Don't Remove It! Make Google Analytics HIPAA Compliant Instead

One of the last things any web developer does as they are about to push a site live is add this code:

<!-- Google tag (gtag.js) -->
<script async src="<https://www.googletagmanager.com/gtag/js?id=G-ABCDEFGH1J>"></script>
<script>
 window.dataLayer = window.dataLayer || [];
 function gtag(){dataLayer.push(arguments);}
 gtag('js', new Date());

 gtag('config', 'G-ABCDEFGH1J');
</script>

Then, they can sit back, relax, and know that, whatever else happens, they can track pageviews and sessions on their site through Google Analytics. Website Managers, Marketers, the C-suite—they’ll all be able to get their metrics buzz. Job done.

If that developer happens to be working for a healthcare provider of any kind—health tech, insurance, hospital system, any organization that deals with PHI—then they’ve just exposed their company to a huge liability.

Google Analytics Is Not HIPAA Compliant

The Health and Human Services (HHS) have updated its guidance on online tracking. It makes clear that, in its basic configuration, you cannot have Google Analytics anywhere on your site that could expose both PHI and individual identifiers.

• You might think it’s OK to have this tracking pre-sign-in. It’s not.
• You might think it’s OK to have this tracking as it aggregates data. It’s not.
• You might think it’s OK to have this tracking if you have a banner telling the user they can opt-out of tracking or cookies. It’s not.

The tracking technology behind Google Analytics is not HIPAA-compliant. You cannot use GA tracking on any page on your site that might have access to PHI and individual identifiers. Here we’re focusing on Google Analytics, but it's true for other tracking tools that don’t sign a BAA, such as Meta’s Pixel tracking, as a new class action lawsuit shows.

Their reasoning for this is clear.

Learn how to find and prevent PHI from getting to your analytics tools: A Privacy-First Framework for HIPAA Compliance: Managing Third-Party Tracking on Healthcare Websites

Say you're a pregnant woman looking for an OBGYN in the area. You google ‘obgyn near me’ and click on the first link, a local healthcare system’s pregnancy services page. The GA tracking snippet will collect that page URL along with your IP address. This is protected health information—anyone with this data could surmise that an individual woman is pregnant.

A quick aside about IP addresses: On June 20, 2024, a federal judge vacated a narrow part of the OCR web tracker guidance that an individual’s IP address combined with a visit to a public healthcare website triggered a HIPAA violation. However, the rest of OCR’s web tracking tech guidance remains intact, and OCR has formally filed an appeal against this ruling. If OCR wins this part of the guidance will be reinstated. To keep track of the latest updates, head over to the Freshpaint healthcare privacy hub.

Google Analytics does aggregate this data for you. You won’t see the woman’s IP address in your dashboard. But Google still has the data. And it will still tell you the general location of the viewers of that specific page, which is granular enough to fall foul of the HIPAA privacy rule.

The same could be true of a sign-in page or a scheduling page. Medical information about individuals can be inferred from the data tracked on these pages, so HIPAA rules apply if Google has access to any of these eighteen individual identifiers.

You might get away with Google tracking technology on a home page, a general services page, or an office location page. But the point of GA is it is site-wide. So if you are building or running a healthcare site, the tracking technology behind Google Analytics is putting you at a compliance risk.

This updated guidance is becoming a massive problem for healthcare providers dealing with PHI. As one team told us:

It’s chaos. It’s taken us seven years to create a culture of data, and it’s completely up in flames.

Because the data doesn’t stop at GA. Google Analytics is usually just the collection point for the data that is then passed into a warehouse, a BI tool, or custom analysis. If you can’t continue to use Google Analytics, an entire tool stack can go “up in flames.”

An important note: Google Analytics 4 claims to not store IP addresses. While that may be true, it doesn't help with HIPAA compliance because storage of the IP address is not the issue. Simply collecting an IP address is the problem from a website visitor is the problem.

GA4 still uses IP address, and other signals, to understand the location of your website visitors. And in your GA4 dashboard, you can see specific cities in which your visitors live. City-level demographic data is detailed enough to lead to a HIPAA violation, according to the HHS.

Using Freshpaint To Make Google Analytics HIPAA Compliant

You can continue to use Google Analytics with a simple twist—you need to stop using Google's tracking technology and trade it for a platform that is HIPAA compliant. We’ve outlined four approaches to this process in our post on BAAs and anonymizing data, including a DIY version. But if you want no interruption to your GA data, the easiest way is going to be to use Freshpaint’s ID Masking and Allowlist setup:

• ID Masking. Freshpaint masks user identifiers irreversibly. No downstream tracking tool will have access to raw identifiable information about a user.
• Allowlists. By default, no data is sent to non-compliant destinations such as Google Analytics. Instead, you choose the data and events you want to continue to send to Google Analytics, eliminating the risk of accidentally sending PHI.

Sending data to Google Analytics through Freshpaint is easy to set up. You’ll need HIPAA mode enabled, and to set up your allowlist, then you just need two pieces of information.

First, your measurement ID. You can get this by going to Admin > Data Streams > choose your stream > Measurement ID:

You’ll also need your API secret. You can get this by going to Admin > Data Streams > choose your stream > Measurement Protocol > Create:

You can then add this information within the Google Analytics Configuration:

Then go through each of the events you want to send to Google Analytics and toggle them on:

That’s it. Your data will then continue to go to the same GA property as before. As you can set this up in minutes, you won’t lose data.

Treating your users with care

Google Analytics is a powerful tool to help give you a better view of your visitor and member experience across your site. Unfortunately, Google's tracking technology that feeds the data into GA is putting you at risk of HIPAA compliance. The answer isn't to stop using Google Analytics. The answer is to stop using Google's unsafe tracking technology.

Freshpaint is the safe by default replacement so you can continue using Google Analytics and avoid losing all the work you've put into it.

If you want to learn more about how Freshpaint can make Google Analytics HIPAA compliant, reach out to us.

‍