Google Analytics vs Matomo For HIPAA Compliance
Healthcare providers are in a difficult position when it comes to analyzing their users’ behavior online and using that to produce better experiences. Because their platforms contain so much sensitive data in the form of PHI, they’re much more restricted in what they can do with data than other marketing or product teams.
This directly impacts the tools they are using. Healthcare providers using tools that aren’t HIPAA-compliant, like Google Analytics, have found themselves in a tough spot since HHS released its latest guidance on tracking technologies. The use of out-of-the-box Google Analytics installations puts them at risk due to the collection of personal identifiers and health information. Google’s tracking technology sends PHI to its servers, and Google won’t sign a BAA to bring them into compliance. If you are using the vanilla installation, you are probably in violation of the HIPAA Privacy Rule.
This is where the demand for an alternative like Matomo comes into play. By bringing the software on-premise, they promise a compliant alternative for web analytics at healthcare companies. However, there are some downsides with making the switch. Let’s take a look at the difference between Google Analytics and Matomo.
The differences between Google Analytics and Matomo
Matomo puts considerable emphasis on controlling your data and keeping data private. But to do that, you must switch from a hosted solution to an on-premise one. We’ll get into that more later.
With Google Analytics, you don’t control your data as it is always on Google’s servers. All your data is stored and processed on their servers. They want access to collect as much data from your visitors as possible to continue feeding their incredibly successful ad business with user data. Google Analytics would be okay to use if they signed a BAA, but they won’t.
Matomo’s main cloud-based service also uses its servers to store and process your data. That version of Matomo, like Google Analytics, is not HIPAA-compliant (they won’t sign a Business Associate Agreement, BAA, to use this service).
Instead, you must use the open-source Matomo on-premises solution to be HIPAA compliant. This is the only way to completely control your data with Matomo. This version is open source and free (in contrast to the Piwik Pro on-premises version, which isn’t free).
From a broader perspective, Matomo has features for analyzing the complete customer journey, including cohorts, conversions, heatmaps, testing, and funnels.
But Matomo has some things that could be improved, especially for large healthcare providers or hospitals with high data volumes.
Reporting
Reporting is an Achilles heel for Matomo.
The first limitation is around using unique visitor accounts. Matomo can only support this for websites with low traffic; even then, it’s limited on which reports it can be used for. Matomo might be a better fit for small businesses than healthcare providers with healthy website traffic looking for more of an enterprise-grade solution.
Matomo also lacks support for calculated metrics. Maybe you want to understand the conversion rate of your visitors. You won’t be able to set up a reporting function for conversions divided by visitors to produce this metric in Matomo.
Matomo is very slow at generating reports for medium to high-traffic sites due to its MySQL database. If you’re used to generating reports in Google Analytics on the fly, the additional preprocessing wait time in Matomo will be painful. This is further evidence that Matomo is designed for small businesses rather than large healthcare providers.
You can’t customize default reports; nearly 80% of default reports are missing data visualizations. Additionally, setting up dashboards is extremely limited. You can only choose from a limited number of preset templates, and the dashboards can only consist of pre-made widgets.
Another significant limitation of Matomo is the inability to apply segments to individual widgets in a dashboard. You have to use the same segment for the entire dashboard!
Lack of Support
Matomo also offers little support. For healthcare providers facing a significant change and all the implementation costs that go with it, they’ll be left on their own with Matomo. Given its limitations and its difference from Google Analytics, we anticipate incredibly high switching costs.
How Matomo handles HIPAA compliance
Matomo is up-front about their cloud hosting solution not being HIPAA compliant. They won’t sign a BAA for their main product. This really puts them in the same position as Google Analytics.
This means that to use Matomo for healthcare, you must use their on-premises option. They market this version as HIPAA compliant. But what this really means is that Matomo itself isn’t being HIPAA compliant; you are. You must build and maintain your on-premises infrastructure in a specific way to be HIPAA compliant. Matomo is part of that, but not the only part. You must have critical features such as these in place for your infrastructure to be compliant:
- Have backups and recovery options for your data
- Have audit and change logs for your data and users
- Secure encryption of your data at rest and in transit
Matomo never stores or processes your data–it is entirely up to you. You’re going to get control of your data but that’s going to come at a cost that we’ll cover below.
The drawbacks of an on-premises solution
As Matomo’s only answer to HIPAA compliance is the self-hosted option for their platform, you have to consider the setup and maintenance of self-hosting when evaluating this solution.
On the surface, this seems like a great option. You control all your data and who you share it with. But once you start to consider what is needed to use this solution at scale, it becomes more complicated:
- You will have upfront expenses and setup costs: You can download the Matomo on-premises version for free. But to run it, you will have to set up and pay for your own servers, server racks, UPSes, and networking hardware. On top of that, you’ll also need all the software to run all of this hardware in-house. You may also have to hire consultants or temporary IT staff to set up.
- You will have ongoing maintenance and updates: With cloud-based offerings, all updates are taken care of automatically. This isn’t true of on-premises software. You will have to make sure all software is patched regularly (both Matomo and all your server and networking software). You’ll also have maintenance for the hardware. You may have to have full-time IT staff for this.
- You will have to scale it yourself. As your software isn’t sitting on VMs in an AWS data center that are easy to spin up and down as needed, you will have to deal with any scaling yourself. This will mean more servers, racks, and other hardware, as well as higher power and networking costs.
- You will have to deal with securing your data. The good part of on-prem solutions is that you are in control of all your data. The bad thing about on-prem solutions is that you are in control of all your data. You are responsible for securing the data at-rest and in-transit and making sure that there are no security breaches or holes in your databases. Again, to do this right requires full-time IT staff specializing in data security.
- You will be responsible for backups and recovery. Your databases will need to be backed up regularly (depending on your size, this could be every day or even every hour) to make sure you aren’t losing data. You need to develop backup systems, redundancy, and testing, along with procedures for recovering data if something happens (which, given you are building your own data center, is more likely).
- You can’t move your data: On-premises means just that–you are restricted in how you can expand and how you can access your data. Opening up tunnels for remote access for a remote team causes security issues that you then have to consider. On-prem usually means that your entire data, IT, and security teams have to be on-site as well.
This might still work for you. If you already have some of this set up for other reasons, adding a tracking option to your on-premises platform should be easier. But if you are starting from scratch, this is a considerable project with considerable cost.
The costs of Matomo HIPAA Compliance
So let’s talk about the costs. There are three types of costs associated with setting up an on-premises solution with Matomo.
The literal costs
Google Analytics is free. This is, of course, part of the problem. If you aren’t paying, you’re the product. Google wants to track the data across all sites on the web for better advertising.
The Matomo on-premises solution is also free. You can download it and install it for free today. But anything beyond the basic functionality is extra. Support, logs, performance, funnels, flows, heatmaps, A/B testing, forms, roll-ups, web vitals, conversion exports, cohorts, and SAML all cost. If you want the full functionality from the platform, you are going to be spending at least $3,000 per year.
The switching costs
Switching costs are what you’re going to pay to set up the full Matomo experience in a HIPAA-compliant way on-premises. We can split these into four categories:
- The software costs: free for the basic up to $3k+ depending on your needs
- The hardware costs: These are what we mentioned above. For an on-premises solution you effectively need a data center setup on-premises. You need the servers, the racks, the cooling, and the power supplies (and all the software). Then you have the added costs from your additional networking and power.
- The team costs: You will need people to run this. At least one network administrator to keep it up and running. Probably consultants or interim team members to get it entirely set up and implement updates and maintenance as needed.
- The downstream costs: As your data is now coming from a new source, you’ll also need to re-instrument all your pages or products and update all of your follow-on analyses. You’ll need extra engineering time from your core product team to redo all their previous work and extra time from your data team to redo all their previous work.
The sunk costs
And all your previous work will be thrown out the window. This doesn’t just mean the instrumentation of your product or all the dashboards or flows you have built upon your data. It also means the data itself. Your new data won’t accord with your previous GA data, so everything from before the switch will effectively be useless as it’s no longer comparable to your incoming data. Historical analysis won’t be an option.
You don’t need on-prem
Ideally, you don’t want to make this switch. It would be ideal if you could just continue to use Google Analytics as before but in a HIPAA-compliant way.
You can. Although the basic implementation of Google Analytics isn’t viable for HIPAA compliance, you can use Freshpaint to manage your user data. To do this, all you have to do is replace your current Google Analytics tracking code with Freshpaint.
Your data will then initially be sent to Freshpaint’s BAA-protected platform instead of directly to Google.
Freshpaint then allows you to:
- Not share any personal identifiers with Google Analytics. Personal identifiers + health information are what result in HIPAA violations.
- Set an allowlist for data to be sent on to Google. By default, no data is sent on to Google. Instead, you have to manually identify the events and data that can be sent on. This makes sure you are never sending PHI to Google.
- Continue to see web activity in Google Analytics and continue to use the rest of your analytics pipeline built on GA.
This is a HIPAA-compliant pipeline that you can set up today and that will see no interruption to your pipeline. Watch the video below to learn how Columbus Regional Health continued using Google Analytics in a HIPAA-compliant way.
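The default-deny allowlist described in the list above, sketched as an added JavaScript example (not Freshpaint's code or configuration format; the event names, property names and function names are hypothetical). Only allowlisted events are forwarded, only their allowlisted properties survive, and identifier keys are dropped even when the allowlist is misconfigured.

```javascript
// Added illustration of default-deny event forwarding. All names are hypothetical.

// Event name -> the only properties permitted to be sent on to the analytics vendor.
const ALLOWLIST = {
  page_view: ["path", "referrer_host"],
  appointment_form_started: ["path"],
};

// Keys treated as personal identifiers: never forwarded, even if allowlisted by mistake.
const IDENTIFIER_KEYS = new Set(["email", "phone", "ip", "user_id", "name", "device_id"]);

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Query strings and fragments often carry search terms or form values, so drop them.
function stripQuery(path) {
  return String(path).split(/[?#]/)[0];
}

// Returns the sanitized event to forward, or null when the event is not allowlisted.
function filterForForwarding(event, allowlist = ALLOWLIST) {
  if (!has(allowlist, event.name)) return null; // default: nothing is sent
  const source = event.properties || {};
  const out = { name: event.name, properties: {} };
  for (const key of allowlist[event.name]) {
    if (IDENTIFIER_KEYS.has(key) || !has(source, key)) continue;
    out.properties[key] = key === "path" ? stripQuery(source[key]) : source[key];
  }
  return out;
}

// Constructed sample events (not real data).
const SAMPLE_EVENTS = [
  { name: "page_view",
    properties: { path: "/conditions/diabetes?q=insulin+cost", email: "pat@example.com", ip: "203.0.113.7" } },
  { name: "appointment_form_submitted", // not allowlisted: dropped whole
    properties: { path: "/book", reason: "oncology consult", phone: "555-0100" } },
  { name: "appointment_form_started",
    properties: { path: "/book", user_id: "u-123" } },
];

function forwardable(events, allowlist = ALLOWLIST) {
  return events.map((e) => filterForForwarding(e, allowlist)).filter((e) => e !== null);
}

console.log(JSON.stringify(forwardable(SAMPLE_EVENTS), null, 2));
```
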