POWER LEADER: Piwik PRO's Piotr Korzeniowski on digital analytics and advertising under HIPAA

As the digital landscape continues to evolve, particularly with regulations such as HIPAA shaping the framework within which electronic Protected Health Information (ePHI) is handled, Piwik PRO CEO Piotr Korzeniowski shares more about the industry and what the company’s future looks like. Learn how Piwik PRO navigates these complexities, supporting businesses across scales and sectors to harness the power of data without compromising on compliance.

Piwik PRO operates at the intersection of digital analytics and law  like HIPAA. Could you discuss how Piwik PRO balances the drive for innovative analytics solutions with the need to adhere to legal requirements, especially in handling electronic Protected Health Information (ePHI)?

Expansion of privacy laws (among other things) resulted in bigger scrutiny of what data, how, and for what purpose is collected. This affects online activities, especially marketing and advertising, where a gigantic amount of information, including sensitive data, is processed daily. Organizations adapt, and this tends to be a painful process. Piwik PRO supports businesses of all sizes in performing successful marketing activities such as analytics, tag management, and consent collection compliantly.

From our early days, we knew privacy would play a growing role in digital marketing in the coming years. We designed the Piwik PRO to bring as much value as possible to organizations operating in privacy legal regimes. So, for marketers, we provide clickstream data (URLs, campaign information, referrers, etc), real-time dashboards, custom reporting, enterprise-grade tag management, and more. At the same time, security and privacy teams will be happy to see that we undergo ISO, SOC2, and independent security and privacy reviews.

The HIPAA regulation is a great example of the reality in which businesses must now operate. PHI and ePHI are special kinds of information that the legal regime requires handling in a certain way, even deleting if needed. Popular analytics solutions from the old days, like Google Analytics or Adobe Analytics, are not built to meet these requirements. But thanks to how Piwik PRO has been designed, it can be done.

The HHS' Office for Civil Rights provides guidelines on online tracking technologies that affect healthcare companies significantly. What are some key legal challenges you face, and how does Piwik PRO ensure compliance in its operations and offerings?

There are many things to be solved for organizations to be compliant, but the approaches to solving HIPAA boil down to two:

• One: It can take full responsibility and employ the proper means, e.g., strip marketing data of any traces of PHI before analyzing it or pushing it to the ad networks. This creates a computing burden and greatly hinders organizations' ability to analyze their performance.
• Two: sign a BAA with the marketing vendor and share the responsibility with them. Only vendors with proper technologies and safeguards will enter such arrangements. Google and Adobe won't sign BAAs for their most popular solutions, Google Analytics and Adobe Analytics.

As Piwik PRO has all the necessary technology and an advanced security & privacy program, we're fine with sharing the responsibilities here and signing the BAAs.

Scenario two is more beneficial because it gives healthcare companies one less reason to worry about their setups.

HIPAA-Compliant Analytics Solutions: Piwik PRO offers various analytics approaches. Can you compare these solutions regarding HIPAA compliance, ease of use, and integration with existing tools that healthcare companies might already use?

Our product is built around the golden standards and concepts of marketing analytics introduced by the industry-beloved Google Universal Analytics 360. So marketers and digital analysts accustomed to GUA will feel at home with Piwik PRO. This means you get event-level clickstream data and session-level dimension for your visitors' browsing intents.

Those who utilize open-source products like Matomo will be pleasantly surprised to see Piwik PRO's boosted reporting capabilities. For those on the fence about moving from Adobe Analytics to Customer Journey Analytics, Piwik PRO has a lower price and complexity, so you'll save resources when partnering with us.

Marketers and smaller businesses will appreciate a rich collection of predefined reports and integrations with Google Ads and Google Search Console. More seasoned analysts can play around with custom reports, calculated metrics, or export data to BI tools. We also offer robust ecommerce tracking for digital retail, real-time dashboards, and data activation via our customer data platform.

Piwik PRO can be the fundamental pillar of an organization's digital marketing activities. Thanks to native integrations and APIs, it can also fit seamlessly into existing marketing stacks. It's up to the user to decide; we give them options.

What are some essential dos and don’ts for companies looking to implement compliant data collection strategies? Could you provide examples from Piwik PRO’s practices?

Everything depends on the legal regime your organization is operating in and what you plan to use the data for. Businesses operating in the EU need to primarily look at GDPR, while California businesses need to adhere to CCPA. In Canada, you need to look up PIPEDA, and then there are sectoral regulations, like HIPAA, for healthcare organizations. Complexity rises more if you must simultaneously navigate a few or all (!) of those regimes. The best way is to use setups of the “least common denominator.” Usually, this means that we track less to meet the stringiest law of all.

I would encourage bringing legal and compliance people to any data project. Disclosure and collaboration are always good, and bringing the right people to the table will help. A good strategy can be created only by combining the perspectives of law, business needs, and technological possibilities.

Map what you collect, map the data points and flows, and identify all the data categories that need special attention. Implement proper consent management mechanisms if needed, allowing users to opt in or out of certain activities. Closely review the third parties to whom you’re pumping your data. Introduce additional safeguards and means to ensure that no special category data leaves your ecosystem without your knowledge and consideration.

Invest in proper technologies. Seek solutions that have privacy features rooted deeply in their design. These will allow you to achieve compliance faster and cheaper than trying to make popular solutions compliant.

Online advertising requires installing tracking technologies like pixels, which can be problematic under HIPAA. How does Piwik PRO navigate this challenge, ensuring effective audience targeting and compliance with privacy regulations?

We’re giving our users complete control over the data they possess, including full control over what’s sent to which third-party vendor. This is true for our Analytics endpoint, and we also facilitate connections to third parties via our Customer Data Platform, which transfers the data on the server side to audit every single data point shared with the broader martech ecosystem. That includes, for instance, the ability to push audiences to ad networks or automatically upload conversions.

With the evolving digital landscape, how do you see technology impacting healthcare marketing and analytics in the next few years? What role will HIPAA compliance play in shaping these advancements?

Introducing more privacy or sectoral laws and declarations of stricter enforcement (for HIPAA in the US and GDPR in the EU) will motivate organizations to seek solutions that will make their compliance obligations easier to execute. In the US, a federal privacy law is needed, and we’re happy to see that one is already in the works.

Marketing and advertising that thrive on consuming large amounts of data will not be sustainable in the future. More “old school” methods (like ad tracking via third-party cookies) will be obliterated. We can expect even more products that will support organizations in compliant marketing, advertising, and human resources.

Data is now difficult to obtain, and we collect less. This creates a false assumption that marketing and advertising won’t work now. That’s not true; the reality is different, and everyone must adapt. So, shifts in mindsets are required.

Embracing the data minimization rule and carefully considering the validity of each data point is not just a requirement but a great starting point for building a robust marketing strategy. You should measure what’s important, and that will give you a directional: “go/no-go” on the activity you’re running instead of just chasing the # of engagements/conversions.

Organizations should also shift their focus from detailed, personal data to anonymized data sets that allow to make valid decisions in a more privacy-friendly way, instilling public confidence in their marketing approach.

As digital landscapes and regulations evolve, how is Piwik PRO preparing to stay at the forefront of compliant analytics and advertising solutions? What are the next big trends or technologies you foresee impacting your industry, and how is Piwik PRO gearing up to lead these changes?

Privacy is becoming mainstream. More countries will introduce proper legislation, and who knows, we might get a federal privacy law in the US. At the same time, the need for quality data is bigger than ever. With the demise of third-party data, organizations are moving towards first-party data, building their own setups, and communicating with ad systems on their terms. In short, working with data is becoming more complex. Organizations must invest in proper technologies and know how to win in this arena.

In the past, organizations collected data without any need, “just in case.” With data pipelines now far smaller, such waste is unacceptable, and organizations must make the most of each piece of data. That’s why data activation is crucial, and organizations are increasingly adopting customer data platforms.

At Piwik PRO, we look closely at those trends, ensuring our product can work efficiently in this changing environment. The privacy component has been with us from day one, and we’re further expanding our capabilities with, e.g., the CDP, now giving Piwik PRO the ability to call itself a one-stop shop for data collection, analytics, and activation.