This week on the HIPAA Vault show, we discuss the important topic of website tracking and patient privacy. We cover what website tracking is and how it is used, as well as how HIPAA rules apply to regulated entities using technologies like Google Analytics.


HHS Bulletin on Online tracking apps: https://bit.ly/40CWeyL
Google Analytics Recommendations: https://bit.ly/3oz0VMM
Matomo: https://bit.ly/41YSnxi

Transcript:


Adam
Hello and welcome to The HIPAA Vault Show where we discuss all things hippocompliance in the cloud. My name is Adam Zeineddine, and I’m joined today by Gil Vidals, the founder and CTO of HIPAA Vault. Hi Gil. 


Gil
Hey, good to see you again. 


Adam
Yeah, great to see you too. So last week we talked a little bit about HIPAA compliance for Outlook. This week we’re going to talk about slightly broader topic which has been the source of a lot of interest recently. We’ve been getting a lot of questions and comments about it and that is third party website tracking and how that relates to HIPA and patient privacy. Most of the questions have been coming from marketing agencies. So this episode is going to be just FYI kind of geared more towards that. But if you are a website owner, it is also useful to stay abreast of this kind of information and maybe ask your marketing agency about it. So maybe the best way to start here, Gil, is to maybe define a little bit about what website tracking is. So I’ll go ahead and do that. 


Adam
So what is website tracking and what is it used for? So, website tracking is the collection and sharing of information on an individual visitor to the website’s activity on the internet. And it’s used for a couple of things. It’s used to measure a website’s traffic, how many visitors it gets in a certain time period, provide user tailored experiences. So when a visitor specific visitor visits the website, it tailors the experience to them, measures success in terms of the visitors coming to the website and maybe purchasing a product or filling in a form, tracking conversions and delivering targeted advertisements. So I would say the main use cases. Would you agree with that, Gil? 


Gil
Yeah, I would like to add that this is so vital to market tiers marketing departments because marketing departments spend a lot on promoting the website and they really are trying to implement the CTA, the call to action. And like Adam mentioned, a call to action might be to buy a product, it might be to download a white paper, it might be to call the 800 number. I mean, it could be any number of things. But you cannot measure the success and the return on your investment of those marketing dollars unless you have proper tracking. So it is something very vital to the survival of the business. 


Adam
Yeah, definitely. And to add to that, I think before we started recording, were talking about analogies here and I think we could start by maybe saying that it’s already proven successful in the retail industry as they switched from more brick and mortar stores to selling their products online. I think we use the analogy of depot. Right, Gil? Maybe you’d get to kind of expand on that a little bit. 


Gil
Well, were talking about the data that’s being collected in the context of the kind of entity. So let’s say someone goes to Home Depot and they’re on the website, they want to buy some hammers and nails for a project. That same individual who’s shopping at Home Depot might go over to Kaiser and they’re a patient, let’s say they’re part of the Kaiser organization, that’s where they have their healthcare plan. So now they’re over at the Kaiser website, and let’s say both Kaiser and Home Depot are tracking this individual’s IP address, their email address, their geolocation, the time of the day, the type of web browser they’re on, all these details and many more details. But in context, Kaiser is regulated by HIPAA. Home Depot is not. So clearly there’s a big difference. 


Gil
Home Depot is not on the hook saying, oh, this is patient information, protected health information. It’s not the guy’s just going there to buy hammers and nails online. But with Kaiser, because Kaiser has a relationship, a healthcare relationship with that user who happens to be a patient or under the healthcare plan. Now all of a sudden, Kaiser has to be careful with that data and where they display and how they use that data of all those metrics they collected. They’re more limited and more restrictive in the scope of what they can do with that data. 


Adam
So they might in this scenario, be using exactly the same marketing methods, the same tools, but the law applies differently to them because of the nature of. 


Gil
The yeah, and let’s be even more so, both Home Depot and Kaiser, and this is just a fictitious example, by the way. Both websites have the same data, let’s say. But in the case of Kaiser, they should not let these metrics that they’ve collected leak into the area where the analytics reside. So the analytics for all this fancy data could reside on Google Analytics or some other platform. They should not let that happen. They shouldn’t say this data we collected is now going to be over as some metrics company. Whereas Home Depot could do that, they could allow the same metrics over to their metrics platform that’s run by some other vendor. Kaiser has to do more data scrubbing and they have to de identify the data before they allow it to go to the analytics platform. 


Gil
They have to strip out a certain amount of data that would identify that user. 


Adam
This is a developing item in terms of legally, and we’re not legal experts disclaimer. But there has been more and more activity, let’s say, when it comes to lawsuits that are being filed against healthcare companies, when it comes to whether or not they did or did not use tracking tools in a way that doesn’t comply with HIPAA law. So it’s moving very fast. So just to put that as a comment, in terms of a timestamp, this is something that’s not clear. There’s no 100% what to do exactly for healthcare entities on it. But the HHS has issued a bulletin and we’ll make sure to share the link to that bulletin online tracking apps in the show description notes. When it comes to the tools like you mentioned, Gil, there’s Google Analytics, there’s also metapixel that are being used for these purposes. 


Adam
I did find, and we’re researching as we go here, but I did find that there was a Google Analytics documentation as to your point how to best deidentify any kind of phi that could come in if you don’t take extra care to it. So Gil, did you have any recommendations on that or should we just kind of advise to follow that advice? 


Gil
Well, I was going to mention I don’t know if you wanted to mention Matomo or if it’s okay I mentioned. 


Adam
Absolutely. 


Gil
So there are third party companies that can be a proxy. So what that means is that you collect this information, which we mentioned at the top of the podcast, is vital for the business to grow to collect this info. So you collect it on a server that you control inside your company. And I think Matomo is one of the companies and full disclaimer, we don’t have any relationship with them or any kind of commercial relationship at all. We googled it. We found the company does this. So all this information that you collect on your visitors to your website could go onto the server that’s again within your organization and then in this example, Matomo server would de identify, they strip out some of this information, then they send it off to say Google Analytics. 


Adam
Exactly. 


Gil
Or the metapixel. So now Metapixel, Google Analytics and other platforms all receive the information that’s been deidentified, it’s been cleaned up. They are confident. Yeah, go ahead. 


Adam
I was just going to say on the Google Analytics, I did some research and it does look like that’s correct in terms of sending that information over. I’m not 100% sure that it integrates with Metapixel currently. So just be aware of that. It might by the time you’re watching this. 


Gil
Sure. But I think the idea proxy is a computer term that’s used meaning a middle layer, a middleman that takes and does something with the data before it passes it on to the final destination. So that’s certainly something that we would recommend looking into. And you can Google those. See, I’m sure there’s more than one competitor out there. You can look to see what sounds reasonable. I’m sure these services are pretty expensive because it’s a new technology and it’s also not widely used. So that means that it’s early days. It’s probably going to be kind of expensive, I would think. 


Adam
Yeah, well, actually it’s great that you bring that up because Matomo specifically is the software itself. When you’re self hosting, it is free, the software side of it. So they do have a cloud platform, cloud SaaS based model software as a service. But you need a baa ultimately to make sure that data is secure. In a HIPAA compliant manner. So Matomo is free when you host it what’s called on premise. We’ve actually hosted a couple of hosted basically they’ll install the server and then. 


Gil
When you say you need a baa, you mean that if you were to use some third party provider that’s out in the cloud, you would want to have a baa with that provider. But if you’re self hosting in your own environment. 


Adam
Exactly. Thanks for that. Basically, wherever the data is being stored and the communications that are there, it’s with the hosting provider really, to set that up. And that’s something that we can certainly help with. But yeah, Matomo free to install on premise, and we’re hearing really good things about it. As I say, we’re not experts in Matomo specifically, and we don’t have any commercial direct relationship with them, but we’re definitely worth checking out. 


Gil
Sure. And I would recommend to our listeners, if you do decide to self host your platform, whatever that is, where you’re going to deidentify the data, you can bring that information into our platform, into HIPAA Vault so we could host that platform for you, and that may be a help. So that’s a plug for our own services that we offer to the community. 


Adam
Absolutely. That’s a good plug for it. I think it makes it worthwhile. Definitely. Gil, are there any other considerations here on a high level? We’ve talked a lot, maybe more for the marketing professional. Is there anything that you’d recommend for the website owner themselves that might not be too technically savvy here in terms of what you need to look. 


Gil
Think? I mean, this collection of data is important. It’s important that if you do have analytics is currently receiving the data that you’re not hosting, let’s sit out there. Google analytics or Metapixel or wherever it is, be very careful to make sure that information from those platforms doesn’t get leaked out. So you want to make sure that you don’t use, for example, a common email. Like some people will have an email called Advertising@acme.com as an example. And you have 25 people at your company, they all use the same email to log into Google Analytics. You’re going to want to stop that right away and say, no, only these few people can log into that. Because now you’ve got a risk that you have to manage in that environment to make sure that you don’t let everybody in there. 


Gil
You have to make sure that information doesn’t get leaked out. 


Adam
Right. The accountability portion of HIPAA, right? 


Gil
Yeah. It’s best to use a proxy like you were saying. But in the meantime, while you’re doing your research and you’re trying to figure out how to improve your security and your HIPAA compliance, make sure the analytics platform you’re using is adhering to HIPAA compliance. Ideally. But if not, at least you can control the credentials. Who has access and turn on two factor authentication. I would do that immediately. I would go there, I’d log in, I’d turn on the switch for two factor, and at least now I’d have a little bit more security. 


Adam
Absolutely. Anything else that you’d like to bring up with regards to? 


Gil
No, I think that’s it. This is, as you said at the top of the podcast, Adam, this is a newer area. Let me say it this way. Collecting analytics and data has been around for a long time. That’s not new. What we mean by new is that there are new complaints and court cases and litigation around this topic. That’s the part that’s new and it’s come to the limelight. And you know how it is. Anytime there’s a weakness and leakage of data, I am sure litigation is the next step and everybody wants to avoid that. So hopefully this podcast will help you at least come to terms and be aware that this is a risky area, that maybe something you didn’t give it any thought before at all. And now it could be top of mind and you can talk to your team. 


Gil
If you’re the CEO listening to this, go talk to your team, your website team, and ask them where do we store the data? I want to know where we store the data. Is it stored on premise or is this analytics stored somewhere else? 


Adam
Absolutely no great points there. And to the listeners and viewers, if you have any questions about website tracking hosting in a HIPAA compliant manner in any way, just send us an email at podcast@hipaavault.com. You can also tweet us at @hipaahosting. Please also make sure to subscribe and leave us a five star review if you enjoyed this episode. And until next time, thanks for stopping by.