convesio logo

Using Google Analytics Can Constitute a HIPAA Data Breach


In this Article

Looking for HIPAA-compliant web hosting for your WordPress or WooCommerce site? Convesio’s cutting-edge security infrastructure makes it an excellent choice for WordPress and WooCommerce sites that need to be HIPAA compliant.

Learn more about our HIPAA-compliant hosting plans.

Last month, the U.S. Department of Health and Human Services (HHS) updated its guidelines pertaining to online tracking via pixels, cookies, and other online tracking technologies. Specifically, the updated guidelines clarified what counts as PHI (Protected Health Information) in the context of automatic tracking services like Google Analytics that gather data about a user, even if that user doesn’t have a previous relationship with the entity.

In this post, we’ll talk about the new guidelines, what prompted them, and what you should do about it if you run a website that falls under HIPAA.

What Are the Updated Guidelines About?

This update is intended to clarify the rules for regulated entities and builds upon the original bulletin from December 2022. The key point, quoted directly from the bulletin, is:

“IIHI (individually identifiable health information) collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as in some circumstances IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.

On the whole, the rules are still the same. Here’s a breakdown of the key points from this latest clarification:

  • Analytics data can also be PHI – Any health-related information captured through websites or apps is considered PHI, even if there’s no direct treatment or billing information involved. In other words, the data captured by Google Analytics or another analytics app can still be considered PHI.
  • Privacy policies aren’t enough – Merely disclosing the use of tracking technologies in privacy policies or via user consent mechanisms does not suffice as HIPAA authorization. This means that an “opt-in” button or banner isn’t enough for HIPAA-compliance.
  • Third-party sharing – Sharing PHI with third parties requires HIPAA-compliant authorizations or agreements. This can include tracking data.
  • Breaches – HIPAA-regulated sites that share PHI with tracking tech companies (like Google Analytics) must follow the existing HIPAA Breach Notification Rule.

What’s in This New Update?

The major clarification in this update concerns exactly what counts as PHI, in the context of tracking technology. Some things may not count as PHI if the visit to the webpage is not related to the individual healthcare or payment for healthcare. For example, if the individual visited the site accidentally, to search for a job, or to find the visiting hours, this likely will not be considered PHI.

However, if the visitor does an action that involves seeking healthcare services (like booking an appointment or searching for symptoms) that will be considered PHI, and the HIPAA entity needs to have a Business Associate Agreement (BAA) with the analytics technology provider.

Can You Keep Using Google Analytics?

If you are currently using Google Analytics and are a HIPAA-regulated entity, it’s very important to read this section. Google Analytics is the most popular analytics tool, especially on WordPress websites. Unfortunately, it is extremely easy to breach HIPAA data using Google Analytics with the incorrect settings. In addition Google is constantly updating these settings, so you need to stay on top of these issues.

Why? The simple version is this: Google uses logged-in sessions for cross-site tracking, ad personalization, remarketing, and retargeting. For example, imagine you’re logged into your Google account and you’re looking at a doctor’s website. If you then go on to your mobile device, Google knows that you’re logged into multiple devices.

This is where this becomes an issue. If Google knows John Smith was visiting your site because you have cross device tracking enabled, then you are sharing the session data from that visit to Google – Google knows who this individual is. Same goes for all of your social media retargeting pixels, as well. Under the HHS guidelines, this constitutes an immediate data breach because you’ve shared medical browsing information with Google Analytics. As such, Google Analytics is not a HIPAA-compliant solution for any pages that fall under HIPAA regulations – at least by default.

To quote Google’s article on the topic:

  • Customers who are subject to HIPAA must not use Google Analytics in any way that implicates Google’s access to, or collection of, PHI, and may only use Google Analytics on pages that are not HIPAA-covered.
  • Authenticated pages are likely to be HIPAA-covered and customers should not set Google Analytics tags on those pages.
  • Unauthenticated pages that are related to the provision of health care services, including as described in the HHS bulletin, are more likely to be HIPAA-covered, and customers should not set Google Analytics tags on HIPAA-covered pages..

A Possible Option

That all said, there is a way to turn off the tracking mentioned above – and potentially make your site HIPAA-compliant.  To turn off this tracking, go into Google Analytics and find Data collection in the left hand side navigation menu. Then, uncheck the item in the top right.


But: still be careful to make sure that your site is HIPAA compliant. It is still unclear if turning off this feature is sufficient for making your site HIPAA-compliant. Again, you should proceed with caution and still make sure that you are not collecting and sharing PHI.

The good news: Convesio’s new dashboard, which is launching in the next month, is entirely integrated with Cloudflare. We have a signed BAA with Cloudflare, which means we can provide you with HIPAA-compliant analytic data.

That’s right: Convesio will be offering a HIPAA-compliant analytics service as a part of our hosting dashboard.

Learn more about Convesio’s HIPAA-compliant website hosting.


In this Article

Convesio Hosting Dashboard
Related Articles

Convesio Acquires WooCommerce Marketing Automation Platform Growmatik

Get WordPress Performance Tips
Subscribe to our monthly newsletter covering performance, innovation & running WordPress at scale.