in place in order to catch some common missteps:

  • Ensure that you have a current, valid BAA in place. Schedule regular check-ins to verify that your BAA is still current.
  • Consider any other tools that may be integrated with Piwik PRO – is your configuration sending data to another third party tool? If so, do you have a BAA in place with that vendor? Stay aware of all steps of your data processing, storage, & transmissions and be judicious about integrations that are unnecessary, redundant, or obsolete.
  • Remember that as the website owner, it is your responsibility to own the data process and determine where this data goes. Are you storing it on a third-party server? If so, is that hosting provider covered by a BAA and configured to HIPAA standards (access controls, encryption, audit logging)? Each endpoint introduces another possibility for liability and risk.

It’s always important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Not sure how to get started?

Hedy & Hopp has already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. If you’re looking to make sure your marketing practices are compliant, let’s talk – we’d love to help!


This week, we’re taking a closer look at Mixpanel.

What Is Mixpanel?

Mixpanel is a popular analytics platform, similar to Google Analytics. It’s widely used by marketers who want an alternative to Google Analytics, or an upgrade from GA’s free version without the steep price hike to Analytics 360, as well as by product teams wanting to improve their users’ experience. Mixpanel can also offer a more customized analytics or reporting system without the workarounds you sometimes need in Google Analytics, which was built to provide basic insights out of the box for any user willing to complete a simple setup guide.

Mixpanel, however, is not intended for beginners, and instead focuses on marketers & product team members who are looking for a highly customizable product that exists outside of the Google ecosystem. Mixpanel’s popularity has grown further since the release of Mixpanel Marketing Analytics.

Healthcare marketers use Mixpanel to do the following:

  • Analyze patient journeys: Mixpanel can be used to understand the journeys that patients take when seeking care, from initial research to booking appointments.
  • Segmentation: Marketers can divide audiences into specific segments based on behavior, demographics, pages viewed, or any other number of trackable metrics.
  • A/B testing: Mixpanel allows for robust testing features, allowing marketers to test campaigns, webpages, and more in order to boost conversion rates.
  • Retention: Mixpanel can be used to measure user retention, which can help teams determine how sticky their content is.
  • Flexible and complex attribution: Mixpanel allows for highly customized attribution models, which can be tailored to specific user journeys.

What Data Does Mixpanel Collect?

Mixpanel is a first-party data platform that, much like GA4, operates on an event-based data model. What the platform collects depends entirely on how the tool is set up, but the following are almost always collected:

  • Site actions: The primary points of data collection, site actions are the events that users take on your website. This could be a button click, a form submission, a video view, or nearly any action you’ve defined on your site.
  • Event properties: The additional information attached to events, such as transaction prices, categories, and other information, which can be defined during setup.
  • Device information: This can include the model of the device the user is using, the operating system, and the browser.
  • Location data: This includes the visitor’s approximate location, derived from their IP address.

Is Mixpanel HIPAA-Compliant?

Every organization’s definition of HIPAA compliance depends on its legal team’s interpretation of the guidelines set by the U.S. Department of Health and Human Services. That being said, Mixpanel falls fairly low on the risk scale, largely because Mixpanel is willing to enter into Business Associate Agreements (BAAs) with its customers.

Risk Mitigation

Mixpanel is a data-forward, privacy-focused product whose risk mitigation options go beyond entering into a BAA. Mixpanel is built on Google Cloud Platform, which undergoes regular, independent verification of its security, privacy, and compliance controls against HIPAA. Keep in mind that this covers the underlying infrastructure only: how Mixpanel configures its service, and how you configure your own project and the events you send, remain your responsibility. It is therefore a good idea to ensure you have the following in place in order to catch some common missteps:

  • Ensure that you have a current, valid BAA in place. Schedule regular check-ins to verify that your BAA is still current.
  • Consider any other tools that may be integrated with Mixpanel – is your configuration sending data to another third party tool? If so, do you have a BAA in place with that vendor? Stay aware of all steps of your data processing, storage, and transmissions, and be judicious about integrations that are unnecessary, redundant, or obsolete.



As a healthcare marketing agency, we get a lot of questions about whether or not certain tools are HIPAA-compliant. That’s why we at Hedy & Hopp decided to create a blog series that dives into common marketing tools and software to determine whether or not they pose a HIPAA concern.


This week, we’re taking a closer look at Google Analytics (GA4).

What Is Google Analytics?

GA4 is the latest version of Google Analytics, the most popular analytics tool in the world. It is also the biggest change to the tool since its original release in 2005. For the first time, Google Analytics is not backwards compatible with the previous version’s tags: GA4 requires a complete reinstallation of tracking tags, which has many users reevaluating their tracking platforms. Paired with OCR’s recent bulletin on tracking technologies, which treats IP addresses collected on regulated pages as individually identifiable health information (PHI), this shift in the ecosystem has made the question of how Google Analytics fits into HIPAA compliance a hot topic for healthcare marketers.

What Data Does Google Analytics Collect?

Google Analytics, unsurprisingly, collects a lot of data about your user:

  • User identifiers: GA4 assigns each browser a client ID (stored in a first-party cookie) and uses it to stitch together sessions from the same device. Site owners can additionally set a User-ID, which GA4 uses to track the same person across multiple sessions and devices.
  • User properties: These are additional pieces of information about users, such as their age, gender, location, and interests.
  • Events: These are actions that users take on your website or app. For example, an event could be a pageview, a download, or a purchase. Some events are collected automatically; the rest need to be set up by the site owner.
  • Sessions: A session is a group of interactions that a user takes on your website or app within a certain period of time.
  • Dimensions: These are the different attributes of your data, such as the date, time, and page URL.
  • Metrics: These are the measurements of your data, such as the number of users, sessions, and events.

Is Google Analytics HIPAA-Compliant?

Google Analytics 4 has made a lot of improvements that make it easier for companies to apply stronger data privacy standards and move further into the age of cookieless tracking. These changes allow the tool to be used more in line with GDPR, CCPA, and other privacy regulations. Despite these changes, however, Google Analytics is not HIPAA-compliant: it still receives and stores PII/PHI, including device IDs, browser information, and location data, and Google does not offer a BAA for it. Google even explicitly states that “Google makes no representations that Google Analytics satisfies HIPAA requirements” and instructs users to refrain from sending the software any information that could be considered PII/PHI.

Risk Mitigation

There are several ways to make Google Analytics safer with stronger data privacy settings. These are available in the Privacy Controls section of your Google Analytics settings. While enabling these settings will not satisfy HIPAA requirements, it can help safeguard some user data while you determine a path forward (see our blog, Auditing your marketing plan for HIPAA compliance).

  • Data collection: You can disable the collection of certain types of granular data in Google Analytics, such as city-level location data, device details, and browser user-agent strings.
  • Data sharing: You can control how your data is shared with other Google products and services, including Google Ads and YouTube.
  • Consent mode: You can enable consent mode, which adjusts what the tags collect based on each visitor’s consent choices, so that full data is collected only from users who have given their consent.
  • Data retention: You can control how long event-level data is retained by Google Analytics before it is deleted.
  • User-level data deletion and export: You can delete an individual user’s data from Google Analytics (via User Explorer or the User Deletion API) and export data for portability requests.

 

PRO TIP: Server-side tagging is a data collection method that can help organizations protect user data. Instead of the visitor’s browser sending hits directly to Google, the browser sends them to a server you control, and that server decides which fields are forwarded. Because the forwarded request originates from your server, Google does not see the visitor’s IP address unless you choose to pass it, and you can strip or redact query strings, form values, and path segments that might contain PHI before anything leaves your environment. While it requires a well thought out digital infrastructure, it gives organizations more control over their data and helps them comply with privacy regulations while still using Google Analytics. Note that it does not by itself make Google Analytics HIPAA-compliant: it reduces what reaches Google, but a BAA still is not available.
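As an added illustration of the server-side tagging idea (this is example code written for this page, not code from Google, Hedy & Hopp, or any tagging product), the Python below shows the scrubbing step such a server would perform before forwarding a hit. The outbound dictionary follows the GA4 Measurement Protocol layout (a `client_id` plus an `events` list with per-event `params`), but nothing is sent. The shape of the incoming request, the PHI-bearing query keys, the sensitive path prefixes, and the dropped parameter names are all assumptions to tune against your own site’s URL inventory.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed, site-specific lists: tune these against your own URL inventory.
PHI_QUERY_KEYS = {"email", "phone", "name", "first_name", "last_name",
                  "dob", "patient", "mrn", "insurance_id"}
SENSITIVE_PATH_PREFIXES = ("/appointments/", "/patient-portal/", "/my-chart/")
# Incoming fields the server-side layer never forwards to the analytics vendor (assumed names).
DROPPED_PARAMS = {"client_ip", "ip", "user_agent", "user_id"}
EMAIL_RE = re.compile(r"[^\s@/?&=]+@[^\s@/?&=]+\.[a-z]{2,}", re.IGNORECASE)
REDACTED = "REDACTED"


def scrub_url(url: str) -> str:
    """Redact PHI-bearing query parameters and record identifiers in the path; drop the fragment."""
    parts = urlsplit(url)
    query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in PHI_QUERY_KEYS or EMAIL_RE.search(value):
            value = REDACTED
        query.append((key, value))
    path = parts.path
    for prefix in SENSITIVE_PATH_PREFIXES:
        if path.startswith(prefix):
            path = prefix + REDACTED  # keep the section of the site, drop the record identifier
            break
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), ""))


def pseudonymous_client_id(raw_cookie_id: str, salt: str) -> str:
    """Keyed one-way hash of the first-party cookie ID; rotating the salt breaks long-term linkage."""
    return hashlib.sha256(f"{salt}:{raw_cookie_id}".encode()).hexdigest()[:32]


def build_forwarded_payload(incoming: dict, salt: str) -> dict:
    """Turn a hit received by our own collection endpoint into the outbound analytics payload.

    `incoming` is the parsed request from the browser (shape assumed for this example).
    The visitor's IP is never forwarded: the outbound request originates from this server,
    and any IP field the browser sent is in DROPPED_PARAMS.
    """
    params = {}
    for key, value in incoming.get("params", {}).items():
        if key in DROPPED_PARAMS:
            continue
        if isinstance(value, str):
            if key in ("page_location", "page_referrer"):
                value = scrub_url(value)
            elif EMAIL_RE.search(value):
                value = REDACTED
        params[key] = value
    return {
        "client_id": pseudonymous_client_id(incoming["client_id"], salt),
        "events": [{"name": incoming["event_name"], "params": params}],
    }


if __name__ == "__main__":
    # Constructed sample hit, not real traffic.
    sample = {
        "client_id": "GA1.1.123456789.1700000000",
        "event_name": "form_submit",
        "params": {
            "page_location": "https://clinic.example/appointments/4471?email=jane@example.com&utm_source=ads",
            "client_ip": "203.0.113.9",
            "form_id": "request_appointment",
        },
    }
    print(build_forwarded_payload(sample, salt="rotate-me-quarterly"))
```

The allow-list approach matters more than the specific keys: anything your server does not explicitly forward never reaches the vendor, so a new form field or URL pattern added by a content team fails closed. Review the lists whenever the site’s URL structure or forms change, and log what was redacted (counts, not values) so you can see when the patterns stop matching.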

Where do you go from here?

Hedy & Hopp’s analytics experts can help by auditing your Google Analytics account for you, so reach out if your team is struggling with how to approach what can be quite an undertaking.

We have already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. Give us a call – we’d love to help!