If you work in an industry, such as healthcare or medical insurance, which is covered by HIPAA regulations then there are limits around what data you can share and with who. However PostHog doesn't see any of your data and can be self-hosted on your existing infrastructure, making it the most HIPAA compliant product analytics platform available.
In this article I'll explain what HIPAA is, what data must be protected and what your options are for HIPAA compliant analytics - or you can get started with PostHog today.
HIPAA is the Health Insurance Portability and Accountability Act. It’s a piece of legislation that applies to certain covered entities operating in the United States of America (e.g. healthcare providers).
A key goal of this legislation is to “assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being.”
In other words, it stops anyone from using or sharing a persons data improperly.
The consequences of violating HIPAA are severe. It can lead to fines of over $1M and prison sentences of up to 10 years for the most egregious violations.
Data which is protected under HIPAA is called Protected Health Information (PHI), or ePHI if it exists specifically in electronic format. It includes any identifying information related to a past, present or future health status. That includes individual diagnoses, medical test results and prescription info, as well as birthdays, gender, ethnicity and contact information.
In short, any information which is tied to a specific individual can be considered PHI, from their social security number or license plate number to photos, emails, URLs or formal medical information.
Most product analytics tools require you to send your captured user data to a third party system where the data is stored outside of your control. This is a problem under HIPAA, but there are two common ways to remain compliant:
- Anonymize the data: This involves either removing all traces of protected health information, including but not limited to email addresses, phone numbers, IP addresses, URLs etc., or following an expert determination to limit the data shared in such a way that the statistical risk of identifying an individual is mitigated.
- Sign a Business Associate Agreement (BAA): This is essentially a contract with your provider that ensures they are compliant and jointly liable for the protection of your data.
There are downsides to these two solutions:
- Anonymization: You can easily limit the data so much that it becomes meaningless and makes it impossible to perform standard and critical analyses of your product and users. There's no point reducing the data to an unusable state.
- Business Associate Agreement: Business Associate Agreements are often expensive and/or require you to pay for a higher tier of product than you actually require.
PostHog offers a third approach without either of these downsides: hosting the product analytics systems yourself.
PostHog is different from most other product analytics tools such as Mixpanel or Amplitude because it enables you to self-host on your own infrastructure and maintain full control of the data.
This means you don't need to anonymize the data, nor do you need to set up a Business Associate Agreement with PostHog because you never need to send any Protected Health Information (PHI) to us in the first place. The data stays on your systems, in its original form.
You may need to sign a BAA with your hosting provider, but major providers such as Google and AWS offer these for free.
The short answer is no, Google Analytics is not compliant with HIPAA for either Covered Entities or Business Associates. Nor are some other Google tools, such as Google Optimize.
As a web analytics service, Google Analytics is great for tracking high-level traffic metrics such as pageviews, but lacks deeper product analytics tools such as feature flags and session recording.
Google does offer some measures to avoid capturing personally identifiable information, it also issues an explicit HIPAA disclaimer:
"Unless otherwise specified in writing by Google, Google does not intend uses of Google Analytics to create obligations under the Health Insurance Portability and Accountability Act, as amended, (“HIPAA”), and makes no representations that Google Analytics satisfies HIPAA requirements. If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google."
We recommend hosting PostHog on your own infrastructure. If you’re leveraging a private cloud you will need a Business Associate Agreement with your provider first. These are commonly and easily available with services such as Amazon Web Services, Google Cloud Platform, Microsoft Azure and many more, often for free.
When setting up a PostHog instance we strongly recommend that you use HTTPS to secure data in transmission, whether or not your instance has access to the wider internet. We also have a guide for securing PostHog which you should follow to further protect your instance.
We also strongly recommend that you limit access to PostHog and the infrastructure it is deployed on only to people who are authorized and need to access the data, including shared dashboard links. Although aggregate data in dashboards should not contain PHI, it may be possible for malicious users to infer PHI unless it is evaluated thoroughly via expert determination.
We also strongly advise caution when installing, building and enabling plugins for your PostHog instance. Plugins are a great way to share and augment data from your instance with other systems, but it’s essential to ensure you have the proper controls (e.g. BAA, anonymization or self-hosting) in place when sharing PHI outside of your self-hosted PostHog instance.
We believe the most effective solution to HIPAA-compliant product analytics is to control the data yourself. That's why we recommend using the self-hosted versions of PostHog. As such, we do not offer a Business Associate Agreement (BAA) for PostHog Cloud.
PostHog is an open source product analytics tool which enables teams to build better products faster without sharing their user data with third parties.Try PostHog for free today or schedule a demo to learn more.