
Buyer beware: GA4 isn’t compliant with HIPAA

Going with the biggest name in analytics might seem like a no-brainer for any business, but in healthcare, it’s a no-go.

By Matthew Bebenek | Jul 09, 2024 | Data Privacy, Web Analytics


If there’s one thing that healthcare websites need to be aware of when they’re evaluating an analytics solution, it’s this: Google Analytics (GA4) is not a HIPAA-compliant choice.  

The risks of GA4  

GA4 provides insights into user interactions across websites and apps and can track users across different platforms so you can get a unified view of interactions. It focuses on events, like page views, clicks, scrolls, and purchases, and gives granular insights into user actions. It also relies on AI to predict trends and user behaviors.  

There’s no doubt that GA was the early pioneer of website analytics. There’s also no doubt that it doesn’t comply with HIPAA (the Health Insurance Portability and Accountability Act), for a few critical reasons but chiefly because Google still owns all of the data collected from your users.

This might seem obvious to many in the business of dealing with patient data, but even with tons of secure web analytics options out there, there are plenty of hospitals that violate HIPAA when it comes to their web tracking tools. Just a few years ago, an investigation revealed that 33 hospitals were sending patient data to Facebook.

And when not doing the right thing puts you at risk of a class action lawsuit, “better safe than sorry” carries particular weight.  

With GA4, all data from unauthenticated sources — including third-party data — is fair game  

The US Department of Health and Human Services (HHS) gets into some detail from its point of view, stating that “Tracking technologies on a regulated entity’s unauthenticated webpage that permits individuals to schedule appointments or use a symptom-checker tool without entering credentials may have access to PHI in certain circumstances.”  

HHS poses this scenario: If an individual visits a regulated entity’s web page and makes an appointment or enters symptoms into an online tool, some tracking technologies could collect the individual’s email address or reason for seeking healthcare. That information is PHI, and disclosing it to the tracker violates HIPAA.

Also, from the HHS: “... if tracking technologies on a regulated entity’s patient portal login page or registration page collect an individual’s login information or registration information, that information is a disclosure of PHI and is subject to the HIPAA Rules.” 

Then there’s the issue of third-party data sharing. GA4 often passes data to Google, and Google uses that data for analytical and marketing purposes. HIPAA requires that any sharing of PHI be strictly controlled and used solely for permitted purposes. PHI can be shared with the individual (it’s their data, after all), or within the entity itself for treatment, payment, and healthcare operations activities (e.g., if your doctor orders an X-ray, your PHI is shared with the radiology department and the billing department).  

But GA4 has no guardrails. Put another way, it’s like a fishing net that’s designed to catch all kinds of fish indiscriminately: large, small, inedible, edible, etc. The net doesn’t know not to catch no-take species like manta rays and sea turtles. That’s what GA4 is like: It casts a wide net and gathers all types of user data without distinguishing between general information and PHI.

To be clear, it’s not like Google is trying to pull the wool over anyone’s eyes. They’re very transparent: “Google makes no representations that Google Analytics satisfies HIPAA requirements.”  

Business Associate Agreements  

For any entity to be HIPAA-compliant while using a third-party service (like a data analytics provider), a Business Associate Agreement (BAA) must be in place. This agreement ensures that the third party (the provider) will safeguard PHI according to HIPAA standards (it will protect the metaphorical manta rays and sea turtles).  

Google’s clear on this point, too: It doesn’t provide a BAA for GA4, which makes it non-compliant for handling PHI. Without a BAA, any use of GA4 in contexts involving PHI is a violation of HIPAA regulations.  

Consent management issues

HIPAA mandates explicit patient consent for data usage, for example when a patient agrees to participate in a study. GA4's data collection mechanisms might not align with the stringent consent requirements for collecting and processing PHI. For example, users might not be fully aware of the extent to which their interactions are tracked, leading to a lack of informed consent.

Alternatives that comply with HIPAA and keep patient data safe 

If you’re a healthcare organization and you’re searching for a web analytics provider, find one that comes with built-in compliance features, allows you to keep ownership of all collected data, and includes BAAs and strict data security measures such as an ISO 27001:2022 accreditation. (Hint: Siteimprove has solutions designed for healthcare that will tick all the boxes.) Then, once you’ve got your analytics tool in place, minimize the amount of data that you collect. When you collect only essential data, you reduce the risk of handling PHI inadvertently.  

Other best practices include encrypting data, of course, so that all data is safe whether it's in transit or at rest; regular audits of data collection to identify and mitigate risks related to PHI exposure; and creating and maintaining clear and comprehensive privacy policies that inform users about data collection practices and patient rights.  
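The two practices above that touch the browser, collecting only essential data and auditing what a tag actually sends, can be made concrete in code. The following JavaScript is an added example and is not Siteimprove's, Google's or GA4's code; the allowed parameters, the PHI field names, the regular expressions and the sample events are constructed assumptions that a real site would tune to its own forms. It takes events of the kind the HHS scenario describes (an appointment request carrying an email address or a reason for visit) before they reach any analytics tag, keeps only allowlisted parameters, strips query strings and fragments from page paths, redacts values that look like contact details, and records what it removed so the site can review its exposure on a schedule.

```javascript
// Added example (not Siteimprove's or Google's code): a client-side
// data-minimization filter that runs over analytics events before any
// tag sends them. Field names, patterns and sample events below are
// constructed assumptions for illustration, not a published GA4 schema.

// Only these parameters are ever allowed to leave the page (allowlist).
const ALLOWED_PARAMS = new Set(['page_path', 'page_title', 'event_category', 'event_action']);

// Parameter names typical of scheduling and symptom-checker forms
// (assumed names). Their presence in an event is flagged for audit.
const PHI_PARAM_NAMES = new Set(['email', 'phone', 'symptoms', 'reason_for_visit', 'dob', 'patient_name']);

// Value patterns that indicate PHI even under a harmless-looking key.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const PHONE_RE = /\b\d{3}[-. ]?\d{3}[-. ]?\d{4}\b/;
// Query-string keys on scheduling pages that carry reason-for-visit or
// contact details (assumed names).
const PHI_QUERY_RE = /[?&](email|phone|symptom|reason|dob)=/i;

// Reduce a page path to its path component; query strings and fragments
// are where booking and symptom-checker pages most often leak PHI.
function stripQueryAndFragment(path) {
  return String(path).split(/[?#]/)[0];
}

// Returns the minimized event plus an audit record of what was removed:
// `dropped` = keys outside the allowlist, `flagged` = keys whose raw
// name or value looked like PHI before filtering.
function minimizeEvent(name, params) {
  const kept = {};
  const audit = { dropped: [], flagged: [] };
  for (const [key, rawValue] of Object.entries(params)) {
    const raw = String(rawValue);
    const looksLikePhi = PHI_PARAM_NAMES.has(key)
      || EMAIL_RE.test(raw) || PHONE_RE.test(raw)
      || (key === 'page_path' && PHI_QUERY_RE.test(raw));
    if (looksLikePhi) audit.flagged.push(key);
    if (!ALLOWED_PARAMS.has(key)) { audit.dropped.push(key); continue; }
    let value = key === 'page_path' ? stripQueryAndFragment(raw) : raw;
    // Redact anything that still looks like contact data after stripping.
    if (PHI_PARAM_NAMES.has(key) || EMAIL_RE.test(value) || PHONE_RE.test(value)) {
      value = '[redacted]';
    }
    kept[key] = value;
  }
  return { name, params: kept, audit };
}

// Audit helper for a batch of captured events: counts how many would
// have exposed PHI had they been sent unfiltered.
function auditBatch(events) {
  const minimized = events.map(({ name, params }) => minimizeEvent(name, params));
  const exposing = minimized.filter((ev) => ev.audit.flagged.length > 0).length;
  return { total: events.length, exposing, minimized };
}

// Constructed sample events, as a tag on a symptom checker might emit them.
const SAMPLE_EVENTS = [
  { name: 'page_view', params: { page_path: '/schedule?reason=chest+pain&email=jane%40example.com', page_title: 'Schedule an appointment' } },
  { name: 'form_submit', params: { event_category: 'symptom_checker', symptoms: 'fever, cough', email: 'jane@example.com' } },
  { name: 'page_view', params: { page_path: '/about', page_title: 'About us' } },
];

// Running the audit over the sample batch: 2 of 3 events carried PHI.
const report = auditBatch(SAMPLE_EVENTS);
console.log(`${report.exposing} of ${report.total} events would have exposed PHI`);
for (const ev of report.minimized) {
  console.log(ev.name, JSON.stringify(ev.params), 'flagged:', ev.audit.flagged.join(',') || 'none');
}
```

The design choice worth noting is the allowlist: a denylist of PHI field names only catches the names someone thought of, while an allowlist means a new form field is dropped by default until somebody consciously approves it. The audit record is what makes the "regular audits" practice cheap: log `flagged` counts per page over time and a spike on a scheduling page points straight at the form or link that started leaking.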

It can be tempting to consider going with the biggest name in analytics, but not at the risk of running afoul of HIPAA. The risks are simply too great, whether it’s lack of a BAA, the potential for PHI leakage, or inadequate consent mechanisms. No matter what your business goals are, safeguarding patient privacy and maintaining trust are at the very core of your success.