
HIPAA and Web Analytics: What Healthcare Marketers Need to Know About GA4

Healthcare and life science organizations face a compliance constraint that most marketing teams don't: the possibility that standard web analytics tools might constitute unauthorized disclosure of protected health information. The risk is real, often misunderstood, and manageable if you know what to watch for.

TL;DR

  • GA4 can collect PHI inadvertently through URL parameters, form field data, and user identifiers — each of which can trigger HIPAA exposure.
  • HHS's December 2022 bulletin clarified that tracking pixels on healthcare sites can constitute impermissible disclosure under HIPAA.
  • Mitigation involves both technical configuration (stripping URLs, avoiding personal identifiers) and legal agreements (BAA with analytics vendor).
  • Google does not sign Business Associate Agreements for GA4 — which creates a gap for covered entities that use it.

The regulatory landscape

HIPAA (the Health Insurance Portability and Accountability Act) protects individually identifiable health information — called Protected Health Information (PHI). HIPAA applies to covered entities (healthcare providers, insurers, clearinghouses) and their business associates. Marketing technology vendors who receive PHI on behalf of a covered entity are typically considered business associates and must sign a Business Associate Agreement (BAA).

In December 2022, the HHS Office for Civil Rights issued a bulletin specifically addressing tracking technologies on healthcare websites and apps. The key finding: when a tracking pixel or analytics tool collects data that could be used to identify an individual in connection with their health condition or healthcare-seeking behavior, that collection may constitute an impermissible disclosure of PHI — even without any intentional action on the organization's part.

This isn't theoretical. Several healthcare systems and hospital networks received OCR investigation notices following the 2022 bulletin. The risk is specific and documented.

How GA4 can collect PHI inadvertently

Most healthcare organizations don't intend to send PHI to Google Analytics. But standard GA4 configurations can collect it through several channels:

URL parameters. If your site uses URL parameters to carry patient identifiers, appointment details, or health condition information (common with patient portal integrations, appointment booking systems, or condition-specific landing pages), GA4 collects those URLs as part of standard page_view events. Example: yourhospital.com/conditions/diabetes/resources?patient_id=12345&diagnosis=T2DM.

Search queries on health portals. If GA4 is installed on a patient portal or health information portal with internal search tracking, those search queries — "metformin side effects," "oncologist near me," "HIV treatment options" — can be collected as event parameters and arguably constitute health information linked to a site session.

Form field values. GTM can be configured to capture form field values. If someone at your agency or on your team implemented form field capture without carefully scoping it, you may be collecting names, email addresses, health conditions, or other PHI from intake forms.

Custom user IDs. GA4's user_id feature lets you associate analytics sessions with internal user identifiers. If those identifiers map to patient records in your EHR or CRM, the combination can constitute PHI.

The BAA gap

Google does not offer Business Associate Agreements for Google Analytics 4. This is a documented fact. Google's documentation explicitly states that GA4 is not intended for use in contexts where PHI is present, and that BAAs are not available for the product.

This creates a structural problem for covered entities: even if you configure GA4 carefully to minimize PHI exposure, if any PHI reaches GA4 — even inadvertently — you may lack the legal framework to make that transfer permissible under HIPAA.

By contrast, several analytics alternatives do offer BAAs: Matomo (self-hosted), Mixpanel (with a signed BAA), and some enterprise-tier analytics platforms. For covered entities with patient-facing digital properties, these may be the more defensible choice.

Practical risk mitigation for GA4 users

If you're a healthcare organization currently using GA4 — and many are — the goal is to reduce PHI exposure to the extent possible while you evaluate longer-term options. Practical steps:

  • Audit what you're collecting. Use GA4's DebugView and the event stream to see exactly what data is being sent. Look specifically at page_location values for URL parameters and any custom events that may capture form data.
  • Redact URL parameters. In GA4's data stream settings, you can configure URL parameter exclusions to prevent specific parameter names from being included in collected URLs. Identify any parameters that could carry identifiers and exclude them.
  • Do not implement form field tracking. Avoid any GTM configuration that captures values from form fields on patient-facing pages.
  • Limit GA4 to marketing pages only. If your patient portal runs on a separate domain or subdomain, ensure GA4 is not present on that domain. Keep analytics strictly on public marketing pages where no authentication or health transactions occur.
  • Consult legal counsel. The OCR's 2022 bulletin represents regulatory guidance, not a final rule. The appropriate response to your specific situation depends on your organization's status as a covered entity, the nature of your digital properties, and your existing BAA landscape. This is not legal advice — it's a technical framework for a conversation with your compliance team.
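One way to implement the URL redaction and audit steps above on the client side, as an added example (not the article's own code and not GA4's built-in redaction setting; the allowlisted parameter names, the measurement ID placeholder and the sample URLs are constructed):

```javascript
// Added example, not code from the original article: allowlist-based redaction of
// GA4's page_location before it is sent, plus an audit helper for reviewing
// page_location values already collected. Parameter names and sample URLs are
// constructed for illustration.

// Only parameters on the allowlist survive; anything else is dropped, so an
// unexpected patient_id or diagnosis parameter never reaches the hit.
const SAFE_PARAMS = new Set([
  "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content", "gclid",
]);

// Returns the redacted URL and the names of the parameters that were removed.
function redactPageLocation(rawUrl, allowlist = SAFE_PARAMS) {
  const url = new URL(rawUrl);
  const removed = new Set();
  for (const name of Array.from(url.searchParams.keys())) {
    if (!allowlist.has(name)) {
      url.searchParams.delete(name); // removes every value for that name
      removed.add(name);
    }
  }
  url.hash = ""; // fragments can carry portal state too, so drop them as well
  return { url: url.toString(), removed: Array.from(removed) };
}

// Audit helper: given page_location values (e.g. exported from GA4 reports),
// return the ones that carried parameters outside the allowlist.
function auditPageLocations(locations, allowlist = SAFE_PARAMS) {
  return locations
    .map((loc) => ({ location: loc, ...redactPageLocation(loc, allowlist) }))
    .filter((r) => r.removed.length > 0)
    .map((r) => ({ location: r.location, suspect: r.removed }));
}

// Constructed sample of collected page_location values for the audit.
const SAMPLE_LOCATIONS = [
  "https://yourhospital.com/conditions/diabetes/resources?patient_id=12345&diagnosis=T2DM",
  "https://yourhospital.com/services?utm_source=newsletter&utm_medium=email",
  "https://portal.yourhospital.com/appointments?appt=998877#confirm",
];

// Wiring into gtag: override page_location with the redacted value so the raw
// query string never leaves the browser. Guarded so this file also runs under
// Node without gtag present. "G-XXXXXXXXXX" is a placeholder measurement ID.
function sendRedactedPageView(rawUrl, measurementId = "G-XXXXXXXXXX") {
  const { url } = redactPageLocation(rawUrl);
  if (typeof gtag === "function") {
    gtag("config", measurementId, { page_location: url });
  }
  return url;
}
```

In GTM the same function would sit in a custom JavaScript variable feeding the page_location field of the GA4 configuration tag; it complements, rather than replaces, the data stream redaction setting.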

For medical device companies specifically

Medical device companies are often not covered entities themselves: they're not providing healthcare, they're selling to healthcare providers. In that case, HIPAA typically doesn't apply directly to your website analytics. Your website visitors are procurement teams, clinical staff, and biomedical engineers, not patients.

However, if you run a patient registry, a device companion app, or any property where end users are patients, the calculus changes. And if you're a contractor to a covered entity handling PHI in that capacity, business associate rules apply regardless of your primary business.

Understanding your organization's HIPAA status — covered entity, business associate, or neither — is the prerequisite for making the right technology choices. Start there.

Need help navigating analytics compliance for a healthcare or medtech site?

I work with medical device and healthcare-tech companies on analytics implementations that balance data needs with compliance constraints — and I know what questions to ask your legal team.
