Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney.
SUMMARY
- In 2025, healthcare organizations face rigorous HIPAA compliance challenges, with increased enforcement resulting in substantial fines for violations, particularly when using non-compliant tools like Google Analytics, which cannot sign business associate agreements (BAAs) and risks exposing protected health information (PHI).
- Each healthcare organization needs to carefully assess the available analytics options, considering aspects like usability, resources, privacy and security, and analytics capabilities.
- HIPAA-compliant analytics platforms should provide features like customizable BAAs, robust data encryption, and secure hosting options to ensure compliance. On top of that, healthcare organizations should seek tools offering access to accurate data, flexible reporting and the ability to put data into action.
- Popular analytics tools like Adobe Customer Journey Analytics and Freshpaint provide HIPAA compliance but often involve high implementation costs, complex setups, or limitations like incomplete datasets due to aggressive PHI filtering.
- Platforms like Piwik PRO Analytics Suite offer a balance between strong privacy controls and actionable insights, allowing organizations to meet regulatory requirements without sacrificing analytics capabilities.
Collecting and analyzing user data is essential to healthcare businesses that want to build relationships with prospects, better meet their patients’ needs, and gain authority within the industry.
As a healthcare organization subject to HIPAA, you’re walking a fine line when trying to improve the patient experience and ensure your activities are HIPAA-compliant.
Since 2023, HIPAA enforcement has intensified, with over $100 million in fines for pixel tracking violations. Google Analytics remains dominant, but it’s fundamentally incompatible with HIPAA requirements.
In this article, we will show you the analytics vendors and implementations available on the market and explore their advantages and shortcomings concerning HIPAA compliance.
What are the challenges of finding a HIPAA-compliant analytics tool
HIPAA’s strict regulations require careful evaluation of analytics tools. Non-compliance risks heavy fines, with 47% of healthcare marketers reporting issues like reduced ROI and reputation damage.
As of 2025, HIPAA enforcement has surged, with fines up to $63,973 per violation and caps at $2M for repeat issues. In 2024, OCR closed 22 enforcement actions, followed by 10 more in 2025, targeting risk analysis failures.
When it comes to web analytics platforms and HIPAA, your approach depends on whether you collect protected health information (PHI) through your site or app. Data that isn’t considered PHI is outside the scope of HIPAA.
First, sharing PHI for marketing and analytics is not a permitted disclosure under the HIPAA Privacy Rule. To legally send PHI to your analytics platform, you must sign a business associate agreement (BAA) with the vendor, specifying each party’s responsibilities regarding PHI and ePHI and establishing a legally binding relationship.
Many vendors don’t want to sign BAAs. In this case, you must remove all identifiers from the data to use their services, so that it’s no longer considered PHI. But the process of de-identification is long and complicated.
For one thing, HIPAA views many types of URLs as PHI. It would be hard to de-identify all URLs, and doing so would make your analytics unusable. For example, de-identification would negatively impact remarketing and user-based or service-based reporting.
On the other hand, cherry-picking URLs containing PHI would also be difficult, mainly because of how much sites change over time.
If you need to comply with HIPAA, you should evaluate the available healthcare analytics solutions and find the right tool for your needs, even if it means migrating to a new vendor. Below, we will analyze how different vendors approach data privacy in healthcare and help you choose the best option for your organization.
Why Google Analytics isn’t HIPAA-compliant
Although Google Analytics remains widely used, numerous compliance concerns and recent enforcement actions have made GA4 unsuitable for healthcare organizations.
Let’s consider several ways to implement GA4 and explore the issues associated with each approach.
Client-side GTM and GA4
This setup is not HIPAA-compliant.
Why can’t you send protected health information (PHI) to Google
Organizations covered by HIPAA can’t disclose PHI to tracking technology vendors – this includes sharing and using PHI for marketing purposes. Google uses all data within its systems to develop new services, improve existing offerings, and create personalized advertising experiences. Using a covered entity’s PHI for these purposes, at Google’s scale of operations, can be a severe violation of HIPAA’s Privacy Rule.
Google also stores all tracked data in databases located around the world and offers neither on-premise hosting nor bespoke data residency services. Thus, covered entities cannot control where their patient data is stored. HIPAA sees this as a breach of accountability.
Google’s position is unambiguous in their official documentation. According to Google’s Analytics Help Center, “Customers who are subject to HIPAA must not use Google Analytics in any way that implicates Google’s access to, or collection of, PHI”.
You must make an extra effort to avoid passing any trace of PHI to your analytics or switch to an analytics platform that will help you process patient data with the proper safeguards.
When using client-side GTM, the user’s browser communicates directly with third parties, making it challenging to control the shared information. Depending on how your website or app processes user information, there might be a risk of PHI being shared in HTTP requests.
What are the challenges of defining protected health information (PHI)
Not all health data is PHI. For example, phone numbers or IP addresses alone aren’t PHI, but they become PHI when linked to health conditions or treatments.
The HHS bulletin elaborates on when data may qualify as PHI. Healthcare information collected on a regulated entity’s website or app is generally considered PHI even if:
- The individual does not have an existing relationship with the regulated entity, and
- Data such as IP address or geographic location does not include specific treatment or billing information, like dates and types of healthcare services.
HHS guidance states that authenticated pages will likely contain many forms of PHI, making them subject to HIPAA.
It also clarifies when unauthenticated pages include PHI. Specifically, whether PHI is being disclosed depends on the underlying intentions of the visitor.
For example, if a student visited a regulated entity’s webpage to review its oncology service offerings for a research paper, the collection of identifying information on the student would not be a violation because it is not related to the student’s health care. On the other hand, if an individual visited the same oncology webpage to seek a second opinion on a cancer diagnosis, any identifying information collected would be PHI because it relates to the individual’s past, present, and/or future health.
The bulletin also mentions that mobile apps contain PHI provided by the app user and their devices, such as geolocation or device ID.
You can’t set GA4 tags on any pages that may fit the definitions provided in the HHS bulletin.
Note: In June 2024, a judge ruled in favor of the AHA, declaring that OCR had overstepped its authority when issuing the guidance. On August 29, the OCR decided not to appeal the district court’s decision.
The court ruling and HHS’ decision not to appeal it do not settle the issue of collecting and using PHI by healthcare organizations. The ruling was issued in a specific case, indicating that an IP address combined with visit data from an unauthenticated web page does not constitute PHI. However, the ruling does not vacate other parts of the guidance, like those relating to authenticated pages such as patient portals.
While the definitions of PHI and ePHI are well-established, the widespread use and interoperability of modern IT systems make it easy for PHI to inadvertently leak into your website or app. It’s wiser to stay on the safe side rather than rely on a gray-area interpretation of PHI. To protect patient privacy and reduce the risk of hefty fines, organizations must remain vigilant about the data they collect and share with analytics vendors.
Learn more about the implications of the court ruling: The AHA’s lawsuit against HHS guidance on online tracking technologies: What it means for HIPAA-covered entities and their use of analytics
Server-side GTM and GA4
This setup is not HIPAA-compliant.
Server-side GTM, when properly set up, helps you control what data you share with Google. User data is only sent to the server hosting the GTM container rather than being shared with multiple third-party servers. You can remove any PII within the server container before passing the data on to marketing partners.
However, you’ll face two types of issues with this implementation.
Why is it difficult to de-identify protected health information (PHI)
Since you’re not allowed to send PHI to Google Analytics, you must strip all PII/PHI from the data before sending it to GA4.
De-identifying PHI requires the removal of all 18 HIPAA identifiers (Safe Harbor method) or expert analysis (Expert Determination method) to ensure the data isn’t PHI and doesn’t fall under HIPAA’s Privacy Rule.
That said, it’s unlikely that you’ll be able to strip all PHI.
IP addresses and device IDs can be easily removed with ssGTM. URLs are more complicated to de-identify because you collect the page URL and title on every visit. The title can contain sensitive information, such as a doctor’s name and specialization or a patient’s name, and link decorations can carry search parameters into the collected URL.
There are also issues with de-identifying custom dimensions, variables, and event attributes that you assign PHI to. For example, you may track a healthcare app and collect a custom event when someone clicks on a doctor’s image. The event collects the doctor’s name and specialization, which may lead to uncovering the individual’s health issue, thus making this data PHI.
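To make the two halves of this problem concrete, here is an added example (not code from Piwik PRO, Google, or any other vendor) of an ssGTM-style pre-forwarding scrubber: it drops the easy identifiers (IP address, device ID, known query parameters) and then runs a pattern-based review over the remaining string fields. The field names, the identifier and review patterns, and both sample events are constructed for illustration.

```javascript
// Added example: an ssGTM-style pre-forwarding scrubber (not Piwik PRO's or
// Google's code). Field names, patterns and the sample events are constructed.

// Query-string keys treated as direct identifiers and redacted (constructed list).
const IDENTIFIER_QUERY_KEYS = new Set([
  'appointment_id', 'patient_id', 'mrn', 'email', 'phone', 'q', 'search',
]);

// Patterns for things the mechanical scrub cannot judge on its own; a match
// means "a human must review this field", not "this is definitely PHI".
const REVIEW_PATTERNS = [
  { name: 'provider_name', re: /\bDr\.?\s+[A-Z][a-z]+/ },
  { name: 'date', re: /\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}\/\d{1,2}\/\d{2,4}\b/ },
  { name: 'email', re: /[^\s@]+@[^\s@]+\.[^\s@]+/ },
  { name: 'us_phone', re: /\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b/ },
];

// Redact identifier-bearing query parameters, keep the rest (e.g. utm_* tags).
function scrubQueryString(urlString) {
  if (typeof urlString !== 'string') return urlString;
  let url;
  try { url = new URL(urlString); } catch { return '[unparseable-url]'; }
  for (const key of [...url.searchParams.keys()]) {
    if (IDENTIFIER_QUERY_KEYS.has(key.toLowerCase())) {
      url.searchParams.set(key, 'redacted');
    }
  }
  return url.toString();
}

// Step 1: the easy part. Direct identifiers are simply dropped or redacted.
function scrubEvent(event) {
  const out = { ...event };
  delete out.ip_address;
  delete out.device_id;
  out.page_location = scrubQueryString(out.page_location);
  return out;
}

// Step 2: the hard part. Titles, paths and custom attributes can still carry
// PHI (a doctor's name next to a specialty), so flag them for review.
function reviewResidualPhi(event) {
  const findings = [];
  for (const [field, value] of Object.entries(event)) {
    if (typeof value !== 'string') continue;
    for (const p of REVIEW_PATTERNS) {
      if (p.re.test(value)) findings.push({ field, pattern: p.name });
    }
  }
  return findings;
}

// Forward only when the scrubbed event has no open review findings.
function processEvent(event) {
  const scrubbed = scrubEvent(event);
  const findings = reviewResidualPhi(scrubbed);
  return { scrubbed, findings, forward: findings.length === 0 };
}

// Constructed sample events (TEST-NET-3 addresses, example domain).
const DOCTOR_CLICK_EVENT = {
  event_name: 'doctor_profile_click',
  ip_address: '203.0.113.7',
  device_id: 'dev-0000-constructed',
  page_location: 'https://clinic.example/oncology/second-opinion?appointment_id=A-1001&utm_source=newsletter',
  page_title: 'Dr. Example, Oncology | Clinic',
  doctor_name: 'Dr. Example',
  doctor_specialty: 'Oncology',
};
const CAREERS_PAGE_EVENT = {
  event_name: 'page_view',
  ip_address: '203.0.113.8',
  page_location: 'https://clinic.example/careers?utm_source=newsletter',
  page_title: 'Careers | Clinic',
};

console.log(JSON.stringify(processEvent(DOCTOR_CLICK_EVENT), null, 2));
```

Note what the review does not catch: the specialty field and the `/oncology/second-opinion` path pass every pattern, yet combined with a visitor identity they are exactly the context the HHS bulletin treats as PHI, which is why pattern matching alone cannot finish the de-identification job.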
What are the legal risks of using Google Tag Manager in healthcare
Another aspect concerns the legal risk involved with using GTM together with GA4.
This is reinforced by Google’s Tag Manager Use Policy, which explicitly states that users “will not assist or permit any third party to pass information, hashed or otherwise, to Google that Google could use or recognize as personally identifiable information”.
As a result, you can’t send PII to GA4, and PHI is a subset of PII.
Some people say that you can still safely analyze such data in GA4, and these terms don’t apply because:
- You can host ssGTM on the HIPAA-compliant infrastructure of your choice.
- If you de-identify data, it’s no longer considered PHI.
But there is a lot at stake here. As a HIPAA-covered entity, consult your legal team before implementing this option.
Find out more about Google Analytics and HIPAA: Is Google Analytics HIPAA-compliant?
ssGTM, BigQuery, and data visualization tool
This setup may be HIPAA compliant if you take certain steps.
Another option involves combining ssGTM with BigQuery and a data visualization tool.
The only issue affecting this setup is the difficulty of de-identifying data in ssGTM, described above. This problem can be mitigated when you work with a HIPAA-compliant data collection tool.
For example, you can pair ssGTM with a separate data collection system and transfer events directly into BigQuery. With this setup, the data is never sent to Google Analytics servers and is only recorded in BigQuery, which is HIPAA-compliant. You can store the raw data and access it with a BI tool such as Looker Studio or Tableau.
Streaming events from ssGTM to BigQuery is simple but lacks analytics processing, requiring additional data handling in BigQuery.
Cons
- Loads of maintenance needed, which leads to inflated data team costs.
- De-identification will most likely be necessary with ssGTM, depending on downstream technologies’ compliance with HIPAA. It’s a complex and time-consuming process that requires stricter organizational measures.
- ssGTM lacks transparency – there is no way for end-users to monitor or make decisions about data processing.
Pros
- A lot of talent on the market is proficient at using Google’s products and can support your implementation.
- The setup with ssGTM and BigQuery is quite popular.
- You have the flexibility of your own data warehouse.
Adobe: Enterprise analytics solution
Adobe is the second-biggest enterprise analytics player on the market.
Adobe offers a few products that can help you improve healthcare experiences while protecting patient privacy:
- Adobe Analytics (AA) is an analytics and reporting solution that monitors user traffic and interactions across various marketing channels. AA offers customizable reporting, segmentation and predictive insights, but is complex, costly, and requires specialized expertise, limiting its accessibility.
- Adobe Customer Journey Analytics (CJA) lets you connect cross-channel data, explore the customer journey in full context and apply AI-driven insights, and it resembles GA4. Concerning HIPAA, CJA can easily identify and secure PHI and PII, apply access rules, and create data use audits.
- Adobe Launch is a tag management system and part of Adobe Experience Manager.
- Adobe Real-Time Customer Data Platform (CDP) connects customer data from all your channels into unified profiles that support discovering insights and delivering personalized experiences.
So, do Adobe’s products help you comply with HIPAA?
Providing PHI to Adobe is compliant only if it concerns a HIPAA-ready service and follows the license agreement and BAA between Adobe and its client. To see which Adobe services qualify, consult Adobe’s list of HIPAA-ready products.
Two analytics setups have been implemented on the market using Adobe’s products:
Adobe Launch and Adobe Analytics
This setup is not HIPAA compliant.
Adobe Analytics is not listed as HIPAA-ready on Adobe’s site. It means that Adobe won’t sign a BAA with you to use AA. As a result, you are not permitted to create, receive, maintain, or transmit PHI through Adobe Analytics.
Adobe Launch and Adobe Customer Journey Analytics
This setup is HIPAA compliant.
Adobe CJA is on the HIPAA-ready list, so you can safely use it as a HIPAA-covered entity and send PHI to it. This setup can be complemented with Adobe CDP for audience creation and activation.
However, since the only way to achieve HIPAA compliance with Adobe is by using CJA, note that this tool’s main advantage is integration with other components in the Adobe Experience Platform. By itself, CJA is far less advanced than AA.
It’s also worth noting that cost considerations are significant with Adobe solutions. Adobe’s enterprise analytics packages typically start at $48,000 annually, making it one of the more expensive options in the market.
Cons
- You are faced with high implementation and subscription costs.
- Adobe’s analytics products are difficult to learn and use.
- You risk single-vendor lock-in due to the number of other tightly integrated products offered by Adobe.
Pros
- You can sign a BAA.
- You get an all-in-one analytics solution.
Piwik PRO: Full-featured HIPAA analytics
Piwik PRO has emerged as the leading HIPAA-compliant alternative to Google Analytics, purpose-built for organizations operating in highly regulated industries. Piwik PRO provides privacy-friendly analytics and combines accuracy, flexibility, and complete control when collecting and analyzing customer data.
Unlike other vendors that add compliance features later on, Piwik PRO was designed from the ground up with privacy and security requirements in mind, including HIPAA-related features and controls. Piwik PRO also helps you comply with the HHS bulletin on the use of tracking technologies. Because of that, we can easily support your analytics use cases in healthcare.
Here is an overview of our modules, all of which allow you to comply with HIPAA:
- Analytics allows you to analyze the customer journey across websites and apps. You can use advanced analytics features like funnels, user flows, customizable reports and dashboards. And you can always extend the platform’s capabilities through custom development and integrations. You can use raw data exports to send data to any destination. Increased security features allow you to use Analytics in sensitive industries, like healthcare.
- Tag Manager lets you quickly create, test, and deploy tags from customizable templates. You gain greater flexibility in collecting and utilizing your data through smooth integration with other Piwik PRO modules.
- Customer Data Platform (CDP) enhances your ability to act on the insights you draw from your data. You can better understand your customers, provide more personalized experiences, and improve your campaigns.
- Consent Manager is an optional addition for increased transparency, allowing you to collect, manage, and store user consents.
Key HIPAA compliance features
The most important features of Piwik PRO that support HIPAA compliance include:
- Ability to sign a customizable business associate agreement (BAA), allowing you to send all types of PHI to your analytics setup.
- Hosting on HIPAA-compliant Microsoft Azure data centers, where you can choose the specific location of your data.
- ISO 27001 and SOC 2 type II certifications.
- Encryption of ePHI when the data is at rest and in transit.
- Advanced user-permission options that let you put PHI only in the hands of authorized personnel.
- Not sharing ePHI with third parties or reusing it for other purposes.
- Regular privacy and security audits undertaken by external, independent bodies to ensure the highest level of security measures.
Implementation options
Recommended ways for you to implement Piwik PRO modules include:
Piwik PRO Analytics, Tag Manager and CDP
This setup is HIPAA-compliant and provides a complete suite of modules for effective healthcare analytics.
With this option, you can safely collect and analyze PHI and ePHI while respecting the highest privacy and security safeguards. You can analyze the customer journey across all channels, control data collection and adjust it to your needs, and you get to activate the data to improve the patient experience.
Piwik PRO Analytics Suite and a data warehouse
This setup is HIPAA-compliant.
This is a point solution for marketers, combining the capabilities of analytics and activation. You can connect our suite of products with a data warehouse via scheduled raw data exports or API, allowing you to extend the platform’s data analysis functionalities.
Learn more about How to make your website compliant with HIPAA using Piwik PRO.
Cons
- You are using tools from one vendor only.
- The Tag Manager module is client-side.
Pros
- You can sign a BAA.
- You get an all-in-one analytics solution.
- The costs are low.
- CDP is available for server-side profile activations.
- You have the ability to use Piwik PRO as an analytics endpoint in server-side tracking, which improves data collection, accuracy and control.
- The modules are easy to learn and use thanks to their similarity to the Universal Analytics interface.
Freshpaint: Healthcare Privacy Platform
This setup is HIPAA-compliant but has limitations.
Freshpaint offers its Healthcare Privacy Platform, which serves as a privacy layer between your website and analytics tools.
It captures all tracking data and automatically de-identifies PHI before sending cleaned data to downstream tools. While this approach allows continued use of familiar platforms, it comes with significant trade-offs.
Freshpaint is not an analytics platform itself and must be connected to other tools to create a full analytics setup. Setup and maintenance require significant technical skills, resources, and coordination across multiple teams, which makes using the tool very costly.
You also can’t report on or visualize the data within Freshpaint’s platform, meaning you won’t have access to PHI. As a result, your dataset will be incomplete and therefore not fully accurate.
Cons
- Not a complete analytics platform – requires additional tools for full functionality
- Complex setup and maintenance requiring specialized technical expertise
- Higher total cost when factoring in multiple vendor relationships
- Limited reporting capabilities within Freshpaint itself
- Data accuracy issues due to aggressive PHI filtering
- Ongoing compliance risk if de-identification fails
Pros
- Enables the use of the existing Google Analytics setup
- Healthcare-specific BAA and compliance features
- Advanced PHI detection and filtering capabilities
Using a mix of vendors
This setup may be HIPAA compliant if you take certain steps.
Combining tools from different vendors can get complex. You need to assess your needs very well, understand what each tool offers, and check how it can help you comply with HIPAA.
Generally, your analytics setup should include the following tools:
Data collection system + data warehouse + data visualization tool
We list some popular data collection systems below and link to the relevant information regarding their HIPAA compliance. Aside from that, you will need to verify their specific HIPAA compliance yourself.
Data collection system
Data collection tools like CDPs (e.g., Segment) and BDPs (e.g., Snowplow) vary in complexity and offered capabilities. These vendors offer more than just pure tracking, meaning you need to make a separate assessment of your needs and how these tools fulfill them.
Popular data collection systems (trackers or CDPs) that will sign a BAA:
- Rudderstack
- Tealium
- Segment
- Snowplow – no need for a BAA in the self-hosted version (it’s uncertain whether the vendor would sign a BAA for the cloud)
Data warehouse
A data warehouse holds data that is extracted, loaded, and transformed from one or more operational source systems and modeled to enable data analysis and reporting in your business intelligence (BI) tools.
Popular data warehouse providers that will sign a BAA:
- Snowflake
- Google Cloud Platform (such as Google BigQuery)
- Microsoft Azure (such as Microsoft Azure Data Synapse)
- Amazon Web Services (such as Amazon Redshift)
Data visualization tool
A data visualization tool enables the visual representation of data, allowing for the effective extraction of actionable insights from the data.
Popular data visualization tools that will sign a BAA:
Common setups that include different vendors:
- Piwik PRO (data collection, visualization, and CDP) + data warehouse (data copy for science team) + Looker Studio or Tableau (broad data visualization)
- Adobe CJA + CDP + AEP (data collection, activation, and visualization)
- Rudderstack (data collection, CDP) + data warehouse + data visualization tool
Most data collection vendors, such as Freshpaint, allow for GA4 as a destination, so the flow can also look like this:
A data collection system + GA4
However, this setup requires you to de-identify PHI to safely use it.
Cons
- You need to review the HIPAA compliance of each vendor – analyze security and privacy, manage and negotiate cooperation with all three selected vendors, sign a BAA with each of them, etc.
- The connection between the systems may not be seamless – changes or API updates in each of those vendors may break your setup.
- You would require a data analyst or database expert to manage and maintain pipelines.
- The costs are very high – you need to pay for implementation, licensing of multiple vendors, and maintenance.
Pros
- You benefit from diversification of vendors, meaning no vendor lock-in.
- You can combine the benefits and features of each system you implement.
How to choose the right HIPAA-compliant analytics platform
As of 2025, the choice is no longer whether to replace Google Analytics, but which HIPAA-compliant alternative to choose. With enforcement at record levels and mature alternatives available, healthcare organizations that continue using Google Analytics are taking unnecessary legal and financial risks.
Here is a breakdown of key features of the recommended HIPAA-compliant analytics tools that we’ve looked into:
| | Piwik PRO | Adobe CJA | Freshpaint | Mix of vendors |
|---|---|---|---|---|
| HIPAA compliance | | | | |
| Ease of implementation | | | | |
| Secure data handling for organizations in sensitive industries | | | | |
| Cost | $ | $$$ | $$ | $$$ |
| Data ownership | | Adobe ecosystem | Limited | |
| Support quality | | | | |
| Built-in analytics capabilities | | | | |
| Integrations with other tools | | | | |
Compared to other options for analytics in healthcare, Piwik PRO offers the optimal balance of HIPAA compliance, enterprise features, and affordability, with a Google Analytics-like interface for seamless adoption.
Frequently asked questions (FAQ) about healthcare analytics platforms
Can I use server-side Google Tag Manager with BigQuery safely for HIPAA compliance?
Yes, BigQuery can be HIPAA compliant with a signed BAA, but the challenge lies in the server-side GTM de-identification process. You’ll face significant technical hurdles removing PHI from URLs, custom dimensions, and event parameters before data reaches BigQuery. The setup requires ongoing maintenance and carries compliance risks if de-identification fails. Most healthcare organizations find dedicated HIPAA-compliant platforms more reliable and cost-effective long-term.
What specific data gets classified as PHI that I might accidentally send to Google Analytics?
Beyond the obvious patient names or medical record numbers, common PHI in analytics includes: URL parameters containing appointment IDs or doctor names, page titles with patient-specific information, custom events tracking interactions with doctor profiles, search terms entered on health condition pages, and form field data from appointment booking. Even data like “clicked on Dr. Smith’s cardiology page” combined with an IP address can constitute PHI.
Can I safely use Google Analytics now that the HHS guidance was ruled unlawful by the court?
No. The June 2024 court ruling was very specific – it only addressed IP addresses on unauthenticated pages where visitor intent couldn’t be determined as health-related. The ruling explicitly did NOT address authenticated pages (like patient portals), pages with clear health intent, or other forms of PHI collection. Google still refuses to sign BAAs, making compliance impossible for most healthcare analytics use cases.
Do I need to de-identify data for HIPAA-compliant analytics tools?
No, one of the major advantages of truly HIPAA-compliant platforms is that you don’t need to de-identify PHI before sending it to them. Platforms like Piwik PRO that sign BAAs can legally receive and process PHI. This eliminates the complex and error-prone de-identification process required for non-compliant platforms like Google Analytics.
What should I do if my current analytics vendor won’t sign a BAA?
If your current vendor refuses to sign a BAA, you have limited options:
- Stop sending PHI to that platform (often impractical for healthcare sites)
- Implement data de-identification (complex and error-prone)
- Switch to a compliant alternative (recommended approach)
- Use an intermediary solution like Freshpaint (adds complexity and cost)
The cleanest solution is typically migrating to a platform designed for healthcare compliance.
Can I use multiple analytics platforms simultaneously?
Yes, but with considerations. You can run compliant analytics alongside other platforms, but ensure that any platform receiving PHI has a signed BAA. Some organizations use compliant analytics for authenticated/sensitive pages and standard analytics for purely informational content. However, managing multiple platforms increases complexity and costs – a single compliant solution across your entire digital presence is often more efficient.