If you are a healthcare organization operating in the United States, you are likely aware of the significant increase in the focus on the privacy of health data over the past year. The shift started in December 2022 with a bulletin issued by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services that highlights obligations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that organizations must meet when leveraging online tracking technologies.
This bulletin and the associated rise in enforcement activities focused on tracking technologies have a significant impact on the compliance risk HIPAA-covered entities face when using third-party tracking platforms.
If you are a HIPAA-covered entity that conducts advertising and measures site engagement and conversions within an analytics platform, you might be wondering what impact this has on how you collect analytics data and want to understand how to navigate this regulated environment moving forward.
Some Key Definitions Regarding HIPAA
Before we dive into the details of your analytics platforms and considerations as they pertain to the use of tracking technology, it’s important to understand some of the key areas and terms surrounding HIPAA. We will touch on two key terms lightly here, but if you are not familiar with them, I highly recommend you read this post on the InfoTrust blog as a prerequisite, as it goes into the granular details.
- HIPAA applies to any organization that is a covered entity as defined in the law. Covered entities are generally classified as the following:
- health plans
- healthcare clearinghouses
- healthcare providers
- Protected Health Information (PHI):
- PHI is information that is transmitted or maintained by a HIPAA-covered entity and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and either identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.
- Electronic Protected Health Information (ePHI): Essentially, this is PHI in electronic form: PHI that is transmitted, maintained, or simply stored electronically.
So what does this mean for us?
Put simply: if you are dealing with health data on a HIPAA-covered entity website, assume it is PHI unless there is explicit documentation available that it cannot be used to identify an individual, or unless none of the listed identifying data points are included in the dataset that can be associated with the health data in question.
Analytics Platforms: What You Should Know
If you are a HIPAA-covered entity, it’s important to note that Google and Adobe Analytics make no representation that they satisfy HIPAA requirements. In fact, Google recommends that entities using Google Analytics “must refrain from exposing to Google any data that may be considered Protected Health Information (PHI), even if not expressly described as PII in Google’s contracts and policies.”
PHI is only allowed to be collected as long as it is passed to a business associate. Unfortunately, that business associate must sign a Business Associate Agreement (BAA) with the covered entity, which is something that both Google Analytics and Adobe Analytics are unwilling to complete at the time of this article.
Next Steps for Analytics
Our first recommendation for any client in this space is to ensure their legal team is in the loop and aware of the above HIPAA rules vs. what marketing technology is in place. From there, it’s important to take an inventory of the data being collected by your analytics tool as well as how that data is being used across all areas of the site.
Some key considerations:
- What data configurations do I have in place and to what platforms is data being sent?
- If you are using Google Analytics (GA) or Adobe Analytics, do you have them integrated with other GA/Adobe platforms? For example, GA can be connected to products within the Google Marketing Platform such as Google Ads, BigQuery, Search Ads 360, etc. The same thing goes for Adobe.
- Am I bringing in any custom information that might be considered PHI?
- Where am I collecting this information? Many healthcare patients have patient portals behind logged-in pages, which are much more sensitive than other pages.
- How do I collect this information? Is your analytics tool hardcoded on the site or is it deployed via a tag management system such as Google Tag Manager? If you are using a third-party scheduling tool, what information are they collecting and do you have inventory of that data? (Consider our proprietary tool, Tag Inspector, which can scan your site quickly to determine what data is being sent from different platforms and how it’s sent.)
- Are you leveraging your analytics for any type of retargeting? If so, are you retargeting based on user information that may be sensitive?
- Are you collecting data on any form submissions on your website? Forms usually contain personal information and are deemed sensitive.
- App tracking: app screens are usually all behind a login and contain PHI.
The above considerations need to be taken into account, and the removal of any data that could be considered PHI is crucial as part of risk mitigation due to the uptick in enforcement for HIPAA and tracking technologies.
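One concrete way to act on the last point, stripping data that could be PHI before an analytics tag reports the page location, is shown below. This is an added example, not code from the original post, from InfoTrust, or from Google or Adobe; the sensitive parameter names, the patient-portal path prefixes and the sample URLs are constructed assumptions that a real deployment would replace with the results of its own data inventory.

```javascript
// Added example (not from the original post): redact data that could be PHI
// from the URL an analytics tag reports as the page location. The parameter
// names, path prefixes and sample URLs below are constructed assumptions, not
// a list taken from any real site or vendor documentation.

// Query parameters that commonly carry identifying or health-related values
// (assumed names; build this from your own inventory of collected data).
const SENSITIVE_PARAMS = new Set([
  "email", "phone", "patient_id", "mrn", "dob", "name", "diagnosis", "condition"
]);

// Path prefixes for logged-in / patient-portal areas (assumed values).
const PORTAL_PREFIXES = ["/portal/", "/mychart/", "/appointments/"];

// Values that look like direct identifiers even under an unknown parameter name.
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
const PHONE_RE = /^\+?\d[\d\s().-]{8,}\d$/;

function isPortalPath(pathname) {
  return PORTAL_PREFIXES.some(prefix => pathname.startsWith(prefix));
}

// Returns { url, redacted, blocked }: `url` is the location that is safe to
// send, `redacted` lists the parameters that were replaced, and `blocked` is
// true when the page sits in a portal area and the hit should not be sent at all.
function sanitizePageLocation(rawUrl) {
  const url = new URL(rawUrl);
  const redacted = [];

  if (isPortalPath(url.pathname)) {
    return { url: null, redacted, blocked: true };
  }

  // Copy the entries first so that mutating searchParams inside the loop is safe.
  for (const [key, value] of [...url.searchParams.entries()]) {
    const lowerKey = key.toLowerCase();
    if (SENSITIVE_PARAMS.has(lowerKey) || EMAIL_RE.test(value) || PHONE_RE.test(value)) {
      url.searchParams.set(key, "[REDACTED]");
      redacted.push(key);
    }
  }

  // Fragments are not needed for analytics and may carry tokens or form state.
  url.hash = "";
  return { url: url.toString(), redacted, blocked: false };
}

// Constructed sample URLs for a stand-alone run.
const SAMPLES = [
  "https://example-health.test/find-a-doctor?specialty=cardiology&utm_source=ads",
  "https://example-health.test/contact?email=jane%40example.test&topic=billing",
  "https://example-health.test/portal/messages?thread=42",
];
for (const sample of SAMPLES) {
  console.log(JSON.stringify(sanitizePageLocation(sample)));
}
```

In a tag manager deployment, a function like this would sit in a custom variable that feeds the page location field of every analytics tag, so the raw URL never reaches the vendor; the `redacted` list is also useful as an audit signal, since a page that repeatedly triggers redactions is a page whose form or link design should be reviewed rather than relying on the scrubber alone.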
For many organizations, there is still a need to collect and analyze more granular data as well as understand user interactions that occur on sensitive pages. There are platforms out there that were built based on satisfying HIPAA requirements in that they will sign a BAA and have mechanisms in place to prevent any violations as it pertains to HIPAA, but through working with clients, we have found this holds some challenges.
Here’s a short list of some of these challenges:
- The reporting is not granular enough to meet the KPIs of the business.
- The reporting model is different and not as flexible as that of Google Analytics and Adobe Analytics.
- There is often a lot of up-front technical debt to deploying a new tool to match business needs.
- Training and upskilling teams to leverage new tools is not ideal.
- Historical reporting lives entirely in GA/Adobe.
- Integrations with other products of your current tool will no longer be possible to leverage.
- Many of our clients have spent years customizing the architecture of GA in a way that meets their unique business needs. They don’t want to have to start from square one due to the above legislation.
What’s Next?
There has been an industry-wide shift in the way that healthcare organizations have been collecting and leveraging data for marketing and analysis. If you are a healthcare organization, it’s important to understand how the ongoing protections for health data impact your business to ensure your marketing technology is working in a compliant way. There are solutions out there to make sure that your analytics and marketing tools remain intact—it’s just a matter of understanding what works best for your business.