You’ve benefited from HIPAA, whether you know it or not. The Health Insurance Portability and Accountability Act has been around since 1996 when it was signed into law by President Bill Clinton. The law protects you and me from having our medical information leaked, shared, or spoken about by those with access to it. The “Privacy Rule” created by the act ensures that our medical information doesn’t get into the wrong hands.

In the realm of web design, especially for our numerous medical clients, navigating HIPAA compliance is a critical yet often overlooked aspect. Many are unaware of what constitutes compliance and, more importantly, of the potential risks of non-compliance. As a trusted partner, we dedicate significant effort to educating our clients on these matters. While instances of legal action are rare, the possibility of being sued for HIPAA violations is real and should not be underestimated. This guide aims to shed light on these complexities, especially in the context of website tracking software in the healthcare sector.

Despite the sensitivity of your PHI, otherwise known as protected health information, there are several online tracking entities, apps, and websites that can collect your data, violating HIPAA. You not only need to check how good your web hosts are, but you also need to look into your digital tracking tools. You might be thinking you’re using responsible, HIPAA-compliant tools while they’re slowly siphoning your data to bad actors or third parties. That’s why I’ve put together an extensive list of web tracking software that are and are NOT HIPAA-compliant.

Let’s start digging into the details.


What is website tracking or analytics?

Website analytics refers to the collection and analysis of web data to understand and optimize web usage. It involves tracking various metrics such as visitor behavior, traffic sources, page views, and user engagement. Implementation typically starts with integrating a tracking code, like Google Analytics, into a website's HTML. This code collects data on user interactions and sends it to a server for analysis. The resulting insights help website owners make informed decisions to improve user experience, content, and overall website performance.

It's a straightforward process, widely used in various industries, including healthcare. This technology can enhance patient care, data management, and cost efficiency. However, it's crucial to choose HIPAA-compliant software for handling sensitive medical data. Ensuring top-notch security is vital to protect patient information and avoid potential leaks.

We make sure ALL of our clients have some form of analytics on their websites. It’s crucial to know how your website is being used.

Tracking Software And How Some Are and Aren’t HIPAA-Compliant

I just barely scratched the surface of the countless benefits an effective tracking service can have for a company, even one in the medical industry. Regardless of the specific positives it can have for any business, it can provide a valuable cache of data to help you improve everything from conversion rates to website ranking. The best tools provide a bevy of analytics that you can use to optimize your content and draw in a hell of a lot of traffic.

Some of these tools can track business goals and milestones; some can analyze your online traffic to tell you more about it. When dealing with sales of any kind, you’re already giving those tools access to a lot of private information, the kind of information that has led to massive leaks to the public, resulting in lawsuits, legal issues, and a ton of other problems.

There are already rules in place to ensure certain tools only share or disclose PHI (protected health information) as permitted under the HIPAA Privacy Rule. While we wish websites did everything we told them to, that’s not always the case.

Some tools take measures that protect our information, and frankly, many others don’t.

HIPAA-Compliant Tracking Software

HIPAA penalties can be costly for those who violate the rules. I don’t want to have to pay $50,000 for violating someone’s privacy rights, and you shouldn’t either. That’s why it’s in the patient’s and the provider’s best interests to use tracking tools with the right security measures.

Secure data disposal, strong encryption protections, data audits, and risk assessments are just a few of the protections tracking software should be taking. Then, it should use forms of consent management to keep users and patients informed about those data practices. I’ve put together a list of just a few of the tools that apply security features like these and have measures in place to protect your data.

  • Mixpanel
    • Compliance Status: Potentially Compliant.
    • Reason: Mixpanel can be configured for enhanced privacy settings and, with a BAA, might be used in a HIPAA-compliant manner. However, careful setup and continuous monitoring are necessary.
  • Clicky
    • Compliance Status: Potentially Compliant.
    • Reason: Clicky provides real-time web analytics. With proper configuration to avoid PHI capture and a BAA, it may be used in compliance with HIPAA.
  • Matomo (formerly Piwik)
    • Compliance Status: Potentially Compliant.
    • Reason: As an open-source platform, Matomo can be configured for privacy and, with a BAA, could be HIPAA compliant. It allows for on-premises hosting, which gives better control over data.
  • Adobe Analytics
    • Compliance Status: Potentially Compliant.
    • Reason: Adobe offers robust data privacy and security features. With a BAA and careful configuration, it could be made HIPAA-compliant.
  • Woopra
    • Compliance Status: Potentially Compliant.
    • Reason: Woopra focuses on customer journey analytics. With stringent data privacy measures and a BAA, it might meet HIPAA compliance requirements.
  • VWO (Visual Website Optimizer)
    • Compliance Status: Potentially Compliant.
    • Reason: VWO offers A/B testing and conversion optimization. It may be HIPAA compliant with strict data handling and a BAA.
  • Optimizely
    • Compliance Status: Potentially Compliant.
    • Reason: Known for A/B testing and personalization, Optimizely can be HIPAA compliant with proper configuration and a BAA.
  • StatCounter
    • Compliance Status: Potentially Compliant with Caution.
    • Reason: StatCounter provides real-time analytics. HIPAA compliance is possible but requires careful setup to avoid capturing PHI.
  • Parse.ly
    • Compliance Status: Potentially Compliant.
    • Reason: Parse.ly offers content analytics and could be HIPAA compliant with a BAA and appropriate configuration to safeguard PHI.
  • Mouseflow
    • Compliance Status: Potentially Compliant with Caution.
    • Reason: Mouseflow is a tool that offers website heatmap tracking, session replay, and other analytics capabilities. It captures detailed information about user interactions on a website, which could include clicks, mouse movements, and form submissions.

SERMO, Roche Diagnostics, GE Healthcare, and Varian are just a few of the corporations putting these tools to good use.

Non-Compliant Website Tracking Software

As it turns out, there are quite a few tracking tools that aren’t making the best use of your data. I was surprised to find just how many don’t implement simple measures like consent management and data disposal, which are fairly basic security features. Without safeguards to protect your or your patients’ data, you shouldn’t be using these tools.

Here’s a list of some non-HIPAA-compliant software.

  • Google Analytics
    • Compliance Status: Generally Not Compliant.
    • Reason: Google Analytics tracks and stores user data, which can include protected health information (PHI). Without proper configuration and a business associate agreement (BAA), it's typically not HIPAA compliant.
  • Facebook Pixel
    • Compliance Status: Not Compliant.
    • Reason: It collects detailed user data for ad targeting, which can be problematic under HIPAA, especially without a BAA and stringent data privacy measures.
  • Hotjar
    • Compliance Status: Not Compliant.
    • Reason: Hotjar records user interactions on the site, which can include PHI. It doesn’t typically offer a BAA, crucial for HIPAA compliance.
  • SEMRush
    • Compliance Status: Not Compliant.
    • Reason: Primarily an SEO and marketing tool, SEMRush is not designed with HIPAA compliance in mind and generally does not offer a BAA.
  • Ahrefs
    • Compliance Status: Not Compliant.
    • Reason: Ahrefs focuses on SEO and backlink analysis and is not typically used in a manner compliant with HIPAA regulations.
  • Moz Pro
    • Compliance Status: Not Compliant.
    • Reason: Moz Pro is an SEO tool and doesn't align with HIPAA compliance requirements, typically lacking necessary data protection and privacy features.

If you use one of these forms of tracking software, you could be putting yourself and your users at risk. I know just how vital web security is to ensuring users have a positive experience. Risking their security or private information just because you want to save a few bucks isn’t a good excuse. The results are there; now it’s up to you to make the right call.

Ensuring Your Web Tools Are HIPAA-Compliant

There is no test to ensure a tool is compliant – you have to ask. You can also ask for a compliance certificate (not required for compliance). Of course, these have their limits and you’ll need to use your best judgement.
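Asking the vendor is the only way to settle compliance, but you can at least inventory which trackers your own pages load and keep PHI out of what they receive. The helper below is an added example, not code from the original post: it classifies script URLs with this post’s status labels and scrubs identifiers from a page URL before it is sent to any analytics tool. The vendor hostnames, the `clinic.example` site and the sample script list are assumptions constructed for the example.

```javascript
// Added example (not from the original post). Two defender-side checks a clinic
// can run against its own site: inventory the third-party tracking scripts a page
// loads, and scrub a page URL before any analytics tool sees it so PHI never
// leaves the site. Hostnames are assumed vendor script domains, not from the post.
const KNOWN_TRACKERS = {
  'www.googletagmanager.com': { tool: 'Google Analytics', status: 'Generally Not Compliant' },
  'www.google-analytics.com': { tool: 'Google Analytics', status: 'Generally Not Compliant' },
  'connect.facebook.net':     { tool: 'Facebook Pixel',   status: 'Not Compliant' },
  'static.hotjar.com':        { tool: 'Hotjar',           status: 'Not Compliant' },
  'cdn.mxpnl.com':            { tool: 'Mixpanel',         status: 'Potentially Compliant' },
  'static.getclicky.com':     { tool: 'Clicky',           status: 'Potentially Compliant' },
};

// Classify every <script src> on a page. Relative URLs resolve against the site
// host and count as first-party; unknown third parties are flagged so the owner
// knows to ask that vendor for a BAA, which is the post's advice.
function auditScripts(siteHost, scriptUrls) {
  return scriptUrls.map((src) => {
    const host = new URL(src, `https://${siteHost}`).hostname;
    if (host === siteHost) return { src, tool: 'first-party', status: 'n/a' };
    const known = KNOWN_TRACKERS[host];
    return known
      ? { src, ...known }
      : { src, tool: 'unknown third party', status: 'ask the vendor for a BAA' };
  });
}

// Strip what usually carries PHI in a URL before it becomes a page-view event:
// the query string and fragment, plus path segments that are numeric or hex
// identifiers (patient IDs, appointment IDs, record GUIDs).
function sanitizePageUrl(rawUrl) {
  const u = new URL(rawUrl);
  const path = u.pathname
    .split('/')
    .map((seg) => (/^(\d+|[0-9a-f-]{16,})$/i.test(seg) ? ':id' : seg))
    .join('/');
  return `${u.origin}${path}`;
}

// Constructed sample: the script tags a clinic's page <head> might contain.
const SAMPLE_SCRIPTS = [
  '/js/app.js',
  'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER',
  'https://connect.facebook.net/en_US/fbevents.js',
  'https://cdn.mxpnl.com/libs/mixpanel-2-latest.min.js',
];
for (const f of auditScripts('clinic.example', SAMPLE_SCRIPTS)) {
  console.log(`${f.status.padEnd(24)} ${f.tool.padEnd(20)} ${f.src}`);
}
console.log(sanitizePageUrl('https://clinic.example/patients/48213/appointments?name=Jane+Doe#notes'));
```

In a browser, feed `auditScripts` the values of `document.scripts[i].src` and run `sanitizePageUrl` on `location.href` before calling whichever analytics API you use.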

The Future of Data Protection and Digital Tools

HIPAA isn’t set in stone. Regulators make changes and advancements to those regulations, so make sure your tracking tool is turning said changes into updates. Privacy Rule changes have already been made for the 2023 calendar year, with some potential new ones expected for 2024. One of 2023’s biggest regulatory updates led to more protections for people seeking treatment for SUD (substance use disorder).

Look for regular updates that reflect those regulation changes, otherwise, you could end up paying thousands of dollars for a lazy mistake.

As management software continues to evolve, security measures need to evolve too. I don’t risk my data when I’m ordering dinner, let alone when I’m making a doctor’s appointment or ordering my prescriptions. Making sure your digital tracking tools have the right protections isn’t just a matter of security; it’s a matter of trust. Your patients and users are already placing their care in your hands; make sure that care includes their privacy. If you don’t, it’ll cost you more than a few thousand bucks: it’ll cost you patients.