Is Google Analytics HIPAA Compliant? 

Google Analytics is a powerful data tracking tool, but it is not HIPAA compliant out of the box. Planet 9 explains how to make your Google Analytics HIPAA compliant. 

On Oct. 14, 2022, a data breach at Advocate Aurora Health exposed up to 3 million patients’ electronic personal health information (ePHI) due to using Google-powered tracking technologies. The consequences of such an incident involved substantial financial and reputational losses for the company. Advocate Aurora is not the only one. Businesses often use data tracking tools without getting a better idea of how their users interact with sites and applications. 

Google makes no representations that Google Analytics satisfies HIPAA requirements; hence HIPAA-regulated entities shouldn’t use Google Analytics in any way that may provide ePHI to Google Analytics.

However, the ways to use Google Analytics without endangering ePHI still exist and we discuss the main “how to” in this article. 

What Does HIPAA Say About Tracking Technologies?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of federal regulations that aim to protect the privacy and security of patients’ sensitive health information. Failure to comply with these regulations can result in fines and legal and reputational consequences for any HIPAA-regulated entity. HIPAA applies to healthcare providers, healthcare plans, and healthcare clearinghouses that transmit electronically protected health information (ePHI) as well as any third parties that have signed a Business Associate Agreement (BAA).

HIPAA-regulated entities must consider that they are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of the individual’s medical record number, home or email address, dates of appointments, geographic location, or any other ePHI, to tracking technology vendors that are not HIPAA compliant. Furthermore, HIPAA warns that third-party tracking technology vendors, like Google Analytics, may continue to gather information about users even after they navigate away from the original website.

Concerns with Google Analytics

On the business side, tracking tools help better understand patients’ needs and preferences; hence helping provide more efficient services. On the legal side, “pixels” and “cookies” may expose ePHI to unauthorized third parties which is impermissible in terms of HIPAA compliance. 

Google Analytics works with cookies, tracking pixels, fingerprinting scripts, etc. that track website/app traffic. Every time a user visits a web page, the tracking code collects information about how that user interacted with the page. The information may include any personally identifiable information (PII), varying from an individual’s gender and geographic location to any unique identifier, resulting in multiple data privacy concerns. 

At the same time, Google Analytics terms and policies state that it neither passes PII to Google nor reveals sensitive information about a user. It also allows you to delete data from the Analytics servers for any reason. 

Can Google Analytics be Used in Compliance with HIPAA?

The only way for a business to share ePHI with a data analytics vendor is for them to sign a BAA. The bad news is that Google does not offer BAA, as it is written in the Google Data Privacy and Security Statement. HIPAA-regulated entities may use Google Analytics only on websites that do not contain ePHI and must refrain from exposing ePHI.

Google Analytics should not be used on user-authenticated web pages. These are the pages requiring a user to log in before accessing the web page. The user-authenticated web pages may provide ePHI access to Google Analytics and other tracking technologies

Using Google Analytics is permissible on unauthenticated web pages – those with general business information like services they provide, location, or policies and procedures. These pages generally don’t contain ePHI, so they are not regulated by the HIPAA rules. 

This is important to note that some unauthenticated pages may still contain ePHI, for example:

  • The login page may collect credentials or registration ePHI (e.g., name, email address) after the user enters this data.
  • Unauthenticated web pages that address specific symptoms or health conditions, such as pregnancy or miscarriage, or that permit individuals to search for doctors or schedule appointments without entering credentials may have access to ePHI. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a web page to search for available appointments. 

Work with your legal team to identify pages on your site that do not relate to the provision of healthcare services, so that the configuration of Google Analytics does not violate HIPAA laws. 

What’s the Alternative to Google Analytics for HIPAA?

The alternative to Google Analytics for HIPAA-regulated organizations is those tracking technology vendors who can sign BAA and confirm their compliance with HIPAA requirements. Remember, Google Analytics does not commit to HIPAA compliance requirements. As a result, if you pass ePHI into Google Analytics, you are in violation of HIPAA. 

Use tracking tools cautiously and feel free to contact Planet 9 team with any HIPAA compliance issues. We’ll be happy to assist!



Phone:  888-437-3646

Leave a Reply