Collecting and analyzing user data is essential to healthcare businesses that want to build relationships with prospects, better meet their patients’ needs, and gain authority within the industry.

As a healthcare organization subject to HIPAA, you’re walking a fine line when trying to improve the patient experience and ensure your activities are HIPAA-compliant.

Since 2023, HIPAA enforcement has intensified, with over $100 million in fines for pixel tracking violations. Google Analytics remains dominant, but it’s fundamentally incompatible with HIPAA requirements.

In this article, we will show you the analytics vendors and implementations available on the market and explore their advantages and shortcomings concerning HIPAA compliance.

What are the challenges of finding a HIPAA-compliant analytics tool

HIPAA’s strict regulations require careful evaluation of analytics tools. Non-compliance risks heavy fines, with 47% of healthcare marketers reporting issues like reduced ROI and reputation damage.

As of 2025, HIPAA enforcement has surged, with fines up to $63,973 per violation and caps at $2M for repeat issues. In 2024, OCR closed 22 enforcement actions, followed by 10 more in 2025, targeting risk analysis failures.

When it comes to web analytics platforms and HIPAA, your approach depends on whether you collect protected health information (PHI) through your site or app. Data that isn’t considered PHI is outside the scope of HIPAA.

First, sharing PHI for marketing and analytics is not a permitted disclosure under the HIPAA Privacy Rule. To legally send PHI to your analytics platform, you must sign a business associate agreement (BAA) with the vendor, specifying each party’s responsibilities regarding PHI and ePHI and establishing a legally binding relationship.

Many vendors don’t want to sign BAAs. In this case, you must remove all identifiers from the data to use their services, so that it’s no longer considered PHI. But the process of de-identification is long and complicated.

For one thing, HIPAA views many types of URLs as PHI. It would be hard to de-identify all URLs, and doing so would make your analytics unusable. For example, de-identification would negatively impact remarketing and user-based or service-based reporting.

On the other hand, cherry-picking URLs containing PHI would also be difficult, mainly because of how much sites change over time.

If you need to comply with HIPAA, you should evaluate the available healthcare analytics solutions and find the right tool for your needs, even if it means migrating to a new vendor. Below, we will analyze how different vendors approach data privacy in healthcare and help you choose the best option for your organization.

read also

The guide to HIPAA compliance in analytics

Learn how your organization can achieve HIPAA compliance in analytics, marketing and advertising, including recommended practices and tools to adopt in your technology stack.

Download the whitepaper

Why Google Analytics isn’t HIPAA-compliant

Although Google Analytics remains widely used, numerous compliance concerns and recent enforcement actions have made GA4 unsuitable for healthcare organizations.

Let’s consider several ways to implement GA4 and explore the issues associated with each approach.

Client-side GTM and GA4

This setup is not HIPAA-compliant.

Why can’t you send protected health information (PHI) to Google

Organizations covered by HIPAA can’t disclose PHI to tracking technology vendors – this includes sharing and using PHI for marketing purposes. Google uses all data within its systems to develop new services, improve existing offerings, and create personalized advertising experiences. Using a covered entity’s PHI for Google’s scale of operations can be a severe violation of HIPAA’s Privacy Rule.

Google also stores all tracked data in databases located around the world and offers neither on-premise hosting nor bespoke data residency services. Thus, covered entities cannot control where their patient data is stored. HIPAA sees this as a breach of accountability.

Google’s position is unambiguous in their official documentation. According to Google’s Analytics Help Center, “Customers who are subject to HIPAA must not use Google Analytics in any way that implicates Google’s access to, or collection of, PHI”.

You must make an extra effort to avoid passing any trace of PHI to your analytics or switch to an analytics platform that will help you process patient data with the proper safeguards.

When using client-side GTM, the user’s browser communicates directly with third parties, making it challenging to control the shared information. Depending on how your website or app processes user information, there might be a risk of PHI being shared in HTTP requests.

What are the challenges of defining protected health information (PHI)

Not all health data is PHI. For example, phone numbers or IP addresses alone aren’t PHI, but they become PHI when linked to health conditions or treatments.

The HHS bulletin elaborates on when data may qualify as PHI. Healthcare information collected on a regulated entity’s website or app is generally considered PHI even if:

• The individual does not have an existing relationship with the regulated entity, and
• Data such as IP address or geographic location does not include specific treatment or billing information, like dates and types of healthcare services.

HHS guidance states that authenticated pages will likely contain many forms of PHI, making them subject to HIPAA.

It also clarifies when unauthenticated pages include PHI. Specifically, whether PHI is being disclosed depends on the underlying intentions of the visitor.

For example, if a student visited a regulated entity’s webpage to review its oncology service offerings for a research paper, the collection of identifying information on the student would not be a violation because it is not related to the student’s health care. On the other hand, if an individual visited the same oncology webpage to seek a second opinion on a cancer diagnosis, any identifying information collected would be PHI because it relates to the individual’s past, present, and/or future health.

The bulletin also mentions that mobile apps contain PHI provided by the app user and their devices, such as geolocation or device ID.

You can’t set GA4 tags on any pages that may fit the definitions provided in the HHS bulletin.

Note: In June 2024, a judge ruled in favor of the AHA, declaring that OCR had overstepped its authority when issuing the guidance. On August 29, the OCR decided not to appeal the district court’s decision.

The court ruling and HHS’ decision not to appeal it do not settle the issue of collecting and using PHI by healthcare organizations. The ruling was issued in a specific case, indicating that an IP address combined with visit data from an unauthenticated web page does not constitute PHI. However, the ruling does not vacate other parts of the guidance, like those relating to authenticated pages such as patient portals. 

While the definitions of PHI and ePHI are well-established, the widespread use and interoperability of modern IT systems make it easy for PHI to inadvertently leak into your website or app. It’s wiser to stay on the safe side rather than rely on a gray-area interpretation of PHI. To protect patient privacy and reduce the risk of hefty fines, organizations must remain vigilant about the data they collect and share with analytics vendors.

Learn more about the implications of the court ruling: The AHA’s lawsuit against HHS guidance on online tracking technologies: What it means for HIPAA-covered entities and their use of analytics

Server-side GTM and GA4

This setup is not HIPAA-compliant.

Server-side GTM, when properly set up, helps you control what data you share with Google. User data is only sent to the server hosting the GTM container rather than being shared with multiple third-party servers. You can remove any PII within the server container before passing the data on to marketing partners.

However, you’ll face two types of issues with this implementation.

Why is it difficult to de-identify protected health information (PHI)

Since you’re not allowed to send PHI to Google Analytics, you must strip all PII/PHI from the data before sending it to GA4. 

De-identifying PHI requires the removal of all 18 HIPAA identifiers (Safe Harbor method) or expert analysis (Expert Determination method) to ensure the data isn’t PHI and doesn’t fall under HIPAA’s Privacy Rule. 

That said, it’s unlikely that you’ll be able to strip all PHI.

IP addresses and device IDs can be easily removed with ssGTM. However, URLs are more complicated to de-identify because you collect a URL title on every visit. The title can contain sensitive information, like the doctor’s name and specialization or a patient’s name, or you can collect search parameters in link decorations.

There are also issues with de-identifying custom dimensions, variables, and event attributes that you assign PHI to. For example, you may track a healthcare app and collect a custom event when someone clicks on a doctor’s image. The event collects the doctor’s name and specialization, which may lead to uncovering the individual’s health issue, thus making this data PHI.

What are the legal risks of using Google Tag Manager in healthcare

Another aspect concerns the legal risk involved with using GTM together with GA4. 

This is reinforced by Google’s Tag Manager Use Policy, which explicitly states that users “will not assist or permit any third party to pass information, hashed or otherwise, to Google that Google could use or recognize as personally identifiable information”.

As a result, you can’t send PII to GA4, and PHI is a subset of PII.

Some people say that you can still safely analyze such data in GA4, and these terms don’t apply because:

• You can host ssGTM on the HIPAA-compliant infrastructure of your choice.
• If you de-identify data, it’s no longer considered PHI.

But there is a lot at stake here. As a HIPAA-covered entity, consult your legal team before implementing this option.

Find out more about Google Analytics and HIPAA: Is Google Analytics HIPAA-compliant?

ssGTM, BigQuery, and data visualization tool

This setup may be HIPAA compliant if you take certain steps.

Another option involves combining ssGTM with BigQuery and a data visualization tool.

This type of setup will only be affected by the ssGTM issue with the difficult de-identification process. But this problem can be mitigated when you work with a HIPAA-compliant data collection tool.

For example, you can set up ssGTM with different tech, including a data collection system, and transfer events directly into BigQuery. With this setup, the data would never be sent to Google Analytics servers and only be recorded in BigQuery, which is HIPAA-compliant. You can store the raw data and access it with a BI tool such as Looker Studio or Tableau.

Streaming events from ssGTM to BigQuery is simple but lacks analytics processing, requiring additional data handling in BigQuery.

Cons

• Loads of maintenance needed, which leads to inflated data team costs.
• De-identification will most likely be necessary with ssGTM, depending on downstream technologies’ compliance with HIPAA. It’s a complex and time-consuming process that requires stricter organizational measures.
• ssGTM lacks transparency – there is no way for end-users to monitor or make decisions about data processing.

Pros

• A lot of talent on the market is proficient at using Google’s products and can support your implementation.
• The setup with ssGTM and BigQuery is quite popular.
• You have the flexibility of your own data warehouse.

Adobe: Enterprise analytics solution

Adobe is the second-biggest enterprise analytics player on the market.

Adobe offers a few products that can help you improve healthcare experiences while protecting patient privacy:

• Adobe Analytics (AA) is an analytics and reporting solution that monitors user traffic and interactions across various marketing channels. AA offers customizable reporting, segmentation and predictive insights, but is complex, costly, and requires specialized expertise, limiting its accessibility.
• Adobe Customer Journey Analytics (CJA) lets you connect cross-channel data, explore the customer journey in full context and apply AI-driven insights, and it resembles GA4. Concerning HIPAA, CJA can easily identify and secure PHI and PII, apply access rules, and create data use audits.
• Adobe Launch is a tag management system and part of Adobe Experience Manager.
• Adobe Real-Time Customer Data Platform (CDP) connects customer data from all your channels into unified profiles that support discovering insights and delivering personalized experiences.

So, do Adobe’s products help you comply with HIPAA?

Providing PHI to Adobe is compliant only if it concerns a HIPAA-ready service, following the license agreement and BAA between Adobe and its client. To check which Adobe’s services are compliant, you can check this list of Adobe’s HIPAA-ready products.

Two analytics setups have been implemented on the market using Adobe’s products:

Adobe Launch and Adobe Analytics

This setup is not HIPAA compliant.

Adobe Analytics is not listed as HIPAA-ready on Adobe’s site. It means that Adobe won’t sign a BAA with you to use AA. As a result, you are not permitted to create, receive, maintain, or transmit PHI through Adobe Analytics.

Adobe Launch and Adobe Customer Journey Analytics

This setup is HIPAA compliant.

Adobe CJA is on the HIPAA-ready list, so you can safely use it as a HIPAA-covered entity and send PHI to it. This setup can be complemented with Adobe CDP for audience creation and activation.

However, since the only way to achieve HIPAA compliance with Adobe is by using CJA, note that this tool’s main advantage is integration with other components in the Adobe Experience Platform. By itself, CJA is far less advanced than AA.

It’s also worth noting that cost considerations are significant with Adobe solutions. Adobe’s enterprise analytics packages typically start at $48,000 annually, making it one of the more expensive options in the market.

Cons

• You are faced with high implementation and subscription costs.
• Adobe’s analytics products are difficult to learn and use.
• You risk single-vendor lock-in due to the amount of other tightly integrated products offered by Adobe.

Pros

• You can sign a BAA.
• You get an all-in-one analytics solution.

Piwik PRO: Full-featured HIPAA analytics

Piwik PRO has emerged as the leading HIPAA-compliant alternative to Google Analytics, purpose-built for organizations operating in highly regulated industries. Piwik PRO provides privacy-friendly analytics and combines accuracy, flexibility, and complete control when collecting and analyzing customer data.

Unlike other vendors that add compliance features later on, Piwik PRO was designed from the ground up with privacy and security requirements in mind, including HIPAA-related features and controls. Piwik PRO also helps you comply with the HHS bulletin on the use of tracking technologies. Because of that, we can easily support your analytics use cases in healthcare.

Here is an overview of our modules, all of which allow you to comply with HIPAA:

• Analytics allows you to analyze the customer journey across websites and apps. You can use advanced analytics features like funnels, user flows, customizable reports and dashboards. And you can always extend the platform’s capabilities through custom development and integrations. You can use raw data exports to send data to any destination. Increased security features allow you to use Analytics in sensitive industries, like healthcare.
• Tag Manager lets you quickly create, test, and deploy tags from customizable templates. You gain greater flexibility in collecting and utilizing their data through smooth integration with other Piwik PRO modules.
• Customer Data Platform (CDP) enhances your ability to act on the insights you draw from your data. You can better understand your customers, provide more personalized experiences, and improve your campaigns.
• Consent Manager is an optional addition for increased transparency, allowing you to collect, manage, and store user consents.

Key HIPAA compliance features

The most important features of Piwik PRO that support HIPAA compliance include:

• Ability to sign a customizable business associate agreement (BAA), allowing you to send all types of PHI to your analytics setup.
• Hosting on HIPAA-compliant Microsoft Azure data centers, where you can choose the specific location of your data.
• ISO 27001 and SOC 2 type II certifications.
• Encryption of ePHI when the data is at rest and in transit.
• Advanced user-permission options that let you put PHI only in the hands of authorized personnel.
• Not sharing ePHI with third parties or reusing it for other purposes.
• Regular privacy and security audits undertaken by external, independent bodies to ensure the highest level of security measures.

Implementation options

Recommended ways for you to implement Piwik PRO modules include:

Piwik PRO Analytics, Tag Manager and CDP

This setup is HIPAA-compliant and provides a complete suite of modules for effective healthcare analytics.

With this option, you can safely collect and analyze PHI and ePHI while respecting the highest privacy and security safeguards. You can analyze the customer journey across all channels, control data collection and adjust it to your needs, and you get to activate the data to improve the patient experience.

Piwik PRO Analytics Suite and a data warehouse

This setup is HIPAA-compliant.

This is a point solution for marketers, combining the capabilities of analytics and activation. You can connect our suite of products with a data warehouse via scheduled raw data exports or API, allowing you to extend the platform’s data analysis functionalities.

Learn more about How to make your website compliant with HIPAA using Piwik PRO.

Cons

• You are using tools from one vendor only.
• There is a client-side tag manager.

Pros

• You can sign a BAA.
• You get an all-in-one analytics solution.
• The costs are low.
• CDP is available for server-side profile activations.
• You have the ability to use Piwik PRO as an analytics endpoint in server-side tracking, which improves data collection, accuracy and control.
• The modules are easy to learn and use thanks to their similarity to the Universal Analytics interface.

Freshpaint: Healthcare Privacy Platform

This setup is HIPAA-compliant but has limitations.

Freshpaint offers its Healthcare Privacy Platform, which serves as a privacy layer between your website and analytics tools.

It captures all tracking data and automatically de-identifies PHI before sending cleaned data to downstream tools. While this approach allows continued use of familiar platforms, it comes with significant trade-offs.

Freshpaint is not an analytics platform itself and must be connected to other tools to create a full analytics setup. Setup and maintenance require significant technical skills, resources, and coordination across multiple teams, which makes using the tool very costly.

You also can’t report on or visualize the data within Freshpaint’s platform, meaning you won’t have access to PHI. As a result, your dataset will be incomplete and therefore not fully accurate.

Cons

• Not a complete analytics platform – requires additional tools for full functionality
• Complex setup and maintenance requiring specialized technical expertise
• Higher total cost when factoring in multiple vendor relationships
• Limited reporting capabilities within Freshpaint itself
• Data accuracy issues due to aggressive PHI filtering
• Ongoing compliance risk if de-identification fails

Pros

• Enables the use of the existing Google Analytics setup
• Healthcare-specific BAA and compliance features
• Advanced PHI detection and filtering capabilities

Using a mix of vendors

This setup may be HIPAA compliant if you take certain steps.

Combining tools from different vendors can get complex. You need to assess your needs very well, understand what each tool offers, and check how it can help you comply with HIPAA.

Generally, your analytics setup should include the following tools:

Data collection system + data warehouse + data visualization tool

We list some popular data collection systems below and link to the relevant information regarding their HIPAA compliance. Aside from that, you will need to verify their specific HIPAA compliance yourself.

Data collection system

Data collection tools like CDPs (e.g., Segment) and BDPs (e.g., Snowplow) vary in complexity and offered capabilities. These vendors offer more than just pure tracking, meaning you need to make a separate assessment of your needs and how these tools fulfill them.

Popular data collection systems (trackers or CDPs) that will sign a BAA:

• Rudderstack
• Tealium
• Segment
• Snowplow – no need for a BAA in the self-hosted version (it’s uncertain whether the vendor would sign a BAA for the cloud)

Data warehouse

A data warehouse holds data that is extracted, loaded, and transformed from one or more operational source systems and modeled to enable data analysis and reporting in your business intelligence (BI) tools.

Popular data warehouse providers that will sign a BAA:

• Snowflake
• Google Cloud Platform (such as Google BigQuery)
• Microsoft Azure (such as Microsoft Azure Data Synapse)
• Amazon Web Services (such as Amazon Redshift)

Data visualization tool

A data visualization tool enables the visual representation of data, allowing for the effective extraction of actionable insights from the data.

Popular data visualization tools that will sign a BAA:

• Looker Studio
• Tableau
• Power BI

Common setups that include different vendors:

• Piwik PRO (data collection, visualization, and CDP) + data warehouse (data copy for science team) + Looker Studio or Tableau (broad data visualization)
• Adobe CJA + CDP + AEP (data collection, activation, and visualization)
• Rudderstack (data collection, CDP) + data warehouse + data visualization tool

Most data collection vendors, such as Freshpaint, allow for GA4 as a destination, so the flow can also look like this:

A data collection system + GA4

However, this setup requires you to de-identify PHI to safely use it.

Cons

• You need to review the HIPAA compliance of each vendor – analyze security and privacy, manage and negotiate cooperation with all three selected vendors, sign a BAA with each of them, etc.
• The connection between the systems may not be seamless – changes or API updates in each of those vendors may break your setup.
• You would require a data analyst or database expert to manage and maintain pipelines.
• The costs are very high – you need to pay for implementation, licensing of multiple vendors, and maintenance.

Pros

• You benefit from diversification of vendors, meaning no vendor lock-in.
• You can combine the benefits and features of each system you implement.

How to choose the right HIPAA-compliant analytics platform

As of 2025, the choice is no longer whether to replace Google Analytics, but which HIPAA-compliant alternative to choose. With enforcement at record levels and mature alternatives available, healthcare organizations that continue using Google Analytics are taking unnecessary legal and financial risks.

Here is a breakdown of key features of the recommended HIPAA-compliant analytics tools that we’ve looked into:

	Piwik PRO	Adobe CJA	Freshpaint	Mix of vendors
HIPAA compliance	Full BAA	CJA only		Multiple BAAs required
Ease of implementation
Secure data handling for organizations in sensitive industries
Cost	$	$$$	$$	$$$
Data ownership	Full control	Adobe ecosystem	Limited	Distributed
Support quality
Built-in analytics capabilities
Integrations with other tools

Compared to other options for analytics in healthcare, Piwik PRO offers the optimal balance of HIPAA compliance, enterprise features, and affordability, with a Google Analytics-like interface for seamless adoption.

The post A review of HIPAA-compliant analytics platforms appeared first on Piwik PRO.

Although often marketed as a privacy safeguard, EU hosting alone does not ensure full legal protection or true data sovereignty. For organizations committed to long-term compliance, user privacy, and robust data governance, understanding the difference between data hosting and data sovereignty is more important than ever.

In this article, we’ll unpack the nuances between EU hosting and EU data sovereignty, explain why this distinction is especially relevant in light of current EU-US data transfer dynamics, and show solutions that are designed to deliver genuine sovereignty, building a foundation of trust, transparency, and compliance in a shifting legal landscape.

EU hosting is not the same as EU sovereignty: Legal risks remain

Many analytics vendors highlight their use of EU-based data centers to signal compliance with European privacy laws. However, if the services are owned or controlled by non-EU entities, particularly U.S. companies, your data may still fall under foreign jurisdiction.

Under the U.S. CLOUD Act, American authorities can legally compel U.S.-based companies to provide access to customer data, no matter where it is stored. This creates a significant compliance risk for organizations seeking to align with EU data protection standards.

To enable lawful data transfers outside the EU, many providers rely on the EU–U.S. Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs). While both mechanisms are currently valid, they remain under ongoing legal scrutiny.

The DPF, like its predecessors, Privacy Shield and Safe Harbor, could be invalidated by the Court of Justice of the EU (CJEU). If that happens, most organizations will revert to SCCs, just as they did after the Privacy Shield was struck down. Yet even SCCs come with limitations: they don’t offer full protection from U.S. government surveillance, a concern equally relevant to the DPF.

Some providers, such as Microsoft, offer both mechanisms to give customers flexibility. However, neither fully resolves the underlying legal uncertainty that comes from using cloud services under foreign ownership, even when the data itself never leaves the EU.

Data Transfers: DPF vs. SCCs – What’s the Difference?

Under the General Data Protection Regulation (GDPR), there are different ways to transfer personal data outside the EU legally. The Data Privacy Framework (DPF) is one of them — it’s an adequacy decision (Article 45), meaning the EU considers certain countries (like the U.S., under the DPF) to offer enough protection.

Another option is using Standard Contractual Clauses (SCCs), legal contracts approved by the EU Commission (Article 46). You don’t need both – just one is enough.

Some companies, like Microsoft, use both: they’re certified under the DPF and offer SCCs. Why? Because the legal landscape can change, having SCCs adds a backup layer of protection.

True data sovereignty means more than simply storing data within the EU. It requires that both the data and the organizations handling it remain entirely under the EU’s legal jurisdiction, free from foreign ownership or extraterritorial influence. 

For example, even if data is physically stored in a European data center, using infrastructure operated by a non-EU company, such as a U.S.-based cloud provider, can expose that data to foreign laws like the U.S. CLOUD Act. This creates similar risks to storing the data outside the EU, as foreign authorities may still compel access, undermining EU privacy protections. To achieve real sovereignty, organizations must ensure that data stays in the EU and within infrastructure owned and managed by EU-based providers bound solely by EU law.

Learn more:

• EU-US data transfers uncertainties: How an EU-based analytics platform can improve your marketing performance
• Norwegian DPA warns against EU-US data transfers – what it means for your website analytics
• The Story Behind Safe Harbor and Privacy Shield

Compliance implications of data sovereignty

Data sovereignty isn’t just a legal formality – it’s a strategic safeguard. Under the GDPR, any transfer of personal data to a third country must not undermine the level of protection guaranteed within the EU. This means organizations must ensure that data remains shielded from unauthorized access, even when stored or processed abroad. Sovereign infrastructure plays a key role here, reducing the risk of foreign jurisdictions, including intelligence agencies, compelling access to sensitive data.

This is particularly critical in sensitive sectors like healthcare, finance, public services, and education, where user trust and legal exposure are tightly linked.

Read more:

• 17 new privacy laws around the world and how they’ll affect your analytics
• PIPEDA & CPPA: How the Canadian privacy laws impact your analytics [Updated]
• Everything you need to know about the New York Health Information Privacy Act (NYHIPA)
• Data privacy laws in the United States and how they affect your business [UPDATED]

What Piwik PRO and Cookie Information deliver

Piwik PRO and Cookie Information offer a privacy-focused analytics and consent management platform developed entirely under EU jurisdiction. Both tools are designed to meet GDPR requirements, but achieving true data sovereignty – where data remains inaccessible to foreign entities – depends on the underlying infrastructure.

This level of sovereignty is fully realized with the Piwik PRO Enterprise plan, which allows hosting on Elastx, a fully EU-owned provider. This ensures that both the data and the technology stack are governed solely by EU laws.

For organizations prioritizing maximum legal protection, it’s crucial to choose a solution that combines EU-based infrastructure with EU ownership. This not only addresses growing concerns around EU-US data transfers but also supports long-term compliance and regulatory certainty.

However, deploying an EU-based analytics tool alone isn’t enough. Consent management must also be handled within the EU to avoid undermining your compliance efforts. If a consent platform transmits data to the U.S. or other external jurisdictions, your data remains possibly exposed. The solution: integrate your analytics with a consent platform that is fully managed and hosted in the EU. Together, they create a unified, privacy-first marketing system that upholds user trust and data protection standards.

Headquartered in Copenhagen with data centers across the EU, Cookie Information is a trusted choice for marketers who value both compliance assurance and performance optimization.

Find out more about Piwik PRO and Cookie Information:

• Implement your data privacy strategy with Piwik PRO Analytics Suite
• Piwik PRO is a PIPEDA-compliant analytics vendor
• Integrating Piwik PRO and Cookie Information CMP is now easier than ever
• Collect and activate more of your data: The benefits of combining Cookie Information and Piwik PRO

Benefits of EU-sovereign analytics

Adopting a truly EU-sovereign analytics solution significantly reduces the risk of legal exposure to foreign surveillance laws and strengthens compliance with global privacy regulations such as the GDPR, the California Consumer Privacy Act (CCPA), and the Brazilian General Data Protection Law (LGPD). When combined with additional safeguards, including strong data transparency, robust user consent mechanisms, and responsible data handling practices, data sovereignty becomes a cornerstone of long-term legal stability. This holistic approach not only supports regulatory compliance but also fosters user trust and enables sustainable, privacy-conscious marketing strategies.

Key benefits of an EU-sovereign analytics stack include:

• Minimizing legal risk from non-EU surveillance frameworks
  
• Ensuring alignment with major privacy laws, including GDPR, CCPA, and LGPD
  
• Strengthening user trust through transparent and compliant data handling
  
• Enabling ethical marketing through anonymized, consent-based insights
  
• Securing sustainable legal certainty for data-driven strategies

Evaluating your analytics setup

You should evaluate whether your organization’s analytics tools genuinely comply with EU data protection laws or if they are simply hosted in EU-based data centers owned by non-European providers.

Whether your organization is just beginning its privacy journey or requires the highest level of data protection, Piwik PRO and Cookie Information offer scalable solutions to meet a range of compliance needs. Both provide free standard plans – Piwik PRO Business and Cookie Information – with EU-based data hosting via established cloud providers.

However, data residency alone doesn’t equal data sovereignty. What truly matters is who controls access to your data and under which jurisdiction. For organizations that require full legal assurance that their data remains beyond the reach of foreign laws, especially in light of evolving developments in the U.S., Piwik PRO Enterprise offers hosting on EU-owned infrastructure, helping organizations maintain sovereignty and comply with the strictest privacy regulations.

This is a pivotal moment for businesses to evaluate their hosting strategy. With legal frameworks like the EU-U.S. Data Privacy Framework under increasing scrutiny and potential invalidation, now is the time to make strategic, forward-looking choices. These are not decisions that can be made in haste – having control over your hosting environment today means being prepared for tomorrow’s regulatory challenges.

Ultimately, it’s up to each organization to determine its level of control. You have a choice – and now is the time to make it.

The post EU hosting vs. EU sovereignty: Why the difference matters for privacy-first analytics appeared first on Piwik PRO.

Tools that rely on third-party cookies and unclear data practices can lead to compliance challenges and loss of control over customer information. Although Google initially announced plans to phase out third-party cookies in Chrome by 2025, recent updates suggest that cookies will remain in use for the foreseeable future. This regulatory and technical uncertainty highlights the need for analytics solutions that offer long-term stability, transparency, and user privacy.

Privacy-compliant platforms like Piwik PRO give Shopify merchants a reliable and secure way to collect and analyze data, without compromising compliance, control, or customer trust.

The importance of privacy in ecommerce

Online shoppers are increasingly aware of how their data is tracked and used. In an environment where data breaches, aggressive targeting, and a lack of transparency are all too common, trust is easily destroyed.

Adopting a privacy-first analytics approach allows Shopify businesses to:

• Build credibility by handling data transparently and ethically.
  
• Comply with international regulations such as GDPR, CCPA, and others.
  
• Reduce the risk of fines and legal action due to noncompliance.
  
• Future-proof data collection strategies as third-party tracking becomes less effective.

Privacy is no longer just a legal obligation — it’s a fundamental part of the customer experience.

Seamless privacy compliance with Shopify 

With Piwik PRO’s anonymous tracking mode, you can keep collecting valuable insights — even when users don’t give consent. Integrated with Shopify’s Privacy API, it ensures your analytics remain compliant with GDPR, CCPA, and other regulations, without sacrificing essential data. That means you continue to understand customer behavior while fully respecting user preferences.

Challenges with traditional analytics tools

Many Shopify merchants have long been relying on popular platforms like Google Analytics. However, these tools come with serious limitations, especially in today’s privacy-aware environment:

• Compliance complexity: Setting up tools like Google Analytics to comply with GDPR or CCPA requires extra effort and technical resources.
  
• Loss of data control: Merchants using third-party platforms often give up ownership of their customer data. This data often supports larger ad networks, not your business goals.
  
• Data monetization risks: It’s not uncommon for platforms to sell or share user data to support their own advertising ecosystems — something Piwik PRO explicitly does not do.
  
• Ad blocker interference: Widespread use of ad blockers can disrupt tracking scripts, leading to inaccurate or incomplete data.
  
• Reliance on cookies: As tracking cookies become less relevant, analytics tools must adapt. Platforms that rely heavily on third-party cookies will continue to lose ground.

Benefits of privacy-compliant analytics for Shopify stores

Solutions like Piwik PRO offer Shopify merchants a powerful alternative to traditional analytics tools, emphasizing control, reliability, and privacy.

1. Complete data ownership and control

Piwik PRO ensures your analytics data stays in your hands. It’s securely hosted in a privacy-compliant cloud environment located in the region of your choice. Unlike platforms that feed data into ad ecosystems, Piwik PRO does not sell or share your customer information.

2. Vendor independence

With Piwik PRO, your analytics operate independently from the business models of Big Tech. Your data isn’t used to fund third-party advertising platforms — you remain in full control of your customer insights.

3. Resilient, cookieless tracking

Piwik PRO supports server-side tracking and cookieless data collection, offering accurate insights even as traditional methods become less reliable. This adaptability makes it a smart choice for navigating the uncertain future of online tracking.

4. Consent-aware Shopify integration

While the Piwik PRO Shopify app doesn’t offer a built-in consent manager, it integrates seamlessly with Shopify’s Privacy API. This allows it to respect analytics consent gathered through Shopify’s native privacy tools or compatible third-party platforms, helping you stay compliant without adding a separate consent solution.

5. Accurate data, no sampling

Google Analytics often uses data sampling on high-traffic sites, which can distort reporting. Piwik PRO avoids this by capturing every visit and event, ensuring the accuracy of your analytics, regardless of your store’s size.

6. Ad blocker resistance

Thanks to its privacy-friendly design, Piwik PRO is less likely to be blocked by privacy tools and extensions. This leads to more complete data collection and a clearer picture of customer behavior.

WEBINAR

Piwik PRO for ecommerce:
Get data-driven insights to boost your online sales

Watch the webinar recording and learn how to use Piwik PRO Analytics Suite to improve user experience, optimize product pages, and drive more sales.

Watch the webinar

How to implement privacy-compliant analytics on Shopify

Getting started with privacy-first analytics doesn’t have to be complicated. Follow these steps to ensure compliance and data integrity:

• Choose a trusted provider: Select a solution like Piwik PRO that’s purpose-built for data privacy and regulatory compliance.
  
• Integrate consent management: Use a third-party consent tool compatible with Shopify’s Privacy API to collect and manage user permissions.
  
• Adopt modern tracking methods: Implement first-party and cookieless tracking to ensure long-term reliability.
  
• Be transparent with users: Clearly communicate your data policies and give users control over their privacy preferences.
  
• Stay up to date: Regularly audit your analytics setup to ensure continued compliance with evolving regulations.

Conclusion

As data privacy laws become more stringent and customer expectations shift, Shopify merchants can no longer rely on outdated analytics tools. Solutions like Piwik PRO offer not only compliance but also accurate, secure, and future-ready data collection.

By taking control of your data, respecting user privacy, and reducing dependence on third-party vendors, you can build a stronger, more resilient business. Privacy compliance isn’t just a legal safeguard — it’s a competitive advantage.

The post Why Shopify stores need privacy-compliant analytics appeared first on Piwik PRO.

While Google Analytics 4 (GA4) remains a popular default, many merchants discover its limitations too late: missing transactions, inconsistent reporting, lack of flexibility, and difficulty activating data outside Shopify.

Piwik PRO offers a powerful alternative. With full data accuracy, built-in tools for segmentation and activation, and seamless Shopify integration, it’s built for businesses that want more than just page views.

Why GA4 often falls short for Shopify merchants

Google Analytics 4 is designed for general-purpose web and app tracking, not for the specific needs of ecommerce platforms like Shopify. Here are some common challenges:

• Missing or delayed ecommerce events: GA4 sometimes fails to track all Shopify interactions reliably, especially without a custom setup.
  
• Lack of built-in reporting for Shopify-specific metrics: To obtain meaningful sales data, you often need an extra configuration or GA4 BigQuery exports.
  
• Data sampling and thresholds: In some cases, especially for larger stores, Google samples data or hides it entirely due to user privacy thresholds.
  
• Limited activation options: GA4 keeps your data within the Google ecosystem. Activating it in external platforms or marketing tools often requires workarounds or extra software.

Learn more: How to install Piwik PRO app for Shopify

Key differences: Piwik PRO vs. Google Analytics

Choosing the right analytics platform can make or break your data strategy. Here’s how Piwik PRO stacks up against Google Analytics 4, from data accuracy and privacy to Shopify integration and activation capabilities.

Read more:

• What is ecommerce analytics and how can you use it to grow your business
• Explore the benefits of ecommerce analytics with Piwik PRO Analytics Suite
• Reports in Google Analytics 4 and Piwik PRO: Everything you should know 

Why Piwik PRO stands out for reliable Shopify analytics

1. Accurate tracking from day one

Piwik PRO delivers clean, accurate data with no sampling. You’ll get the full picture of your store’s performance, capturing every transaction and visitor journey, without the uncertainty often introduced by GA4.

2. Data you can activate, not just analyze

What good is analytics data if it can’t drive action? With Piwik PRO, you can segment and send audience data to external platforms — ad networks, CRMs, email platforms without relying on third-party tools or cloud workarounds. This capability turns insights into revenue.

External data activation

Piwik PRO helps you to unlock the full potential of your data across all marketing channels. Activate your Shopify analytics data on external platforms and marketing tools:

• Direct integration with email marketing platforms for targeted campaigns
• Seamless data export to advertising platforms for enhanced audience targeting
• Real-time data synchronization with CRM systems for improved customer relationship management
• Custom API connections for specialized marketing tools and platforms

3. Built for ecommerce

Piwik PRO’s integration with Shopify ensures accurate event tracking and full compatibility with the platform’s privacy and data-sharing features. You’ll get the key data you need to drive conversions and improve customer experience.

4. More control, fewer limitations

Piwik PRO gives you full control over your data, which can be securely stored in the EU or a region of your choice. Most importantly, it’s never shared, sold, or used to train advertising algorithms.

5. Privacy support when you need it

Piwik PRO helps you comply with regulations like GDPR and CCPA automatically. Its anonymous tracking mode integrates with Shopify’s Privacy API and respects consent collected through any compatible platform.

Read more:

• What is ecommerce analytics and how can you use it to grow your business
• Explore the benefits of ecommerce analytics with Piwik PRO Analytics Suite

When to choose Piwik PRO over Google Analytics

Consider switching to Piwik PRO if:

• You’re frustrated by GA4’s limited Shopify event tracking and inconsistent reporting
  
• You need clean, unsampled data you can trust
  
• You want to activate analytics data across external marketing platforms
  
• You need more flexibility, transparency, and control than Google Analytics offers

Conclusion

Google Analytics 4 can feel like a black box, especially for Shopify merchants who need precision and performance. If you’re looking for a platform that gives you reliable insights, full data control, and the power to activate your data anywhere, Piwik PRO is the better choice.

It’s more than just privacy compliance. It’s analytics that work for your business.

The post Piwik PRO vs. Google Analytics for Shopify: A comparison appeared first on Piwik PRO.

Personally identifiable information (PII) and protected health information (PHI) may seem similar. However, there are critical distinctions between the two. While PII is a catch-all term for any information that can be associated with an individual, PHI applies specifically to HIPAA-covered entities dealing with identifiable patient information.

Keeping HIPAA compliant and protecting patient information requires healthcare organizations to understand the differences between PII and PHI. Especially if they want to use such data to promote their services or improve the digital customer experience.

This blog post explains what differentiates PHI from PII and the key identifiers that change health information into PHI under HIPAA. You will also learn how your organization can protect PHI and run compliant marketing activities.

PHI vs PII

PII Defined

PII stands for personally identifiable information, an American legal term for any information that identifies, links, or relates to a person. The definition of PII can vary depending on the context, such as specific federal or state laws or industry regulations.

Generally, PII refers to:

• Full name
• Home address
• Email address
• Social security number
• Passport number
• Driver’s license number
• Credit card number
• Date of birth
• Telephone number
• Owned properties, e.g., vehicle identification number (VIN)
• Login details
• Processor or device serial number
• Media access control (MAC)
• Internet Protocol (IP) address
• Device IDs
• Cookies

US government agencies and non-governmental organizations often reference PII. Currently, despite ongoing discussions and proposals, there is no comprehensive federal legislation protecting personally identifiable information (PII) in the United States. Various state laws have been enacted to address data privacy, such as those in Delaware, Iowa, Maryland, and Tennessee, which are taking effect in 2025. Also, there are specific federal regulations and laws, like the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA), that focus on restricting the sale of sensitive data to certain foreign entities.

The National Institute of Standards and Technology (NIST) provides guidelines on the concept of PII, though they are not legally binding unless specifically referenced in a regulation.

Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Medical, educational, employment, and financial information all fall under PII. However, the line between PII and other kinds of information is vague. As the US General Services Administration stresses, the “definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified”.

read also

The guide to HIPAA compliance in analytics

Learn how your organization can achieve HIPAA compliance in analytics, marketing and advertising, including recommended practices and tools to adopt in your technology stack.

Download the whitepaper

What is PHI in healthcare?

Healthcare organizations deal with sensitive information concerning people’s health. In the US, safe parameters for using this kind of data in different contexts, including marketing, are set by the Health Insurance Portability and Accountability Act (HIPAA).

The definition of protected health information is broad. PHI and electronically protected health information (ePHI) mean any identifiable data about the patient, including name, address, date of birth, SSN, device identifiers, email addresses, biometrics, lab or imaging results, medical history, and payment information.

Thus, PHI is a subset of PII that refers explicitly to information processed by HIPAA-covered entities. When health information is combined with a personal identifier, the data becomes PHI.

What are HIPAA-covered entities?

Covered entities are specified in the HIPAA Privacy Rule as health plans, healthcare clearinghouses, and healthcare providers.

The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers:

1. Name
2. All geographic subdivisions smaller than a state (street address, city, county, zip code)
3. Dates, including birthdate, admission date, discharge date, and date of death
4. Telephone number
5. Fax number
6. Email address
7. Social Security number
8. Medical record number
9. Health plan beneficiary numbers
10. Account number
11. Certificate/license number
12. Vehicle identifiers and serial numbers, including license plate number
13. Device identifiers and serial numbers
14. Web URL
15. IP address
16. Biometric identifiers, including fingerprints and voice
17. Full face photo
18. Any other unique identifying number, characteristic, or code

As a result, not all health information acquired by organizations constitutes PHI. For example, phone numbers and residential addresses alone are not PHI. But if this data is connected with details about a health condition, treatment plan, or other particular health information, it would transform from PII to PHI.

In a Bulletin, the Office for Civil Rights (OCR) at the HHS states that healthcare information collected on a regulated entity’s website or app generally is considered PHI even if:

• The individual doesn’t have an existing relationship with the regulated entity.
• Data such as IP address or geographic location doesn’t include specific treatment or billing information like dates and types of healthcare services.

The original version of the bulletin assumed that anyone visiting a covered healthcare provider’s website was, is, or will be a patient of the provider. The updated bulletin from March 2024 attempted to clarify these provisions. It introduced subjective intent standards for classifying IP addresses as protected health information (PHI). While maintaining that IP addresses combined with health-related webpage visits could constitute PHI, the update added examples distinguishing scenarios like job postings (non-PHI) from cancer care pages (potential PHI) based on inferred user intent.

However, this created operational challenges for hospitals, as determining visitor intent on unauthenticated pages remained impractical. The updated bulletin did not substantively modify HHS’s core position that IP addresses linked to health-related content could trigger HIPAA obligations, despite the ongoing AHA lawsuit.

The HHS provides examples of what parts of a website or app can contain PHI:

• User-authenticated pages will likely contain many forms of PHI, making them subject to HIPAA.
• Some unauthenticated pages include PHI. Whether PHI is being disclosed depends on the visitor’s underlying intentions and whether the page visit relates to the individual’s health care.
• Mobile apps contain PHI provided by the app user and their devices, such as geolocation or device ID.

For more details on what qualifies as PHI, visit the HIPAA journal.

The American Hospital Association (AHA) and co-plaintiffs filed a lawsuit on November 3, 2023, challenging the HHS Office for Civil Rights’ December 2022 bulletin. They argued that the HHS bulletin unlawfully expanded HIPAA’s scope by treating data like IP addresses collected from public-facing hospital websites as PHI, exceeding statutory authority and bypassing proper rulemaking procedures.

In June 2024, a judge ruled in favor of the AHA. The ruling stated that HHS overstepped its authority by expanding the definition of PHI to include IP addresses combined with website visits. On August 29, the OCR decided not to appeal the district court’s decision.

Learn more: The AHA’s lawsuit against HHS guidance on online tracking technologies: What it means for HIPAA-covered entities and their use of analytics

However, it’s crucial to emphasize that the ruling doesn’t vacate other parts of the guidance. The court’s decision was very narrow and only issued in a specific case concerning IP addresses combined with visit data. It doesn’t mean healthcare organizations can downplay HIPAA requirements, freely track users, or ignore HHS’s guidance. Other parts of the bulletin remain in place, like those relating to authenticated pages, such as patient portals.

The issue of protecting PHI in the context of analytical tools hasn’t been settled once and for all. The fundamental issues surrounding the collection and use of PHI by healthcare organizations remain unchanged. While the definitions of PHI and ePHI are well-established, the widespread use and interoperability of modern IT systems make it alarmingly easy for PHI to inadvertently leak into your website or app. Therefore, it’s wiser to stay on the safe side rather than rely on a gray-area interpretation of PHI that maintains the status quo. To protect patient privacy and reduce the risk of hefty fines and loss of trust, organizations must remain vigilant about the data they collect and share with analytics vendors.

The requirements for processing PHI help protect patient privacy and make care coordination easier. The HIPAA Privacy Rule ensures that PHI is shared and used only with patient permission or for care coordination between covered entities. Identifiable health information is not considered PHI unless that organization is a HIPAA-covered entity.

PII and PHI penalties and compliance

Another important area in understanding PII and PHI is the penalties for non-compliance with applicable regulations. As PHI applies specifically to HIPAA-covered entities that possess identifiable health information, using the terms interchangeably can lead to compliance issues. PII and PHI penalties are primarily financial, but in severe cases they may also include incarceration.

PII

To help organizations manage and protect PII appropriately, the National Institute of Standards and Technology (NIST) created the “PII confidentiality impact level” standard, allowing entities to categorize PII into low, moderate, or high-risk levels. The levels are determined by evaluating the potential harm to individuals and the organization if the PII ends up in the wrong hands.

What is high-impact PII for some could be at a low impact level for others. Each organization will have different needs depending on the types of PII they are storing and the way it is organized. For example, Social Security Numbers are more sensitive than phone numbers and may be categorized at a high confidentiality impact level. In addition, a breach involving the information of 30 people will likely be less impactful than one involving 300,000 people.

When a PII breach occurs, businesses must report the incident. US lawmakers have introduced legislation requiring companies to notify the government within 24 hours of a data breach. Many states do not have strict deadlines when businesses report a violation to the government. Data breach notification laws vary state by state. All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private businesses, and in most states, governmental entities as well, to notify individuals of security breaches of information involving PII. Check out the list of Security Breach Notification Laws.

Deliberate, unauthorized disclosure of PII to others may result in incarceration and fines of up to $5,000.

PHI

The HIPAA Security Rule strictly regulates PHI breaches. It “establishes national standards to protect individuals’ electronic personal health information created, received, used, or maintained by a covered entity.”

HIPAA penalties are primarily financial and can be applied to healthcare providers, health plans, healthcare clearinghouses, and all other health organizations and business associates who have violated HIPAA rules.

In the case of PHI, HIPAA-covered entities that face a data breach are legally required to notify the HHS and state agencies within 60 days of the breach. If the breach impacts more than 500 residents of a state, organizations must notify major local media outlets through a press release.

In addition, covered entities must send a written notice in the mail to all impacted individuals and post information on the homepage of their website for at least 90 days. Specific requirements vary by state.

The penalties for HIPAA violations are divided into four tiers based on the level of culpability and intent behind the violation. Each level sets out criminal penalties, a fine, and a jail term, if applicable. HIPAA violation fines can be issued up to a maximum of $25,000 per violation category per calendar year. The minimum penalty is $100 per violation.

How to protect PHI in analytics

Health organizations are obligated to protect their patients’ PHI under HIPAA. You must apply a few safeguarding practices while collecting and processing data online.

1. Establish a business associate agreement (BAA) with every platform you use for marketing, advertising, and analytics and every company you’ll share your clients’ PHI with that meets the definition of a “business associate.” If you are a health organization and choose to send PHI to a business associate, you must have a written BAA requiring the associate to comply with HIPAA standards. If you don’t want to create a business associate relationship with the vendor or the vendor will not provide a satisfactory BAA, you cannot disclose PHI to that vendor without individuals’ authorization.

2. Provide breach notification to affected individuals, the Secretary, and the media (when applicable).

3. Address the use of analytics and other data platforms in your risk analysis and risk management processes. They are crucial components of HIPAA compliance, aimed at identifying and mitigating threats to electronic protected health information (ePHI).

4. Implement administrative, physical, and technical safeguards following the HIPAA Security Rule to protect PHI.

Administrative safeguards

Purpose: Focus on policies, procedures, and training to ensure the security of ePHI.

Examples:

• Conducting regular risk analyses to identify potential security threats.
• Implementing policies for workforce training and security management.
• Establishing procedures for emergency situations and incident response.
• Defining roles and responsibilities within the organization related to security.

Physical safeguards

Purpose: Protect the physical environment where ePHI is stored or accessed.

Examples:

• Implementing facility access controls, such as locks and alarm systems.
• Securing workstations and devices that handle ePHI.
• Establishing policies for the proper disposal and reuse of electronic media containing ePHI.

Technical safeguards

Purpose: Implement technologies to secure ePHI from unauthorized access or breaches.

Examples:

• Access controls to ensure only authorized personnel can view or modify ePHI.
• Audit controls to track and monitor access to ePHI.
• Data integrity measures to prevent unauthorized alteration or destruction of ePHI.
• Encryption and secure transmission protocols for ePHI sent over electronic networks.

5. Work with vendors that support values such as privacy by design. Privacy by design is an approach that integrates data privacy considerations into the design of systems, products, and services from the beginning rather than as an afterthought, ensuring data protection is prioritized alongside functionality. Following these values will help you fully control your data and understand what data you collect, store, and transfer.

6. If you can’t sign a BAA with the vendor, de-identify your PHI for research purposes or marketing by removing all 18 HIPAA identifiers. HIPAA-compliant de-identification methods include Expert Determination and Safe Harbor. Once the data is impossible to trace back to one individual, it is no longer PHI and no longer has protection under HIPAA.

It’s important to think through both the legal aspect of data collection in terms of what legal agreements need to be in place with vendors to be in compliance with HIPAA, and the technical aspect of data collection – what data can be stored and where, as well as what data needs to be anonymized prior to storage.

Pat Barry
VP, Data & Analytics at SPM Marketing & Communications

The obligations of healthcare companies that deal with PHI don’t stop there. HIPAA defines five major rules that all organizations that store, record, or share PHI and ePHI must follow. Read them here:

• Privacy Rule
• Security Rule
• Enforcement Rule
• Breach Notification Rule
• Omnibus Rule

Piwik PRO provides healthcare organizations with fully HIPAA-compliant analytics. Our platform allows you to securely collect and analyze PHI and ePHI and provide better and more personalized patient experiences.
By signing a BAA with us, you can safely send all types of PHI to your analytics setup. If you prefer, you can de-identify all PHI before sending it to our platform. Either way, you can ensure compliance with regulations.

On top of that, we offer the highest privacy and security safeguards to strengthen your data protection. Learn more about HIPAA compliance with Piwik PRO.

HIPAA marketing compliance: Best practices

When exploring HIPAA-compliant marketing strategies, you must first ensure that you disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule. You must obtain explicit written authorization from patients before using their PHI for marketing purposes, which requires a specific, signed consent form. You don’t need authorization to provide essential healthcare services.

Covered entities must have a BAA with the analytics or marketing vendors that they share PHI with. They should also use tools that employ robust security features like user authentication, access controls, audit logs, and end-to-end encryption.

Most analytics platforms, including Google Analytics 4, don’t permit the use of PHI data in their products. These platforms don’t offer BAAs for their standard versions and are not configured to support HIPAA compliance out-of-the-box. It means you must either make an extra effort to avoid passing any trace of PHI to your analytics, or switch to a HIPAA-compliant analytics platform, such as Piwik PRO Analytics Suite.

Read more: Piwik PRO is officially HIPAA-certified!

Remember that data collected from marketing pages and used in retargeting campaigns may constitute PHI. Aside from the 18 types of HIPAA identifiers, including names, addresses, and medical records, user IDs and IPs used for retargeting can easily become PHI. In most cases, using this information for marketing also requires the patient’s authorization and a platform that offers a BAA.

Consider investing in a safe first-party data strategy to use PHI in a way that fully respects HIPAA. Combining data from multiple touchpoints, including your analytics, email marketing software, customer management platforms, and offline sources, opens up many possibilities. 

Here are some tips for building a HIPAA-compliant data ecosystem:

• Use HIPAA-compliant customer data platforms (CDPs) to centralize and manage data from various sources, creating accurate and trusted patient profiles and focusing on first-party data.
• Utilize consent management platforms (CMPs) to manage consent forms and ensure data flows align with patient preferences.
• Limit access to authorized personnel only using role-based access controls to prevent unauthorized exposure.
• Implement policies for retaining and deleting PHI in accordance with HIPAA guidelines.
• Adopt policies and procedures for HIPAA compliance beyond technical measures.
• Inform patients about data collection and use, ensuring transparency and trust.
• Clearly communicate the benefits of sharing PHI to enhance patient engagement.
• Regularly monitor data access and changes, maintaining an audit trail to ensure compliance.

I highly recommend using server-side tagging on your website if you’re running digital marketing campaigns that send users to your site. Server-side tagging allows you to scrub PHI/PII from any user data ingested before sending that data back to the vendor.

Pat Barry
VP, Data & Analytics at SPM Marketing & Communications

Learn more about server-side tagging and tracking with Piwik PRO.

There are many different demands for compliant marketing and analytics under HIPAA. Read more:

• Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates
• HIPPA privacy guidance on marketing

Final thoughts

Understanding the scope of PII and PHI will help you to maintain HIPAA compliance and protect patient data, especially if you use third-party platforms like analytics. You will also be able to run compliant marketing activities.

To avoid the potential risks of using popular ad platforms or analytics tools in a highly regulated sector such as healthcare, consider employing marketing strategies that revolve around HIPAA-compliant platforms rather than big tech products that put you at risk of breaches and hefty fines. A first-party data strategy can benefit your organization and help you build a relationship with your patients grounded in trust.

If you’d like to learn more about data activation under HIPAA, contact us. We’ll be happy to present some compliant use cases to you.

Unlock better insights and stronger data control in healthcare — see Piwik PRO in action:

The post PHI and PII: How they impact HIPAA compliance and your marketing strategy appeared first on Piwik PRO.

This article details the recent regulatory changes impacting cross-Atlantic data transfers and highlights the challenges marketers are facing. We’ll also demonstrate why you should look for an EU-based web analytics solution and outline the steps you need to take to ensure fully compliant analytics.

The current state of data transfers between the EU and the US

The transfer of personal data between the EU and the US has been disputed for years, primarily due to fundamental differences in privacy laws. The EU’s General Data Protection Regulation (GDPR) enforces strict individual rights and control over personal data. The US, however, operates with more fragmented privacy laws, and intelligence agencies have broad data access powers under legislation such as the Foreign Intelligence Surveillance Act (FISA 702).

These concerns have triggered major legal challenges, including the Schrems I and Schrems II cases, invalidating previous data transfer frameworks (Safe Harbor and Privacy Shield). The core issue is that these frameworks failed to adequately protect EU citizens’ data against US government surveillance.

Recent political developments 

Recent developments in the US political landscape and European regulatory actions have intensified the situation, with significant implications for businesses, regulators, and transatlantic relations. Donald Trump’s return to the US presidency is a major source of uncertainty. 

Situation in the United States

Early in his new term, Trump questioned the Biden-era executive orders that underpin the Transatlantic Data Privacy Framework (DPF), adopted in July 2023. It introduced three key elements:

• Data Protection Review Court (DPRC): An independent redress body allowing EU individuals to challenge how US intelligence agencies handle data with binding decision-making authority.
• Executive order 14086: Signed by President Biden in October 2022, establishes proportionality and necessity requirements for US surveillance activities.
• Self-certification system: Requires US companies to publicly commit to DPF principles for streamlined transfers administered by the Department of Commerce.

Read more: Everything you need to know about the Data Privacy Framework (Privacy Shield 2.0)

However, the most destabilizing event was the loss of quorum at the US Privacy and Civil Liberties Oversight Board (PCLOB) after Trump requested the resignation of its Democratic members in January 2025. The shutdown of PLOB, a core oversight body referenced in the DPF, has intensified European doubts about the long-term viability and independence of US redress mechanisms for EU citizens. As privacy advocate Max Schrems of NOYB points out, the current oversight mechanisms “may not even stand the test of just the first days of a Tump presidency.”

European regulatory actions

In response to these developments, European Data Protection Authorities (DPAs) and governments are taking a series of regulatory and political actions, signaling a broader shift in the EU-US relationship:

• Norway: The Norwegian DPA issued a new guidance warning against EU-US data transfers, citing concerns about the legal framework’s stability and adequacy.
• Netherlands: The Dutch Parliament voted to reduce reliance on US tech companies, requiring government agencies to prioritize European cloud and data processing alternatives.
• Denmark: The Danish Ministry of Industry recommended that companies develop exit strategies from American cloud services.
• Germany: Germany’s Interior Minister stated that businesses should develop contingency plans, as the government can no longer guarantee the long-term stability of transatlantic data flow mechanisms.

These steps reflect a growing consensus in Europe that relying on US-based solutions carries increasing legal and strategic risks.

Read more about the wave of decisions by European DPAs declaring the use of Google Analytics (GA) illegal under GDPR:

• Norwegian DPA warns against EU-US data transfers – what it means for your website
• Denmark’s data protection authority says Google Analytics is illegal under GDPR
• Sweden’s data protection authority orders companies to stop using Google Analytics
• Google Analytics might soon be banned in Norway
• Is Google Analytics (3 & 4) GDPR-compliant? [Updated]

Why you need an EU-based web analytics solution

The current regulatory environment is unstable. With European authorities increasingly willing to issue immediate compliance orders, companies relying on US-based analytics tools risk sudden operational paralysis. Using non-compliant data tools risks fines of up to 4% of global revenue under GDPR. A single enforcement decision could leave marketers scrambling to replace core infrastructure overnight. 

Main challenges for marketers

As the legal landscape shifts faster than ever, marketers face new and pressing challenges. Understanding these risks is the first step toward securing your data strategy.

Campaign interruptions that devastate performance metrics

Regulatory actions often come without warning. In past cases, enforcement orders have immediately suspended marketing tools tied to unlawful data transfers. For marketers, this means pausing campaigns mid-flight, cutting off personalization, and creating reporting gaps that impede optimization.

Analytics blackouts that force blind decision-making

Turning off third-party analytics due to compliance concerns means you’re flying blind. You lose the ability to segment audiences, evaluate creative performance, or justify spend allocation. Many brands using tools like GA or Meta Ads have already reported shifting to temporary EU-hosted or server-side alternatives that may offer reduced capabilities and slower insights.

Attribution failures that cut down your budget

Attribution is how marketers defend their budgets. However, trust in the numbers declines when tracking breaks due to deactivation, missing consent, or blocked data transfers. Without complete visibility into multi-channel performance, marketing ROI becomes harder to prove, and budget reductions follow.

Wasted ad spend that drains resources

Without real-time feedback, marketers overinvest in underperforming ads and can’t scale what’s working. This has been a common pain point for brands forced to migrate analytics setups under pressure, often leading to weeks of reduced optimization and reactive decisions.

Personalization gaps that stall conversions

With consent under scrutiny and restricted data flows, many marketers are forced to revert to generic messaging strategies. When you lose the ability to personalize content by behavior, preferences, or segments, conversion can be significantly lower. 

Competitive disadvantage that costs market share

As some companies scramble to react to policy changes, others with EU-hosted analytics and consent-first marketing stacks gain a competitive advantage. Even short periods of interrupted optimization can create lasting performance gaps.

Key features to look for in your next analytics platform

Selecting an analytics platform that is future-proof and fully compliant with European standards is essential. As 78% of EU users say they would abandon brands that mishandle data, proactively adopting compliant solutions signals responsibility and builds loyalty. Here is the list of the most important features you should seek:

Full data residency and processing within the EU/EEA

Ensure all user data is collected, processed, and stored exclusively within the EU or EEA to avoid legal uncertainties related to international data transfers.

Compliance with GDPR and upcoming regulations (Data Act, DORA)

Your analytics provider should meet current GDPR requirements and be prepared for new EU regulations like the Data Act and DORA to demonstrate a commitment to ongoing compliance.

Transparent data governance and security certifications (ISO 27001, SOC2)

Look for platforms with recognized security certifications, such as ISO 27001 or SOC2, demonstrating robust data governance, risk management, and security practices.

Compliant consent management and automation of data subject rights

The analytics platform should offer built-in tools for managing user consent, automating responses to data subject requests, and documenting compliance actions.

Flexibility to integrate with other marketing tools

Choose analytics platforms that connect easily with your existing marketing stack, CRM, and advertising tools to streamline tracking and boost campaign performance.

User-friendly interface with customizable dashboards

An intuitive, customizable dashboard empowers your team to access insights quickly and tailor reports to specific business needs.

Support for anonymization and pseudonymization of personal data

Select an analytics platform that offers strong anonymization and pseudonymization features, such as IP masking and cookieless tracking, to reduce compliance risks.

Clear data export and deletion options

Your next analytics platform should provide straightforward options for exporting, deleting, and modifying user data to fulfill the GDPR’s rights to data portability and to be forgotten.

Leading EU-based analytics alternatives

Finding alternatives to US-based analytics platforms that carry EU-US data transfer risks is not an easy task. Find below a list of providers that offer varying combinations of compliance protection, marketing optimization, and operational integration.

Piwik PRO Analytics Suite

Piwik PRO Analytics Suite is a comprehensive EU-based analytics platform designed to ensure full compliance with data protection laws while delivering powerful marketing insights. It offers flexible hosting options across multiple EU countries, supports both event-based tracking and session-level aggregation, and enables advanced user behavior analysis with features like funnels and user flows.

Plausible

Plausible is a lightweight, privacy-focused analytics tool fully hosted in the EU. As it doesn’t use cookies or collect personal data, you don’t need to include it in your website consent banner or cookie policy. It’s an open-source and GDPR-compliant solution that offers transparent and minimalistic analytics.

Simple Analytics

Simple Analytics is a Dutch provider that processes and stores all data within the EU, ensuring full GDPR compliance. It does not use cookies or track personal data, so you don’t need to include it in your website consent banner or cookie policy. The platform delivers easy-to-understand reports, suitable for companies that need simple, privacy-respecting insights.

Statcounter

Statcounter is an open-source, self-hosted analytics tool designed for EU-based organizations. It collects no personal data and uses no cookies, ensuring GDPR compliance and a privacy focus. The platform only provides essential website metrics, making it basic, privacy-first analytics.

	Country	Analytics capabilities	Free version	Privacy friendliness
Piwik PRO	Poland
Plausible	Estonia
Simple Analytics	Netherlands
Statcounter	Ireland

Visit our pricing page for more details about the available plans.

Piwik PRO Analytics Suite – the ideal EU-based web analytics platform for marketers

Transitioning to Piwik PRO ensures you meet stringent data protection requirements and maintain or even enhance your analytical capabilities. These key features prove it is the best choice for compliant, EU-based web analytics.

Simplified privacy compliance

Piwik PRO enables you to collect data in a manner that is fully compliant with privacy laws, including GDPR, HIPAA, CCPA, and TTDSG. Privacy settings embedded directly in the user interface make managing compliance intuitive and straightforward.

Complete EU data sovereignty

It offers hosting across multiple EU countries, guaranteeing data residency and complete control over where your data is stored. Such options help you adhere to local data residency requirements, minimizing transfer risks.

Data residency and sovereignty

Piwik PRO allows you to choose data storage locations, ensuring compliance with local data residency requirements.

Advanced analytics with familiar concepts

Piwik PRO supports both event-based tracking and session-level aggregation, allowing marketers to analyze user behavior with advanced reports such as funnels and user flows. 

Also, to avoid chaos with your data, you can implement Piwik PRO alongside your existing Google Analytics setup. This will ensure continuity in your reporting when the EU-US DTF is invalidated as well as the safety of your data in case of any further changes in European or US privacy laws. 

Seamless migration and setup

Implement Piwik PRO with a single tracking tag and start analyzing data in under an hour. The platform follows a familiar logic for those transitioning from Universal Analytics or GA4.

Well-integrated product suite

Benefit from an advanced analytics ecosystem that includes a Customer Data Platform, a Tag Manager, a Consent Manager, and multiple integration options for better data activation and personalization.

The strong connection between analytics and consent management

EU-based consent management is equally important when implementing an EU-based analytics platform. Proper analytics becomes meaningless if your consent management platform still transfers data to the US. The solution is simple: pair your EU-based analytics with EU-based consent management to create a compliant and fully protected marketing intelligence system.

Cookie Information, headquartered in Copenhagen with a few data centers across the EU, has established itself as the marketer’s first choice when both compliance protection and performance optimization are priorities. 

As an EU-based consent management platform, Cookie Information benefits your marketing operations in at least 5 ways:

• Industry-leading consent optimization technology.
• Proprietary cookie scanning engine that automatically identifies and categorizes all marketing technologies, including those commonly missed by basic scanners.
• A strong consent record and export system designed to satisfy inquiries by data protection authorities (DPAs) about marketing data flows.
• Seamless integration with all major CMSs such as Shopify, Drupal, and WordPress, as well as advertising and analytics platforms like Google Tag Manager and Piwik PRO.
• Multi-language cookie consent banners for a localized website experience.

Conclusion: How to protect marketing performance and compliance when the future is uncertain

With international politics potentially reducing your ROI, acting proactively to protect your marketing operations is crucial. 

Start with a comprehensive audit of your marketing technology, focusing on EU-US data transfers and compliance mechanisms. Next, you should deploy EU-based analytics tools to replace the ones sending data to the US, ensuring both compliance and uninterrupted marketing insights. Review advertising platform data flows to implement EU data residency options where possible. 

As with your remaining marketing stack you should implement an EU-based consent management solution that optimizes consent rates and integrates easily with your existing setup. Finally, make sure to showcase your privacy-first approach to marketing – positioning your brand as the privacy leader in your niche – to build consumer trust.

A risk-free decision is implementing an European analytics solution like Piwik PRO alongside your current US-based analytics tools. With free options available, this parallel approach ensures marketing continuity while building valuable historical data in a privacy-compliant environment.

By following these strategic steps, you’ll minimize regulatory risks, avoid disruptions, and secure your marketing performance in the turbulent EU privacy landscape.

The post EU-US data transfers uncertainties: How an EU-based analytics platform can improve your marketing performance appeared first on Piwik PRO.

Webinar on-demand

A practical guide to digital analytics and advertising under HIPAA

Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney.

Healthcare organizations deal with tons of sensitive information concerning people’s health. It needs to be handled with proper care. In the US, safe parameters for using this kind of data in different contexts, including marketing, are set by the Health Insurance Portability and Accountability Act (HIPAA).

Unfortunately, many companies are still unaware of the provisions of the law and the potential consequences of breaching its rules. The recent scandal around the use of Facebook pixels inside the patient portals of renowned medical institutions is sad proof of that.

In this article, we explain which marketing practices are unlawful under HIPAA and why. We also present some practical measures you could take to make your retargeting campaigns HIPAA-compliant.

Finally, we provide you with more privacy-friendly alternatives to retargeting that can help you do effective marketing and engagement campaigns without violating patients’ privacy.

Healthcare providers continue to misuse patient data

The recent lawsuit filed against the UCSF Medical Center and the Dignity Health Medical Foundation has caused a stir in the world of healthcare. According to the lawsuit, the healthcare providers collected sensitive health information from patient portals and used it for retargeting ads on Facebook, transmitting the data to Facebook without patient consent.

Healthcare data breaches, although alarming, are neither new nor rare. As of July 2023, healthcare organizations reported 330 breaches of sensitive health information affecting 41.4 million individuals to the HHS Office for Civil Rights, compared to 52 million affected in all of 2022. Many breaches involve cyberattacks and ransom demands, but some involve the inadvertent disclosure of private health data through tracking technologies, known as pixels, utilized by social media companies. Last year, The Markup found that 33 of the top 100 US hospitals used Facebook pixels on their websites. Seven of them used tracking codes on patients’ portals behind login walls.

New guidance on using tracking technologies

Many healthcare companies remain unaware of HIPAA provisions and ways to comply with them. One of the factors affecting the increased number of HIPAA breaches is HHS’s bulletin from December 2022 that provides strict guidance on the use of third-party cookies, pixels and other tracking technologies by healthcare companies. This bulletin did not change HIPAA law itself, but rather provided an interpretation from HHS of how existing HIPAA rules apply to these technologies. This interpretation broadened what the HHS considers to be protected health information (PHI), which has sparked many controversies. 

Earlier in 2023, numerous healthcare organizations submitted breach reports, acknowledging they had violated the December guidance from HHS. Telehealth provider Cerebral filed a data breach notification with HHS, admitting to having disclosed PII to other parties without sufficient HIPAA-protective measures. In July 2023, the FTC and HHS sent a joint letter to approximately 130 hospital systems and telehealth providers to alert them to the risks of tracking technologies on sites and apps that can impermissibly disclose consumers’ sensitive personal health data to third parties. 

The AHA lawsuit against the HHS bulletin

The American Hospital Association (AHA) filed a lawsuit against the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in November 2023, challenging its guidance on the use of online tracking technologies. This lawsuit, joined by several hospital associations and health systems, aimed to block the enforcement of OCR’s December 2022 bulletin, which expanded the definition of PHI to cover metadata such as IP addresses combined with webpage visits collected through tracking tools like pixels on hospital websites and apps. 

In June 2024, a judge ruled in favor of the AHA, declaring that the OCR had exceeded its statutory authority under HIPAA. It is crucial to understand the narrow scope of this ruling. The court specifically addressed the use of IP addresses and website visit data from unauthenticated web pages. The ruling does not invalidate other parts of the HHS guidance, particularly those relating to authenticated pages or the use of other types of data. The fundamental responsibility of healthcare organizations to protect PHI remains unchanged. Practices allowed under HIPAA concerning the use of tracking technologies like analytics platforms are still subject to interpretation. Consequently, healthcare providers should err on the side of caution and choose an approach to analytics that will ensure security and compliance. 

Learn more: The AHA’s lawsuit against HHS guidance on online tracking technologies: What it means for HIPAA-covered entities and their use of analytics

What happens if you don’t comply with HIPAA

The unauthorized use of protected health data for marketing and advertising may have some serious consequences. HIPAA breaches lead to the harshest and most direct penalties, including fines of up to $1,806,757, and in some cases, even criminal sanctions.

Malpractice concerning healthcare data can also damage patients’ trust and affect their relationship with their healthcare provider. As a recent study shows, patients who worry about their electronic health records being compromised in a breach are three times more likely to withhold information from their physicians.

read also

The guide to HIPAA compliance in analytics

Learn how your organization can achieve HIPAA compliance in analytics, marketing and advertising, including recommended practices and tools to adopt in your technology stack.

Download the whitepaper

Marketing and HIPAA: The problem goes beyond Facebook

Under HIPAA, marketing is defined as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service”. An example of marketing includes sending promotional emails about new medical devices or services that encourage purchases. 

HIPAA generally requires covered entities to obtain written authorization from individuals before using or disclosing protected health information (PHI) for marketing purposes. The increased costs and complexity in obtaining these authorizations can hinder targeted marketing efforts.

It’s worth noting that communications related to treatment, case management, care coordination, or recommendations for alternative therapies are not considered marketing and don’t require patient authorization. 

Examples include:

• Prescription refill reminders.
• Information about health-related services included in a health plan.
• Communications aimed at improving patient care without promoting specific products.

It’s vital for healthcare organizations to clearly differentiate between permissible healthcare-related communications and those classified as marketing. They must also ensure that any tools or methods used for marketing (like email campaigns) are HIPAA-compliant.

To assess if your marketing use case requires patient authorization, read the guide on marketing by the US Department of Health and Human Services (HHS).

To learn about the elements of compliant patient authorization, look into the resources provided by the HHS.

The issue of defining PHI

Marketers must stay updated on what constitutes PHI in the digital age to avoid using data that could be considered protected without proper authorization. 

PHI includes any individually identifiable health information, which is a category that can be interpreted broadly. This means that even seemingly innocuous data, such as IP addresses or contact information, could be considered PHI if linked to health-related information. 

HIPAA’s definition of protected health information lists 18 types of data, including names, addresses, and medical records, but also user IDs and IPs often used to recognize visitors across channels. Even data collected from marketing pages and used in retargeting campaigns may constitute PHI.

Some publishers, such as Facebook, serve ads on social platforms available after logging in. Data that doesn’t include health information may become PHI when combined with user data from social networks.

Consider employing data aggregation or anonymization to remove individual identifiers, which makes it no longer PHI. Another method involves using a limited data set that can be used for marketing purposes with a data use agreement.

Signing a BAA

BAAs are essential tools for ensuring HIPAA compliance and protecting sensitive patient information when covered entities work with third-party vendors. By signing a BAA with a marketing or advertising vendor, a HIPAA-covered entity can securely share PHI with them. 

Popular advertising platforms, including Facebook, Google, and LinkedIn Ads, don’t give you the option to sign a business associate agreement (BAA). The same issue applies to many other products used by marketers, like analytics. Most of the platforms available on the market, including Google Analytics 4 and Adobe Analytics, don’t offer BAAs and forbid the use of PHI data in their products. 

These platforms cannot be configured in a HIPAA-compliant manner without significant customization, such as the lengthy and complex process of de-identifying PHI. A covered entity can’t just use GA4 or Adobe Analytics and expect to be compliant. The most future-proof approach involves switching to a marketing or analytics provider that will sign a BAA and help you process patient data with the proper safeguards. 

All these factors limit the ways you can do marketing in healthcare, especially when it comes to retargeting and other practices relying on user identifiers. That said, running retargeting campaigns is not impossible under HIPAA.

How to run compliant ad campaigns under HIPAA

Using retargeting in healthcare is possible but requires some serious precautions. 

Here are some tips for HIPAA-compliant advertising:

• Remove marketing pixels from your password-protected apps and websites, such as patient portals. Consider limiting their use to your homepage. Some subpages of your website, such as blog posts about a specific disease or treatment, may still contain health information and can pass it to advertising platforms. 
• Strip your data of any traces of PHI before you push it to ad networks. Make sure to get rid of any unique identifiers and pieces of data that would allow an individual to be identified. Follow the privacy guidelines of your chosen ad platform. 
• Create remarketing campaigns based on simple and broad targeting, for example, website visits. This way, instead of targeting individuals, you create broad remarketing campaigns that don’t involve PHI.
• Consider using a safe tag management system for better control over the information you send to the ad platforms. This way, you will control where and when pixels are allowed to run.

These campaigns will be less effective than traditional remarketing, since stripping your data from user identifiers removes the layer of personalization. However, they are still a good choice if you want to continue using ad platforms in your marketing.

That said, the compliance of your retargeting ads will depend on the type of healthcare business you’re in. The narrower and more sensitive the subject is, the greater the risk of disclosing PHI to a publisher.

Let’s consider three scenarios:

1. You want to prepare a remarketing campaign for a health insurance provider. Hence, you create a general campaign that targets users who have visited your website and presents them with non-personalized ads that promote your offer. In this case, you don’t rely on PHI, and the message of your ad doesn’t contain information about the visitor’s condition or health issues. Given that you’ve gotten rid of all potential user identifiers, your advertisement is most probably HIPAA-compliant.
2. You’re running a fertility clinic and plan to create a retargeting campaign based solely on page visits without using demographic data. Unfortunately, displaying ads related to sensitive issues, such as infertility, might still violate user privacy and bring compliance risks. By using data about a visit on a highly specialized website, you disclose information about a person’s potential health issues and share it with an ad platform.
3. You’re in charge of digital marketing for a dermatological clinic. A person has visited your website in search of dermatitis treatment. Retargeting them with an ad promoting a treatment for the skin condition they looked up would violate the patient’s privacy. But an ad that promotes your clinic without mentioning any particular health issues should be a safe choice.

Keep in mind that these are only general guidelines and examples. Each ad campaign must be carefully assessed to ensure that it does not directly or indirectly reveal protected health information.

Consider implementing search engine advertising (SEA) or contextual advertising, which do not rely on PHI or sensitive patient data but instead use keywords. 

You can also integrate data from your ad platforms with a secure analytics platform, such as Piwik PRO Analytics Suite. This will allow you to evaluate the performance of your ads without sending this data back to Google or Facebook and adjust your campaigns accordingly.

How to run compliant marketing campaigns under HIPAA

HIPAA-covered entities can engage in compliant marketing by following these strategies:

Content marketing

• Create educational content that does not require PHI, such as blog posts on health topics, videos about common medical conditions, and infographics on preventive care.
• Focus on general health information rather than specific patient cases.

Social media engagement

• Use social media to share general health tips and wellness advice, avoiding discussions of specific patient cases.
• Implement disclaimers to clarify that direct medical advice is not provided on social platforms.
• Educate staff on HIPAA-compliant social media practices.

Email marketing

• Obtain proper consent for marketing emails and use secure, HIPAA-compliant email platforms.
• Focus on general health information and practice updates rather than personalized health data.

Onsite retargeting and personalization

• Reengage patients directly on your website or inside your app and serve them special offers, discounts, or recommendations. 
• Get upsell and cross-sell opportunities, which may often not require patient authorization.

Creating a first-party data marketing strategy

Despite your best efforts, marketing campaigns run on popular advertising platforms always pose some compliance risks. These platforms weren’t built for such privacy-sensitive industries as healthcare.

For greater peace of mind, consider investing in a safe first-party data ecosystem to use the potential of PHI in a way that fully respects HIPAA.

The benefits of a first-party data marketing strategy include:

• Better compliance – Operating on first-party data helps you comply with data protection laws such as HIPAA. First-party data stays in the hands of those who collect it, and that gives more control and transparency over what happens with the data.
• Data accuracy – First-party data is more accurate because you obtain it directly from your patients, unlike third-party data that is often aggregated from various data sets. Also, this data comes from your audience, making it more relevant to your business.
• Patient trust – As you gather data first-hand from users and inform them about all processing purposes, you build trust and solid relationships with them.
• Enhanced personalization and segmentation – First-party data enables targeting content recommendations and messages at a more granular level. Relying on PHI in a safe data ecosystem will allow you to create detailed segments of users based on characteristics such as demographics or subscribed health plans. This wouldn’t be possible or permitted with third-party data.
• Increased customer engagement – The direct relationships built with site visitors and previous customers create many opportunities for customer experience optimization. As you gather data on customer engagement with the site and different digital assets, you gain key insights into what it needs to do better.

Customer data platforms (CDPs) and HIPAA compliance

You can use a customer data platform (CDP) to establish and manage a first-party data strategy. CDPs are not HIPAA-compliant by default, so you must carefully choose the right tool.

When evaluating a CDP for HIPAA compliance, look for the following security features:

• Data encryption at rest and in transit.
• Role-based access controls to limit PHI access.
• Audit logs for tracking PHI access and modifications.
• Consent management to track patient consent for marketing communications.
• Vulnerability scanning and conducting penetration tests.
• Incident response plan for data breaches.
• Physical security measures.

A HIPAA-compliant CDP lets organizations combine data from multiple touchpoints, including your analytics, email marketing software, customer management platforms, consent managers, offline sources, and more.

This helps companies connect siloed data to create unified patient records and opens up many possibilities for effective marketing activities to improve users’ digital experiences. CDPs can store consent centrally and use it to ensure compliance across all connected downstream systems.

One of the key features of a CDP is data activation, which allows you to target users with relevant content or recommendations.

Here are some ideas for activations that healthcare organizations can employ:

• Creating tailored treatment or medication plans and sharing them with patients via secure portals or apps.
• Showing real-time on-site banners to encourage users to learn more about your services.
• Sending emails reminding users to finish booking a test or a doctor’s visit.
• Providing recommendations for higher treatment plans for frequent users.

How to find a HIPAA-compliant marketing vendor

What makes a MarTech vendor the right partner for a HIPAA-covered organization? As mentioned, a willingness to sign a business associate agreement (BAA) is essential.

A BAA is a contract between a HIPAA-covered organization and its business associates. It obliges both sides of the contract to protect PHI and comply with the guidelines provided by HIPAA. This means ensuring the proper standards of data encryption, private hosting, data minimization options, and other safety measures required by the act.

Keep in mind that signing a BAA is not a universal solution – evaluate the marketing platform’s agreement, terms of service, and data management processes diligently.

There are also additional security features that you can look for in your chosen marketing tools, such as:

• User authentication methods to ensure unique login credentials to access the platform for each authorized employee. For increased security, the platform should enable two-factor authentication (2FA).
• Access controls limit access to sensitive data and should be set based on an employee’s job function. Not all employees should have full access to the platform – they should only be granted access to the data that they need to perform their job. 
• Audit logs help ensure that data is only accessed when it should be. Audit logs can be used to determine access patterns for each employee, enabling administrators to identify when an employee is accessing data excessively. This can help quickly detect breaches.
• End-to-end encryption enabled when electronic PHI is created, stored, transmitted, or received using a software platform.
• Storage of PHI on an encrypted offsite data backup server.

Piwik PRO gives you the option to sign a BAA, on top of many other HIPAA-protective measures, such as:

• Secure hosting in HIPAA-compliant data centers.
• Safe backup storage with maximum recovery capability.
• Data encryption and transmission mechanisms.
• Audit log and change log.
• Full data control, and more.

Read more about how Piwik PRO approaches HIPAA compliance.

If the vendor you choose won’t sign a BAA with you, you need to de-identify all data that can be considered PHI before sharing it with the vendor. Such data is deprived of any identifiers, so it is no longer viewed as PHI, removing it from the scope of HIPAA. At the same time, de-identified data lacks a lot of valuable information that would make your marketing campaigns more effective.

Alternatively, find a MarTech platform that offers on-premises hosting. If the vendor doesn’t have access to your infrastructure, they won’t be considered your business associate, so you won’t have to sign a BAA with them. However, maintaining such infrastructure requires extensive resources and time, so not every company will be able to use this option. You can also look into other secure, less resource-heavy options developed over the years, such as a private cloud.

Check out our review of HIPAA-compliant analytics platforms to choose the right analytics provider for your organization.

Marketing and HIPAA: A summary

Using popular ad platforms or non-compliant marketing platforms in a highly regulated sector such as healthcare puts organizations at risk of data breaches and issues with regulatory compliance. Consider employing alternative marketing strategies that don’t involve products from Big Tech. 

A first-party data strategy can bring many benefits to your organization and help you build a trust-based relationship with your patients. Opt for HIPAA-compliant marketing and analytics platforms that employ the highest security safeguards and offer business associate agreements (BAAs).

The post HIPAA, marketing and advertising: How to run compliant campaigns in healthcare appeared first on Piwik PRO.

Dive into the fourth and final episode of our video series with Brian Clifton, a renowned digital analytics and privacy expert. He presents the history of digital analytics, including technologies and mindsets surrounding the analytics industry. The first part is dedicated to the origins of web analytics tools, the second focuses on the increased interest in privacy in data collection, and the third discusses challenges in ensuring proper data quality for effective decision-making. 

In this part, Brian talks about the importance of staying current with technological advancements to maintain proper data quality. He also shares insights into the future of digital analytics, emphasizing the need to balance automation and human knowledge to enhance marketing strategies.

The complexity of data quality in digital analytics

Over the years, many have viewed data collection as a daunting task, particularly for those without technical expertise. However, it has become clear that the real challenge is not gathering data – it’s effectively making sense of it. Analysts must connect a host of data points to extract meaningful insights that drive informed decision-making.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

Poorly collected or noisy data can lead to tricky conclusions, making robust data-cleaning processes essential. Once data quality is compromised, correcting flawed data can be an intensive task and may require starting over from scratch.

“It’s very easy to collect poor-quality data without knowing it’s poor quality. However, it’s very hard to clean it later. Monitoring data quality at the point of collection is crucial for effective decision-making.”

Brian Clifton, Digital analytics and privacy expert

There is a school of thought that businesses should embrace aggregate tracking methods alongside individualized tracking. This dual approach enables organizations to gain insights into overall trends while respecting individual privacy rights, aligning more closely with consumer privacy choices. For those users that grant consent to be tracked, individualized tracking allows for the website to provide a more personalised experience.

Privacy and ethical use of data

As digital analytics has evolved, so has awareness of privacy responsibilities. Analysts now find themselves focused not only on educating data stakeholders about web analytics, but also on their obligations regarding protection of users’ data. Striking a balance between collecting valuable insights and upholding user privacy remains a persistent challenge.

“I think GDPR is the best thing since sliced bread as it has put control in the hands of users, and not with far away and opaque tech vendors. Privacy laws are here to stay, because that is what users want and I believe the US will eventually adopt a federal privacy law similar to GDPR, instead of having fragmented state-level regulations.”

Brian Clifton, Digital analytics and privacy expert

Organizations must navigate the complexities of compliance to avoid severe penalties, including hefty fines and reputational damage. As marketers adjust to these new realities, they must rethink their strategies to rely less on extensive personal data and more on aggregated insights that respect individual privacy.

Adapting to new analytics tools supported by AI

With rapid advancements in analytical tools, now is the time for organizations to reassess their technological stack. By exploring alternatives beyond traditional platforms, companies can better tailor their approaches to meet contemporary analytical needs.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

The role of analysts is becoming increasingly specialized, with AI augmenting human capabilities by enabling faster restructuring and comparison of data. Technologies like ChatGPT have dramatically transformed digital marketing by shifting focus from keyword-based searches to conversational queries. This evolution challenges the traditional role of the analyst, though building insights based on a solid understanding of the data is still key.

“Advanced web analytics isn’t about the tools; it’s about doing the basics very well and applying them in a clever way.”

Brian Clifton, Digital analytics and privacy expert

Making sense of data to drive meaningful change

AI has the potential to revolutionize digital marketing by providing rapid insights through data interpretation. While some jobs may be displaced by automation, AI creates new opportunities by handling time-intensive, complex tasks, allowing analysts to widen their analytical scope for even greater insights.

“There’s huge potential here – not to replace humans but to augment their capabilities with superpowers. AI serves as a smart, always-on, never forgetful assistant. It helps the analyst work faster and more efficiently, even trying new ideas that were previously too cumbersome to explore. The role of the analyst is becoming increasingly more important to businesses.”

Brian Clifton, Digital analytics and privacy expert

The future of digital analytics hinges on building trust and privacy while embracing technological advancements and AI-driven tools. By prioritizing data quality, respecting user privacy, leveraging new technologies, and fostering collaboration among teams, analysts can effectively navigate this dynamic landscape and drive meaningful change within their organizations. 

The post 25 years of digital analytics with Brian Clifton: The real challenge for the future is to make sense of data appeared first on Piwik PRO.

Healthcare organizations use analytics platforms to collect and analyze data about their patients. The data helps them improve the quality of digital services and personalize content and advertising. It also contributes to reducing data administration costs.

Using analytics tools in a strictly regulated sector such as healthcare requires caution, especially if you operate in the US or work with US patients. In this case, you must process and store protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

Healthcare entities cannot engage in the impermissible disclosure of PHI to tracking technology vendors. This is particularly important now with the expansion of sensitive information collected by vendors like Google Analytics. Disclosing PHI in a manner consistent with HIPAA has become more critical than ever.

In addition, patients are increasingly aware of their legal rights and data security. A focus on HIPAA compliance helps maintain patients’ trust.

Healthcare analytics – Google Analytics and HIPAA

If you use Google Analytics or similar software, you’re likely already optimizing your website to serve your customers better. But what about Google Analytics and HIPAA compliance?

In short – if you’re a HIPAA-covered entity, using GA4 puts you at serious risk of a HIPAA breach. 

Using Google Analytics to collect and process PHI and ePHI

In this scenario, you want to use analytics data and protected health information (PHI and ePHI).

PHI refers to any information relating to a patient´s condition, the past, present, or future provision of healthcare, such as lab or imaging results and medical history, or payment for such services. When identifiers are included in the same record set, PHI becomes individually identifiable health information and is thus protected when it is transmitted or maintained in any form by a covered entity.

Not all health information gathered by healthcare organizations is considered PHI. For example, in most cases, phone numbers, email addresses, or social security numbers alone are not PHI. However, if this data is connected to details about a health condition, treatment plan, or other particular health information, it would transform from PII into PHI.

Meanwhile, using GA4 to track PHI is far from being HIPAA-compliant.

Take a look at the HIPAA disclaimer from Google’s website:

Google states that Google Analytics doesn’t satisfy HIPAA requirements. And you can’t use Google Analytics for any purpose involving PHI if you are:

• A covered entity – hospital, clinics, insurance company, healthcare clearinghouse, etc.
• A business associate – for example, an external company hired to perform legal services, data aggregation, management or data analysis.

Moreover, if you want to use a tracking technology (such as an analytics platform) that collects and processes PHI, you must sign a business associate agreement (BAA) with the vendor. Google does not offer this option.

Why Google won’t sign a BAA with you

There are two possible reasons why Google won’t sign a BAA with organizations covered by HIPAA:

• Google doesn’t offer on-premises hosting and data residency of your choice. It means that all data tracked by the platform will be stored in randomly assigned data centers within and outside the US. This breaks the HIPAA accountability rule – you don’t know your patients’ exact data location.
• Google’s terms and conditions describe how it uses tracked data. Google uses the data to develop new services, measure the effectiveness of advertising, and personalize content and ads. Using any PHI or ePHI in an advertising context might be a serious violation of HIPAA.

As a result, if you pass any trace of PHI/ePHI into Google Analytics, you’rebreaking HIPAA regulations and Google’s terms of service. This may result in the termination of your GA account.

Many ways in which third-party tracking technologies, like Google Analytics, collect and track user information are not apparent to users visiting your website or app. These technologies send information directly to the third parties that develop them. Users’ unique identifiers and other collected information allow Google Analytics to create individual profiles for each user. They may continue to track users and gather information about them even after they navigate away from the original website to other websites. Such practices are particularly serious when they concern sensitive information like healthcare data.

Also, consider this case from your patients’ perspective. Your visitors trust your website and search for information about their illnesses, including cancer or depression. If they later see ads related to that illness on an unrelated page, you’ll be in trouble. This not only violates HIPAA provisions but also leads to the loss of patients’ trust in your organization.

read also

The guide to HIPAA compliance in analytics

Learn how your organization can achieve HIPAA compliance in analytics, marketing and advertising, including recommended practices and tools to adopt in your technology stack.

Download the whitepaper

Using Google Analytics without collecting and processing ePHI or PHI

If you use Google Analytics as a healthcare organization without collecting and processing PHI/ePHI, you might comply with HIPAA. However, this requires additional work and precaution from your side. You need to ensure you don’t send any traces of PHI/ePHI to Google Analytics – mistakes can be damaging to your company’s reputation and result in HIPAA breaches. This is also the case if you violate HIPAA rules unknowingly.

According to the OCR’s Bulletin, PHI can be found on different parts of your website, such as post-login areas, which will likely contain lots of PHI, but also on unauthenticated pages or mobile apps. For example, PHI disclosures can occur if a patient’s use of the page or app is related to a health condition (for example, they are using appointment scheduling pages and symptom-checker tools, or they are looking for specific treatment options) and is coupled with PII (for example, name, email address or IP address).

Whether PHI is being disclosed depends on whether the page visit relates to the individual’s health care or what the visitor’s underlying intentions are – and that’s difficult to determine with complete certainty.

GA4 and client-side vs. server-side Google Tag Manager (GTM)

There is a difference between using client-side and server-side GTM when it comes to HIPAA compliance. 

When using client-side GTM, the user’s browser communicates directly with third parties, making it challenging to control the information bring shared. Depending on how your website or app processes user information, there might be a risk of sharing PHI in HTTP requests. Consequently, this option is far from compliant with HIPAA.

Server-side GTM, when correctly set up, helps you control what data you share with Google. User data is only sent to the server hosting the GTM container rather than being shared with multiple third-party servers. You can remove any PII within the server container before passing the data on to marketing partners. However, consider two things:

• GTM’s use policy also requires compliance with Google Analytics’s terms of service, which state that you can’t send PII to GA4 – and PHI is a subset of PII.
• You must adequately de-identify any data matching the definition of PHI before sending it to Google, which is a lengthy and error-prone process.

Read more about using server-side GTM and GA4 as a HIPAA-covered entity.

Considering all these aspects, using Google Analytics by HIPAA-covered entities is very risky. If you want to take that risk, you must ensure no PHI finds its way into the platform. 

Take a look at these sample URLs:

• https://healthclinics.com/your_account_john_hill/stomatologist_nelson_green 
• https://healthclinics.com/url8554

The first URL contains PHI – your patient’s name and their doctor’s name and specialization. Meanwhile, the second URL is scrubbed of PHI and shows only a universally unique identifier. Ensure your settings and site architecture are properly configured so the first URL switches to the second one before it reaches your analytics.

One way is to de-identify data so it is no longer considered PHI and does not fall under HIPAA. However, de-identification is a complex and time-consuming process that requires strict organizational measures. It’s especially difficult for certain types of data, such as custom dimensions or event attributes.

The rules under HIPAA concerning the use of tracking technologies like analytics platforms continue to be subject to interpretation. While the definitions of PHI and ePHI are well-established, the broad adoption and connectivity of modern technologies increase the risk of PHI accidentally leaking into your website or app.

De-identified data may be less valuable for those who analyze it. Because it’s stripped of identifiers, you can’t use it to personalize content for returning visitors – they always appear as new visitors. You also can’t analyze patients’ journeys and create detailed conversion attribution.

How to make your analytics HIPAA-compliant

Switching to an analytics platform that allows you to process patient data with the proper safeguards can help you avoid the risks and limitations of using GA4.

The best way to support your HIPAA compliance efforts is to find an analytics vendor that will sign a business associate agreement (BAA). This will allow you to share PHI/ePHI without de-identifying or restricting its flow to the platform.

Here are a few analytics vendors that offer a BAA:

• Piwik PRO
• Mixpanel
• Heap
• Amplitude
• Freshpaint
• Adobe* (Applies to Adobe Customer Journey Analytics. You can’t sign a BAA to use Adobe Analytics.)

Some platforms offer on-premises hosting, which means you don’t share data with third parties and thus don’t need to sign a BAA. However, this option makes you responsible for your data infrastructure’s security, so ensure you have the resources and expertise to maintain it. You can self-host your analytics with Piwik PRO by storing your data in a dedicated database.  

When selecting the right tool, review each platform’s strengths individually and look in detail at your specific needs in terms of functionality, ease of use, resources, and cost.

Learn more: A review of HIPAA-compliant analytics platforms

Piwik PRO vs. Freshpaint

Both Piwik PRO and Freshpaint offer HIPAA compliance, but they differ significantly regarding the provided features. 

Piwik PRO is an all-in-one platform with analytics and data activation capabilities that can be further extended through integrations with other tools and platforms. It also employs high-level privacy and security features. Overall, you get HIPAA compliance and full analytics capabilities within one platform.

Freshpaint, on the other hand, doesn’t offer analytics capabilities. It sits between data sources (such as data warehouses) and third-party data destinations and acts as a buffer to prevent PHI from being sent to non-compliant tools. As a result, setup and maintenance require significant technical skills, resources, and coordination across multiple teams, making the tool very resource-intensive. 

HIPAA compliance with Piwik PRO

Piwik PRO Analytics Suite allows you to collect and analyze PHI and ePHI, helping you provide an even better and more personalized patient experience while employing the highest privacy and security safeguards. Depending on your organization’s needs, it enables you to track both basic and advanced data.

By signing a BAA with us, you can safely send all types of PHI to your analytics setup. If you prefer, you can de-identify all PHI before sending it to our platform. Either way, you can ensure you stay compliant with regulations. 

On top of a BAA, healthcare organizations can benefit from Piwik PRO through the following features: 

• Hosting on select HIPAA-compliant Microsoft Azure data centers located in the US
• 100% data control – Piwik PRO doesn’t share or reuse your data for its own purposes
• High-level privacy and security features (compliance with ISO 27001 and SOC 2 standards, including HIPAA certification)
• Granular data access controls to restrict data access only to authorized personnel
• Detailed audit logs to efficiently track data access and changes to the data collection configuration
• Integrated analytics, tag manager, consent management platform, and customer data platform
• User-friendly interface and customizable reports and dashboards
• Integrations with other platforms, marketing tools, data storage and more
• Personalized support and onboarding

After signing a BAA, you can safely use our Customer Data Platform (CDP) and activate the data to acquire new clients, better respond to patients’ needs, improve contact center interactions, and much more. 

Best practices for HIPAA compliance in analytics

Healthcare providers must carefully assess and monitor their tracking technologies, what tools can access PHI, and whether they have business associate agreements (BAAs) in place.

Start by reviewing your website architecture, the types of scripts you’re using, and the implementation and settings of your analytics software and tag manager. Consult your legal department or hire an analytics auditor to review your digital infrastructure and determine whether a BAA is necessary.

Consider the following questions:

• Are you tracking user IDs? If yes, how do you use them?
• What data appears in page URLs, titles and query strings?
• What information do you collect in the analytics platform with website forms? How do you use form data in personalization or analytics?
• Have you anonymized/hashed visitors’ IP addresses? Do you avoid tracking GPS or fine-grained location information?
• What other tags and third-party scripts (for example, from your partner’s website) do you use on your website?

Your legal and security teams should monitor changes in HIPAA and other applicable state regulations and guidelines issued by HHS/OCR, the FTC, and others and regularly evaluate your analytics setup for compliance with US law.

Additional security measures include addressing the use of tracking technologies in your risk analysis and risk management processes. To protect PHI/ePHI, implement appropriate administrative, physical, and technical safeguards.

Final thoughts

The use of Google Analytics by HIPAA-covered entities poses many compliance risks. While it’s technically possible to de-identify PHI and still use Google Analytics, much is at stake. Even minor mistakes can lead to costly lawsuits, civil penalties, and damage to your business’ reputation. 

With Piwik PRO, you can apply appropriate safeguards to protect your patient data rather than following a bare minimum approach. We help healthcare companies meet the stringent requirements of HIPAA and offer our clients informative, valuable, and actionable insights.

FAQ

Is Google Analytics HIPAA-compliant?

No, Google Analytics is not HIPAA-compliant. Google explicitly states that it doesn’t satisfy HIPAA requirements, and you can’t use it for any purpose involving protected health information (PHI) if you are a covered entity (e.g., hospital, clinic, insurance company) or a business associate. Google also does not offer a business associate agreement (BAA).

What is a business associate agreement (BAA)?

A business associate agreement (BAA) is a contract between a HIPAA-covered entity and a business associate. It ensures that the business associate understands its responsibilities regarding PHI and will protect it according to HIPAA guidelines. If you want to use a tracking technology that collects and processes PHI, you must sign a BAA with the vendor.

Why doesn’t Google offer a BAA for Google Analytics?

There are two main reasons:

• Data hosting and residency: Google doesn’t offer on-premises hosting or guaranteed data residency. Data is stored in randomly assigned data centers, potentially outside the US, which conflicts with HIPAA’s accountability rule regarding knowing the location of patient data.
• Data usage: Google’s terms allow them to use collected data to develop new services, measure advertising effectiveness, and personalize content. Using PHI for advertising purposes would be a HIPAA violation.

What happens if I pass PHI/ePHI into Google Analytics?

You would be violating HIPAA regulations and Google’s terms of service. This could result in the termination of your Google Analytics account, breaches of HIPAA, fines and damage to your organization’s reputation.

Can I use Google Analytics if I don’t collect PHI/ePHI?

Yes, but it requires significant caution and effort. You must ensure that no PHI/ePHI is transmitted to Google Analytics. Mistakes can be costly. PHI can be found in many different places, including post-login areas, unauthenticated pages, or mobile apps (e.g., in URLs, form fields, or event data).

What is considered PHI?

Protected health information (PHI) is any information relating to a patient’s condition, the past, present, or future provision of healthcare, such as lab or imaging results and medical history, or payment for such services. When identifiers are included in the same record set, PHI becomes individually identifiable health information (IIHI), and it becomes protected when transmitted or maintained in any form by a covered entity. Even seemingly innocuous data like IP addresses, combined with information about a patient’s visit related to a health condition, can be considered PHI.

How can I make my analytics HIPAA-compliant?

• Switch to a HIPAA-compliant analytics platform: The best approach is to use an analytics platform that offers a BAA and provides the necessary safeguards for handling PHI.
• De-identify data: You can attempt to de-identify all PHI before sending it to Google Analytics, but this is a complex, time-consuming, and potentially error-prone process.
• Consider on-premises hosting: Some platforms offer on-premises hosting, giving you complete control over your data and eliminating the need to share it with third parties. However, this option requires significant resources and expertise to maintain data security.

Which analytics platforms offer a BAA?

Analytics vendors that offer a BAA include:

• Piwik PRO
• Mixpanel
• Heap
• Amplitude
• Freshpaint
• Adobe* (for Adobe Customer Journey Analytics but not Adobe Analytics)

The post Is Google Analytics HIPAA-compliant? appeared first on Piwik PRO.

As of January 1, 2025, significant amendments have been introduced, particularly concerning cookie guidelines and user data collection. 

These changes aim to enhance user privacy and align Norway’s regulations with broader European standards, such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive.

Understanding the Norwegian E-Com Act

The E-Com Act serves as Norway’s implementation of the aforementioned EU’s privacy regulations, focusing on regulating electronic communications networks and services. 

A critical aspect of this Act concerns the use of cookies and similar tracking technologies – web beacons (pixel tags) or JavaScript trackers – on websites, mobile apps, and other digital platforms. 

Cookies, small data files stored on a user’s device, are widely used to enhance user experience, facilitate website functionality, and gather data for web analytics and marketing purposes. However, in some cases, this raises concerns about user privacy.

Norway’s new cookie guidelines (2025)

The 2025 amendments to the E-Com Act introduce stricter requirements for obtaining user consent before setting cookies or other online tracking technologies. 

Previously, implied consent methods, such as pre-ticked boxes or reliance on browser settings, were considered acceptable. Under the new cookie guidelines of the E-Com Act, such practices are no longer allowed. 

Consent must now be:

• Freely given: Users must have a genuine choice without any form of coercion or deception.
• Specific: Consent should be obtained for distinct purposes, ensuring users fully know what they agree to.
• Informed: Users must be provided with clear and comprehensive information about the data being collected, its purpose, and who will process it.
• Unambiguous: Consent must be indicated through explicit affirmative action, such as ticking an unchecked box or clicking an accept button, leaving no room for misinterpretation.

Additionally, the scope of cookies that do not require consent has been narrowed. Only those deemed “strictly necessary” (instead of just “necessary” in the previous version of the E-Com law) for a website or service’s basic functionality are exempt from consent. 

This change emphasizes the importance of obtaining explicit, active consent for analytics, marketing, or tracking cookies. 

In addition, companies are to meet the following requirements:

• Classify cookies under categories (strictly necessary, marketing, functional, etc.).
• Ensure users can easily give granular consent, i.e., agree to one cookie category but not the others.
• List the categories and respective cookies in the website’s privacy or cookie policy (this step can be easily automated with a tool like Cookie Information, which updates your cookie policy according to the cookies found during your website’s scan).

Proper cookie categorization on your website is essential to complying with Norway’s updated cookie regulations. These regulations now give authorities tools to easily determine which types of cookies are strictly necessary.

Implications for data collection in web analytics

These stringent consent requirements have significant implications for data collection, particularly in the realm of web analytics. 

Web analytics relies heavily on data gathered through cookies to monitor user behavior, measure site performance, and fuel marketing strategies. 

Under the updated E-Com Act, analytics cookies do not fit into the ‘strictly necessary’ category and require user consent.

With the new regulations in force, you have to bear in mind these crucial aspects of your web analytics:

• Data availability: If users choose to withhold consent for analytics cookies, the pool of data available for analysis may diminish.
• Data accuracy: Without comprehensive data, analytics may not accurately reflect user interactions, potentially impacting business decisions.
• User trust: Transparent data practices can enhance user trust, potentially leading to higher consent rates and more reliable data. 
• Compliance: Non-compliance with the E-Com Act can result in substantial fines and reputational damage.

Therefore, organizations must adapt by implementing robust consent management solutions that allow users to easily grant or withdraw consent.

Impact of the E-Com Act compliance on businesses

The updated E-Com Act 2025 should not be considered another set of business limitations. Despite the challenges associated with stricter regulations, it offers numerous opportunities.

Here are some of them:

Building trust with users

Businesses can foster trust and loyalty by providing users with clear and detailed information about data collection practices. A privacy-centric approach can differentiate your organization from competitors who don’t comply with the new consent requirements and strengthen customer loyalty.

Future-proofing against regulatory changes

The E-Com Act aligns with broader trends toward stricter data protection laws worldwide. Compliance now ensures businesses are well-positioned to adapt to future regulations, minimizing disruptions.

Gaining competitive advantage

Adopting compliant analytics tools like Piwik PRO allows organizations to balance privacy with performance. Businesses prioritizing user privacy can market themselves as ethical and trustworthy, appealing to increasingly privacy-conscious consumers.

Improved data quality

While the new consent requirements may limit the volume of data collected, the quality of the data obtained will likely improve. With explicit user consent, businesses can have more confidence that the analyzed data reflects genuine engagement, which allows them to target their audiences more precisely.

Steps to achieve compliance with the E-Com Act

Businesses operating in Norway or targeting Norwegian users should take the following steps to ensure compliance with the newly introduced requirements:

1. Audit your current practices

• Review the types of cookies and tracking technologies used on your website.
• Identify whether you rely on implied consent or collect data without explicit user approval.

2. Implement a consent management platform

• Deploy a consent manager that allows users to give, withdraw, or modify their consent easily.
• Ensure the tool meets the E-Com Act’s requirements for obtaining clear, specific, and informed consent.

3. Update your privacy policies

• Clearly outline your data collection practices, cookie usage, and user rights in your privacy policy.
• Make the policy easily accessible to users on your website.

4. Leverage privacy-friendly analytics 

• Switch to analytics platforms like Piwik PRO that prioritize user privacy and offer robust compliance features.
• Consider using cookieless tracking to mitigate data loss while respecting user privacy.

5. Train your team

• Educate your staff on the implications of the E-Com Act and the importance of compliance.
• Provide ongoing training to ensure your team stays informed about changes in privacy laws.

How Piwik PRO can assist you in complying with the E-Com Act

Piwik PRO Analytics Suite is a privacy-friendly analytics platform that enables businesses to meet regulatory requirements while maintaining effective data collection and analysis. 

Here’s how Piwik PRO supports compliance with the stricter cookie and consent regulations:

Privacy-centered data collection

Piwik PRO enables companies to collect data in compliance with the E-Com Act, GDPR, CCPA, and similar regulations. 

Its analytics platform offers flexible solutions that allow you to adapt to privacy requirements:

• Integrated consent manager: Piwik PRO is equipped with its own consent manager. It also integrates seamlessly with consent management tools like Cookie Information, ensuring users’ consent preferences are respected at every data collection stage. Only the data authorized by the user is processed, supporting compliance with the E-Com Act’s demand for specific and informed consent.
• First-party data focus: Piwik PRO allows you to gather first-party data, which is less intrusive and aligns with privacy regulations. This helps organizations reduce reliance on third-party tracking technologies while improving data privacy.

Enhanced transparency for users

Transparency is a cornerstone of the updated E-Com Act. Piwik PRO simplifies compliance by offering functions that make it easy to communicate with users about data collection:

• Customizable cookie banners: Businesses can create transparent, user-friendly cookie banners that adhere to E-Com Act requirements. 
• Granular opt-in/out settings: Users can consent to specific types of cookies, such as those for analytics or marketing, giving them greater control over their data.

Data protection at every stage

Piwik PRO Analytics Suite is designed to protect user data throughout its lifecycle, from collection to storage and processing. Key features include:

• Data hosting in secure locations: Piwik PRO allows businesses to store data in Europe or other trusted locations.
• Retention period management: Companies can set and manage data retention periods to comply with the principle of data minimization.
• Data anonymization: This feature allows you to respect users’ privacy preferences while gaining valuable insights into their behavior on your website.
• Cookieless tracking: If you want to reduce your reliance on cookies, Piwik PRO enables cookieless tracking, an ideal alternative for companies navigating stricter cookie consent rules.

Conclusion

The Norwegian Electronic Communications Act introduces stricter requirements for data collection and cookie consent, emphasizing the importance of user privacy. 

While these changes present challenges, they offer businesses opportunities to build trust, enhance transparency, and future-proof their operations against evolving regulations.

By leveraging privacy-friendly solutions like Piwik PRO Analytics Suite, organizations can meet the E-Com Act’s demands and gain a competitive edge in today’s privacy-conscious market. 

With features like customizable cookie banners, first-party data, and cookieless tracking, Piwik PRO empowers businesses to balance compliance with effective data-driven decision-making.

Discover Piwik PRO’s privacy-friendly and E-Com-compliant analytics. Create an account or book an individual demo.

FAQ

What is the Norwegian E-Com Act?

The E-Com Act in Norway, which aligns with the European Union’s ePrivacy Directive, governs electronic communications within the country. This comprehensive legislation impacts various aspects of online interactions, including data collection, storage, and processing. 

It aims to safeguard individuals’ privacy and ensure that businesses and other digital entities responsibly handle their personal information.

When did the E-Com Act come into force?

The E-Com Act, with its latest amendments regarding cookies and user data, came into force on January 1, 2025.

What are the new cookie guidelines in Norway?

Norway’s new E-Com Act has updated cookie guidelines, requiring explicit user consent for all but strictly necessary cookies. Websites can no longer use pre-checked boxes or imply consent, and must clearly communicate their data practices. Only cookies essential for core functions are exempt. 

Analytics practices must also comply, potentially requiring consent for analytics cookies or alternative tracking methods. These changes give users more control over their data and require businesses to adapt to maintain compliance and ethical standards.

How must companies obtain user consent under the Norwegian E-Com Act?

The E-Com Act has strict requirements for user consent: it must be freely given, specific, informed, and unambiguous:

• Freely given consent means users have a genuine choice without facing negative consequences. 
• Consent must be obtained separately for each specific purpose. 
• Users must be provided with clear and comprehensive information about the data processing. 
• Unambiguous consent means it must be expressed through explicit affirmative action. Pre-checked boxes or passive methods are unacceptable.

Companies gathering cookies must also list them in their privacy policy and categorize them properly, enabling users to give granular consent, i.e. to accept only some cookie categories while declining others. See the full checklist.

Which companies must adapt to the new cookie guidelines of the E-Com Act?

Any business that operates in Norway or targets Norwegian users and utilizes cookies or similar tracking technologies on its websites and/or mobile apps must adapt to the new cookie guidelines.

How does the E-Com Act impact web analytics?

The Norwegian E-Com Act classifies analytics cookies as non-essential and requires explicit user consent before their deployment. This can lead to incomplete datasets and skewed web analytics reports, as users who decline cookies won’t be included in data collection. 

Businesses operating in Norway or targeting Norwegian users must adapt their strategies by implementing cookie consent mechanisms, exploring alternative data collection methods, or adjusting analytics practices to account for data gaps.

How can businesses comply with the E-Com Act?

To comply with the Norwegian E-Com Act, businesses should take a multi-faceted approach to data protection and privacy by following these steps:

• Conduct a thorough cookie compliance audit
• Implement a consent management platform (CMP)
• Update privacy and/or cookie policies
• Utilize privacy-friendly analytics
• Train staff on data protection
• Consider data processing agreements with vendors
• Stay informed about regulatory changes

By taking these proactive steps, businesses can navigate the complexities of the Norwegian E-Com Act, ensuring compliance and fostering trust with their customers.

How can Piwik PRO help with E-Com Act compliance?

Piwik PRO provides a comprehensive suite of tools designed to assist businesses in achieving and maintaining compliance with various data protection laws, including the Norwegian E-Com Act, while collecting user data. These tools include:

• Privacy-friendly analytics
• Integrated consent manager
• First-party data focus
• Customizable cookie banners
• Granular opt-in/out settings
• Secure data hosting
• Data retention management
• Data anonymization
• And many more

With Piwik PRO’s comprehensive suite of tools, businesses can navigate the complexities of the Norwegian E-Com Act and similar regulations, ensuring compliance while collecting valuable user data.

The post Navigating the Norwegian E-Com Act 2025: How it Impacts Web Analytics and What Steps You Should Take appeared first on Piwik PRO.