
Switching to HIPAA-compliant data collection is a learning process. We’ve shepherded several of our clients through this critical transition. Here’s what to know.
Given the legal complexity of healthcare analytics today, and the risks associated with collecting PHI (Protected Health Information) and PII (Personally Identifiable Information), your health system needs a structured, compliant, and careful approach to collecting user data across your digital experiences. There are a lot of options out there, and we know that switching tools and processes requires a good deal of change management. All that considered, it's important to follow a deliberate process to choose the right data analytics solution for your health system.
To do this, you’ll need to look beyond feature checklists and focus on listening to the needs of your end users, technical teams, marketers, and compliance stakeholders. Only then can you start to evaluate analytics solutions against your technical requirements—looking not just at capabilities, but how well they fit within the ecosystem and risk posture.
Compliant Data Collection
At Modea, we define two main categories of HIPAA- and PHI-compliant data analytics solutions: analytics platforms and compliance layers.
Analytics platforms
These are your core analytics engines, designed to track behavior, measure outcomes, and provide reporting. They differ in implementation complexity and support, but all aim to deliver first-party insights. They come in two forms: vendor-hosted or cloud solutions, where the vendor signs a Business Associate Agreement (BAA) with the covered entity (the health system) and thereby takes on contractual obligations to safeguard any PHI it handles; and self-hosted, open-source platforms, where no analytics vendor signs a BAA and the health system itself remains responsible for securing the data (including a BAA with whichever provider hosts it).
Compliance layer
This approach manages compliance differently, using Customer Data Platforms (CDPs) as intermediaries. The intermediary, which must itself operate under a BAA, collects behavioral data, strips out identifiers (IP addresses, user and client IDs, and any PHI carried in URL paths, query strings, or form inputs), and forwards only the sanitized data to your downstream analytics platforms. This makes it possible to use tools like Google Analytics or ad platforms, for which no BAA is available, without ever sending them PHI.
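To make "strip out identifiers" concrete, here is an added example of the kind of sanitization a compliance layer applies to each event before forwarding it. It is illustrative Python written for this page, not Modea's code or any CDP vendor's implementation. The event field names, the allow-list of safe query parameters, the pseudonymisation key, and the sample event are all assumptions constructed for the example.

```python
"""Illustrative compliance-layer event sanitizer (added example, not any vendor's code)."""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: fields that are direct identifiers and never leave the compliance layer.
DIRECT_IDENTIFIER_FIELDS = {"ip", "user_id", "email", "phone", "client_id"}

# Assumption: an allow-list of query parameters known to be safe to forward.
# An allow-list is used deliberately: a deny-list misses parameters nobody anticipated.
ALLOWED_QUERY_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "lang"}

# Assumption: a per-deployment secret so the session id can be pseudonymised with an
# HMAC (downstream tools can still stitch a session, but cannot reverse the value).
PSEUDONYM_KEY = b"example-only-rotate-me"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
NUMERIC_PATH_SEGMENT_RE = re.compile(r"/\d+(?=/|$)")


def scrub_url(url: str) -> str:
    """Keep scheme, host and path; replace numeric path ids; drop non-allow-listed params and the fragment."""
    parts = urlsplit(url)
    path = NUMERIC_PATH_SEGMENT_RE.sub("/:id", parts.path)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k in ALLOWED_QUERY_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), ""))


def scrub_text(text: str) -> str:
    """Redact email addresses and phone numbers that users type into free-text fields."""
    text = EMAIL_RE.sub("[email]", text)
    return PHONE_RE.sub("[phone]", text)


def pseudonymise(value: str) -> str:
    """Keyed hash of an identifier; stable within a deployment, not reversible downstream."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def sanitize_event(event: dict) -> dict:
    """Return a copy of the event that is safe to forward to a tool without a BAA."""
    out = {}
    for key, value in event.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped entirely
        if key == "session_id":
            out[key] = pseudonymise(value)
        elif key in ("page_url", "referrer"):
            out[key] = scrub_url(value)
        elif key == "form_fields":
            # Field names are useful for funnel analysis; typed values never are forwarded.
            out[key] = {name: "[redacted]" for name in value}
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample event (not real traffic) showing the places PHI typically hides.
SAMPLE_EVENT = {
    "event": "form_submit",
    "ip": "203.0.113.7",
    "session_id": "sess-8f1c",
    "page_url": "https://example-health.org/portal/patient/48213/refill?rx=ABC123&utm_source=email",
    "referrer": "https://www.example.com/search?q=jane+doe+oncology",
    "form_fields": {"dob": "1970-01-01", "insurance_id": "XYZ-99"},
    "search_term": "call me at 555-123-4567 or jane@example.org",
    "timestamp": 1700000000,
}

if __name__ == "__main__":
    print(sanitize_event(SAMPLE_EVENT))
```

The point of the example is where PHI actually shows up in ordinary web analytics events: not only in obvious fields like IP and email, but in a patient id embedded in a URL path, a prescription number in a query string, a name in a referrer's search query, and the values users type into forms. A compliance layer that only drops the obvious fields is not enough; when you evaluate one, ask specifically how it handles paths, query strings, referrers and form inputs.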
Deciding Your Measurement Strategy
While you’re rethinking and retooling your approach to data analytics, another critical decision point is setting your measurement strategy. You’ll want to consider how to collect user data in a way that best serves your internal stakeholders and teams, organizational needs, and existing technology stack. There are two leading approaches to measurement that we’ll outline.
- Auto-capture
Analytics auto-capture platforms automatically collect everything (clicks, pageviews, form fills) without requiring manual tagging.
Auto-capture means faster setup, lower maintenance, and more flexibility for exploratory analysis. But it also comes with risks, including data overload, potential gaps in quality, and more effort needed to clean and interpret the results. In a healthcare context, "everything" includes form field values, URL paths and query strings, and search terms, any of which can carry PHI, so confirm how the platform masks inputs and scrubs URLs before you turn it on.
- Precision tracking
Precision tracking is a more curated approach where you define exactly what gets tracked and why (GA4 is an example of this). While it requires more upfront effort, coordination with developers, and ongoing maintenance, it can lead to cleaner data with tighter alignment to KPIs.
Neither approach is inherently better—it really depends on your team’s capacity and how much flexibility you need.
Narrowing Down Solutions: A Case Study
We recently helped a large health system rethink their analytics strategy, both to ensure they were gathering insights consistently across the whole organization and to be HIPAA compliant.
To make sure we recommended a solution that didn’t just look good on paper, but would meet their real-world needs, we talked to several groups of stakeholders, including team members from analytics, IT, marketing, and legal and compliance. We also interviewed end users within departments across the health system, as they are the individuals who will work with the tool in their day-to-day roles.
We started with a broad list of 22 platforms, and after talking with stakeholders and studying solutions, we eliminated many of them based on cost, requirements, and organizational security and compliance needs. Then, we created a scorecard to evaluate each option against consistent criteria:
- Data requirements
- Analytics capabilities
- Data management
- Reporting and dashboarding features
- Product support
- Data governance
- HIPAA posture and security
- Total cost of ownership
- User experience
We evaluated an analytics auto-capture solution, an analytics precision solution, and a compliance layer.
To fairly assess the compliance layer, we used GA4 as a control case. Using Google Analytics not only allowed us to compare platform solutions to compliance layer solutions, but also helped us evaluate how the analytics experience would likely differ from our client’s previous experience with Google Analytics.
Pros and cons of compliant solutions
After we finished our scorecard exercise, we facilitated demos with vendors of the platforms we wanted to explore more. We highly recommend this, because it helped us see the pros and cons more clearly.
Analytics auto-capture
| Pros | Cons |
| --- | --- |
| User friendly | Analytics-only, so some features are lost |
| Advanced analytical capabilities, including AI-enabled features | Only basic ad integrations |
| Easy to implement and start data collection ASAP | |
| Robust onboarding offerings | |
| Data governance | |
| Value for what it offered | |
Compliance layer
| Pros | Cons |
| --- | --- |
| Streamlined BAA processes | GA4 dependent |
| Advanced ad integration | Less documentation and support; higher support requirements |
| Good future potential | Perceived value not as strong |
| Strong integration capabilities | |
Ultimately, for this client, we recommended the analytics auto-capture solution. We are now working with them to implement the solution across their complex health system, including configuring tracking, creating dashboards, and setting up exports to the enterprise data warehouse.
Takeaways: Choosing a Compliant Analytics Solution
Along the journey of working with our client to define and implement a HIPAA- and PHI-compliant solution to collecting user insights, we learned some key lessons.
- There’s no one-size fits all solution. For example, depending on whether you have a centralized or decentralized ecosystem, you may come up with a very different solution.
- Tradeoffs are inevitable. Be honest with your end users about what will change and why.
- Know your warehouse strategy. Google Analytics is not covered by a BAA, so any data flowing from it into a warehouse must already be free of PHI, and the warehouse itself needs to sit with a vendor that will sign a BAA. Think carefully about finding the right vendor for this.
- Beware of quick fixes without long-term vision; you can wind up having to backtrack. If you skip the step of talking to stakeholders (or don’t talk to the key groups), it can lead to surprises and roadblocks.
- Be honest about where you are in your analytics journey. For example, academic medical centers tend to be on a different trajectory than regional health systems. You need foresight to know what might be ahead, so you don't outgrow your solution. But you also don't want to pay for what you aren't likely to need.
- After selecting your platform, have a plan for implementation. Even working with the best tool will be a frustrating experience without a solid plan to activate it.
The right data analytics solution should meet your current needs while leaving room for growth. A deliberate, well-informed approach can help ensure today’s decisions remain effective well into the future.