Making Google Analytics a HIPAA Compliant Tracking Solution

Google Analytics is one of the most popular tools to track web performance. Unfortunately for providers, the way Google accesses user data means it's not HIPAA complaint.

In this use case, we'll discuss how providers can utilize Google Analytics in a HIPAA compliant manner.


Configuring Google Analytics to be HIPAA compliant


A server-side container that de-identifies PHI in the BA perimeter


Compliance with OCR guidelines and uninterrupted use of Google Analytics

Solving the Use Case


Ongoing class action lawsuits have prompted healthcare marketers and compliance teams to scramble, aiming to mitigate risks as highlighted in the December bulletin from the HHS.

According to the bulletin, certain data, such as email and IP addresses, may now be categorized as PHI. It's important to note that sharing PHI with any entity could potentially violate the HIPAA rule.

Current Gaps

As technologies like Google Analytics generally do not enter into Business Associate Agreements (BAA), most users do not provide consent for disclosure. Moreover, Protected Health Information (PHI) is often insufficiently de-identified. Consequently, many providers currently utilizing this technology may be in violation of HIPAA regulations.

As a result of the ruling, several providers have been compelled to discontinue their use of Google Analytics. Unfortunately, this action eliminates a critical element in tracking success across their web properties.


To address web tracking compliance, a secure server-side container is crucial for reducing the need to retag a website. By implementing the Google server-side tag manager component, either through the Google Cloud platform or a local server, we can ensure enhanced data privacy and security.

The server-side component leverages an API call to Salesforce Data Cloud for de-identifying Personal Health Information (PHI), ensuring the highest level of confidentiality. Additionally, the server-side task manager incorporates an ingestion API connector to seamlessly ingest the de-identified data into Salesforce Data Cloud.

This empowers our customers with the ability to re-identify the encrypted data, while maintaining the utmost level of security and privacy. With this comprehensive solution, we are able to provide a robust and reliable framework for safeguarding sensitive data and complying with web tracking regulations.

Google Analytics Server Side Container

Request Free Consultation

Need and a partner who can help?

We're here for you. Fill out the form on the right for a free consultation!