
Is Google Tag Manager HIPAA-Compliant?

As a healthcare marketing agency, we get a lot of questions about whether or not certain tools are HIPAA-compliant. That’s why we at Hedy & Hopp decided to create a blog series that dives into common marketing tools and software, one at a time, to determine whether each one poses a HIPAA concern.


This week, we’re taking a closer look at Google Tag Manager (GTM).

What Is Google Tag Manager?

Google Tag Manager, or GTM, is a powerful tool that allows you to track user activity on your website or mobile app with minimal coding knowledge required. By putting one snippet of code on a website, GTM creates a container that can manage all of the various tracking codes on your website. GTM is also a great way to improve your website analytics, track conversions, and retarget visitors (when compliant) from and to a variety of platforms. It’s also a valuable tool for businesses of all sizes, from small businesses to large enterprises.

Here are some of the benefits of using Google Tag Manager:

  • No coding required: You don’t need to be a developer to use GTM. The user interface is intuitive and easy to use for users with basic technical knowledge.
  • Increased security: GTM’s user permissions and change tracking limit who can edit or publish your tag code, which helps protect your website from unauthorized changes to its tracking setup.
  • Improved collaboration: GTM makes it easy to collaborate with other team members on tag management. You can share tags and permissions with other users, and you can track changes to tag configurations.
  • Scalability: GTM can be scaled to meet the needs of businesses of all sizes. You can add as many tags as you need, and you can manage multiple websites and mobile apps from a single account.

What Data Does Google Tag Manager Collect?

GTM is probably unique in your tech stack in that it itself does not collect any data – instead, it provides a container with easily configurable tags, triggers, and variables that let you control exactly which tracking tools are on your website and how they send information back and forth. Common tags to have in GTM include:

  • Google Analytics: The most popular analytics tool in the world, GA ties directly into GTM with minimal setup.
  • Conversion Tracking Pixels: Google Ads, Meta Ads, LinkedIn Ads, and most other digital advertising platforms can use a conversion tracking pixel on your site to improve ad performance. At Hedy & Hopp, we consider these pixels to be a high risk in terms of HIPAA-compliance, since they share user data with third parties.
  • Engagement/UX tools: Heatmapping tools like Lucky Orange, A/B testing tools like Optimizely, and countless other tools are routinely installed via Google Tag Manager.

Is Google Tag Manager HIPAA-Compliant?

A good way to look at GTM through the lens of HIPAA compliance is that it can be the vehicle for compliance issues, and that the outcome depends entirely on how a specific site has configured its tagging setup. A GTM container can manage tags for everything from a Google Search Console verification tag (completely HIPAA-compliant) to a Facebook Pixel that is gathering personal data about users who may be visiting sensitive pages on a site (completely non-compliant!).

PRO TIP: As a general rule, conversion pixels are concerning in terms of HIPAA-compliance and should be avoided. Learn more about the recent updates in HIPAA guidance by listening to our HIPAA & FTC 101 podcast.

Risk Mitigation

While Google Tag Manager supports some obfuscation options that grant some level of increased data privacy and protection, this is not a watertight approach. Often, the obfuscated data is still being shared with third-party processors. Server-side Google Tag Manager (sGTM) can be a much safer approach, offering more options for data privacy and allowing you to control completely which data is shared (and not shared) with each platform.

If you want to assess your GTM risk in its current setup, a great place to start is by extensively documenting the functionality of each tag in your account. From there, you can assess the risks of each tag and make a plan to improve data privacy.
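As an added example (not code from the post, from Hedy & Hopp, or from Google), the script below inventories the tags in a GTM container export so each one can be documented and rated for review. The GTM tag type codes, the list of pixel hosts, and the sample export itself are constructed assumptions for illustration.

```python
"""Inventory a GTM container export for a HIPAA tag review (constructed example).

The JSON below mimics the shape of a GTM container export (containerVersion ->
tag[] with name/type/parameter); the type codes and pixel hosts are assumptions."""
import json

# Assumed GTM tag type code -> (human-readable label, coarse default risk).
TAG_TYPES = {
    "gaawc": ("GA4 Configuration", "review"),
    "gaawe": ("GA4 Event", "review"),
    "awct": ("Google Ads Conversion", "high"),  # conversion pixel
    "img": ("Custom Image", "high"),             # usually a 1x1 tracking pixel
    "html": ("Custom HTML", "review"),           # inspected for third-party hosts
}

# Assumed third-party pixel hosts that receive visitor data when a tag fires.
PIXEL_HOSTS = ("facebook.net", "facebook.com", "linkedin.com", "doubleclick.net")

def audit_container(export: dict) -> list:
    """Return one row per tag: name, type label, risk, third-party hosts, paused."""
    rows = []
    for tag in export["containerVersion"].get("tag", []):
        label, risk = TAG_TYPES.get(tag["type"], (tag["type"], "unknown"))
        # Concatenate every parameter value so embedded script/pixel URLs are visible.
        blob = " ".join(str(p.get("value", "")) for p in tag.get("parameter", [])).lower()
        hosts = sorted(h for h in PIXEL_HOSTS if h in blob)
        if hosts:  # any tag shipping data to an ad platform is treated as high risk
            risk = "high"
        rows.append({"name": tag["name"], "type": label, "risk": risk,
                     "third_party": hosts, "paused": tag.get("paused", False)})
    return rows

# Constructed container export (shape modelled on GTM's JSON export; values are placeholders).
SAMPLE_EXPORT = json.loads("""{"exportFormatVersion": 2, "containerVersion": {"tag": [
 {"tagId": "1", "name": "GA4 - Config", "type": "gaawc",
  "parameter": [{"type": "TEMPLATE", "key": "measurementId", "value": "G-PLACEHOLDER"}]},
 {"tagId": "2", "name": "Google Ads - Appointment Conversion", "type": "awct",
  "parameter": [{"type": "TEMPLATE", "key": "conversionId", "value": "000000000"}]},
 {"tagId": "3", "name": "Meta Pixel", "type": "html",
  "parameter": [{"type": "TEMPLATE", "key": "html",
   "value": "<script src='https://connect.facebook.net/en_US/fbevents.js'></script>"}]},
 {"tagId": "4", "name": "Search Console Verification", "type": "html",
  "parameter": [{"type": "TEMPLATE", "key": "html",
   "value": "<meta name='google-site-verification' content='placeholder'>"}]}
]}}""")

if __name__ == "__main__":
    for row in audit_container(SAMPLE_EXPORT):
        print(f"{row['risk']:<7} {row['type']:<22} {row['name']}  {row['third_party']}")
```

Running it against a real export (Admin > Export Container in GTM) gives the per-tag inventory the paragraph above describes; rows marked high are the conversion pixels and third-party scripts to review first.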

PRO TIP: While server-side tagging is not for everyone and does not eliminate the issues associated with third-party tracking tags, this approach puts more power in the hands of your team to ensure that you are protecting your users’ data.

Not sure how to get started?

Hedy & Hopp’s Analytics experts can help by auditing your GTM account for you, so reach out if your team is struggling with how to approach what can be quite the can of worms! Our team has already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. Give us a call – we’d love to help!



About the Author

The Hedy & Hopp analytics team is the cornerstone to patient-centered activation. This team is responsible for building measurement plans and data visualizations that provide useful and action-oriented insights for all of our marketing campaigns. Insightful and curious, for this team of lovable geniuses, decision science is their marketing happy.
