# HIPAA Mode

HIPAA mode is a feature that Freshpaint provides to give customers full control over what [Protected Health Information](https://www.hhs.gov/answers/hipaa/what-is-phi/index.html) (PHI) is sent to their destinations. Freshpaint allows you to configure explicit lists of properties, called allowlists, for each of your destinations so you opt into what you send and how you send it.

## What is PHI?

PHI is the combination of Personally Identifiable Information (PII) and health information. Examples of PII include:

* Names
* IP Addresses
* Non-anonymized user IDs
* Emails

Examples of health information include:

* Diagnoses
* Treatment information
* Medical test results
* Prescription information

## Enforced Allowlists

{% embed url="<https://www.youtube.com/watch?v=TaN1x1dwYoo>" %}
Watch this video to learn how to use allowlists in Freshpaint
{% endembed %}

The Enforced Allowlists feature allows you to send properties classified as PHI to your HIPAA-compliant destinations, and send only non-PHI properties to non-HIPAA compliant destinations. Freshpaint does this by allowing you to specify a list of properties that are known to not contain PHI. Whenever Freshpaint sees a property that is not in this allowlist, Freshpaint will remove the property before sending the event to non-HIPAA compliant destinations.

### Project Allowlist

Navigate to the Project Allowlist page to specify which properties are not considered PHI for your Freshpaint Project.

{% hint style="info" %}
Properties allowed at the Project level will be automatically applied to all Destination Allowlists.
{% endhint %}

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2FA66pKErspPHddQR9Gwpf%2FHIPAA%20Allow%20List%20(1).png?alt=media&#x26;token=9a06cdb3-9959-4512-a2e5-4be2b8403f22" alt=""><figcaption></figcaption></figure>

### Destination Required Properties

In addition to the Project Allowlist, each destination that supports server-side connection mode has its own allowlist.

In order for Freshpaint to be able to send data to the destination, you must allow each of the required properties. These settings will not affect any other destination.

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2FzBTkt5QVYrfEwydxIK0Q%2FRequired%20Properties.png?alt=media&#x26;token=8e402474-c463-484e-b2c6-840bb6193ac9" alt=""><figcaption><p>Some destinations offer Required Properties for you to add to the allowlist</p></figcaption></figure>

For example, the Google Ads destination requires the `$gclid` and `conversion_label` properties. Without these properties, Google Ads will not be able to attribute conversions to your ad campaigns, so the destination will not be able to function.

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2FJJbHRAC8Prp01Xf6oc9D%2FScreenshot%202023-07-14%20at%2014.06.11.png?alt=media&#x26;token=9c3374a8-20ab-4a32-8ac9-8d08cfd54f85" alt=""><figcaption><p><code>$gclid</code> and <code>conversion_label</code> are Required Properties for Google Ads</p></figcaption></figure>

### Destination Recommended Properties

Certain destinations have additional functionality that is controlled by certain event properties. Freshpaint indicates these properties as "Recommended" and describes the functionality they enable.

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2FEimraEIaMN66oBrfdGX0%2FRecommended%20Properties.png?alt=media&#x26;token=ffee2f6d-864f-47a0-a648-3381f5aad1f2" alt=""><figcaption><p>Some destinations offer Recommended Properties for you to add to the allowlist</p></figcaption></figure>

For example, to enable the Conversions Report for Google Analytics 4, you would need to allow the `conversion` property.

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2FvGaAOMnRtrAgmTh1oXkU%2FScreenshot%202023-07-14%20at%2013.57.22.png?alt=media&#x26;token=871ee955-1c1a-4d29-a0db-92ee20c1b0d6" alt=""><figcaption><p>To enable the Conversions Report in Google Analytics 4, allow the <code>conversion</code> property</p></figcaption></figure>

### Destination Allowlist

In addition to required and recommended properties, each destination that supports server-side connection mode has a full allowlist, similar to the Project Allowlist. You can use this advanced feature if you need to add properties to the destination's allowlist that are not covered by the Required or Recommended properties.

{% hint style="info" %}
All of the Required and Recommended Properties that you have allowed will be shown on the Destination Allowlist.
{% endhint %}

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2F3gEzaMztjonPRA2ckY46%2FIntegration%20Specific%20Allow-list.png?alt=media&#x26;token=517a9038-03f7-4b4e-a758-6b89d3d728c3" alt=""><figcaption><p>Navigating to the Destination Allowlist</p></figcaption></figure>

Add properties to the destination's allowlist if they're known to be safe to send to that specific destination. For example, you may add the Facebook Ad Click ID to the allowlist for Facebook Conversions API in order to track conversions from your ad campaigns.

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2FfU43dkWchWRrwuxhutPN%2FScreen%20Shot%202023-05-08%20at%2020.19.33.png?alt=media&#x26;token=c53f871a-3798-4705-b776-2a518695127f" alt="" width="563"><figcaption><p>The Facebook Conversions API Destination Allowlist</p></figcaption></figure>

{% hint style="warning" %}
Required Properties, Recommended Properties, and Destination Allowlists are available in the latest version of Freshpaint HIPAA Mode. Contact <support@freshpaint.io> to learn more.
{% endhint %}

### Built-in Properties

Freshpaint captures a number of properties automatically for each event, for example the URL of the page on which the event occurred. These are known collectively as [built-in properties](https://documentation.freshpaint.io/reference/faqs/what-data-does-freshpaint-collect/autotrack#properties-captured). You can use the PHI Allowlist to specify which ones are known not to contain PHI.

{% hint style="warning" %}
Built-in Property Allowlisting is available in the latest version of Freshpaint HIPAA Mode. Contact <support@freshpaint.io> to learn more.
{% endhint %}

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2Fp15DN0kxLIBApZzJ8ald%2FScreen%20Shot%202023-05-08%20at%2019.57.14.png?alt=media&#x26;token=2ac03a12-5665-4643-88d6-e941583254df" alt="" width="377"><figcaption><p>Built-in and Custom Property Allowlist</p></figcaption></figure>

Most of these built-in properties are documented under [What Data Does Freshpaint Collect?](https://documentation.freshpaint.io/reference/faqs/what-data-does-freshpaint-collect/autotrack#properties-captured). Special attention should be paid to **URL, UTM Parameters, and Other Query Parameters**. Suppose an event occurs on `http://shoes.com/the/best/shoe?utm_term=shoes&page=2`. The following table illustrates the value of the `$current_url` property under different allowlist configurations.

<table><thead><tr><th width="100" data-type="checkbox">URL</th><th width="122" data-type="checkbox">UTM Term</th><th width="129" data-type="checkbox">Other Query Parameters</th><th>$current_url property</th><th>Notes</th></tr></thead><tbody><tr><td>false</td><td>false</td><td>false</td><td><code>http://shoes.com/url-redacted-by-freshpaint</code></td><td>When URL is not on the allowlist, Freshpaint will still send the domain name to destinations, along with a fake path that indicates the real path was redacted.</td></tr><tr><td>true</td><td>false</td><td>false</td><td><code>http://shoes.com/the/best/shoe</code></td><td>The domain name and path are preserved but all query parameters are removed</td></tr><tr><td>true</td><td>true</td><td>false</td><td><code>http://shoes.com/the/best/shoe?utm_term=shoes</code></td><td>The <code>page</code> query parameter is removed.</td></tr><tr><td>true</td><td>false</td><td>true</td><td><code>http://shoes.com/the/best/shoe?page=2</code></td><td>Since Other Query Parameters are allowlisted, any query parameters that aren't UTM parameters are preserved, in this case, <code>page=2</code>. The <code>utm_term</code> query parameter is removed.</td></tr><tr><td>true</td><td>true</td><td>true</td><td><code>http://shoes.com/the/best/shoe?utm_term=shoes&#x26;page=2</code></td><td>The entire URL is allowed to be sent to the destination.</td></tr></tbody></table>
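
The table's rules written out as a function, as an added example that is not Freshpaint's code. The option names, the `utm_` prefix test, the handling of fragments, and the `clinic.example` URL are assumptions made for illustration.

```javascript
// Added example, not Freshpaint code. The option names (url, utm, otherQuery)
// are hypothetical stand-ins for the three allowlist checkboxes in the table.
function redactCurrentUrl(rawUrl, allow) {
  const u = new URL(rawUrl);
  if (!allow.url) {
    // URL not allowlisted: keep the domain, replace the path with the marker.
    // Assumption: query parameters are dropped too, whatever their own settings.
    return `${u.origin}/url-redacted-by-freshpaint`;
  }
  const kept = [];
  for (const [key, value] of u.searchParams) {
    // Assumption: a "UTM parameter" is any key that starts with utm_.
    const isUtm = key.toLowerCase().startsWith("utm_");
    if (isUtm ? allow.utm : allow.otherQuery) kept.push([key, value]);
  }
  const query = new URLSearchParams(kept).toString();
  // Assumption: the #fragment is never forwarded (the page does not cover it).
  return u.origin + u.pathname + (query ? `?${query}` : "");
}

// The five rows of the table, in order, for the page's sample URL.
function tableRows() {
  const url = "http://shoes.com/the/best/shoe?utm_term=shoes&page=2";
  const configs = [
    { url: false, utm: false, otherQuery: false },
    { url: true, utm: false, otherQuery: false },
    { url: true, utm: true, otherQuery: false },
    { url: true, utm: false, otherQuery: true },
    { url: true, utm: true, otherQuery: true },
  ];
  return configs.map((allow) => redactCurrentUrl(url, allow));
}

// Constructed URL whose path and query both carry sensitive values.
const SAMPLE = "https://clinic.example/conditions/diabetes?utm_source=mail&patient=4411#labs";

console.log(tableRows().join("\n"));
console.log(redactCurrentUrl(SAMPLE, { url: false, utm: true, otherQuery: false }));
console.log(redactCurrentUrl(SAMPLE, { url: true, utm: true, otherQuery: false }));
```

With URL allowlisted, the path (`/conditions/diabetes` in the constructed sample) is forwarded intact, so allowlist URL only when your paths cannot carry health information.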

### Custom Properties

Events may have additional custom properties beyond those automatically captured by Freshpaint, for example if you're using [#addeventproperties](https://documentation.freshpaint.io/reference/developer/freshpaint-sdk-reference#addeventproperties "mention") to add data layer properties to your events. You can use the PHI Allowlist to specify the custom properties that are known not to contain PHI.

### User & Group Properties

There are separate allowlists for user properties, which are attached to [`freshpaint.identify`](https://documentation.freshpaint.io/reference/developer/freshpaint-sdk-reference#identify) calls, and for group properties, which are attached to [`freshpaint.group`](https://documentation.freshpaint.io/reference/developer/freshpaint-sdk-reference#group) calls.

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2FV6wNGF4lA1jvhZ82p2SG%2FScreen%20Shot%202023-05-08%20at%2020.17.25.png?alt=media&#x26;token=5184ae0c-af71-4d7f-b659-6524f35aa5a2" alt="" width="563"><figcaption><p>Event, User, and Group Allowlists</p></figcaption></figure>

## ID Masking

ID Masking allows you to [identify users](https://documentation.freshpaint.io/readme/setting-up-identify) in Freshpaint without sending the identifier to non-HIPAA compliant destinations. Freshpaint does this by *hashing* the user identifier before sending events to non-HIPAA compliant destinations. This anonymizes the user identifier, while still associating events with a single identified user and preserving functionality like identity resolution.

Here's an example. Suppose you identified a user by their email address:

```javascript
freshpaint.identify("some_distinct_id", {
  "email": "ada.lovelace@example.com",
  "browser": "Chrome"
});
```

Masking would send values like `ada.lovelace@example.com` in a hashed form, scrambled in such a way that a reader at the destination will be unable to determine the original value. This hashing is consistent for a given value. If `ada.lovelace@example.com` is hashed into `iuUwhqIm1kEriZsVlu5TsGgX6/y5Pwfn`, then you can count on it being that value every time in your destinations.

ID Masking is automatically performed on built-in user identifiers for non-HIPAA compliant destinations. To turn on ID Masking for additional properties, you must configure the allowlist for your destination. Add the property you want to allow, then check the `Hashed?` option.

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2FYl4N0dZpHCT8AQxtGA5Y%2FScreenshot%202023-01-27%20at%202.44.13%20PM.png?alt=media&#x26;token=8dfc8a6b-f179-4a00-bfab-3b0d497f4c7b" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Freshpaint uses the [SHAKE3 hash algorithm](https://en.wikipedia.org/wiki/SHA-3) for ID masking
{% endhint %}
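
How an allowlist with the `Hashed?` option changes an outbound payload, as an added example that is not Freshpaint's code. The function names, the data shapes, the `diagnosis` property, and the use of SHA3-256 with base64 output as the masking hash are assumptions; real masked values will differ.

```javascript
const crypto = require("crypto");

// Stand-in masking function (assumption): SHA3-256 of the value, base64-encoded.
// The page does not give Freshpaint's exact parameters, so outputs will differ.
function maskValue(value) {
  return crypto.createHash("sha3-256").update(String(value), "utf8").digest("base64");
}

// Hypothetical model of one destination's outbound filter.
//   projectAllow: property names allowed at the Project level
//   destAllow:    { propertyName: { hashed: boolean } } for this destination
function filterForDestination(properties, projectAllow, destAllow, hipaaCompliant) {
  // HIPAA-compliant destinations receive the properties unchanged.
  if (hipaaCompliant) return { sent: { ...properties }, dropped: [] };
  const sent = {};
  const dropped = [];
  for (const [name, value] of Object.entries(properties)) {
    // A destination entry wins; otherwise the Project Allowlist applies as-is.
    const rule = Object.hasOwn(destAllow, name) ? destAllow[name]
      : projectAllow.includes(name) ? { hashed: false } : null;
    if (rule === null) {
      dropped.push(name); // not on any allowlist: removed before sending
    } else {
      sent[name] = rule.hashed ? maskValue(value) : value;
    }
  }
  return { sent, dropped };
}

// Constructed input: the identify() traits from above plus a health property.
const TRAITS = { email: "ada.lovelace@example.com", browser: "Chrome", diagnosis: "asthma" };
const PROJECT_ALLOW = ["browser"];
const ADS_ALLOW = { email: { hashed: true } };

console.log(filterForDestination(TRAITS, PROJECT_ALLOW, ADS_ALLOW, false));
```

The stand-in hash is unkeyed, so anyone who can guess a candidate value can compute its hash and compare; this page does not say whether Freshpaint's masking is keyed.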

## Server-side Destinations

Freshpaint's HIPAA mode requires that your destinations be configured with a server-side connection. If one of your destinations only supports a client-side connection, you will not be able to use it in HIPAA mode.

## Restricting PHI without HIPAA mode enabled

You may want to send events to a non-HIPAA compliant destination without applying ID Masking or Allowlists. This might be the case when:

* You want to send events to a non-HIPAA compliant destination that only supports Client-side connection mode, so you need to disable HIPAA mode to use the client-side destination.

{% hint style="success" %}
Example: you want to send events to Hotjar, which only supports client-side connections.
{% endhint %}

* You want to send events to a non-HIPAA compliant destination, and the destination needs the original user identifier, so you need to disable ID masking.

{% hint style="success" %}
Example: you want to send events to your email marketing platform, and you need to preserve the user's email address.
{% endhint %}

To avoid sending PHI to a non-HIPAA compliant destination, you must restrict PII, health information, or both. Note that this restriction is scoped to all API calls made for a user. For example:

* You attach PII (but not health information) to an anonymous user in a destination with a `freshpaint.identify()` API call
* Later on, you send a `freshpaint.track()` API call containing health information (but not PII) to the same destination for this anonymous user

You're still sending PHI to the destination, since the destination has received both PII and health information for the same user, even though this information was received in different requests.
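
An audit check for this case, as an added example that is not part of Freshpaint: it walks a log of outbound calls and flags each destination and user pair that has received both PII and health information, even in separate requests. The log format, the property names, and their classification are constructed for illustration.

```javascript
// Assumed classification of property names; maintain your own for real data.
const PII = new Set(["email", "name", "ip"]);
const HEALTH = new Set(["diagnosis", "prescription", "test_result"]);

// calls: [{ method, destination, userId, properties }] in the order sent.
function findPhiJoins(calls) {
  const seen = new Map(); // "destination|userId" -> what that pair has received
  const flagged = [];
  for (const call of calls) {
    const key = `${call.destination}|${call.userId}`;
    const state = seen.get(key) || { pii: false, health: false, flagged: false };
    for (const name of Object.keys(call.properties)) {
      if (PII.has(name)) state.pii = true;
      if (HEALTH.has(name)) state.health = true;
    }
    // PHI exists once both halves have reached the same destination and user.
    if (state.pii && state.health && !state.flagged) {
      state.flagged = true;
      flagged.push({
        destination: call.destination,
        userId: call.userId,
        completedBy: call.method, // the call that supplied the missing half
      });
    }
    seen.set(key, state);
  }
  return flagged;
}

// Constructed outbound log.
const CALLS = [
  { method: "identify", destination: "ads", userId: "anon-1",
    properties: { email: "ada.lovelace@example.com" } },
  { method: "identify", destination: "email-tool", userId: "anon-1",
    properties: { email: "ada.lovelace@example.com" } },
  { method: "track", destination: "ads", userId: "anon-2",
    properties: { diagnosis: "asthma" } },
  { method: "track", destination: "ads", userId: "anon-1",
    properties: { diagnosis: "asthma" } },
];

console.log(findPhiJoins(CALLS));
```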

When determining whether a destination may collect PHI, it's important to understand exactly what metadata and properties a destination collects, and whether these metadata and properties contain PII or health information.

For example, the Freshpaint [Bing Ads](https://help.ads.microsoft.com/#apex/3/en/53056/1/#exp151) destination, when configured in client-side connection mode, collects IP addresses, Freshpaint event names, and page URLs (alongside other metadata). Because an IP address is PII, it's important to ensure the event names and page URLs collected by Bing Ads do not include health information.

If you're unsure whether one of your destinations is collecting PHI, don't hesitate to reach out to <support@freshpaint.io>.

And of course, you should always consult with your legal team.
