Is Google Analytics HIPAA Compliant? What Healthcare Websites Must Know (2026)
Google Analytics is not HIPAA compliant. Google refuses to sign a BAA for GA4. Learn what healthcare websites must do to avoid enforcement actions.

No. Google Analytics is not HIPAA compliant, and Google will not sign a Business Associate Agreement for it. Google's own documentation explicitly states that Google Analytics should not be used to collect protected health information. There is no configuration, setting, or add-on that changes this. If your healthcare website runs Google Analytics and patients interact with it, you have a compliance problem.
Why Google Analytics Fails HIPAA Requirements
Under HIPAA, a vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate, and the covered entity must have a signed Business Associate Agreement in place before that vendor handles the data. Google explicitly declines to sign a BAA for Google Analytics. That alone disqualifies it. But the structural problems go deeper:
PHI is prohibited in Google's Terms of Service. Google Analytics ToS forbid sending personally identifiable information to the platform. On a healthcare website, that restriction is nearly impossible to honor — the data GA collects by default (page URLs, IP addresses, device identifiers, geographic location, referral sources) becomes PHI the moment it is associated with a healthcare context.
Data is sent to Google's servers for Google's purposes. Google retains Analytics data on its own infrastructure and, under its terms, may use it across its product ecosystem. A covered entity cannot restrict Google's processing to the uses HIPAA permits, which is precisely the restriction a BAA exists to impose; without one, every such transmission is an impermissible disclosure.
Page URLs on healthcare websites constitute PHI. When a patient visits /appointments/depression-screening or /services/std-testing, the URL reveals health information. Combined with an IP address, you have an identifier linked to a health condition. That is PHI.
There is no way to prevent PHI from flowing through Analytics on a healthcare site. The nature of web analytics on a site that serves patients means behavioral data will inevitably intersect with health information. You cannot sanitize what you cannot predict.
The Tracking Pixel Enforcement Wave
In December 2022, HHS published a bulletin (updated in March 2024) specifically addressing the use of tracking technologies on healthcare websites. The guidance was direct: when a regulated entity's website or app uses tracking technologies that transmit PHI to third parties, HIPAA rules apply, including the requirement for a BAA.
Both HHS OCR and the FTC pursued enforcement actions against healthcare organizations transmitting patient data to technology companies through analytics scripts, tracking pixels, and advertising tags. Multiple healthcare organizations — including hospitals and telehealth companies — faced settlements between 2023 and 2025.
The problem: when a patient visits /appointments/depression-screening or searches "STI testing near me" on your site, GA captures the URL (or the site-search term) and the request carries the IP address. That combination is PHI. The HHS bulletin took the position that tracking technologies on pages where patients interact with health-related content trigger HIPAA obligations regardless of whether the covered entity intended to collect PHI. One caveat a practitioner should know: in June 2024 a federal district court in Texas vacated the bulletin's position that an IP address combined with a visit to an unauthenticated, public webpage is by itself PHI. That ruling narrowed the guidance for public pages; it did not touch authenticated pages such as portals and scheduling flows, where an identified patient is plainly interacting with their own health information, and it does not change the BAA analysis for any vendor that does receive PHI.
What Google Analytics Actually Collects
GA4 sends the following to Google's collection endpoint on every page load: the visitor's IP address (GA4 uses it for geolocation and Google states it does not store it, but Google's servers still receive it), a persistent client ID from the _ga cookie, the full page URL including the query string, the page title, the referrer, and device characteristics (browser, OS, screen resolution, language). Navigation paths follow from stringing those page views together under the same client ID.
On a general-purpose website, this is standard measurement data. On a healthcare website, these data points combine to identify an individual and associate them with specific health information. A visitor's IP address or client ID + a page path like /conditions/diabetes-management + a referral from a health-related search query = PHI under HIPAA's definition. GA4 collects all of this automatically. Individual fields can be overridden or redacted in the tag configuration, but there is no setting that guarantees health-related data never reaches Google's servers.
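To make the previous paragraph concrete, here is an added example (not code from the original article) that decomposes a single GA4 collect request into the fields that identify the visitor and the fields that carry health context, then applies the article's own test: an identifier linked to health information is PHI. The parameter names (tid, cid, dl, dr, dt, ul, sr, en) are assumed to be the ones gtag.js sends to /g/collect, as seen in a browser's network panel; the request, the client IP and the keyword list are constructed for illustration.

```python
"""Added example, not code from the original article: decompose one GA4
collect request into visitor identifiers and health-context fields, and
apply the article's test (identifier + health information = PHI).

Assumptions the article does not state: the parameter names (tid, cid, dl,
dr, dt, ul, sr, en) are those gtag.js sends to /g/collect, as seen in a
browser's network panel; the request and IP below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample hit: a visitor arrives on a depression-screening
# scheduling page from a health-related search. Not real traffic.
SAMPLE_HIT = (
    "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX"
    "&cid=1234567890.1700000000&ul=en-us&sr=1920x1080&en=page_view"
    "&dl=https%3A%2F%2Fclinic.example%2Fappointments%2Fdepression-screening"
    "%3Fprovider%3D42"
    "&dr=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Ddepression%2Bscreening"
    "%2Bnear%2Bme"
    "&dt=Schedule%20a%20Depression%20Screening"
)
# The client IP is not a query parameter; Google reads it from the
# connection. Constructed address from the TEST-NET-3 range.
SAMPLE_CLIENT_IP = "203.0.113.45"

IDENTIFIER_PARAMS = {"cid": "client id (_ga cookie)", "ul": "language",
                     "sr": "screen size"}
CONTEXT_PARAMS = {"dl": "page location", "dr": "referrer", "dt": "page title"}

# Illustrative keyword list; a real audit would derive it from the site's
# own URL inventory rather than guess.
HEALTH_TERMS = re.compile(
    r"\b(depression|screening|std|sti|hiv|diabetes|cancer|oncology|therapy"
    r"|portal|appointments?)\b",
    re.I,
)


def parse_hit(url):
    """Flatten the hit's query string to {param: first value}, percent-decoded."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def classify_hit(url, client_ip=None):
    """Split the hit into identifiers and health context; phi is True when
    both are present, which is the article's definition."""
    params = parse_hit(url)
    identifiers = {k: params[k] for k in IDENTIFIER_PARAMS if k in params}
    if client_ip:
        identifiers["ip"] = client_ip
    health_context = {
        k: params[k] for k in CONTEXT_PARAMS
        if k in params and HEALTH_TERMS.search(params[k])
    }
    return {
        "identifiers": identifiers,
        "health_context": health_context,
        "phi": bool(identifiers) and bool(health_context),
    }


if __name__ == "__main__":
    verdict = classify_hit(SAMPLE_HIT, SAMPLE_CLIENT_IP)
    for field, value in verdict["health_context"].items():
        print(f"{CONTEXT_PARAMS[field]:14} {value}")
    print("identifiers:", ", ".join(verdict["identifiers"]))
    print("PHI:", verdict["phi"])
```

Note that the page title and the referrer each leak the condition on their own, so redacting the URL path alone would not change the verdict; that is the practical reason the article says selective sanitizing does not work.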
Common Mistakes Healthcare Websites Make
These are the configurations that create the most exposure:
Running GA on appointment and scheduling pages. Selecting a provider, choosing a service type, picking a time — every scheduling interaction generates events that GA captures, and those events contain health-related data by nature.
Running GA on patient portal login pages. A specific IP address or client ID repeatedly reaching the portal login page strongly suggests, and a successful login confirms, that the person is a patient. That confirmation alone is PHI, and the authenticated pages behind the login are unambiguously in scope.
Collecting form submission events. GA4's enhanced measurement automatically sends form_start and form_submit events carrying the form's id, name, destination URL and submit-button text. It does not capture field values by default, but custom events, Tag Manager variables that read the DOM, and GET forms that place answers in the query string all do. On an intake form, that means diagnostic information flowing to Google.
Relying on IP anonymization as a fix. GA4 already does not store full IP addresses, and it makes no difference: URL paths still reveal health information, and the client ID cookie and device characteristics still enable identification. IP anonymization addresses one data element while the PHI pathway remains open.
Using Google Tag Manager to fire multiple tracking pixels. GTM can deploy dozens of third-party scripts (Meta Pixel, LinkedIn Insight, retargeting tags), all receiving the same behavioral data, each an additional third party receiving PHI without a BAA.
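The last item above is a question of inventory: which third parties receive data from which page, and which of them have a BAA. The following added example (not the article's code) scans static HTML for script, image and iframe sources, maps hostnames to vendors, and reports every vendor without a BAA per page. The pages, the vendor table and the BAA list are constructed for illustration.

```python
"""Added example, not code from the original article: inventory third-party
tracking sources across a site's HTML and flag vendors with no BAA.

Assumptions: the page HTML is constructed; the hostname-to-vendor table and
the set of vendors holding a BAA are illustrative (per the article, the
analytics and advertising vendors listed do not sign one)."""
import re
from urllib.parse import urlsplit

# Constructed HTML snippets keyed by page path. Not a real site.
PAGES = {
    "/": '<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123"></script>',
    "/appointments/depression-screening": (
        '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XYZ"></script>'
        '<script src="https://connect.facebook.net/en_US/fbevents.js"></script>'
    ),
    "/portal/login": (
        '<script src="/static/app.js"></script>'
        '<img src="https://www.facebook.com/tr?id=1&ev=PageView" />'
    ),
    "/careers": '<script src="/static/app.js"></script>',
}

# Hostname -> vendor. Illustrative; extend with your own tag inventory.
VENDORS = {
    "www.googletagmanager.com": "Google (GA4 / Tag Manager)",
    "www.google-analytics.com": "Google (GA4)",
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "snap.licdn.com": "LinkedIn Insight",
}
# Vendors that have signed a BAA with you. Constructed: assume none have.
BAA_SIGNED = set()

SRC_RE = re.compile(r'<(?:script|img|iframe)[^>]+src=["\']([^"\']+)["\']', re.I)


def third_party_hosts(html, site_host="clinic.example"):
    """Hostnames of every script/img/iframe src that is not the site itself.
    Relative URLs have no hostname and are skipped."""
    hosts = set()
    for src in SRC_RE.findall(html):
        host = urlsplit(src).hostname
        if host and host != site_host:
            hosts.add(host)
    return hosts


def audit(pages, site_host="clinic.example"):
    """Per page: every vendor receiving data, and those with no BAA."""
    report = {}
    for path, html in pages.items():
        vendors = {VENDORS.get(h, h) for h in third_party_hosts(html, site_host)}
        report[path] = {
            "vendors": sorted(vendors),
            "no_baa": sorted(v for v in vendors if v not in BAA_SIGNED),
        }
    return report


if __name__ == "__main__":
    for path, row in audit(PAGES).items():
        flag = "FLAG" if row["no_baa"] else "ok  "
        print(f"{flag} {path:40} {', '.join(row['no_baa']) or '-'}")
```

Static scanning only sees what is in the served HTML. Tags that GTM injects at runtime will not appear, so for any page that loads a GTM container, capture the page's actual network requests in a browser (headless or otherwise) and feed the observed hostnames through the same vendor table.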
What You Can Do Instead
Compliant analytics exists. The options are fewer and less feature-rich than GA4, but they provide the traffic data you need without HIPAA exposure.
Self-hosted analytics. Plausible (Community Edition) and Matomo (On-Premise) offer self-hosted deployments that keep data on infrastructure you control, so no analytics vendor BAA is needed. Fathom's self-hostable Fathom Lite is no longer actively developed, so treat Fathom as a hosted vendor that would need its own BAA. One caveat: if "your infrastructure" is a cloud provider rather than your own hardware, that provider is a business associate and needs a BAA of its own (the major clouds sign one for their in-scope services).
Server-side analytics. Log-based analytics processed on your own servers never transmit visitor data to external parties and can provide page view counts, referral sources, and geographic data. The raw access log (IP address plus requested URL) is itself PHI on a healthcare site, so it needs the same access controls and retention limits as any other PHI at rest; only the aggregate report should circulate.
Consent-based models with proper disclosure. Some organizations implement analytics with explicit patient consent. However, consent does not substitute for a BAA. Even if a patient agrees to tracking, HIPAA still requires a BAA with any vendor that handles PHI. Consent addresses the patient relationship. The BAA addresses the vendor relationship. Both are required.
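As an added example for the server-side option above (not the article's code), the block below turns Combined Log Format access-log lines into page-view, unique-visitor and referrer counts entirely on the local machine. Unique visitors are counted with a keyed hash of IP and user agent under a salt that is discarded daily, so the report can be shared without the identifiers it was built from; search terms in referrer URLs are dropped with the query string. The log lines are constructed, and the daily-salt scheme is an assumption about what a practitioner would do, not something the article prescribes.

```python
"""Added example, not code from the original article: page-view and
unique-visitor counts from a web server access log, processed locally, so no
visitor data leaves your infrastructure.

Assumptions: Combined Log Format lines (constructed below); a per-day random
salt for the visitor hash that is thrown away at day end, so the keys cannot
be reversed or joined across days. The report is aggregate and contains no
IP addresses, query strings or search terms."""
import hashlib
import hmac
import re
import secrets
from collections import Counter, defaultdict
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines; not from a real server.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Jan/2026:09:01:02 +0000] "GET /appointments/depression-screening?provider=42 HTTP/1.1" 200 5120 "https://www.google.com/search?q=depression+screening" "Mozilla/5.0"
203.0.113.45 - - [10/Jan/2026:09:01:30 +0000] "GET /static/app.js HTTP/1.1" 200 900 "https://clinic.example/appointments/depression-screening" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2026:09:02:11 +0000] "GET /portal/login HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2026:09:05:40 +0000] "GET /portal/login HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Jan/2026:09:07:00 +0000] "GET /careers HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
"""

ASSET_RE = re.compile(r"\.(js|css|png|jpg|svg|ico|woff2?)$", re.I)


def visitor_key(ip, user_agent, daily_salt):
    """Keyed hash of ip+UA. With the salt discarded at day end the key cannot
    be reversed or linked across days. Truncated to 16 hex characters."""
    msg = f"{ip}|{user_agent}".encode()
    return hmac.new(daily_salt, msg, hashlib.sha256).hexdigest()[:16]


def normalize_path(path):
    """Drop the query string: provider ids, search terms and form answers are
    the most likely place for patient-specific detail to hide."""
    return path.split("?", 1)[0]


def referrer_host(ref):
    """Keep only the referring host; the referrer's query (search terms) is dropped."""
    if ref in ("-", ""):
        return "(direct)"
    return urlsplit(ref).hostname or "(direct)"


def summarize(log_text, daily_salt):
    pageviews, referrers = Counter(), Counter()
    visitors = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        path = normalize_path(m["path"])
        if ASSET_RE.search(path):      # static assets are not page views
            continue
        pageviews[path] += 1
        visitors[path].add(visitor_key(m["ip"], m["ua"], daily_salt))
        referrers[referrer_host(m["referrer"])] += 1
    return {
        "pageviews": dict(pageviews),
        "unique_visitors": {p: len(v) for p, v in visitors.items()},
        "referrers": dict(referrers),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, secrets.token_bytes(32))
    for path, n in report["pageviews"].items():
        print(f"{n:4} views {report['unique_visitors'][path]:4} visitors  {path}")
    print("referrers:", report["referrers"])
```

The raw log still holds IP addresses next to health-revealing paths, so this script should run where the log lives, under the same access controls, and the only artifact that leaves that boundary is the aggregate report.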
Where Website Analytics Fits in Your Compliance Program
Your website is a regulated surface. Most compliance programs focus on EHR access, email encryption, and staff training — and overlook the analytics scripts running on every page. That gap is exactly what HHS addressed in its 2022 bulletin.
A complete compliance program accounts for every system that touches patient data, including your website's tracking technologies. Patient Protect monitors your full compliance posture — including vendor configurations and data flow mapping — so gaps like uncontrolled tracking scripts are identified before they become enforcement actions.
Frequently Asked Questions
Is GA4 HIPAA compliant?
No. Google does not sign a BAA for any version of Google Analytics, including GA4. Google's terms explicitly prohibit PHI collection through Analytics. No configuration or setting changes this.
Can I use Google Analytics with patient consent?
Consent does not make Google Analytics HIPAA compliant. HIPAA requires a BAA with any vendor that handles PHI, and Google will not sign one for Analytics. Consent addresses the provider-patient relationship but does not eliminate the BAA requirement.
Does IP anonymization make Google Analytics HIPAA compliant?
No. IP anonymization removes one data element, but page URLs, device fingerprints, and navigation patterns on a healthcare website still constitute PHI. Anonymizing the IP does not prevent health-related behavioral data from reaching Google through other identifiers.
Is Google Tag Manager HIPAA compliant?
GTM enables the deployment of GA4, Meta Pixel, and other tracking scripts that receive visitor data from your healthcare website. If GTM fires tags that transmit PHI to third parties without BAAs, the compliance violation exists regardless of the delivery mechanism.
What about Google Analytics on non-patient-facing pages?
If a page contains no health information and patients cannot access it, the risk is lower. But GA4 runs site-wide by default and patients may visit any page. Most healthcare websites cannot cleanly separate patient-facing traffic. The safer approach is to assume every page is in scope.
Are there HIPAA-compliant analytics alternatives?
Yes. Self-hosted platforms like Plausible Community Edition and Matomo On-Premise keep all visitor data on infrastructure you control, eliminating the analytics vendor's BAA requirement (a cloud host running them still needs its own BAA). Server-side log analysis is another option. The trade-off is reduced feature depth; the disclosure to a third-party analytics vendor is eliminated, though the data you keep is still PHI you must protect.
Patient Protect tracks your full compliance posture, including website and vendor configurations, starting at $39/month.
