Google Analytics
HIPAA Compliance Risk: Medium
Category: Analytics
Use Case: Website traffic analysis, user behavior tracking, and performance reporting
Why it matters:
Google Analytics is widely used to understand how users interact with your website by tracking page visits, time on site, user location, referral sources, and more. While this data is generally considered non-identifiable, on healthcare websites it can become sensitive if it reflects a visitor’s intent to seek care or research specific health conditions. This may turn otherwise routine web data into Protected Health Information (PHI) under HIPAA.
Google has made clear that customers must not use Google Analytics in any way that may expose PHI, even if the data isn’t expressly classified as Personally Identifiable Information (PII) under Google's terms. Google does not offer a Business Associate Agreement (BAA) for this service and makes no representations that it is HIPAA-compliant.
HIPAA-regulated entities should only use Google Analytics on pages that are not related to protected health topics or patient interactions. The HHS bulletin offers guidance on when data may and may not be considered PHI, and entities must take care to configure analytics appropriately.
What HHS says:
The U.S. Department of Health and Human Services (HHS) has stated that online identifiers (such as IP addresses, URLs, and page activity) can qualify as PHI if they relate to an individual’s past, present, or future health or care.
However, on June 20, 2024, a federal court vacated part of the HHS guidance. Specifically, the court ruled that HIPAA is not automatically triggered just because a user’s IP address is associated with visiting a public (unauthenticated) health-related webpage. HHS is currently reviewing how to proceed in light of the ruling.
Nonetheless, HIPAA obligations still apply in many tracking scenarios, especially when user behavior or contextual clues can reasonably be linked to someone seeking or receiving care. Because Google Analytics does not provide a Business Associate Agreement, its use requires careful review and restricted application.
Recommendation:
Evaluate how much detail your website provides about health conditions, services, or appointment scheduling, especially on landing pages, forms, and blog content. If user behavior on those pages could imply that someone is seeking care or treatment, then Google Analytics could lead to unauthorized disclosure of PHI.
While some providers continue to use Google Analytics, it should be done cautiously, and only after a risk assessment and technical safeguards are in place. Alternatives do exist that offer HIPAA support and Business Associate Agreements, but they also require correct configuration and ongoing oversight to ensure compliance.
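One concrete form of "restricted application" is a gating layer in front of the tag: it decides whether the GA4 tag may run on a given page (never on authenticated pages, never under health-related path prefixes) and scrubs the reported page_location so search terms and form state stay out of analytics hits. This is example code written for this page, not code from Google or from any site; the path prefixes, the isAuthenticated flag and the measurement ID are placeholders that a real site would replace with the outcome of its own risk assessment.

```javascript
// Added example, not code from the page or from Google. Decides whether a
// GA4 tag may run on a page and scrubs what it reports. Everything below
// (path prefixes, the isAuthenticated flag, the measurement ID) is a
// hypothetical placeholder to be replaced by the site's own risk assessment.

// Path prefixes whose visits could imply that someone is seeking care.
const SENSITIVE_PREFIXES = [
  "/conditions/", "/treatments/", "/appointments/", "/find-a-doctor/",
  "/symptom-checker/", "/patient-portal/",
];

// Never load analytics on authenticated (patient-facing) pages, and not on
// public pages under a sensitive prefix. Pure function so it can be tested.
function shouldLoadAnalytics(pathname, isAuthenticated) {
  if (isAuthenticated) return false;
  const path = pathname.toLowerCase();
  return !SENSITIVE_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// Keep only utm_* campaign parameters and drop the fragment, so search
// terms, form state and other query data never reach the collector.
function sanitizePageLocation(href) {
  const u = new URL(href);
  const kept = new URLSearchParams();
  for (const [key, value] of u.searchParams) {
    if (key.toLowerCase().startsWith("utm_")) kept.append(key, value);
  }
  u.search = kept.toString();
  u.hash = "";
  return u.toString();
}

// Browser entry point: runs only where gtag.js is already present and the
// page passes the policy; GA4's page_location config parameter receives the
// scrubbed URL. Returns whether the tag was configured, for auditing.
function configureAnalytics(measurementId, win) {
  if (!win || typeof win.gtag !== "function") return false;
  const loc = win.location;
  if (!shouldLoadAnalytics(loc.pathname, win.isAuthenticated === true)) return false;
  win.gtag("config", measurementId, {
    page_location: sanitizePageLocation(loc.href),
  });
  return true;
}

if (typeof window !== "undefined") {
  configureAnalytics("G-PLACEHOLDER", window); // hypothetical measurement ID
}
```

The prefix list is a starting point only; the page's own recommendation to inventory landing pages, forms and blog content is what should populate it.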
Wondering if Google Analytics is safe for your site? Let’s review your pages and help you decide.