Google Universal Analytics
HIPAA Compliance Risk:
High
Category:
Analytics
Use Case: Legacy website tracking, behavioral data collection, and performance reporting
Why it matters:
Google Universal Analytics (UA) was the predecessor to Google Analytics 4 and is no longer supported by Google: standard UA properties stopped processing new data on July 1, 2023. Many websites, however, still have the old UA tracking snippet embedded in their pages. Like its successor, UA collected detailed user interaction data, such as page views, click events, referral paths, IP addresses, and location data.
While that data may seem non-sensitive, it becomes a compliance risk on healthcare-related websites when it reflects a user's intent to research conditions, schedule appointments, or access care. In such cases, even a simple page visit can create Protected Health Information (PHI) under HIPAA.
Google has never offered a Business Associate Agreement (BAA) for Universal Analytics and has never claimed that it meets HIPAA requirements. Using UA on a HIPAA-covered website, especially where PHI could be inferred from the pages visited, presents a regulatory risk.
What HHS says:
Per HHS guidance, tools that collect IP addresses, URLs, or behavioral data from health-related websites may be collecting PHI when that data relates to a user's health condition or care-seeking behavior.
In June 2024, a federal court vacated the part of that guidance which said HIPAA obligations are triggered merely because a visitor's IP address is captured on a public health-related web page. HHS continues to enforce HIPAA in other scenarios where PHI may be disclosed to third parties, particularly when no BAA is in place.
Because Universal Analytics is deprecated and was never available under a BAA, leaving it in place exposes your site to outdated tracking that serves no purpose and carries unnecessary risk.
Recommendation:
If your website still includes Google Universal Analytics code, we recommend removing it, particularly from any pages where patient behavior, health topics, or appointment interest could be inferred. Because UA is no longer supported and offers no HIPAA-compliant configuration path, keeping it installed provides little value and creates avoidable risk.
If you need analytics, look for platforms that offer a Business Associate Agreement and give you more control over PHI exposure. Just as important, evaluate each page's content and user flow to assess whether a visit or action could reasonably indicate a relationship to healthcare services (appointment scheduling, symptom checkers, condition-specific pages, and so on).
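Finding the old snippet is the first step, and on a large site it is easy to miss a page that still carries it. The following scanner is an added example written for this page; it is not code from Google or from any analytics vendor. It checks saved HTML for the three ways UA was typically installed: the classic ga.js snippet (`_gaq.push(['_setAccount', 'UA-…'])`), the analytics.js loader, and gtag.js configured with a `UA-` property ID. It also reports GA4 measurement IDs (`G-…`) separately so you can tell a migrated page from a legacy one. The sample pages embedded below are constructed for the demonstration, and the regular expressions are heuristics rather than an exhaustive grammar of every snippet variant.

```python
"""Scan saved HTML for legacy Google Universal Analytics (UA) tracking code.

Added example, not part of the original page.  Detects the classic ga.js
snippet, the analytics.js loader, and gtag.js paired with a UA- property
ID.  GA4 measurement IDs (G-...) are reported separately.  The sample HTML
below is constructed for the demo.
"""
import re
import sys
from pathlib import Path

# analytics.js and ga.js were UA-only loaders.
UA_LOADER_RE = re.compile(r"google-analytics\.com/(?:analytics|ga)\.js", re.IGNORECASE)
# gtag.js is shared with GA4, so it only indicates UA when paired with a UA- ID.
GTAG_LOADER_RE = re.compile(r"googletagmanager\.com/gtag/js", re.IGNORECASE)
# UA property IDs look like UA-12345678-1; GA4 measurement IDs look like G-XXXXXXXXXX.
UA_ID_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")
GA4_ID_RE = re.compile(r"\bG-[A-Z0-9]{6,12}\b")
# Classic asynchronous snippet: _gaq.push(['_setAccount', 'UA-...'])
GAQ_RE = re.compile(r"_gaq\.push\(\s*\[\s*['\"]_setAccount['\"]")


def scan_html(html: str) -> dict:
    """Return which UA-related artifacts appear in one page's HTML."""
    ua_ids = sorted(set(UA_ID_RE.findall(html)))
    ga4_ids = sorted(set(GA4_ID_RE.findall(html)))
    legacy_loader = bool(UA_LOADER_RE.search(html))
    gtag_loader = bool(GTAG_LOADER_RE.search(html))
    gaq_snippet = bool(GAQ_RE.search(html))
    return {
        "ua_property_ids": ua_ids,
        "ga4_measurement_ids": ga4_ids,
        "legacy_loader": legacy_loader,          # ga.js or analytics.js present
        "gtag_with_ua": gtag_loader and bool(ua_ids),
        "gaq_snippet": gaq_snippet,
        # Any one of these is enough to say UA is still wired into the page.
        "has_universal_analytics": bool(ua_ids) or legacy_loader or gaq_snippet,
    }


def scan_files(paths) -> dict:
    """Scan a list of HTML file paths; returns {path: findings} for pages with UA."""
    hits = {}
    for p in paths:
        result = scan_html(Path(p).read_text(encoding="utf-8", errors="replace"))
        if result["has_universal_analytics"]:
            hits[str(p)] = result
    return hits


# Constructed sample pages (not captured from any real site).
SAMPLE_GTAG_UA_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-12345678-1"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'UA-12345678-1');
</script></head><body><h1>Schedule an appointment</h1></body></html>"""

SAMPLE_CLASSIC_PAGE = """<html><head><script>
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-99999-2']);
_gaq.push(['_trackPageview']);
(function() { var ga = document.createElement('script'); ga.async = true;
  ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www')
           + '.google-analytics.com/ga.js';
  document.getElementsByTagName('head')[0].appendChild(ga); })();
</script></head><body><h1>Diabetes care</h1></body></html>"""

SAMPLE_GA4_ONLY_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ9"></script>
<script>gtag('config', 'G-ABC123XYZ9');</script></head><body></body></html>"""


if __name__ == "__main__":
    # Usage: python scan_ua.py page1.html page2.html ...
    # With no arguments, run against the constructed samples.
    if len(sys.argv) > 1:
        for path, findings in scan_files(sys.argv[1:]).items():
            print(path, findings)
    else:
        for name, page in [("gtag+UA", SAMPLE_GTAG_UA_PAGE),
                           ("classic", SAMPLE_CLASSIC_PAGE),
                           ("GA4 only", SAMPLE_GA4_ONLY_PAGE)]:
            print(name, scan_html(page))
```

Run it over a crawl of saved pages (for example, the output of `wget --mirror`) and review every hit; a page that shows only `ga4_measurement_ids` has been migrated, while anything with `has_universal_analytics` set still needs the snippet removed. Remember that tag managers and shared templates can inject UA without it appearing in the static HTML, so also check the container configuration and the network requests a browser makes when loading a page.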
Still running old tracking code like Universal Analytics? Let’s remove what’s no longer safe.