Is GA4 a HIPAA risk? Liz Griffin, Piano's Global SVP Sales, answers
Most healthcare organizations run Google Analytics. Free, familiar, and nobody ever questioned it. But what GA4 actually collects – and where it goes – is a compliance problem that's already cost the industry $144M in fines.
What does GA4 actually collect?
Every visit to your site, GA4 captures URLs, IP addresses, and device data, and sends it to Google's servers. In healthcare, that's not just web traffic. When someone visits /mental-health-intake and fills out an appointment form, that combination identifies them and why they came – and you have no say in what Google does with it next.
Does GA4 comply with HIPAA?
HIPAA requires any vendor touching Protected Health Information to sign a Business Associate Agreement. Google won't sign one for GA4. Their own documentation says so. No configuration changes that.
HIPAA tracking violations: $144M and counting
Advocate Aurora Health paid $12.25M. Mass General Brigham settled for $18.4M. GoodRx paid $25M. All for sharing patient data with third-party tracking tools without consent. The FTC and HHS jointly wrote to 130 major hospitals naming Google Analytics and Meta pixels directly. OCR confirmed 22 enforcement actions in 2024, one of its busiest enforcement years on record, and US providers have paid over $144M in total – more than $100M from tracking pixels alone.
What should healthcare organizations do next?
If you're using GA4 on a healthcare site, you're exposed to fines, federal investigation, and public settlements. To find out where you stand, we put together a compliance checklist and a list of vendors who sign BAAs.
Sources
Google Analytics Help – GA4 data collection and HIPAA policy: support.google.com/analytics/answer/13297105
HHS OCR bulletin on tracking technologies, December 2022, updated June 2024: hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking
Foley & Lardner legal analysis of HHS 2024 update: foley.com/insights/publications/2024/03/hhs-updates-pixels-and-trackers-guidance-for-hipaa-regulated-entities
HIPAA Journal – Advocate Aurora Health $12.25M settlement: hipaajournal.com/advocate-aurora-health-settles-pixel-lawsuit-for-12-25-million
HIPAA Journal – Mass General Brigham $18.4M settlement: hipaajournal.com/mass-general-brigham-settles-cookies-without-consent-lawsuit-for-18-4-million
HIPAA Journal – GoodRx $25M settlement: hipaajournal.com/goodrx-25-million-settlement-tracking-technology-lawsuit
FTC/HHS joint letter to 130 hospitals, July 20, 2023: ftc.gov/news-events/news/press-releases/2023/07/ftc-hhs-warn-hospital-systems-telehealth-providers-about-privacy-security-risks-online-tracking
Pixel tracking violations cost US healthcare $100M+: feroot.com/blog/pixel-tracking-violations-us-healthcare-100m
Clark Hill legal analysis – HHS bulletin court ruling: clarkhill.com/news-events/news/ocr-bulletin-on-online-tracking-technologies-declared-unlawful-what-covered-entities-and-business-associates-need-to-know-about-the-aha-lawsuit
Quarles law firm – HHS guidance vacated: quarles.com/newsroom/publications/hhs-tracking-technology-guidance-vacated-by-federal-court
OCR's own report to Congress: hipaajournal.com/ocr-reports-congress-hipaa-compliance-data-breaches-2024

