
Google Analytics Event Tracking

HIPAA Compliance Risk: Medium

Category: Analytics

Use Case: Monitoring user interactions such as form submissions, button clicks, video plays, downloads, and other custom events


Why it matters:


Google Analytics Event Tracking is a powerful feature used to measure specific user interactions beyond basic pageviews, for example when someone clicks a “Schedule Appointment” button, submits a form, or downloads a resource. On healthcare websites, these actions often reflect a visitor’s intent to seek care or learn about a condition, which may qualify as Protected Health Information (PHI) under HIPAA.


Event tracking sends detailed interaction data to Google’s servers, including page context and, if misconfigured, the values of form fields. This increases the likelihood of collecting sensitive data, even unintentionally.


Google does not offer a Business Associate Agreement (BAA) for Google Analytics, and it explicitly instructs customers to avoid sending any health-related data that would create HIPAA obligations. Using Event Tracking on HIPAA-covered pages heightens the risk of unauthorized PHI disclosure if not carefully controlled.


What HHS says:


According to HHS guidance, user activity on a healthcare website, such as clicking links or submitting forms, may be considered PHI if it indicates a user’s health condition or interest in receiving care, even on public-facing pages.


In June 2024, a federal court vacated the part of this guidance that automatically triggered HIPAA obligations when a user’s IP address was combined with visits to public health-related pages. However, HIPAA still applies when online technologies collect other data that can reasonably identify a user’s relationship to health services.


Because Google Analytics Event Tracking increases the level of user interaction data being collected, it should be used cautiously or removed entirely on health-related pages.


Recommendation:


If your site uses Google Analytics Event Tracking to monitor clicks, form interactions, or downloads on pages related to health services, appointment scheduling, or condition-specific information, it may expose sensitive user intent to Google.


We recommend disabling Event Tracking on any page where visitor actions could suggest a connection to care or treatment. If analytics are essential, consider platforms that sign Business Associate Agreements and offer more granular privacy controls. You should also conduct a thorough review of what each tracked event reveals about the user and how it’s configured.
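To make the configuration review above concrete, here is an added example (not code from the original page) of a defensive wrapper around GA4's gtag('event', ...) call that allowlists event names and parameters so the form field values mentioned earlier are never forwarded to Google. The event names, parameter names and the blocklist patterns are illustrative assumptions.

```javascript
// Added example, not from the original page: a defensive wrapper around GA4's
// gtag('event', name, params) that allowlists event names and parameters so
// form field values never reach the analytics payload. All names and
// patterns below are assumptions chosen for illustration.

// Each permitted event and the only parameters it may carry.
const ALLOWED_EVENTS = {
  schedule_click: ["page_section"],
  form_submit: ["form_id"],
  file_download: ["file_type"],
};

// Parameter names that usually carry identity, contact or health details.
const BLOCKED_PARAM_PATTERN =
  /(name|email|phone|dob|birth|ssn|condition|symptom|diagnosis|message|notes)/i;

// Values that look like an e-mail address or a phone number.
const IDENTIFYING_VALUE_PATTERN = /@|\d{3}[-.\s]?\d{3}[-.\s]?\d{4}/;
const MAX_VALUE_LENGTH = 40; // longer values are treated as free text and dropped

// Returns { name, params, dropped } for a permitted event, or null for an
// event that is not on the allowlist (unknown events are never sent).
function sanitizeEvent(name, params = {}) {
  const allowedParams = ALLOWED_EVENTS[name];
  if (!allowedParams) return null;
  const clean = {};
  const dropped = [];
  for (const [key, value] of Object.entries(params)) {
    const keep =
      allowedParams.includes(key) &&
      !BLOCKED_PARAM_PATTERN.test(key) &&
      typeof value === "string" &&
      value.length <= MAX_VALUE_LENGTH &&
      !IDENTIFYING_VALUE_PATTERN.test(value);
    if (keep) clean[key] = value;
    else dropped.push(key);
  }
  return { name, params: clean, dropped };
}

// Sends through gtag when it exists (browser); otherwise pushes the call onto
// the given dataLayer-style array so the example also runs under Node.
function trackEvent(name, params, sink = []) {
  const result = sanitizeEvent(name, params);
  if (result === null) return null;
  if (typeof gtag === "function") gtag("event", result.name, result.params);
  else sink.push(["event", result.name, result.params]);
  return result;
}
```

The `dropped` list is useful during the review itself: logging it in a staging environment shows which handlers are still trying to attach field values to events.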

Tracking clicks and form submissions with Google? Let’s make sure it’s not a HIPAA issue.
