Healthcare
HIPAA-Friendly Analytics
No BAA required because we never touch PHI
The Bottom Line
Zero Trust Analytics cannot identify your patients. We collect page routes and time on page. That's it. No IP addresses, no cookies, no user identifiers.
BAA available on request for healthcare organizations that require one.
Why No BAA Is Needed
A Business Associate Agreement (BAA) is required when a vendor handles Protected Health Information (PHI) on your behalf. PHI includes data that can identify a patient combined with their health information.
We don't handle PHI because we can't identify anyone.
Our analytics system is architecturally designed to be blind to individual visitors:
- No IP addresses stored - IPs are hashed with a daily-rotating salt, then immediately discarded. The hash cannot be reversed.
- No cookies - We don't use cookies or any client-side storage
- No user identifiers - No login tracking, no session persistence across days
- No fingerprinting - No canvas, WebGL, font, or audio fingerprinting
When a patient visits your healthcare website, we see: "Someone viewed /services/cardiology for 45 seconds."
We do not see: "John Smith (192.168.1.1) viewed /services/cardiology for 45 seconds."
Exactly What We Collect
Here is a real example of the data we store when someone visits your site:
Stored Analytics Record

```json
{
  "site_id": "your-site-id",
  "event_type": "pageview",
  "page_path": "/services/physical-therapy",
  "referrer_domain": "google.com",
  "timestamp": "2024-12-10T14:30:00Z",
  "country": "US",
  "region": "TX",
  "device_type": "mobile",
  "browser": "Safari",
  "duration_seconds": 47
}
```

Notice what's missing:
- No IP address
- No patient name or identifier
- No email address
- No device fingerprint
- No cookie ID
- No way to link this visit to any other visit
What We Don't Collect
| Data Type | Collected? | Why |
|---|---|---|
| IP Addresses | Never Stored | Hashed with daily salt, then discarded |
| Patient Names | Never | Not collected |
| Email Addresses | Never | Not collected from visitors |
| Cookies | Never | Zero cookies policy |
| Form Inputs | Never | We don't capture what users type |
| Device Fingerprints | Never | No fingerprinting of any kind |
| Cross-site Tracking | Never | Each site is isolated |
URL Best Practices
The only theoretical risk would be if your website URLs contain patient information (e.g., /patient/john-smith-12345/records). This would be a problem with any analytics tool.
Our recommendation: Never include patient identifiers in URLs. Use patterns like:
- /portal/appointments (good)
- /patient/123456/appointments (avoid)
If your site follows standard web practices, there's no PHI in the URLs we see.
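The following is an added illustration, not the vendor's code, of the two mechanisms described on this page: the daily-salted IP hash from "Why No BAA Is Needed" and a path-scrubbing safety net for the URL practice above. It assumes identifiers are digit-only path segments and that the coarse fields (country, region, device type, browser) are derived upstream.

```python
import hashlib
import hmac
import json
import re
import secrets

# Constructed illustration of the scheme described above, not the vendor's code:
# one random salt per UTC day, held only in memory. When the day rolls over the
# old salt is dropped, so yesterday's tokens can no longer be recomputed or matched.
_SALTS: dict[str, bytes] = {}

def daily_salt(day: str) -> bytes:
    """Return the salt for `day` (YYYY-MM-DD), minting a fresh one when the day changes."""
    if day not in _SALTS:
        _SALTS.clear()  # forget the previous day's salt
        _SALTS[day] = secrets.token_bytes(32)
    return _SALTS[day]

def visitor_token(ip: str, day: str) -> str:
    """Keyed hash of the IP under today's salt; usable only for same-day de-duplication."""
    return hmac.new(daily_salt(day), ip.encode(), hashlib.sha256).hexdigest()

# Safety net for the URL practice above: drop query/fragment and collapse digit-only
# segments, so /patient/123456/appointments?src=mail becomes /patient/{id}/appointments.
# Assumption: identifiers are numeric segments; a name embedded in a URL cannot be
# detected this way and must be removed at the source, as the page recommends.
_NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")

def scrub_path(raw_path: str) -> str:
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    return _NUMERIC_SEGMENT.sub("/{id}", path)

def build_record(site_id: str, ip: str, raw_path: str, referrer_domain: str,
                 timestamp: str, coarse: dict, duration_seconds: int) -> tuple[dict, str]:
    """Return the record to store and the per-day token; the raw IP appears in neither.
    `timestamp` is UTC in the form 2024-12-10T14:30:00Z; its date part selects the salt."""
    token = visitor_token(ip, timestamp[:10])
    record = {
        "site_id": site_id,
        "event_type": "pageview",
        "page_path": scrub_path(raw_path),
        "referrer_domain": referrer_domain,
        "timestamp": timestamp,
        **coarse,  # country, region, device_type, browser (assumed derived upstream)
        "duration_seconds": duration_seconds,
    }
    if ip in json.dumps(record):  # defence in depth: refuse to store a raw address
        raise ValueError("raw IP leaked into analytics record")
    return record, token
```

Because the salt is random and discarded at rotation, the per-day token is only meaningful within the day it was minted; a compliance reviewer can confirm that the stored record never contains the address.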
For Your Compliance Team
We've designed Zero Trust Analytics to make compliance review simple:
Technical Verification
Open your browser's Developer Tools on any page with our script. Watch the Network tab - you'll see exactly what data is sent. No hidden tracking.
3KB Script
Our entire tracking script is ~3KB and fully readable. Your security team can audit every line in minutes.
Data Export
Request an export of all data we have for your site. You'll see it contains no PHI because we never collected any.
Self-Hosted Option
For maximum control, run Zero Trust Analytics on your own HIPAA-compliant infrastructure with our Docker deployment.
Why Healthcare Organizations Choose Us
- No consent banners needed - No PII means no HIPAA consent requirements for analytics
- BAA available - We'll sign a BAA if your compliance process requires one
- Simple compliance story - "We use analytics that can't see patient data"
- Audit-friendly - Transparent, verifiable data collection
- No vendor risk - We can't breach what we don't have
Google Analytics Is a HIPAA Risk
Traditional analytics platforms like Google Analytics collect IP addresses, use cookies, and build user profiles. When used on healthcare websites, this creates potential HIPAA exposure:
- IP addresses can identify individuals
- Page visits to condition-specific pages become PHI when linked to an identity
- Google uses this data for advertising purposes
- You'd need a BAA with Google (which they don't offer for free GA)
With Zero Trust Analytics, these risks don't exist because the identifying data is never collected.
Pricing for Healthcare
We offer straightforward pricing based on pageviews:
- Starter: $50/month - Up to 100K pageviews
- Professional: $99/month - Up to 500K pageviews
- Enterprise: Custom - Unlimited pageviews, dedicated support, SLA
All plans include unlimited sites, unlimited team members, and full API access.
Ready to simplify your analytics compliance?
Get analytics that your compliance team will actually approve.
Questions?
Contact us at healthcare@zerotrustanalytics.com for a compliance review call with your team. We're happy to walk through our architecture and answer any questions.