View All Blog Posts

Is Google Analytics HIPAA-Compliant?

As a healthcare marketing agency, we get a lot of questions about whether or not certain tools are HIPAA-compliant. That’s why we at Hedy & Hopp decided to create a blog series that specifically dives into common marketing tools and software in order to determine whether or not it poses a HIPAA concern.


This week, we’re taking a closer look at Google Analytics (GA4).

What Is Google Analytics?

GA4 is the latest version of Google Analytics, the most popular analytics tool in the world. It is also the biggest change to the tool since its original release in 2005. For the first time ever, Google Analytics will not be backwards compatible with previous versions of the platform’s tags. GA4 requires a complete reinstallation of tracking tags, which has many users reevaluating their tracking platforms. Paired with OCR’s recent bulletin which identified IP addresses as PHI, this shift in the ecosystem has made the question of how Google Analytics fits in HIPAA-compliance a hot topic for healthcare marketers

What Data Does Google Analytics Collect?

Google Analytics, unsurprisingly, collects a lot of data about your user:

  • User ID: This is a unique identifier that is assigned to each user. GA4 uses this ID to track users across multiple sessions and devices.
  • User properties: These are additional pieces of information about users, such as their age, gender, location, and interests.
  • Events: These are actions that users take on your website or app. For example, an event could be a pageview, a download, or a purchase. These events need to be setup by the owner .
  • Sessions: A session is a group of interactions that a user takes on your website or app within a certain period of time.
  • Dimensions: These are the different attributes of your data, such as the date, time, and page URL.
  • Metrics: These are the measurements of your data, such as the number of users, sessions, and events.

Is Google Analytics HIPAA-Compliant?

Google Analytics 4 has made a lot of improvements that make it easier for companies to utilize stronger data privacy standards and move further into the age of cookieless tracking. These changes allow the tool to be used more in line with GDPR, CCPA, & other privacy policies. Despite these changes, however, Google Analytics is not HIPAA-compliant, as it still receives and stores PII/PHI, including device IDs, browser information, and location data, and does not offer a BAA. Google even explicitly states that “Google makes no representations that Google Analytics satisfies HIPAA requirements” and instructs users to refrain from exposing the software from any information that could be considered PII/PHI.

Risk Mitigation

There are several ways to make Google Analytics safer with strong data privacy standards. These are available in the Privacy Controls section of your Google Analytics settings. While enabling these settings will not satisfy HIPAA guidelines, it could help safeguard some user data while you determine a path forward (see our blog, Auditing your marketing plan for HIPAA compliance)

  • Data collection: You can disable the collection of certain types of data in Google Analytics, such as location data, device information, and user-agent strings.
  • Data sharing: You can control how your data is shared with other Google products and services, including Google Ads & YouTube.
  • Consent mode: You can enable consent mode, which allows you to collect data from users who have given their consent.
  • Data retention: You can control how long your data is retained by Google Analytics.
  • User-level data access and portability: You can grant users access to their own data in Google Analytics.


PRO TIP: Server-side tagging is a data tracking method that can help organizations protect user data. While it requires a well thought out digital infrastructure, it can give organizations more control over their data and help them comply with privacy regulations while still using Google Analytics.

Where do you go from here?

Hedy & Hopp’s Analytics experts can help by auditing your Google Analytics account for you, so reach out if your team is struggling with how to approach what can be quite an undertaking!

We have already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. Give us a call – we’d love to help!



About the Author

The Hedy & Hopp analytics team is the cornerstone to patient-centered activation. This team is responsible for building measurement plans and data visualizations that provide useful and action-oriented insights for all of our marketing campaigns. Insightful and curious, for this team of lovable geniuses, decision science is their marketing happy.

More from this author
Next Blog Post

Is Google Tag Manager HIPAA-Compliant?