

HIPAA analytics solution

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have warned healthcare providers about privacy and security risks related to the use of online tracking technologies that could be disclosing sensitive, personal health data to third parties.

This warning has raised concerns about Google Analytics, which is the standard method of tracking the performance of websites.

Coffey is addressing this concern by developing a server-side tracking option for clients who want greater control over what data is sent to Google Analytics.

How does server-side analytics work?

With a typical Google Analytics setup, data flows directly from the website to Google Analytics. There’s no way to control what data is sent to Google Analytics.

Server-side analytics uses Google Tag Manager (GTM) to add a layer to the data collection chain. With this approach, data passes through an app engine within a Google Cloud server, where it is processed to remove sensitive data such as personal information (PI) and protected health information (PHI).

What’s the benefit of server-side analytics?

Server-side analytics gives you control over what data is gathered about your website visitors. With this setup, you may continue using Google Analytics for your reporting instead of turning off data completely or moving to a different (and potentially expensive) solution.

How much data does Google receive?

With this approach, Google Analytics has access to only the data you allow to pass through, so sensitive information would not be gathered.

In addition, Google Tag Manager and Google Cloud don’t store any data. The server is a transformation layer only. Data passes through it but does not live there. Similarly, Google Tag Manager provides the server with instructions for how to modify the data, but it does not store data.

Do clients have Business Associate Agreements (BAA) to protect their data?

Yes. Clients have BAAs with Coffey, and Coffey has a BAA with the Google Cloud Server. This permits Coffey to use your data and to pass your data through to the Google Cloud Server.

What about HIPAA?

Server-side tracking was created with an eye toward compliance with HIPAA, but your team and Coffey will need to work together to safeguard data.