Penrod Blog

Google Analytics HIPAA Compliance

The Trouble with Google Analytics and HIPAA – and Ways to Fix It

It's astonishing to think that the Health Insurance Portability and Accountability Act predates Google Analytics by nearly a decade. Since its launch in 2005, Google Analytics has become a marketer's dream, empowering companies to gain insights into their customers, monitor real-time behavior, and evaluate the outcomes of their digital endeavors.

Woman nurse standing next to Google Analytics logo

However, a recent bulletin from the Health and Human Services has presented a daunting challenge for marketers in the healthcare industry. This bulletin has shed new light on the 1996 law regarding third-party trackers, resulting in additional requirements for healthcare companies to ensure compliance, especially when it comes to the disclosure of protected health information through third-party tracking technologies.

For a brief summary, the release emphasizes the need for healthcare companies to double down on their efforts to comply with these requirements, as third-party tracking technologies may expose patients’ sensitive information.

The bulletin tackles three major concepts:

  • Webpage tracking
  • Mobile device tracking
  • HIPAA compliance requirements for regulated entities utilizing third-party trackers

The ruling, in numerous aspects, is completely logical. You’re welcome to watch our video for a more comprehensive understanding, or simply continue reading for a concise summary.

The Problem with Google Analytics and HIPAA

There is growing concern over the delicate balance between compliance and digital marketing strategies in the healthcare and life sciences industry. Ongoing class action lawsuits have caused healthcare marketers and compliance teams to scramble in order to mitigate risks, as highlighted in the December bulletin from the HHS.

According to the bulletin, certain data, such as email and IP addresses, may now be considered PHI. It is important to note that sharing PHI with any entity could potentially violate the HIPAA rule if:

  • A signed BAA is missing
  • The patient did not provide consent for disclosure
  • The PHI has not been properly de-identified

Since technologies like Google Analytics typically do not sign a Business Associate Agreement (BAA), most users do not give their consent for disclosure. Furthermore, Protected Health Information (PHI) is generally not de-identified. As a result, many providers who currently utilize this technology may be in violation of HIPAA.

A Case Study

Imagine if Google Analytics tracks a user on a healthcare website as they navigate through pages about cancer prevention. Later, when the user submits a form requesting a colonoscopy, Google generates an event.

If Google combines the user’s self-reported healthcare needs with an IP address that identifies them personally, it becomes a violation of HIPAA laws. This predicament poses a challenge for healthcare marketers.

On one hand, they require comprehensive analytics to pinpoint their most effective marketing strategies. On the other hand, they risk severe penalties for non-compliance. Consequently, some have removed Google Analytics from their digital properties, while others have ceased digital advertising altogether.

According to original research conducted by Penrod, nearly 6,000 US-based providers have discontinued the use of Google Analytics since December of last year. Nonetheless, it appears that over 100,000 providers may be potentially using Google Analytics in a way that violates HIPAA, disregarding the guidance provided by the HHS. In the following sections, we will explore potential solutions to the challenge of achieving HIPAA compliance with Google Analytics in the healthcare industry.

Potential Solutions

At Penrod, we have developed innovative solutions that enable healthcare companies to maintain full HIPAA compliance while harnessing the capabilities of Google Analytics or other robust platforms.

Let’s dive in.


The first solution we’ve come up with completely replaces Google Analytics with Marketing Cloud Personalization, a platform made by Salesforce.

Marketing Cloud ensures the security of sensitive PHI, while also tracking patient behavior analytics and delivering real-time personalized digital experiences. The great news is that Salesforce offers the possibility to sign a BAA, enabling them to provide services to covered entities and handle PHI with compliance and integrity.

However, one potential drawback of migrating analytics platforms is the potential loss of historical data, which could be a significant cost for healthcare organizations with substantial user data. Our second solution completely avoids this issue.

Server-Side Container

The second solution we’ve come up with relies on a secure server-side container that reduces the amount of retagging you need to do on your website.

In this example, we set up the Google server-side tag manager component on either the Google Cloud platform or a local server.

HIPAA Compliance with Server Side Container

The server-side component utilizes an API call to Data Cloud to de-identify PHI. Additionally, the server-side task manager incorporates an ingestion API connector to seamlessly ingest the data into Salesforce Data Cloud. This empowers our customers to re-identify the encrypted data, ensuring utmost security and privacy.

Our Final Take

Healthcare marketers now have access to more robust tools than ever before, empowering them to make informed and intelligent marketing decisions. The good news is that you no longer have to compromise marketing power in order to remain HIPAA compliant.
Leave your compliance concerns in the past.

If you’re worried about maintaining HIPAA compliance while still maximizing the impact of your digital marketing efforts, we invite you to schedule a complimentary consultation. During our session, we will assess your compliance challenges and determine if our solutions are the perfect fit for your needs.

Schedule a Demo

Ready to work towards making Google Analytics HIPAA compliant?

Leverage the power of Google Analytics to build audiences, track behaviors, and measure results.