Introduction: From Nursing to Numbers

Hi, I'm Jess. My journey into tech started in an unexpected place: nursing school. Back in 2002, while working at a hospital, I found myself managing a legacy email server—and that experience sparked my fascination with technology and data privacy. Since then, I've gone from managing servers to strategic planning and marketing development. Today, I work at Portland Labs, the creators of Concrete CMS, helping organizations—from the US Army to medical practices—build secure, flexible websites.

So let’s get into it: what does effective analytics look like in a post-Google world? And how do we do it in a way that respects privacy, stays compliant with HIPAA, and builds trust?

Why Data Privacy in Healthcare Matters

HIPAA—the Health Insurance Portability and Accountability Act—exists to protect sensitive data: personally identifiable information (PII) and protected health information (PHI). In healthcare, breaches of this data don’t just cost money (the average incident runs around $7 million), they cost trust. As marketers and technologists, we can’t afford to get this wrong.

When Does HIPAA Apply to a Website?

Not every healthcare-related site needs HIPAA compliance. Here’s a simple rule:

  • If your site collects, stores, processes, or transmits PHI (like appointment forms, prescription refills, or patient portals), you must be HIPAA-compliant.
  • If your site is purely informational—like WebMD or a basic clinic brochure site—you’re off the hook.

But many healthcare websites fall somewhere in between. And that gray area is where risk lives.

Real-World Wake-Up Calls

In 2023 alone, there were 725 healthcare data breaches impacting 133 million people. The Change Healthcare breach in 2024? It exposed the data of 100 million Americans in a single incident.

These aren’t abstract numbers. They represent people who now think twice before trusting healthcare providers with their information.

Google Analytics: A No-Go for HIPAA

Let’s be clear: Google Analytics is not HIPAA compliant. Why?

  • Google won’t sign a Business Associate Agreement (BAA).
  • Google Analytics can inadvertently collect PHI.

If you’re using Google Analytics on a site that processes PHI, you’re playing with fire. And HIPAA fines are not a slap on the wrist.

Enter Matomo: Privacy-First Analytics

Matomo is an open-source, self-hosted analytics platform that puts privacy first. It offers:

  • Full data ownership (your data stays on your server)
  • Built-in privacy controls (like IP anonymization and customizable retention policies)
  • Support for BAAs and other regulatory needs

It gives you the insights you need without the risk.

How to Configure Matomo for HIPAA Compliance

  1. Anonymize IP Addresses: Mask the last two bytes of each visitor's IP address so the stored address no longer identifies an individual.
  2. Encrypt Data in Transit and at Rest: Use SSL/TLS for all connections and encrypt your database or server disk.
  3. Configure Data Retention: Set limits for how long you store data, and regularly purge old logs.
  4. Honor Do Not Track Settings: Respect user preferences and provide opt-out options.
  5. Train Your Team: Compliance isn’t just IT’s job. Everyone, especially marketers, needs to understand what data is being collected and why.
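As an added illustration (not code from the talk, from Portland Labs or from Matomo), the following Python audit applies steps 1, 3 and 4 to constructed visit-log rows: it checks that stored IPs are masked, that rows sent with Do Not Track were never recorded, that page URLs carry no PHI-like query parameters, and that rows past the retention window are flagged for purge. The `SENSITIVE_PARAMS` denylist, the 180-day window, the /64 rule for IPv6 and the sample rows are this example's own assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed denylist (an assumption of this example): query keys that would carry PII/PHI into the log.
SENSITIVE_PARAMS = {"email", "name", "dob", "patient", "mrn", "diagnosis"}

def anonymize_ip(ip: str, mask_bytes: int = 2) -> str:
    """Step 1: zero the trailing bytes. IPv4 zeroes `mask_bytes` octets; for
    IPv6 this example keeps only the /64 prefix (the example's own rule)."""
    addr = ipaddress.ip_address(ip)
    keep_bits = 32 - 8 * mask_bytes if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{keep_bits}", strict=False).network_address)

def should_track(headers: dict) -> bool:
    """Step 4: a request sent with 'DNT: 1' must not be recorded at all."""
    return headers.get("DNT", "").strip() != "1"

def phi_params_in_url(url: str) -> list:
    """Sensitive query keys present in a stored page URL."""
    return sorted(k for k in parse_qs(urlsplit(url).query) if k.lower() in SENSITIVE_PARAMS)

def due_for_purge(visit_time: datetime, now: datetime, retention_days: int) -> bool:
    """Step 3: rows older than the retention window must be deleted."""
    return now - visit_time > timedelta(days=retention_days)

def audit(visits, now, mask_bytes=2, retention_days=180):
    """Walk stored visit rows and report each way a row violates the policy."""
    findings = []
    for visit_time, ip, url, headers in visits:
        if not should_track(headers):
            findings.append((url, "dnt_not_honored"))
        if anonymize_ip(ip, mask_bytes) != ip:
            findings.append((url, "ip_not_masked"))
        if keys := phi_params_in_url(url):
            findings.append((url, "phi_in_url:" + ",".join(keys)))
        if due_for_purge(visit_time, now, retention_days):
            findings.append((url, "retention_exceeded"))
    return findings

# Constructed visit rows: (timestamp, stored IP, page URL, request headers).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_VISITS = [
    (NOW - timedelta(days=3), "203.0.0.0", "https://clinic.example/hours", {}),
    (NOW - timedelta(days=3), "203.0.113.47",
     "https://clinic.example/refill?mrn=4471&drug=metformin", {"DNT": "1"}),
    (NOW - timedelta(days=400), "2001:db8:85a3::", "https://clinic.example/contact", {}),
]

if __name__ == "__main__":
    print(*audit(SAMPLE_VISITS, NOW), sep="\n")
```

Only the first sample row passes cleanly; the refill request is flagged three times (recorded despite DNT, unmasked IP, medical record number in the URL) and the old contact-page row is flagged for purge.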

The Role of Cookies and Pixels

Cookies and tracking pixels are powerful, but they can also be risky. Tools like Cookie Search help audit what’s being stored. Be transparent, log everything, and review it with your marketing team.

PII vs. PHI: Know the Difference

  • PII: Names, emails, IP addresses. Identifies someone.
  • PHI: Medical records, prescriptions, claims. Identifies someone and relates to health.

Both require protection, but PHI is under stricter regulation.

Common Threats to Healthcare Data

  • Phishing: Fake emails tricking staff into giving up credentials.
  • Hacking: Exploiting unpatched systems or weak passwords.
  • Human Error: Misconfigurations, files shared with the wrong recipients, and similar mistakes.

The solution? Boring stuff: updates, access controls, encryption. But boring is what keeps you compliant.

The Takeaway

HIPAA compliance isn’t just legal red tape. It’s the foundation of trust in healthcare. By using tools like Matomo, configuring them correctly, and involving your entire team, you can:

  • Protect patient data
  • Stay compliant
  • Build credibility

In a world where even a 12-year-old sees cybersecurity as "boring," it’s our job to make sure the boring stuff gets done right.

Final Words

Thanks for joining me. If you’re in marketing, IT, or somewhere in between, know this: privacy-first analytics is not only possible, it’s essential.

Special thanks to Leisa, our Data Protection Officer at Portland Labs, and our IT team who keep us on track. Want help setting this up? Let’s talk.
