2024 Update: We’ve updated this post with additional detail after the U.S. Department of Health and Human Services (HHS) updated its guidance for HIPAA compliance when using online tracking technologies in March of 2024. Instead of softening its initial stance, HHS has strengthened it with additional detail and clarification.
We know that Google Analytics is far and away the most popular website analytics tool used in the world. In the United States, 58% of the top 100,000 websites use Google’s website visitor tracking tool.
Healthcare websites are no exception. Many of them use Google Analytics to track and analyze visitor behaviors. But could that result in a HIPAA violation?
The short answer is that Google Analytics is not a HIPAA-compliant tool. Using Google Analytics to track visitors to the website of a healthcare organization certainly could cause a HIPAA violation, and the U.S. Department of Health and Human Services recently issued updated guidance warning of exactly that possibility.
The safest course of action may be for healthcare organizations to remove Google Analytics altogether and use alternate HIPAA-compliant tracking technologies or use tools that anonymize user data to remove protected health information before sending it to Analytics. Simply installing and using Google Analytics throughout your hospital, medical office, or other covered entity’s website is no longer safe.
Are The Country’s Biggest Hospitals Using Google Analytics?
One way to look at the question of whether to use Google Analytics on healthcare provider websites is to look at what the biggest players in the space are doing. So, we asked our healthcare-focused marketing agency’s digital team to analyze the websites of the biggest hospitals in the United States to see if they were using Google Analytics.
Here’s what we found in 2023.
| Rank | Beds | Hospital Name | Using Analytics? | Alternate Tracking Tech |
| 1 | 1,541 | Yale New Haven Hospital | No | Freshpaint |
| 2 | 1,488 | Jackson Memorial Hospital, Miami | Yes | |
| 3 | 1,400 | AdventHealth Orlando | Yes | |
| 4 | 1,300 | Cleveland Clinic | Yes | |
| 5 | 1,278 | Barnes-Jewish Hospital | No | MediaMath |
| 6 | 1,265 | Mayo Clinic Hospital-Saint Marys Campus | No | DeepIntent |
| 7 | 1,224 | Ascension Saint Thomas Hospital | Yes | |
| 8 | 1,207 | UAB Hospital | Yes | |
| 9 | 1,162 | The Johns Hopkins Hospital | No | CallRail |
| 10 | 1,139 | Mount Sinai Hospital | Yes |
Despite the risk of a HIPAA violation, our analysis found that 6 of the nation’s top 10 biggest hospitals were still using Google Analytics to track visitors on their websites in 2024.
Three hospitals have migrated away from Google Analytics entirely, and the biggest, Yale New Haven Hospital, uses a tool that anonymizes user data before sending it to Analytics so they can enjoy the benefits of Analytics without risking a HIPAA violation.
Disclaimer: We’re not accusing those 6 hospitals of violating HIPAA regulations. It is possible to use Google Analytics in a way that’s HIPAA-compliant. However, doing that in any meaningful way is a complex, ever-changing task, and the risks of a HIPAA violation are, in our opinion, high enough that it’s worth implementing a better solution.
If these hospitals hired us to be their healthcare marketing agency, we’d suggest they carefully consider replacing Google Analytics. If you represent a hospital looking for a HIPAA-compliant visitor tracking solution, we have some experience and would be happy to help.
The Risk of Using Google Analytics as a Covered HIPAA Entity
For a long time, it wasn’t clear that using Google Analytics the way many healthcare organizations do even could be a HIPAA violation. After all, we think of HIPAA violations as employees snooping on famous patients, or cyberattacks that target patient records, not tracking visitors on a publicly accessible website.
So, is it even possible that tracking visitors on a public website could cause a HIPAA violation?
In 2022, the U.S. Department of Health and Human Services (HHS) answered this question with a resounding, Yes. Then again, in 2024, HHS released updated guidance on using analytics in even more detail, revealing that HSS clearly hasn’t backed away from its original stance.
The guidance that HHS issued around online visitor tracking tools has several major points that are relevant to healthcare providers using Google Analytics on their websites. The key takeaways are:
- Healthcare providers cannot use online tracking tools in ways that could cause a HIPAA violation.
- Using tracking tools like Google Analytics on an “authenticated webpage” (e.g., patient portal) could generate Protected Health Information (PHI) that’s covered by HIPAA.
- Using tracking tools like Google Analytics on a public, non-authenticated webpage could also generate Protected Health Information (PHI) that’s covered by HIPAA.
- Any PHI generated by an online tracking tool can only be shared with other entities covered by a Business Associate Agreement (BAA) and cannot be shared with organizations without a BAA in place, such as Google Analytics.
- Simple opt-in buttons are not a solution: HHS writes, “Website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.”
How Public Websites Can Create HIPAA-Covered Patient Information
One of the more complex questions around using Google Analytics on healthcare provider websites is how tracking visitor behavior on a public website without a login could generate PHI.
The simple answer is that how visitors behave on your website could tell you a lot about the medical conditions they’re experiencing.
Let’s imagine that someone Googles “What to do in the first trimester of pregnancy,” clicks on an ad for a hospital website, gets to a landing page about what to do in the first trimester of pregnancy, browses through a list of OBs, and then clicks through to make an appointment with one of those doctors.
It would be pretty easy for anyone reviewing the data sent to Google Analytics from that visitor’s session on the site to infer that that visitor is pregnant. Now, with the appointment made, they’re also a hospital patient, and that data is protected health information.
By sending that data to Google Analytics, a non-covered entity, the hospital has very likely just committed a HIPAA violation.
What Google Says About HIPAA-Compliant Analytics
Google has made it clear that it will not take responsibility for protecting any HIPAA-covered patient information in its Analytics platform.
From Google’s official statement on the topic:
“Please remember that to protect user privacy, Google Analytics policies and terms mandate that no data be passed to Google that Google could recognize as personally identifiable information (PII), and no data you collect using Google Analytics may reveal any sensitive information about a user, or identify them.“
Translated, “It’s up to you to make sure you’re not giving Google Analytics HIPAA-protected info, and we’re not going to help you out if you do.”
In the same help article, Google recommends that its analytics users only use Analytics on pages that “do not relate to the provision of health care services.”
In other words, go ahead and put Google Analytics tracking on your hospital’s “About Us” and “Support our Foundation” pages, but leave it off any pages about providing healthcare services.
Options for Website Analytics that Are HIPAA-Compliant
Of course, many healthcare marketers would look at Google’s suggestion and decide that it falls short of their needs to attract and inform patients. Only tracking visitors on a small percentage of your website’s content isn’t much better than not tracking site visitors at all.
So, what options do HIPAA-covered entities have for tracking visitors to their websites while safeguarding patient privacy?
1. Use an Analytics Provider that Will Sign a BAA
Google will not sign a BAA for its Analytics product (a bit unusual because the company will provide a BAA for its other tools, such as Google Workspace).
However, other website analytics providers will.
Some examples include:
While these providers are more costly than Google Analytics and don’t offer the same integration with Google’s broader suite of products and services, they also have unique advantages and capabilities that might make them a good option for some HIPAA-covered entities.
2. Keep Your Analytics Data In-House
Another path to HIPAA-compliant website analytics is not sharing your analytics data with an outside organization. Most analytics solutions use third-party data processing and storage servers, requiring that the third party be covered by a BAA.
But some, like Matomo, allow for HIPAA compliance with a self-hosted site analytics solution. Because the analytics data is collected, stored, and analyzed on your own servers and within your own organization, there’s no need to sign a BAA with a third party.
Though, if you have a marketing agency who might be using this data, it’s important you have a BAA in place with them.
We’ve helped some of our clients implement Matomo for both HIPAA and GDPR compliance and found it to be a good option.
3. Anonymize User Data Before Sending it to Google
Platforms like Freshpaint attempt to give covered organizations the best of both worlds: the ability to use the power of Google Analytics throughout their website without revealing any protected health information.
Freshpaint, which will sign a BAA to handle PHI, tracks and collects user data in a HIPAA-compliant, secure manner. Then, the platform will anonymize and filter out any PHI from that data before passing it on to non-HIPAA-compliant tools like Google Analytics, Facebook, and Google Ads.
While Freshpaint is currently the only player in this space that we’re aware of, we expect to see growth in similar platforms now that it’s become more clear than ever that Google Analytics represents a HIPAA compliance risk.
4. Remove Google Analytics from Large Portions of your Site
This is, frankly, probably a bad option for most healthcare facilities. But it’s the one that Google recommends.
The problem is that it’s unclear precisely when a user’s website visit becomes PHI. In the earlier example, where a visitor referenced a good amount of pregnancy-related information before booking an appointment with an OB-GYN, it was clear that someone looking at the visitor data could deduce that the visitor was pregnant.
But where do you draw the line?
What about a contact page? Would the fact that a visitor wanted to contact your healthcare facility constitute HIPAA-protected PHI? Perhaps. Google recommends removing Analytics tracking from any content that “relates to the provision of health care services.”
In the end, we’re not lawyers, and we try to keep well clear of any situations where lawyers might get involved. For many healthcare providers, “staying on the safe side” of sending any PHI to Google Analytics would mean removing the tracking code from such a big portion of their websites that the data they did gather would be almost useless.
A Healthcare Marketing Agency that Understands the Needs of HIPAA-Covered Entities
As a marketing agency that specializes in healthcare, we’ve covered questions in this post that we help our healthcare clients answer. One of the big ones: How can a healthcare organization optimize the performance of its website while respecting patient privacy and regulations like HIPAA?
There’s no one-size-fits-all answer, but we’ve been able to help all our healthcare clients find the answer that best fits them.
We’d be happy to talk if you’re looking for a healthcare marketing agency that can do the same for you.
