We know that Google Analytics is far and away the most popular website analytics tool used in the world. In the United States, 58% of the top 100,000 websites use Google’s site visitor tracking tool.
Healthcare websites are no exception. Many of them use Google Analytics to track and analyze visitor behaviors. But, could that result in a HIPAA violation?
The short answer is that Google Analytics is not a HIPAA-compliant tool. Using Google Analytics to track visitors to the website of a healthcare organization certainly could cause a HIPAA violation, and the U.S. Department of Health and Human Services recently issued guidance warning of exactly that possibility.
The safest course of action may be for healthcare organizations to remove Google Analytics altogether and use alternate HIPAA-compliant tracking technologies, or use tools that anonymize user data to remove protected health information before sending it to Analytics. Simply installing and using Google Analytics throughout your hospital, medical office. or other covered entity’s website is no longer a safe option.
Are The Country’s Biggest Hospitals Using Google Analytics?
One way to look at the question of whether to use Google Analytics on healthcare provider websites is to look at what the biggest players in the space are doing. So, we asked our healthcare-focused marketing agency’s digital team to analyze the websites of the biggest hospitals in the United States, to see if they were using Google Analytics in 2023.
Here’s what we found.
| Rank | Beds | Hospital Name | Using Analytics? | Alternate Tracking Tech |
| 1 | 1,541 | Yale New Haven Hospital | No | Freshpaint |
| 2 | 1,488 | Jackson Memorial Hospital, Miami | Yes | |
| 3 | 1,400 | AdventHealth Orlando | Yes | |
| 4 | 1,300 | Cleveland Clinic | Yes | |
| 5 | 1,278 | Barnes-Jewish Hospital | No | MediaMath |
| 6 | 1,265 | Mayo Clinic Hospital-Saint Marys Campus | No | DeepIntent |
| 7 | 1,224 | Ascension Saint Thomas Hospital | Yes | |
| 8 | 1,207 | UAB Hospital | Yes | |
| 9 | 1,162 | The Johns Hopkins Hospital | No | CallRail |
| 10 | 1,139 | Mount Sinai Hospital | Yes |
Despite the risk of a HIPAA violation, we found that as of August 2023, 6 of the nation’s top 10 biggest hospitals were still using Google Analytics to track visitors on their websites.
Three hospitals have migrated away from Google Analytics entirely, and the biggest, Yale New Haven Hospital, uses a tool that anonymizes user data before sending it to Analytics, so they can enjoy the benefits of Analytics without risking a HIPAA violation.
Disclaimer: We’re not accusing those 6 hospitals of violating HIPAA regulations. It is possible to use Google Analytics in a way that’s HIPAA-compliant. However, doing that in any meaningful way is a complex, ever-changing task, and the risks of a HIPAA violation are, in our opinion, high enough that it’s worth implementing a better solution.
If these hospitals hired us to be their healthcare marketing agency, we’d suggest they carefully consider replacing Google Analytics. If you represent a hospital looking for a HIPAA-compliant visitor tracking solution, we have some experience, and we’d be happy to help.
The Risk of Using Google Analytics as a Covered HIPAA Entity
For a long time, it wasn’t clear that using Google Analytics the way many healthcare organizations do even could be a HIPAA violation. After all, we think of HIPAA violations as employees snooping on famous patients, or cyberattacks that target patient records, not tracking visitors on a publicly accessible website.
So, is it even possible that tracking visitors on a public website could cause a HIPAA violation?
In 2022, the U.S. Department of Health and Human Services (HHS) answered this question with a resounding, “Yes”.
The guidance that HHS issued around online visitor tracking tools has several major points that are relevant to healthcare providers using Google Analytics on their websites. The key takeaways are:
- Healthcare providers cannot use online tracking tools in ways that could cause a HIPAA violation.
- Using tracking tools like Google Analytics on an “authenticated webpage” (e.g., patient portal) could generate Protected Health Information (PHI) that’s covered by HIPAA.
- Using tracking tools like Google Analytics on a public, non-authenticated webpage could also generate Protected Health Information (PHI) that’s covered by HIPAA.
- Any PHI generated by an online tracking tool can only be shared with other entities covered by a Business Associate Agreement (BAA), and cannot be shared with organizations without a BAA in place, such as Google Analytics.
How Public Websites Can Create HIPAA-Covered Patient Information
One of the more complex questions around using Google Analytics on healthcare provider websites is how tracking visitor behavior on a public website, without a login, could generate PHI.
The simple answer is that how visitors behave on your website could tell you a lot about the medical conditions they’re experiencing.
Let’s imagine that someone Googles “What to do in the first trimester of pregnancy,” clicks on an ad for a hospital website, gets to a landing page about what to do in the first trimester of pregnancy, browses through a list of OBs, and then clicks through to make an appointment with one of those doctors.
It would be pretty easy for anyone reviewing the data sent to Google Analytics from that visitor’s session on the site to infer that that visitor is pregnant. Now, with the appointment made, they’re also a patient of the hospital, and that data is protected health information.
By sending that data to Google Analytics, a non-covered entity, the hospital has very likely just committed a HIPAA violation.
What Google Says About HIPAA-Compliant Analytics
Google has made it clear that they will not take responsibility for protecting any HIPAA-covered patient information in their Analytics platform.
From Google’s official statement on the topic:
“Please remember that to protect user privacy, Google Analytics policies and terms mandate that no data be passed to Google that Google could recognize as personally identifiable information (PII), and no data you collect using Google Analytics may reveal any sensitive information about a user, or identify them. “
Translated, “it’s up to you to make sure you’re not giving Google Analytics HIPAA-protected info, and we’re not going to help you out if you do.”
In the same help article, Google recommends that its analytics users only use Analytics on pages that “do not relate to the provision of health care services”.
In other words, go ahead and put Google Analytics tracking on your hospital’s “About Us” and “Support our Foundation” pages, but leave it off any pages about providing healthcare services.
Options for Website Analytics that Are HIPAA-Compliant
Of course, many healthcare marketers would look at Google’s suggestion and decide that it falls short of their needs to attract and inform patients. Only tracking visitors on a small percentage of your website’s content isn’t much better than not tracking site visitors at all.
So, what options do HIPAA-covered entities have for tracking visitors to their websites while safeguarding patient privacy?
1. Use an Analytics Provider that Will Sign a BAA
Google will not sign a BAA for its Analytics product (a bit unusual because the company will provide a BAA for its other tools, such as Google Workspace).
However, other website analytics providers will.
Some examples include:
While all of these providers are more costly than Google Analytics and don’t offer the same integration with Google’s broader suite of products and services, they also have unique advantages and capabilities that might make them a good option for some HIPAA-covered entities.
2. Keep Your Analytics Data In-House
Another path to HIPAA-compliant website analytics is to not share your analytics data with an outside organization. Most analytics solutions use third-party data processing and storage servers, requiring that third party to be covered by a BAA.
But some, like Matomo, allow for HIPAA compliance with a self-hosted site analytics solution. Because the analytics data is collected, stored, and analyzed on your own servers and within your own organization, there’s no need to sign a BAA with a third party.
Though, if you have a marketing agency who might be using this data, it’s important you have a BAA in place with them.
We’ve helped some of our clients implement Matomo for both HIPAA and GDPR compliance, and found it to be a good option.
3. Anonymize User Data Before Sending it to Google
Platforms like Freshpaint attempt to give covered organizations the best of both worlds: the ability to use the power of Google Analytics throughout their website without revealing any protected health information.
Freshpaint, which will sign a BAA to handle PHI, tracks and collects user data in a HIPAA-compliant, secure manner. Then, the platform will anonymize and filter out any PHI from that data before passing it on to non-HIPAA-compliant tools like Google Analytics, Facebook, and Google Ads.
While Freshpaint is currently the only player in this space that we’re aware of, we expect to see growth in similar platforms now that it’s become more clear than ever that Google Analytics represents a HIPAA compliance risk.
4. Remove Google Analytics from Large Portions of your Site
This is, frankly, probably a bad option for most healthcare facilities. But, it’s the one that Google recommends.
The problem here is that it’s unclear precisely when a user’s website visit becomes PHI. In the example we gave earlier, where a visitor referenced a good amount of pregnancy-related information before booking an appointment with an OB-GYN, it was clear that someone looking at the visitor data would be able to deduce that the visitor was pregnant.
But, where do you draw the line?
What about a contact page? Would the fact that a visitor wanted to contact your healthcare facility constitute HIPAA-protected PHI? Perhaps. Google recommends you remove Analytics tracking from any content that “relates to the provision of health care services,” and contact information for a healthcare provider probably does.
In the end, we’re not lawyers, and we try to keep well clear of any situations where lawyers might get involved. For many healthcare providers, “staying on the safe side” of sending any PHI to Google Analytics would mean removing the tracking code from such a big portion of their websites that the data they did gather would be almost useless.
A Healthcare Marketing Agency that Understands the Needs of HIPAA-Covered Entities
As a marketing agency that specializes in healthcare, we’ve covered questions in this post that we help our healthcare clients answer. One of the big ones: How can a healthcare organization optimize the performance of their website while respecting patient privacy and regulations like HIPAA?
There’s no one-size-fits-all answer, but we’ve been able to help all our healthcare clients find the answer that best fits them.
If you’re looking for a healthcare marketing partner who can do the same for you, we’d be happy to talk.
