If you run a healthcare practice's website, someone has probably told you one of two things: "Google Analytics is illegal under HIPAA" or "Google Analytics is fine, everyone uses it." Both are wrong, and the distance between them is exactly where most of the real-world risk lives.
This post walks through what the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has actually said about web analytics, what a federal court changed in 2024, and a practical way to think about analytics on a healthcare site. It is an explainer, not legal advice — for decisions about your own organization, talk to qualified counsel.
The December 2022 bulletin
In December 2022, OCR published a bulletin on the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates. It was the first time the regulator addressed web analytics and advertising pixels head on, and its core claims were broad:
- Tracking technologies (analytics scripts, pixels, session-replay tools) can collect protected health information (PHI) when deployed on a regulated entity's website — including, OCR argued, on unauthenticated pages that do not sit behind a patient login.
- An IP address combined with a visit to a webpage about a specific health condition or provider could, in OCR's reading, itself constitute individually identifiable health information.
- Disclosing that information to a tracking vendor without a business associate agreement (BAA) or valid authorization would be an impermissible disclosure.
The bulletin named the categories that matter in practice: third-party analytics (Google Analytics among them), advertising pixels, and session recording. Google has stated that it does not sign BAAs for standard Google Analytics, which is what made the bulletin feel existential for many marketing teams.
What the court changed in 2024
The American Hospital Association and others sued, and in June 2024 a federal court in the Northern District of Texas vacated the most aggressive piece of the guidance: the idea that an IP address plus a visit to an unauthenticated public health webpage is automatically individually identifiable health information, regardless of why the visitor was there. OCR had already softened the bulletin in a March 2024 revision before the ruling.
It is tempting to read that as "analytics are fine again." That overreads the decision in three ways:
- Authenticated pages were never in question. Patient portals, scheduling flows that know who you are, intake forms — tracking there can still transmit PHI, and that part of the guidance stands.
- The court ruled on one inference, not the whole topic. Where a tracker demonstrably receives identifying information and health context — an email address in a URL parameter, form field contents captured by session replay, an appointment-booking event with a condition name — the ordinary HIPAA analysis still applies.
- HIPAA is not the only exposure. The FTC has pursued digital-health companies over tracking disclosures under its own authority (GoodRx and BetterHelp settled in 2023), state privacy laws are expanding, and the class-action bar has been extremely active. Several large health systems have paid multi-million-dollar settlements over pixels regardless of any OCR action.
So is Google Analytics "allowed"?
The honest answer is: it depends on where it runs and what it receives. A useful mental model is to sort your pages into two buckets.
General marketing pages — your homepage, "about us", service descriptions, blog. After the 2024 ruling, standard analytics on these pages is a defensible, mainstream position for most organizations, provided the configuration is clean: no identifiers in URLs, no events that encode health details, IP handling and data-sharing settings reviewed, and the usage disclosed in your privacy policy.
Patient-facing pages — appointment booking, intake and registration forms, the patient portal and anything behind login, symptom checkers, condition-specific landing pages tied to scheduling. Here the calculus is different. The page context plus user interaction can reveal health information, Google will not sign a BAA for standard Analytics, and these are precisely the pages regulators and plaintiffs' firms have focused on. The conservative — and increasingly common — position is simply: no third-party analytics or advertising tags on patient-facing pages.
This two-bucket distinction is also how Sift Health scores findings: the same tracker that rates as informational on a marketing page is escalated when it appears on a page classified as intake, appointment, or portal.
A practical checklist
If you want to keep analytics without keeping the risk, work through this:
- Inventory first. You cannot reason about tags you do not know exist. Crawl your own site (or run a scanner) and list every third-party script, pixel, and iframe — including ones loaded indirectly through Google Tag Manager.
- Strip patient-facing pages. Remove analytics, ad pixels, and session replay from booking, intake, portal, and condition-specific scheduling pages. If marketing insists on conversion measurement, explore server-side or privacy-focused alternatives and get counsel involved.
- Audit what is transmitted, not just what is installed. Check for email addresses, names, or appointment details in URLs and event payloads; that is how "we only use it for page counts" turns into a disclosure.
- Update the privacy policy. Disclose the analytics and advertising technologies you actually use. A policy that is silent about tracking while a dozen tags fire is a credibility problem in any dispute.
- Re-check after every site change. Tags arrive with redesigns, new landing pages, and marketing campaigns. Continuous monitoring exists because one-time cleanups do not stay clean.
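As an added example (not code from Sift Health or this post), a minimal page scanner that applies the first three checklist steps to constructed HTML: it inventories third-party script, iframe and pixel sources, sorts the page into the marketing or patient-facing bucket by path keywords, and checks the page URL, tag sources and inline event pushes for email addresses and identifying keys. The first-party domain, the path keywords and the list of risky keys are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OWN_DOMAIN = "clinic.example"  # assumed first-party domain (constructed)
PATIENT_PATHS = ("intake", "appointment", "book", "portal", "schedul")  # assumed bucket markers
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
KEY_RE = re.compile(r"""["'](\w+)["']\s*:|[?&](\w+)=""")  # JSON keys in inline events, query keys in URLs
RISKY_KEYS = {"email", "name", "phone", "dob", "patient", "condition"}  # assumed identifying keys


class TagCollector(HTMLParser):
    """Collects src of script/iframe/img tags and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe", "img") and src:
            self.srcs.append(src)
        self._in_script = self._in_script or tag == "script"

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def scan_page(url, html):
    """Inventory third-party loads on one page and rate them by page bucket."""
    p = TagCollector()
    p.feed(html)
    bucket = "patient-facing" if any(k in url.lower() for k in PATIENT_PATHS) else "marketing"
    third_party = sorted(h for h in {urlparse(s).netloc for s in p.srcs} if h and not h.endswith(OWN_DOMAIN))
    # Audit what is transmitted, not just what is installed: page URL, tag sources, inline events
    blob = " ".join([url] + p.srcs + p.inline)
    leaks = set(EMAIL_RE.findall(blob))
    leaks |= {k for pair in KEY_RE.findall(blob) for k in pair if k.lower() in RISKY_KEYS}
    severity = ("none" if not third_party else  # escalate on patient-facing pages or on any leak
                "high" if bucket == "patient-facing" or leaks else "info")
    return {"bucket": bucket, "third_party": third_party, "leaks": sorted(leaks), "severity": severity}


# Constructed sample pages, one per bucket (tag ids are placeholders)
MARKETING_HTML = ('<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER">'
                  '</script></head><body><h1>About us</h1></body></html>')
INTAKE_HTML = ('<html><head><script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>'
               '<script>gtag("event", "booked", {"condition": "diabetes", "email": "pat@example.com"});'
               '</script></head><body><img src="https://www.facebook.com/tr?id=1&ev=PageView"></body></html>')
```

The same gtag loader rates as informational on the about page and as high on the booking page, because of the bucket and because the inline event carries a condition name and an email address.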
The bottom line
Google Analytics is not a HIPAA violation by existence. It becomes a problem when it (or any third-party tag) receives identifying information in a health context — and patient-facing pages are where that happens. The 2022 bulletin put the issue on the map, the 2024 ruling trimmed its most expansive theory, and the FTC and class-action activity guarantee the underlying question is not going away.
If you want to know what is actually running on your site today, a free Sift Health scan inventories the trackers on your public pages and flags the ones sitting on patient-facing flows — with plain-English recommendations for each. It is a risk indicator, not a compliance determination, but it is the inventory step most practices have never done.
Sources
- HHS OCR, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (Dec. 2022; revised Mar. 2024) — hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking
- American Hospital Association v. Becerra, N.D. Tex. (June 2024)
- FTC enforcement actions: GoodRx (Feb. 2023), BetterHelp (Mar. 2023)
- FTC & OCR joint letter to hospital systems and telehealth providers (July 2023)