What Google says officially
Google maintains a direct HIPAA and Google Analytics page . It says Google does not offer a Business Associate Agreement for Analytics and makes no representation that the service satisfies HIPAA requirements. Regulated entities are instructed not to use Analytics in a way that gives Google access to PHI.
The guidance goes further than a generic warning. Google says customers may use Analytics only on pages that are not HIPAA-covered, should not tag authenticated pages that are likely covered, and should have legal counsel identify suitable pages. Its broader privacy policy for Analytics data also prohibits sending personally identifiable information.
This is a clear “no” for any analytics deployment that may collect PHI. It is based on Google’s stated contract and product boundary, not on whether a particular privacy toggle exists.
What this means for a medical practice
An analytics tag observes more than a page title. It may receive the page URL, referral source, device identifiers, campaign parameters, events, form interactions, and custom dimensions. On a medical site, those signals can reveal that an identifiable person viewed a particular treatment page, opened a portal, or completed an appointment action.
Removing a patient’s name from a form field is not enough if the browser still sends a unique identifier and a URL containing an appointment type. Consent banners, IP controls, shorter retention, or advertising switches may improve privacy, but they do not create the missing BAA or override Google’s instruction not to expose PHI.
Our HIPAAconscious medical website guide treats trackers as part of the data flow, not merely a marketing feature. A sound healthcare marketing program can still measure public campaigns with aggregate, carefully separated methods while protecting patient journeys.
If legal review determines that a truly non-covered public page can use Analytics, isolate it from patient navigation and verify exactly what the tag sends. That limited public use does not change the verdict for HIPAA-covered pages or PHI.
Tag-management rules need the same scrutiny. Removing the visible Analytics snippet while leaving a tag-manager trigger, embedded form script, or server-side measurement endpoint can preserve the collection. Document the approved pages, block the tag everywhere else, and retest after redesigns or campaign launches. Staff should also know that adding a custom event or URL parameter can change the data classification even when the base configuration was previously reviewed.
Compliant alternatives
There is no approved setting that turns Google Analytics into a PHI processor under a Google BAA. The safer design is to keep patient collection in a contracted service such as Jotform or a protected Wix workflow, and keep marketing measurement technically separated from that route.
Practices should choose a measurement approach through their risk analysis and legal review, with enough network-level testing to confirm the implementation matches the design.
Bottom line
Do not send PHI to Google Analytics or install its tags on HIPAA-covered pages. Google does not offer a BAA for Analytics and explicitly directs regulated entities to keep it away from those pages and data flows.