Is Google Analytics HIPAA Compliant? What Healthcare Sites Must Do in 2026
Last updated: June 10, 2026
Is Google Analytics HIPAA compliant? No. Google will not sign a Business Associate Agreement (BAA) for Google Analytics, and HIPAA requires a BAA before any vendor can receive protected health information (PHI) under 45 CFR § 164.308(b). So the answer to "is Google Analytics HIPAA compliant" is settled by Google itself. Google's own help docs say it makes no claim that Google Analytics meets HIPAA rules, and it offers no BAA for the tool. No setting changes that. The real question is which of your pages collect PHI. Booking pages, intake forms, and patient portals do. On those pages, GA4 has to go.
TL;DR: Is Google Analytics HIPAA compliant?
Google Analytics is not HIPAA compliant. Google will not sign a BAA for it, and 45 CFR § 164.308(b) requires a BAA before any vendor receives PHI.
A federal court struck down part of the HHS tracking guidance on June 20, 2024. The ruling only covered IP addresses on public health pages. Trackers on portals, booking pages, and intake forms still violate HIPAA.
The lawsuit risk is real money. Advocate Aurora Health paid $12.25 million to settle a tracking pixel case. Novant Health paid $6.6 million.
You can check your own site in about 15 minutes with browser dev tools. Watch which third parties get data when a booking or intake page loads.
Safer tools exist, including self-hosted analytics and vendors that sign BAAs. Dropping GA4 does not mean losing your traffic data.
Google will not sign a BAA, and that settles it

HIPAA treats any vendor that gets PHI from you as a business associate. Before that vendor touches one record, 45 CFR § 164.308(b) and § 164.504(e) require a signed BAA. Google does sign BAAs for some products. Google Workspace and Google Cloud each cover a set list of services. Google Analytics is not on either list. Google's HIPAA page for Analytics says so in plain terms.
Google's terms add a second wall. The Google Analytics terms of service forbid sending Google personally identifiable information, so even if a BAA existed, the tool is not built to hold health data. No plugin or IP masking feature makes Google Analytics HIPAA compliant. A setting cannot fix a missing contract.
When does analytics data become PHI?

PHI is health information that points to a person, or could, under 45 CFR § 160.103. On a website, identity and health context combine fast. A tracking script on a booking page can grab a visitor ID, the page URL, the provider picked, and the visit type in one request. Together, that says a known person sought care for a condition. That is PHI. Sending it to a vendor with no BAA is an illegal disclosure under 45 CFR § 164.502(a).
The highest-risk spots we see are patient portals and any page behind a login, booking and scheduling flows, intake and contact forms that ask about symptoms, and condition pages that feed a booking funnel. A blog post read by an unknown visitor is a different case. That is where the 2024 court ruling comes in.
The 2024 ruling narrowed OCR guidance, not your lawsuit risk

In American Hospital Association v. Becerra, a federal court in Texas ruled on June 20, 2024 that part of the HHS Office for Civil Rights (OCR) tracking guidance went too far. The court struck the claim that an IP address plus a visit to a public health page is PHI by itself. HHS later dropped its appeal, so that part of the guidance is gone.
Here is what did not change. Trackers on login-protected pages, like patient portals, still trigger HIPAA. Trackers that grab form entries, visit details, or anything a user types about their health still break the rules. And the ruling did nothing to stop class actions, state privacy laws, or Federal Trade Commission cases. It did not make Google Analytics HIPAA compliant, either.
The lawsuits show where the money goes. Advocate Aurora Health paid $12.25 million to settle a class action after its pixels sent patient data to third parties. Novant Health paid $6.6 million over pixels on its patient portal. Both began as routine marketing choices. Someone added a pixel, and nobody checked what it sent. Tracking pixels also appear in our roundup of eight unintentional HIPAA violations for that reason. They are the violation teams find last, because nothing visibly breaks.
Where Google Analytics can and cannot run
Since Google Analytics is not HIPAA compliant, GA4 cannot run on patient portals or any page behind a login. It cannot run on booking flows, intake forms, or thank-you pages that confirm a visit. Those pages tie a known visitor to a care decision. It should not run on condition pages that collect any user input.
After the 2024 ruling, GA4 on plain public pages, like a general blog, carries lower HIPAA risk. It is not zero risk. State laws such as Washington's My Health My Data Act cover consumer health data more broadly than HIPAA, and people can sue under them. Privacy suits over health-related tracking keep coming. In the compliance reviews we run, the most common finding is a forgotten Google Tag Manager container. It loads GA4 and ad pixels on every page, including the booking flow the marketing team forgot it touched. The second most common finding is a GA4 tag that was "removed" from the theme but still loads through a plugin.
How to check your own site in 15 minutes

Open your booking or intake page in Chrome. Press F12, select the Network tab, and tick "Preserve log" so the request list survives the redirect that a form submission usually triggers. Reload the page. Then filter requests by "google-analytics," "googletagmanager," "facebook," and "doubleclick." Each match is a third party getting data from that page. Next, submit a test form entry with a name and email you will recognize, and watch for new requests. Check the URL and, for POST requests, the Payload tab: if either contains your test name, email, or answers, that data is leaving your site. Repeat this on every page where patients type anything. Last, open your tag manager account and look for tags you do not recognize. Agencies, old plugins, and theme demos all leave trackers behind.
This quick check finds the obvious leaks. It will not catch everything. Scripts can load only on some devices, or pass data through server-side proxies and chained tags that a manual check misses.
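To make the manual check repeatable, here is a small script you can run in Node or paste into the browser console. It is an added example, not code from the original article or from any vendor: it takes the list of requests a page made, sorts them into first party and third party, names the known tracking vendors by host, and flags any request whose URL or body carries one of the test values you typed into the form. The tracker host list, the site name clinic.example, and the sample requests are constructed for the demo; replace them with your own host, the test name and email you used, and the URLs from the Network tab.

```javascript
// Added example (not from the original article). Classifies the requests a
// booking page makes and flags third parties that received test form values.
// TRACKER_HOSTS, SAMPLE_SITE, SAMPLE_TEST_VALUES and SAMPLE_REQUESTS are
// constructed for this demo, not captured from any real site.

// Hosts treated as tracking vendors. Each pattern matches the host or a subdomain.
const TRACKER_HOSTS = [
  { vendor: 'Google Analytics',  re: /(^|\.)google-analytics\.com$|(^|\.)analytics\.google\.com$/i },
  { vendor: 'Google Tag Manager', re: /(^|\.)googletagmanager\.com$/i },
  { vendor: 'Meta Pixel',         re: /(^|\.)facebook\.(com|net)$/i },
  { vendor: 'DoubleClick',        re: /(^|\.)doubleclick\.net$/i },
];

// True when host is the site itself or one of its subdomains (cdn.clinic.example).
function isFirstParty(host, siteHost) {
  host = host.toLowerCase();
  siteHost = siteHost.toLowerCase();
  return host === siteHost || host.endsWith('.' + siteHost);
}

// Name the tracking vendor behind a host, or null if it is not on the list.
function trackerVendor(host) {
  const hit = TRACKER_HOSTS.find(t => t.re.test(host));
  return hit ? hit.vendor : null;
}

// Decode once so 'test%40example.com' and form-encoded 'Testy+McTest' still match.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// Which of the test values appear in this request's URL or body (case-insensitive).
function leakedValues(req, testValues) {
  const haystack = (safeDecode(req.url) + '\n' + safeDecode(req.body || '')).toLowerCase();
  return testValues.filter(v => haystack.includes(v.toLowerCase()));
}

// Classify every request: first vs third party, known tracker, and leaked test values.
function auditRequests(requests, siteHost, testValues) {
  return requests.map(req => {
    const host = new URL(req.url).hostname;
    return {
      url: req.url,
      host,
      firstParty: isFirstParty(host, siteHost),
      vendor: trackerVendor(host),
      leaks: leakedValues(req, testValues),
    };
  });
}

// The findings a reviewer acts on: only third-party requests.
function findings(requests, siteHost, testValues) {
  return auditRequests(requests, siteHost, testValues).filter(r => !r.firstParty);
}

// Constructed sample of what a booking page might send during a test submission.
const SAMPLE_SITE = 'clinic.example';
const SAMPLE_TEST_VALUES = ['test.patient@example.com', 'Testy McTest'];
const SAMPLE_REQUESTS = [
  { url: 'https://clinic.example/book?provider=cardiology', body: null },
  { url: 'https://cdn.clinic.example/app.js', body: null },
  { url: 'https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE', body: null },
  { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&en=page_view' +
         '&dl=https%3A%2F%2Fclinic.example%2Fbook%3Fprovider%3Dcardiology', body: null },
  { url: 'https://www.facebook.com/tr?id=0&ev=Lead&cd%5Bemail%5D=test.patient%40example.com', body: null },
  { url: 'https://clinic.example/api/book', body: 'name=Testy+McTest&email=test.patient%40example.com' },
];

// In a browser console, build the request list from what the page actually loaded:
//   performance.getEntriesByType('resource').map(e => ({ url: e.name, body: null }))
// Resource timing entries carry no bodies, so read POST payloads from the Network tab.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findings(SAMPLE_REQUESTS, SAMPLE_SITE, SAMPLE_TEST_VALUES)) {
    console.log(`${f.host}  vendor=${f.vendor || 'unlisted third party'}  leaks=${f.leaks.join(',') || 'none'}`);
  }
}
```

On the constructed sample the script reports three third parties (Tag Manager, Google Analytics, Meta Pixel) and shows that the Meta Pixel request carried the test email, which is exactly the finding the manual check is looking for. An unlisted third-party host is still worth a look: the vendor list only names the common ones, and the script does not see requests made by scripts that load later or only after consent.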
When to bring in a professional review
If your site takes booking requests, intake details, or any patient information, a one-time audit is cheap insurance against a seven-figure settlement. Our client-side compliance review covers up to five pages for $500. We audit every tracking script, cookie, form, and third-party tool on your site. You get a findings report with risk levels and clear fix-it steps. HIPAA Compliant Hosting sells this service, so we have a commercial interest here. We still publish the manual check above, because a practice that finds its own pixel problem this week beats one that waits.
Safer ways to measure your traffic
Dropping GA4 from patient-facing pages does not mean flying blind. Self-hosted tools such as Matomo keep visitor data on your own server, so no third party gets it. Self-hosting moves the duty onto you, though: that analytics server then holds PHI and needs the same access controls, logging, and encryption as the rest of your environment. Some privacy-focused vendors, like Piwik PRO and Freshpaint, will sign BAAs and are built for healthcare. Cookieless, count-only tools collect so little that they avoid identity problems on info pages. Server logs can answer basic traffic questions with data you already hold. Whichever you pick, get the BAA answer in writing before the tag goes live.
Frequently asked questions
Is Google Analytics HIPAA compliant?
No. Google will not sign a BAA for Google Analytics, and HIPAA requires one under 45 CFR § 164.308(b) before a vendor can receive PHI. No setting changes this.
Can I use GA4 if I turn on IP masking?
Not on pages that handle PHI. Masking limits what Google stores, but the missing BAA is the failure, not the IP address. GA4 also collects device IDs and page context beyond IP. It does not make Google Analytics HIPAA compliant.
Did the 2024 ruling make tracking pixels legal on health sites?
Only partly. The court struck OCR's claim about IP addresses on public health pages. Trackers on portals, booking flows, and forms still violate HIPAA. Class actions and state laws apply either way.
Is Google Tag Manager HIPAA compliant?
No. Google does not sign a BAA for Tag Manager either. Tag Manager is also a common leak source, since one container can load many third-party tags that staff edit without review.
What analytics tools can healthcare websites use?
Self-hosted Matomo, BAA-signing vendors such as Piwik PRO or Freshpaint, cookieless count-only tools on info pages, and server log reports. Confirm BAA coverage in writing before you deploy any of them.
Recap: is Google Analytics HIPAA compliant?
To recap, Google Analytics is not HIPAA compliant, because Google will not sign a BAA for it. The 2024 ruling trimmed OCR's tracking guidance for public pages. But trackers on portals, booking flows, and intake forms still create violations, and pixel class actions have already cost health systems $12.25 million and $6.6 million in single settlements. Run the 15-minute check above. Remove GA4 from every page that touches patient data. Replace it with a self-hosted or BAA-covered tool. If you want a documented answer on whether your setup is Google Analytics HIPAA compliant or not, a client-side compliance review gives you findings and fixes for $500.
This article is general information, not legal advice. Details reflect the HIPAA Privacy and Security Rules (45 CFR Parts 160 and 164), the status of the OCR tracking guidance after American Hospital Association v. Becerra, and Google's published HIPAA position as of June 2026. Confirm your obligations with qualified legal counsel.