Why You Need More Than Just A BAA To Manage PHI
If you are building health tech, the management of your users’ data is a huge responsibility. They are putting their trust in you to safeguard some of their most sensitive information.
Living up to that responsibility is difficult. You have to engineer not just your product to protect this data, but anytime you have to send that data anywhere you are opening up the possibility of exposing PHI, and a chance to lose that trust.
At Freshpaint we take this responsibility seriously as well. If your users’ data is flowing through our product, we help handle it correctly. Part of that is signing a BAA, or Business Associate Agreement, but there is much more to correct handling of data than legal documentation.
Here we’re going to take you through a framework for thinking about compliance with the HIPAA privacy rule, and how we are doing things differently at Freshpaint.
4 approaches to HIPAA compliance
Before we start, here’s what the privacy rule says:
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
"Individually identifiable health information" is information, including demographic data, that relates to:
- the individual's past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
So there are two parts to this:
- the health information itself, and
- individual identifiers.
It’s the second part here that causes problems, especially with the way modern products work. Those individual identifiers are part of the dataset that teams need to improve products and marketing campaigns, understand problems, and communicate with users. Let’s say you’re tracking a user interacting with a page on your site (HHS updated their guidance in December 2022 to specifically call out tracking technologies). The tracking payload might look like this:
    "city": "San Francisco",
    "country": "United States",
    "carrier": "T-Mobile US",
    "name": "iPhone OS",
    "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1",
    "name": "Ray Mina",
There are 18 individual identifiers. 8 of them are in this single payload. The two obvious ones are name and email, but these six would also be classed as PHI:
- device id
- city, latitude, and longitude
You can strip out some of these (which comes with an engineering overhead), but others, such as the URL here, are necessary to understand the journey of the user on your site. Maybe you can also strip out name, email, and userId, but then you lose the ability to use those identifiers in downstream tools. If you don’t send the user identifier to downstream tools, those tools (Mixpanel, for example) are useless: you can’t attribute any actions to a user, so it’s impossible to get a view of the buyer journey.
You’re stuck between sending the identifiers and being non-compliant, or not sending them and losing insight.
So how do you square this circle? You have four possible avenues:
1. Turning off analytics
Going lights out is undoubtedly a way to stay HIPAA compliant. If you've been building a data-driven culture, this is also the way to A) lose valuable employees who become frustrated and B) lose the ability to use data to improve visitor and member experience on your site.
Most healthcare systems have spent years building out their reporting to continue providing the best possible experience. Losing that view doesn't just impact morale; losing access to tech tools can directly affect the bottom line. When Tenet Healthcare experienced a cyberattack and was forced to shut off parts of its tech stack, it reported a $100 million unfavorable impact in its Q2 2022 earnings report.
Do this if: you want to make decisions based only on your gut.
Don’t do this if: you think having a more complete view of the visitor journey is imperative to building a world class experience.
2. Rolling your own
This is the first genuine option. You can build custom tracking and integrations for your product. The problem here is the time and cost involved. You need to build separate data pipes for HIPAA-compliant and non-compliant destinations. As Henry Lyford, Director of Engineering at Two Chairs, told us, that’s the cost of a full-time engineer:
"To maintain customer data internally you have to have your own library for tracking events. You need to have a bunch of database tables. You'd have to make your own data to go to some visualization platform, which would be annoying. I could see this being an entire engineer's time."
If you are trying to integrate with analytics, advertising, or marketing tools, this is also the first time a ‘BAA’ might come into the conversation.
A BAA, or Business Associate Agreement, is what you need in place if you are going to pass PHI to a downstream vendor (your ‘Business Associate’ in HIPAA-speak). That might be Mixpanel for analytics, Iterable for marketing, or Facebook for advertising.
A BAA sets out the terms of how a vendor will “implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information.”
Some vendors, such as Hubspot, Google, or Facebook, won’t sign a BAA. Some vendors will, but it is on you to understand what the BAA covers and what it doesn’t. Importantly, their appropriate safeguards and your appropriate safeguards might not be the same. It could be that they say you can send X and Y data but not Z. If you pass them Z and it leads to a violation, that’s on you.
Do this if: you have a specific use case, the engineering resources to support the ongoing work required, and a good understanding of the legal requirements of BAAs.
Don’t do this if: you have a small team and are iterating quickly.
3. Using an alternative analytics tool
Another option is to look for a replacement for Google Analytics. There are countless on-prem solutions and an equal number of analytics tools. But this is a complex change.
If you've invested time and resources deploying Google Analytics, all of that will be lost. You're going to need to reconfigure all of your events. You'll need to rebuild all your reporting. The entire team will need to be trained. And if you have downstream workflows that rely on Google Analytics data, that will all be lost.
The switching costs here will be high, and nobody on your team wants to make a change in the first place.
Do this if: you haven't invested heavily in time and money in Google Analytics.
Don’t do this if: you're happy with the data you get from Google Analytics and really didn't anticipate making a change.
4. Using a tracking technology purpose-built for healthcare like Freshpaint
Google Analytics as a reporting tool isn't the problem. It's the Google tracking technology that can trip you up when it comes to staying HIPAA compliant. Freshpaint replaces Google's unsafe tracking technology with a platform that is safe by default. What we mean by this is that, by default, Freshpaint doesn’t send any data to Google Analytics and masks the user identifiers:
- By default Freshpaint masks user IDs irreversibly so you don’t have to do custom work to send data safely to a destination like Google Analytics where a BAA doesn't exist.
- We give customers the ability to determine which elements are safe to send to destinations. We block data to non-compliant destinations by default, eliminating the risk of accidentally sending PHI and violating HIPAA.
- We give customers the ability to determine which locations are HIPAA compliant (you have a signed BAA) and which aren’t (you don’t have a BAA) - these are your separate pipes
We’ll go through the specifics of these in a moment. Of course, we sign a BAA but we also have a purpose-built product that helps reduce the security footprint, eliminates the need to replace Google Analytics, and reduces costs by eliminating BAAs downstream.
Do this if: you want to still benefit from the data you get from Google Analytics but in a HIPAA compliant way.
How Freshpaint keeps you safe by default
So there are three main components to how we work at Freshpaint. Firstly, we sign a BAA. But this is table stakes. Actual safety and compliance come from our ID Masking and our allowlist-first philosophy:
Instead of eliminating Google Analytics entirely, Freshpaint de-identifies users automatically. This way you can still connect all the points of the user’s journey in GA without revealing who they are.
Our ID Masking is HIPAA compliant. We do this by:
- using cryptographic hashing,
- with a secret key, and
- only sharing information server to server.
You must use a secret key because, as The US Department of Health & Human Services says:
“Code derived from a secure hash function without a secret key (e.g., “salt”) would be considered an identifying element. This is because the resulting value would be susceptible to compromise by the recipient of such data.”
Hashing without a secret key leaves your data susceptible to straightforward lookup attacks: anyone who receives the hashed value can hash the identifiers they already know (emails, names, device IDs) and compare, so the hash is effectively reversible and easily compromised by malicious actors.
So every identifier can have a cryptographically-hashed substitute that can still be used for product, marketing, and analytics purposes, but can’t be used to identify the individual.
Then all data is shared only server to server, so the secret key never leaves the server and is never exposed to the browser or to downstream vendors.
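The HHS point above (an unkeyed hash is still an identifying element, a keyed one is not) is easy to demonstrate. The following is an added example, not Freshpaint's code, and its masking scheme (HMAC-SHA256 under a server-held key) is an assumption about how such an ID mask could be built; the email addresses are constructed sample values. It shows that a recipient holding an unkeyed SHA-256 of an email can recover the email by hashing the addresses it already knows, while the same lookup against an HMAC value without the key finds nothing, and that the keyed mask is still deterministic, so a user's journey can be joined across events.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample identifiers for the demonstration (not real people).
SAMPLE_EMAILS = ["ray.mina@example.com", "alice@example.org", "bob@example.net"]


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier: per HHS this still counts as an identifier."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def masked_id(identifier: str, secret_key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a server-side secret key.
    Hypothetical masking scheme used for this example; same input + same key
    always gives the same output, so downstream tools can still join events."""
    return hmac.new(secret_key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def recipient_lookup(hashed_value: str,
                     known_identifiers: Iterable[str],
                     hash_fn: Callable[[str], str]) -> Optional[str]:
    """Model what a data recipient can do with a hashed identifier: hash every
    identifier it already holds and compare. Returns the match, or None."""
    for candidate in known_identifiers:
        if hmac.compare_digest(hash_fn(candidate), hashed_value):
            return candidate
    return None


def demo():
    """Returns (what the recipient recovers from an unkeyed hash,
                what it recovers from a keyed mask without the key)."""
    # The key lives only on the server and is never shipped to the browser.
    key = secrets.token_bytes(32)
    target = SAMPLE_EMAILS[0]

    # Unkeyed: the recipient knows the hash function, so the lookup succeeds.
    recovered = recipient_lookup(unkeyed_hash(target), SAMPLE_EMAILS, unkeyed_hash)

    # Keyed: without the key the recipient cannot compute candidate values,
    # so comparing against plain hashes of known emails finds nothing.
    not_recovered = recipient_lookup(masked_id(target, key), SAMPLE_EMAILS, unkeyed_hash)
    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())  # ('ray.mina@example.com', None)
```

The design point is that the security of the mask rests entirely on the key staying server-side: if the key were embedded in a browser snippet, every recipient of the page could compute the same lookup as in the unkeyed case.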
Allowlists are safer because the default is that nothing happens: no data is sent to non-compliant destinations until you explicitly permit it. Allowlists aren’t just at the integration level; they are at the event, user, and group level. This requires a little more initial setup, but gives a lot more peace of mind downstream.
Manually filtering out data you don’t want to send to non-compliant destinations puts your team at risk of mistakes. Freshpaint blocks data to those non-compliant destinations by default.
First, you select the destinations that have BAAs. Then you select the events and traits that can be sent to non-HIPAA-compliant destinations. As every data point comes in, Freshpaint will screen the data, then:
- For non-compliant destinations, Freshpaint will block PHI metadata and only send masked identifiers.
- For HIPAA-compliant destinations, properties can be sent as usual.
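The screening step described above can be modelled as a small routing function. This is an added example, not Freshpaint's code: the destination table, the allowlist, the identifier fields, and the sample event are all constructed for illustration, and identifier masking is assumed to be HMAC-SHA256 under a server-held key. Two defaults matter for safety and are handled explicitly: any property not on the allowlist is dropped for a destination without a BAA, and a destination that is missing from the configuration is treated as having no BAA (fail closed) rather than passing PHI through.

```python
import hashlib
import hmac
from typing import Any, Dict

# Hypothetical destination configuration: which downstream tools have a signed BAA.
DESTINATIONS = {
    "warehouse": {"has_baa": True},   # BAA in place: the compliant pipe
    "analytics": {"has_baa": False},  # no BAA: the non-compliant pipe
}

# Properties explicitly allowlisted for destinations WITHOUT a BAA.
ALLOWED_WITHOUT_BAA = {"event", "timestamp", "page_title"}

# Identifier fields that are replaced by a masked value for non-BAA destinations.
MASKED_IDENTIFIERS = {"userId"}

# Constructed sample event (not real data); includes several of the identifiers
# discussed above: name, email, city, latitude.
SAMPLE_EVENT: Dict[str, Any] = {
    "event": "Page Viewed",
    "timestamp": "2023-01-05T12:00:00Z",
    "userId": "user_123",
    "email": "ray.mina@example.com",
    "name": "Ray Mina",
    "city": "San Francisco",
    "latitude": 37.77,
    "page_title": "Appointment booking",
}


def mask(identifier: str, secret_key: bytes) -> str:
    """Keyed hash of an identifier (HMAC-SHA256); key stays server-side."""
    return hmac.new(secret_key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def screen(event: Dict[str, Any], destination: str, secret_key: bytes) -> Dict[str, Any]:
    """Return the payload that may leave for `destination`.

    BAA destinations receive the event unchanged. Everything else gets only the
    allowlisted properties plus masked identifiers; unknown destinations are
    treated as non-BAA so a configuration gap cannot leak PHI."""
    config = DESTINATIONS.get(destination, {"has_baa": False})
    if config["has_baa"]:
        return dict(event)

    out: Dict[str, Any] = {}
    for key, value in event.items():
        if key in MASKED_IDENTIFIERS:
            out[key] = mask(str(value), secret_key)
        elif key in ALLOWED_WITHOUT_BAA:
            out[key] = value
        # Any other property (email, name, city, latitude, ...) is blocked by default.
    return out


def route(event: Dict[str, Any], secret_key: bytes) -> Dict[str, Dict[str, Any]]:
    """Screen one incoming event for every configured destination."""
    return {name: screen(event, name, secret_key) for name in DESTINATIONS}


if __name__ == "__main__":
    import json
    print(json.dumps(route(SAMPLE_EVENT, b"server-only-secret-key-000000000"), indent=2))
```

Because the allowlist is a set of names the team has reviewed, adding a new property to the tracking snippet does not silently start flowing to the non-BAA pipe; it is blocked until someone adds it to `ALLOWED_WITHOUT_BAA`. That is the practical difference between an allowlist and the manual filtering approach above.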
Choosing the right solution
Depending on your resources, there are several ways to stay HIPAA compliant. But if you want to keep using Google Analytics and stay safe by default, Freshpaint is your best choice.
If you want to see how Freshpaint replaces Google's tracking technology and makes Google Analytics HIPAA-compliant and reduces your security footprint, reach out to set some time with one of our product experts.