
Healthcare Marketing With HIPAA Compliant Google Analytics

PatientGain gets questions from medical and dental practice managers every day. A common one is "Do I need to use HIPAA Compliant Google Analytics?" The answer is YES.

Can Google Analytics be used in compliance with HIPAA?

According to Google: Customers must refrain from using Google Analytics in any way that may create obligations under HIPAA for Google. HIPAA-regulated entities using Google Analytics must refrain from exposing to Google any data that may be considered Protected Health Information (PHI), even if not expressly described as PII in Google’s contracts and policies. Google makes no representations that Google Analytics satisfies HIPAA requirements and does not offer Business Associate Agreements in connection with this service. For HIPAA-regulated entities looking to determine how to configure Google Analytics on their properties, the HHS bulletin provides specific guidance on when data may and may not qualify as PHI. 

The problem extends to other technology stacks as well:

  1. Pixels - Meta and other platforms
  2. Google Analytics
  3. Google Search Console
  4. Google Tag Manager
  5. Google PPC Ads Account(s)

None of these platforms are HIPAA compliant out of the box. Because these advertising and analytics platforms (Meta, Google Ads, Google Analytics, and Tag Manager) collect device identifiers and often transmit data to third parties, using them on a healthcare site without highly specific privacy configurations can result in HIPAA violations.

1. Meta (Facebook) and Other Tracking Pixels

  • Compliance Status: Not Compliant
  • Why: Standard tracking pixels are designed to follow user activity across the web. Transmitting this data (even browsing behavior paired with an IP address) to Meta can constitute an unauthorized disclosure of Protected Health Information (PHI).

2. Google Analytics (GA4)

  • Compliance Status: Not Compliant
  • Why: Google explicitly refuses to sign a Business Associate Agreement (BAA) for Google Analytics. Their official documentation states that these tools must not be used to process or store PHI.

3. Google Tag Manager (GTM) & Google Search Console

  • Compliance Status: Not Compliant out-of-the-box
  • Why: GTM processes and routes raw user data to various marketing platforms. If it is allowed to read and pass through sensitive health data or PII, it breaks compliance.

4. Google Ads Account

  • Compliance Status: Not Compliant out-of-the-box
  • Why: Running retargeting or standard conversion tracking on pages where users are logged into patient portals or reading specific health conditions risks associating an individual’s device with a medical concern.

The Core Problem First

Google does not offer a BAA for Google Analytics — Google has explicitly stated it never intended GA4 to be HIPAA-compliant. This means standard GA4 installed on any healthcare website page that discusses conditions, treatments, or services is likely a HIPAA violation, even on public-facing pages before a patient logs in. Every page of a med spa or clinic website “talks about the provision of healthcare services,” which means virtually the entire site is in scope.

The fix is either a purpose-built HIPAA analytics platform (replacing GA4 entirely) or a server-side privacy intermediary that strips PHI before passing anonymized data to GA4 and ad platforms.

How Healthcare Organizations Mitigate the Risk

Which healthcare marketing companies provide solutions?

Category 1 — HIPAA-Compliant Analytics Platforms (Replace GA4)

These platforms sign a BAA, store your data on HIPAA-certified infrastructure, and give you full analytics without needing to de-identify everything first.

Piwik PRO
  • What it does: Full analytics suite — tracks complete patient journeys including PHI, 256-bit AES encryption, HIPAA-certified Microsoft Azure hosting in the US, built-in tag management and consent management
  • BAA: Yes — customizable BAA
  • Pricing: Custom quote (enterprise-tier). Example for a 5 location practice: will require an Enterprise contract, approx. $800/mon with annual contract
  • Best for: Health systems, multi-location groups needing full behavioral analytics with PHI intact

Mixpanel
  • What it does: Product and behavioral analytics — tracks user actions across web and app; signs BAA
  • BAA: Yes
  • Pricing: Starts at $20/mo; enterprise $3,000–$5,000+/mo. Example for a 5 location practice: will require an Enterprise contract, approx. $1000/mon with annual contract
  • Best for: Mid-size healthcare groups

Amplitude
  • What it does: Behavioral analytics and product intelligence; BAA available at enterprise tier
  • BAA: Yes (enterprise)
  • Pricing: Custom – Enterprise only – not offered, for example, for a 5 location practice
  • Best for: Large health systems and digital health companies

Heap
  • What it does: Auto-captures all user interactions; BAA available
  • BAA: Yes
  • Pricing: Custom – not offered, for example, for a 5 location practice
  • Best for: Teams that want zero-config event tracking

Matomo
  • What it does: Open-source analytics with self-hosted or cloud options; full data ownership; BAA available on cloud
  • BAA: Yes
  • Pricing: Free (self-hosted) to custom (cloud). This is for technical staff to implement the tool on their own.
  • Best for: Budget-conscious practices wanting data ownership

Category 2 — Server-Side Privacy Intermediaries (Make GA4 + Meta Usable)

These act as a compliant middleman — they intercept all tracking data, strip PHI before it reaches Google or Meta, and forward only anonymized conversion signals to the ad platforms. This is how you use GA4, Google Ads conversion tracking, and Meta Pixel in a HIPAA-safe way.

Freshpaint
  • How it works: Purpose-built for healthcare — replaces all tracking pixels with a single privacy-first layer; uses cryptographic hashing and anonymous user IDs; routes only compliant data downstream to GA4, Google Ads, Meta
  • BAA: Yes
  • Best for: Healthcare marketers who want to keep using GA4 and Meta without replacing them; strong fit for med spas and specialty clinics

Pilot Digital
  • How it works: Agency + server-side analytics solution — strips PHI before sending to GA4 and ad platforms; signs BAA as agency
  • BAA: Yes
  • Best for: Small-to-mid healthcare practices working with a managed agency

Improvado
  • How it works: Cross-channel marketing data aggregation with HIPAA-compliant data pipelines; connects to 500+ sources; used alongside analytics tools
  • BAA: Yes
  • Best for: Multi-location groups needing attribution across many ad channels

Tealium
  • How it works: Enterprise tag management and customer data platform with HIPAA-compliant routing
  • BAA: Yes
  • Best for: Large enterprise health systems
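To make the Category 2 approach concrete, here is an added example (written for this page, not code from any vendor listed above) of the PHI-stripping step such an intermediary performs on a GA4 Measurement Protocol body before forwarding it: the browser client_id is replaced with a keyed pseudonym, user_id and user_properties are never copied, query strings and fragments are cut from URLs, events from portal paths are dropped, and identifying parameters are removed. The key, the blocked path prefixes, the parameter blocklist and the sample payload are all constructed assumptions for illustration.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed for this example: the key lives only on the practice's server, so the
# platform receiving the pseudonym cannot reverse it or recompute it.
PSEUDONYM_KEY = b"replace-with-a-server-side-secret"
# Paths where the hit itself reveals a care relationship; events here are dropped.
BLOCKED_PATH_PREFIXES = ("/portal", "/patient", "/appointment")
# Event parameter names that directly identify a person (assumed list).
PII_PARAM_KEYS = {"email", "phone", "name", "patient_id", "dob", "user_id"}

def pseudonymize(identifier: str) -> str:
    """Replace the browser-issued client_id with a keyed SHA-256 pseudonym."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:32]

def strip_url(url: str) -> str:
    """Keep scheme, host and path; query strings and fragments often carry names or booking details."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def sanitize_ga4_payload(payload: dict) -> Optional[dict]:
    """Return a cleaned Measurement Protocol body, or None if nothing may be forwarded."""
    # user_id and user_properties are deliberately never copied: they tie events to a person.
    out = {"client_id": pseudonymize(payload["client_id"]), "events": []}
    for event in payload.get("events", []):
        params = dict(event.get("params", {}))
        if urlsplit(params.get("page_location", "")).path.startswith(BLOCKED_PATH_PREFIXES):
            continue  # e.g. a logged-in portal page: forward nothing about it
        for key in ("page_location", "page_referrer"):
            if key in params:
                params[key] = strip_url(params[key])
        params = {k: v for k, v in params.items() if k.lower() not in PII_PARAM_KEYS}
        out["events"].append({"name": event["name"], "params": params})
    return out if out["events"] else None

# Constructed sample: one public service page hit (with PII in the URL) and one portal hit.
SAMPLE_PAYLOAD = {
    "client_id": "1234567890.1700000000",
    "user_id": "MRN-0001",
    "events": [
        {"name": "page_view", "params": {
            "page_location": "https://clinic.example/services/botox?email=jane@example.com",
            "page_referrer": "https://search.example/?q=botox+near+me",
            "email": "jane@example.com"}},
        {"name": "page_view", "params": {"page_location": "https://clinic.example/portal/results"}},
    ],
}
```

Calling sanitize_ga4_payload(SAMPLE_PAYLOAD) yields a single page_view for https://clinic.example/services/botox under a pseudonymous client_id; because the intermediary rather than the browser makes the request to Google, the visitor's IP address is not part of what is forwarded either.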

Category 3 — Healthcare Marketing Agencies That Handle HIPAA Analytics for You

These agencies implement and manage the HIPAA-compliant analytics infrastructure on behalf of the practice, so the practice never has to touch the technical setup. However, you will still need to pay for the software licences. The only exception is PatientGain, which has its own software, implementation and technical management, so it is all done for you.

Cardinal Digital Marketing
  • Approach: Server-side tracking implementation, call tracking with AI call analysis, HIPAA-compliant attribution across CRM and ad platforms; signs BAA
  • BAA: Yes
  • Notes: Specialty healthcare and multi-location groups

Hedy & Hopp
  • Approach: Healthcare-only agency; server-side tracking, consent management, first-party data architecture
  • BAA: Yes
  • Notes: Community health systems and specialty practices

Full Media
  • Approach: HIPAA-compliant martech stack design, BAA documentation, server-side tracking
  • BAA: Yes
  • Notes: Healthcare organizations with complex attribution needs

PatientGain
  • Approach: Proprietary HipaaServer infrastructure — scrubs personal identifiers server-side before any data reaches Google or Meta; built-in HIPAA-compliant dashboards replace GA4 entirely; single BAA covers the full stack
  • BAA: Yes — single BAA
  • Notes: Med spas, primary care, dental, wellness — single or multi-location – 42 different specialties

How They Compare on Key Dimensions

Piwik PRO / Matomo
  • Replaces GA4? Yes
  • Keeps GA4 + Meta? No
  • BAA required? Yes
  • Pricing range: $0–$5,000+/mo
  • Technical complexity: Low–medium

Freshpaint
  • Replaces GA4? No — intermediary
  • Keeps GA4 + Meta? Yes
  • BAA required? Yes
  • Pricing range: Custom (mid-market)
  • Technical complexity: Low (marketer-friendly)

Improvado
  • Replaces GA4? No — aggregation layer
  • Keeps GA4 + Meta? Yes
  • BAA required? Yes
  • Pricing range: $3,500–$6,000+/mo
  • Technical complexity: Medium–high

Cardinal / Agency model
  • Replaces GA4? Depends on setup
  • Keeps GA4 + Meta? Yes
  • BAA required? Yes
  • Pricing range: $4,000–$6,000+/mo retainer
  • Technical complexity: Handled by agency

PatientGain PLATINUM
  • Replaces GA4? Yes — proprietary dashboards
  • Keeps GA4 + Meta? No GA4/Meta pixel needed
  • BAA required? Yes — single BAA
  • Pricing range: $1,699–$3,000/mo (includes full stack)
  • Technical complexity: None — fully managed

If you want everything — analytics, ads management, SEO, chatbot, texting, scheduling, and compliance — under one contract and one BAA with no separate analytics vendor to manage, PatientGain PLATINUM’s proprietary HipaaServer handles the tracking layer internally, which is why no separate analytics vendor or additional BAA is required.