A Tool You Trust May Be Working Against You
Google Analytics is on millions of websites. It is free, well-documented, and widely recommended — including, unfortunately, to healthcare providers who have no idea it may be putting them in violation of HIPAA.
This is not a hypothetical risk. In December 2022, the U.S. Department of Health and Human Services issued a bulletin specifically addressing the use of tracking technologies on healthcare websites. It named tools like Google Analytics and Meta Pixel directly. Since then, enforcement interest in this area has only increased, and class-action litigation has followed.
If you are a private practice physician with a website, this affects you — whether or not you have ever thought about it.
What HIPAA Actually Protects
HIPAA protects Protected Health Information, or PHI. Most physicians think of PHI as records inside their EHR — chart notes, lab results, billing data. That is correct, but it is not the full picture.
PHI is any information that connects a person's identity to their health status or healthcare activity. The key word is "connects." You do not need a patient's name attached to a diagnosis for it to qualify as PHI. You need two things: an identifier and a health signal.
This is where your website comes in.
How Google Analytics Creates a HIPAA Problem
When a visitor lands on your website, Google Analytics collects data about them automatically. This includes their IP address, the pages they visited, how long they stayed, and how they got there.
Now consider what your pages are called. If someone with a traceable IP address visits a page titled /services/weight-loss-injections or /conditions/anxiety-treatment, Google now has a record connecting an identifiable person to a health-related inquiry. That is PHI — and it just left your site and went to Google's servers.
Google does not sign a Business Associate Agreement (BAA) for Google Analytics. That means there is no HIPAA-compliant data sharing agreement in place. You are transmitting what may constitute PHI to a third party with no legal framework protecting it. Under HIPAA, that is a breach.
The HHS Bulletin Changed Everything
Before 2022, many healthcare marketers operated in a gray area, assuming that web analytics were outside HIPAA's scope. The HHS bulletin closed that door. It stated clearly that tracking technologies used on webpages where patients seek care information — including appointment scheduling pages and condition-specific landing pages — can constitute impermissible disclosures of PHI when data is transmitted to third parties.
The bulletin also made clear that patient authorization does not fix the problem. You cannot put a cookie banner on your site and consider yourself covered. HIPAA compliance in this context requires either not sending the data in the first place, or routing it through a system that is specifically built for healthcare compliance.
What a Compliant Setup Looks Like
There are several approaches depending on your practice's size, budget, and tolerance for technical complexity.
Server-side Google Tag Manager is one option. Instead of tracking scripts firing directly from a visitor's browser to Google's servers, data is routed through a server you control first. You can strip out identifiers like IP addresses before anything is passed along. This keeps the Google Analytics toolset largely intact while removing the most problematic data points.
HIPAA-compliant analytics platforms such as Piwik PRO or Freshpaint are purpose-built for regulated industries. They sign BAAs, give you full data ownership, and are designed from the ground up to handle healthcare environments. Freshpaint in particular was built specifically for healthcare marketers and acts as a privacy layer between your website and downstream tools like Google Analytics or ad platforms.
Replacing standard analytics entirely with a privacy-first platform like Plausible or Fathom is another path. These tools collect no personally identifiable information at all, require no cookie consent banners, and are GDPR and HIPAA-friendly by design. You lose some of the behavioral depth that Google Analytics provides, but for many practices, aggregate traffic data is sufficient.
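The server-side relay idea from the first option above, as an added example that is not Doctor Rebrand's code and not Google's server-side Tag Manager: a small Python sanitizer sits between the browser tag and any downstream analytics or ad platform, drops direct identifiers (IP address, client id, user agent), strips identifying query parameters and click ids from the page URL, and flags pages whose path is itself a health signal so they can be reviewed. The event field names, the sensitive-term list and the sample hit are all constructed for this example and are assumptions, not a standard payload format.

```python
"""Relay that scrubs identifiers from an analytics hit before forwarding it.

Added example. Field names (ip, client_id, page_location, ...) are assumed
names for a generic page-view hit, not Google's or any vendor's schema.
"""
from typing import Callable
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Top-level fields that identify the visitor directly; never forwarded.
DIRECT_IDENTIFIERS = frozenset(
    {"ip", "client_id", "user_id", "user_agent", "email", "phone"}
)

# Query-string keys that carry identity or an ad-platform click id.
IDENTIFYING_PARAMS = frozenset(
    {"email", "name", "phone", "patient_id", "mrn", "dob", "gclid", "fbclid"}
)

# Path fragments that signal a condition, procedure or patient status.
# Constructed from the URL examples in the article; a real audit should
# derive this list from the practice's own sitemap.
SENSITIVE_PATH_TERMS = (
    "condition", "treatment", "injection", "anxiety",
    "weight-loss", "appointment", "schedule", "portal",
)


def is_high_risk_path(path: str) -> bool:
    """True when the path alone is a health signal (PHI once paired with an identifier)."""
    lowered = path.lower()
    return any(term in lowered for term in SENSITIVE_PATH_TERMS)


def audit_paths(paths: list[str]) -> list[str]:
    """Checklist helper: return the URLs that deserve higher-risk treatment."""
    return [p for p in paths if is_high_risk_path(urlsplit(p).path)]


def scrub_url(url: str) -> str:
    """Keep scheme, host and path; drop identifying query keys and the fragment."""
    parts = urlsplit(url)
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower() not in IDENTIFYING_PARAMS
    ]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def sanitize_event(event: dict) -> dict:
    """Return a copy of the hit with direct identifiers removed and URLs scrubbed."""
    clean = {k: v for k, v in event.items() if k not in DIRECT_IDENTIFIERS}
    for key in ("page_location", "page_referrer"):
        if key in clean:
            clean[key] = scrub_url(clean[key])
    # The page itself is kept for aggregate reporting; the flag lets the
    # practice see which share of traffic lands on sensitive pages.
    page_path = urlsplit(event.get("page_location", "")).path
    clean["high_risk_page"] = is_high_risk_path(page_path)
    return clean


def relay(event: dict, forward: Callable[[dict], None]) -> dict:
    """Sanitize, fail closed if an identifier survived, then hand off downstream."""
    clean = sanitize_event(event)
    leaked = DIRECT_IDENTIFIERS & clean.keys()
    if leaked:
        raise ValueError(f"identifiers would leak downstream: {sorted(leaked)}")
    forward(clean)
    return clean


# Constructed sample hit, as a browser-side tag might post it to the relay.
SAMPLE_EVENT = {
    "event": "page_view",
    "ip": "203.0.113.42",
    "client_id": "1234567890.1700000000",
    "user_agent": "Mozilla/5.0 (example)",
    "page_location": (
        "https://example-practice.test/conditions/anxiety-treatment"
        "?email=pat%40example.test&utm_source=google"
    ),
    "page_referrer": "https://www.google.com/",
    "engagement_time_msec": 4200,
}


if __name__ == "__main__":
    sent: list[dict] = []          # stand-in for the downstream collector
    print(relay(SAMPLE_EVENT, sent.append))
    print(audit_paths(["/about", "/conditions/anxiety-treatment",
                       "/services/weight-loss-injections"]))
```

The `forward` callable is where a real deployment would post to the analytics endpoint; keeping it injectable means the scrubbing logic can be tested without any network access, and the fail-closed check in `relay` guarantees a misconfigured field list raises rather than silently passing an identifier through.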
What About Meta Pixel and Google Ads Tags?
The same problem applies. If you are running a Meta Pixel or a Google Ads conversion tag on your website — and most practices are — those tools are also collecting and transmitting user-level data. The HHS bulletin addressed both explicitly.
This does not mean you cannot run paid advertising. It means the tracking infrastructure needs to be configured correctly. Conversion tracking can be done in ways that do not expose PHI, but it requires intentional setup. Default installation of any advertising pixel on a healthcare website is not compliant.
How Doctor Rebrand Handles This
When we build or audit a practice website, analytics and tracking configuration is part of the technical review. We evaluate what data is being collected, where it is going, and whether the appropriate agreements are in place.
We do not recommend one-size-fits-all solutions because practices vary in how they use data. A single-physician cash-pay practice has different needs than a multi-provider group running active Google Ads campaigns. What we do is make sure the tracking setup matches what the practice actually needs — without creating unnecessary legal exposure.
What You Should Do Right Now
- Ask whoever manages your website whether Google Analytics is installed and how it is configured
- Ask whether a BAA is in place with any analytics or advertising platform you use
- Review your page URLs — if any page name reflects a condition, procedure, or patient status, it is a higher-risk page
- Ask whether your advertising pixels are firing on pages beyond just the homepage
If you cannot get clear answers to these questions, that itself is an answer.
The Bottom Line
Google Analytics is not inherently evil. It is a powerful tool that was not designed with healthcare compliance in mind. The responsibility for using it appropriately falls on the practice — not on Google.
Most practices have never been told this. That is not an excuse regulators will accept, but it is why we consider it our job to make sure every practice we work with understands it. A compliant tracking setup is not complicated once you know what you are building toward. The first step is knowing the problem exists.
