Collecting and analyzing user data is essential to healthcare businesses that want to build relationships with prospects, better meet their patients’ needs, and gain authority within the industry.

As a healthcare organization subject to HIPAA, you’re walking a fine line when trying to improve the patient experience and ensure your activities are HIPAA-compliant.

Since 2023, HIPAA enforcement has intensified, with over $100 million in fines for pixel tracking violations. Google Analytics remains dominant, but it’s fundamentally incompatible with HIPAA requirements.

In this article, we will show you the analytics vendors and implementations available on the market and explore their advantages and shortcomings concerning HIPAA compliance.

What are the challenges of finding a HIPAA-compliant analytics tool

HIPAA’s strict regulations require careful evaluation of analytics tools. Non-compliance risks heavy fines, with 47% of healthcare marketers reporting issues like reduced ROI and reputation damage.

As of 2025, HIPAA enforcement has surged, with fines up to $63,973 per violation and caps at $2M for repeat issues. In 2024, OCR closed 22 enforcement actions, followed by 10 more in 2025, targeting risk analysis failures.

When it comes to web analytics platforms and HIPAA, your approach depends on whether you collect protected health information (PHI) through your site or app. Data that isn’t considered PHI is outside the scope of HIPAA.

First, sharing PHI for marketing and analytics is not a permitted disclosure under the HIPAA Privacy Rule. To legally send PHI to your analytics platform, you must sign a business associate agreement (BAA) with the vendor, specifying each party’s responsibilities regarding PHI and ePHI and establishing a legally binding relationship.

Many vendors don’t want to sign BAAs. In this case, you must remove all identifiers from the data to use their services, so that it’s no longer considered PHI. But the process of de-identification is long and complicated.

For one thing, HIPAA views many types of URLs as PHI. It would be hard to de-identify all URLs, and doing so would make your analytics unusable. For example, de-identification would negatively impact remarketing and user-based or service-based reporting.

On the other hand, cherry-picking URLs containing PHI would also be difficult, mainly because of how much sites change over time.

If you need to comply with HIPAA, you should evaluate the available healthcare analytics solutions and find the right tool for your needs, even if it means migrating to a new vendor. Below, we will analyze how different vendors approach data privacy in healthcare and help you choose the best option for your organization.

read also

The guide to HIPAA compliance in analytics

Learn how your organization can achieve HIPAA compliance in analytics, marketing and advertising, including recommended practices and tools to adopt in your technology stack.

Download the whitepaper

Why Google Analytics isn’t HIPAA-compliant

Although Google Analytics remains widely used, numerous compliance concerns and recent enforcement actions have made GA4 unsuitable for healthcare organizations.

Let’s consider several ways to implement GA4 and explore the issues associated with each approach.

Client-side GTM and GA4

This setup is not HIPAA-compliant.

Why can’t you send protected health information (PHI) to Google

Organizations covered by HIPAA can’t disclose PHI to tracking technology vendors – this includes sharing and using PHI for marketing purposes. Google uses all data within its systems to develop new services, improve existing offerings, and create personalized advertising experiences. Using a covered entity’s PHI for Google’s scale of operations can be a severe violation of HIPAA’s Privacy Rule.

Google also stores all tracked data in databases located around the world and offers neither on-premise hosting nor bespoke data residency services. Thus, covered entities cannot control where their patient data is stored. HIPAA sees this as a breach of accountability.

Google’s position is unambiguous in their official documentation. According to Google’s Analytics Help Center, “Customers who are subject to HIPAA must not use Google Analytics in any way that implicates Google’s access to, or collection of, PHI”.

You must make an extra effort to avoid passing any trace of PHI to your analytics or switch to an analytics platform that will help you process patient data with the proper safeguards.

When using client-side GTM, the user’s browser communicates directly with third parties, making it challenging to control the shared information. Depending on how your website or app processes user information, there might be a risk of PHI being shared in HTTP requests.

What are the challenges of defining protected health information (PHI)

Not all health data is PHI. For example, phone numbers or IP addresses alone aren’t PHI, but they become PHI when linked to health conditions or treatments.

The HHS bulletin elaborates on when data may qualify as PHI. Healthcare information collected on a regulated entity’s website or app is generally considered PHI even if:

• The individual does not have an existing relationship with the regulated entity, and
• Data such as IP address or geographic location does not include specific treatment or billing information, like dates and types of healthcare services.

HHS guidance states that authenticated pages will likely contain many forms of PHI, making them subject to HIPAA.

It also clarifies when unauthenticated pages include PHI. Specifically, whether PHI is being disclosed depends on the underlying intentions of the visitor.

For example, if a student visited a regulated entity’s webpage to review its oncology service offerings for a research paper, the collection of identifying information on the student would not be a violation because it is not related to the student’s health care. On the other hand, if an individual visited the same oncology webpage to seek a second opinion on a cancer diagnosis, any identifying information collected would be PHI because it relates to the individual’s past, present, and/or future health.

The bulletin also mentions that mobile apps contain PHI provided by the app user and their devices, such as geolocation or device ID.

You can’t set GA4 tags on any pages that may fit the definitions provided in the HHS bulletin.

Note: In June 2024, a judge ruled in favor of the AHA, declaring that OCR had overstepped its authority when issuing the guidance. On August 29, the OCR decided not to appeal the district court’s decision.

The court ruling and HHS’ decision not to appeal it do not settle the issue of collecting and using PHI by healthcare organizations. The ruling was issued in a specific case, indicating that an IP address combined with visit data from an unauthenticated web page does not constitute PHI. However, the ruling does not vacate other parts of the guidance, like those relating to authenticated pages such as patient portals. 

While the definitions of PHI and ePHI are well-established, the widespread use and interoperability of modern IT systems make it easy for PHI to inadvertently leak into your website or app. It’s wiser to stay on the safe side rather than rely on a gray-area interpretation of PHI. To protect patient privacy and reduce the risk of hefty fines, organizations must remain vigilant about the data they collect and share with analytics vendors.

Learn more about the implications of the court ruling: The AHA’s lawsuit against HHS guidance on online tracking technologies: What it means for HIPAA-covered entities and their use of analytics

Server-side GTM and GA4

This setup is not HIPAA-compliant.

Server-side GTM, when properly set up, helps you control what data you share with Google. User data is only sent to the server hosting the GTM container rather than being shared with multiple third-party servers. You can remove any PII within the server container before passing the data on to marketing partners.

However, you’ll face two types of issues with this implementation.

Why is it difficult to de-identify protected health information (PHI)

Since you’re not allowed to send PHI to Google Analytics, you must strip all PII/PHI from the data before sending it to GA4. 

De-identifying PHI requires the removal of all 18 HIPAA identifiers (Safe Harbor method) or expert analysis (Expert Determination method) to ensure the data isn’t PHI and doesn’t fall under HIPAA’s Privacy Rule. 

That said, it’s unlikely that you’ll be able to strip all PHI.

IP addresses and device IDs can be easily removed with ssGTM. However, URLs are more complicated to de-identify because you collect a URL title on every visit. The title can contain sensitive information, like the doctor’s name and specialization or a patient’s name, or you can collect search parameters in link decorations.

There are also issues with de-identifying custom dimensions, variables, and event attributes that you assign PHI to. For example, you may track a healthcare app and collect a custom event when someone clicks on a doctor’s image. The event collects the doctor’s name and specialization, which may lead to uncovering the individual’s health issue, thus making this data PHI.

What are the legal risks of using Google Tag Manager in healthcare

Another aspect concerns the legal risk involved with using GTM together with GA4. 

This is reinforced by Google’s Tag Manager Use Policy, which explicitly states that users “will not assist or permit any third party to pass information, hashed or otherwise, to Google that Google could use or recognize as personally identifiable information”.

As a result, you can’t send PII to GA4, and PHI is a subset of PII.

Some people say that you can still safely analyze such data in GA4, and these terms don’t apply because:

• You can host ssGTM on the HIPAA-compliant infrastructure of your choice.
• If you de-identify data, it’s no longer considered PHI.

But there is a lot at stake here. As a HIPAA-covered entity, consult your legal team before implementing this option.

Find out more about Google Analytics and HIPAA: Is Google Analytics HIPAA-compliant?

ssGTM, BigQuery, and data visualization tool

This setup may be HIPAA compliant if you take certain steps.

Another option involves combining ssGTM with BigQuery and a data visualization tool.

This type of setup will only be affected by the ssGTM issue with the difficult de-identification process. But this problem can be mitigated when you work with a HIPAA-compliant data collection tool.

For example, you can set up ssGTM with different tech, including a data collection system, and transfer events directly into BigQuery. With this setup, the data would never be sent to Google Analytics servers and only be recorded in BigQuery, which is HIPAA-compliant. You can store the raw data and access it with a BI tool such as Looker Studio or Tableau.

Streaming events from ssGTM to BigQuery is simple but lacks analytics processing, requiring additional data handling in BigQuery.

Cons

• Loads of maintenance needed, which leads to inflated data team costs.
• De-identification will most likely be necessary with ssGTM, depending on downstream technologies’ compliance with HIPAA. It’s a complex and time-consuming process that requires stricter organizational measures.
• ssGTM lacks transparency – there is no way for end-users to monitor or make decisions about data processing.

Pros

• A lot of talent on the market is proficient at using Google’s products and can support your implementation.
• The setup with ssGTM and BigQuery is quite popular.
• You have the flexibility of your own data warehouse.

Adobe: Enterprise analytics solution

Adobe is the second-biggest enterprise analytics player on the market.

Adobe offers a few products that can help you improve healthcare experiences while protecting patient privacy:

• Adobe Analytics (AA) is an analytics and reporting solution that monitors user traffic and interactions across various marketing channels. AA offers customizable reporting, segmentation and predictive insights, but is complex, costly, and requires specialized expertise, limiting its accessibility.
• Adobe Customer Journey Analytics (CJA) lets you connect cross-channel data, explore the customer journey in full context and apply AI-driven insights, and it resembles GA4. Concerning HIPAA, CJA can easily identify and secure PHI and PII, apply access rules, and create data use audits.
• Adobe Launch is a tag management system and part of Adobe Experience Manager.
• Adobe Real-Time Customer Data Platform (CDP) connects customer data from all your channels into unified profiles that support discovering insights and delivering personalized experiences.

So, do Adobe’s products help you comply with HIPAA?

Providing PHI to Adobe is compliant only if it concerns a HIPAA-ready service, following the license agreement and BAA between Adobe and its client. To check which Adobe’s services are compliant, you can check this list of Adobe’s HIPAA-ready products.

Two analytics setups have been implemented on the market using Adobe’s products:

Adobe Launch and Adobe Analytics

This setup is not HIPAA compliant.

Adobe Analytics is not listed as HIPAA-ready on Adobe’s site. It means that Adobe won’t sign a BAA with you to use AA. As a result, you are not permitted to create, receive, maintain, or transmit PHI through Adobe Analytics.

Adobe Launch and Adobe Customer Journey Analytics

This setup is HIPAA compliant.

Adobe CJA is on the HIPAA-ready list, so you can safely use it as a HIPAA-covered entity and send PHI to it. This setup can be complemented with Adobe CDP for audience creation and activation.

However, since the only way to achieve HIPAA compliance with Adobe is by using CJA, note that this tool’s main advantage is integration with other components in the Adobe Experience Platform. By itself, CJA is far less advanced than AA.

It’s also worth noting that cost considerations are significant with Adobe solutions. Adobe’s enterprise analytics packages typically start at $48,000 annually, making it one of the more expensive options in the market.

Cons

• You are faced with high implementation and subscription costs.
• Adobe’s analytics products are difficult to learn and use.
• You risk single-vendor lock-in due to the amount of other tightly integrated products offered by Adobe.

Pros

• You can sign a BAA.
• You get an all-in-one analytics solution.

Piwik PRO: Full-featured HIPAA analytics

Piwik PRO has emerged as the leading HIPAA-compliant alternative to Google Analytics, purpose-built for organizations operating in highly regulated industries. Piwik PRO provides privacy-friendly analytics and combines accuracy, flexibility, and complete control when collecting and analyzing customer data.

Unlike other vendors that add compliance features later on, Piwik PRO was designed from the ground up with privacy and security requirements in mind, including HIPAA-related features and controls. Piwik PRO also helps you comply with the HHS bulletin on the use of tracking technologies. Because of that, we can easily support your analytics use cases in healthcare.

Here is an overview of our modules, all of which allow you to comply with HIPAA:

• Analytics allows you to analyze the customer journey across websites and apps. You can use advanced analytics features like funnels, user flows, customizable reports and dashboards. And you can always extend the platform’s capabilities through custom development and integrations. You can use raw data exports to send data to any destination. Increased security features allow you to use Analytics in sensitive industries, like healthcare.
• Tag Manager lets you quickly create, test, and deploy tags from customizable templates. You gain greater flexibility in collecting and utilizing their data through smooth integration with other Piwik PRO modules.
• Customer Data Platform (CDP) enhances your ability to act on the insights you draw from your data. You can better understand your customers, provide more personalized experiences, and improve your campaigns.
• Consent Manager is an optional addition for increased transparency, allowing you to collect, manage, and store user consents.

Key HIPAA compliance features

The most important features of Piwik PRO that support HIPAA compliance include:

• Ability to sign a customizable business associate agreement (BAA), allowing you to send all types of PHI to your analytics setup.
• Hosting on HIPAA-compliant Microsoft Azure data centers, where you can choose the specific location of your data.
• ISO 27001 and SOC 2 type II certifications.
• Encryption of ePHI when the data is at rest and in transit.
• Advanced user-permission options that let you put PHI only in the hands of authorized personnel.
• Not sharing ePHI with third parties or reusing it for other purposes.
• Regular privacy and security audits undertaken by external, independent bodies to ensure the highest level of security measures.

Implementation options

Recommended ways for you to implement Piwik PRO modules include:

Piwik PRO Analytics, Tag Manager and CDP

This setup is HIPAA-compliant and provides a complete suite of modules for effective healthcare analytics.

With this option, you can safely collect and analyze PHI and ePHI while respecting the highest privacy and security safeguards. You can analyze the customer journey across all channels, control data collection and adjust it to your needs, and you get to activate the data to improve the patient experience.

Piwik PRO Analytics Suite and a data warehouse

This setup is HIPAA-compliant.

This is a point solution for marketers, combining the capabilities of analytics and activation. You can connect our suite of products with a data warehouse via scheduled raw data exports or API, allowing you to extend the platform’s data analysis functionalities.

Learn more about How to make your website compliant with HIPAA using Piwik PRO.

Cons

• You are using tools from one vendor only.
• There is a client-side tag manager.

Pros

• You can sign a BAA.
• You get an all-in-one analytics solution.
• The costs are low.
• CDP is available for server-side profile activations.
• You have the ability to use Piwik PRO as an analytics endpoint in server-side tracking, which improves data collection, accuracy and control.
• The modules are easy to learn and use thanks to their similarity to the Universal Analytics interface.

Freshpaint: Healthcare Privacy Platform

This setup is HIPAA-compliant but has limitations.

Freshpaint offers its Healthcare Privacy Platform, which serves as a privacy layer between your website and analytics tools.

It captures all tracking data and automatically de-identifies PHI before sending cleaned data to downstream tools. While this approach allows continued use of familiar platforms, it comes with significant trade-offs.

Freshpaint is not an analytics platform itself and must be connected to other tools to create a full analytics setup. Setup and maintenance require significant technical skills, resources, and coordination across multiple teams, which makes using the tool very costly.

You also can’t report on or visualize the data within Freshpaint’s platform, meaning you won’t have access to PHI. As a result, your dataset will be incomplete and therefore not fully accurate.

Cons

• Not a complete analytics platform – requires additional tools for full functionality
• Complex setup and maintenance requiring specialized technical expertise
• Higher total cost when factoring in multiple vendor relationships
• Limited reporting capabilities within Freshpaint itself
• Data accuracy issues due to aggressive PHI filtering
• Ongoing compliance risk if de-identification fails

Pros

• Enables the use of the existing Google Analytics setup
• Healthcare-specific BAA and compliance features
• Advanced PHI detection and filtering capabilities

Using a mix of vendors

This setup may be HIPAA compliant if you take certain steps.

Combining tools from different vendors can get complex. You need to assess your needs very well, understand what each tool offers, and check how it can help you comply with HIPAA.

Generally, your analytics setup should include the following tools:

Data collection system + data warehouse + data visualization tool

We list some popular data collection systems below and link to the relevant information regarding their HIPAA compliance. Aside from that, you will need to verify their specific HIPAA compliance yourself.

Data collection system

Data collection tools like CDPs (e.g., Segment) and BDPs (e.g., Snowplow) vary in complexity and offered capabilities. These vendors offer more than just pure tracking, meaning you need to make a separate assessment of your needs and how these tools fulfill them.

Popular data collection systems (trackers or CDPs) that will sign a BAA:

• Rudderstack
• Tealium
• Segment
• Snowplow – no need for a BAA in the self-hosted version (it’s uncertain whether the vendor would sign a BAA for the cloud)

Data warehouse

A data warehouse holds data that is extracted, loaded, and transformed from one or more operational source systems and modeled to enable data analysis and reporting in your business intelligence (BI) tools.

Popular data warehouse providers that will sign a BAA:

• Snowflake
• Google Cloud Platform (such as Google BigQuery)
• Microsoft Azure (such as Microsoft Azure Data Synapse)
• Amazon Web Services (such as Amazon Redshift)

Data visualization tool

A data visualization tool enables the visual representation of data, allowing for the effective extraction of actionable insights from the data.

Popular data visualization tools that will sign a BAA:

• Looker Studio
• Tableau
• Power BI

Common setups that include different vendors:

• Piwik PRO (data collection, visualization, and CDP) + data warehouse (data copy for science team) + Looker Studio or Tableau (broad data visualization)
• Adobe CJA + CDP + AEP (data collection, activation, and visualization)
• Rudderstack (data collection, CDP) + data warehouse + data visualization tool

Most data collection vendors, such as Freshpaint, allow for GA4 as a destination, so the flow can also look like this:

A data collection system + GA4

However, this setup requires you to de-identify PHI to safely use it.

Cons

• You need to review the HIPAA compliance of each vendor – analyze security and privacy, manage and negotiate cooperation with all three selected vendors, sign a BAA with each of them, etc.
• The connection between the systems may not be seamless – changes or API updates in each of those vendors may break your setup.
• You would require a data analyst or database expert to manage and maintain pipelines.
• The costs are very high – you need to pay for implementation, licensing of multiple vendors, and maintenance.

Pros

• You benefit from diversification of vendors, meaning no vendor lock-in.
• You can combine the benefits and features of each system you implement.

How to choose the right HIPAA-compliant analytics platform

As of 2025, the choice is no longer whether to replace Google Analytics, but which HIPAA-compliant alternative to choose. With enforcement at record levels and mature alternatives available, healthcare organizations that continue using Google Analytics are taking unnecessary legal and financial risks.

Here is a breakdown of key features of the recommended HIPAA-compliant analytics tools that we’ve looked into:

	Piwik PRO	Adobe CJA	Freshpaint	Mix of vendors
HIPAA compliance	Full BAA	CJA only		Multiple BAAs required
Ease of implementation
Secure data handling for organizations in sensitive industries
Cost	$	$$$	$$	$$$
Data ownership	Full control	Adobe ecosystem	Limited	Distributed
Support quality
Built-in analytics capabilities
Integrations with other tools

Compared to other options for analytics in healthcare, Piwik PRO offers the optimal balance of HIPAA compliance, enterprise features, and affordability, with a Google Analytics-like interface for seamless adoption.

The post A review of HIPAA-compliant analytics platforms appeared first on Piwik PRO.

Collecting and analyzing user data is essential to healthcare businesses seeking to build relationships with prospects, better meet their patients’ needs, and gain authority within the industry. 

However, in 2025, HIPAA enforcement has expanded beyond internal systems and EHRs to include what happens in users’ browsers, making compliance more complex than ever. As a healthcare organization subject to HIPAA, you’re walking a fine line when trying to improve the patient experience while ensuring your activities remain compliant. 

Vendors have been adjusting to the shifting landscape of privacy-oriented analytics and their clients’ expectations. Many of them change their offers accordingly. 

At the same time, the dominant analytics vendors are not necessarily the most compliant options for healthcare providers. The stakes have never been higher, with U.S. healthcare firms paying over $100 million in fines between 2023 and 2025 due to pixel tracking violations.

In this article, we will explain why finding a HIPAA-compliant analytics provider should be a top priority and outline the key factors to consider when selecting your vendor. We will also compare popular analytics vendors, examining their advantages and capabilities in terms of HIPAA compliance.

Current enforcement landscape and recent developments

The HIPAA compliance landscape for analytics has evolved dramatically in recent years. Here is a breakdown of the most important developments:

Updated penalty structure 

HIPAA fines in 2025 range from $137 to $63,973 per violation for unknowing violations, with annual caps reaching $2,000,000 for repeat violations. There are four tiers of penalty structures, with the highest one concerning uncorrected willful neglect reaching $2,134,831 in 2024. Just last year, Montefiore Medical Center faced a $4.75 million penalty and a two-year corrective action plan after potential security rule violations.

AHA court victory

In June 2024, a US district court ruled in favor of the American Hospital Association’s lawsuit against HHS guidance on online tracking technologies. On August 29, the OCR decided not to appeal the district court’s decision. However, the victory’s scope is more limited than many healthcare organizations initially believed. 

The ruling only invalidates the part of the guidance stating that combining an IP address with a visit to a general health information page constitutes PHI. Other parts of the ruling, such as those relating to authenticated pages, including patient portals, remain valid. 

Additionally, HHS can enforce certain instances of combining HIPAA identifiers with health information, for example, an ad click ID connected with a scheduled doctor appointment shared with an ad platform like Google. 

Tracking pixels on major hospital websites

The Markup investigated the top 100 hospitals in the US and discovered tracking technologies on the appointment scheduling pages of 33 hospitals, meaning they were sending appointment data to Facebook, along with users’ IP addresses. 

Two lawsuits were immediately filed against Meta and health systems, including the University of California San Francisco and Dignity Health. This investigation revealed the widespread nature of non-compliant practices across major healthcare institutions.

 It sparked a wave of litigation that continues today, with healthcare organizations facing class action lawsuits for using tracking pixels. 

Increased HIPAA enforcement 

OCR has launched two enforcement initiatives in recent years – one targeting noncompliance with the HIPAA Right of Access in 2019, and the more recent focusing on noncompliance with the risk analysis provision of the HIPAA Security Rule. OCR Director confirmed that 22 enforcement actions were closed by OCR in 2024 with either settlements or civil monetary penalties, making it one of the busiest years for HIPAA enforcement.

This year has also begun with a large number of financial penalties, with a further 10 announced by the end of May 2025. 

Beyond financial penalties, malpractice involving healthcare data can also damage patients’ trust and affect their relationship with their healthcare provider.

The Federal Trade Commission (FTC) involvement

The Federal Trade Commission has issued orders in several cases relating to healthcare providers, including ordering the telehealth company Cerebral to pay a $7 million fine and limit the use of consumer health data for advertising purposes. 

The April 2024 ruling establishes precedent for how the FTC will address healthcare data misuse in the digital advertising space. A common legal basis for the FTC’s involvement is the FTC Act, which prohibits unfair or deceptive trade practices. Consequently, even if an organization isn’t directly covered by HIPAA, it may still face federal oversight for the misuse of healthcare data.

The challenge of finding a HIPAA-compliant analytics platform

Healthcare organizations seeking analytics solutions face a complex landscape of regulatory requirements, technical limitations, and vendor constraints that make compliance particularly challenging.

Signing a business associate agreement (BAA)

When it comes to web analytics platforms and HIPAA, your approach depends on whether you collect protected health information (PHI) through your site or app. Data that isn’t considered PHI is outside the scope of HIPAA. 

To legally send PHI to your analytics platform, you must sign a business associate agreement (BAA) with any vendor matching the definition of a business associate. A BAA specifies each party’s responsibilities regarding PHI and ePHI and establishes a legally binding relationship. 

Many vendors don’t want to sign BAAs because doing so would make them directly liable for compliance with certain HIPAA provisions, requiring them to implement comprehensive security measures. 

It’s vital to accurately identify which vendors and partners qualify as business associates under HIPAA. Some relationships may seem less directly related to healthcare operations, but they still involve access to PHI. Watch out for unnecessarily entering into BAAs with other HIPAA-covered entities or third-party service providers who have no access to PHI.

PHI de-identification

If your business associate, such as an analytics vendor, doesn’t offer a BAA, you must remove all identifiers from the data to use their services, so that it’s no longer considered PHI. HIPAA’s Privacy Rule provides two de-identification methods for health information: Expert Determination and Safe Harbor. De-identified data created following these methods does not fall within the definition of PHI. 

The process of de-identification is lengthy and complex, presenting numerous technical and practical challenges.

Even on unauthenticated webpages, your website can be in violation of HIPAA if it gathers information that may contain PHI. This creates practical challenges because, even without a login, tracking an IP address or geolocation on these pages can be considered PHI, as it suggests an individual’s interest in a specific healthcare condition or service.

It’s unlikely that you’ll be able to strip all PHI. Healthcare organizations face particular challenges with:

• IP addresses and device IDs that can be removed, but leave gaps in analytics capabilities
• URL titles that can contain sensitive information, like doctor names and specializations
• Custom tracking events that may inadvertently collect PHI through standard analytics implementations

Additionally, de-identifying all URLs would limit the usability of your analytics. De-identification would negatively impact remarketing and user-based or service-based reporting. On the other hand, cherry-picking URLs containing PHI is nearly impossible, given the dynamic nature of data collected and processed by websites and platforms.

Read more about PHI and PII: How they impact HIPAA compliance and your marketing strategy.

The evolving analytics landscape presents both opportunities and challenges for healthcare organizations. Recent developments in privacy-focused analytics platforms, server-side tracking solutions, and healthcare-specific analytics tools have created new options for organizations seeking HIPAA-compliant alternatives.

With increased regulatory scrutiny and evolving technology, healthcare organizations must take a proactive approach to analytics compliance. This includes conducting regular audits of all digital tracking technologies, implementing robust data governance frameworks, and staying current with emerging privacy regulations that may impact analytics practices. The cost of non-compliance has never been higher, making it essential to invest in proper HIPAA-compliant analytics solutions.

Is Google Analytics HIPAA-compliant?

The analytics landscape has matured significantly since Google completed its transition from Universal Analytics to GA4 in July 2023. Google Analytics remains the most widely used enterprise analytics platform. 

However, following the 2022 HHS guidance on the use of tracking technologies, Google Analytics is no longer recommended for use in the healthcare industry. 

Google offers its marketing technologies for free because it gets access to data collected by businesses that implement its services. The tech giant uses data within its systems to develop and improve its services and personalize their advertising experience. This business model is fundamentally incompatible with HIPAA requirements.

Google does not offer a business associate agreement (BAA), meaning you can’t share PHI with them. Google also explicitly forbids customers subject to HIPAA from using Google Analytics and sharing PHI with them.

Find out more about Google Analytics and HIPAA: Is Google Analytics HIPAA-compliant?

Is Adobe Analytics HIPAA-compliant?

Adobe has a list of HIPAA-ready services, but only certain products are compliant. To check which of Adobe’s services are compliant, you can check this list of Adobe’s HIPAA-ready products. 

• Adobe Analytics is not listed as HIPAA-ready on Adobe’s site. It means that Adobe won’t sign a BAA with you to use AA, and you can’t collect or share PHI through Adobe Analytics.
• Adobe Customer Journey Analytics (CJA) is on the HIPAA-ready list, so you can safely use it as a HIPAA-covered entity and send PHI to it.

Find out more about Adobe Analytics and HIPAA: Is Adobe Analytics HIPAA-compliant?

Popular HIPAA-compliant analytics platforms

The healthcare analytics landscape has undergone a fundamental shift. Many analytics tools still cannot adequately address HIPAA compliance requirements and don’t sign BAAs. However, this shift also presents opportunities – HIPAA-covered organizations have a chance to reassess the tools they use for analytics and marketing, and futureproof their compliance.

The market for HIPAA-compliant analytics has matured significantly, offering healthcare organizations various options to meet their analytical needs while maintaining regulatory compliance. 

Let’s review some popular analytics options that can meet the needs of healthcare organizations.

Piwik PRO Analytics Suite

Piwik PRO Analytics Suite is a privacy-focused analytics and data activation platform that helps businesses collect, analyze, and put user data into action. The platform is tailored for industries with strict data compliance requirements, such as healthcare, and enables them to enhance their marketing effectiveness and deliver better user experiences. 

Key strengths:

• HIPAA compliance with the ability to sign a customizable BAA
• Strong data ownership and governance tools
• Data encryption in transit and at rest, secure HIPAA-compliant hosting with Microsoft Azure, advanced anonymization options, granular access controls and more
• Comprehensive suite including analytics, tag management, consent management, and customer data platform
• ISO 27001 and SOC 2 certifications, including a HIPAA compliance assessment
• Competitive pricing and access to support & implementation services
• Ability to combine strong privacy compliance with effective analytics and data activation capabilities

Best for:

Organizations seeking an all-in-one platform with high data autonomy, configurable privacy settings, and seamless compliance with HIPAA and other regulations such as GDPR and CCPA.

Adobe Customer Journey Analytics (CJA)

Adobe Customer Journey Analytics (CJA) enables you to connect and normalize cross-channel data into actionable profiles, explore the customer journey in its full context, and apply AI-driven insights to deliver personalized experiences at scale.

Key strengths:

• Adobe CJA can identify and secure PHI and PII, apply access rules, and create data use audits to handle patient data
• The platform uses AI and machine learning to offer real-time insights into customer journeys, helping healthcare providers understand and optimize their patients’ experiences
• Strong integration with Adobe Experience Platform

Best for:

Large organizations with existing Adobe infrastructure and the technical expertise to implement the platform and fully leverage its capabilities.

Matomo

Matomo is an open-source analytics platform that can be self-hosted to support HIPAA compliance. While it provides full control over data, the task of maintaining compliance, including secure hosting and audit logging, falls entirely on the user.

Key strengths:

• Self-hosted option allows HIPAA-compliant configurations
• No data sampling, full data ownership
• Limited out-of-the-box support for enterprise security standards

Best for:

Organizations with technical resources to manage and secure their own analytics infrastructure.

Mixpanel 

Mixpanel offers product analytics with HIPAA-compliant options through a separate agreement and an enhanced security tier. Its event-based tracking is ideal for understanding user behavior within digital applications.

Key strengths:

• HIPAA-compliant plans available on request
• Powerful segmentation and retention analysis
• Modern UX with flexible dashboards

Best for:

Healthcare product teams focused on app engagement and retention metrics.

Amplitude

Amplitude is a product analytics platform designed for in-depth behavioral insights across digital experiences. It offers a HIPAA-compliant plan with enhanced security, making it suitable for healthcare and life sciences companies that handle PHI. Amplitude’s strength lies in its robust analytics capabilities, such as cohort analysis, retention tracking, and real-time collaboration.

Key strengths:

• HIPAA-compliant enterprise tier available upon request
• Advanced behavioral analytics, funnels, and retention tracking
• Built-in identity resolution and user journey mapping
• Scalable architecture with real-time event ingestion
• SOC 2 Type II and ISO 27001 certifications

Best for:

Healthcare organizations and digital health startups that need granular product insights to optimize patient or user engagement without sacrificing compliance.

Heap Analytics

Heap provides automatic data capture, making it easy to analyze user behavior without manually setting up event tracking. HIPAA compliance is available on select enterprise plans, featuring security protocols including data encryption, access controls, and audit logs.

Key strengths:

• HIPAA-compliant deployment available on request, including a BAA
• Advanced retroactive analysis and journey visualizations
• Automatic event capture that reduces implementation complexity
• ISO 27001 and SOC 2 certifications

Best for:

Teams seeking rapid setup and detailed behavioral analytics with minimal developer input – ideal for growth and product teams in HIPAA-regulated environments.

Freshpaint

Freshpaint is a healthcare-focused tool that functions as a filter routing data to analytics and marketing tools while providing a strict layer of privacy controls and compliance enforcement. It’s not an analytics platform in itself and doesn’t offer reporting or visualization options – it must be connected to other tools to create a full analytics setup.

Key strengths:

• Built for HIPAA compliance – BAA signed by default
• Real-time data routing with automatic PHI filtering
• Visual tagging interface for non-technical users
• Consent enforcement across third-party tools
• SOC 2 Type II and HITRUST CSF certification

Best for:

Healthcare and health tech companies with the resources and skills to implement a plug-and-play analytics integration layer that ensures downstream compliance and simplifies consent governance.

COMPARISON

The comparison of 9 HIPAA-compliant web analytics platforms

Compare the main features of Piwik PRO, Freshpaint, Matomo, Mixpanel, Amplitude, Heap, Tealium, Adobe CJA and Piano Analytics.

Download the full comparison

Best practices for selecting a HIPAA-compliant analytics vendor

The ideal HIPAA-compliant analytics platform depends on specific organizational needs, technical capabilities, and resource constraints. Organizations seeking comprehensive functionality with minimal complexity may prefer integrated solutions that provide complete analytics suites with built-in compliance features. Those with specific technical requirements or existing tool investments might benefit from platforms that offer flexibility and integration capabilities.

The key is matching platform capabilities with organizational requirements while ensuring robust compliance measures that protect patient data and support long-term analytical goals. Success depends not just on the platform choice but on proper implementation, ongoing maintenance, and adherence to evolving regulatory requirements.

Here are key aspects to consider when choosing the right HIPAA-compliant analytics provider:

Essential compliance requirements

1. Business associate agreement (BAA)

• Ensure the vendor will sign a comprehensive BAA covering all required services and data types.
• Check that the BAA includes specific provisions for data processing, storage, and transmission.
• Verify that the BAA includes breach notification and incident response procedures.

2. Data hosting and residency

• Confirm data is hosted in a HIPAA-compliant infrastructure with proper certifications.
• Evaluate data residency options, including the ability to choose specific geographic locations.
• Verify that encryption standards for data at rest and in transit meet HIPAA requirements.

3. Security certifications

• Look for SOC 2 Type II certification as a baseline security standard.
• Learn if the vendor holds ISO 27001 compliance, which demonstrates a comprehensive approach to security management.
• Consider vendors that undergo regular third-party audits.

Technical evaluation criteria

1. PHI handling capabilities

• Identify whether the platform automatically collects and protects standard PHI, such as IP addresses and page URLs.
• Evaluate built-in data minimization features that limit PHI collection to necessary elements only.
• Look for robust data retention management tools with automated deletion capabilities.
• Determine if the platform provides granular access controls to limit the exposure of PHI to authorized personnel.

2. Integration and implementation

• Assess the complexity of the migration from your existing tools, such as Google Analytics.
• Find out what pre-built integrations are available, including connectors to popular healthcare technology tools.
• Discover the available customer support, onboarding, and implementation services.

3. Reporting and analytics features

• Verify if the platform provides the specific healthcare metrics your organization requires.
• Learn what advanced features are available – for example, funnel analysis, custom reporting, customizable dashboards and others you need.
• Determine the options available for extending platform capabilities, such as data exports or custom development.

Vendor assessment framework

1. Financial considerations

• Consider the total cost of ownership, including potential integration costs with existing systems.
• Factor in implementation costs, training, and ongoing support.
• Consider vendors that provide good value through all-in-one solutions to reduce costs.

2. Risk management

• Ensure the vendor doesn’t share data with third parties or reuse it for other purposes.
• Find out if the vendor provides regular security updates and proactive compliance monitoring.
• Assess incident response and breach notification procedures.
• Factor in whether the vendor prioritizes healthcare clients and understands industry-specific needs.

3. Scalability and futureproofing

• Determine if the vendor offers modular functionality, such as analytics, tag management, and CDP capabilities, within a single platform.
• Assess the solution’s scalability to determine how well it can grow in line with your organization’s increasing data volume and complexity.
• Learn how the vendor stays current with evolving HIPAA requirements.

The path forward

Despite numerous challenges, healthcare organizations are finding ways to maintain effective analytics while ensuring compliance with regulations. There are solutions for healthcare providers and organizations that want to run a modern digital business with all the necessary marketing tools to optimize and grow.

Healthcare providers must invest in compliant vendors and establish a compliance strategy to unlock the full potential of data-driven marketing, analytics, and advertising while safeguarding patient privacy.

The challenge of finding HIPAA-compliant analytics platforms reflects the broader transformation of healthcare digital marketing in the post-2022 regulatory environment. Organizations that successfully navigate these challenges will be those that prioritize compliance from the outset, invest in specialized solutions, and maintain ongoing vigilance as regulations continue to evolve.

HIPAA compliance doesn’t have to limit your marketing or analytics activities. Piwik PRO provides healthcare institutions with actionable marketing insights, ensuring regulatory compliance, and securing patient data. 

Learn more about how Piwik PRO can support your organization in HIPAA-compliant analytics: 

The post HIPAA-compliant analytics in 2025: Your complete vendor comparison and selection guide appeared first on Piwik PRO.

Although often marketed as a privacy safeguard, EU hosting alone does not ensure full legal protection or true data sovereignty. For organizations committed to long-term compliance, user privacy, and robust data governance, understanding the difference between data hosting and data sovereignty is more important than ever.

In this article, we’ll unpack the nuances between EU hosting and EU data sovereignty, explain why this distinction is especially relevant in light of current EU-US data transfer dynamics, and show solutions that are designed to deliver genuine sovereignty, building a foundation of trust, transparency, and compliance in a shifting legal landscape.

EU hosting is not the same as EU sovereignty: Legal risks remain

Many analytics vendors highlight their use of EU-based data centers to signal compliance with European privacy laws. However, if the services are owned or controlled by non-EU entities, particularly U.S. companies, your data may still fall under foreign jurisdiction.

Under the U.S. CLOUD Act, American authorities can legally compel U.S.-based companies to provide access to customer data, no matter where it is stored. This creates a significant compliance risk for organizations seeking to align with EU data protection standards.

To enable lawful data transfers outside the EU, many providers rely on the EU–U.S. Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs). While both mechanisms are currently valid, they remain under ongoing legal scrutiny.

The DPF, like its predecessors, Privacy Shield and Safe Harbor, could be invalidated by the Court of Justice of the EU (CJEU). If that happens, most organizations will revert to SCCs, just as they did after the Privacy Shield was struck down. Yet even SCCs come with limitations: they don’t offer full protection from U.S. government surveillance, a concern equally relevant to the DPF.

Some providers, such as Microsoft, offer both mechanisms to give customers flexibility. However, neither fully resolves the underlying legal uncertainty that comes from using cloud services under foreign ownership, even when the data itself never leaves the EU.

Data Transfers: DPF vs. SCCs – What’s the Difference?

Under the General Data Protection Regulation (GDPR), there are different ways to transfer personal data outside the EU legally. The Data Privacy Framework (DPF) is one of them — it’s an adequacy decision (Article 45), meaning the EU considers certain countries (like the U.S., under the DPF) to offer enough protection.

Another option is using Standard Contractual Clauses (SCCs), legal contracts approved by the EU Commission (Article 46). You don’t need both – just one is enough.

Some companies, like Microsoft, use both: they’re certified under the DPF and offer SCCs. Why? Because the legal landscape can change, having SCCs adds a backup layer of protection.

True data sovereignty means more than simply storing data within the EU. It requires that both the data and the organizations handling it remain entirely under the EU’s legal jurisdiction, free from foreign ownership or extraterritorial influence. 

For example, even if data is physically stored in a European data center, using infrastructure operated by a non-EU company, such as a U.S.-based cloud provider, can expose that data to foreign laws like the U.S. CLOUD Act. This creates similar risks to storing the data outside the EU, as foreign authorities may still compel access, undermining EU privacy protections. To achieve real sovereignty, organizations must ensure that data stays in the EU and within infrastructure owned and managed by EU-based providers bound solely by EU law.

Learn more:

• EU-US data transfers uncertainties: How an EU-based analytics platform can improve your marketing performance
• Norwegian DPA warns against EU-US data transfers – what it means for your website analytics
• The Story Behind Safe Harbor and Privacy Shield

Compliance implications of data sovereignty

Data sovereignty isn’t just a legal formality – it’s a strategic safeguard. Under the GDPR, any transfer of personal data to a third country must not undermine the level of protection guaranteed within the EU. This means organizations must ensure that data remains shielded from unauthorized access, even when stored or processed abroad. Sovereign infrastructure plays a key role here, reducing the risk of foreign jurisdictions, including intelligence agencies, compelling access to sensitive data.

This is particularly critical in sensitive sectors like healthcare, finance, public services, and education, where user trust and legal exposure are tightly linked.

Read more:

• 17 new privacy laws around the world and how they’ll affect your analytics
• PIPEDA & CPPA: How the Canadian privacy laws impact your analytics [Updated]
• Everything you need to know about the New York Health Information Privacy Act (NYHIPA)
• Data privacy laws in the United States and how they affect your business [UPDATED]

What Piwik PRO and Cookie Information deliver

Piwik PRO and Cookie Information offer a privacy-focused analytics and consent management platform developed entirely under EU jurisdiction. Both tools are designed to meet GDPR requirements, but achieving true data sovereignty – where data remains inaccessible to foreign entities – depends on the underlying infrastructure.

This level of sovereignty is fully realized with the Piwik PRO Enterprise plan, which allows hosting on Elastx, a fully EU-owned provider. This ensures that both the data and the technology stack are governed solely by EU laws.

For organizations prioritizing maximum legal protection, it’s crucial to choose a solution that combines EU-based infrastructure with EU ownership. This not only addresses growing concerns around EU-US data transfers but also supports long-term compliance and regulatory certainty.

However, deploying an EU-based analytics tool alone isn’t enough. Consent management must also be handled within the EU to avoid undermining your compliance efforts. If a consent platform transmits data to the U.S. or other external jurisdictions, your data remains possibly exposed. The solution: integrate your analytics with a consent platform that is fully managed and hosted in the EU. Together, they create a unified, privacy-first marketing system that upholds user trust and data protection standards.

Headquartered in Copenhagen with data centers across the EU, Cookie Information is a trusted choice for marketers who value both compliance assurance and performance optimization.

Find out more about Piwik PRO and Cookie Information:

• Implement your data privacy strategy with Piwik PRO Analytics Suite
• Piwik PRO is a PIPEDA-compliant analytics vendor
• Integrating Piwik PRO and Cookie Information CMP is now easier than ever
• Collect and activate more of your data: The benefits of combining Cookie Information and Piwik PRO

Benefits of EU-sovereign analytics

Adopting a truly EU-sovereign analytics solution significantly reduces the risk of legal exposure to foreign surveillance laws and strengthens compliance with global privacy regulations such as the GDPR, the California Consumer Privacy Act (CCPA), and the Brazilian General Data Protection Law (LGPD). When combined with additional safeguards, including strong data transparency, robust user consent mechanisms, and responsible data handling practices, data sovereignty becomes a cornerstone of long-term legal stability. This holistic approach not only supports regulatory compliance but also fosters user trust and enables sustainable, privacy-conscious marketing strategies.

Key benefits of an EU-sovereign analytics stack include:

• Minimizing legal risk from non-EU surveillance frameworks
  
• Ensuring alignment with major privacy laws, including GDPR, CCPA, and LGPD
  
• Strengthening user trust through transparent and compliant data handling
  
• Enabling ethical marketing through anonymized, consent-based insights
  
• Securing sustainable legal certainty for data-driven strategies

Evaluating your analytics setup

You should evaluate whether your organization’s analytics tools genuinely comply with EU data protection laws or if they are simply hosted in EU-based data centers owned by non-European providers.

Whether your organization is just beginning its privacy journey or requires the highest level of data protection, Piwik PRO and Cookie Information offer scalable solutions to meet a range of compliance needs. Both provide free standard plans – Piwik PRO Business and Cookie Information – with EU-based data hosting via established cloud providers.

However, data residency alone doesn’t equal data sovereignty. What truly matters is who controls access to your data and under which jurisdiction. For organizations that require full legal assurance that their data remains beyond the reach of foreign laws, especially in light of evolving developments in the U.S., Piwik PRO Enterprise offers hosting on EU-owned infrastructure, helping organizations maintain sovereignty and comply with the strictest privacy regulations.

This is a pivotal moment for businesses to evaluate their hosting strategy. With legal frameworks like the EU-U.S. Data Privacy Framework under increasing scrutiny and potential invalidation, now is the time to make strategic, forward-looking choices. These are not decisions that can be made in haste – having control over your hosting environment today means being prepared for tomorrow’s regulatory challenges.

Ultimately, it’s up to each organization to determine its level of control. You have a choice – and now is the time to make it.

The post EU hosting vs. EU sovereignty: Why the difference matters for privacy-first analytics appeared first on Piwik PRO.

Personally identifiable information (PII) and protected health information (PHI) may seem similar. However, there are critical distinctions between the two. While PII is a catch-all term for any information that can be associated with an individual, PHI applies specifically to HIPAA-covered entities dealing with identifiable patient information.

Keeping HIPAA compliant and protecting patient information requires healthcare organizations to understand the differences between PII and PHI. Especially if they want to use such data to promote their services or improve the digital customer experience.

This blog post explains what differentiates PHI from PII and the key identifiers that change health information into PHI under HIPAA. You will also learn how your organization can protect PHI and run compliant marketing activities.

PHI vs PII

PII Defined

PII stands for personally identifiable information, an American legal term for any information that identifies, links, or relates to a person. The definition of PII can vary depending on the context, such as specific federal or state laws or industry regulations.

Generally, PII refers to:

• Full name
• Home address
• Email address
• Social security number
• Passport number
• Driver’s license number
• Credit card number
• Date of birth
• Telephone number
• Owned properties, e.g., vehicle identification number (VIN)
• Login details
• Processor or device serial number
• Media access control (MAC)
• Internet Protocol (IP) address
• Device IDs
• Cookies

US government agencies and non-governmental organizations often reference PII. Currently, despite ongoing discussions and proposals, there is no comprehensive federal legislation protecting personally identifiable information (PII) in the United States. Various state laws have been enacted to address data privacy, such as those in Delaware, Iowa, Maryland, and Tennessee, which are taking effect in 2025. Also, there are specific federal regulations and laws, like the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA), that focus on restricting the sale of sensitive data to certain foreign entities.

The National Institute of Standards and Technology (NIST) provides guidelines on the concept of PII, though they are not legally binding unless specifically referenced in a regulation.

Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Medical, educational, employment, and financial information all fall under PII. However, the line between PII and other kinds of information is vague. As the US General Services Administration stresses, the “definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified”.

read also

The guide to HIPAA compliance in analytics

Learn how your organization can achieve HIPAA compliance in analytics, marketing and advertising, including recommended practices and tools to adopt in your technology stack.

Download the whitepaper

What is PHI in healthcare?

Healthcare organizations deal with sensitive information concerning people’s health. In the US, safe parameters for using this kind of data in different contexts, including marketing, are set by the Health Insurance Portability and Accountability Act (HIPAA).

The definition of protected health information is broad. PHI and electronically protected health information (ePHI) mean any identifiable data about the patient, including name, address, date of birth, SSN, device identifiers, email addresses, biometrics, lab or imaging results, medical history, and payment information.

Thus, PHI is a subset of PII that refers explicitly to information processed by HIPAA-covered entities. When health information is combined with a personal identifier, the data becomes PHI.

What are HIPAA-covered entities?

Covered entities are specified in the HIPAA Privacy Rule as health plans, healthcare clearinghouses, and healthcare providers.

The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers:

1. Name
2. All geographic subdivisions smaller than a state (street address, city, county, zip code)
3. Dates, including birthdate, admission date, discharge date, and date of death
4. Telephone number
5. Fax number
6. Email address
7. Social Security number
8. Medical record number
9. Health plan beneficiary numbers
10. Account number
11. Certificate/license number
12. Vehicle identifiers and serial numbers, including license plate number
13. Device identifiers and serial numbers
14. Web URL
15. IP address
16. Biometric identifiers, including fingerprints and voice
17. Full face photo
18. Any other unique identifying number, characteristic, or code

As a result, not all health information acquired by organizations constitutes PHI. For example, phone numbers and residential addresses alone are not PHI. But if this data is connected with details about a health condition, treatment plan, or other particular health information, it would transform from PII to PHI.

In a Bulletin, the Office for Civil Rights (OCR) at the HHS states that healthcare information collected on a regulated entity’s website or app generally is considered PHI even if:

• The individual doesn’t have an existing relationship with the regulated entity.
• Data such as IP address or geographic location doesn’t include specific treatment or billing information like dates and types of healthcare services.

The original version of the bulletin assumed that anyone visiting a covered healthcare provider’s website was, is, or will be a patient of the provider. The updated bulletin from March 2024 attempted to clarify these provisions. It introduced subjective intent standards for classifying IP addresses as protected health information (PHI). While maintaining that IP addresses combined with health-related webpage visits could constitute PHI, the update added examples distinguishing scenarios like job postings (non-PHI) from cancer care pages (potential PHI) based on inferred user intent.

However, this created operational challenges for hospitals, as determining visitor intent on unauthenticated pages remained impractical. The updated bulletin did not substantively modify HHS’s core position that IP addresses linked to health-related content could trigger HIPAA obligations, despite the ongoing AHA lawsuit.

The HHS provides examples of what parts of a website or app can contain PHI:

• User-authenticated pages will likely contain many forms of PHI, making them subject to HIPAA.
• Some unauthenticated pages include PHI. Whether PHI is being disclosed depends on the visitor’s underlying intentions and whether the page visit relates to the individual’s health care.
• Mobile apps contain PHI provided by the app user and their devices, such as geolocation or device ID.

For more details on what qualifies as PHI, visit the HIPAA journal.

The American Hospital Association (AHA) and co-plaintiffs filed a lawsuit on November 3, 2023, challenging the HHS Office for Civil Rights’ December 2022 bulletin. They argued that the HHS bulletin unlawfully expanded HIPAA’s scope by treating data like IP addresses collected from public-facing hospital websites as PHI, exceeding statutory authority and bypassing proper rulemaking procedures.

In June 2024, a judge ruled in favor of the AHA. The ruling stated that HHS overstepped its authority by expanding the definition of PHI to include IP addresses combined with website visits. On August 29, the OCR decided not to appeal the district court’s decision.

Learn more: The AHA’s lawsuit against HHS guidance on online tracking technologies: What it means for HIPAA-covered entities and their use of analytics

However, it’s crucial to emphasize that the ruling doesn’t vacate other parts of the guidance. The court’s decision was very narrow and only issued in a specific case concerning IP addresses combined with visit data. It doesn’t mean healthcare organizations can downplay HIPAA requirements, freely track users, or ignore HHS’s guidance. Other parts of the bulletin remain in place, like those relating to authenticated pages, such as patient portals.

The issue of protecting PHI in the context of analytical tools hasn’t been settled once and for all. The fundamental issues surrounding the collection and use of PHI by healthcare organizations remain unchanged. While the definitions of PHI and ePHI are well-established, the widespread use and interoperability of modern IT systems make it alarmingly easy for PHI to inadvertently leak into your website or app. Therefore, it’s wiser to stay on the safe side rather than rely on a gray-area interpretation of PHI that maintains the status quo. To protect patient privacy and reduce the risk of hefty fines and loss of trust, organizations must remain vigilant about the data they collect and share with analytics vendors.

The requirements for processing PHI help protect patient privacy and make care coordination easier. The HIPAA Privacy Rule ensures that PHI is shared and used only with patient permission or for care coordination between covered entities. Identifiable health information is not considered PHI unless that organization is a HIPAA-covered entity.

PII and PHI penalties and compliance

Another important area in understanding PII and PHI is the penalties for non-compliance with applicable regulations. As PHI applies specifically to HIPAA-covered entities that possess identifiable health information, using the terms interchangeably can lead to compliance issues. PII and PHI penalties are primarily financial, but in severe cases they may also include incarceration.

PII

To help organizations manage and protect PII appropriately, the National Institute of Standards and Technology (NIST) created the “PII confidentiality impact level” standard, allowing entities to categorize PII into low, moderate, or high-risk levels. The levels are determined by evaluating the potential harm to individuals and the organization if the PII ends up in the wrong hands.

What is high-impact PII for some could be at a low impact level for others. Each organization will have different needs depending on the types of PII they are storing and the way it is organized. For example, Social Security Numbers are more sensitive than phone numbers and may be categorized at a high confidentiality impact level. In addition, a breach involving the information of 30 people will likely be less impactful than one involving 300,000 people.

When a PII breach occurs, businesses must report the incident. US lawmakers have introduced legislation requiring companies to notify the government within 24 hours of a data breach. Many states do not have strict deadlines when businesses report a violation to the government. Data breach notification laws vary state by state. All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private businesses, and in most states, governmental entities as well, to notify individuals of security breaches of information involving PII. Check out the list of Security Breach Notification Laws.

Deliberate, unauthorized disclosure of PII to others may result in incarceration and fines of up to $5,000.

PHI

The HIPAA Security Rule strictly regulates PHI breaches. It “establishes national standards to protect individuals’ electronic personal health information created, received, used, or maintained by a covered entity.”

HIPAA penalties are primarily financial and can be applied to healthcare providers, health plans, healthcare clearinghouses, and all other health organizations and business associates who have violated HIPAA rules.

In the case of PHI, HIPAA-covered entities that face a data breach are legally required to notify the HHS and state agencies within 60 days of the breach. If the breach impacts more than 500 residents of a state, organizations must notify major local media outlets through a press release.

In addition, covered entities must send a written notice in the mail to all impacted individuals and post information on the homepage of their website for at least 90 days. Specific requirements vary by state.

The penalties for HIPAA violations are divided into four tiers based on the level of culpability and intent behind the violation. Each level sets out criminal penalties, a fine, and a jail term, if applicable. HIPAA violation fines can be issued up to a maximum of $25,000 per violation category per calendar year. The minimum penalty is $100 per violation.

How to protect PHI in analytics

Health organizations are obligated to protect their patients’ PHI under HIPAA. You must apply a few safeguarding practices while collecting and processing data online.

1. Establish a business associate agreement (BAA) with every platform you use for marketing, advertising, and analytics and every company you’ll share your clients’ PHI with that meets the definition of a “business associate.” If you are a health organization and choose to send PHI to a business associate, you must have a written BAA requiring the associate to comply with HIPAA standards. If you don’t want to create a business associate relationship with the vendor or the vendor will not provide a satisfactory BAA, you cannot disclose PHI to that vendor without individuals’ authorization.

2. Provide breach notification to affected individuals, the Secretary, and the media (when applicable).

3. Address the use of analytics and other data platforms in your risk analysis and risk management processes. They are crucial components of HIPAA compliance, aimed at identifying and mitigating threats to electronic protected health information (ePHI).

4. Implement administrative, physical, and technical safeguards following the HIPAA Security Rule to protect PHI.

Administrative safeguards

Purpose: Focus on policies, procedures, and training to ensure the security of ePHI.

Examples:

• Conducting regular risk analyses to identify potential security threats.
• Implementing policies for workforce training and security management.
• Establishing procedures for emergency situations and incident response.
• Defining roles and responsibilities within the organization related to security.

Physical safeguards

Purpose: Protect the physical environment where ePHI is stored or accessed.

Examples:

• Implementing facility access controls, such as locks and alarm systems.
• Securing workstations and devices that handle ePHI.
• Establishing policies for the proper disposal and reuse of electronic media containing ePHI.

Technical safeguards

Purpose: Implement technologies to secure ePHI from unauthorized access or breaches.

Examples:

• Access controls to ensure only authorized personnel can view or modify ePHI.
• Audit controls to track and monitor access to ePHI.
• Data integrity measures to prevent unauthorized alteration or destruction of ePHI.
• Encryption and secure transmission protocols for ePHI sent over electronic networks.

5. Work with vendors that support values such as privacy by design. Privacy by design is an approach that integrates data privacy considerations into the design of systems, products, and services from the beginning rather than as an afterthought, ensuring data protection is prioritized alongside functionality. Following these values will help you fully control your data and understand what data you collect, store, and transfer.

6. If you can’t sign a BAA with the vendor, de-identify your PHI for research purposes or marketing by removing all 18 HIPAA identifiers. HIPAA-compliant de-identification methods include Expert Determination and Safe Harbor. Once the data is impossible to trace back to one individual, it is no longer PHI and no longer has protection under HIPAA.

It’s important to think through both the legal aspect of data collection in terms of what legal agreements need to be in place with vendors to be in compliance with HIPAA, and the technical aspect of data collection – what data can be stored and where, as well as what data needs to be anonymized prior to storage.

Pat Barry
VP, Data & Analytics at SPM Marketing & Communications

The obligations of healthcare companies that deal with PHI don’t stop there. HIPAA defines five major rules that all organizations that store, record, or share PHI and ePHI must follow. Read them here:

• Privacy Rule
• Security Rule
• Enforcement Rule
• Breach Notification Rule
• Omnibus Rule

Piwik PRO provides healthcare organizations with fully HIPAA-compliant analytics. Our platform allows you to securely collect and analyze PHI and ePHI and provide better and more personalized patient experiences.
By signing a BAA with us, you can safely send all types of PHI to your analytics setup. If you prefer, you can de-identify all PHI before sending it to our platform. Either way, you can ensure compliance with regulations.

On top of that, we offer the highest privacy and security safeguards to strengthen your data protection. Learn more about HIPAA compliance with Piwik PRO.

HIPAA marketing compliance: Best practices

When exploring HIPAA-compliant marketing strategies, you must first ensure that you disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule. You must obtain explicit written authorization from patients before using their PHI for marketing purposes, which requires a specific, signed consent form. You don’t need authorization to provide essential healthcare services.

Covered entities must have a BAA with the analytics or marketing vendors that they share PHI with. They should also use tools that employ robust security features like user authentication, access controls, audit logs, and end-to-end encryption.

Most analytics platforms, including Google Analytics 4, don’t permit the use of PHI data in their products. These platforms don’t offer BAAs for their standard versions and are not configured to support HIPAA compliance out-of-the-box. It means you must either make an extra effort to avoid passing any trace of PHI to your analytics, or switch to a HIPAA-compliant analytics platform, such as Piwik PRO Analytics Suite.

Read more: Piwik PRO is officially HIPAA-certified!

Remember that data collected from marketing pages and used in retargeting campaigns may constitute PHI. Aside from the 18 types of HIPAA identifiers, including names, addresses, and medical records, user IDs and IPs used for retargeting can easily become PHI. In most cases, using this information for marketing also requires the patient’s authorization and a platform that offers a BAA.

Consider investing in a safe first-party data strategy to use PHI in a way that fully respects HIPAA. Combining data from multiple touchpoints, including your analytics, email marketing software, customer management platforms, and offline sources, opens up many possibilities. 

Here are some tips for building a HIPAA-compliant data ecosystem:

• Use HIPAA-compliant customer data platforms (CDPs) to centralize and manage data from various sources, creating accurate and trusted patient profiles and focusing on first-party data.
• Utilize consent management platforms (CMPs) to manage consent forms and ensure data flows align with patient preferences.
• Limit access to authorized personnel only using role-based access controls to prevent unauthorized exposure.
• Implement policies for retaining and deleting PHI in accordance with HIPAA guidelines.
• Adopt policies and procedures for HIPAA compliance beyond technical measures.
• Inform patients about data collection and use, ensuring transparency and trust.
• Clearly communicate the benefits of sharing PHI to enhance patient engagement.
• Regularly monitor data access and changes, maintaining an audit trail to ensure compliance.

I highly recommend using server-side tagging on your website if you’re running digital marketing campaigns that send users to your site. Server-side tagging allows you to scrub PHI/PII from any user data ingested before sending that data back to the vendor.

Pat Barry
VP, Data & Analytics at SPM Marketing & Communications

Learn more about server-side tagging and tracking with Piwik PRO.

There are many different demands for compliant marketing and analytics under HIPAA. Read more:

• Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates
• HIPPA privacy guidance on marketing

Final thoughts

Understanding the scope of PII and PHI will help you to maintain HIPAA compliance and protect patient data, especially if you use third-party platforms like analytics. You will also be able to run compliant marketing activities.

To avoid the potential risks of using popular ad platforms or analytics tools in a highly regulated sector such as healthcare, consider employing marketing strategies that revolve around HIPAA-compliant platforms rather than big tech products that put you at risk of breaches and hefty fines. A first-party data strategy can benefit your organization and help you build a relationship with your patients grounded in trust.

If you’d like to learn more about data activation under HIPAA, contact us. We’ll be happy to present some compliant use cases to you.

Unlock better insights and stronger data control in healthcare — see Piwik PRO in action:

The post PHI and PII: How they impact HIPAA compliance and your marketing strategy appeared first on Piwik PRO.

This article details the recent regulatory changes impacting cross-Atlantic data transfers and highlights the challenges marketers are facing. We’ll also demonstrate why you should look for an EU-based web analytics solution and outline the steps you need to take to ensure fully compliant analytics.

The current state of data transfers between the EU and the US

The transfer of personal data between the EU and the US has been disputed for years, primarily due to fundamental differences in privacy laws. The EU’s General Data Protection Regulation (GDPR) enforces strict individual rights and control over personal data. The US, however, operates with more fragmented privacy laws, and intelligence agencies have broad data access powers under legislation such as the Foreign Intelligence Surveillance Act (FISA 702).

These concerns have triggered major legal challenges, including the Schrems I and Schrems II cases, invalidating previous data transfer frameworks (Safe Harbor and Privacy Shield). The core issue is that these frameworks failed to adequately protect EU citizens’ data against US government surveillance.

Recent political developments 

Recent developments in the US political landscape and European regulatory actions have intensified the situation, with significant implications for businesses, regulators, and transatlantic relations. Donald Trump’s return to the US presidency is a major source of uncertainty. 

Situation in the United States

Early in his new term, Trump questioned the Biden-era executive orders that underpin the Transatlantic Data Privacy Framework (DPF), adopted in July 2023. It introduced three key elements:

• Data Protection Review Court (DPRC): An independent redress body allowing EU individuals to challenge how US intelligence agencies handle data with binding decision-making authority.
• Executive order 14086: Signed by President Biden in October 2022, establishes proportionality and necessity requirements for US surveillance activities.
• Self-certification system: Requires US companies to publicly commit to DPF principles for streamlined transfers administered by the Department of Commerce.

Read more: Everything you need to know about the Data Privacy Framework (Privacy Shield 2.0)

However, the most destabilizing event was the loss of quorum at the US Privacy and Civil Liberties Oversight Board (PCLOB) after Trump requested the resignation of its Democratic members in January 2025. The shutdown of PLOB, a core oversight body referenced in the DPF, has intensified European doubts about the long-term viability and independence of US redress mechanisms for EU citizens. As privacy advocate Max Schrems of NOYB points out, the current oversight mechanisms “may not even stand the test of just the first days of a Tump presidency.”

European regulatory actions

In response to these developments, European Data Protection Authorities (DPAs) and governments are taking a series of regulatory and political actions, signaling a broader shift in the EU-US relationship:

• Norway: The Norwegian DPA issued a new guidance warning against EU-US data transfers, citing concerns about the legal framework’s stability and adequacy.
• Netherlands: The Dutch Parliament voted to reduce reliance on US tech companies, requiring government agencies to prioritize European cloud and data processing alternatives.
• Denmark: The Danish Ministry of Industry recommended that companies develop exit strategies from American cloud services.
• Germany: Germany’s Interior Minister stated that businesses should develop contingency plans, as the government can no longer guarantee the long-term stability of transatlantic data flow mechanisms.

These steps reflect a growing consensus in Europe that relying on US-based solutions carries increasing legal and strategic risks.

Read more about the wave of decisions by European DPAs declaring the use of Google Analytics (GA) illegal under GDPR:

• Norwegian DPA warns against EU-US data transfers – what it means for your website
• Denmark’s data protection authority says Google Analytics is illegal under GDPR
• Sweden’s data protection authority orders companies to stop using Google Analytics
• Google Analytics might soon be banned in Norway
• Is Google Analytics (3 & 4) GDPR-compliant? [Updated]

Why you need an EU-based web analytics solution

The current regulatory environment is unstable. With European authorities increasingly willing to issue immediate compliance orders, companies relying on US-based analytics tools risk sudden operational paralysis. Using non-compliant data tools risks fines of up to 4% of global revenue under GDPR. A single enforcement decision could leave marketers scrambling to replace core infrastructure overnight. 

Main challenges for marketers

As the legal landscape shifts faster than ever, marketers face new and pressing challenges. Understanding these risks is the first step toward securing your data strategy.

Campaign interruptions that devastate performance metrics

Regulatory actions often come without warning. In past cases, enforcement orders have immediately suspended marketing tools tied to unlawful data transfers. For marketers, this means pausing campaigns mid-flight, cutting off personalization, and creating reporting gaps that impede optimization.

Analytics blackouts that force blind decision-making

Turning off third-party analytics due to compliance concerns means you’re flying blind. You lose the ability to segment audiences, evaluate creative performance, or justify spend allocation. Many brands using tools like GA or Meta Ads have already reported shifting to temporary EU-hosted or server-side alternatives that may offer reduced capabilities and slower insights.

Attribution failures that cut down your budget

Attribution is how marketers defend their budgets. However, trust in the numbers declines when tracking breaks due to deactivation, missing consent, or blocked data transfers. Without complete visibility into multi-channel performance, marketing ROI becomes harder to prove, and budget reductions follow.

Wasted ad spend that drains resources

Without real-time feedback, marketers overinvest in underperforming ads and can’t scale what’s working. This has been a common pain point for brands forced to migrate analytics setups under pressure, often leading to weeks of reduced optimization and reactive decisions.

Personalization gaps that stall conversions

With consent under scrutiny and restricted data flows, many marketers are forced to revert to generic messaging strategies. When you lose the ability to personalize content by behavior, preferences, or segments, conversion can be significantly lower. 

Competitive disadvantage that costs market share

As some companies scramble to react to policy changes, others with EU-hosted analytics and consent-first marketing stacks gain a competitive advantage. Even short periods of interrupted optimization can create lasting performance gaps.

Key features to look for in your next analytics platform

Selecting an analytics platform that is future-proof and fully compliant with European standards is essential. As 78% of EU users say they would abandon brands that mishandle data, proactively adopting compliant solutions signals responsibility and builds loyalty. Here is the list of the most important features you should seek:

Full data residency and processing within the EU/EEA

Ensure all user data is collected, processed, and stored exclusively within the EU or EEA to avoid legal uncertainties related to international data transfers.

Compliance with GDPR and upcoming regulations (Data Act, DORA)

Your analytics provider should meet current GDPR requirements and be prepared for new EU regulations like the Data Act and DORA to demonstrate a commitment to ongoing compliance.

Transparent data governance and security certifications (ISO 27001, SOC2)

Look for platforms with recognized security certifications, such as ISO 27001 or SOC2, demonstrating robust data governance, risk management, and security practices.

Compliant consent management and automation of data subject rights

The analytics platform should offer built-in tools for managing user consent, automating responses to data subject requests, and documenting compliance actions.

Flexibility to integrate with other marketing tools

Choose analytics platforms that connect easily with your existing marketing stack, CRM, and advertising tools to streamline tracking and boost campaign performance.

User-friendly interface with customizable dashboards

An intuitive, customizable dashboard empowers your team to access insights quickly and tailor reports to specific business needs.

Support for anonymization and pseudonymization of personal data

Select an analytics platform that offers strong anonymization and pseudonymization features, such as IP masking and cookieless tracking, to reduce compliance risks.

Clear data export and deletion options

Your next analytics platform should provide straightforward options for exporting, deleting, and modifying user data to fulfill the GDPR’s rights to data portability and to be forgotten.

Leading EU-based analytics alternatives

Finding alternatives to US-based analytics platforms that carry EU-US data transfer risks is not an easy task. Find below a list of providers that offer varying combinations of compliance protection, marketing optimization, and operational integration.

Piwik PRO Analytics Suite

Piwik PRO Analytics Suite is a comprehensive EU-based analytics platform designed to ensure full compliance with data protection laws while delivering powerful marketing insights. It offers flexible hosting options across multiple EU countries, supports both event-based tracking and session-level aggregation, and enables advanced user behavior analysis with features like funnels and user flows.

Plausible

Plausible is a lightweight, privacy-focused analytics tool fully hosted in the EU. As it doesn’t use cookies or collect personal data, you don’t need to include it in your website consent banner or cookie policy. It’s an open-source and GDPR-compliant solution that offers transparent and minimalistic analytics.

Simple Analytics

Simple Analytics is a Dutch provider that processes and stores all data within the EU, ensuring full GDPR compliance. It does not use cookies or track personal data, so you don’t need to include it in your website consent banner or cookie policy. The platform delivers easy-to-understand reports, suitable for companies that need simple, privacy-respecting insights.

Statcounter

Statcounter is an open-source, self-hosted analytics tool designed for EU-based organizations. It collects no personal data and uses no cookies, ensuring GDPR compliance and a privacy focus. The platform only provides essential website metrics, making it basic, privacy-first analytics.

	Country	Analytics capabilities	Free version	Privacy friendliness
Piwik PRO	Poland
Plausible	Estonia
Simple Analytics	Netherlands
Statcounter	Ireland

Visit our pricing page for more details about the available plans.

Piwik PRO Analytics Suite – the ideal EU-based web analytics platform for marketers

Transitioning to Piwik PRO ensures you meet stringent data protection requirements and maintain or even enhance your analytical capabilities. These key features prove it is the best choice for compliant, EU-based web analytics.

Simplified privacy compliance

Piwik PRO enables you to collect data in a manner that is fully compliant with privacy laws, including GDPR, HIPAA, CCPA, and TTDSG. Privacy settings embedded directly in the user interface make managing compliance intuitive and straightforward.

Complete EU data sovereignty

It offers hosting across multiple EU countries, guaranteeing data residency and complete control over where your data is stored. Such options help you adhere to local data residency requirements, minimizing transfer risks.

Data residency and sovereignty

Piwik PRO allows you to choose data storage locations, ensuring compliance with local data residency requirements.

Advanced analytics with familiar concepts

Piwik PRO supports both event-based tracking and session-level aggregation, allowing marketers to analyze user behavior with advanced reports such as funnels and user flows. 

Also, to avoid chaos with your data, you can implement Piwik PRO alongside your existing Google Analytics setup. This will ensure continuity in your reporting when the EU-US DTF is invalidated as well as the safety of your data in case of any further changes in European or US privacy laws. 

Seamless migration and setup

Implement Piwik PRO with a single tracking tag and start analyzing data in under an hour. The platform follows a familiar logic for those transitioning from Universal Analytics or GA4.

Well-integrated product suite

Benefit from an advanced analytics ecosystem that includes a Customer Data Platform, a Tag Manager, a Consent Manager, and multiple integration options for better data activation and personalization.

The strong connection between analytics and consent management

EU-based consent management is equally important when implementing an EU-based analytics platform. Proper analytics becomes meaningless if your consent management platform still transfers data to the US. The solution is simple: pair your EU-based analytics with EU-based consent management to create a compliant and fully protected marketing intelligence system.

Cookie Information, headquartered in Copenhagen with a few data centers across the EU, has established itself as the marketer’s first choice when both compliance protection and performance optimization are priorities. 

As an EU-based consent management platform, Cookie Information benefits your marketing operations in at least 5 ways:

• Industry-leading consent optimization technology.
• Proprietary cookie scanning engine that automatically identifies and categorizes all marketing technologies, including those commonly missed by basic scanners.
• A strong consent record and export system designed to satisfy inquiries by data protection authorities (DPAs) about marketing data flows.
• Seamless integration with all major CMSs such as Shopify, Drupal, and WordPress, as well as advertising and analytics platforms like Google Tag Manager and Piwik PRO.
• Multi-language cookie consent banners for a localized website experience.

Conclusion: How to protect marketing performance and compliance when the future is uncertain

With international politics potentially reducing your ROI, acting proactively to protect your marketing operations is crucial. 

Start with a comprehensive audit of your marketing technology, focusing on EU-US data transfers and compliance mechanisms. Next, you should deploy EU-based analytics tools to replace the ones sending data to the US, ensuring both compliance and uninterrupted marketing insights. Review advertising platform data flows to implement EU data residency options where possible. 

As with your remaining marketing stack you should implement an EU-based consent management solution that optimizes consent rates and integrates easily with your existing setup. Finally, make sure to showcase your privacy-first approach to marketing – positioning your brand as the privacy leader in your niche – to build consumer trust.

A risk-free decision is implementing an European analytics solution like Piwik PRO alongside your current US-based analytics tools. With free options available, this parallel approach ensures marketing continuity while building valuable historical data in a privacy-compliant environment.

By following these strategic steps, you’ll minimize regulatory risks, avoid disruptions, and secure your marketing performance in the turbulent EU privacy landscape.

The post EU-US data transfers uncertainties: How an EU-based analytics platform can improve your marketing performance appeared first on Piwik PRO.

In February 2025, Norway’s Data Protection Authority (Datatilsynet) issued new guidance on data transfers to the United States, highlighting growing concerns about the legal framework supporting these transfers – the EU-US Data Transfer Agreement. 

But why is this a matter of concern? The recent shake-up at the US Privacy and Civil Liberties Oversight Board (PCLOB) has left it unable to function properly. As a result, without a working oversight board, the US may struggle to guarantee adequate privacy protection measures – putting your data compliance at serious risk.

What are the consequences for marketers and website owners? If the EU decides to revoke the US adequacy decision, restrictions could be imposed immediately – without a transition period. That means if you’re still using Google Analytics or similar US-based services, you could suddenly find yourself/your business violating the General Data Protection Regulation (GDPR) overnight.

The key takeaways from Norway’s new guidance

“An adequacy decision will remain in force until it is revoked by the Commission. (…) if it is revoked, there will most likely not be a transition period.”

Olya Vasylyk, Digest Editor at TechGDPR

Here’s what the Norwegian DPA’s warning means for you if you’re handling EU/EEA user data:

Immediate risk for US services
The Privacy and Civil Liberties Oversight Board (PCLOB), which was meant to protect privacy rights in the US, is no longer operational. This raises red flags about the legal stability of transatlantic data transfers.

The current adequacy decision is still valid
Despite concerns over the PCLOB’s operational status, the EU-US Data Privacy Framework remains in effect – for now.

European Commission oversight
The European Commission is actively monitoring the situation and may revise or revoke the adequacy decision if significant privacy risks emerge.

Expert warnings
Privacy experts and legal advisors strongly recommend that you start planning an exit strategy now, rather than wait for new restrictions to take effect.

No grace period
If the EU withdraws the US adequacy decision, you may have no time to react, exposing you to financial fines and data disruption.

“Organizations that rely on their EU-US Data Privacy Framework (DPF) certification for transatlantic data transfers should consider developing a contingency plan to prevent potential disruption to the transfer of essential personal data.”

Mary T. Costigan of Counsel Jackson Lewis P.C.

Why data transfers between the EU and US are so controversial

The transfer of personal data between the EU and US has been a long-standing point of contention due to fundamental differences in privacy laws. The EU enforces strict privacy rights under the General Data Protection Regulation (GDPR), ensuring that individuals have control over their personal data. The US, however, has more fragmented privacy laws, with intelligence agencies having broad powers to access data under regulations like the Foreign Intelligence Surveillance Act (FISA 702).

These concerns have led to major legal battles, including the Schrems I and Schrems II cases, which invalidated previous data transfer frameworks (Safe Harbor and Privacy Shield) because they failed to offer adequate protection for EU citizens’ data. The current EU-US Data Privacy Framework (DPF) is now under scrutiny, with Norway’s DPA warning that its validity could be short-lived. If it’s overturned, businesses relying on data transfers to the US could face immediate compliance risks.

The role of the European Commission in data transfers

The European Commission is responsible for assessing whether non-EU countries offer adequate data protection.  This process results in adequacy decisions like the one granted to the US under the DPF.

However, adequacy decisions are not permanent. They can be revoked or suspended if conditions change, and the Commission is obligated to continuously monitor the legal and political landscape in countries that receive the EU data. The recent turmoil surrounding the Privacy and Civil Liberties Oversight Board (PCLOB) in the US has raised new doubts about whether the DPF can continue to meet the EU’s high data protection standards.

This means that relying solely on the DPF for legal data transfers may not be a sustainable long-term strategy for businesses. To avoid data disruption, you should explore alternative compliance measures such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or switching to EU-based solutions.

What this means for marketers and website owners

If you’re running analytics on your website, now is the time to stay alert and prepare for any scenario. We’ve seen this before in 2020 – when Privacy Shield was invalidated, several European regulators quickly cracked down on Google Analytics and other US-based services. If history repeats itself and the EU-US DPF agreement is now revoked, we could see a domino effect of similar enforcement actions, following the latest concerns raised by the Norwegian DPA.

This means that if you continue using Google Analytics or similar US-based marketing solutions that rely on data transfers – such as ad networks, email platforms, and customer data platforms (CDPs), you could soon be violating GDPR. Waiting for regulators to act could leave you scrambling at the last minute. Instead, you should take control now by switching to a privacy-compliant analytics solution such as Piwik PRO Analytics Suite.

European regulatory actions against Google Analytics

After the Schrems II ruling invalidated Privacy Shield in 2020, and before the European Commission adopted a new adequacy decision in 2023 – the EU-US Data Privacy Framework – European regulators wasted no time in taking action. Several data protection authorities (DPAs) ruled that using Google Analytics and other US-based services violated GDPR, citing concerns over inadequate safeguards against the US surveillance.

These enforcement decisions created a ripple effect, forcing European businesses to rethink their analytics strategies. Here’s a look at how different countries responded:

• Denmark: The Danish DPA (Datatilsynet) concluded that the use of Google Analytics violates the GDPR, as it involves transferring personal data to the US, which does not offer an adequate level of data protection.
• Austria: The Austrian DPA ruled that data transfers to Google in the US via Google Analytics breach Chapter V of the GDPR, due to insufficient safeguards against US surveillance.
• France: The French DPA (CNIL) determined that the use of Google Analytics is illegal under the GDPR, as it involves transferring personal data to the US without adequate protection.
• Italy: The Italian Data Protection Authority (Garante) found that the use of Google Analytics violates the GDPR, as it results in the transfer of personal data to the US, which lacks adequate data protection measures.
• Sweden: Sweden’s data protection authority (IMY) ruled that four companies had unlawfully transferred personal data to the US by using Google Analytics. The IMY stated that companies using Google Analytics fail to implement sufficient safeguards against US government surveillance, violating GDPR requirements.
• Norway: The Norwegian DPA declared that the use of Google Analytics was illegal prior to the EU-US Data Privacy Framework adequacy decision, indicating potential for future restrictions.

How you can prepare for potential data transfer disruptions

Transatlantic data flows account for more than half of Europe’s data flows and about half of US data flows globally (US Chamber). This underscores the importance of ensuring compliant and secure data transfer mechanisms between the EU and the US. To mitigate these risks and ensure continued compliance, you should take proactive steps now. Some key actions include:

1. Review contracts with US providers: Audit all agreements with analytics, marketing, and cloud service providers based in the US to understand data processing terms and compliance measures.
2. Implement Standard Contractual Clauses (SCCs): If you continue working with US providers, ensure that SCCs are in place to provide additional legal safeguards for cross-border data transfers.
3. Assess alternative digital marketing tools: Consider migrating to EU-based analytics and marketing solutions that operate within GDPR-compliant frameworks and offer full data residency options.
4. Monitor regulatory developments: Stay updated on changes to data transfer regulations, including potential shifts in the EU-US Data Privacy Framework and rulings from other European DPAs.
5. Enhance data protection policies: Strengthen internal policies on data minimization, user consent management, and encryption to align with best practices in privacy compliance.

While not all of these compliance steps fall directly within the marketing department’s responsibilities, marketers play a crucial role as advocates for privacy-first strategies, by ensuring compliance protects not just user data but also the company’s reputation and ROI. By proactively championing privacy compliance, you help secure sustainable and legally sound digital marketing and analytics strategies that maintain customer trust and business continuity.

A practical approach to transitioning to GDPR-compliant analytics

Looking for a low-risk path to analytics compliance? You can implement Piwik PRO alongside your existing Google Analytics setup rather than making an immediate switch. 

This parallel tracking approach offers you several advantages. It maintains continuity in your reporting and historical data access while you explore a compliant analytics alternative. Third, running both solutions simultaneously allows your team to gradually transition at their own pace, learning the new platform while still having access to familiar tools and reports. 

This dual-solution implementation creates a safety net for your measurement strategy regardless of how regulatory decisions unfold, while building valuable historical data in a privacy-compliant European platform.

Norwegian DPA’s broader concerns beyond Google Analytics

While much of the discussion around data transfers has focused on Google Analytics, Norway’s DPA highlights a much broader issue – US companies across multiple industries process EU personal data, raising legal and compliance risks.

Many businesses use US-based services beyond analytics, including:

• Cloud providers like Amazon Web Services (AWS) and Microsoft Azure.
• Marketing platforms like HubSpot and Mailchimp.
• Customer Relationship Management (CRM) software like Salesforce.
• Ad-tech solutions that track users across websites.
• Consent management platforms (CMPs) such as OneTrust and TrustArc.

If the EU-US adequacy decision is revoked, all these services could be in legal jeopardy for businesses processing EU citizen data. Norway’s DPA encourages companies to audit their data flows now, ensuring they know where personal data is processed and whether it complies with GDPR.For businesses seeking a sustainable approach, shifting towards EU-hosted, privacy-first solutions will help ensure compliance without relying on regulatory frameworks that could change at any moment.

Piwik PRO Analytics Suite: A safe and compliant Google Analytics alternative 

Piwik PRO Analytics Suite is the best GA4 alternative for marketers who want to gain valuable and actionable analytics insights while ensuring full GDPR compliance. Here’s why:

8 reasons to replace Google Analytics 4 with Piwik PRO Analytics Suite

1. Fully GDPR-compliant: Built with privacy in mind, unlike US-based platforms that risk legal challenges.
2. Data residency and sovereignty: Piwik PRO allows you to choose data storage locations, ensuring compliance with local data residency requirements.
3. Easy privacy compliance: Collect data with full respect for privacy laws, including GDPR, HIPAA, CCPA, and TTDSG. The platform includes privacy settings directly in the UI.
4. 100% data ownership: No third-party sharing, so you retain control over all user data.
5. Advanced analytics with familiar concepts: Piwik PRO supports both event-based tracking and session-level aggregation, allowing marketers to analyze user behavior with advanced reports such as funnels and user flows.
6. More reliable data collection: Capture up to 70% more data compared to Google Analytics, all while staying privacy-compliant. Piwik PRO offers session-level data collection in anonymous profiles that align with EU regulations.
7. Painless migration & seamless setup: Implement Piwik PRO with a single tracking tag and start analyzing data in under an hour. The platform follows a familiar logic for those transitioning from Universal Analytics or GA4.
8. Well-integrated product suite: Benefit from an advanced analytics ecosystem that includes a Customer Data Platform, a Tag Manager, a Consent Manager, and multiple integration options for better data activation and personalization.

Don’t just take our word for it: hear from our customers on Piwik PRO’s benefits

Still unsure if Piwik PRO is the right choice to confidently replace Google Analytics? See what the experts have to say about the advantages of switching to Piwik PRO for a privacy-compliant, powerful analytics solution:

Success Story

ICTRecht finds a privacy-focused analytics partner and valuable marketing insights in Piwik PRO

There has been a lot of discussion surrounding the legality of Google Analytics in Europe due to data transfers from the EU to the US. We didn’t want to wait for developments, nor did we want to stay in the gray area of legality. So we started looking around for alternatives. A partner organization had recently switched to Piwik PRO and put us in touch.

Emke de Vries

Online Marketer at ICTRecht

Success Story

DKMS optimizes online campaigns and donor registration funnels with GDPR-compliant analytics

It became pretty clear at that time that we needed to step away from Google Analytics, because of GDPR and the invalidation of the Privacy Shield framework. We realized we had to replace it with a European, privacy-compliant platform and implement a consent manager to respect the rights of our visitors.

Kay Beutling

Digital Project Manager at DKMS

Piwik PRO benefits by Melonie Dodaro

• Comprehensive reporting: The Analytics feature provides a complete view of your website’s performance, from visitor behavior to conversion tracking.
• User-friendly interface: The platform’s intuitive design makes it easy to navigate and extract valuable insights without a steep learning curve.
• Privacy compliance: Piwik PRO’s commitment to data privacy ensures that your analytics practices align with regulations like GDPR.
• Customizable dashboards: Tailor your analytics view to focus on the metrics that matter most to your business.
• Dedicated support: Access to a responsive support team ready to assist with any questions or challenges.

In A marketer’s quest for better website insights by Melanie Dodaro, Global B2B Marketing Strategist.

Getting started with Piwik PRO Analytics Suite: A step-by-step guide

Transitioning to Piwik PRO ensures compliance with data protection regulations while maintaining robust analytics capabilities. Here’s how to get started:​

1. Research your analytics needs: Identify the key insights and features your business relies on and ensure they align with compliance requirements.
2. Compare Piwik PRO with your current solution: Explore Piwik PRO’s capabilities to determine how it meets your needs and where it can even offer deeper privacy-first insights.
3. Request a demo: Schedule a personalized demo to see Piwik PRO in action and discuss integration with your existing marketing stack.
4. Plan your migration: Work with Piwik PRO’s team to develop a seamless transition strategy, ensuring minimal data loss and downtime.
5. Set up & customize: Configure dashboards, reports, and user permissions to align with your business objectives. We offer flexible support for onboarding and implementation.
6. Train your team: Provide onboarding resources and training to maximize the value of their new analytics platform. A good place to start is Piwik PRO’s YouTube channel, which offers a dedicated playlist with Piwik PRO Analytics video tutorials.
7. Optimize & monitor: Continuously refine your analytics setup based on insights while ensuring ongoing compliance with privacy regulations.

Find your Google Analytics replacement

Regulatory uncertainty is increasing, and Norway’s warning makes it clear: US-based analytics tools could soon be non-compliant across the EU. However, global data regulations are tightening beyond the EU. Countries like China (PIPL), India (DPDP Act), Brazil (LGPD), and Canada (CPPA) are all implementing stricter privacy frameworks. Businesses that rely on cross-border data transfers need a future-proof strategy that prioritizes privacy-first solutions, EU-based vendors, and data sovereignty.

Waiting until restrictions are enforced could mean scrambling to find a solution while facing potential fines and data loss. Piwik PRO Analytics Suite is the best alternative to Google Analytics, providing a powerful, privacy-focused analytics solution that keeps your business ahead of changing regulations without disrupting your analytics and marketing data. Plus, you can implement it alongside your Google Analytics setup instead of switching immediately.

FAQ 

Why are EU-US data transfers under scrutiny again?

The Norwegian DPA has raised concerns about the operational status of the US Privacy and Civil Liberties Oversight Board (PCLOB), which plays a key role in ensuring US data protection standards. If the EU-US Data Privacy Framework (DPF) is revoked, businesses relying on US-based services like Google Analytics could suddenly find themselves non-compliant with GDPR.

What happens if the EU revokes the Data Privacy Framework (DPF)?

If the EU revokes the adequacy decision for the EU-US Data Privacy Framework (DPF), companies relying on Google Analytics or other US-based tech tools could suddenly be in violation of GDPR, with no transition period. This could lead to financial fines and operational disruptions.

Is Google Analytics a GDPR-compliant choice for EU businesses?

While the EU-US Data Privacy Framework (DPF) is currently in place, concerns remain about its long-term stability. The Norwegian DPA and other European regulators warn that Google Analytics still poses compliance risks because it involves transferring personal data to the US, where surveillance laws (like FISA 702) allow government access to foreign data.

Multiple European Data Protection Authorities (DPAs) – including those in France, Austria, Denmark, Italy, Sweden, and Norway – have ruled in the past that Google Analytics violates GDPR due to US surveillance risks. If you’re still using Google Analytics, your company could be at risk of enforcement actions should the DPF be withdrawn by the European Commission.

Solution: To future-proof your analytics, switch to a privacy-compliant alternative like Piwik PRO Analytics Suite, which offers GDPR-compliant data hosting in the EU.

What is the best alternative to Google Analytics for GDPR compliance?

A privacy-compliant alternative to Google Analytics is Piwik PRO Analytics Suite. Unlike US-based tools, Piwik PRO offers:

• Full GDPR compliance with EU-based hosting options.
• 100% data ownership, meaning your data stays private.
• Advanced analytics capabilities, including event tracking, funnels, and user flows.

Migrating from GA4 to Piwik PRO is simple, making the transition easy with:

• One-click data import options.
• Customizable dashboards to match your existing setup.
• Comprehensive onboarding support to help teams transition smoothly.

What makes Piwik PRO Analytics Suite different from other Google Analytics alternatives?

Piwik PRO Analytics Suite is built with privacy at its core, offering:

• Data residency options within the EU, US, or private cloud.
• No third-party data sharing—you own 100% of your analytics data.
• Integrated privacy tools, including built-in consent management.
• Advanced analytics and tag management in one platform.

How can I confidently switch from Google Analytics without losing insights?

Piwik PRO Analytics Suite provides a familiar analytics experience while improving data collection reliability (up to 70% more data than GA4), privacy compliance, and advanced reporting features like funnels and user flows. It also offers easy migration tools for a seamless transition.

How do I start transitioning away from Google Analytics?

To replace Google Analytics, first audit your data flows, then evaluate privacy-compliant analytics platforms. Piwik PRO Analytics Suite makes it easy to migrate with a our plan, allowing businesses to test the platform before fully transitioning. You can also request a free demo customized to your needs.

What other US-based services might be affected by EU data transfer regulations?

Beyond Google Analytics, any US-based marketing, cloud, or analytics platform handling EU data – including for example HubSpot, Mailchimp, Salesforce, and AWS – could be impacted if the adequacy decision is revoked. You should assess all third-party tools that process user data now to be prepared with alternative tools.

How can I prepare for potential EU-US data transfer disruptions?

To stay ahead of regulatory changes, businesses should:

• Audit current data flows to identify any dependencies on US-based services.
• Explore privacy-compliant alternatives like Piwik PRO Analytics Suite.
• Consider running your US-based and new EU alternative analytics platform – such as Piwik PRO – in parallel to ensure continued reporting while you test the new tool.
• Implement Standard Contractual Clauses (SCCs) for additional safeguards.
• Monitor regulatory updates and plan for a smooth transition.

What’s the safest way to future-proof my analytics strategy?

To avoid regulatory uncertainty, switch to an EU-hosted analytics provider with strong privacy protections, like Piwik PRO Analytics Suite, that allows you to implement a reliable data privacy strategy. This ensures long-term compliance with GDPR and other evolving global privacy laws.

Can I run a hybrid setup with both EU- and US-based tools?

For a transitional period and to minimize disruption, it can be a practical approach though. Consider implementing a European analytics solution like Piwik PRO alongside your existing Google Analytics setup. With our options available, this parallel tracking strategy ensures reporting continuity while you evaluate an EU-based analytics alternative that respects data sovereignty.

The post Norwegian DPA warns against EU-US data transfers – what it means for your website analytics appeared first on Piwik PRO.

On January 22, 2025, the New York Assembly passed Senate Bill S929, also known as the New York Health Information Privacy Act (NYHIPA). The bill now awaits Governor Kathy Hochul’s signature. 

The new legislation adopts novel provisions that would make this one of the most stringent privacy laws in the US. It introduces an expansive definition of regulated health information (RHI) and authorization requirements for processing and sharing data with third parties.

If enacted, NYHIPA will become effective one year after signing. 

This would make New York the fourth state – following Washington, Nevada, and Connecticut – to impose targeted and comprehensive regulations on consumer health-related information that is not otherwise protected by HIPAA. The act would significantly affect how businesses process health and wellness-related information, including their marketing and analytics practices.

Who does NYHIPA apply to

Unlike HIPAA, which primarily applies to healthcare organizations, NYHIPA covers nearly all organizations that process RHI, specifically ones that:

• Control the processing of RHI of a New York resident.
• Control the processing of RHI of an individual who is in New York at the time their RHI is processed.
• Are located in New York and control the processing of RHI.

What is regulated health information (RHI)

NYHIPA protects regulated health information (RHI), which is broadly defined as any data reasonably linkable to an individual or a device that is collected or processed in connection with that individual’s physical or mental health. This also applies to location or payment information and any inference about an individual’s mental or physical health.

NYHIPA regulates internet browsing data, search or purchase histories, data collected through online tracking technologies, wellness habits, and reproductive health information. The definition potentially extends to behavioral data indicating that an individual is seeking health services.

Regulated health information (RHI) exemptions

NYHIPA exempts four categories of information: 

• Data processed by government entities
• Protected health information (PHI) governed by HIPAA and HITECH
• HIPAA-covered entities, but only when maintaining information in accordance with HIPAA rules 
• Data collected for clinical trials subject to federal protections for human subjects
• De-identified information – but only if the de-identification satisfies NYHIPA’s specific criteria (technical safeguards, no reidentification, and contractual obligations with data recipients)

The law does not exempt nonprofits, information regulated by the Gramm-Leach-Bliley Act, or public data. Also, HIPAA-covered entities are not exempt with regard to their non-protected health information, such as employee health and wellness data.

COMPARISON

The comparison of 9 HIPAA-compliant web analytics platforms

Compare the main features of Piwik PRO, Freshpaint, Matomo, Mixpanel, Amplitude, Heap, Tealium, Adobe CJA and Piano Analytics.

Download the full comparison

What are the requirements of NYHIPA

NYHIPA requires valid authorization for data processing, which can include different operations concerning RHI like collection, use, storage, sharing, analysis, modification, or deletion. In contrast, similar laws in Washington and Nevada require consent only before selling consumer health data. Thus, NYHIPA’s authorization requirements are much stricter and more difficult to fulfill.

Processing is allowed without authorization only when it is strictly necessary for purposes such as:

• Providing a requested product or service
• Detecting or preventing fraud or illegal activity
• Protecting vital interests
• Complying with legal obligations
• Internal operations (excluding marketing or advertising)

These activities are explicitly not considered strictly necessary and require valid authorization.

Valid authorization

Regulated entities must obtain valid authorization before collecting or processing regulated health information for something other than a permissible purpose. 

Importantly, authorization must not be requested within 24 hours after account creation or first use of a product or service. Organizations must take an additional step to obtain the necessary consent and authorizations during the sign-up process.

A valid authorization must include the following:

• The types of regulated health information to be processed
• The nature of the processing activity
• The specific purposes for such processing
• The names or the categories of service providers and third parties to whom the regulated entity may disclose the individual’s regulated health information, and the purposes for such disclosure
• Any monetary or other valuable consideration the regulated entity may receive in connection with processing the individual’s regulated health information, where applicable
• Notice that declining authorization will not affect the individual’s experience of using the regulated entity’s products or services
• The expiration date of the authorization, which may be up to one year from the date the authorization was provided
• The mechanism by which the individual may revoke authorization before expiration
• The mechanism by which the individual may request access to and deletion of their regulated health information
• Any other information material to an individual’s decision-making regarding authorization for processing
• Notice of prior authorization refusals (cannot request again if authorization was declined or revoked in the past year)
• A signature (which may be electronic)

Regulated entities must allow users to view and manage authorizations in their account settings and enable one-click revocation.

Entities must also publicly post either the authorization form or a representative sample.

Since the authorization expires after only one year, regulated entities need to implement a process for requesting new authorizations annually. Organizations must also allow individuals to revoke authorization for specific processing activities at any time and immediately cease processing their data after revocation.

Authorization requests must be presented in a clear, user-friendly format, free of manipulative interface design (“dark patterns”) that could impair or mislead decision-making.

The requirement to provide tailored forms that track when authorization was given and revoke such authorization after one year is likely to create numerous costly compliance issues for regulated entities. Unfortunately, there is no guidance provided on how regulated entities should verify individuals’ rights requests within the 30-day period for responding, while also implementing measures to prevent fraudulent requests.

Consumer rights

NYHIPA grants consumers the right to access and delete their regulated health information via an effective, efficient, and easy-to-use mechanism through an interface the consumer regularly uses. Notably, consumers may engage an authorized agent to make requests for them. However, the bill doesn’t clarify whether the regulated entities can take steps to validate the requestor’s identity. 

Regulated entities must fulfill deletion and access requests within 30 days and pass deletion requests to their service providers or third parties. Deletion by downstream parties must also occur within 30 days unless impossible or disproportionate, which must be documented.

Authorized agents may submit requests on behalf of consumers.

Privacy notice

NYHIPA requires a privacy notice if a regulated entity processes health information for a permissible purpose without authorization. 

The notice must disclose: 

• The purposes of data collection.
• The names or categories of third parties and service providers that may receive the data. 
• How individuals can exercise their privacy rights. 

Any material change in processing requires a separate, clear, and conspicuous notice and an opportunity to delete RHI.

Service providers

Regulated entities must enter into agreements with service providers that process RHI on their behalf, similar to business associate agreements (BAA) under HIPAA. 

NYHIPA service provider agreements must also:

• Prohibit combining RHI with other personal information
• Require downstream deletion within 30 days
• Require reasonable assessments or third-party audits
• Ensure all subcontractors are contractually bound to equivalent obligations
• Notify the regulated entity before involving further service providers

Penalties for NYHIPA violations

Violating NYHIPA provisions can result in a civil penalty of up to $15,000 per violation or 20% of revenue obtained from New York consumers within the past fiscal year, whichever is greater. The penalty is payable to the state. 

There is no private right of action under NYHIPA; enforcement is vested exclusively in the New York State Attorney General.

The Attorney General may bring a civil action to obtain injunctive relief, civil penalties, disgorgement of profits, restitution, and any other appropriate relief.

Although private lawsuits are not permitted, regulated entities should expect active enforcement, especially given recent trends in privacy regulation and litigation strategies targeting health-related data.

NYHIPA vs. other state laws

NYHIPA joins Washington and Nevada in targeting consumer health data beyond HIPAA’s scope, suggesting a national shift toward stricter privacy. It shares significant structural and conceptual similarities with Washington State’s My Health My Data Act (MHMDA), which took effect for most entities on March 31, 2024, and applies broadly to any entity collecting health data of Washington consumers.

Unlike Nevada’s SB 370, which focuses primarily on the sale and disclosure of health data, NYHIPA regulates nearly all types of processing and imposes stricter requirements for authorization, timing, and service provider oversight. Maryland’s new law (MODPA), by contrast, is a general data privacy statute and does not specifically target health data in the same way.

NYHIPA is notable for requiring regulated entities to dispose of regulated health information no later than 60 days after it is no longer needed, which makes it stand out from other state privacy laws. The 60-day disposal requirement poses a challenge, as it conflicts with certain sectoral and legal retention obligations – for example, the New York Workers’ Compensation Board requires some claim-related health records to be retained for up to 18 years. Regulated entities will need to reconcile NYHIPA disposal timelines with those statutory obligations and document any such legal basis for extended retention.

What does NYHIPA mean for covered organizations

Consumers are becoming increasingly aware of how their data is used and demanding greater control over their personal information. NYHIPA responds to these concerns by strengthening privacy protections and restricting the use and disclosure, or sale of health-related data without explicit user authorization. At the same time, it addresses gaps in federal regulations like HIPAA. The impact of NYHIPA will vary between different types of businesses in the healthcare industry. 

When it comes to traditional healthcare organizations, HIPAA-covered entities may need to enter into NYHIPA agreements with payment processors (similar to BAAs) to take payments from patients, as payment processors would qualify as service providers. Although traditional medical records maintained by HIPAA-covered entities will likely be exempt, other types of health-related data they collect – such as marketing data, wellness program inputs, or unauthenticated web traffic – may fall under NYHIPA as regulated health information (RHI)..

On the other hand, digital health companies face particularly high compliance burdens, as they often rely on behavioral tracking, personalization, and cross-platform data analytics to deliver services and optimize engagement. NYHIPA’s one-year authorization limit, 24-hour delay rule, and downstream deletion requirements may hinder user onboarding, personalization, and product development workflows.

Companies must analyze online tracking technologies and cookie management tools to determine whether additional disclosure and authorization mechanisms are required.

Given NYHIPA’s expansive definitions, limited exceptions, and strict requirements, all organizations processing health-related information must reassess their data processing and authorization practices. Organizations that have not previously implemented robust privacy-by-design principles – particularly in consumer-facing digital health contexts – will need to accelerate their adoption of data minimization, purpose limitation, and granular consent infrastructure.

The effective date is one year after signature by the Governor, which is an exceptionally short time for digital health companies to implement the required changes. Regulated entities must explore the available methods and service providers, including analytics vendors, that will help them comply with existing and future regulatory requirements. 

Selecting vendors that offer robust consent management, transparent data flows, and NYHIPA-aligned service provider terms – such as Piwik PRO – can help organizations balance compliance with actionable insights. 

How to prepare for NYHIPA

Digital health companies and other industries targeting New York consumers may find it challenging to comply with NYHIPA. Organizations covered by NYHIPA should begin preparing now to implement internal processes, governance mechanisms, and technical safeguards aligned with the Act’s requirements..

If you are subject to NYHIPA, these are steps you should take now:

• Map your data:
  • Conduct an internal audit to identify all sources of regulated health information, how it is used, and where it is stored
  • Identify all touchpoints where RHI is processed, including employee wellness data, payment processing, and marketing analytics
  • Assess whether data is collected directly from individuals, inferred, or obtained from third parties – and whether it may be linkable to an individual or device in the context of health
• Review all current data uses and eliminate those that are not considered “strictly necessary”.
• Document legal bases for any processing that does not rely on authorization.
• Develop a proper infrastructure for collecting valid authorization:
  • Build systems to track when authorization was given and automatically expire authorization after one year
  • Implement comprehensive and granular authorization mechanisms that allow individuals to provide or revoke authorization for each use of their RHI
  • Ensure no authorization is requested until at least 24 hours after account creation or first use of a service
  • Ensure that authorization requests are not bundled with other transactions and are free of dark patterns
  • Enable one-click revocation in user-facing systems, including customer account settings
• Establish appropriate agreements with service providers:
  • Update contracts to require service providers not to combine RHI with any other personal information received from third parties or from their own relationships with individuals
  • Include provisions requiring service providers to notify the regulated entity “a reasonable time in advance” before sharing health information with any further service providers
  • Require service providers to allow compliance assessments by the regulated entity or designated assessor
  • Ensure all downstream processors are bound by equivalent contractual obligations (“flow-down” terms)
  • Include data return or deletion clauses upon termination of services
• Update your technical infrastructure:
  • Implement data segregation mechanisms to prevent mingling of RHI with other data sets across services, systems, or clients
  • Implement retention schedules that ensure RHI is only kept as long as necessary and securely disposed of after processing
  • Create a publicly available retention schedule and securely dispose of RHI within 60 days after it is no longer necessary
  • Where longer retention is required by law (e.g., Workers’ Compensation), document the legal basis and applicable time period
• Implement ongoing monitoring and training for employees:
  • Provide role-specific training on NYHIPA requirements, particularly for staff involved in product design, marketing, legal compliance, and vendor management
  • Establish internal monitoring mechanisms and escalation workflows for handling rights requests, data breaches, or improper processing

Organizations should be prepared for active enforcement once the law takes effect, as regulators in other states with similarly sweeping privacy laws have signaled aggressive enforcement. Even before formal enactment, NYHIPA reflects a broader shift toward regulating non-HIPAA health data, and regulators are expected to scrutinize data practices involving behavioral and inferred health information.

The steps outlined above should become baseline compliance measures for all healthcare companies to prepare for NYHIPA and other existing and upcoming legal requirements.

Supporting your healthcare organization’s compliance journey with Piwik PRO

Piwik PRO offers privacy protection and regulatory compliance while providing actionable insights to improve healthcare services and patient experience. 

Here is how healthcare organizations benefit from choosing Piwik PRO as their analytics vendor:

• We will sign a business associate agreement (BAA), allowing you to process any type of PHI safely. If you prefer, you can also de-identify your PHI. Both PHI and de-identified data are exempt from NYHIPA requirements. 
• We offer hosting on select HIPAA-compliant Microsoft Azure data centers located in the US.
• We implement the best data security practices, which are validated by our ISO 27001 certification and HIPAA compliance attested as part of our SOC 2 Type II report.
• We don’t share PHI with third parties or reuse it for other purposes.
• We offer granular data access controls to restrict data access, detailed audit logs, regular privacy and security audits, and more.

Want to learn how Piwik PRO can help you comply with healthcare regulations?

FAQ

What is the purpose of the New York Health Information Privacy Act (NYHIPA)?

The New York Health Information Privacy Act (NYHIPA) aims to regulate the collection, sale, and processing of healthcare information. It restricts the uses and disclosures of personally identifiable consumer data related to health and wellness, excluding the protected health information (PHI) collected by HIPAA-regulated entities.

Who is affected by NYHIPA?

NYHIPA applies to “regulated entities” that collect or process “regulated health information” in New York or about New York residents. It covers entities of all sizes, regardless of revenue, processing thresholds, for-profit status, or physical presence in the state.

What is considered “regulated health information” (RHI) under NYHIPA?

Regulated health information refers to any information that is reasonably linkable to an individual or a device and is collected or processed in connection with an individual’s physical or mental health. This includes location or payment information related to an individual’s physical or mental health or any inference drawn or derived about an individual’s physical or mental health that is reasonably linkable to an individual or a device. RHI is not limited to medical records but covers biometric data, genetic information, and even information that could indirectly identify a person.

Does NYHIPA apply to HIPAA-regulated entities?

NYHIPA exempts PHI, not HIPAA-regulated entities. A HIPAA-regulated entity would be required to comply with NYHIPA if they process health data outside the HIPAA definition of PHI.

What are the key requirements of NYHIPA?

Key requirements include:

• Obtaining consent through a transparent opt-in process before selling or sharing consumers’ health data.
• Providing consumers with clear explanations of the types of information collected, the nature of processing activity, the purpose of processing, the categories of third parties with whom the information will be shared, how consent can be revoked, and that use of the product or service will be unaffected by the failure to provide authorization.
• Ensuring consent is obtained separately from any other transaction and only after 24 hours of the first request or use of a product or service.
• Deleting personal data within 30 days of a consumer revoking consent and requesting deletion.
• Processing health data only if it is strictly necessary for providing or maintaining a service or product, with limited exceptions.
• Providing a “clear and conspicuous notice” publicly available on their websites that describes their RHI processing and sharing practices.

What rights do individuals have under NYHIPA?

The Act provides individuals with the right to access and delete RHI. Regulated entities must fulfill these requests within 30 days.

What are the penalties for violating NYHIPA?

Violations of NYHIPA can result in a civil penalty of up to $15,000 per violation or 20% of revenue obtained from New York consumers within the past fiscal year, whichever is greater. The penalty is payable to the state.

Can individuals take legal action against regulated entities for NYHIPA violations?

No, there is no private cause of action under NYHIPA, meaning individuals cannot take legal action against regulated entities for NYHIPA violations. However, the New York attorney general can enforce the law through strict penalties.

When does NYHIPA take effect?

NYHIPA will take effect 12 months after the governor signs the bill into law.

The post Everything you need to know about the New York Health Information Privacy Act (NYHIPA) appeared first on Piwik PRO.

Privacy regulations such as GDPR and CCPA have significantly changed how companies can track and measure user interactions online. Additionally, the rise of adblockers and browser tracking restrictions limit the use of third-party cookies on the web. 

Users are blocking and deleting cookies due to a lack of trust in the AdTech industry and what happens with their data. To build trust, companies must adjust their data collection processes to be transparent and respect users’ consent choices. Advertisers and marketers need to adapt to new methods and technologies for tracking and targeting users across different websites and devices that help build trust with users.

To mitigate the impact of these privacy-facing developments, tech giants have created their own solutions – Google has introduced Enhanced Conversions, while Meta has launched Advanced Matching. They aim to enhance conversion tracking by leveraging first-party data, earning them the nickname “cookies on steroids“. However, recent guidance from the Federal Trade Commission (FTC) suggests that these solutions are not as privacy-compliant as they claim. Using them comes with significant privacy risks: once the data is captured, it is out of the user’s control, giving Google and Meta unlimited possibilities to use it to their benefit. 

Today, we will explore Google’s and Meta’s initiatives more closely, looking into how they work and how privacy-compliant they actually are. We will also discuss other solutions that companies can utilize to combine privacy compliance with effective leveraging of data.

What are Google’s Enhanced Conversions?

Google’s Enhanced Conversions are designed to improve the accuracy of conversion measurement by using hashed data from your website. Enhanced Conversions are part of the Google Privacy Sandbox initiative, which is Google’s attempt at developing measures to support advertising without relying on third-party cookies.

As part of Enhanced Conversions, Google captures the data that prospects input on your website when filling out a form or completing a purchase. Examples of this data include visitors’ names, phone numbers, and email addresses. The data is kept pseudo-anonymized with a hashing algorithm known as SHA-256. Through hashing, identifying information is transformed into a character string.

Once the hashed data is sent to Google, it is matched with signed-in Google accounts to attribute campaign conversions to ad events such as clicks or views. The platform can then attribute conversions across devices and platforms so advertisers can build retargeting audiences.

What is Meta’s Advanced Matching?

Like Google’s solution, Meta’s Advanced Matching leverages data from your site or app to enhance conversion tracking. 

This feature is part of the Conversions API (CAPI), which is Meta’s response to privacy updates like Apple’s iOS 14 changes and the introduction of the App Tracking Transparency (ATT) prompt. The Conversions API allows advertisers to send data directly from their servers to Meta, bypassing the browser’s privacy features.

Advanced Matching enables a website that uses the Meta Pixel to automatically collect visitors’ data and match them with users on their platforms. If you use a form on your website, the technology gathers form data like email addresses and phone numbers, hashes it, and then transfers it to Facebook or Instagram. 

Benefits of Enhanced Conversions and Advanced Matching

The two technologies come with several advantages for businesses:

Improved conversion tracking accuracy

By using first-party data, these technologies offer a more precise way to attribute conversions, even across different devices and platforms. This leads to better-informed marketing decisions and optimized ad spend​.

Enhanced ROI

With more accurate conversion tracking, businesses can better measure the return on their advertising investments. This allows for more effective budget allocation and improved campaign performance​. 

Data security

Both Google and Facebook emphasize the privacy-safe nature of their solutions. Enhanced Conversions and Advanced Matching use secure hashing techniques like SHA-256 to anonymize personal data before transmission, safeguarding the data while enabling detailed conversion tracking. 

Privacy concerns 

Despite Google’s and Meta’s claims that their solutions are privacy-compliant, there have been serious concerns about the ethical implications of scraping and utilizing personal data for conversion tracking. 

Many argue that while this approach can enhance ad targeting and conversion tracking, it may compromise user privacy. The balance between effective marketing and respecting user privacy is a critical issue that needs to be addressed to maintain user trust and comply with privacy regulations​.

Here are some additional criticisms concerning privacy:

Potential for reidentification

The Federal Trade Commission (FTC) has highlighted that hashing does not fully protect user anonymity and can still allow user identification. Hashing transforms data into a unique string of characters, which can still be reversed or matched with sufficient computational effort and supplemental data. Thus, hashing does not fully anonymize the data, and businesses must remain vigilant in their privacy practices​. This undermines the privacy safeguards that hashing is supposed to provide and raises concerns about how securely user data is being handled and stored by Google​ and Meta.

GDPR compliance

There are also concerns about GDPR compliance when using Google’s Enhanced Conversions and Meta’s Advanced Matching. GDPR mandates that personal data be processed lawfully, fairly, and transparently. Businesses must ensure data minimization – collecting only what is necessary for the intended purpose – and that they only use the data for the specific purposes for which consent was given. 

Privacy experts argue that Google’s and Meta’s practice of scraping form data and using it for ad conversion tracking may not fully align with these principles, particularly if users are not adequately informed or do not have a straightforward way to opt out​ of tracking​.

On top of that, even though the data is hashed, it does not eliminate the privacy risks associated with collecting and processing personal data without explicit user consent. Under GDPR, businesses must obtain clear and explicit consent from users before collecting their data and be transparent about how this data will be used​​. Consequently, companies that are subject to the relevant privacy regulations and want to adopt these technologies must ensure they obtain the necessary user consent.

Implementation challenges

Next to privacy concerns, Google’s and Meta’s technologies may come with implementation challenges. More advanced configurations require technical knowledge. Additional expertise might also be required to configure tags and manage data privacy settings. In practice, this rarely happens as decisions are left to those with technical knowledge of how both platforms work rather than privacy teams that should oversee the setup process. 

Adding a salt to the wound

A salt is a random value added to the data before hashing, meaning that even identical inputs produce different hashes. Adding a salt to the hash could enhance privacy by making it significantly more challenging to reidentify users. This approach mitigates the risk of attackers using precomputed tables to reverse-engineer the original data, thereby providing stronger protection against reidentification. 

However, this added privacy measure would lead to lost revenue for companies like Google and Meta. The reason is that salting would disrupt their ability to effectively match hashed data across different sessions and devices. Without consistent hashes, it’s impossible to track user behavior accurately and attribute conversions, which is critical for optimizing ad targeting and measuring campaign performance. Consequently, the precision of ad targeting would decrease, leading to less effective advertising strategies and reduced ad revenue for these platforms​.

How hashing works in Piwik PRO

Google and Facebook operate an ad business, while Piwik PRO provides analytics. Hence we can’t directly compare their features. However, we’re still able to contrast their approaches to privacy. 

Unlike Google and Facebook, which store hashed emails or phone numbers, Piwik PRO temporarily only links events with one visitor session. 

Google and Facebook use hashed data to track and reidentify users across different platforms, such as websites and mobile apps. Meanwhile, at Piwik PRO, temporary linking is utilized for pre-consent data tracking to ensure user data cannot be reidentified across sessions.

Here’s how hashing works in Piwik PRO:

1. Data protection: When users visit a site, their client device characteristics are hashed and salted using secure techniques. 
2. Active session detection: Piwik PRO maintains a session hash, which is a mechanism linking the visitor and session in memory for up to 30 minutes from the last update. 
3. No reidentification: Unlike Google and Facebook, Piwik PRO drops the link between the visitor and their session (usually after around 30 minutes, which is the session hash’s time-to-live (TTL)). This means that once the data has been processed – for example, a visitor’s session has ended – for its intended purpose – such as anonymized analytics – the session hash is discarded, making reidentification of the user impossible.
4. User consent: Before any data that could identify a user across sessions is collected or processed, explicit consent is obtained from the user. This aligns with GDPR and other privacy regulations prioritizing user control over personal data.

This methodology ensures that Piwik PRO’s use of hashing adheres to privacy best practices, offering a robust solution for businesses that need to track user interactions without compromising privacy.

Experts opinion

Brian Clifton

Digital analytics and privacy expert

A business thrives by encouraging people to buy, subscribe, and make contact. A big part of that process is giving people plenty of reasons to trust you. A remarketing approach based on a surveillance economy breaks that trust. Contextual remarketing is an alternative – it has been around for decades and works without profiling your customers. Whether you use remarketing or not, I would posit that the gains of building long-term trust with your customers and prospects, will far outway the short-term benefits of remarketing by stealth.

The bottom line 

Google and Meta are pushing advertisers to adopt their technologies – without that, they will lose huge amounts of data that they currently use for their own purposes to target individuals for ads. 

Let’s not forget that having explicit and informed user consent makes it possible to track users through access to their hashed first-party data and send it to Google or Meta. However, each business should individually assess its compliance and whether they have valid consent for such data processing purposes.

Substituting third-party cookies with hashed first-party data, as applied by Google and Meta, carries privacy concerns. Businesses should be aware of the negative privacy implications of Google’s and Meta’s technologies and consider more privacy-friendly options rather than risk loss of customer trust.

Without hashed first-party data, it will be harder for companies to perform personalized advertising due to the limited ability to stitch user sessions together, resulting in less personalized ads, though contextual advertising alternatives do exist (ironically, Google was an early leader in the field of contextual advertising until it changed its approach). 

However, businesses can still collect vital data with platforms like Piwik PRO Analytics Suite. They can successfully use it to optimize their website or app, improve user experience, and inform marketing campaigns or content initiatives. They’re also still able to run ad campaigns through Google or Facebook or turn to other forms of advertising, such as contextual targeting. 

Learn more about using Piwik PRO with Google Ads:

• How to optimize Google Ads campaigns with Piwik PRO Analytics Suite
• [Video] Sending ad conversions from Piwik PRO CDP to Google Ads
• [Video] Sending CDP Audience to Customer list in Google Ads

Learn more about how you can effectively collect and analyze user data while maintaining privacy compliance with Piwik PRO:

The post How do Google’s Enhanced Conversions and Meta’s Advanced Matching impact analytics appeared first on Piwik PRO.

On June 20, 2024, a US district court ruled in favor of the American Hospital Association’s (AHA) lawsuit against the Department of Health and Human Services (HHS) bulletin on using online tracking technologies, declaring it beyond agency authority. The 2022 bulletin sought to inform entities regulated under HIPAA of their obligations concerning the use of tools like analytics platforms on websites or apps. On August 29, the OCR decided not to appeal the court’s decision.

As a result, healthcare organizations may feel inclined to relax their efforts to ensure HIPAA compliance in their marketing stacks or stop seeking HIPAA-compliant alternatives. However, it’s important to note that the ruling, and HHS’s decision not to appeal, do not diminish the actual compliance risks.

Neglecting HIPAA compliance can damage healthcare providers’ reputations and patient trust, in addition to risking costly fines. Many organizations face class action lawsuits even after the court ruling against the HHS bulletin. Healthcare providers continue to violate HIPAA, primarily through tracking pixels installed on their websites that share sensitive patient data with tech giants like Meta or Alphabet. 

In this article, we explain the implications of the ruling in the AHA’s case and how healthcare organizations should use online tracking technologies in ways that let them comply with HIPAA.

The HHS bulletin on the use of tracking technologies

The HHS bulletin was initially issued on December 1, 2022, aiming to address potentially impermissible uses and disclosures of protected health information (PHI) by healthcare providers. According to the bulletin, PHI may be found on many authenticated (password-protected) pages and certain unauthenticated pages and mobile apps, making them subject to HIPAA. For example, the OCR assumed that anyone visiting a covered healthcare provider’s website was, is or will be a provider’s patient.

The AHA lawsuit against HHS and its guidance on tracking technologies

In November 2023, the American Hospital Association (AHA), joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, sued HHS to bar enforcement of a rule adopted in its bulletin on the use of online tracking technologies. 

The AHA challenged the HHS’ interpretation of HIPAA requirements, especially its overly broad conception of PHI. They argued that, contrary to HHS guidance, a person’s IP address combined with a visit to a specific webpage isn’t sufficient to constitute PHI. 

The AHA stated that the HHS bulletin upended hospitals’ and health systems’ ability to share health care information with the communities they serve and analyze their website traffic to enhance access to care and public health. The AHA also argued that essential website tools like analytics platforms will no longer appear on hospital websites. The AHA’s lawsuit was supported by 17 state hospital associations and 30 hospitals and health systems.

After the original bulletin was challenged in court, HHS issued revised guidance on March 18, 2024. The revisions, however, left regulated entities with the seemingly impossible task of distinguishing between what is and what is not a disclosure of PHI subject to HIPAA based on a website visitor’s intent. The AHA called the modifications “cosmetic” and stated that “the modified Bulletin suffers from the same basic substantive and procedural defects as the original one.”

In June 2024, a judge ruled in favor of the AHA, declaring that the OCR had overstepped its authority when issuing the guidance. The ruling centered on the interpretation that an IP address combined with website visit data from an unauthenticated page does not constitute PHI. On August 29, the OCR announced it would not appeal the district court’s decision.

read also

The guide to HIPAA compliance in analytics

Learn how your organization can achieve HIPAA compliance in analytics, marketing and advertising, including recommended practices and tools to adopt in your technology stack.

Download the whitepaper

The impact of the court ruling on HIPAA-covered entities

The court ruling and HHS decision not to appeal it do not mean that the issue of protecting PHI in the context of analytics tools has been settled once and for all. The ruling was issued in a specific case, indicating that an IP address combined with visit data from an unauthenticated web page does not constitute PHI. However, the ruling does not vacate other parts of the guidance, like those relating to authenticated pages such as patient portals. HHS can enforce certain instances of combining HIPAA identifiers with health information – for example, an ad click ID connected with a scheduled doctor appointment shared with an ad platform like Google. 

The HHS is not the only authority governing HIPAA compliance. Even if data doesn’t fall under HIPAA, it may still be subject to other privacy regulations. The Federal Trade Commission (FTC) has issued orders in several cases relating to healthcare providers, and it’s not directly tied to HIPAA. A common legal basis for the FTC’s involvement is the FTC Act, which prohibits unfair or deceptive trade practices. In April 2024, the FTC ordered the telehealth company Cerebral to pay a $7 million fine and limit the use of consumer health data for advertising purposes.

Collecting and sharing PHI still requires special caution

While the court’s verdict in AHA’s lawsuit may serve as a benchmark for later decisions on possible HIPAA violations, the complexity of PHI protection and the diversity of contexts involved dictate particular attention. The fundamental issues surrounding the collection and use of PHI by healthcare organizations remain unchanged. 

What is allowed under HIPAA concerning the use of tracking technologies like analytics platforms continues to be subject to interpretation. While the definitions of PHI and ePHI are well-established, the widespread use and interoperability of modern IT systems make it alarmingly easy for PHI to inadvertently leak into your website or app. Therefore, it’s wiser to stay on the safe side rather than rely on a gray-area interpretation of PHI that maintains the status quo.

The rise in class action lawsuits against healthcare providers

In recent years, dozens of class action lawsuits have been filed against healthcare providers across the US. Most of these lawsuits concern the providers’ use and sharing of patient data with major ad platforms. 

Two Louisiana health systems – LCMC Health and Willis-Knighton Health – were sued for using Meta Pixel on their websites, which shared medical data of hundreds of thousands of patients with Facebook and Instagram. Advocate Aurora Health agreed to pay $12.2 million to settle a lawsuit for disclosing the personal health information of more than 2.5 million people to Meta and Google without their consent.

The ruling in the AHA’s case does nothing to protect healthcare companies from these class action lawsuits, especially since they allege violations of state and federal privacy laws, such as the California Consumer Privacy Act (CCPA) or the Illinois Biometric Information Privacy Act (BIPA), not HIPAA. Many states have laws that protect the same information as HIPAA and provide a private right of action, which HIPAA does not. The class action lawsuits indicate that healthcare providers continuously fail to sufficiently protect patient data from being shared with third parties.

Focusing on patient trust

Consumers have grown more aware of their online privacy and how their personal data is being used, and this trend will only increase. People don’t want to be tracked by ad tech companies, especially when it concerns their health information. But, as we can see, many healthcare providers continue to neglect patient privacy by sharing their sensitive information with third-party vendors. 

Healthcare companies also struggle to adequately inform consumers about the use of third-party tracking technologies on their websites. A recent study of 100 US hospitals found that 96% of hospital websites transmitted user information to third parties, and only 71% had a publicly accessible privacy policy. Of those, only 56.3% disclosed the specific third-party companies receiving user information.

Considering all these aspects, the AHA ruling does not remove healthcare organizations’ responsibilities when collecting and sharing sensitive patient information with tracking technology vendors. They must apply proper safeguards to protect themselves from costly lawsuits and civil penalties. Let’s not forget the root of all this – patient trust – which means there is no room for bare-minimum measures in protecting patient privacy. 

Here is what you can do to ensure your use of analytics stays in line with HIPAA requirements.

How should healthcare organizations comply with HIPAA and HHS guidance

Healthcare providers must carefully assess and monitor the tracking technologies they use, what tools can access PHI, and whether they have business associate agreements (BAAs) in place.

On top of that, they need to monitor any future guidelines issued by HHS/OCR, FTC, and other state privacy developments in this space.

HIPAA-covered entities must sign a business associate agreement (BAA) with a tracking technology vendor that meets the definition of a business associate before passing PHI to them. If you can’t sign a BAA, you must adequately de-identify PHI or restrict its flow to analytics.

HIPAA-covered entities must ensure that all disclosures of PHI to tracking technology vendors are permitted by HIPAA. Using any PHI/ePHI for marketing or advertising without a BAA can be a severe violation of HIPAA.

Consider the following cases:

• You need BAAs for tools containing user data, such as CRM systems and customer data platforms (CDPs). 
• You might not need a BAA if your analytics tool runs on unauthenticated websites.
• You must sign a BAA if your analytics tool runs on authenticated (password-protected) pages, such as a patient portal.

However, these approaches heavily depend on what data you collect on respective pages. If any data, even that collected on unauthenticated pages, could be used to identify an individual and relates to their health, it could still be considered PHI. You must carefully assess all data collected, regardless of whether the page is password protected. Consult your legal department to review your digital infrastructure and determine whether a BAA is necessary. 

While a BAA ensures that the vendor complies with HIPAA, it does not eliminate the need for patient authorization. Covered entities must obtain written authorization from patients before using or disclosing PHI for marketing purposes, as well as for selling it. This includes any campaign that promotes a product or service, especially if it involves payment. However, authorization isn’t required when the activity is related to treatment, payment, or healthcare operations. 

Valid patient authorization under HIPAA must be specific, informed, and given voluntarily, and must include the following:

• The specific purpose for which the PHI will be used, such as analytics, research, or improving patient care.
• The types of PHI that will be collected and used such as IP addresses, search queries, or appointment details.
• Any third parties, such as analytics vendors, that will receive the PHI. 
• An expiration date or event after which the consent is no longer valid.
• How patients can revoke their authorization at any time.
• Signature and date by the patient or their legal representative.

A consent management platform (CMP) can help you automate the process of obtaining, managing, and tracking patient consent.

What if you can’t sign a BAA with the analytics vendor

Without a signed BAA with the vendor, healthcare organizations must de-identify PHI using one of the approved methods:

• Safe Harbor method: Remove all 18 identifiers listed in HIPAA (e.g., names, addresses, dates, Social Security Numbers) and ensure no remaining data could identify an individual.
• Expert Determination: Engage a qualified expert to confirm that the risk of re-identification is “very small” using statistical or scientific methods.

Once de-identified, the data is no longer PHI and can be used for analytics without a BAA.

Freshpaint is an example of a platform that adopts de-identification. It uses techniques such as creating anonymous visitor IDs and irreversible cryptographic hashing to de-identify data. Freshpaint’s key feature involves preventing PHI from being shared with non-HIPAA-compliant tools

However, de-identification is challenging and requires significant resources to do it properly. Despite efforts to de-identify data, there remains a risk that sophisticated technologies could re-identify individuals, especially if the data is combined with other datasets. De-identification requires careful handling to ensure the data remains protected and useful for analysis, which can be difficult to achieve in practice. On top of that, managing de-identified data with a platform like Freshpaint requires coordination between legal, technical, and marketing teams.

Another option for healthcare organizations to mitigate the risk of HIPAA violations is data anonymization. For example, they can use third-party anonymization software to irreversibly mask PHI before transmitting data to analytics vendors. You need a signed BAA with the anonymization vendor, but since the analytics vendor does not receive PHI, you don’t need a BAA with them.

Anonymized data, while offering maximum privacy protection, may not be suitable for all types of analysis or research. Anonymization reduces data accuracy and granularity, strongly limiting its value. Achieving proper anonymization requires advanced techniques and thorough validation.

Companies can also use HIPAA-compliant “limited data sets” (retaining some identifiers like dates) for analytics if a data use agreement is in place. This avoids a BAA but still requires contractual safeguards to prevent re-identification. 

Aggregated data for healthcare operations, such as population health analysis or quality improvement, is permitted under HIPAA if the BAA with the business associate explicitly allows it. Without a BAA, aggregation alone is insufficient unless combined with de-identification. For example, combining de-identified datasets from multiple sources to analyze trends without exposing individual identities. 

The most secure approach for HIPAA-covered entities involves switching to an analytics platform that explicitly supports HIPAA compliance and provides appropriate safeguards for handling sensitive health information.

HIPAA-compliant analytics with Piwik PRO

Piwik PRO offers an all-in-one analytics platform consisting of four integrated modules – Analytics, Tag Manager, Consent Manager, and Customer Data Platform. As a healthcare organization, you can use our comprehensive features to build a powerful, HIPAA-compliant analytics stack that includes data collection, analysis, and activation.

We are committed to providing HIPAA-covered entities with the most secure marketing platform. We help companies in the healthcare industry meet the stringent requirements of HIPAA and offer our clients informative, valuable, and actionable insights.

We will sign a BAA with you, allowing you to send all types of PHI to your analytics setup. If you prefer, you can also de-identify all PHI before sending it to our platform.

Other HIPAA-related features that are part of our product include:

• Hosting on select HIPAA-compliant Microsoft Azure data centers located in the US.
• ISO 27001 certification.
• HIPAA compliance attested as part of our SOC 2 Type II report.

• Granular data access controls to restrict data access only to authorized personnel. 
• Detailed audit logs to efficiently track data access and changes to the data collection configuration.
• Not sharing ePHI with third parties or reusing it for other purposes.
• Regular privacy and security audits by external, independent bodies to ensure the highest level of security measures.

After signing a BAA, you can safely use our Customer Data Platform (CDP) to deliver trusted and personalized healthcare experiences. CDP empowers you to unify patient data from different sources, remove data silos, and create a secure foundation for driving effective marketing and communications and improving your services. You can activate the data to acquire new clients, better respond to patients’ needs, improve contact center interactions, and much more. 

The post The AHA’s lawsuit against HHS guidance on online tracking technologies: What it means for HIPAA-covered entities and their use of analytics appeared first on Piwik PRO.

Let’s dive into the third episode of our video series with Brian Clifton, a renowned digital analytics and privacy expert. He presents the history of digital analytics, including technologies and mindsets surrounding the analytics industry. The first part was dedicated to the origins of web analytics tools, and the second focused on the increased interest in privacy in data collection.

In the third part, Brian discusses challenges in ensuring proper data quality and explores how organizations can overcome them to build their audience’s trust, enabling more informed and effective decision-making. You can watch the videos in the corresponding sections of this article.

The importance of data in modern organizations

As data analysis now impacts all aspects of a business, it has become difficult to locate where data analytics actually fits within organizational structures. Data democratization can cause greater buy-in and innovation, but it can also result in a lack of data ownership- in other words, it becomes unclear who, precisely, is responsible for it.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

There are two important challenges that arise when dealing with data in larger organizations:

• Understanding the audience’s perspective: Data experts often struggle to simplify complex concepts for those with less experience, such as marketers who engage with analytics less frequently. It’s essential to present data in a consistent and accessible way without losing key insights.
• Determining the role of analytics: Analytics is often used across multiple departments, making it difficult to establish clear ownership and governance. Organizations need to ensure that their data strategy aligns with overall business objectives, rather than it being siloed by each department.

“One of the great challenges with analytics is it doesn’t fit in any one place anymore; it’s everywhere, and because it’s everywhere, it’s very difficult to take ownership of it. As with any project without an owner, there is no leadership, and that results in teams working in their own data silos.”

Brian Clifton, Digital analytics and privacy expert

Businesses need to adopt a holistic approach to fully leverage the power of data-informed decisions. This means engaging multiple stakeholders across different departments and ensuring that the impact of data-driven decisions is understood and aligned with the overall business strategy. While it can be challenging to broaden the scope of a data project, especially when budget constraints and departmental boundaries come into play, it is essential for long-term success.

The impact of data quality on decision-making processes

Modern organizations rely on data to make informed decisions across all levels of the business. Whether it’s determining the success of a marketing campaign, optimizing supply chain logistics, achieving efficient staffing levels, or enhancing customer service, data provides the information needed to guide strategic choices. As the digital landscape expands, the amount of data available to organizations has grown exponentially, providing new opportunities to gain a competitive edge.

However, the abundance of data also presents challenges. It’s not just about having access to data but understanding what data is relevant, how to analyze it, and how to apply insights effectively.

“Currently, large chunks of collected data are simply noise. Data noise is not only distracting, but can be costly to process and store, can bury the useful signals you need, and are a business risk for privacy compliance. Auditing your data has never been so important.”

Brian Clifton, Digital analytics and privacy expert

The evolution of data collection and usage practices reflects a broader shift in how businesses operate. The days of simply gathering as much data as possible just because you can are over. Now, the focus is on collecting and using the right data to benefit both the organization and its customers.

Moving data handling from IT to other departments

In the early days, analytics was primarily an IT function focused on building and maintaining the website. In the mid-2000s, it expanded into marketing, becoming a key tool for driving strategy. Today, however, the reach of data analytics extends, impacting various departments. 

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

Effective collaboration between IT, marketing, and legal teams is key to navigating the complexities of modern data management. By working together, the teams ensure the four pillars of analytics are in place: that data is accurate, compliant, actionable, and aligned with the organization’s strategic goals.

“Once you get teams out of their silos and working together, they start to think in terms of answering the business questions, rather than focusing on what data to collect. That is where the conversation should start.”

Brian Clifton, Digital analytics and privacy expert

Using data analytics to provide meaningful insights rather than just numbers

Being “data-driven” is a buzzword, because it’s not enough just to collect numbers. The real value lies in being data-informed, which means understanding what the data truly represents and using it to drive meaningful decisions. Many organizations focus on headline numbers without investing time and energy in thinking about what insights they can derive from this data and how they can act on them.

This content is hosted by a third party (YouTube). By clicking the button below, you consent to loading the video.

Data must be accurate, consistent, and aligned with business objectives to be truly valuable. This requires a robust data governance process in which business questions drive data collection, not the other way around. 

It’s also essential to ensure high-quality data is gathered ethically and with proper user consent. Data should inform strategic decisions, helping businesses understand customer behavior, optimize processes, and ultimately create more value. With these insights, it becomes a powerful tool for growth and innovation.

The post 25 years of digital analytics with Brian Clifton: Being data-informed, not just data-driven appeared first on Piwik PRO.