HIPAA Analytics

HIPAA Compliant Analytics Solutions

March 2024 Update - HIPAA Analytics

HIPAA Non-Compliance in Website Analytics is now a Priority for OCR

Despite the good intentions of healthcare business owners, using analytics tools like Google Analytics, Adobe Analytics, or various plugins on platforms such as WIX, WordPress, or GoDaddy can inadvertently lead to non-compliance if not handled correctly.


Managed HIPAA Website Solution

All in One Click - Get Setup With HIPAA Emails

Switching the management of your website over to HIPAA Digital is easy and remarkably cost-effective. We sign a Business Associate Agreement and switch your existing website over to our systems and HIPAA Compliant Hosting. And with our Analytics add-on at just $39 per month, you get the peace of mind that your analytics are compliant, including:

  • ePHI Configuration of Analytics
  • First Party Data Protocols
  • Access Controls
  • Visitors’ IP Address Security
  • Server Log Compliance
  • IP anonymization and ID masking
  • Disabled data sharing
  • Regular Privacy and Security audits
  • Safe Tag Management System
  • Pixel Cleansing & Management


Now is the time to get serious

Many healthcare practitioners overlook a critical aspect of HIPAA compliance—analytics tracking on their websites. And as of 18th March 2024, it’s time to get serious about tracking software and plugins on your site.

OCR is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies. OCR’s principal interest in this area is ensuring that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity and availability of ePHI.

HIPAA Analytics Compliance
HIPAA Analytics from HIPAA Digital

Have you overlooked HIPAA Analytics?

HIPAA governs regulated entities’ use and disclosure of PHI, which is defined as individually identifiable information that relates to the past, present or future physical or mental health or condition of, the provision of health care to, or the past, present or future payment for the provision of health care to an individual.

Cookies, pixels and other online tracking technologies collect and disclose, based on their configurations and placement, information about an individual, including actual or potentially implied health information.


Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. It’s important not to assume that your current developer or marketing contractors have ensured compliance in this area, especially if they haven’t signed a Business Associate Agreement with you.

  • PHI Configuration of Analytics
  • Server Log Compliance
  • IP Anonymization
  • Safe Tag Management
  • Done For You Service
  • Access Controls
  • IP Address Security
  • Disabled Data Sharing
  • Privacy and Security Audits
  • Pixel Cleansing


Do You Know What Data You're Collecting?

Analytics are a Priority for OCR

The ePHI Analytics Risk

We often hear the claim that “my website does not specifically collect PHI or ePHI”, which is always worrying, because it is simply the business owner deciding what is, and what is not, ePHI.

For example:

The analytics and server logs generated by a relative searching a website for visiting times are obviously not ePHI, nor are those generated by a user searching for a job.

Yet, by the same definition, it’s abundantly clear from HHS guidance that in some cases, analytics and server logs will constitute ePHI. For example, a potential patient searching for information on specific medical conditions or treatments on a healthcare provider’s website could easily generate ePHI if you know where to look, especially if this user visits the same page multiple times, leaving no doubt about their intentions.

So, unless you’re using very sophisticated page analytics segmentation silos on your website and can tell the intention of a website visitor 100% of the time, you now have a risk that needs to be mitigated.

Google Analytics are not Compliant

Let’s take a look at what Google Analytics has to say about whether their data constitutes ePHI:


  • Google won’t sign a Business Associate Agreement for the use of Google Analytics.
  • You must strip all PII/PHI from data before sending it to GA4.
  • Google uses all data within its systems to develop new services, improve existing offerings, and create personalized advertising experiences, which is a breach of HIPAA’s Privacy Rule.
  • Google stores all tracked data in databases located around the world and offers neither on-premise hosting nor bespoke data residency services. Covered entities cannot control where their patient data is stored, which is a HIPAA breach of accountability.
  • Google Tag Manager’s use policy obliges you to respect Google Analytics’ terms of service and not share any personally identifiable information (PII) with Google.

HIPAA Compliant Website, Hosting & Marketing Education

Welcome to the HIPAA Compliant Website, Hosting & Marketing Education podcast! We're here to help healthcare professionals stay compliant. Join us for valuable insights on HIPAA regulations, secure hosting, and compliant marketing strategies. Stay informed and ahead of the curve with your host, Alexander Bentley-Sutherland.
