Google Analytics HIPAA Compliance - Penrod

Google Analytics HIPAA Compliance

The Trouble with Google Analytics and HIPAA – and Ways to Fix It

It’s hard to believe that the Health Insurance Portability and Accountability Act pre-dated Google Analytics by almost 10 years.

Originally launched in 2005, Google Analytics has become a marketer’s dream. It empowers companies to understand their customers, track real-time behavior, and measure the results of digital efforts.

However, a recent Health and Human Services bulletin turned that dream into a headache for marketers across the health provider space, because it spelled out how the 1996 law applies to third-party trackers. If you want a quick summary, it goes like this: the bulletin reaffirmed that a regulated entity may disclose PHI to a tracking-technology vendor only as the Privacy Rule permits, so any tracker that receives identifiable data about a visitor's health needs a BAA or a valid HIPAA authorization behind it.

The bulletin tackles three major concepts:

  • Tracking on webpages
  • Tracking on mobile devices
  • HIPAA compliance requirements for regulated entities that use third-party trackers

In many ways the guidance makes total sense. Feel free to watch our video for more context, or just keep reading for the summary.

The Problem with Google Analytics and HIPAA

There has never been more concern about the fragile balance between compliance and digital marketing tactics in the healthcare and life sciences industry. Coming on top of ongoing class action lawsuits over tracking pixels, the December bulletin from the HHS has sent healthcare marketers and compliance teams scrambling to mitigate the risk.

According to the bulletin, data like email addresses and IP addresses, when collected on a regulated entity's website or app, may be PHI. Sending PHI to any outside entity is an impermissible disclosure under the HIPAA Privacy Rule unless at least one of the following holds:

  • You have a signed BAA with the recipient
  • The patient signed a HIPAA-compliant authorization for the disclosure (a cookie banner or a click on a privacy policy is not one)
  • The data was de-identified before it left your environment

Given that Google won't sign a BAA for Google Analytics, a valid authorization is almost never collected from site visitors, and the data is sent as-is rather than de-identified, many providers currently using the technology may be in violation of HIPAA.

A Case Study

Let’s say Google Analytics tracks a user on a healthcare website across webpages related to cancer prevention, and then generates an event for a form submission requesting a colonoscopy.

The covered entity, not Google, is the party making the disclosure: the visitor's IP address (an identifier) and the colonoscopy request (health information) leave the site together in the analytics request. Sending that combination to a vendor without a BAA or authorization is the impermissible disclosure, regardless of what Google later does with it.

This dilemma leaves healthcare marketers in a pickle. On one hand, they need robust analytics to identify their most successful marketing strategies. On the other, they face substantial civil penalties and litigation for non-compliance.

In the meantime, many have removed GA from their digital properties, while others have stopped digital advertising altogether.

Original Penrod research indicates that just under 6,000 US-based providers dropped Google Analytics since December of last year.

However, others aren’t taking the HHS guidance as seriously – we’ve determined that just over 100,000 providers are potentially using Google Analytics in a manner that violates HIPAA.

Let’s dive into some solutions to the Google Analytics for healthcare HIPAA-compliance problem.

Potential Solutions

Here at Penrod, we've developed two solutions that let healthcare companies stay HIPAA compliant while keeping the power of Google Analytics, or an equally powerful platform.

Let’s dive in.

Marketing Cloud Personalization

The first solution we've come up with completely replaces Google Analytics with Marketing Cloud Personalization, a platform made by Salesforce.

Marketing Cloud secures sensitive PHI, tracks patient behavior analytics, and personalizes digital experiences in real-time.

The good news is that Salesforce will sign a BAA, so it can provide services to covered entities and handle PHI under the contractual safeguards HIPAA requires. One check to make before migrating: confirm that Marketing Cloud Personalization, and every other Salesforce service your implementation touches, is explicitly within the scope of your BAA, since a BAA covers only the services it names.

One potential downside to migrating analytics platforms is the loss of historical data. This could be an unacceptable cost to certain healthcare organizations with significant amounts of user data.

Our second solution avoids this entirely.

Server-Side Container

The second solution we’ve come up with relies on a secure server-side container that reduces the amount of retagging you need to do on your website.

In this example, we set up the Google Tag Manager server-side container on either Google Cloud or infrastructure you host yourself.

[Diagram: HIPAA compliance with a server-side container]

The server-side component de-identifies the PHI before anything is forwarded to Google Analytics by making an API call to Data Cloud, and the same server-side tag manager uses an ingestion API connector to load the data into Salesforce Data Cloud, where a BAA is in place. Our customers can then re-identify the records inside Data Cloud, while Google only ever receives the de-identified stream. Two checks matter here: the de-identification has to meet the Privacy Rule's standard (Safe Harbor removes IP addresses and email addresses outright, and any re-identification code must not be derived from the PHI itself), and the server container must be configured so it stops forwarding the visitor's IP address and user agent, which it can otherwise pass straight through to Google.

Our Final Take

Healthcare marketers need more robust tools than ever to make smart marketing decisions. Fortunately, you no longer have to sacrifice marketing power to remain HIPAA compliant.

Make compliance concerns a thing of the past.

If you’re concerned about HIPAA compliance and retaining the power of your digital marketing efforts, please schedule a complimentary consultation. We’ll be able to assess your compliance challenges and see if our solutions are the right fit for you.
