Is Google Analytics HIPAA compliant?
No. Google explicitly does not offer a BAA for Google Analytics and states it is not a HIPAA-eligible service, so PHI must never be passed to it.
Key facts
- BAA available: No — vendor will not sign a BAA
- Official source: Google Analytics Help — HIPAA and Google Analytics — https://support.google.com/analytics/answer/13297105?hl=en (verified 2026-06)
What to do instead of Google Analytics
- Do not place Google Analytics tags on authenticated pages or any healthcare-service pages where PHI could be collected.
- Ensure no data Google could recognize as PII/PHI (names, emails, identifiers, health context in URLs) is ever sent to Analytics.
- For analytics on HIPAA-covered properties, use a HIPAA-friendly, BAA-signing analytics vendor (e.g., Piwik PRO or a self-hosted/first-party option).
- Consult legal counsel to map which pages are safe to tag and audit existing tags for leakage.
Important caveats
- Google's own documentation says it makes no representation that Analytics meets HIPAA and will not sign a BAA for it.
- Other Google products (Workspace, Cloud) can be BAA-covered, but that coverage does NOT extend to Analytics.
- URL parameters and query strings can inadvertently carry PHI into Analytics; review tracking carefully.
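The last caveat is the one most easily addressed in code. Below is an added example (not from Google or this page) of a client-side scrub applied to the page URL before it is handed to an analytics tag: query parameters on an assumed denylist are dropped, any value that looks like an e-mail address is redacted, and the fragment is removed. The parameter names are constructed for illustration; build the denylist from your own site's tag audit.

```javascript
// Added example: scrub a page URL before it reaches an analytics tag.
// SENSITIVE_PARAMS is an assumed, constructed denylist; replace it with the
// parameter names found in your own audit of authenticated/healthcare pages.
const SENSITIVE_PARAMS = new Set([
  "patient_id", "mrn", "email", "name", "dob", "diagnosis",
]);
// Loose e-mail shape: enough to catch addresses passed as query values.
const EMAIL_RE = /[^\s@/]+@[^\s@/]+\.[^\s@/]+/;

// Returns a copy of rawUrl with denylisted parameters removed, e-mail-like
// values replaced by "redacted", and the fragment dropped.
function sanitizeAnalyticsUrl(rawUrl) {
  const url = new URL(rawUrl);
  // Snapshot the entries first: mutating searchParams while iterating it
  // live would skip elements.
  for (const [key, value] of Array.from(url.searchParams.entries())) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.delete(key);
    } else if (EMAIL_RE.test(value)) {
      url.searchParams.set(key, "redacted");
    }
  }
  url.hash = ""; // fragments can carry tokens or app state; never send them
  return url.toString();
}

// Audit helper: names of parameters that would be removed or redacted.
// Run it over a sample of real page URLs when reviewing existing tags for
// leakage before any data is sent.
function findLeakingParams(rawUrl) {
  const url = new URL(rawUrl);
  const hits = [];
  for (const [key, value] of url.searchParams.entries()) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      hits.push(key);
    }
  }
  return hits;
}

// Typical wiring in a browser (gtag is the analytics tag's global, assumed):
// gtag("config", "G-XXXXXXX", {
//   page_location: sanitizeAnalyticsUrl(window.location.href),
// });
```

Scrubbing the URL only covers one channel; event parameters, user properties and custom dimensions need the same review, and none of this makes a non-BAA service acceptable for pages where PHI is present.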
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even where a vendor does sign a BAA, you remain responsible for configuring the product correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Google Analytics.
Frequently asked questions
Does Google Analytics sign a BAA?
No. Google Analytics does not sign a Business Associate Agreement, so it should not be used to create, receive, store, or transmit protected health information (PHI).
Is Google Analytics HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when a vendor offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Google Analytics with PHI?
Start with Google's own documentation: it says Google makes no representation that Analytics meets HIPAA requirements and that it will not sign a BAA for it, so Analytics should not be used with PHI at all.