Collecting and analyzing user data is essential to healthcare businesses that want to build relationships with prospects, better meet their patients’ needs, and gain authority within the industry.

As a healthcare organization subject to HIPAA, you’re walking a fine line when trying to improve the patient experience and ensure your activities are HIPAA-compliant.

Since 2023, HIPAA enforcement has intensified, with over $100 million in fines for pixel tracking violations. Google Analytics remains dominant, but it’s fundamentally incompatible with HIPAA requirements.

In this article, we will show you the analytics vendors and implementations available on the market and explore their advantages and shortcomings concerning HIPAA compliance.

What are the challenges of finding a HIPAA-compliant analytics tool

HIPAA’s strict regulations require careful evaluation of analytics tools. Non-compliance risks heavy fines, with 47% of healthcare marketers reporting issues like reduced ROI and reputation damage.

As of 2025, HIPAA enforcement has surged, with fines up to $63,973 per violation and caps at $2M for repeat issues. In 2024, OCR closed 22 enforcement actions, followed by 10 more in 2025, targeting risk analysis failures.

When it comes to web analytics platforms and HIPAA, your approach depends on whether you collect protected health information (PHI) through your site or app. Data that isn’t considered PHI is outside the scope of HIPAA.

First, sharing PHI for marketing and analytics is not a permitted disclosure under the HIPAA Privacy Rule. To legally send PHI to your analytics platform, you must sign a business associate agreement (BAA) with the vendor, specifying each party’s responsibilities regarding PHI and ePHI and establishing a legally binding relationship.

Many vendors don’t want to sign BAAs. In this case, you must remove all identifiers from the data to use their services, so that it’s no longer considered PHI. But the process of de-identification is long and complicated.

For one thing, HIPAA views many types of URLs as PHI. It would be hard to de-identify all URLs, and doing so would make your analytics unusable. For example, de-identification would negatively impact remarketing and user-based or service-based reporting.

On the other hand, cherry-picking URLs containing PHI would also be difficult, mainly because of how much sites change over time.

If you need to comply with HIPAA, you should evaluate the available healthcare analytics solutions and find the right tool for your needs, even if it means migrating to a new vendor. Below, we will analyze how different vendors approach data privacy in healthcare and help you choose the best option for your organization.

read also

The guide to HIPAA compliance in analytics

Learn how your organization can achieve HIPAA compliance in analytics, marketing and advertising, including recommended practices and tools to adopt in your technology stack.

Download the whitepaper

Why Google Analytics isn’t HIPAA-compliant

Although Google Analytics remains widely used, numerous compliance concerns and recent enforcement actions have made GA4 unsuitable for healthcare organizations.

Let’s consider several ways to implement GA4 and explore the issues associated with each approach.

Client-side GTM and GA4

This setup is not HIPAA-compliant.

Why can’t you send protected health information (PHI) to Google

Organizations covered by HIPAA can’t disclose PHI to tracking technology vendors – this includes sharing and using PHI for marketing purposes. Google uses all data within its systems to develop new services, improve existing offerings, and create personalized advertising experiences. Using a covered entity’s PHI for Google’s scale of operations can be a severe violation of HIPAA’s Privacy Rule.

Google also stores all tracked data in databases located around the world and offers neither on-premise hosting nor bespoke data residency services. Thus, covered entities cannot control where their patient data is stored. HIPAA sees this as a breach of accountability.

Google’s position is unambiguous in their official documentation. According to Google’s Analytics Help Center, “Customers who are subject to HIPAA must not use Google Analytics in any way that implicates Google’s access to, or collection of, PHI”.

You must make an extra effort to avoid passing any trace of PHI to your analytics or switch to an analytics platform that will help you process patient data with the proper safeguards.

When using client-side GTM, the user’s browser communicates directly with third parties, making it challenging to control the shared information. Depending on how your website or app processes user information, there might be a risk of PHI being shared in HTTP requests.

What are the challenges of defining protected health information (PHI)

Not all health data is PHI. For example, phone numbers or IP addresses alone aren’t PHI, but they become PHI when linked to health conditions or treatments.

The HHS bulletin elaborates on when data may qualify as PHI. Healthcare information collected on a regulated entity’s website or app is generally considered PHI even if:

• The individual does not have an existing relationship with the regulated entity, and
• Data such as IP address or geographic location does not include specific treatment or billing information, like dates and types of healthcare services.

HHS guidance states that authenticated pages will likely contain many forms of PHI, making them subject to HIPAA.

It also clarifies when unauthenticated pages include PHI. Specifically, whether PHI is being disclosed depends on the underlying intentions of the visitor.

For example, if a student visited a regulated entity’s webpage to review its oncology service offerings for a research paper, the collection of identifying information on the student would not be a violation because it is not related to the student’s health care. On the other hand, if an individual visited the same oncology webpage to seek a second opinion on a cancer diagnosis, any identifying information collected would be PHI because it relates to the individual’s past, present, and/or future health.

The bulletin also mentions that mobile apps contain PHI provided by the app user and their devices, such as geolocation or device ID.

You can’t set GA4 tags on any pages that may fit the definitions provided in the HHS bulletin.

Note: In June 2024, a judge ruled in favor of the AHA, declaring that OCR had overstepped its authority when issuing the guidance. On August 29, the OCR decided not to appeal the district court’s decision.

The court ruling and HHS’ decision not to appeal it do not settle the issue of collecting and using PHI by healthcare organizations. The ruling was issued in a specific case, indicating that an IP address combined with visit data from an unauthenticated web page does not constitute PHI. However, the ruling does not vacate other parts of the guidance, like those relating to authenticated pages such as patient portals. 

While the definitions of PHI and ePHI are well-established, the widespread use and interoperability of modern IT systems make it easy for PHI to inadvertently leak into your website or app. It’s wiser to stay on the safe side rather than rely on a gray-area interpretation of PHI. To protect patient privacy and reduce the risk of hefty fines, organizations must remain vigilant about the data they collect and share with analytics vendors.

Learn more about the implications of the court ruling: The AHA’s lawsuit against HHS guidance on online tracking technologies: What it means for HIPAA-covered entities and their use of analytics

Server-side GTM and GA4

This setup is not HIPAA-compliant.

Server-side GTM, when properly set up, helps you control what data you share with Google. User data is only sent to the server hosting the GTM container rather than being shared with multiple third-party servers. You can remove any PII within the server container before passing the data on to marketing partners.

However, you’ll face two types of issues with this implementation.

Why is it difficult to de-identify protected health information (PHI)

Since you’re not allowed to send PHI to Google Analytics, you must strip all PII/PHI from the data before sending it to GA4. 

De-identifying PHI requires the removal of all 18 HIPAA identifiers (Safe Harbor method) or expert analysis (Expert Determination method) to ensure the data isn’t PHI and doesn’t fall under HIPAA’s Privacy Rule. 

That said, it’s unlikely that you’ll be able to strip all PHI.

IP addresses and device IDs can be easily removed with ssGTM. However, URLs are more complicated to de-identify because you collect a URL title on every visit. The title can contain sensitive information, like the doctor’s name and specialization or a patient’s name, or you can collect search parameters in link decorations.

There are also issues with de-identifying custom dimensions, variables, and event attributes that you assign PHI to. For example, you may track a healthcare app and collect a custom event when someone clicks on a doctor’s image. The event collects the doctor’s name and specialization, which may lead to uncovering the individual’s health issue, thus making this data PHI.

What are the legal risks of using Google Tag Manager in healthcare

Another aspect concerns the legal risk involved with using GTM together with GA4. 

This is reinforced by Google’s Tag Manager Use Policy, which explicitly states that users “will not assist or permit any third party to pass information, hashed or otherwise, to Google that Google could use or recognize as personally identifiable information”.

As a result, you can’t send PII to GA4, and PHI is a subset of PII.

Some people say that you can still safely analyze such data in GA4, and these terms don’t apply because:

• You can host ssGTM on the HIPAA-compliant infrastructure of your choice.
• If you de-identify data, it’s no longer considered PHI.

But there is a lot at stake here. As a HIPAA-covered entity, consult your legal team before implementing this option.

Find out more about Google Analytics and HIPAA: Is Google Analytics HIPAA-compliant?

ssGTM, BigQuery, and data visualization tool

This setup may be HIPAA compliant if you take certain steps.

Another option involves combining ssGTM with BigQuery and a data visualization tool.

This type of setup will only be affected by the ssGTM issue with the difficult de-identification process. But this problem can be mitigated when you work with a HIPAA-compliant data collection tool.

For example, you can set up ssGTM with different tech, including a data collection system, and transfer events directly into BigQuery. With this setup, the data would never be sent to Google Analytics servers and only be recorded in BigQuery, which is HIPAA-compliant. You can store the raw data and access it with a BI tool such as Looker Studio or Tableau.

Streaming events from ssGTM to BigQuery is simple but lacks analytics processing, requiring additional data handling in BigQuery.

Cons

• Loads of maintenance needed, which leads to inflated data team costs.
• De-identification will most likely be necessary with ssGTM, depending on downstream technologies’ compliance with HIPAA. It’s a complex and time-consuming process that requires stricter organizational measures.
• ssGTM lacks transparency – there is no way for end-users to monitor or make decisions about data processing.

Pros

• A lot of talent on the market is proficient at using Google’s products and can support your implementation.
• The setup with ssGTM and BigQuery is quite popular.
• You have the flexibility of your own data warehouse.

Adobe: Enterprise analytics solution

Adobe is the second-biggest enterprise analytics player on the market.

Adobe offers a few products that can help you improve healthcare experiences while protecting patient privacy:

• Adobe Analytics (AA) is an analytics and reporting solution that monitors user traffic and interactions across various marketing channels. AA offers customizable reporting, segmentation and predictive insights, but is complex, costly, and requires specialized expertise, limiting its accessibility.
• Adobe Customer Journey Analytics (CJA) lets you connect cross-channel data, explore the customer journey in full context and apply AI-driven insights, and it resembles GA4. Concerning HIPAA, CJA can easily identify and secure PHI and PII, apply access rules, and create data use audits.
• Adobe Launch is a tag management system and part of Adobe Experience Manager.
• Adobe Real-Time Customer Data Platform (CDP) connects customer data from all your channels into unified profiles that support discovering insights and delivering personalized experiences.

So, do Adobe’s products help you comply with HIPAA?

Providing PHI to Adobe is compliant only if it concerns a HIPAA-ready service, following the license agreement and BAA between Adobe and its client. To check which Adobe’s services are compliant, you can check this list of Adobe’s HIPAA-ready products.

Two analytics setups have been implemented on the market using Adobe’s products:

Adobe Launch and Adobe Analytics

This setup is not HIPAA compliant.

Adobe Analytics is not listed as HIPAA-ready on Adobe’s site. It means that Adobe won’t sign a BAA with you to use AA. As a result, you are not permitted to create, receive, maintain, or transmit PHI through Adobe Analytics.

Adobe Launch and Adobe Customer Journey Analytics

This setup is HIPAA compliant.

Adobe CJA is on the HIPAA-ready list, so you can safely use it as a HIPAA-covered entity and send PHI to it. This setup can be complemented with Adobe CDP for audience creation and activation.

However, since the only way to achieve HIPAA compliance with Adobe is by using CJA, note that this tool’s main advantage is integration with other components in the Adobe Experience Platform. By itself, CJA is far less advanced than AA.

It’s also worth noting that cost considerations are significant with Adobe solutions. Adobe’s enterprise analytics packages typically start at $48,000 annually, making it one of the more expensive options in the market.

Cons

• You are faced with high implementation and subscription costs.
• Adobe’s analytics products are difficult to learn and use.
• You risk single-vendor lock-in due to the amount of other tightly integrated products offered by Adobe.

Pros

• You can sign a BAA.
• You get an all-in-one analytics solution.

Piwik PRO: Full-featured HIPAA analytics

Piwik PRO has emerged as the leading HIPAA-compliant alternative to Google Analytics, purpose-built for organizations operating in highly regulated industries. Piwik PRO provides privacy-friendly analytics and combines accuracy, flexibility, and complete control when collecting and analyzing customer data.

Unlike other vendors that add compliance features later on, Piwik PRO was designed from the ground up with privacy and security requirements in mind, including HIPAA-related features and controls. Piwik PRO also helps you comply with the HHS bulletin on the use of tracking technologies. Because of that, we can easily support your analytics use cases in healthcare.

Here is an overview of our modules, all of which allow you to comply with HIPAA:

• Analytics allows you to analyze the customer journey across websites and apps. You can use advanced analytics features like funnels, user flows, customizable reports and dashboards. And you can always extend the platform’s capabilities through custom development and integrations. You can use raw data exports to send data to any destination. Increased security features allow you to use Analytics in sensitive industries, like healthcare.
• Tag Manager lets you quickly create, test, and deploy tags from customizable templates. You gain greater flexibility in collecting and utilizing their data through smooth integration with other Piwik PRO modules.
• Customer Data Platform (CDP) enhances your ability to act on the insights you draw from your data. You can better understand your customers, provide more personalized experiences, and improve your campaigns.
• Consent Manager is an optional addition for increased transparency, allowing you to collect, manage, and store user consents.

Key HIPAA compliance features

The most important features of Piwik PRO that support HIPAA compliance include:

• Ability to sign a customizable business associate agreement (BAA), allowing you to send all types of PHI to your analytics setup.
• Hosting on HIPAA-compliant Microsoft Azure data centers, where you can choose the specific location of your data.
• ISO 27001 and SOC 2 type II certifications.
• Encryption of ePHI when the data is at rest and in transit.
• Advanced user-permission options that let you put PHI only in the hands of authorized personnel.
• Not sharing ePHI with third parties or reusing it for other purposes.
• Regular privacy and security audits undertaken by external, independent bodies to ensure the highest level of security measures.

Implementation options

Recommended ways for you to implement Piwik PRO modules include:

Piwik PRO Analytics, Tag Manager and CDP

This setup is HIPAA-compliant and provides a complete suite of modules for effective healthcare analytics.

With this option, you can safely collect and analyze PHI and ePHI while respecting the highest privacy and security safeguards. You can analyze the customer journey across all channels, control data collection and adjust it to your needs, and you get to activate the data to improve the patient experience.

Piwik PRO Analytics Suite and a data warehouse

This setup is HIPAA-compliant.

This is a point solution for marketers, combining the capabilities of analytics and activation. You can connect our suite of products with a data warehouse via scheduled raw data exports or API, allowing you to extend the platform’s data analysis functionalities.

Learn more about How to make your website compliant with HIPAA using Piwik PRO.

Cons

• You are using tools from one vendor only.
• There is a client-side tag manager.

Pros

• You can sign a BAA.
• You get an all-in-one analytics solution.
• The costs are low.
• CDP is available for server-side profile activations.
• You have the ability to use Piwik PRO as an analytics endpoint in server-side tracking, which improves data collection, accuracy and control.
• The modules are easy to learn and use thanks to their similarity to the Universal Analytics interface.

Freshpaint: Healthcare Privacy Platform

This setup is HIPAA-compliant but has limitations.

Freshpaint offers its Healthcare Privacy Platform, which serves as a privacy layer between your website and analytics tools.

It captures all tracking data and automatically de-identifies PHI before sending cleaned data to downstream tools. While this approach allows continued use of familiar platforms, it comes with significant trade-offs.

Freshpaint is not an analytics platform itself and must be connected to other tools to create a full analytics setup. Setup and maintenance require significant technical skills, resources, and coordination across multiple teams, which makes using the tool very costly.

You also can’t report on or visualize the data within Freshpaint’s platform, meaning you won’t have access to PHI. As a result, your dataset will be incomplete and therefore not fully accurate.

Cons

• Not a complete analytics platform – requires additional tools for full functionality
• Complex setup and maintenance requiring specialized technical expertise
• Higher total cost when factoring in multiple vendor relationships
• Limited reporting capabilities within Freshpaint itself
• Data accuracy issues due to aggressive PHI filtering
• Ongoing compliance risk if de-identification fails

Pros

• Enables the use of the existing Google Analytics setup
• Healthcare-specific BAA and compliance features
• Advanced PHI detection and filtering capabilities

Using a mix of vendors

This setup may be HIPAA compliant if you take certain steps.

Combining tools from different vendors can get complex. You need to assess your needs very well, understand what each tool offers, and check how it can help you comply with HIPAA.

Generally, your analytics setup should include the following tools:

Data collection system + data warehouse + data visualization tool

We list some popular data collection systems below and link to the relevant information regarding their HIPAA compliance. Aside from that, you will need to verify their specific HIPAA compliance yourself.

Data collection system

Data collection tools like CDPs (e.g., Segment) and BDPs (e.g., Snowplow) vary in complexity and offered capabilities. These vendors offer more than just pure tracking, meaning you need to make a separate assessment of your needs and how these tools fulfill them.

Popular data collection systems (trackers or CDPs) that will sign a BAA:

• Rudderstack
• Tealium
• Segment
• Snowplow – no need for a BAA in the self-hosted version (it’s uncertain whether the vendor would sign a BAA for the cloud)

Data warehouse

A data warehouse holds data that is extracted, loaded, and transformed from one or more operational source systems and modeled to enable data analysis and reporting in your business intelligence (BI) tools.

Popular data warehouse providers that will sign a BAA:

• Snowflake
• Google Cloud Platform (such as Google BigQuery)
• Microsoft Azure (such as Microsoft Azure Data Synapse)
• Amazon Web Services (such as Amazon Redshift)

Data visualization tool

A data visualization tool enables the visual representation of data, allowing for the effective extraction of actionable insights from the data.

Popular data visualization tools that will sign a BAA:

• Looker Studio
• Tableau
• Power BI

Common setups that include different vendors:

• Piwik PRO (data collection, visualization, and CDP) + data warehouse (data copy for science team) + Looker Studio or Tableau (broad data visualization)
• Adobe CJA + CDP + AEP (data collection, activation, and visualization)
• Rudderstack (data collection, CDP) + data warehouse + data visualization tool

Most data collection vendors, such as Freshpaint, allow for GA4 as a destination, so the flow can also look like this:

A data collection system + GA4

However, this setup requires you to de-identify PHI to safely use it.

Cons

• You need to review the HIPAA compliance of each vendor – analyze security and privacy, manage and negotiate cooperation with all three selected vendors, sign a BAA with each of them, etc.
• The connection between the systems may not be seamless – changes or API updates in each of those vendors may break your setup.
• You would require a data analyst or database expert to manage and maintain pipelines.
• The costs are very high – you need to pay for implementation, licensing of multiple vendors, and maintenance.

Pros

• You benefit from diversification of vendors, meaning no vendor lock-in.
• You can combine the benefits and features of each system you implement.

How to choose the right HIPAA-compliant analytics platform

As of 2025, the choice is no longer whether to replace Google Analytics, but which HIPAA-compliant alternative to choose. With enforcement at record levels and mature alternatives available, healthcare organizations that continue using Google Analytics are taking unnecessary legal and financial risks.

Here is a breakdown of key features of the recommended HIPAA-compliant analytics tools that we’ve looked into:

	Piwik PRO	Adobe CJA	Freshpaint	Mix of vendors
HIPAA compliance	Full BAA	CJA only		Multiple BAAs required
Ease of implementation
Secure data handling for organizations in sensitive industries
Cost	$	$$$	$$	$$$
Data ownership	Full control	Adobe ecosystem	Limited	Distributed
Support quality
Built-in analytics capabilities
Integrations with other tools

Compared to other options for analytics in healthcare, Piwik PRO offers the optimal balance of HIPAA compliance, enterprise features, and affordability, with a Google Analytics-like interface for seamless adoption.

The post A review of HIPAA-compliant analytics platforms appeared first on Piwik PRO.

This latest addition complements our existing location in Hong Kong, expanding our global hosting footprint and offering organizations in the Middle East and North Africa (MENA) region a reliable solution for local data residency and high-performance analytics.

Why regional data centers matter

For businesses in regulated sectors such as government, healthcare, finance, energy producers, and telecommunications, choosing the right hosting location is critical. Piwik PRO’s global data center network allows organizations to:

• Comply with local data protection laws, including GDPR, UAE data regulations and Hong Kong’s PDPO.
  
• Improve performance and responsiveness with reduced latency.
  
• Maintain control and security with enterprise-grade cloud infrastructure from trusted providers like Microsoft Azure and Elastx.

Piwik PRO hosting locations

New: UAE North (Microsoft Azure)
Ideal for organizations in the MENA region
Store and process data within UAE borders, meet compliance requirements and benefit from Azure’s security and scalability.

Hong Kong
Serving businesses across Asia-Pacific (APAC)
Supports local data residency and delivers fast, reliable access to analytics across the region.

Other hosting options
We also offer hosting in the U.S., Netherlands, Germany, Sweden (via Elastx), and over 60 Microsoft Azure regions worldwide. Choose between public and private cloud environments to meet your business’s specific compliance and performance needs.

Trusted analytics that put privacy first

Piwik PRO Analytics Suite combines powerful capabilities with ease of use, helping organizations of all sizes gain accurate, actionable insights from their websites, mobile apps and digital products. Built with privacy and compliance at its core, our platform supports key privacy laws (like GDPR, HIPAA, and CCPA) out of the box.

• Reliable and accurate data – Track user behavior and conversions with unmatched precision, even in the face of modern privacy challenges.
  
• Easy to use – Enjoy a user-friendly interface, intuitive dashboards and seamless workflows for marketers, analysts and developers alike.
  
• Privacy-first – Collect and activate data without compromising user trust or regulatory compliance.
  
• Fully integrated – Leverage built-in tag management, consent management and customer data platform (CDP) features.

Choose the hosting strategy and analytics platform that fits your business

With Piwik PRO, you get more than just compliant hosting—you get a robust analytics platform designed to deliver insights you can trust. Whether you’re focused on data residency, performance, or secure analytics, our flexible deployment options help you stay in control.

Contact us today to find the best hosting and analytics setup for your business.

The post Piwik PRO expands global hosting options with new data center in the UAE appeared first on Piwik PRO.

Collecting and analyzing user data is essential to healthcare businesses seeking to build relationships with prospects, better meet their patients’ needs, and gain authority within the industry. 

However, in 2025, HIPAA enforcement has expanded beyond internal systems and EHRs to include what happens in users’ browsers, making compliance more complex than ever. As a healthcare organization subject to HIPAA, you’re walking a fine line when trying to improve the patient experience while ensuring your activities remain compliant. 

Vendors have been adjusting to the shifting landscape of privacy-oriented analytics and their clients’ expectations. Many of them change their offers accordingly. 

At the same time, the dominant analytics vendors are not necessarily the most compliant options for healthcare providers. The stakes have never been higher, with U.S. healthcare firms paying over $100 million in fines between 2023 and 2025 due to pixel tracking violations.

In this article, we will explain why finding a HIPAA-compliant analytics provider should be a top priority and outline the key factors to consider when selecting your vendor. We will also compare popular analytics vendors, examining their advantages and capabilities in terms of HIPAA compliance.

Current enforcement landscape and recent developments

The HIPAA compliance landscape for analytics has evolved dramatically in recent years. Here is a breakdown of the most important developments:

Updated penalty structure 

HIPAA fines in 2025 range from $137 to $63,973 per violation for unknowing violations, with annual caps reaching $2,000,000 for repeat violations. There are four tiers of penalty structures, with the highest one concerning uncorrected willful neglect reaching $2,134,831 in 2024. Just last year, Montefiore Medical Center faced a $4.75 million penalty and a two-year corrective action plan after potential security rule violations.

AHA court victory

In June 2024, a US district court ruled in favor of the American Hospital Association’s lawsuit against HHS guidance on online tracking technologies. On August 29, the OCR decided not to appeal the district court’s decision. However, the victory’s scope is more limited than many healthcare organizations initially believed. 

The ruling only invalidates the part of the guidance stating that combining an IP address with a visit to a general health information page constitutes PHI. Other parts of the ruling, such as those relating to authenticated pages, including patient portals, remain valid. 

Additionally, HHS can enforce certain instances of combining HIPAA identifiers with health information, for example, an ad click ID connected with a scheduled doctor appointment shared with an ad platform like Google. 

Tracking pixels on major hospital websites

The Markup investigated the top 100 hospitals in the US and discovered tracking technologies on the appointment scheduling pages of 33 hospitals, meaning they were sending appointment data to Facebook, along with users’ IP addresses. 

Two lawsuits were immediately filed against Meta and health systems, including the University of California San Francisco and Dignity Health. This investigation revealed the widespread nature of non-compliant practices across major healthcare institutions.

 It sparked a wave of litigation that continues today, with healthcare organizations facing class action lawsuits for using tracking pixels. 

Increased HIPAA enforcement 

OCR has launched two enforcement initiatives in recent years – one targeting noncompliance with the HIPAA Right of Access in 2019, and the more recent focusing on noncompliance with the risk analysis provision of the HIPAA Security Rule. OCR Director confirmed that 22 enforcement actions were closed by OCR in 2024 with either settlements or civil monetary penalties, making it one of the busiest years for HIPAA enforcement.

This year has also begun with a large number of financial penalties, with a further 10 announced by the end of May 2025. 

Beyond financial penalties, malpractice involving healthcare data can also damage patients’ trust and affect their relationship with their healthcare provider.

The Federal Trade Commission (FTC) involvement

The Federal Trade Commission has issued orders in several cases relating to healthcare providers, including ordering the telehealth company Cerebral to pay a $7 million fine and limit the use of consumer health data for advertising purposes. 

The April 2024 ruling establishes precedent for how the FTC will address healthcare data misuse in the digital advertising space. A common legal basis for the FTC’s involvement is the FTC Act, which prohibits unfair or deceptive trade practices. Consequently, even if an organization isn’t directly covered by HIPAA, it may still face federal oversight for the misuse of healthcare data.

The challenge of finding a HIPAA-compliant analytics platform

Healthcare organizations seeking analytics solutions face a complex landscape of regulatory requirements, technical limitations, and vendor constraints that make compliance particularly challenging.

Signing a business associate agreement (BAA)

When it comes to web analytics platforms and HIPAA, your approach depends on whether you collect protected health information (PHI) through your site or app. Data that isn’t considered PHI is outside the scope of HIPAA. 

To legally send PHI to your analytics platform, you must sign a business associate agreement (BAA) with any vendor matching the definition of a business associate. A BAA specifies each party’s responsibilities regarding PHI and ePHI and establishes a legally binding relationship. 

Many vendors don’t want to sign BAAs because doing so would make them directly liable for compliance with certain HIPAA provisions, requiring them to implement comprehensive security measures. 

It’s vital to accurately identify which vendors and partners qualify as business associates under HIPAA. Some relationships may seem less directly related to healthcare operations, but they still involve access to PHI. Watch out for unnecessarily entering into BAAs with other HIPAA-covered entities or third-party service providers who have no access to PHI.

PHI de-identification

If your business associate, such as an analytics vendor, doesn’t offer a BAA, you must remove all identifiers from the data to use their services, so that it’s no longer considered PHI. HIPAA’s Privacy Rule provides two de-identification methods for health information: Expert Determination and Safe Harbor. De-identified data created following these methods does not fall within the definition of PHI. 

The process of de-identification is lengthy and complex, presenting numerous technical and practical challenges.

Even on unauthenticated webpages, your website can be in violation of HIPAA if it gathers information that may contain PHI. This creates practical challenges because, even without a login, tracking an IP address or geolocation on these pages can be considered PHI, as it suggests an individual’s interest in a specific healthcare condition or service.

It’s unlikely that you’ll be able to strip all PHI. Healthcare organizations face particular challenges with:

• IP addresses and device IDs that can be removed, but leave gaps in analytics capabilities
• URL titles that can contain sensitive information, like doctor names and specializations
• Custom tracking events that may inadvertently collect PHI through standard analytics implementations

Additionally, de-identifying all URLs would limit the usability of your analytics. De-identification would negatively impact remarketing and user-based or service-based reporting. On the other hand, cherry-picking URLs containing PHI is nearly impossible, given the dynamic nature of data collected and processed by websites and platforms.

Read more about PHI and PII: How they impact HIPAA compliance and your marketing strategy.

The evolving analytics landscape presents both opportunities and challenges for healthcare organizations. Recent developments in privacy-focused analytics platforms, server-side tracking solutions, and healthcare-specific analytics tools have created new options for organizations seeking HIPAA-compliant alternatives.

With increased regulatory scrutiny and evolving technology, healthcare organizations must take a proactive approach to analytics compliance. This includes conducting regular audits of all digital tracking technologies, implementing robust data governance frameworks, and staying current with emerging privacy regulations that may impact analytics practices. The cost of non-compliance has never been higher, making it essential to invest in proper HIPAA-compliant analytics solutions.

Is Google Analytics HIPAA-compliant?

The analytics landscape has matured significantly since Google completed its transition from Universal Analytics to GA4 in July 2023. Google Analytics remains the most widely used enterprise analytics platform. 

However, following the 2022 HHS guidance on the use of tracking technologies, Google Analytics is no longer recommended for use in the healthcare industry. 

Google offers its marketing technologies for free because it gets access to data collected by businesses that implement its services. The tech giant uses data within its systems to develop and improve its services and personalize their advertising experience. This business model is fundamentally incompatible with HIPAA requirements.

Google does not offer a business associate agreement (BAA), meaning you can’t share PHI with them. Google also explicitly forbids customers subject to HIPAA from using Google Analytics and sharing PHI with them.

Find out more about Google Analytics and HIPAA: Is Google Analytics HIPAA-compliant?

Is Adobe Analytics HIPAA-compliant?

Adobe has a list of HIPAA-ready services, but only certain products are compliant. To check which of Adobe’s services are compliant, you can check this list of Adobe’s HIPAA-ready products. 

• Adobe Analytics is not listed as HIPAA-ready on Adobe’s site. It means that Adobe won’t sign a BAA with you to use AA, and you can’t collect or share PHI through Adobe Analytics.
• Adobe Customer Journey Analytics (CJA) is on the HIPAA-ready list, so you can safely use it as a HIPAA-covered entity and send PHI to it.

Find out more about Adobe Analytics and HIPAA: Is Adobe Analytics HIPAA-compliant?

Popular HIPAA-compliant analytics platforms

The healthcare analytics landscape has undergone a fundamental shift. Many analytics tools still cannot adequately address HIPAA compliance requirements and don’t sign BAAs. However, this shift also presents opportunities – HIPAA-covered organizations have a chance to reassess the tools they use for analytics and marketing, and futureproof their compliance.

The market for HIPAA-compliant analytics has matured significantly, offering healthcare organizations various options to meet their analytical needs while maintaining regulatory compliance. 

Let’s review some popular analytics options that can meet the needs of healthcare organizations.

Piwik PRO Analytics Suite

Piwik PRO Analytics Suite is a privacy-focused analytics and data activation platform that helps businesses collect, analyze, and put user data into action. The platform is tailored for industries with strict data compliance requirements, such as healthcare, and enables them to enhance their marketing effectiveness and deliver better user experiences. 

Key strengths:

• HIPAA compliance with the ability to sign a customizable BAA
• Strong data ownership and governance tools
• Data encryption in transit and at rest, secure HIPAA-compliant hosting with Microsoft Azure, advanced anonymization options, granular access controls and more
• Comprehensive suite including analytics, tag management, consent management, and customer data platform
• ISO 27001 and SOC 2 certifications, including a HIPAA compliance assessment
• Competitive pricing and access to support & implementation services
• Ability to combine strong privacy compliance with effective analytics and data activation capabilities

Best for:

Organizations seeking an all-in-one platform with high data autonomy, configurable privacy settings, and seamless compliance with HIPAA and other regulations such as GDPR and CCPA.

Adobe Customer Journey Analytics (CJA)

Adobe Customer Journey Analytics (CJA) enables you to connect and normalize cross-channel data into actionable profiles, explore the customer journey in its full context, and apply AI-driven insights to deliver personalized experiences at scale.

Key strengths:

• Adobe CJA can identify and secure PHI and PII, apply access rules, and create data use audits to handle patient data
• The platform uses AI and machine learning to offer real-time insights into customer journeys, helping healthcare providers understand and optimize their patients’ experiences
• Strong integration with Adobe Experience Platform

Best for:

Large organizations with existing Adobe infrastructure and the technical expertise to implement the platform and fully leverage its capabilities.

Matomo

Matomo is an open-source analytics platform that can be self-hosted to support HIPAA compliance. While it provides full control over data, the task of maintaining compliance, including secure hosting and audit logging, falls entirely on the user.

Key strengths:

• Self-hosted option allows HIPAA-compliant configurations
• No data sampling, full data ownership
• Limited out-of-the-box support for enterprise security standards

Best for:

Organizations with technical resources to manage and secure their own analytics infrastructure.

Mixpanel 

Mixpanel offers product analytics with HIPAA-compliant options through a separate agreement and an enhanced security tier. Its event-based tracking is ideal for understanding user behavior within digital applications.

Key strengths:

• HIPAA-compliant plans available on request
• Powerful segmentation and retention analysis
• Modern UX with flexible dashboards

Best for:

Healthcare product teams focused on app engagement and retention metrics.

Amplitude

Amplitude is a product analytics platform designed for in-depth behavioral insights across digital experiences. It offers a HIPAA-compliant plan with enhanced security, making it suitable for healthcare and life sciences companies that handle PHI. Amplitude’s strength lies in its robust analytics capabilities, such as cohort analysis, retention tracking, and real-time collaboration.

Key strengths:

• HIPAA-compliant enterprise tier available upon request
• Advanced behavioral analytics, funnels, and retention tracking
• Built-in identity resolution and user journey mapping
• Scalable architecture with real-time event ingestion
• SOC 2 Type II and ISO 27001 certifications

Best for:

Healthcare organizations and digital health startups that need granular product insights to optimize patient or user engagement without sacrificing compliance.

Heap Analytics

Heap provides automatic data capture, making it easy to analyze user behavior without manually setting up event tracking. HIPAA compliance is available on select enterprise plans, featuring security protocols including data encryption, access controls, and audit logs.

Key strengths:

• HIPAA-compliant deployment available on request, including a BAA
• Advanced retroactive analysis and journey visualizations
• Automatic event capture that reduces implementation complexity
• ISO 27001 and SOC 2 certifications

Best for:

Teams seeking rapid setup and detailed behavioral analytics with minimal developer input – ideal for growth and product teams in HIPAA-regulated environments.

Freshpaint

Freshpaint is a healthcare-focused tool that functions as a filter routing data to analytics and marketing tools while providing a strict layer of privacy controls and compliance enforcement. It’s not an analytics platform in itself and doesn’t offer reporting or visualization options – it must be connected to other tools to create a full analytics setup.

Key strengths:

• Built for HIPAA compliance – BAA signed by default
• Real-time data routing with automatic PHI filtering
• Visual tagging interface for non-technical users
• Consent enforcement across third-party tools
• SOC 2 Type II and HITRUST CSF certification

Best for:

Healthcare and health tech companies with the resources and skills to implement a plug-and-play analytics integration layer that ensures downstream compliance and simplifies consent governance.

COMPARISON

The comparison of 9 HIPAA-compliant web analytics platforms

Compare the main features of Piwik PRO, Freshpaint, Matomo, Mixpanel, Amplitude, Heap, Tealium, Adobe CJA and Piano Analytics.

Download the full comparison

Best practices for selecting a HIPAA-compliant analytics vendor

The ideal HIPAA-compliant analytics platform depends on specific organizational needs, technical capabilities, and resource constraints. Organizations seeking comprehensive functionality with minimal complexity may prefer integrated solutions that provide complete analytics suites with built-in compliance features. Those with specific technical requirements or existing tool investments might benefit from platforms that offer flexibility and integration capabilities.

The key is matching platform capabilities with organizational requirements while ensuring robust compliance measures that protect patient data and support long-term analytical goals. Success depends not just on the platform choice but on proper implementation, ongoing maintenance, and adherence to evolving regulatory requirements.

Here are key aspects to consider when choosing the right HIPAA-compliant analytics provider:

Essential compliance requirements

1. Business associate agreement (BAA)

• Ensure the vendor will sign a comprehensive BAA covering all required services and data types.
• Check that the BAA includes specific provisions for data processing, storage, and transmission.
• Verify that the BAA includes breach notification and incident response procedures.

2. Data hosting and residency

• Confirm data is hosted in a HIPAA-compliant infrastructure with proper certifications.
• Evaluate data residency options, including the ability to choose specific geographic locations.
• Verify that encryption standards for data at rest and in transit meet HIPAA requirements.

3. Security certifications

• Look for SOC 2 Type II certification as a baseline security standard.
• Learn if the vendor holds ISO 27001 compliance, which demonstrates a comprehensive approach to security management.
• Consider vendors that undergo regular third-party audits.

Technical evaluation criteria

1. PHI handling capabilities

• Identify whether the platform automatically collects and protects standard PHI, such as IP addresses and page URLs.
• Evaluate built-in data minimization features that limit PHI collection to necessary elements only.
• Look for robust data retention management tools with automated deletion capabilities.
• Determine if the platform provides granular access controls to limit the exposure of PHI to authorized personnel.

2. Integration and implementation

• Assess the complexity of the migration from your existing tools, such as Google Analytics.
• Find out what pre-built integrations are available, including connectors to popular healthcare technology tools.
• Discover the available customer support, onboarding, and implementation services.

3. Reporting and analytics features

• Verify if the platform provides the specific healthcare metrics your organization requires.
• Learn what advanced features are available – for example, funnel analysis, custom reporting, customizable dashboards and others you need.
• Determine the options available for extending platform capabilities, such as data exports or custom development.

Vendor assessment framework

1. Financial considerations

• Consider the total cost of ownership, including potential integration costs with existing systems.
• Factor in implementation costs, training, and ongoing support.
• Consider vendors that provide good value through all-in-one solutions to reduce costs.

2. Risk management

• Ensure the vendor doesn’t share data with third parties or reuse it for other purposes.
• Find out if the vendor provides regular security updates and proactive compliance monitoring.
• Assess incident response and breach notification procedures.
• Factor in whether the vendor prioritizes healthcare clients and understands industry-specific needs.

3. Scalability and futureproofing

• Determine if the vendor offers modular functionality, such as analytics, tag management, and CDP capabilities, within a single platform.
• Assess the solution’s scalability to determine how well it can grow in line with your organization’s increasing data volume and complexity.
• Learn how the vendor stays current with evolving HIPAA requirements.

The path forward

Despite numerous challenges, healthcare organizations are finding ways to maintain effective analytics while ensuring compliance with regulations. There are solutions for healthcare providers and organizations that want to run a modern digital business with all the necessary marketing tools to optimize and grow.

Healthcare providers must invest in compliant vendors and establish a compliance strategy to unlock the full potential of data-driven marketing, analytics, and advertising while safeguarding patient privacy.

The challenge of finding HIPAA-compliant analytics platforms reflects the broader transformation of healthcare digital marketing in the post-2022 regulatory environment. Organizations that successfully navigate these challenges will be those that prioritize compliance from the outset, invest in specialized solutions, and maintain ongoing vigilance as regulations continue to evolve.

HIPAA compliance doesn’t have to limit your marketing or analytics activities. Piwik PRO provides healthcare institutions with actionable marketing insights, ensuring regulatory compliance, and securing patient data. 

Learn more about how Piwik PRO can support your organization in HIPAA-compliant analytics: 

The post HIPAA-compliant analytics in 2025: Your complete vendor comparison and selection guide appeared first on Piwik PRO.

To meet these evolving needs, we’re excited to share some important updates about our platform. Over the next six months, we’ll be transitioning our free Core plan to the new Business plan. Our Enterprise plan will be divided into three tiers offering different levels of flexibility, scalability and support. 

With these changes, we will help organizations of all sizes unlock better insights, get more business value from analytics and prioritize user trust. 

Highlights:

• The free Core plan is going away. All Core accounts will be transitioned to the Business plan in December 2025.
• The Business plan is ideal for small to mid-sized organizations looking for a cost-effective platform with access to practical insights and privacy compliance.
• The Enterprise plan will be divided into three tiers, each corresponding to a different stage of organizational growth – from companies seeking deeper marketing insights to enterprise-grade organizations operating in highly regulated industries.
• Regardless of the plan you use, our platform provides access to integrated analytics and insights, as well as privacy compliance and data activation, enabling you to futureproof your data strategy and support your organization’s growth.
• Our new pricing will take effect on August 4, 2025.

Why these changes matter

As a result of these changes, all our customers will be able to maximize the benefits of a unified platform that combines analytics, tag management, consent management and data activation. By providing transparent pricing and a steady path to grow, companies can get started easily and scale confidently with a single data ecosystem rather than multiple standalone tools. 

Here is how a single unified platform delivers more value:

• Eliminates data silos and ensures consistency
• Streamlines compliance and reduces legal risk
• Accelerates time-to-insight and action
• Reduces total cost of ownership and complexity
• Enables advanced use cases through shared context

Rather than a one-size-fits-all approach, we’ve created distinct pathways that align with different organizational maturity levels, security requirements, and growth journeys.

Whether you’re a growing business taking your first steps into advanced analytics or a large enterprise requiring extensive flexibility and control, our new pricing structure ensures you have access to the right combination of features, support, and scalability. 

The Business plan: Perfect for growing organizations

Our new Business plan is best for smaller organizations that want to transition to privacy-compliant analytics and make more confident marketing decisions. 

This plan gives you:

• Up to 2 million monthly actions
• 25 months of data retention
• EU-operated hosting in Sweden
• Full compliance with GDPR, CCPA, LGPD and more
• Complete analytics suite and basic data activation
• Ability to add more features, like integrations, support or implementation services

The Business plan will become available to everyone this summer, with a new entry-level plan starting from just €35 per month, making it the most powerful and cost-effective option on the market. 

The Enterprise plan: Scalability and flexibility for complex needs

We’ve expanded our Enterprise plan to better suit organizations with more sophisticated analytics, data activation, and privacy needs. Starting at €366 per month when billed annually, each tier builds upon the capabilities of the previous one. 

Data Fundamentals

The first tier is designed for privacy-conscious, emerging organizations that are building their privacy-first data foundation. It’s ideal for businesses looking for an integrated platform that handles data collection, analysis, and activation while ensuring compliance. 

Key features:

• 1M to 100M monthly actions
• 25+ months of data retention
• 1000 profiles per month for data activation
• 5 domains for consent management
• 75 custom reports and dashboards
• Choice of data centers (Germany, Netherlands, Sweden, US, Hong Kong)

Trusted Insights

The mid-tier is designed for organizations with more advanced data needs. It’s ideal for growth-oriented, privacy-focused organizations seeking advanced analytics, integration across channels, and data activation to broaden their reach and engagement. 

Key features:

• 1M to 500M monthly actions
• 25+ months of data retention
• 4000 profiles per month for data activation
• 10 domains for consent management
• 150 custom reports and dashboards
• Extended data lookback period (12 hours)
• HIPAA compliance with BAA
• Account management and support
• Ability to review and negotiate contract terms

Secure Intelligence

The top tier is developed for organizations in highly regulated industries that require data governance and sovereignty. It’s ideal for enterprises that need the highest-grade security, unlimited reporting and activation capabilities, and maximum flexibility and customization.

Key features:

• Starting from 2M actions with no upper limit
• 37+ months of data retention
• Unlimited data activation profiles
• 15+ domains for consent management (customizable)
• Unlimited custom reports and dashboards
• 24-hour data lookback period
• HIPAA compliance with BAA
• Private cloud hosting options
• Account management & support and personalized product training
• Full contract negotiation capabilities

Next steps for Core users

If you’re currently using one of our Core plans, here is what you can expect:

• New and current free Core users: Your plan will stay active through December 2025. After that, you’ll be able to upgrade to the Business plan. You can expect additional benefits by switching plans early – we will provide more details about it soon.
  
• Users with a paid Core subscription: You’ll receive a personalized offer to seamlessly transition to the Business plan. Our team will work closely with existing customers to ensure a smooth transition that maintains or enhances your current capabilities.

To a smarter future powered by complete privacy-first data

We believe that data-driven growth and privacy compliance go hand in hand, so regardless of your chosen plan, you can count on powerful capabilities, reliable performance and strong privacy foundations as your business grows. 

Get started with the plan that fits your company’s needs:

The post Introducing new pricing: More analytics value and privacy compliance as you grow appeared first on Piwik PRO.

Choosing a platform that doesn’t match your needs or available resources can put sensitive patient information at risk, leading to costly compliance violations and loss of patient trust. As a healthcare organization, you must consider privacy and security-related aspects, such as security protocols, certifications, data protection and anonymization features, hosting options, and regulatory compliance. At the same time, your selected platform should meet your expectations in terms of usability, product capabilities, data integration options, analytics, and reporting features, and others. 

In this comparison, we will analyze the leading HIPAA-compliant web analytics platforms, including Piwik PRO, Freshpaint, Matomo, Mixpanel, Amplitude, Heap, Tealium, Adobe Customer Journey Analytics and Piano Analytics. We will cover essential criteria such as data security, encryption standards, business associate agreements (BAAs), integration capabilities, hosting options, data anonymization features, reporting and analytics features, customer support options, and much more. 

By understanding how these platforms stack up, you’ll be better equipped to select a solution that not only meets your compliance requirements but also allows your organization to turn healthcare data into actionable insights.

COMPARISON

The comparison of 9 HIPAA-compliant web analytics platforms

Compare the main features of Piwik PRO, Freshpaint, Matomo, Mixpanel, Amplitude, Heap, Tealium, Adobe CJA and Piano Analytics.

Download the full comparison

How to find the right HIPAA-compliant web analytics platform for your healthcare organization

For each platform, we outline and compare features from the following categories:

General overview

The first section includes an overview of each platform’s HIPAA compliance status, privacy and security measures, available plans, pricing, and product capabilities. This helps you quickly understand the overall suitability of the solution for your needs.

Data privacy and security

Data privacy and security features directly impact how protected health information (PHI) is handled. Key elements such as data control, the availability of business associate agreements (BAAs), regulatory compliance adherence, access controls, audit logs, server-side tagging, encryption, anonymization, hosting environment, backups, security certifications, and integration with consent management systems collectively ensure that patient data is protected against unauthorized access and breaches.

Data collection flexibility

Data collection flexibility determines how different platforms accommodate the diverse technical environments and tracking requirements of healthcare organizations. The availability of JavaScript tags and software development kits (SDKs), support for custom variables and dimensions, data freshness and retention policies, and the number of properties or custom domains that can be tracked show how well the platform can capture relevant user interactions without compromising compliance.

Data processing and connectivity

Data processing and connectivity features such as raw data access, reporting APIs, data sampling methods, and integrations with business intelligence (BI) and data visualization tools enable healthcare organizations to analyze data effectively and integrate analytics insights into broader decision-making workflows. The availability of direct integrations with a customer data platform (CDP) and tag manager further enhances the ability to comprehensively manage and activate patient data.

Reporting features

Reporting features determine how well healthcare teams can derive insights from the collected data. In this section, we outline features like access to detailed reports and metrics, customizable dashboards, event and goal tracking, funnel and product analytics, user flow visualization, session logs, real-time data, calculated metrics, automatic insights, and user-level reporting.

Support and customer care

Support and customer care options play a vital role in successful platform adoption and ongoing compliance. Basic support, such as help centers, community forums, and email assistance, provides foundational help, while more extensive services, like dedicated support specialists, personalized implementation, and onboarding, ensure that organizations can tailor the platform to their specific HIPAA requirements and operational needs.

Overview of web analytics vendors offering HIPAA compliance

Our comparison includes the following vendors:

Tealium

Tealium is an enterprise customer data platform and tag management leader, specializing in secure, compliant, and real-time customer data management across large organizations. With certifications such as HIPAA, ISO 27001, and SOC 2, plus private cloud hosting options, Tealium is tailored for large organizations with complex data governance and compliance requirements. It is the best fit for enterprises needing granular control over customer data and seamless integration across multiple channels.

Adobe Customer Journey Analytics (CJA) 

Adobe CJA is an enterprise analytics solution designed to unify and analyze customer journeys across multiple channels in real time. Integrated deeply within the Adobe Experience Cloud, CJA provides advanced segmentation, visualization, and reporting capabilities while maintaining strong privacy and compliance controls, including HIPAA readiness. It is particularly well-suited for large enterprises that require comprehensive cross-channel insights and already leverage Adobe’s ecosystem for marketing and customer experience management.

Piano Analytics

Piano Analytics (formerly AT Internet) is a European-focused analytics platform that emphasizes privacy, compliance, and actionable digital insights. It supports GDPR compliance and flexible data hosting options, providing detailed web and product analytics along with segmentation and reporting features. Piano Analytics is ideal for organizations in Europe or those with stringent privacy requirements seeking a robust analytics solution tailored to digital content and marketing performance.

Mixpanel

Mixpanel is an advanced product analytics tool offering interactive dashboards and experimentation tools that empower product managers and marketers to optimize user engagement and feature adoption. It provides real-time event tracking, cohort analysis, and user segmentation, helping product and marketing teams optimize patient engagement and retention while maintaining compliance. Mixpanel is a good fit for healthcare SaaS and digital health companies that need actionable behavioral analytics combined with HIPAA safeguards.

Matomo

Matomo is an open-source web analytics platform. It was founded in 2007 and was known as Piwik until 2018, when it rebranded. Matomo enables organizations to control their analytics data while complying with GDPR and other privacy regulations. Its customizable dashboards, heatmaps, and session recordings provide rich insights into user behavior. Because there is no option to sign a BAA, HIPAA-covered organizations need to self-host their analytics if they choose Matomo. The platform is suitable for companies seeking an open-source alternative to mainstream analytics tools.

Amplitude

Amplitude provides advanced behavioral analytics designed for growth-driven digital businesses. It enables healthcare organizations to analyze patient journeys, retention, and product usage with advanced segmentation and predictive analytics. Amplitude’s strong privacy controls, data governance and integration options make it suitable for large healthcare enterprises and digital health teams focused on growth and compliance. 

Heap

Heap is a digital insights platform that gives teams a complete understanding of customers’ digital journeys to improve conversion, retention, and customer satisfaction. It automatically captures all user interactions and supports HIPAA compliance through BAAs, data encryption, and privacy controls. Its retroactive analytics and journey analysis capabilities allow healthcare teams to gain insights without manual event tagging, reducing implementation complexity. Heap is ideal for healthcare organizations seeking fast deployment and comprehensive analytics while ensuring PHI security.

Freshpaint

Freshpaint is a healthcare-focused platform built with privacy and HIPAA compliance in mind. It can be used to collect website and app data while preventing the sharing of protected health information (PHI) with non-compliant tools, such as analytics or ad platforms. Using cryptographic hashing and anonymous user IDs, Freshpaint enables organizations to analyze complete visitor journeys without exposing individual identities. At the same time, because it serves as an intermediary to prevent PHI from being sent to non-compliant tools, it requires significant technical skills and resources to set up and maintain.

Piwik PRO

Piwik PRO Analytics Suite is a digital analytics and data activation platform that helps businesses collect, analyze, and put user data into action. The platform includes integrated analytics, tag manager, consent management, and customer data platform capabilities, allowing healthcare providers to safely connect first-party data from various touchpoints. It offers compliant data encryption, secure hosting with Microsoft Azure, customizable BAAs, advanced anonymization options, and more. Recently certified as HIPAA-compliant through its SOC-2 Type II audit, Piwik PRO is ideal for healthcare institutions seeking actionable marketing insights without compromising HIPAA compliance.

COMPARISON

The comparison of 9 HIPAA-compliant web analytics platforms

Compare the main features of Piwik PRO, Freshpaint, Matomo, Mixpanel, Amplitude, Heap, Tealium, Adobe CJA and Piano Analytics.

Download the full comparison

The post The comparison of 9 HIPAA-compliant web analytics platforms appeared first on Piwik PRO.

Although often marketed as a privacy safeguard, EU hosting alone does not ensure full legal protection or true data sovereignty. For organizations committed to long-term compliance, user privacy, and robust data governance, understanding the difference between data hosting and data sovereignty is more important than ever.

In this article, we’ll unpack the nuances between EU hosting and EU data sovereignty, explain why this distinction is especially relevant in light of current EU-US data transfer dynamics, and show solutions that are designed to deliver genuine sovereignty, building a foundation of trust, transparency, and compliance in a shifting legal landscape.

EU hosting is not the same as EU sovereignty: Legal risks remain

Many analytics vendors highlight their use of EU-based data centers to signal compliance with European privacy laws. However, if the services are owned or controlled by non-EU entities, particularly U.S. companies, your data may still fall under foreign jurisdiction.

Under the U.S. CLOUD Act, American authorities can legally compel U.S.-based companies to provide access to customer data, no matter where it is stored. This creates a significant compliance risk for organizations seeking to align with EU data protection standards.

To enable lawful data transfers outside the EU, many providers rely on the EU–U.S. Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs). While both mechanisms are currently valid, they remain under ongoing legal scrutiny.

The DPF, like its predecessors, Privacy Shield and Safe Harbor, could be invalidated by the Court of Justice of the EU (CJEU). If that happens, most organizations will revert to SCCs, just as they did after the Privacy Shield was struck down. Yet even SCCs come with limitations: they don’t offer full protection from U.S. government surveillance, a concern equally relevant to the DPF.

Some providers, such as Microsoft, offer both mechanisms to give customers flexibility. However, neither fully resolves the underlying legal uncertainty that comes from using cloud services under foreign ownership, even when the data itself never leaves the EU.

Data Transfers: DPF vs. SCCs – What’s the Difference?

Under the General Data Protection Regulation (GDPR), there are different ways to transfer personal data outside the EU legally. The Data Privacy Framework (DPF) is one of them — it’s an adequacy decision (Article 45), meaning the EU considers certain countries (like the U.S., under the DPF) to offer enough protection.

Another option is using Standard Contractual Clauses (SCCs), legal contracts approved by the EU Commission (Article 46). You don’t need both – just one is enough.

Some companies, like Microsoft, use both: they’re certified under the DPF and offer SCCs. Why? Because the legal landscape can change, having SCCs adds a backup layer of protection.

True data sovereignty means more than simply storing data within the EU. It requires that both the data and the organizations handling it remain entirely under the EU’s legal jurisdiction, free from foreign ownership or extraterritorial influence. 

For example, even if data is physically stored in a European data center, using infrastructure operated by a non-EU company, such as a U.S.-based cloud provider, can expose that data to foreign laws like the U.S. CLOUD Act. This creates similar risks to storing the data outside the EU, as foreign authorities may still compel access, undermining EU privacy protections. To achieve real sovereignty, organizations must ensure that data stays in the EU and within infrastructure owned and managed by EU-based providers bound solely by EU law.

Learn more:

• EU-US data transfers uncertainties: How an EU-based analytics platform can improve your marketing performance
• Norwegian DPA warns against EU-US data transfers – what it means for your website analytics
• The Story Behind Safe Harbor and Privacy Shield

Compliance implications of data sovereignty

Data sovereignty isn’t just a legal formality – it’s a strategic safeguard. Under the GDPR, any transfer of personal data to a third country must not undermine the level of protection guaranteed within the EU. This means organizations must ensure that data remains shielded from unauthorized access, even when stored or processed abroad. Sovereign infrastructure plays a key role here, reducing the risk of foreign jurisdictions, including intelligence agencies, compelling access to sensitive data.

This is particularly critical in sensitive sectors like healthcare, finance, public services, and education, where user trust and legal exposure are tightly linked.

Read more:

• 17 new privacy laws around the world and how they’ll affect your analytics
• PIPEDA & CPPA: How the Canadian privacy laws impact your analytics [Updated]
• Everything you need to know about the New York Health Information Privacy Act (NYHIPA)
• Data privacy laws in the United States and how they affect your business [UPDATED]

What Piwik PRO and Cookie Information deliver

Piwik PRO and Cookie Information offer a privacy-focused analytics and consent management platform developed entirely under EU jurisdiction. Both tools are designed to meet GDPR requirements, but achieving true data sovereignty – where data remains inaccessible to foreign entities – depends on the underlying infrastructure.

This level of sovereignty is fully realized with the Piwik PRO Enterprise plan, which allows hosting on Elastx, a fully EU-owned provider. This ensures that both the data and the technology stack are governed solely by EU laws.

For organizations prioritizing maximum legal protection, it’s crucial to choose a solution that combines EU-based infrastructure with EU ownership. This not only addresses growing concerns around EU-US data transfers but also supports long-term compliance and regulatory certainty.

However, deploying an EU-based analytics tool alone isn’t enough. Consent management must also be handled within the EU to avoid undermining your compliance efforts. If a consent platform transmits data to the U.S. or other external jurisdictions, your data remains possibly exposed. The solution: integrate your analytics with a consent platform that is fully managed and hosted in the EU. Together, they create a unified, privacy-first marketing system that upholds user trust and data protection standards.

Headquartered in Copenhagen with data centers across the EU, Cookie Information is a trusted choice for marketers who value both compliance assurance and performance optimization.

Find out more about Piwik PRO and Cookie Information:

• Implement your data privacy strategy with Piwik PRO Analytics Suite
• Piwik PRO is a PIPEDA-compliant analytics vendor
• Integrating Piwik PRO and Cookie Information CMP is now easier than ever
• Collect and activate more of your data: The benefits of combining Cookie Information and Piwik PRO

Benefits of EU-sovereign analytics

Adopting a truly EU-sovereign analytics solution significantly reduces the risk of legal exposure to foreign surveillance laws and strengthens compliance with global privacy regulations such as the GDPR, the California Consumer Privacy Act (CCPA), and the Brazilian General Data Protection Law (LGPD). When combined with additional safeguards, including strong data transparency, robust user consent mechanisms, and responsible data handling practices, data sovereignty becomes a cornerstone of long-term legal stability. This holistic approach not only supports regulatory compliance but also fosters user trust and enables sustainable, privacy-conscious marketing strategies.

Key benefits of an EU-sovereign analytics stack include:

• Minimizing legal risk from non-EU surveillance frameworks
  
• Ensuring alignment with major privacy laws, including GDPR, CCPA, and LGPD
  
• Strengthening user trust through transparent and compliant data handling
  
• Enabling ethical marketing through anonymized, consent-based insights
  
• Securing sustainable legal certainty for data-driven strategies

Evaluating your analytics setup

You should evaluate whether your organization’s analytics tools genuinely comply with EU data protection laws or if they are simply hosted in EU-based data centers owned by non-European providers.

Whether your organization is just beginning its privacy journey or requires the highest level of data protection, Piwik PRO and Cookie Information offer scalable solutions to meet a range of compliance needs. Both provide free standard plans – Piwik PRO Business and Cookie Information – with EU-based data hosting via established cloud providers.

However, data residency alone doesn’t equal data sovereignty. What truly matters is who controls access to your data and under which jurisdiction. For organizations that require full legal assurance that their data remains beyond the reach of foreign laws, especially in light of evolving developments in the U.S., Piwik PRO Enterprise offers hosting on EU-owned infrastructure, helping organizations maintain sovereignty and comply with the strictest privacy regulations.

This is a pivotal moment for businesses to evaluate their hosting strategy. With legal frameworks like the EU-U.S. Data Privacy Framework under increasing scrutiny and potential invalidation, now is the time to make strategic, forward-looking choices. These are not decisions that can be made in haste – having control over your hosting environment today means being prepared for tomorrow’s regulatory challenges.

Ultimately, it’s up to each organization to determine its level of control. You have a choice – and now is the time to make it.

The post EU hosting vs. EU sovereignty: Why the difference matters for privacy-first analytics appeared first on Piwik PRO.

Tools that rely on third-party cookies and unclear data practices can lead to compliance challenges and loss of control over customer information. Although Google initially announced plans to phase out third-party cookies in Chrome by 2025, recent updates suggest that cookies will remain in use for the foreseeable future. This regulatory and technical uncertainty highlights the need for analytics solutions that offer long-term stability, transparency, and user privacy.

Privacy-compliant platforms like Piwik PRO give Shopify merchants a reliable and secure way to collect and analyze data, without compromising compliance, control, or customer trust.

The importance of privacy in ecommerce

Online shoppers are increasingly aware of how their data is tracked and used. In an environment where data breaches, aggressive targeting, and a lack of transparency are all too common, trust is easily destroyed.

Adopting a privacy-first analytics approach allows Shopify businesses to:

• Build credibility by handling data transparently and ethically.
  
• Comply with international regulations such as GDPR, CCPA, and others.
  
• Reduce the risk of fines and legal action due to noncompliance.
  
• Future-proof data collection strategies as third-party tracking becomes less effective.

Privacy is no longer just a legal obligation — it’s a fundamental part of the customer experience.

Seamless privacy compliance with Shopify 

With Piwik PRO’s anonymous tracking mode, you can keep collecting valuable insights — even when users don’t give consent. Integrated with Shopify’s Privacy API, it ensures your analytics remain compliant with GDPR, CCPA, and other regulations, without sacrificing essential data. That means you continue to understand customer behavior while fully respecting user preferences.

Challenges with traditional analytics tools

Many Shopify merchants have long been relying on popular platforms like Google Analytics. However, these tools come with serious limitations, especially in today’s privacy-aware environment:

• Compliance complexity: Setting up tools like Google Analytics to comply with GDPR or CCPA requires extra effort and technical resources.
  
• Loss of data control: Merchants using third-party platforms often give up ownership of their customer data. This data often supports larger ad networks, not your business goals.
  
• Data monetization risks: It’s not uncommon for platforms to sell or share user data to support their own advertising ecosystems — something Piwik PRO explicitly does not do.
  
• Ad blocker interference: Widespread use of ad blockers can disrupt tracking scripts, leading to inaccurate or incomplete data.
  
• Reliance on cookies: As tracking cookies become less relevant, analytics tools must adapt. Platforms that rely heavily on third-party cookies will continue to lose ground.

Benefits of privacy-compliant analytics for Shopify stores

Solutions like Piwik PRO offer Shopify merchants a powerful alternative to traditional analytics tools, emphasizing control, reliability, and privacy.

1. Complete data ownership and control

Piwik PRO ensures your analytics data stays in your hands. It’s securely hosted in a privacy-compliant cloud environment located in the region of your choice. Unlike platforms that feed data into ad ecosystems, Piwik PRO does not sell or share your customer information.

2. Vendor independence

With Piwik PRO, your analytics operate independently from the business models of Big Tech. Your data isn’t used to fund third-party advertising platforms — you remain in full control of your customer insights.

3. Resilient, cookieless tracking

Piwik PRO supports server-side tracking and cookieless data collection, offering accurate insights even as traditional methods become less reliable. This adaptability makes it a smart choice for navigating the uncertain future of online tracking.

4. Consent-aware Shopify integration

While the Piwik PRO Shopify app doesn’t offer a built-in consent manager, it integrates seamlessly with Shopify’s Privacy API. This allows it to respect analytics consent gathered through Shopify’s native privacy tools or compatible third-party platforms, helping you stay compliant without adding a separate consent solution.

5. Accurate data, no sampling

Google Analytics often uses data sampling on high-traffic sites, which can distort reporting. Piwik PRO avoids this by capturing every visit and event, ensuring the accuracy of your analytics, regardless of your store’s size.

6. Ad blocker resistance

Thanks to its privacy-friendly design, Piwik PRO is less likely to be blocked by privacy tools and extensions. This leads to more complete data collection and a clearer picture of customer behavior.

WEBINAR

Piwik PRO for ecommerce:
Get data-driven insights to boost your online sales

Watch the webinar recording and learn how to use Piwik PRO Analytics Suite to improve user experience, optimize product pages, and drive more sales.

Watch the webinar

How to implement privacy-compliant analytics on Shopify

Getting started with privacy-first analytics doesn’t have to be complicated. Follow these steps to ensure compliance and data integrity:

• Choose a trusted provider: Select a solution like Piwik PRO that’s purpose-built for data privacy and regulatory compliance.
  
• Integrate consent management: Use a third-party consent tool compatible with Shopify’s Privacy API to collect and manage user permissions.
  
• Adopt modern tracking methods: Implement first-party and cookieless tracking to ensure long-term reliability.
  
• Be transparent with users: Clearly communicate your data policies and give users control over their privacy preferences.
  
• Stay up to date: Regularly audit your analytics setup to ensure continued compliance with evolving regulations.

Conclusion

As data privacy laws become more stringent and customer expectations shift, Shopify merchants can no longer rely on outdated analytics tools. Solutions like Piwik PRO offer not only compliance but also accurate, secure, and future-ready data collection.

By taking control of your data, respecting user privacy, and reducing dependence on third-party vendors, you can build a stronger, more resilient business. Privacy compliance isn’t just a legal safeguard — it’s a competitive advantage.

The post Why Shopify stores need privacy-compliant analytics appeared first on Piwik PRO.

While Google Analytics 4 (GA4) remains a popular default, many merchants discover its limitations too late: missing transactions, inconsistent reporting, lack of flexibility, and difficulty activating data outside Shopify.

Piwik PRO offers a powerful alternative. With full data accuracy, built-in tools for segmentation and activation, and seamless Shopify integration, it’s built for businesses that want more than just page views.

Why GA4 often falls short for Shopify merchants

Google Analytics 4 is designed for general-purpose web and app tracking, not for the specific needs of ecommerce platforms like Shopify. Here are some common challenges:

• Missing or delayed ecommerce events: GA4 sometimes fails to track all Shopify interactions reliably, especially without a custom setup.
  
• Lack of built-in reporting for Shopify-specific metrics: To obtain meaningful sales data, you often need an extra configuration or GA4 BigQuery exports.
  
• Data sampling and thresholds: In some cases, especially for larger stores, Google samples data or hides it entirely due to user privacy thresholds.
  
• Limited activation options: GA4 keeps your data within the Google ecosystem. Activating it in external platforms or marketing tools often requires workarounds or extra software.

Learn more: How to install Piwik PRO app for Shopify

Key differences: Piwik PRO vs. Google Analytics

Choosing the right analytics platform can make or break your data strategy. Here’s how Piwik PRO stacks up against Google Analytics 4, from data accuracy and privacy to Shopify integration and activation capabilities.

Read more:

• What is ecommerce analytics and how can you use it to grow your business
• Explore the benefits of ecommerce analytics with Piwik PRO Analytics Suite
• Reports in Google Analytics 4 and Piwik PRO: Everything you should know 

Why Piwik PRO stands out for reliable Shopify analytics

1. Accurate tracking from day one

Piwik PRO delivers clean, accurate data with no sampling. You’ll get the full picture of your store’s performance, capturing every transaction and visitor journey, without the uncertainty often introduced by GA4.

2. Data you can activate, not just analyze

What good is analytics data if it can’t drive action? With Piwik PRO, you can segment and send audience data to external platforms — ad networks, CRMs, email platforms without relying on third-party tools or cloud workarounds. This capability turns insights into revenue.

External data activation

Piwik PRO helps you to unlock the full potential of your data across all marketing channels. Activate your Shopify analytics data on external platforms and marketing tools:

• Direct integration with email marketing platforms for targeted campaigns
• Seamless data export to advertising platforms for enhanced audience targeting
• Real-time data synchronization with CRM systems for improved customer relationship management
• Custom API connections for specialized marketing tools and platforms

3. Built for ecommerce

Piwik PRO’s integration with Shopify ensures accurate event tracking and full compatibility with the platform’s privacy and data-sharing features. You’ll get the key data you need to drive conversions and improve customer experience.

4. More control, fewer limitations

Piwik PRO gives you full control over your data, which can be securely stored in the EU or a region of your choice. Most importantly, it’s never shared, sold, or used to train advertising algorithms.

5. Privacy support when you need it

Piwik PRO helps you comply with regulations like GDPR and CCPA automatically. Its anonymous tracking mode integrates with Shopify’s Privacy API and respects consent collected through any compatible platform.

Read more:

• What is ecommerce analytics and how can you use it to grow your business
• Explore the benefits of ecommerce analytics with Piwik PRO Analytics Suite

When to choose Piwik PRO over Google Analytics

Consider switching to Piwik PRO if:

• You’re frustrated by GA4’s limited Shopify event tracking and inconsistent reporting
  
• You need clean, unsampled data you can trust
  
• You want to activate analytics data across external marketing platforms
  
• You need more flexibility, transparency, and control than Google Analytics offers

Conclusion

Google Analytics 4 can feel like a black box, especially for Shopify merchants who need precision and performance. If you’re looking for a platform that gives you reliable insights, full data control, and the power to activate your data anywhere, Piwik PRO is the better choice.

It’s more than just privacy compliance. It’s analytics that work for your business.

The post Piwik PRO vs. Google Analytics for Shopify: A comparison appeared first on Piwik PRO.

Get up and running in minutes and start tracking the full customer journey across devices and sessions. With a built-in Customer Data Platform (CDP) included at no extra cost, you’ll gain deeper insights and the ability to activate data across external platforms – no coding required.

Why use the Piwik PRO Shopify app?

Robust, cookieless analytics without compromise

• Track the full customer journey across sessions and devices with accurate, unsampled data. Piwik PRO’s cookieless tracking integrates directly with Shopify’s checkout and product pages, ensuring every conversion is attributed to the right source.
• Gain actionable insights into which marketing channels drive genuine results, optimizing your ad spend where it matters most.
• Make confident investment decisions with reliable first-party data.

Built-in CDP for external data activation

• Segment your customers based on behavior, purchase patterns, and more.
• Activate high-value segments, such as cart abandoners or frequent buyers, through external platforms like email and ad tools.
• No extra cost for CDP access, unlike many competing platforms.

Customizable real-time dashboards

• Visualize performance across products, customer segments, and marketing channels. Create dashboards tailored to your business needs and monitor trends as they happen – all in one place.

Set up in minutes

• Install the app directly from the Shopify App Store.
• Automatically connect key store data without technical setup or manual code implementation.
• Use Piwik PRO Business or go with Enterprise for advanced use cases.

What you’ll unlock with Piwik PRO

Customer journey and funnel analysis
Track how users move from ad click to checkout. Identify drop-off points, top-performing products, and key conversion paths in your Shopify store.

Audience segmentation and activation
Leverage the built-in CDP to create segments based on real customer behavior and activate them outside Shopify in email, ad, or CRM platforms.

Actionable ecommerce insights
Get more out of your data with enhanced metrics around product performance, inventory movement, and high-converting customer types.

Full data ownership
Piwik PRO ensures you maintain full control of your data, which is stored securely and transparently.

The seamless setup

Getting started with Piwik PRO takes just minutes:

1. Install the app from the Shopify App Store
2. Create your Piwik PRO account
3. Connect your store with an automated setup – all essential values are pre-configured for you
4. Start collecting insights immediately with your privacy-compliant analytics dashboard

Free to install. Works with all Piwik PRO plans.

The post Introducing Piwik PRO app for Shopify: Advanced analytics with built-in CDP appeared first on Piwik PRO.

Personally identifiable information (PII) and protected health information (PHI) may seem similar. However, there are critical distinctions between the two. While PII is a catch-all term for any information that can be associated with an individual, PHI applies specifically to HIPAA-covered entities dealing with identifiable patient information.

Keeping HIPAA compliant and protecting patient information requires healthcare organizations to understand the differences between PII and PHI. Especially if they want to use such data to promote their services or improve the digital customer experience.

This blog post explains what differentiates PHI from PII and the key identifiers that change health information into PHI under HIPAA. You will also learn how your organization can protect PHI and run compliant marketing activities.

PHI vs PII

PII Defined

PII stands for personally identifiable information, an American legal term for any information that identifies, links, or relates to a person. The definition of PII can vary depending on the context, such as specific federal or state laws or industry regulations.

Generally, PII refers to:

• Full name
• Home address
• Email address
• Social security number
• Passport number
• Driver’s license number
• Credit card number
• Date of birth
• Telephone number
• Owned properties, e.g., vehicle identification number (VIN)
• Login details
• Processor or device serial number
• Media access control (MAC)
• Internet Protocol (IP) address
• Device IDs
• Cookies

US government agencies and non-governmental organizations often reference PII. Currently, despite ongoing discussions and proposals, there is no comprehensive federal legislation protecting personally identifiable information (PII) in the United States. Various state laws have been enacted to address data privacy, such as those in Delaware, Iowa, Maryland, and Tennessee, which are taking effect in 2025. Also, there are specific federal regulations and laws, like the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA), that focus on restricting the sale of sensitive data to certain foreign entities.

The National Institute of Standards and Technology (NIST) provides guidelines on the concept of PII, though they are not legally binding unless specifically referenced in a regulation.

Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Medical, educational, employment, and financial information all fall under PII. However, the line between PII and other kinds of information is vague. As the US General Services Administration stresses, the “definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified”.

read also

The guide to HIPAA compliance in analytics

Learn how your organization can achieve HIPAA compliance in analytics, marketing and advertising, including recommended practices and tools to adopt in your technology stack.

Download the whitepaper

What is PHI in healthcare?

Healthcare organizations deal with sensitive information concerning people’s health. In the US, safe parameters for using this kind of data in different contexts, including marketing, are set by the Health Insurance Portability and Accountability Act (HIPAA).

The definition of protected health information is broad. PHI and electronically protected health information (ePHI) mean any identifiable data about the patient, including name, address, date of birth, SSN, device identifiers, email addresses, biometrics, lab or imaging results, medical history, and payment information.

Thus, PHI is a subset of PII that refers explicitly to information processed by HIPAA-covered entities. When health information is combined with a personal identifier, the data becomes PHI.

What are HIPAA-covered entities?

Covered entities are specified in the HIPAA Privacy Rule as health plans, healthcare clearinghouses, and healthcare providers.

The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers:

1. Name
2. All geographic subdivisions smaller than a state (street address, city, county, zip code)
3. Dates, including birthdate, admission date, discharge date, and date of death
4. Telephone number
5. Fax number
6. Email address
7. Social Security number
8. Medical record number
9. Health plan beneficiary numbers
10. Account number
11. Certificate/license number
12. Vehicle identifiers and serial numbers, including license plate number
13. Device identifiers and serial numbers
14. Web URL
15. IP address
16. Biometric identifiers, including fingerprints and voice
17. Full face photo
18. Any other unique identifying number, characteristic, or code

As a result, not all health information acquired by organizations constitutes PHI. For example, phone numbers and residential addresses alone are not PHI. But if this data is connected with details about a health condition, treatment plan, or other particular health information, it would transform from PII to PHI.

In a Bulletin, the Office for Civil Rights (OCR) at the HHS states that healthcare information collected on a regulated entity’s website or app generally is considered PHI even if:

• The individual doesn’t have an existing relationship with the regulated entity.
• Data such as IP address or geographic location doesn’t include specific treatment or billing information like dates and types of healthcare services.

The original version of the bulletin assumed that anyone visiting a covered healthcare provider’s website was, is, or will be a patient of the provider. The updated bulletin from March 2024 attempted to clarify these provisions. It introduced subjective intent standards for classifying IP addresses as protected health information (PHI). While maintaining that IP addresses combined with health-related webpage visits could constitute PHI, the update added examples distinguishing scenarios like job postings (non-PHI) from cancer care pages (potential PHI) based on inferred user intent.

However, this created operational challenges for hospitals, as determining visitor intent on unauthenticated pages remained impractical. The updated bulletin did not substantively modify HHS’s core position that IP addresses linked to health-related content could trigger HIPAA obligations, despite the ongoing AHA lawsuit.

The HHS provides examples of what parts of a website or app can contain PHI:

• User-authenticated pages will likely contain many forms of PHI, making them subject to HIPAA.
• Some unauthenticated pages include PHI. Whether PHI is being disclosed depends on the visitor’s underlying intentions and whether the page visit relates to the individual’s health care.
• Mobile apps contain PHI provided by the app user and their devices, such as geolocation or device ID.

For more details on what qualifies as PHI, visit the HIPAA journal.

The American Hospital Association (AHA) and co-plaintiffs filed a lawsuit on November 3, 2023, challenging the HHS Office for Civil Rights’ December 2022 bulletin. They argued that the HHS bulletin unlawfully expanded HIPAA’s scope by treating data like IP addresses collected from public-facing hospital websites as PHI, exceeding statutory authority and bypassing proper rulemaking procedures.

In June 2024, a judge ruled in favor of the AHA. The ruling stated that HHS overstepped its authority by expanding the definition of PHI to include IP addresses combined with website visits. On August 29, the OCR decided not to appeal the district court’s decision.

Learn more: The AHA’s lawsuit against HHS guidance on online tracking technologies: What it means for HIPAA-covered entities and their use of analytics

However, it’s crucial to emphasize that the ruling doesn’t vacate other parts of the guidance. The court’s decision was very narrow and only issued in a specific case concerning IP addresses combined with visit data. It doesn’t mean healthcare organizations can downplay HIPAA requirements, freely track users, or ignore HHS’s guidance. Other parts of the bulletin remain in place, like those relating to authenticated pages, such as patient portals.

The issue of protecting PHI in the context of analytical tools hasn’t been settled once and for all. The fundamental issues surrounding the collection and use of PHI by healthcare organizations remain unchanged. While the definitions of PHI and ePHI are well-established, the widespread use and interoperability of modern IT systems make it alarmingly easy for PHI to inadvertently leak into your website or app. Therefore, it’s wiser to stay on the safe side rather than rely on a gray-area interpretation of PHI that maintains the status quo. To protect patient privacy and reduce the risk of hefty fines and loss of trust, organizations must remain vigilant about the data they collect and share with analytics vendors.

The requirements for processing PHI help protect patient privacy and make care coordination easier. The HIPAA Privacy Rule ensures that PHI is shared and used only with patient permission or for care coordination between covered entities. Identifiable health information is not considered PHI unless that organization is a HIPAA-covered entity.

PII and PHI penalties and compliance

Another important area in understanding PII and PHI is the penalties for non-compliance with applicable regulations. As PHI applies specifically to HIPAA-covered entities that possess identifiable health information, using the terms interchangeably can lead to compliance issues. PII and PHI penalties are primarily financial, but in severe cases they may also include incarceration.

PII

To help organizations manage and protect PII appropriately, the National Institute of Standards and Technology (NIST) created the “PII confidentiality impact level” standard, allowing entities to categorize PII into low, moderate, or high-risk levels. The levels are determined by evaluating the potential harm to individuals and the organization if the PII ends up in the wrong hands.

What is high-impact PII for some could be at a low impact level for others. Each organization will have different needs depending on the types of PII they are storing and the way it is organized. For example, Social Security Numbers are more sensitive than phone numbers and may be categorized at a high confidentiality impact level. In addition, a breach involving the information of 30 people will likely be less impactful than one involving 300,000 people.

When a PII breach occurs, businesses must report the incident. US lawmakers have introduced legislation requiring companies to notify the government within 24 hours of a data breach. Many states do not have strict deadlines when businesses report a violation to the government. Data breach notification laws vary state by state. All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private businesses, and in most states, governmental entities as well, to notify individuals of security breaches of information involving PII. Check out the list of Security Breach Notification Laws.

Deliberate, unauthorized disclosure of PII to others may result in incarceration and fines of up to $5,000.

PHI

The HIPAA Security Rule strictly regulates PHI breaches. It “establishes national standards to protect individuals’ electronic personal health information created, received, used, or maintained by a covered entity.”

HIPAA penalties are primarily financial and can be applied to healthcare providers, health plans, healthcare clearinghouses, and all other health organizations and business associates who have violated HIPAA rules.

In the case of PHI, HIPAA-covered entities that face a data breach are legally required to notify the HHS and state agencies within 60 days of the breach. If the breach impacts more than 500 residents of a state, organizations must notify major local media outlets through a press release.

In addition, covered entities must send a written notice in the mail to all impacted individuals and post information on the homepage of their website for at least 90 days. Specific requirements vary by state.

The penalties for HIPAA violations are divided into four tiers based on the level of culpability and intent behind the violation. Each level sets out criminal penalties, a fine, and a jail term, if applicable. HIPAA violation fines can be issued up to a maximum of $25,000 per violation category per calendar year. The minimum penalty is $100 per violation.

How to protect PHI in analytics

Health organizations are obligated to protect their patients’ PHI under HIPAA. You must apply a few safeguarding practices while collecting and processing data online.

1. Establish a business associate agreement (BAA) with every platform you use for marketing, advertising, and analytics and every company you’ll share your clients’ PHI with that meets the definition of a “business associate.” If you are a health organization and choose to send PHI to a business associate, you must have a written BAA requiring the associate to comply with HIPAA standards. If you don’t want to create a business associate relationship with the vendor or the vendor will not provide a satisfactory BAA, you cannot disclose PHI to that vendor without individuals’ authorization.

2. Provide breach notification to affected individuals, the Secretary, and the media (when applicable).

3. Address the use of analytics and other data platforms in your risk analysis and risk management processes. They are crucial components of HIPAA compliance, aimed at identifying and mitigating threats to electronic protected health information (ePHI).

4. Implement administrative, physical, and technical safeguards following the HIPAA Security Rule to protect PHI.

Administrative safeguards

Purpose: Focus on policies, procedures, and training to ensure the security of ePHI.

Examples:

• Conducting regular risk analyses to identify potential security threats.
• Implementing policies for workforce training and security management.
• Establishing procedures for emergency situations and incident response.
• Defining roles and responsibilities within the organization related to security.

Physical safeguards

Purpose: Protect the physical environment where ePHI is stored or accessed.

Examples:

• Implementing facility access controls, such as locks and alarm systems.
• Securing workstations and devices that handle ePHI.
• Establishing policies for the proper disposal and reuse of electronic media containing ePHI.

Technical safeguards

Purpose: Implement technologies to secure ePHI from unauthorized access or breaches.

Examples:

• Access controls to ensure only authorized personnel can view or modify ePHI.
• Audit controls to track and monitor access to ePHI.
• Data integrity measures to prevent unauthorized alteration or destruction of ePHI.
• Encryption and secure transmission protocols for ePHI sent over electronic networks.

5. Work with vendors that support values such as privacy by design. Privacy by design is an approach that integrates data privacy considerations into the design of systems, products, and services from the beginning rather than as an afterthought, ensuring data protection is prioritized alongside functionality. Following these values will help you fully control your data and understand what data you collect, store, and transfer.

6. If you can’t sign a BAA with the vendor, de-identify your PHI for research purposes or marketing by removing all 18 HIPAA identifiers. HIPAA-compliant de-identification methods include Expert Determination and Safe Harbor. Once the data is impossible to trace back to one individual, it is no longer PHI and no longer has protection under HIPAA.

It’s important to think through both the legal aspect of data collection in terms of what legal agreements need to be in place with vendors to be in compliance with HIPAA, and the technical aspect of data collection – what data can be stored and where, as well as what data needs to be anonymized prior to storage.

Pat Barry
VP, Data & Analytics at SPM Marketing & Communications

The obligations of healthcare companies that deal with PHI don’t stop there. HIPAA defines five major rules that all organizations that store, record, or share PHI and ePHI must follow. Read them here:

• Privacy Rule
• Security Rule
• Enforcement Rule
• Breach Notification Rule
• Omnibus Rule

Piwik PRO provides healthcare organizations with fully HIPAA-compliant analytics. Our platform allows you to securely collect and analyze PHI and ePHI and provide better and more personalized patient experiences.
By signing a BAA with us, you can safely send all types of PHI to your analytics setup. If you prefer, you can de-identify all PHI before sending it to our platform. Either way, you can ensure compliance with regulations.

On top of that, we offer the highest privacy and security safeguards to strengthen your data protection. Learn more about HIPAA compliance with Piwik PRO.

HIPAA marketing compliance: Best practices

When exploring HIPAA-compliant marketing strategies, you must first ensure that you disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule. You must obtain explicit written authorization from patients before using their PHI for marketing purposes, which requires a specific, signed consent form. You don’t need authorization to provide essential healthcare services.

Covered entities must have a BAA with the analytics or marketing vendors that they share PHI with. They should also use tools that employ robust security features like user authentication, access controls, audit logs, and end-to-end encryption.

Most analytics platforms, including Google Analytics 4, don’t permit the use of PHI data in their products. These platforms don’t offer BAAs for their standard versions and are not configured to support HIPAA compliance out-of-the-box. It means you must either make an extra effort to avoid passing any trace of PHI to your analytics, or switch to a HIPAA-compliant analytics platform, such as Piwik PRO Analytics Suite.

Read more: Piwik PRO is officially HIPAA-certified!

Remember that data collected from marketing pages and used in retargeting campaigns may constitute PHI. Aside from the 18 types of HIPAA identifiers, including names, addresses, and medical records, user IDs and IPs used for retargeting can easily become PHI. In most cases, using this information for marketing also requires the patient’s authorization and a platform that offers a BAA.

Consider investing in a safe first-party data strategy to use PHI in a way that fully respects HIPAA. Combining data from multiple touchpoints, including your analytics, email marketing software, customer management platforms, and offline sources, opens up many possibilities. 

Here are some tips for building a HIPAA-compliant data ecosystem:

• Use HIPAA-compliant customer data platforms (CDPs) to centralize and manage data from various sources, creating accurate and trusted patient profiles and focusing on first-party data.
• Utilize consent management platforms (CMPs) to manage consent forms and ensure data flows align with patient preferences.
• Limit access to authorized personnel only using role-based access controls to prevent unauthorized exposure.
• Implement policies for retaining and deleting PHI in accordance with HIPAA guidelines.
• Adopt policies and procedures for HIPAA compliance beyond technical measures.
• Inform patients about data collection and use, ensuring transparency and trust.
• Clearly communicate the benefits of sharing PHI to enhance patient engagement.
• Regularly monitor data access and changes, maintaining an audit trail to ensure compliance.

I highly recommend using server-side tagging on your website if you’re running digital marketing campaigns that send users to your site. Server-side tagging allows you to scrub PHI/PII from any user data ingested before sending that data back to the vendor.

Pat Barry
VP, Data & Analytics at SPM Marketing & Communications

Learn more about server-side tagging and tracking with Piwik PRO.

There are many different demands for compliant marketing and analytics under HIPAA. Read more:

• Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates
• HIPPA privacy guidance on marketing

Final thoughts

Understanding the scope of PII and PHI will help you to maintain HIPAA compliance and protect patient data, especially if you use third-party platforms like analytics. You will also be able to run compliant marketing activities.

To avoid the potential risks of using popular ad platforms or analytics tools in a highly regulated sector such as healthcare, consider employing marketing strategies that revolve around HIPAA-compliant platforms rather than big tech products that put you at risk of breaches and hefty fines. A first-party data strategy can benefit your organization and help you build a relationship with your patients grounded in trust.

If you’d like to learn more about data activation under HIPAA, contact us. We’ll be happy to present some compliant use cases to you.

Unlock better insights and stronger data control in healthcare — see Piwik PRO in action:

The post PHI and PII: How they impact HIPAA compliance and your marketing strategy appeared first on Piwik PRO.