Is it HIPAA-compliant to use Google Analytics or Facebook Pixel in Chatbots?

by Vagelis H. 07/07/2020

Update 2/10/2023: Google has posted a page discouraging people from using Google Analytics when HIPAA is required

At SmartBot360, we have been working with customers and partners building HIPAA-compliant chatbots for patient conversion and customer support. A typical application is hosting a chatbot on a provider’s Web site, which interacts with a patient to answer common questions or make an appointment.

Over the last year, we often received the request to integrate with Google Analytics or Facebook Pixel. This is a natural need. Many healthcare companies — from medical devices to supplements to dentists to plastic surgeons — engage in digital advertising, by posting ads on Facebook, Google or other places. These companies need to measure how many of the users that clicked on the ad ended up interacting with the chatbot.

This is where things become messy. Consider a chatbot at a dentist’s Web page, which asks “Do you have pain when drinking cold beverages?” If we define a Google Analytics or a Facebook Pixel event called “painColdDrink” and have the bot track this event (i.e. notify Google or Facebook when a user responds “yes” to the above question), this leaks PHI (Protected Health Information) to Google or Facebook, which would violate HIPAA, if the company is a covered entity.

To avoid this problem, there are a couple of possible solutions. First, you can rename “painColdDrink” to something vague like “event1”. To learn more about this strategy, you can read Google’s article on how to prevent sending PHI to Google. This addresses the problem to some extent, but if you define follow-up actions (e.g. retargeting) based on the existence of “event1” (e.g., show to the user an ad for Sensodyne), you may again leak indirectly PHI to Google or Facebook.

Another solution to avoid (or minimize) any leak of information is to not define events based on the user’s responses, but instead only create an event that is triggered when the user completes the chatbot’s questionnaires or when the user responds to the first question (regardless of the answer).

Google states that if you share PHI with Google Analytics, there should not be an expectation that Google will protect this data in the context of HIPAA; for example, Google will likely not sign a BAA (Business Associate Agreement) about its Google Analytics service. Similarly, Facebook explicitly disallows the transmission of PHI (search for “HIPAA”). So, your responsibility as the chatbot designer is to avoid leaking PHI to Google Analytics or to Facebook.

Interestingly, I came across a document explaining how even CMS (Centers for Medicare and Medicaid Services) has used Facebook Pixel for their campaigns, and they claim that this does not violate patients’ privacy, given their tracking setup.

To summarize, my research on this topic draws the conclusion that one should have no expectation that Google Analytics or Facebook Pixel will protect their data, so if one decides to still use these services he/she is responsible to make sure that no PHI is directly or indirectly submitted to these services.

The way that SmartBot360 decided to walk this thin line, is to offer integration of its chatbots with Facebook Pixel and Google Analytics, but display clear warnings of the potential HIPAA implications of using them, both inside the SmartBot360 Management Dashboard (where the chatbots are created) and in the BAA.