Vendor documentation review

Is Google Analytics HIPAA Compliant? (2026 Verdict)

No

Google does not offer a BAA for Google Analytics and instructs regulated entities not to send it PHI or deploy it on HIPAA-covered pages.

Last verified:

At a glance

BAA available
No
Plan required
Not applicable
Configuration required
Do not install Google Analytics on pages or flows where its collection may include PHI.
Category
Analytics Ads

What Google says officially

Google maintains a direct HIPAA and Google Analytics page . It says Google does not offer a Business Associate Agreement for Analytics and makes no representation that the service satisfies HIPAA requirements. Regulated entities are instructed not to use Analytics in a way that gives Google access to PHI.

The guidance goes further than a generic warning. Google says customers may use Analytics only on pages that are not HIPAA-covered, should not tag authenticated pages that are likely covered, and should have legal counsel identify suitable pages. Its broader privacy policy for Analytics data also prohibits sending personally identifiable information.

This is a clear “no” for any analytics deployment that may collect PHI. It is based on Google’s stated contract and product boundary, not on whether a particular privacy toggle exists.

What this means for a medical practice

An analytics tag observes more than a page title. It may receive the page URL, referral source, device identifiers, campaign parameters, events, form interactions, and custom dimensions. On a medical site, those signals can reveal that an identifiable person viewed a particular treatment page, opened a portal, or completed an appointment action.

Removing a patient’s name from a form field is not enough if the browser still sends a unique identifier and a URL containing an appointment type. Consent banners, IP controls, shorter retention, or advertising switches may improve privacy, but they do not create the missing BAA or override Google’s instruction not to expose PHI.

Our HIPAAconscious medical website guide treats trackers as part of the data flow, not merely a marketing feature. A sound healthcare marketing program can still measure public campaigns with aggregate, carefully separated methods while protecting patient journeys.

If legal review determines that a truly non-covered public page can use Analytics, isolate it from patient navigation and verify exactly what the tag sends. That limited public use does not change the verdict for HIPAA-covered pages or PHI.

Tag-management rules need the same scrutiny. Removing the visible Analytics snippet while leaving a tag-manager trigger, embedded form script, or server-side measurement endpoint can preserve the collection. Document the approved pages, block the tag everywhere else, and retest after redesigns or campaign launches. Staff should also know that adding a custom event or URL parameter can change the data classification even when the base configuration was previously reviewed.

Compliant alternatives

There is no approved setting that turns Google Analytics into a PHI processor under a Google BAA. The safer design is to keep patient collection in a contracted service such as Jotform or a protected Wix workflow, and keep marketing measurement technically separated from that route.

Practices should choose a measurement approach through their risk analysis and legal review, with enough network-level testing to confirm the implementation matches the design.

Bottom line

Do not send PHI to Google Analytics or install its tags on HIPAA-covered pages. Google does not offer a BAA for Analytics and explicitly directs regulated entities to keep it away from those pages and data flows.

Frequently asked questions

Does Google offer a BAA for Google Analytics?

No. Google's current Analytics guidance expressly says it does not offer Business Associate Agreements for this service.

Can a clinic put Google Analytics on a patient portal?

Google says authenticated pages are likely to be HIPAA-covered and regulated entities should not place Analytics tags on HIPAA-covered pages.

Does removing names make every Analytics event safe?

No. Page context, URLs, identifiers, events, and other data can reveal health information even when a name is not sent.

HIPAA-friendly alternatives

A practical second look

Not sure what your website and tools are doing with patient data?

Request a done-for-you review.

Request a review