GA4 and HIPAA: A Guide for Healthcare Providers

Learn how to implement GA4 with HIPAA guidelines in mind without putting your patients’ data at risk

Healthcare providers face a challenge when using Google Analytics 4 (GA4): they must keep HIPAA in mind. GA4 is a powerful tool for tracking website traffic, user behavior and marketing efforts. However, it can also collect identifiers such as IP addresses, client IDs and full page URLs (including query strings) which, combined with the health-related context of the page a visitor was on, HHS guidance treats as protected health information (PHI) and which this page refers to as personally identifiable information (PII).

HIPAA regulations are well-known for being strict, and breaking them can lead to legal consequences. A recent study found that almost all US hospital websites using GA4 are at risk of violating HIPAA. Additionally, Google has stated that it will not sign a Business Associate Agreement (BAA) for Google Analytics, so there is no contractual basis for sending PHI to it.

Because of this, many healthcare systems are reviewing every third-party script loaded on their sites. This includes Salesforce, Adobe, Maps, Facebook, Amazon and more. Moreover, some hospital systems are already facing class action lawsuits. To avoid these legal consequences, take action now to protect your hospital system; otherwise, you could face a fine of up to $50,000 per violation.

For example, if one of your webpages has an open text field, a visitor could type PII into it. GA4 does not record field contents by default, but if the form submits via GET the typed text ends up in the URL query string, which GA4 stores as page_location; a custom tag or Tag Manager variable that reads the field value would capture it directly. Either way, that data reaches Google, violating patient privacy and HIPAA.
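One practical safeguard is to scrub the URL before the tag sends it, rather than trusting that no page ever leaks a value into the query string. The following is an added example written for this guide, not code from the original page or from Google; it assumes the site uses gtag.js, that `G-XXXXXXX` is a placeholder measurement ID, and that the hostnames and URLs in the comments are constructed for illustration. The redaction patterns are heuristics for email addresses and long digit runs, not a complete PII detector.

```javascript
// Added example (not from the original page): scrub what GA4 records as
// page_location before the tag sends it. Assumes gtag.js is loaded on the
// page; "G-XXXXXXX" is a placeholder measurement ID.

// Query parameters that carry campaign data only and are safe to keep.
const ALLOWED_PARAMS = new Set([
  "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content", "gclid",
]);

// Heuristic patterns for values that should never reach an analytics vendor.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const LONG_DIGITS_RE = /\d{6,}/g; // phone numbers, record numbers, dates of birth

// Returns true when free text looks like it contains an email or a long number.
// String.prototype.search ignores the global flag, so the regex state is not an issue.
function containsLikelyPii(text) {
  return text.search(EMAIL_RE) !== -1 || text.search(LONG_DIGITS_RE) !== -1;
}

// Rebuilds the URL with only allow-listed query parameters, no fragment,
// and identifier-like tokens in the path replaced by REDACTED.
function sanitizePageLocation(rawUrl) {
  const u = new URL(rawUrl);
  // Drop every query parameter not on the allow list; form values submitted
  // via GET (the open-text-field case) land here.
  for (const key of [...u.searchParams.keys()]) {
    if (!ALLOWED_PARAMS.has(key.toLowerCase())) u.searchParams.delete(key);
  }
  // Fragments are never needed for analytics and often carry client-side state.
  u.hash = "";
  // Path segments such as /portal/results/1234567890 would otherwise be sent verbatim.
  u.pathname = u.pathname
    .replace(EMAIL_RE, "REDACTED")
    .replace(LONG_DIGITS_RE, "REDACTED");
  return u.toString();
}

// Sends a page view with the scrubbed location instead of window.location.href.
// Returns the value that was (or would be) sent so callers can log or test it.
function sendSanitizedPageView(measurementId, rawUrl) {
  const location = sanitizePageLocation(rawUrl);
  if (typeof gtag === "function") {
    gtag("config", measurementId, { page_location: location, send_page_view: true });
  }
  return location;
}

// Guard for custom events: refuse to forward parameters that look like PII.
// Returns the parameters actually sent (PII-like values replaced by REDACTED).
function sendSafeEvent(eventName, params) {
  const safe = {};
  for (const [k, v] of Object.entries(params)) {
    safe[k] = typeof v === "string" && containsLikelyPii(v) ? "REDACTED" : v;
  }
  if (typeof gtag === "function") gtag("event", eventName, safe);
  return safe;
}

// Constructed usage (runs in a browser with gtag.js, or in Node without sending):
// sendSanitizedPageView("G-XXXXXXX",
//   "https://hospital.example/appointments?name=Jane%20Doe&email=jane%40example.com&utm_source=newsletter#step-2")
// returns "https://hospital.example/appointments?utm_source=newsletter"
```

Wire `sendSanitizedPageView` in place of the default `gtag('config', ...)` call (with `send_page_view` disabled in the default snippet) so that every page view goes through the scrub, and route any custom `gtag('event', ...)` calls through `sendSafeEvent`. The allow list is deliberately short; adding a parameter to it is a decision that should be reviewed with the same care as adding a new script to the site.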

Get in touch with us today to schedule a free consultation with our GA4 experts. Our team will review your GA4 property with HIPAA regulations in mind. Additionally, we will report on areas where you might be violating HIPAA regulations. What’s more, you will also receive actionable steps to take that may help reduce legal risks. Don’t wait until it’s too late – reach out now and possibly avoid a class action lawsuit.

Data should NOT pass to Google that Google could recognize as personally identifiable information (PII)

HHS recognizes Universal Analytics (UA) as collecting PII through its logging of IP addresses. This likely means removing UA tracking from your entire website and making a wholesale switchover to GA4 as soon as possible; unlike UA, GA4 does not log or store IP addresses.

Google Analytics should NOT collect data revealing any sensitive information about a user or identify them

If you need to delete data from the Analytics servers for any reason, you can schedule a data-deletion request or use the User Deletion API. Deletion is a reactive measure, though; the better safeguard is to avoid installing any tracking (including GA and any marketing pixels) on pages that require a login, such as patient portals, since anything collected there is tied to an identified patient.