Is Google Analytics HIPAA Compliant?
Google Analytics is not HIPAA compliant and cannot be used by HIPAA covered entities or business associates to track the activity of website visitors if any metrics collected by the analytics service include individually identifiable health information. However, if data is anonymized before being sent to Google Analytics, HIPAA compliance is not an issue.
In December 2022, the Department of Health and Human Services (HHS) released a bulletin discussing the use of online tracking technologies by HIPAA covered entities and business associates. The bulletin explains what tracking technologies are and how the HIPAA compliance rules apply to covered entities and business associates that use tracking technologies.
The key takeaway from the bulletin is that tracking technologies such as Google Analytics can be used by HIPAA covered entities and business associates on most “unauthenticated” web pages (e.g., a general information page) but not on “user-authenticated” web pages that require a user to log in or create a user profile (e.g., a patient portal or telehealth portal).
Unauthenticated Vs User-Authenticated Web Pages
The difference between the two types of web pages is that, although tracking technologies used on unauthenticated web pages collect metrics such as IP addresses and visitors’ locations, they cannot collect individually identifiable health information because visitors provide none. The data collected by tracking technologies on unauthenticated web pages is therefore not PHI.
In contrast, tracking technologies used on user-authenticated web pages collect metrics about how visitors interact with the web page. As visitor interactions are likely to involve the disclosure of individually identifiable health information (which, in some cases, the technologies have access to anyway), PHI is effectively being transmitted from a covered entity or business associate to the vendor of the tracking technology (in this case, Google).
In order for Google or any other tracking technology vendor to receive PHI from a covered entity or business associate, there has to be a Business Associate Agreement in place. With regard to providing a Business Associate Agreement in order to make Google Analytics HIPAA compliant, Google states:
“Customers must refrain from using Google Analytics in any way that may create obligations under HIPAA for Google. […] Google makes no representations that Google Analytics satisfies HIPAA requirements and does not offer Business Associate Agreements in connection with this service”.
Making Google Analytics HIPAA Compliant
The refusal of Google to offer a Business Associate Agreement that would make Google Analytics HIPAA compliant does not mean covered entities and business associates cannot use Google Analytics on user-authenticated web pages. Google’s concern is that it will be exposed to PHI that creates obligations under HIPAA, so the way to address the concern is to ensure Google is not exposed to PHI.
Covered entities and business associates can prevent Google from being exposed to PHI by installing anonymizing software between user-authenticated web pages and the analytics service. The anonymizing software irreversibly masks individually identifiable health information, so Google Analytics receives data about user activity but not who the user is.
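As an added illustration, not code from the article or from Google, the following Python sketch shows the kind of scrubbing such an anonymizing layer performs on each analytics hit before it leaves the covered entity: identifier-like path segments are generalized, non-allowlisted query parameters are dropped, the IP address is truncated, the client identifier is replaced with a keyed hash, and fields such as user_id and page_title are never forwarded. The event field names, the query-parameter allowlist and the identifier patterns are assumptions for the example.

```python
# Added example: an anonymizing filter placed between a user-authenticated page and
# the analytics endpoint. Field names, allowlist and patterns are assumptions.
import hashlib
import hmac
import ipaddress
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters allowed to reach the analytics vendor (assumed allowlist).
ALLOWED_QUERY_KEYS = {"utm_source", "utm_medium", "utm_campaign", "lang"}
# Path segments that look like record numbers, e.g. /patients/48213/results
ID_SEGMENT = re.compile(r"^\d+$|^[0-9a-f]{8,}$", re.IGNORECASE)
# Event fields forwarded at all; everything else (user_id, page_title, ...) is dropped.
FORWARDED_FIELDS = ("event_name", "page_location", "client_id", "ip")

def scrub_url(url: str) -> str:
    """Generalise identifier-like path segments, keep only allowlisted query keys."""
    parts = urlsplit(url)
    path = "/".join("<id>" if ID_SEGMENT.match(s) else s for s in parts.path.split("/"))
    query = urlencode([(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                       if k in ALLOWED_QUERY_KEYS])
    return urlunsplit((parts.scheme, parts.netloc, path, query, ""))  # fragment dropped

def truncate_ip(ip: str) -> str:
    """Zero the host part (IPv4 /24, IPv6 /48) so only a coarse network is sent."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def pseudonymize(value: str, secret: bytes) -> str:
    """Keyed hash; the key stays with the covered entity, so the vendor cannot reverse it."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:32]

def anonymize_event(event: dict, secret: bytes) -> dict:
    """Build the outbound event from an explicit allowlist of transformed fields."""
    out = {k: event[k] for k in FORWARDED_FIELDS}
    out["page_location"] = scrub_url(out["page_location"])
    out["client_id"] = pseudonymize(out["client_id"], secret)
    out["ip"] = truncate_ip(out["ip"])
    return out

# Constructed sample hit from a patient portal (not real data).
SAMPLE_EVENT = {
    "event_name": "page_view",
    "page_location": "https://portal.example.com/patients/48213/results?mrn=48213&utm_source=email#top",
    "page_title": "Lab results for Jane Doe",
    "user_id": "jdoe@example.com",
    "client_id": "1234.5678",
    "ip": "203.0.113.77",
}
```

The keyed hash still lets the vendor link one browser's sessions together; whether that residual linkability is acceptable is part of the compliance review the article refers to.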
Strictly speaking, the installation of anonymizing software does not make Google Analytics HIPAA compliant because the service is not receiving data that would require HIPAA compliance. However, it does mean Google’s analytics service can be used on all covered entities’ and business associates’ web pages without violating HIPAA.
One final point to consider: before installing anonymizing software in order to use Google Analytics on user-authenticated web pages, it will be necessary to enter into a Business Associate Agreement with the vendor of the anonymizing software. Covered entities and business associates with concerns about this requirement should seek professional compliance advice.