Global Site Tag
HIPAA Compliance Risk: Medium
Category: Analytics
Use Case: Tag management framework for deploying Google services like Google Analytics, Ads, and other marketing tools
Why it matters:
The Global Site Tag (gtag.js) is a JavaScript tagging framework used to implement and manage multiple Google services, including Google Analytics, Google Ads, and conversion tracking. While gtag.js itself does not collect user data independently, it serves as the delivery mechanism for tools that may not support HIPAA compliance or offer a Business Associate Agreement (BAA).
If the Global Site Tag is used to load services like Google Analytics or remarketing tools on pages tied to health services, symptoms, or appointment activity, those downstream services may collect Protected Health Information (PHI) without proper safeguards.
Because the tag executes tracking scripts, its presence should prompt a deeper review of what data is being collected, by which tools, and on what pages.
What HHS says:
According to HHS guidance, online tracking technologies, including those integrated into analytics and marketing tools, may result in impermissible disclosures of PHI if they collect data from individuals seeking or receiving care, even on unauthenticated (public) webpages.
While a June 2024 federal court ruling vacated part of the guidance related to IP addresses on public pages, HIPAA compliance is still required when other identifiers or user behavior could reasonably be tied to health information.
Since the Global Site Tag enables other non-compliant tools to run, it may introduce risk depending on how it's configured and what services it loads.
Recommendation:
If you find the Global Site Tag on your site, audit the services it is loading, especially on pages where health-related information is present or user actions may reflect care-seeking behavior.
Because tools often loaded through gtag.js (like Google Analytics or Google Ads) do not offer a Business Associate Agreement, using the tag without safeguards could expose your site to HIPAA violations. Consider removing it from sensitive pages or replacing it with HIPAA-aligned solutions that offer stronger privacy controls and BAA coverage.
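One way to start the audit recommended above, as an added example that is not part of the original page: a Node.js script that scans page HTML for gtag.js loader URLs and `gtag('config', ...)` calls, then maps each ID prefix to the Google service it activates. The sensitive-path patterns, function names, and sample pages are assumptions constructed for illustration.

```javascript
// Tag ID prefixes and the Google service each one activates.
const SERVICES = {
  G: 'Google Analytics 4',
  UA: 'Universal Analytics',
  AW: 'Google Ads',
  DC: 'Floodlight (Campaign Manager)',
};

// Hypothetical patterns marking health-related pages; adjust per site.
const SENSITIVE_PATHS = [/appointment/i, /symptom/i, /condition/i, /patient/i];

function extractTagIds(html) {
  const ids = new Set();
  // Loader: <script src="https://www.googletagmanager.com/gtag/js?id=G-...">
  const loader = /googletagmanager\.com\/gtag\/js\?id=([A-Z]{1,3}-[A-Za-z0-9-]+)/g;
  // Destinations: gtag('config', 'AW-...')
  const config = /gtag\(\s*['"]config['"]\s*,\s*['"]([A-Z]{1,3}-[A-Za-z0-9-]+)['"]/g;
  for (const re of [loader, config]) {
    for (const m of html.matchAll(re)) ids.add(m[1]);
  }
  return [...ids];
}

function auditPage(path, html) {
  const sensitive = SENSITIVE_PATHS.some((re) => re.test(path));
  const destinations = extractTagIds(html).map((id) => {
    const prefix = id.split('-')[0];
    return { id, service: SERVICES[prefix] || 'Unknown Google destination' };
  });
  // Flag only pages that are both health-related and load a destination.
  return { path, sensitive, destinations, needsReview: sensitive && destinations.length > 0 };
}

function auditSite(pages) {
  return Object.entries(pages).map(([path, html]) => auditPage(path, html));
}

// Constructed sample pages; the IDs are placeholders, not real properties.
const SAMPLE_PAGES = {
  '/about': `<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE001"></script>
<script>gtag('js', new Date()); gtag('config', 'G-EXAMPLE001');</script>`,
  '/book-appointment': `<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE001"></script>
<script>gtag('config', 'G-EXAMPLE001'); gtag("config", "AW-000000000");</script>`,
  '/symptom-checker': `<p>No tags on this page.</p>`,
};

for (const r of auditSite(SAMPLE_PAGES)) {
  const found = r.destinations.map((d) => `${d.id} (${d.service})`).join(', ');
  console.log(r.path, r.needsReview ? 'REVIEW' : 'ok', found || 'no gtag destinations');
}
```

A static scan only sees tags present in the served HTML; destinations injected at runtime or through a tag manager need a check of the page's actual network requests as well.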
