Running hospital marketing campaigns in 2026 means navigating a tension between marketing performance and patient data protection, a combination that most analytics platforms weren’t built to support.
Patients now research symptoms, compare providers, and book appointments entirely online before ever contacting a hospital. Healthcare marketers need to adapt to digital-first patient journeys, run campaigns for numerous service lines, manage hospital marketing analytics across multiple locations, and prove ROI to administrators. For nonprofit hospitals, the picture is broader still — donation tracking is part of the marketing mandate, with fundraising tied directly to research programs, capital projects, and long-term growth.
At the same time, the rules for compliant data collection are getting stricter. In 2025 alone, HIPAA enforcement led to roughly $148 million in fines across 22 major cases. FTC enforcement actions, state health data laws, and a wave of pixel-related class-action lawsuits have expanded well beyond what HIPAA alone covers.
Compliance is no longer a legal department concern that sits separately from campaign planning. It now shapes what data you can collect, how you can use it, and what you can report.
Most guidance on healthcare analytics focuses on what you can’t do. This article is about what you can do. We will cover:
- The specific analytics challenges hospital marketing teams face.
- What HIPAA-compliant measurement actually enables (with concrete examples).
- How to structure a governance framework.
- How to evaluate vendors.
Whether you’re just starting to assess your analytics stack or you’re in the middle of implementation, you’ll find practical frameworks you can apply immediately.
The measurement challenges hospital marketers face
Hospital marketing teams deal with constraints that don’t exist in other industries.
Healthcare service line attribution breaks down immediately – You’re running simultaneous campaigns for cardiology, orthopedics, oncology, and women’s health. Each service line has different budget owners, margin profiles, and administrators demanding ROI proof. You can’t rely on seamless cross-site tracking when content and patient portals operate in separate environments, fragmenting the patient journey and limiting reliable attribution.
Multi-location tracking gets complex fast – Many hospitals now manage multiple locations, spanning flagship medical centers, community hospitals, urgent care clinics, specialty facilities, and others. Patients research on your main site, book at the most convenient location, and expect seamless experiences. You need analytics that can track how patients move across your public-facing web properties — from first research touchpoint to location-specific conversion — without stitching together data you’re not permitted to access.
Patient portals remain unmeasured – Your portal handles the most sensitive interactions that drive engagement, such as appointment scheduling, test results, and secure messaging. Most hospitals can’t properly measure portal adoption or feature usage because standard analytics can’t meet HIPAA requirements for authenticated environments. You’re left guessing which features drive satisfaction and where patients abandon tasks.
Telehealth analytics barely exists – Hospitals invested heavily in virtual visits, but measurement rarely goes beyond basic appointment counts. Many critical questions about your telehealth services are left unanswered. Without HIPAA-compliant telehealth analytics across your digital ecosystem, it becomes impossible to optimize your strategy or prove its business value.
Learn more about best practices for telehealth analytics: Telehealth analytics: Optimizing virtual care experiences in a HIPAA-compliant way
Proving marketing ROI requires dealing with PHI – Hospital CMOs need concrete numbers for board presentations. But tracking individual patient journeys from first website visit through appointment booking means handling protected health information (PHI) throughout your analytics pipeline. Most teams compromise by using proxy metrics that don’t demonstrate actual business impact, or risk compliance violations to obtain valuable data.
Is Google Analytics safe for healthcare organizations and patient portals?
Platforms like Google Analytics 4 (GA4) were built to measure marketing performance, not for organizations that handle sensitive user data.
As a hospital marketer using GA4, you are facing two main issues:
- GA4 collects persistent identifiers, routes data through Google’s infrastructure, and feeds into advertising networks – all by design, and all problematic in a healthcare context. Even if you’re not actively using some patient data, Google still receives it and may process it further.
- Google does not offer a business associate agreement (BAA) for Google Analytics, and under HIPAA a BAA is required for any vendor that handles PHI on your behalf.
Google itself warns about using GA when PHI may be involved:
“Customers must refrain from using Google Analytics in any way that may create obligations under HIPAA for Google. HIPAA-regulated entities using Google Analytics must refrain from exposing to Google any data that may be considered Protected Health Information (PHI), even if not expressly described as PII in Google’s contracts and policies.”
Some healthcare organizations implement Google Analytics server-side to limit PHI exposure, but this approach has real limitations. Even a well-architected setup carries risk: a single misconfiguration can cause PHI to leak, and the implementation requires substantial technical expertise to execute correctly, plus significant ongoing resources to maintain.
What PHI means for your website
To be specific: PHI isn’t limited to names, medical records, or data in your EHR. Under HIPAA, health information becomes PHI when it can be linked to an individual, even indirectly. For hospital websites, that includes:
- IP addresses combined with visits to service-line pages (like someone’s IP appearing in logs for your oncology or addiction treatment pages)
- URL parameters that reveal which condition page, physician, or service line a user visited
- Values typed into form fields on appointment request pages, which form-tracking or session-replay scripts can capture even if the form is never submitted
- Behavioral patterns within a patient portal that reveal what services a patient is using
- Third-party cookies – particularly third-party advertising cookies, which track users across sites and can connect health-related browsing behavior to individual profiles outside your control
- Visitor cookies – even first-party cookies can indirectly link health information to personal identifiers
- Click IDs like GCLID – appended to URLs by ad platforms, these identifiers travel through your analytics implementation and can share PHI with advertising platforms through conversion exports or tracking pixels, connecting a user’s health-related actions to their ad profile
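The click-ID and URL-parameter exposure described above is something a tracker implementation can defend against before any request leaves the browser. The following is an added example written for this article, not Piwik PRO code or any vendor's API: it strips ad-platform click IDs and direct-identifier parameters from the page URL, and flags paths where health intent can be inferred so those page views are routed only to a BAA-covered analytics instance. The parameter names, the path prefixes and the destination labels are assumptions for the example; you would replace them with your own site's inventory.

```javascript
// Added example (not Piwik PRO code). Scrub a page URL before it is handed to
// any analytics or advertising tag, and classify the page by health intent.

// Click-ID parameters that ad platforms append to landing-page URLs.
const CLICK_ID_PARAMS = new Set([
  'gclid', 'gbraid', 'wbraid', 'dclid', 'fbclid', 'msclkid', 'ttclid', 'twclid', 'li_fat_id',
]);

// Query parameters that commonly carry direct identifiers (assumed names).
const DIRECT_ID_PARAMS = new Set(['email', 'phone', 'mrn', 'patient_id', 'dob', 'name']);

// Path prefixes where a visit implies a condition or service line (assumed list).
const HEALTH_INTENT_PREFIXES = [
  '/oncology', '/cancer', '/cardiology', '/addiction', '/behavioral-health',
  '/appointments', '/find-a-doctor',
];

// Remove identifying query parameters and the fragment; report what was dropped.
function scrubUrlForAnalytics(rawUrl) {
  const url = new URL(rawUrl);
  const removed = [];
  // Copy the keys first so deleting while iterating is safe.
  for (const key of [...url.searchParams.keys()]) {
    const k = key.toLowerCase();
    if (CLICK_ID_PARAMS.has(k) || DIRECT_ID_PARAMS.has(k)) {
      url.searchParams.delete(key);
      removed.push(key);
    }
  }
  // Fragments can carry tokens or form state; never send them.
  url.hash = '';
  return { url: url.toString(), removed };
}

// True when the path alone reveals a health condition or service line.
function pageHealthIntent(rawUrl) {
  const path = new URL(rawUrl).pathname.toLowerCase();
  return HEALTH_INTENT_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
}

// Decide what may be sent where. Destination labels are assumptions.
function prepareTrackingRequest(rawUrl) {
  const { url, removed } = scrubUrlForAnalytics(rawUrl);
  const healthIntent = pageHealthIntent(rawUrl);
  return {
    url,
    removedParams: removed,
    healthIntent,
    // Pages with health intent go only to the BAA-covered instance.
    allowedDestinations: healthIntent
      ? ['baa-covered-analytics']
      : ['baa-covered-analytics', 'general-marketing-tools'],
  };
}

// Constructed sample URL for a stand-alone run.
console.log(prepareTrackingRequest(
  'https://www.example-health.org/oncology/breast-cancer?gclid=abc123&utm_source=google#form'
));
```

Run `prepareTrackingRequest` on `location.href` before the tracker records the page URL (most trackers let you override the URL they store). Two caveats a practitioner will want: scrubbing on the client does not undo the fact that the ad platform already attached the click ID to the user's profile when the link was clicked, and your web server's access logs still contain the raw URL, so log retention and access control on those logs remain a separate compliance item.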
Many hospitals and health systems continue to use Google Analytics. Deploying it on general public pages carries less compliance risk, but the picture changes once analytics touches pages where health-related intent can be inferred.
In markets where patients actively choose between competing health systems, one data incident can damage relationships you’ve spent years building.
HIPAA isn’t the only regulation hospital marketers need to consider
Most hospital marketing analytics compliance conversations stop at HIPAA, but the regulatory picture is broader and getting more complex.
- FTC enforcement on health data: The Federal Trade Commission has taken enforcement action against companies that shared health-related data through third-party pixels without consumer consent. Hospitals using advertising pixels on pages where health conditions are implied, such as symptom checkers, service line pages, and appointment booking user flows, face potential FTC scrutiny regardless of whether HIPAA violations occur.
- State-level health data laws: Washington’s My Health My Data Act, which went into effect in 2024, covers any entity that collects consumer health data, regardless of whether HIPAA applies. Similar legislation is advancing in other states. For multi-state health systems, this creates a compliance patchwork that standard analytics tools aren’t designed to handle.
- Pixel tracking violations: Since 2022, dozens of hospitals have faced class action lawsuits alleging they improperly shared patient data with third parties through tracking technologies such as Meta Pixel. For hospital marketing teams, this means that routine campaign tracking tools (pixels, click IDs and third-party cookies) have become potential evidence in litigation.
For healthcare providers, the path forward is choosing an analytics vendor that signs a BAA, processes data on infrastructure you control, and handles compliance by design rather than by workaround. This way, the marketing team can focus on campaigns, attribution, and performance rather than fielding technical questions from IT and compliance about whether you are leaking PHI.
What HIPAA-compliant analytics enables for hospital marketing
With HIPAA-compliant analytics, hospital marketers can answer the following questions:
Service line performance
- Which channels drive the most appointments for orthopedics vs. cardiology vs. oncology?
- Which service lines deliver the strongest return on our marketing investment?
- Which service lines have the highest patient acquisition costs?
- How do patients move through the funnel differently for elective vs. urgent care services?
Multi-location insights
- Which locations need more marketing support?
- Are patients traveling across our network for specialist care?
- Should we adjust location-specific campaign budgets?
- How do service lines perform differently by location?
Patient portal optimization
- Which features drive patient satisfaction and repeat engagement?
- Where do patients abandon appointment booking flows?
- What’s the completion rate for scheduling tasks?
- Which portal improvements would have the biggest impact?
Telehealth utilization
- How do patients discover your telehealth options?
- What’s the conversion rate from the information page to booking?
- Does telehealth increase total appointments or just shift in-person visits online?
- Which service lines see the best virtual consultation outcomes?
- Are telehealth patients converting to in-person procedures?
Practical measurement frameworks
Here’s how to implement HIPAA-compliant hospital analytics that answer real business questions while maintaining compliance.
Service line attribution framework
Map distinct measurement paths for each service line
For example, for orthopedics:
- Entry touchpoints: Paid search on procedure keywords, organic content about joint conditions, and physician directory searches
- Mid-journey micro-conversions: Treatment option pages, surgeon profiles, insurance verification
- Conversions: Appointment requests, tracked phone calls, patient portal registrations
Not all conversions are equally valuable for your organization — someone might register on the patient portal or call you asking about a service you offer, but in the end, they won’t book any appointments.
To further analyze the value of specific conversions, you can use Data Activation. For example, create an audience of users who meet the following conditions: signed up for the patient portal and logged in 4 times in the past 2 weeks. Looking at this audience, you’ll find active users who are more likely to use your services.
Set up service-line-specific conversion goals
Instead of generic form submissions, define goals tied to specific service lines — orthopedic consultations, cardiology appointments, oncology inquiries, or women’s health bookings. But avoid using descriptive names directly in your analytics platform. Goal names are often exported and shared across teams, and a label like “Oncology inquiry form submission” can constitute PHI if it’s ever linked back to an individual.
Use codified naming conventions instead — for example, “OC1” for an oncology-related goal rather than a descriptive label. The mapping between codes and service lines lives in your internal documentation, not in the analytics tool itself.
Create quarterly reporting that ties spend to outcomes
Use this sample report format to create your own:
| Service line | Marketing spend | Tracked conversions | Cost per acquisition | Volume change |
| --- | --- | --- | --- | --- |
| Orthopedics | $45,000 | 127 | $354 | +18% |
| Cardiology | $38,000 | 93 | $408 | +12% |
| Oncology | $32,000 | 67 | $477 | +8% |
Example: You allocate budget across channels, but most goes to paid ads. Your cardiology campaign shows strong click-through rates, but attribution data points to organic symptom-related content as the bigger driver of appointments. You shift budget toward content optimization and physician profiles. Complete journey stitching is rarely possible in healthcare — patient paths cross public sites, portals, and offline touchpoints, and HIPAA limits how much can be connected. The goal is consistent measurement across what you can track, ideally within a single compliant platform, so you’re always comparing like with like.
“As part of our marketing objectives to drive patient referrals, we partnered with Piwik PRO to gain valuable insights into the user experience on our referral web pages and the referral process. After enhancing our on-page content, we saw a remarkable 215% increase in page views and a 79% drop in bounce rates, resulting in a 40% rise in online referrals.”
Kelsey Harris
Web Strategist at Shepherd Center
Multi-location network analytics
Build a cross-property measurement network
Deploy analytics using a hub-and-spoke model where your main analytics instance aggregates data from all properties, but each location can also be analyzed independently:
- Central instance: Tracks the complete patient journey across all properties
- Location-specific views: Filter central data to show performance by facility
- Service line + location matrix: Measure how specific services perform at specific locations
This structure answers questions like: “Which locations need more marketing support for orthopedics?” or “Is our cardiovascular institute drawing patients system-wide or just locally?”
Set up custom dimension tracking
Tag interactions with the following dimensions:
- Location code (such as “flagship-downtown”, “community-north”, “urgent-westside”)
- Service line category
- Patient acquisition stage (awareness, consideration, conversion)
This lets you run reports showing patient flow patterns:
- Which locations receive the most cross-location referrals
- Geographic areas where brand awareness is weak
- Service lines that draw patients from across the system vs. those that are location-specific
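The codified goal naming described under the service line framework ("OC1" rather than "Oncology inquiry form submission") and the location, service line and stage dimensions above can be enforced in the tag layer rather than by convention alone. The following is an added example written for this article, not Piwik PRO code or any vendor's API: it builds an event whose custom dimensions carry only allowlisted codes, rejects descriptive health terms in event names, and then aggregates conversion events into the service line by location matrix and the concentration figure that answers whether a service line draws patients system-wide. The location codes, the code format, the forbidden-term list and the sample events are assumptions; the real code-to-service-line mapping stays in internal documentation, not in the tracker.

```javascript
// Added example (not Piwik PRO code). Enforce codified dimensions at event
// construction time, then aggregate events into a service line x location matrix.

// Allowlisted location codes (assumed; match the ones in your documentation).
const LOCATION_CODES = new Set(['flagship-downtown', 'community-north', 'urgent-westside']);
const STAGES = new Set(['awareness', 'consideration', 'conversion']);
// Service line codes are opaque: two letters plus digits, e.g. OC1 (assumed format).
const SERVICE_LINE_CODE = /^[A-Z]{2}\d{1,3}$/;
// Descriptive terms that must never reach an event name (assumed, non-exhaustive).
const FORBIDDEN_TERMS = ['oncology', 'cancer', 'cardiology', 'addiction', 'hiv', 'pregnan', 'psychiatr'];

// Validate and build one tracking event. Throws instead of sending bad data.
function buildEvent({ eventName, locationCode, serviceLineCode, stage }) {
  if (!LOCATION_CODES.has(locationCode)) throw new Error(`unknown location code: ${locationCode}`);
  if (!SERVICE_LINE_CODE.test(serviceLineCode)) {
    throw new Error(`service line must be an opaque code, got: ${serviceLineCode}`);
  }
  if (!STAGES.has(stage)) throw new Error(`unknown stage: ${stage}`);
  const lowered = eventName.toLowerCase();
  for (const term of FORBIDDEN_TERMS) {
    if (lowered.includes(term)) throw new Error(`event name contains descriptive health term: ${term}`);
  }
  return { eventName, dimensions: { loc: locationCode, sl: serviceLineCode, stage } };
}

// Count conversion events per service line code and location code.
function serviceLineLocationMatrix(events) {
  const matrix = {};
  for (const ev of events) {
    if (ev.dimensions.stage !== 'conversion') continue;
    const { sl, loc } = ev.dimensions;
    matrix[sl] = matrix[sl] || {};
    matrix[sl][loc] = (matrix[sl][loc] || 0) + 1;
  }
  return matrix;
}

// Share of a service line's conversions at its single busiest location.
// A share near 1 means the service line is location-specific; a low share
// means it draws patients from across the system.
function locationConcentration(matrix, serviceLineCode) {
  const byLocation = matrix[serviceLineCode] || {};
  const total = Object.values(byLocation).reduce((a, b) => a + b, 0);
  let topLocation = null;
  let topCount = 0;
  for (const [loc, n] of Object.entries(byLocation)) {
    if (n > topCount) { topLocation = loc; topCount = n; }
  }
  return { total, topLocation, share: total ? topCount / total : 0 };
}

// Constructed sample events for a stand-alone run.
function sampleEvents() {
  return [
    buildEvent({ eventName: 'goal_OR1', locationCode: 'flagship-downtown', serviceLineCode: 'OR1', stage: 'conversion' }),
    buildEvent({ eventName: 'goal_OR1', locationCode: 'flagship-downtown', serviceLineCode: 'OR1', stage: 'conversion' }),
    buildEvent({ eventName: 'goal_OR1', locationCode: 'community-north', serviceLineCode: 'OR1', stage: 'conversion' }),
    buildEvent({ eventName: 'view_CA1', locationCode: 'community-north', serviceLineCode: 'CA1', stage: 'awareness' }),
  ];
}

const demoMatrix = serviceLineLocationMatrix(sampleEvents());
console.log(demoMatrix, locationConcentration(demoMatrix, 'OR1'));
```

The validation runs in the tag manager or data layer, so a report export can never carry a label like "Oncology inquiry form submission"; anyone reading the export without the internal mapping sees only codes.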
“My team makes many decisions based on data. So, if we notice in Piwik PRO that people are interacting with our content differently than we assumed, then we pivot and make decisions to align with that. There certainly was a reason why we purchased Piwik PRO. We wanted to analyze the data to see how people are interacting with our digital platforms, and we take that very seriously.”
Tyler Pierce
Manager, Digital Engagement at Rochester Regional Health
Patient portal measurement
Track portal usage without creating persistent patient identifiers that expose PHI. Key metrics here include:
- Portal registration rate (share of users who completed registration after landing on the registration page)
- Feature usage distribution (scheduling vs. messaging vs. test results)
- Task completion rates for appointment booking flows
- The step where UX improvements would most raise completion rates (the largest drop-off in the flow)
Note: Metrics that link portal registration to a prior appointment — such as time from first visit to sign-up — require connecting data across systems. That typically means a server-side integration with your EHR rather than just standard analytics tracking.
Example: You launched a self-scheduling feature in your patient portal, but adoption seems lower than expected. Task completion data shows a large drop-off at the insurance verification step in your appointment scheduling flow — not at login or appointment selection as you assumed. You bring the findings to your UX and IT teams to explore simplifying the step or adding a save-and-return option.
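Task completion rates like the ones in the example above need nothing more than the sequence of steps a session reached; no persistent patient identifier is required. The following is an added example written for this article, not Piwik PRO code or any vendor's API: it computes per-step completion for a scheduling funnel from event records keyed only by a session-scoped id, and reports the step with the largest drop-off. The step names and the sample events are constructed for the example.

```javascript
// Added example (not Piwik PRO code). Funnel completion from session-scoped
// events only; the session id is never joined to a patient record.

// Ordered funnel steps (assumed names for the example).
const FUNNEL_STEPS = ['login', 'select_appointment', 'insurance_verification', 'confirm'];

// events: [{ sessionId, step }]. A session counts for step i only if it also
// reached every earlier step, so out-of-order or replayed events do not inflate counts.
function funnelReport(events, steps = FUNNEL_STEPS) {
  const reached = new Map(); // sessionId -> Set of step names
  for (const { sessionId, step } of events) {
    if (!reached.has(sessionId)) reached.set(sessionId, new Set());
    reached.get(sessionId).add(step);
  }
  const counts = steps.map(() => 0);
  for (const stepsReached of reached.values()) {
    for (let i = 0; i < steps.length; i++) {
      if (!stepsReached.has(steps[i])) break;
      counts[i]++;
    }
  }
  const rows = steps.map((step, i) => ({
    step,
    sessions: counts[i],
    // Conversion from the previous step; the first step is the baseline.
    stepConversion: i === 0 ? 1 : (counts[i - 1] === 0 ? 0 : counts[i] / counts[i - 1]),
  }));
  let largestDropOff = null;
  for (let i = 1; i < rows.length; i++) {
    const drop = 1 - rows[i].stepConversion;
    if (largestDropOff === null || drop > largestDropOff.drop) {
      largestDropOff = { from: steps[i - 1], to: steps[i], drop };
    }
  }
  return {
    rows,
    completionRate: counts[0] ? counts[steps.length - 1] / counts[0] : 0,
    largestDropOff,
  };
}

// Constructed sample: 10 sessions log in, 9 pick a slot, 3 pass insurance
// verification, 2 confirm. Six sessions abandon at insurance verification.
function sampleFunnelEvents() {
  const events = [];
  const add = (n, step) => {
    for (let i = 1; i <= n; i++) events.push({ sessionId: `s${i}`, step });
  };
  add(10, 'login');
  add(9, 'select_appointment');
  add(3, 'insurance_verification');
  add(2, 'confirm');
  return events;
}

console.log(JSON.stringify(funnelReport(sampleFunnelEvents()), null, 2));
```

Because the report only needs which steps a session reached, the session id can be a random value that expires when the portal session ends; the metric is the same whether or not you could ever tie it back to a patient.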
Donation analytics
For hospitals with philanthropic programs, understanding what drives donations is as valuable as tracking appointment conversions. Key metrics here include:
- Which content drives donation intent — disease awareness pages, patient stories, department-specific campaigns
- Conversion path from content to donation form, with drop-off points identified
- Offline-to-online attribution via UTM-tagged QR codes on event materials, direct mail, or printed collateral
- Repeat donor behavior and which content keeps donors engaged over time
Telehealth measurement
The telehealth questions listed earlier are answered with the same service line and location dimensions, applied to virtual visit bookings and to the in-person bookings that follow them.
Example: You’ve been promoting your telehealth services, and appointment volumes are growing. Your data shows that telehealth consultations for one service line frequently lead to in-person follow-up bookings, while another shows no such pattern. You use this to argue for different telehealth marketing strategies by service line rather than a one-size-fits-all approach.
HIPAA-compliant analytics vendor evaluation checklist
Choosing the right analytics platform involves more than compliance checkboxes. Marketing, IT, and legal all have different priorities, and a platform that satisfies one team may fall short for another.
Use this checklist to align all stakeholders before committing to a vendor and document the criteria behind your final recommendation.
Compliance requirements
- ✓ Business associate agreement (BAA) included
- ✓ Data encryption at rest and in transit
- ✓ Hosting options and data residency
- ✓ Granular user access controls
- ✓ Audit logging for all PHI access
- ✓ Data retention controls
Marketing requirements
- ✓ Service line-specific conversion tracking available
- ✓ Multi-location/multi-property analytics
- ✓ Custom reports and dashboards
- ✓ Attribution modeling capabilities
- ✓ Integration with existing marketing tools
IT requirements
- ✓ Technical support and SLAs
- ✓ Implementation assistance
- ✓ API access for custom integrations
- ✓ Scalability for growing data volumes
- ✓ Unlimited user seats (some vendors charge per user added, which drives up costs without adding analytical value)
- ✓ Role-based access controls
- ✓ Audit logs and activity tracking to monitor platform and data usage
This ensures all departments agree on the choice, preventing post-implementation conflicts.
HIPAA-compliant analytics for hospitals & healthcare systems with Piwik PRO
Piwik PRO was designed for organizations where privacy compliance is mandatory.
- Complete data ownership: All data stays on the infrastructure you control, either in a secure public cloud or private cloud. No sharing with ad networks, no third-party processing, no PHI sent to external vendors.
- Customizable business associate agreements: Sign a BAA tailored to your needs and protect all processing activities.
- Analytics for healthcare needs: Build service line dashboards, patient journey funnels, multi-location attribution reports, and portal engagement analyses.
- Authenticated environment tracking: Measure portal adoption and engagement with analytics designed for password-protected properties, without exposing patient communications or medical information.
- Tag management platform with built-in BAA-covered analytics: Govern all tracking implementations centrally. Define data policies once and enforce consistently across all properties.
- Secure integrations: Connect to Data Activation, CRM, marketing automation, and BI tools through APIs and ensure access to all tools in your data stack in one place.
Moving forward with HIPAA-compliant analytics
Regulatory scrutiny of healthcare data practices continues to intensify. Patient privacy expectations keep rising. Digital-first patient journeys become increasingly complex. And the cost of getting it wrong — OCR investigations, multi-million dollar settlements, headline-making breaches — has never been higher. Hospital systems that continue relying on non-compliant analytics platforms are gambling with patient trust, institutional reputation, and operational continuity.
Privacy-first analytics platforms provide the path forward. They enable the comprehensive measurement healthcare marketers need while maintaining the HIPAA compliance and patient privacy protections the industry demands.
In healthcare, trust and data go hand in hand. Implementing measurement capabilities that serve both marketing effectiveness and patient privacy is now a business imperative.
Related resources:
- The comparison of 9 HIPAA-compliant web analytics platforms
- HIPAA-compliant analytics in 2025: your complete vendor comparison and selection guide
- Telehealth analytics: optimizing virtual care experiences in a HIPAA-compliant way
- HHS guidance on using online tracking technologies: how to make your analytics HIPAA-compliant
Frequently Asked Questions
Is Google Analytics HIPAA-compliant for hospitals and healthcare systems?
No. Google does not offer business associate agreements for Google Analytics, which is necessary under HIPAA for any vendor that may process PHI. Google itself warns users not to use GA when PHI is involved. Beyond the BAA issue, GA4 collects persistent identifiers, routes data through Google’s infrastructure, and feeds into advertising networks. Using GA in environments where patient data is present creates direct compliance exposure, regardless of how the implementation is configured.
Is Piwik PRO HIPAA-compliant?
Yes. Piwik PRO was built specifically for organizations operating in regulated industries where privacy compliance is mandatory. It offers customizable business associate agreements, processes data on infrastructure you control — either in a private or secure public cloud, with US-based options available — and is designed with privacy and security measures built in. Piwik PRO also doesn’t share data with third-party vendors or advertising networks.
What counts as PHI on a hospital website?
Beyond names and medical records, PHI can include IP addresses paired with visits to condition-specific pages, visitor cookies that link health content interactions to personal identifiers like email, URL parameters revealing which service line or physician a user visited, and click IDs like GCLID passed through advertising platforms.
Is HIPAA the only regulation hospital marketers need to worry about?
No. FTC enforcement, Washington’s My Health My Data Act, and a growing wave of pixel-related class action lawsuits extend the compliance landscape well beyond HIPAA. A strategy built around HIPAA alone leaves meaningful exposure on multiple fronts.
What can hospital marketing teams measure with HIPAA-compliant analytics?
With the right infrastructure, hospital marketers can measure quite a lot – service line attribution by channel, multi-location patient flow, patient portal feature adoption and drop-off points, telehealth conversion rates, and marketing ROI tied directly to patient acquisition by service line. With this data, they can make more informed decisions.
What should hospitals look for when evaluating analytics vendors?
Start with the non-negotiables: a BAA that covers all data processing activities, data residency controls, secure hosting, and full data ownership. Beyond compliance, look for service line conversion tracking, multi-property analytics, consent management integration, and a vendor with no commercial stake in your patients’ behavioral data.