Is Google Analytics HIPAA-compliant?


Written by Karolina Lubowicka, Małgorzata Poddębniak

Published February 20, 2025

Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but does not provide legal consultancy. If you’d like to make sure you’re in compliance with HIPAA guidelines, we encourage you to consult an attorney.


SUMMARY

  • Google Analytics isn’t HIPAA compliant for covered entities handling Protected Health Information (PHI). Google doesn’t offer a Business Associate Agreement (BAA), which is crucial for HIPAA compliance when using a third-party analytics platform.
  • Using Google Analytics while collecting PHI/ePHI puts healthcare organizations at risk of violating HIPAA regulations. Google may store data in various locations and use it for advertising or improving their services, which conflicts with HIPAA’s requirements.
  • Healthcare organizations must ensure that no traces of PHI are sent to Google Analytics, which can be challenging due to the potential for accidental disclosures. For full HIPAA compliance, healthcare organizations should consider using analytics platforms that offer a BAA and provide specific safeguards.
  • Vendors like Piwik PRO, Mixpanel, Heap, Amplitude, and Freshpaint will sign a BAA, with Piwik PRO offering comprehensive analytics and data activation capabilities along with HIPAA-specific compliance features.

Healthcare organizations use analytics platforms to collect and analyze data about their patients. The data helps them improve the quality of digital services and personalize content and advertising. It also contributes to reducing data administration costs.

Using analytics tools in a strictly regulated sector such as healthcare requires caution, especially if you operate in the US or work with US patients. In this case, you must process and store protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

Healthcare entities cannot engage in the impermissible disclosure of PHI to tracking technology vendors. This matters more than ever now that vendors like Google Analytics collect an expanding range of sensitive information: any disclosure of PHI has to happen in a manner consistent with HIPAA.

In addition, patients are increasingly aware of their legal rights and data security. A focus on HIPAA compliance helps maintain patients’ trust.

What is HIPAA?

HIPAA is a federal law that sets standards for processing, storing and disclosing sensitive protected health information. It applies to all forms of protected health information – electronic, written or spoken.

If you want to know more about HIPAA requirements for professionals, check the website of the US Department of Health & Human Services.

Healthcare analytics – Google Analytics and HIPAA

If you use Google Analytics or similar software, you’re likely already optimizing your website to serve your customers better. But what about Google Analytics and HIPAA compliance?

In short – if you’re a HIPAA-covered entity, using GA4 puts you at serious risk of a HIPAA breach. 

Using Google Analytics to collect and process PHI and ePHI

In this scenario, you want to use analytics data and protected health information (PHI and ePHI).

PHI refers to any information relating to a patient’s condition, the past, present, or future provision of healthcare (such as lab or imaging results and medical history), or payment for such services. Health information becomes individually identifiable health information (IIHI) when identifiers are included in the same record set, and IIHI becomes PHI, and thus protected, when it is transmitted or maintained in any form by a covered entity or its business associate.

Not all health information gathered by healthcare organizations is considered PHI. For example, in most cases, phone numbers, email addresses, or social security numbers alone are not PHI. However, if this data is connected to details about a health condition, treatment plan, or other particular health information, it would transform from PII into PHI.

Meanwhile, using GA4 to track PHI is far from being HIPAA-compliant.

Take a look at the HIPAA disclaimer from Google’s website:

HIPAA disclaimer
Unless otherwise specified in writing by Google, Google does not intend uses of Google Analytics to create obligations under the Health Insurance Portability and Accountability Act, as amended, (“HIPAA”), and makes no representations that Google Analytics satisfies HIPAA requirements. If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.

Google states that Google Analytics doesn’t satisfy HIPAA requirements. And you can’t use Google Analytics for any purpose involving PHI if you are:

  • A covered entity – hospital, clinics, insurance company, healthcare clearinghouse, etc.
  • A business associate – for example, an external company hired to perform legal services, data aggregation, management or data analysis.

Moreover, if you want to use a tracking technology (such as an analytics platform) that collects and processes PHI, you must sign a business associate agreement (BAA) with the vendor. Google does not offer this option.

Why Google won’t sign a BAA with you

There are two possible reasons why Google won’t sign a BAA with organizations covered by HIPAA:

  • Google doesn’t offer on-premises hosting or data residency of your choice. Data tracked by the platform is stored in data centers Google selects, within and outside the US, so you cannot say where your patients’ data physically resides. That undermines the accountability HIPAA expects of a covered entity for the ePHI it discloses.
  • Google’s terms and conditions describe how it uses tracked data. Google uses the data to develop new services, measure the effectiveness of advertising, and personalize content and ads. Using any PHI or ePHI in an advertising context might be a serious violation of HIPAA.

As a result, if you pass any trace of PHI/ePHI into Google Analytics, you’re breaking HIPAA regulations and Google’s terms of service. This may result in the termination of your GA account.

Many ways in which third-party tracking technologies, like Google Analytics, collect and track user information are not apparent to users visiting your website or app. These technologies send information directly to the third parties that develop them. Users’ unique identifiers and other collected information allow Google Analytics to create individual profiles for each user. They may continue to track users and gather information about them even after they navigate away from the original website to other websites. Such practices are particularly serious when they concern sensitive information like healthcare data.

Also, consider this case from your patients’ perspective. Your visitors trust your website and search for information about their illnesses, including cancer or depression. If they later see ads related to that illness on an unrelated page, you’ll be in trouble. This not only violates HIPAA provisions but also leads to the loss of patients’ trust in your organization.

Using Google Analytics without collecting and processing ePHI or PHI

If you use Google Analytics as a healthcare organization without collecting and processing PHI/ePHI, you might comply with HIPAA. However, this requires additional work and precaution from your side. You need to ensure you don’t send any traces of PHI/ePHI to Google Analytics – mistakes can be damaging to your company’s reputation and result in HIPAA breaches. This is also the case if you violate HIPAA rules unknowingly.

According to the OCR’s Bulletin, PHI can be found on different parts of your website, such as post-login areas, which will likely contain lots of PHI, but also on unauthenticated pages or mobile apps. For example, PHI disclosures can occur if a patient’s use of the page or app is related to a health condition (for example, they are using appointment scheduling pages and symptom-checker tools, or they are looking for specific treatment options) and is coupled with PII (for example, name, email address or IP address).

Whether PHI is being disclosed depends on whether the page visit relates to the individual’s health care or what the visitor’s underlying intentions are – and that’s difficult to determine with complete certainty.

Note: In June 2024, a judge ruled in favor of the AHA, declaring that OCR had overstepped its authority when issuing its guidance. On August 29, the OCR decided not to appeal the district court’s decision.

The court ruling and HHS’ decision not to appeal it do not mean that the issue of protecting PHI in the context of analytical tools has been settled once and for all. The ruling was issued in a specific case, indicating that an IP address combined with visit data from an unauthenticated web page does not constitute PHI. However, the ruling does not vacate other parts of the guidance, like those relating to authenticated pages such as patient portals. While the court’s verdict may serve as a benchmark for later decisions on possible HIPAA violations, the complexity of PHI protection and the multiplicity of contexts involved would dictate special caution.

The fundamental issues surrounding healthcare organizations’ collection and use of PHI remain unchanged. Therefore, it’s wiser to stay safe rather than rely on a gray-area interpretation of PHI that maintains the status quo. Organizations must remain vigilant about the data they collect and share with analytics vendors in order to protect patient privacy and reduce the risk of hefty fines and loss of trust.

Learn more: The AHA’s lawsuit against HHS guidance on online tracking technologies: What it means for HIPAA-covered entities and their use of analytics

GA4 and client-side vs. server-side Google Tag Manager (GTM)

There is a difference between using client-side and server-side GTM when it comes to HIPAA compliance. 

When using client-side GTM, the user’s browser communicates directly with third parties, making it challenging to control the information being shared. Depending on how your website or app processes user information, there might be a risk of sharing PHI in HTTP requests (in the page URL, the page title, referrers, or event parameters). Consequently, this option is far from compliant with HIPAA.

Server-side GTM, when correctly set up, helps you control what data you share with Google. User data is only sent to the server hosting the GTM container rather than being shared with multiple third-party servers. You can remove any PII within the server container before passing the data on to marketing partners. However, consider two things:

  • GTM’s use policy also requires compliance with Google Analytics’s terms of service, which state that you can’t send PII to GA4 – and PHI is a subset of PII.
  • You must adequately de-identify any data matching the definition of PHI before sending it to Google, which is a lengthy and error-prone process.

Read more about using server-side GTM and GA4 as a HIPAA-covered entity.

Considering all these aspects, the use of Google Analytics by HIPAA-covered entities is very risky. If you choose to take that risk, you must ensure no PHI finds its way into the platform.

Take a look at these sample URLs:

The first URL contains PHI – your patient’s name and their doctor’s name and specialization. Meanwhile, the second URL is scrubbed of PHI and shows only a universally unique identifier. Ensure your settings and site architecture are properly configured so the first URL switches to the second one before it reaches your analytics.

One way is to de-identify data so it is no longer considered PHI and does not fall under HIPAA. However, de-identification is a complex and time-consuming process that requires strict organizational measures. It’s especially difficult for certain types of data, such as custom dimensions or event attributes.

The rules under HIPAA concerning the use of tracking technologies like analytics platforms continue to be subject to interpretation. While the definitions of PHI and ePHI are well-established, the broad adoption and connectivity of modern technologies increase the risk of PHI accidentally leaking into your website or app.

De-identified data may be less valuable for those who analyze it. Because it’s stripped of identifiers, you can’t use it to personalize content for returning visitors – they always appear as new visitors. You also can’t analyze patients’ journeys and create detailed conversion attribution.

Issues with user privacy and data security are not the only limitations of Google Analytics 4 (GA4). The platform continues to show significant conversion tracking discrepancies, inaccurate traffic reports, problems with the Google Ads integration, and other issues that can lead to confusion and misinterpretation of marketing performance metrics.

Learn more: Google Analytics 4 (GA4) problems: The state of GA4 4 months after UA sunset

How to make your analytics HIPAA-compliant

Switching to an analytics platform that allows you to process patient data with the proper safeguards can help you avoid the risks and limitations of using GA4.

The best way to support your HIPAA compliance efforts is to find an analytics vendor that will sign a business associate agreement (BAA). This will allow you to share PHI/ePHI without de-identifying or restricting its flow to the platform.

Here are a few analytics vendors that offer a BAA:

  • Piwik PRO
  • Mixpanel
  • Heap
  • Amplitude
  • Freshpaint
  • Adobe* (Applies to Adobe Customer Journey Analytics. You can’t sign a BAA to use Adobe Analytics.)

Some platforms offer on-premises (self-hosted) deployment, where the vendor never touches your data, so no BAA is needed. If the vendor retains any access to the instance, for support or managed updates, it is still a business associate and the BAA is still required. This option also makes you responsible for the security of the data infrastructure, including the Security Rule safeguards, so ensure you have the resources and expertise to maintain it. You can self-host your analytics with Piwik PRO by storing your data in a dedicated database.

When selecting the right tool, review each platform’s strengths individually and look in detail at your specific needs in terms of functionality, ease of use, resources, and cost.

Piwik PRO vs. Freshpaint

Both Piwik PRO and Freshpaint will sign a BAA and support HIPAA compliance, but they differ significantly in the features they provide.

Piwik PRO is an all-in-one platform with analytics and data activation capabilities that can be further extended through integrations with other tools and platforms. It also employs high-level privacy and security features. Overall, you get HIPAA compliance and full analytics capabilities within one platform.

Freshpaint, on the other hand, doesn’t offer analytics capabilities. It sits between data sources (such as data warehouses) and third-party data destinations and acts as a buffer to prevent PHI from being sent to non-compliant tools. As a result, setup and maintenance require significant technical skills, resources, and coordination across multiple teams, making the tool very resource-intensive. 

HIPAA compliance with Piwik PRO

Piwik PRO Analytics Suite allows you to collect and analyze PHI and ePHI, helping you provide an even better and more personalized patient experience while employing the highest privacy and security safeguards. Depending on your organization’s needs, it enables you to track both basic and advanced data.

By signing a BAA with us, you can safely send all types of PHI to your analytics setup. If you prefer, you can de-identify all PHI before sending it to our platform. Either way, you can ensure you stay compliant with regulations. 

On top of a BAA, healthcare organizations can benefit from Piwik PRO through the following features: 

  • Hosting on select HIPAA-compliant Microsoft Azure data centers located in the US
  • 100% data control – Piwik PRO doesn’t share or reuse your data for its own purposes
  • High-level privacy and security features backed by ISO 27001 certification and SOC 2 audits (there is no official HIPAA certification program, so the BAA plus these third-party audits are the assurance to ask any vendor for)
  • Granular data access controls to restrict data access only to authorized personnel
  • Detailed audit logs to efficiently track data access and changes to the data collection configuration
  • Integrated analytics, tag manager, consent management platform, and customer data platform
  • User-friendly interface and customizable reports and dashboards
  • Integrations with other platforms, marketing tools, data storage and more
  • Personalized support and onboarding

After signing a BAA, you can safely use our Customer Data Platform (CDP) and activate the data to acquire new clients, better respond to patients’ needs, improve contact center interactions, and much more. 

Best practices for HIPAA compliance in analytics

Healthcare providers must carefully assess and monitor their tracking technologies, what tools can access PHI, and whether they have business associate agreements (BAAs) in place.

Start by reviewing your website architecture, the types of scripts you’re using, and the implementation and settings of your analytics software and tag manager. Consult your legal department or hire an analytics auditor to review your digital infrastructure and determine whether a BAA is necessary.

Consider the following questions:

  • Are you tracking user IDs? If yes, how do you use them?
  • What data appears in page URLs, titles and query strings?
  • What information do you collect in the analytics platform with website forms? How do you use form data in personalization or analytics?
  • Have you truncated or otherwise anonymized visitors’ IP addresses? (Hashing alone is not anonymization: the IPv4 address space is small enough to brute-force a hash back to the address.) Do you avoid tracking GPS or fine-grained location information?
  • What other tags and third-party scripts (for example, from your partner’s website) do you use on your website?

Your legal and security teams should monitor changes in HIPAA and other applicable state regulations and guidelines issued by HHS/OCR, the FTC, and others and regularly evaluate your analytics setup for compliance with US law.

Additional security measures include addressing the use of tracking technologies in your risk analysis and risk management processes. To protect PHI/ePHI, implement appropriate administrative, physical, and technical safeguards.

Learn how to ensure your campaigns are HIPAA-compliant: HIPAA, marketing and advertising: How to run compliant campaigns in healthcare.

Final thoughts

The use of Google Analytics by HIPAA-covered entities poses many compliance risks. While it’s technically possible to de-identify PHI and still use Google Analytics, much is at stake. Even minor mistakes can lead to costly lawsuits, civil penalties, and damage to your business’ reputation. 

With Piwik PRO, you can apply appropriate safeguards to protect your patient data rather than following a bare minimum approach. We help healthcare companies meet the stringent requirements of HIPAA and offer our clients informative, valuable, and actionable insights.

FAQ

Is Google Analytics HIPAA-compliant?

No, Google Analytics is not HIPAA-compliant. Google explicitly states that it doesn’t satisfy HIPAA requirements, and you can’t use it for any purpose involving protected health information (PHI) if you are a covered entity (e.g., hospital, clinic, insurance company) or a business associate. Google also does not offer a business associate agreement (BAA).

What is a business associate agreement (BAA)?

A business associate agreement (BAA) is a contract between a HIPAA-covered entity and a business associate. It ensures that the business associate understands its responsibilities regarding PHI and will protect it according to HIPAA guidelines. If you want to use a tracking technology that collects and processes PHI, you must sign a BAA with the vendor.

Why doesn’t Google offer a BAA for Google Analytics?

There are two main reasons:

  • Data hosting and residency: Google doesn’t offer on-premises hosting or guaranteed data residency. Data is stored in data centers Google selects, potentially outside the US, so you cannot account for where your patients’ data physically resides as HIPAA expects.
  • Data usage: Google’s terms allow them to use collected data to develop new services, measure advertising effectiveness, and personalize content. Using PHI for advertising purposes would be a HIPAA violation.

What happens if I pass PHI/ePHI into Google Analytics?

You would be violating HIPAA regulations and Google’s terms of service. This could result in the termination of your Google Analytics account, breaches of HIPAA, fines and damage to your organization’s reputation.

Can I use Google Analytics if I don’t collect PHI/ePHI?

Yes, but it requires significant caution and effort. You must ensure that no PHI/ePHI is transmitted to Google Analytics. Mistakes can be costly. PHI can be found in many different places, including post-login areas, unauthenticated pages, or mobile apps (e.g., in URLs, form fields, or event data).

What is considered PHI?

Protected health information (PHI) is any information relating to a patient’s condition, the past, present, or future provision of healthcare (such as lab or imaging results and medical history), or payment for such services. Health information becomes individually identifiable health information (IIHI) when identifiers are included in the same record set, and IIHI becomes PHI, and thus protected, when it is transmitted or maintained in any form by a covered entity or its business associate. Even seemingly innocuous data like IP addresses, combined with information about a patient’s visit related to a health condition, can be considered PHI.

How can I make my analytics HIPAA-compliant?

  • Switch to a HIPAA-compliant analytics platform: The best approach is to use an analytics platform that offers a BAA and provides the necessary safeguards for handling PHI.
  • De-identify data: You can attempt to de-identify all PHI before sending it to Google Analytics, but this is a complex, time-consuming, and potentially error-prone process.
  • Consider on-premises hosting: Some platforms offer on-premises hosting, giving you complete control over your data and eliminating the need to share it with third parties. However, this option requires significant resources and expertise to maintain data security.

Which analytics platforms offer a BAA?

Analytics vendors that offer a BAA include:

  • Piwik PRO
  • Mixpanel
  • Heap
  • Amplitude
  • Freshpaint
  • Adobe* (for Adobe Customer Journey Analytics but not Adobe Analytics)