Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but does not provide legal consultancy. If you’d like to make sure you’re in compliance with HIPAA guidelines, we encourage you to consult an attorney.
QUICK ANSWER
Google Analytics is not HIPAA-compliant. Google explicitly states it doesn’t satisfy HIPAA requirements and won’t sign a business associate agreement (BAA) with covered entities. Healthcare organizations that collect protected health information (PHI) cannot use Google Analytics without risking HIPAA violations.
Using analytics tools in a highly regulated sector, such as healthcare, requires caution, especially if you operate in the US or work with US patients. In this case, you must process and store protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA sets federal standards for processing, storing, and disclosing protected health information in any form – electronic, written, or spoken.
Healthcare entities cannot engage in the impermissible disclosure of PHI to tracking technology vendors. This is particularly important now that vendors like Google Analytics collect an expanding range of sensitive information. Ensuring that any disclosure of PHI is consistent with HIPAA has become more critical than ever.
Healthcare analytics – Google Analytics and HIPAA
If you use Google Analytics or similar software, you’re likely already optimizing your website to serve your customers better. But what about Google Analytics and HIPAA compliance?
In short, if you’re a HIPAA-covered entity, using GA4 puts you at serious risk of a HIPAA breach.
Using Google Analytics to collect and process PHI and ePHI
Protected health information (PHI) encompasses any data related to a patient’s health condition, treatment, or payment when combined with personal identifiers.
Google explicitly prohibits using Google Analytics for any purpose involving PHI if you’re a covered entity or business associate and they won’t sign the required business associate agreement (BAA).
Google’s HIPAA disclaimer
According to the disclaimer, “Google does not intend uses of Google Analytics to create obligations under HIPAA and makes no representations that Google Analytics satisfies HIPAA requirements. If you are a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose involving Protected Health Information.”
Why Google won’t sign a BAA with you
Google won’t sign a BAA because:
- Google’s data usage practices conflict with HIPAA: Google’s terms and conditions allow them to use tracked data for advertising, service development, and content personalization – practices that violate HIPAA when applied to PHI.
- No data residency guarantee: Data is stored in randomly assigned data centers, potentially outside the US, making it impossible to maintain the accountability HIPAA requires – you don’t know the exact location of your patients’ data.
As a result, if you pass any trace of PHI/ePHI into Google Analytics, you’re breaking HIPAA regulations and Google’s terms of service. This may result in the termination of your GA account.
The tracking problem
Google Analytics creates individual user profiles that persist across websites, tracking users long after they leave your site. For healthcare organizations, this means:
- Patient behavior data may inform the ads they see elsewhere online
- Unique identifiers link health-related browsing to individual users
- These tracking practices occur without clear visibility to site visitors
This not only violates HIPAA but also erodes patients’ trust in your organization.
Read also: How to make your analytics HIPAA-compliant: A practical checklist for healthcare marketers. Follow this step-by-step HIPAA compliance checklist to ensure your analytics meet healthcare privacy standards and protect patient data.
Can you use Google Analytics if you avoid collecting PHI?
Using Google Analytics without collecting PHI is theoretically possible, but it is also risky. PHI can appear in unexpected places:
- URLs containing patient identifiers or appointment details
- Form fields capturing health-related information
- Page visits to symptom checkers or treatment pages, when combined with IP addresses
Recent legal developments: While a 2024 court ruling challenged HHS guidance on whether IP addresses combined with page visit data constitute PHI on unauthenticated pages, this doesn’t resolve the broader issue. The ruling doesn’t apply to authenticated pages (like patient portals), and organizations must remain vigilant about all PHI collection points.
Whether or not a piece of data is considered PHI is subject to interpretation. HHS has also previously stated that whether PHI is being disclosed depends on the visitor’s underlying intentions, which are difficult to determine with complete certainty.
The complexity of PHI protection and the multiplicity of contexts involved dictate special caution. Organizations must remain vigilant about the data they collect and share with analytics vendors in order to protect patient privacy and reduce the risk of hefty fines and loss of trust.
Considering all these aspects, using Google Analytics by HIPAA-covered entities is risky. If you want to take that risk, you must ensure no PHI finds its way into the platform.
Here’s what PHI in URLs looks like:
https://healthclinics.com/your_account_john_hill/stomatologist_nelson_green
https://healthclinics.com/url8554
The first URL contains PHI – your patient’s name, and their doctor’s name and specialization. Meanwhile, the second URL has PHI scrubbed and shows only a universally unique identifier. Ensure your settings and site architecture are properly configured so the first URL switches to the second one before it reaches your analytics.
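One way to make that switch happen in the browser, before any analytics or tag-management script sees the page URL, is an allowlist-based scrubber. The code below is an added example written for this article, not Piwik PRO's or Google's code; the route patterns, the `utm_*` parameter allowlist and the `/unclassified` placeholder are hypothetical and modelled on the sample URLs above. Known public paths pass through, paths that embed a patient or provider name collapse to a fixed template, and anything unrecognised fails closed.

```javascript
// Added example: rewrite a page URL into a PHI-free form before it is handed
// to an analytics or tag-management script. Route patterns and parameter
// names are hypothetical; adapt them to your own site map.

// Paths known to carry no patient data may pass through unchanged.
const PUBLIC_PATH_PATTERNS = [
  /^\/$/,
  /^\/(about|contact|locations)$/,
  /^\/services(\/[a-z-]+)?$/,
];

// Paths that embed identifiers are collapsed to a fixed template, so the report
// still shows which kind of page was viewed, but not whose.
const SENSITIVE_ROUTE_RULES = [
  { match: /^\/your_account_[^/]+\/[^/]+$/, template: '/your_account/provider' },
  { match: /^\/your_account_[^/]+$/, template: '/your_account' },
  { match: /^\/appointments\/\d+$/, template: '/appointments/detail' },
];

// Only campaign parameters survive; search terms, record ids and e-mail
// addresses in the query string are dropped.
const ALLOWED_QUERY_PARAMS = new Set(['utm_source', 'utm_medium', 'utm_campaign']);

// Fail closed: an unrecognised path is replaced with this placeholder rather
// than forwarded as-is, because an unknown route may carry PHI.
const UNKNOWN_PATH = '/unclassified';

function scrubPath(pathname) {
  if (PUBLIC_PATH_PATTERNS.some((re) => re.test(pathname))) return pathname;
  const rule = SENSITIVE_ROUTE_RULES.find((r) => r.match.test(pathname));
  return rule ? rule.template : UNKNOWN_PATH;
}

function scrubUrlForAnalytics(rawUrl) {
  const url = new URL(rawUrl);
  url.pathname = scrubPath(url.pathname);

  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_QUERY_PARAMS.has(key)) kept.append(key, value);
  }
  url.search = kept.toString(); // empty string removes the '?' entirely
  url.hash = '';                // fragments can carry in-app state such as a record id
  url.username = '';            // never forward embedded credentials
  url.password = '';
  return url.toString();
}

// Constructed sample URLs, mirroring the article's example.
const SAMPLE_URLS = [
  'https://healthclinics.com/your_account_john_hill/stomatologist_nelson_green',
  'https://healthclinics.com/services/dermatology?utm_source=newsletter&patient=123#rec-99',
  'https://healthclinics.com/search?q=lab+results',
];

function scrubAll(urls) {
  return urls.map(scrubUrlForAnalytics);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [raw, clean] of SAMPLE_URLS.map((u) => [u, scrubUrlForAnalytics(u)])) {
    console.log(`${raw}\n  -> ${clean}`);
  }
}
```

Wire `scrubUrlForAnalytics(location.href)` into whatever variable your tag manager uses as the page URL, and treat a `/unclassified` entry in reports as a signal that a route needs an explicit rule. The fail-closed default is the security-relevant design choice: a scrubber that forwards unknown paths would leak exactly the pages you forgot to think about.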
De-identifying data to remove PHI is technically possible, and properly de-identified data no longer falls under HIPAA, but the process presents significant challenges:
- It’s time-consuming and requires strict organizational processes
- It’s especially difficult for custom dimensions and event attributes
- De-identified data loses value for personalization, patient journey analysis (returning visitors will appear as new visitors) and detailed conversion attribution
- Even minor errors can result in HIPAA violations
What about server-side Google Tag Manager?
Server-side GTM gives you more control over data sharing, but it doesn’t solve the HIPAA problem:
- GTM’s use policy requires compliance with GA4’s terms of service, which prohibit sending PII (and PHI is a subset of PII)
- You must de-identify all PHI before sending data to Google – a complex, error-prone process
- The risk of accidental PHI disclosure remains high
How to make your analytics HIPAA-compliant
To achieve HIPAA compliance in analytics, use a platform that signs a business associate agreement (BAA). This allows you to track PHI without de-identification or data restrictions.
Here are some full-featured enterprise analytics platforms offering BAAs:
- Piwik PRO – offering analytics + data activation, US-based hosting and enhanced privacy capabilities
- Adobe Customer Journey Analytics (note that standard Adobe Analytics doesn’t offer BAAs)
Other options include platforms focused on product analytics, like:
- Mixpanel
- Heap
- Amplitude
For a healthcare data pipeline, you can opt for Freshpaint, which provides HIPAA compliance but requires connecting a separate analytics tool for measurement and analysis.
When selecting the right tool, review each platform’s strengths individually and examine your specific needs in terms of functionality, ease of use, resources, and cost.
Learn more: A review of HIPAA-compliant analytics platforms
HIPAA compliance with Piwik PRO
Piwik PRO enables you to securely collect and analyze PHI and ePHI, helping you deliver an even better, more personalized patient experience.
It provides a strong HIPAA-compliant analytics foundation through:
- Business associate agreements (BAA) tailored to your needs
- HIPAA-compliant Microsoft Azure hosting in the US
- ISO 27001 and SOC 2 certification, including HIPAA certification
- 100% data control – we don’t share or reuse your data
- Granular access controls restricting data to authorized personnel
- Detailed audit logs tracking data access and configuration changes
Piwik PRO’s integrated platform includes:
- Analytics, Tag Manager, Consent Manager, and Data Activation in one solution
- User-friendly interface with customizable dashboards and reports, enabling both basic and advanced analytics
- Integrations with marketing tools and data storage platforms
Piwik PRO vs. Freshpaint
Both Piwik PRO and Freshpaint offer HIPAA compliance, but they differ significantly in the features they provide.
Piwik PRO is an all-in-one platform with analytics and data activation capabilities that can be further extended through integrations with other tools and platforms. It also employs high-level privacy and security features. Overall, you get HIPAA compliance and comprehensive analytics capabilities within a single platform.
Freshpaint, on the other hand, doesn’t offer analytics capabilities. It sits between data sources (such as data warehouses) and third-party data destinations, acting as a buffer to prevent PHI from being sent to non-compliant tools. As a result, setup and maintenance require significant technical skills, resources, and coordination across multiple teams, making the tool very resource-intensive.
Best practices for HIPAA compliance in analytics
Start by reviewing your website architecture, analytics implementation, and tag management setup. Work with your legal team or hire an analytics auditor to assess your digital infrastructure.
Key areas to audit include:
Data collection
- Are you tracking user IDs? How are they used?
- What PHI appears in URLs, page titles, or query strings?
- What information do forms collect, and how is it used?
Privacy measures
- Are IP addresses anonymized or hashed?
- Do you track GPS or precise location data?
- What third-party scripts run on your site?
Vendor management
- Which tools have access to PHI?
- Do you have BAAs in place for all vendors handling PHI?
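The audit questions above can be partly automated against a sample of the hits your analytics setup actually emits. The block below is an added example, not Piwik PRO's or any vendor's code: the hit record shape (`user_id`, `ip`, `geo`, `page_title`) is a hypothetical export format, the sample hits are constructed, and the health-related keyword list is illustrative. It flags user IDs, non-anonymized IPv4/IPv6 addresses and precise coordinates, then reports the combination of an identifier with health-related page content, which is the pairing the text describes as potentially constituting PHI.

```javascript
// Added example: audit captured analytics hits for the checklist's signals.
// Record shape and sample data are constructed for this illustration.

// Expand an IPv6 address into its eight groups (handles one '::' shorthand;
// leading zeros inside a group are left as written, not normalized).
function expandIpv6(ip) {
  const [head, tail = ''] = ip.toLowerCase().split('::');
  const left = head ? head.split(':') : [];
  const right = tail ? tail.split(':') : [];
  const missing = 8 - left.length - right.length;
  if (missing < 0 || (!ip.includes('::') && left.length !== 8)) {
    throw new Error(`unsupported IPv6 address: ${ip}`);
  }
  return [...left, ...new Array(missing).fill('0'), ...right];
}

// Truncate an address so it no longer identifies a single host:
// IPv4 keeps the first three octets, IPv6 keeps the first 48 bits.
function anonymizeIp(ip) {
  if (ip.includes(':')) {
    return `${expandIpv6(ip).slice(0, 3).join(':')}::`;
  }
  const octets = ip.split('.');
  if (octets.length !== 4) throw new Error(`unsupported IP address: ${ip}`);
  return `${octets.slice(0, 3).join('.')}.0`;
}

// Illustrative keywords; a real list comes from your own site's content map.
const HEALTH_TERMS = /\b(appointment|prescription|lab results?|diagnosis|symptom|treatment|patient portal)\b/i;

// Return a list of findings for one hit; an empty list means nothing to flag.
function auditHit(hit) {
  const identifiers = [];
  if (hit.user_id) identifiers.push('user_id');
  if (hit.ip && anonymizeIp(hit.ip) !== hit.ip) identifiers.push('raw IP address');
  if (hit.geo && (hit.geo.lat !== undefined || hit.geo.lon !== undefined)) {
    identifiers.push('precise geolocation');
  }
  const healthRelated = HEALTH_TERMS.test(hit.page_title || '');

  const findings = identifiers.map((id) => `identifier present: ${id}`);
  if (healthRelated) findings.push('health-related page title');
  if (healthRelated && identifiers.length > 0) {
    findings.push('possible PHI: identifier combined with health-related content');
  }
  return findings;
}

function auditHits(hits) {
  return hits.map((hit, index) => ({ index, findings: auditHit(hit) }));
}

// Constructed sample hits: one clean, two that should be flagged.
const SAMPLE_HITS = [
  { page_title: 'Our locations', ip: '203.0.113.0' },
  { page_title: 'Book an appointment', ip: '203.0.113.42', user_id: 'u-1001' },
  { page_title: 'Lab results', ip: '2001:db8:85a3:8d3:1319:8a2e:370:7348', geo: { lat: 51.1, lon: 17.0 } },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const { index, findings } of auditHits(SAMPLE_HITS)) {
    console.log(`hit ${index}: ${findings.length ? findings.join('; ') : 'ok'}`);
  }
}
```

Run it over an export from your tag manager's debug view or a server-side request log; every hit that reaches the "possible PHI" finding is one that needs either a BAA-covered destination or a fix upstream (drop the user ID, anonymize the IP at the collector, or coarsen the page title).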
Your legal and security teams should monitor regulatory changes from HHS/OCR and FTC, and regularly evaluate your analytics setup for compliance.
Learn how to ensure your campaigns are HIPAA-compliant: HIPAA-compliant marketing & advertising: How to run compliant campaigns in healthcare.
Final thoughts
Google Analytics isn’t HIPAA-compliant and poses significant risks for covered entities. While de-identifying PHI is technically possible, the margin for error is thin and the consequences are severe.
For healthcare organizations serious about compliance, the solution is straightforward: use an analytics platform that signs a BAA and provides HIPAA-specific safeguards. This approach lets you gain valuable patient insights while protecting privacy and maintaining compliance.
Your next steps should be to:
- Consult your legal team about BAA requirements
- Audit your current analytics setup for PHI exposure
- Evaluate HIPAA-compliant alternatives
With Piwik PRO, you can apply appropriate safeguards to protect your patient data rather than following a bare minimum approach. We help healthcare companies meet the stringent requirements of HIPAA and offer our clients informative, valuable, and actionable insights.
Ready to implement HIPAA-compliant analytics?
Healthcare organizations can’t afford to compromise on compliance or data quality. Piwik PRO delivers both, giving you comprehensive analytics capabilities with full HIPAA safeguards.
Not sure where to start? Our team specializes in helping healthcare organizations transition to compliant analytics solutions.
FAQ
Is Google Analytics HIPAA-compliant?
No. Google explicitly states that Google Analytics doesn’t satisfy HIPAA requirements and won’t sign a business associate agreement (BAA) with covered entities or business associates.
What is a business associate agreement (BAA)?
A business associate agreement (BAA) is a contract between a HIPAA-covered entity and a business associate. It ensures that the business associate understands its responsibilities regarding PHI and will protect it according to HIPAA guidelines. If you want to use a tracking technology that collects and processes PHI, you must sign a BAA with the vendor.
Why doesn’t Google offer a BAA for Google Analytics?
There are two main reasons:
- Data hosting and residency: Google doesn’t offer on-premises hosting or guaranteed data residency. Data is stored in randomly assigned data centers, potentially outside the US, which conflicts with HIPAA’s accountability rule regarding knowing the location of patient data.
- Data usage: Google’s terms allow them to use collected data to develop new services, measure advertising effectiveness, and personalize content. Using PHI for advertising purposes would be a HIPAA violation.
What happens if I pass PHI/ePHI into Google Analytics?
You would be violating HIPAA regulations and Google’s terms of service. This could result in the termination of your Google Analytics account, breaches of HIPAA, fines and damage to your organization’s reputation.
Can I use Google Analytics if I don’t collect PHI/ePHI?
Yes, but it requires significant caution and effort. You must ensure that no PHI/ePHI is transmitted to Google Analytics. Mistakes can be costly. PHI can be found in various locations, including post-login areas, unauthenticated pages, or mobile apps (e.g., in URLs, form fields, or event data).
What is considered PHI?
PHI includes any health information (diagnoses, treatments, lab results, payment details) combined with personal identifiers. When IP addresses or other identifiers are linked to health-related page visits or form submissions, this combination can constitute PHI.
How can I make my analytics HIPAA-compliant?
Use an analytics platform that signs a BAA (like Piwik PRO, Mixpanel, or Heap), de-identify all PHI before collection (though it’s a complex and risky process), or choose on-premises hosting for complete data control.
Which analytics platforms offer a BAA?
Analytics vendors that offer a BAA include:
- Piwik PRO
- Mixpanel
- Heap
- Amplitude
- Freshpaint
- Adobe (Adobe Customer Journey Analytics only, not standard Adobe Analytics)