Google Analytics vs Piwik For HIPAA Compliance
As healthcare marketing teams become wise to the problems tracking technologies cause for HIPAA compliance, more and more of them are starting to look for safe versions of their tools.
When it comes to web analytics, one option is Piwik Pro. Piwik Pro is positioning itself as an alternative to Google Analytics. Focusing on privacy as a selling point, Piwik Pro’s Enterprise plan offers two choices for HIPAA compliance.
Let’s look at how this product stacks up against Google Analytics, what its HIPAA-compliant offering involves, and the costs associated with switching from Google Analytics to Piwik Pro.
The differences between Google Analytics and Piwik Pro
The core difference between Google Analytics and Piwik Pro comes down to data privacy and who owns and controls the data.
Google Analytics is owned by Google and is an entirely cloud-based service. Google Analytics’ native tracking technology sends user data directly to Google’s servers, which means Google has access to any data processed or stored there. Ultimately, this is how Google works: they track user behavior and activity around the web through tracking technologies and use that data and knowledge to sell advertising.
In contrast, the Enterprise version of Piwik Pro allows you to store your data on your own servers or in a private cloud, giving you more control over your data and its usage. In terms of HIPAA compliance, this is vital. With the Enterprise version, you can sign a Business Associate Agreement (BAA) with Piwik Pro when you host remotely, or you can host on your own servers on premises, negating the need for a BAA.
From a wider perspective, Piwik Pro has features to track the entire customer journey. Google Analytics has traditionally focused on just pageviews and conversions, though GA4 is moving to more of an event-based tracking methodology.
Another key difference is that you can access full raw and unsampled data with Piwik Pro. Google Analytics often samples data once you have a non-trivial number of visitors. You can get unsampled data with Google Analytics 360.
A downside of Piwik Pro Core is that it is limited to 10 properties, compared with 100+ for Google Analytics (Piwik Pro Enterprise allows for unlimited properties).
Another downside for marketers that also use the Google Ads platform is that there is no way to push data from Piwik Pro to Google Ads in order to optimize campaign performance.
Finally, Piwik Pro uses a session-based methodology. This is how Google’s Universal Analytics worked before Google deprecated it and moved to an event-based data model. The argument in favor of event-based tracking is that it provides a more complete view of the customer journey, which is ultimately what all of us are after in 2023.
How Piwik Pro handles HIPAA compliance
HIPAA compliance is available with the Piwik Pro Enterprise plan. You have two options:
- A hosted version, where Piwik Pro handles your data.
- A self-hosted version, where you install Piwik Pro on your own servers.
In the hosted version, Piwik Pro will sign a Business Associate Agreement (BAA) that sets out how they store and handle sensitive data. They allow you to choose where your data is stored: you can keep data and any backups in HIPAA-compliant data centers in the US.
With the hosted version you also get:
- Backups and recovery options
- Audit and change logs
- Secure encryption at rest and in transit
In the self-hosted version, a BAA isn’t needed because Piwik Pro never stores or handles sensitive data themselves; that responsibility is entirely yours.
The disadvantages of running an on-premises solution
Piwik Pro Enterprise offers a self-hosted version of their product. Initially this seems like an ideal solution for HIPAA compliance. You will never be sharing sensitive data with other providers or storing data on remote servers: you have full control over your data.
However, these ‘on-premises’ solutions can come with significant challenges.
- Initial investment and setup costs: On-premises solutions often require a substantial upfront investment in hardware, software licenses, and other infrastructure. Setting up and configuring these systems can also be time-consuming and require specialized expertise, which may incur additional costs.
- Maintenance and upgrades: Unlike cloud-based services, on-premises solutions require the organization to be responsible for the ongoing maintenance and upgrading of hardware and software. This can be resource-intensive and may result in higher operational costs over time.
- Scalability: Scaling an on-premises solution can be challenging and expensive, as it typically involves purchasing and deploying additional hardware, upgrading existing systems, and reconfiguring the network. In contrast, cloud-based solutions offer greater flexibility and scalability, as resources can be easily added or removed as needed.
- Security and compliance: Ensuring the security of on-premises solutions can be more challenging than with cloud-based services, as the organization is responsible for implementing and maintaining all security measures. Additionally, staying compliant with industry regulations and standards may require significant resources and expertise.
- Disaster recovery and redundancy: Developing a robust disaster recovery plan for on-premises solutions can be complex and expensive. Organizations must create and maintain backup systems, ensure redundancy, and test their recovery processes regularly. Cloud-based services typically offer built-in disaster recovery and redundancy features, which can be more cost-effective and efficient.
- Limited access and mobility: On-premises solutions may restrict access to internal networks or require additional security measures for remote access. This can limit the flexibility and mobility of employees, particularly for those working remotely or traveling.
Despite these challenges, on-premises solutions may still be the preferred choice for healthcare organizations that have specific customization needs and want to maintain greater control over their data.
The costs of Piwik Pro HIPAA Compliance
There are three types of costs associated with switching to Piwik Pro for HIPAA data.
The literal costs
One of the core benefits of Google Analytics has always been that the main product has been free. Some teams make the upgrade to Google Analytics 360 for more features (in particular, less data sampling and access to raw data), but most companies use the free Google Analytics happily.
To use Piwik Pro in a way that keeps you HIPAA-compliant you’ll have to opt in to the Enterprise version whether you host it or not. And that’s going to cost you.
Piwik Pro costs money, and it costs more as you scale. Their pricing is based primarily on the number of actions.
From Piwik, “An action is any activity registered by the Piwik PRO analytics platform, e.g. a visit, Page view, download or event.” So depending on how you instrument your site in terms of the actions and events you are tracking, you might pass a million actions quickly in a month. When thinking about costs for Piwik Pro you need to think about the equation:
Monthly actions = (pageviews + events tracked) × visitors.
You’ll also have to pay if you want to add the Piwik Pro Customer Data Platform (CDP) to your setup.
We’ve seen price quotes at 25 million actions per month for $45,000 annually from Piwik.
But the costs don’t end there.
The switching costs
When it comes to using the on-premises version of Piwik Pro there are the costs we touched on previously. You have the setup costs of getting the on-premises servers and software up and running. You then have the ongoing maintenance costs for both hardware and software. Then you have the constant upgrade costs required for patches and security updates.
All this will probably require building an IT team and expertise. Managing and maintaining on-premises solutions often requires a dedicated IT team with specialized knowledge. This can be a significant expense for organizations, particularly smaller businesses that may not have the budget for a large IT department.
Even if you don’t go the on-prem route and stick with Piwik’s hosted version you’ll still have the development costs of re-instrumenting your product around the Piwik Pro tracking code and removing all the GA code. An important thing to keep in mind is that you can’t leverage any of the work you’ve done in setting up Google Analytics when migrating over to Piwik Pro. Don’t be misled. It’s a big lift to make the switch.
We’ve seen implementation quotes of $15,000 - $35,000 to migrate from Google Analytics over to Piwik Pro. Even with an implementation budget you can expect months of work to make the switch.
The sunk costs
These are the costs you’ve already invested into Google Analytics. Even though the product itself is free, you probably have a number of downstream tools and analyses that depend on the original GA tracking. You might be sharing data with other analytics products, marketing tools, data warehouses, or just custom code. Switching Google Analytics data out for Piwik Pro means altering all of these tools and analyses. It also means the old and new data aren’t compatible, so all your historical data will be useless.
Sunk costs are usually discussed in terms of the sunk cost fallacy, which says you shouldn’t make future investment decisions based on costs you’ve already incurred. But in this case it’s important to consider how you’ve set up your current pipeline and how much of it you’ll want to keep, or need to throw out.
You don’t need a new analytics tool
Most marketers we’ve talked to don’t really want to switch from Google Analytics to Piwik Pro. They just think there is no way to continue using Google Analytics and stay HIPAA-compliant. Though the basic implementation of Google Analytics is not HIPAA-compliant, you can make it so by using Freshpaint to govern your visitor data. It works like this:
- You replace your current Google Analytics tracking code with Freshpaint.
- The data is initially sent to Freshpaint’s BAA-protected platform instead of directly to Google.
Freshpaint then allows you to:
- Not share any personal identifiers with Google Analytics. It is the combination of personal identifiers and health information that results in HIPAA violations.
- Set an allowlist for data to be sent on to Google. By default, no data is sent on to Google. Instead, you have to manually identify the events and data that can be sent on. This makes sure you are never sending PHI to Google.
- Continue to see web activity in Google Analytics and keep using the rest of your analytics pipeline built on GA.
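To make the default-deny allowlist concrete, here is an added illustration of the governance step described above. It is not Freshpaint’s code; the event shape, the field names treated as identifiers, and the allowlist format are all assumptions made for this example.

```python
# Illustration of default-deny event governance (not Freshpaint's code).
# Event shape, identifier field names and allowlist format are assumed.

# Fields treated as direct personal identifiers (constructed list). They are
# stripped from every event before forwarding, whatever the allowlist says.
IDENTIFIER_FIELDS = {"email", "phone", "user_id", "ip", "name"}

# Allowlist: event name -> property keys permitted to go on to Google.
# Any event or property absent from this map is dropped (default deny).
ALLOWLIST = {
    "Page Viewed": {"path", "referrer_domain"},
    "Appointment Form Submitted": {"form_id"},
}

def govern(event, allowlist=ALLOWLIST):
    """Return the sanitised event to forward to GA, or None to block it."""
    name = event.get("event")
    if name not in allowlist:
        return None  # not explicitly approved, so never forwarded
    allowed = allowlist[name]
    props = {
        k: v for k, v in event.get("properties", {}).items()
        if k in allowed and k not in IDENTIFIER_FIELDS
    }
    return {"event": name, "properties": props}

def forward_batch(events, allowlist=ALLOWLIST):
    """Apply govern() to a batch; return (events to forward, blocked count)."""
    forwarded, blocked = [], 0
    for ev in events:
        out = govern(ev, allowlist)
        if out is None:
            blocked += 1
        else:
            forwarded.append(out)
    return forwarded, blocked

# Constructed sample traffic as it might arrive from the tracking code.
SAMPLE_EVENTS = [
    {"event": "Page Viewed",
     "properties": {"path": "/locations/downtown", "referrer_domain": "google.com",
                    "ip": "203.0.113.7", "email": "pat@example.com"}},
    {"event": "Appointment Form Submitted",
     "properties": {"form_id": "appt-1", "condition": "diabetes",
                    "phone": "555-0100"}},
    {"event": "Lab Result Viewed",           # not allowlisted: blocked whole
     "properties": {"path": "/portal/results/8841"}},
]

if __name__ == "__main__":
    sent, dropped = forward_batch(SAMPLE_EVENTS)
    for e in sent:
        print(e)
    print(f"{dropped} event(s) blocked")
```

With an empty allowlist nothing is forwarded at all, which is the starting state the text describes before you approve specific events.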
This is a HIPAA-compliant pipeline that you can set up today, with no interruption to your pipeline, your data, or your ability to act on data to help your users. You can learn more about making Google Analytics HIPAA-compliant here.