Google Analytics on Healthcare Sites: The BAA Problem Nobody Talks About

The Problem

Google Analytics tracks: IP address, browser fingerprint, page URL, referrer, and device info. When a user visits a page titled "Medicaid Eligibility Assessment" or "Home Care Services," that visit data becomes associated with a health condition.

Under HIPAA, that association makes it Protected Health Information (PHI).

Google does not sign Business Associate Agreements (BAAs) for Google Analytics, Site Kit, or Tag Manager.

That means you are sharing PHI with a vendor that has no contractual obligation to protect it. That is a HIPAA violation — right now, today.

OCR Guidance (2022 + 2023)

The Office for Civil Rights issued two bulletins specifically about tracking technologies:

•December 2022: Warned that IP addresses combined with health-related page visits constitute PHI

•March 2023: Updated guidance confirming that regulated entities must obtain a BAA before using any tracking technology that accesses PHI

Who This Affects

Any website that:

Describes health services (clinics, hospitals, medical practices, Medicaid consultants)

Has pages related to health conditions

Runs Google Analytics, Meta Pixel, TikTok Pixel, or similar trackers

If your site has a "Services" page that mentions medical services AND runs Google Analytics, you are likely in violation.

What To Do

Remove Google Analytics from all pages that reference health services

Replace with a HIPAA-compliant alternative: Plausible ($9/mo, signs DPA) or Fathom ($14/mo, signs DPA)

Audit all tracking: Meta Pixel, Hotjar, FullStory, Clarity — check BAA status for each

Scan your site: 0nCore HIPAA Scanner detects Google Analytics and flags it automatically

What We Found

In our assessment of Expert Medicaid Consultants, we found Google Site Kit 1.172.0 actively loading on all pages — including pages describing Medicaid eligibility, home care, and pooled trusts. This is a textbook OCR violation.

The fix took 30 minutes: deactivate Site Kit, install Plausible, verify no remaining GA references.

---

0nCore HIPAA Scanner checks for Google Analytics, Meta Pixel, and 4 other trackers without BAAs. Scan your site free →