Date

Share this post

Is GA4 a HIPAA risk? Liz Griffin, Piano's Global SVP Sales, answers

Most healthcare organizations run Google Analytics. Free, familiar, and nobody ever questioned it. But what GA4 actually collects – and where it goes – is a compliance problem that's already cost the industry $144M in fines.

What does GA4 actually collect?

Every visit to your site, GA4 captures URLs, IP addresses, and device data, and sends it to Google's servers. In healthcare, that's not just web traffic. When someone visits /mental-health-intake and fills out an appointment form, that combination identifies them and why they came – and you have no say in what Google does with it next.

Does GA4 comply with HIPAA?

HIPAA requires any vendor touching Protected Health Information to sign a Business Associate Agreement. Google won't sign one for GA4. Their own documentation says so. No configuration changes that.

HIPAA tracking violations: $144M and counting

Advocate Aurora Health paid $12.25M. Mass General Brigham settled for $18.4M. GoodRx paid $25M. All for sharing patient data with third-party tracking tools without consent. The FTC and HHS jointly wrote to 130 major hospitals naming Google Analytics and Meta pixels directly. OCR fines rose 37% in 2024, and US providers have paid over $144M in total – more than $100M from tracking pixels alone.

What should healthcare organizations do next?

If you're using GA4 on a healthcare site, you're exposed to fines, federal investigation, and public settlements. To find out where you stand, we put together a compliance checklist and a list of vendors who sign BAAs.

Sources

  1. Google Analytics Help – GA4 data collection and HIPAA policy: support.google.com/analytics/answer/13297105

  2. HHS OCR bulletin on tracking technologies, December 2022, updated June 2024: hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking

  3. Foley & Lardner legal analysis of HHS 2024 update: foley.com/insights/publications/2024/03/hhs-updates-pixels-and-trackers-guidance-for-hipaa-regulated-entities

  4. HIPAA Journal – Advocate Aurora Health $12.25M settlement: hipaajournal.com/advocate-aurora-health-settles-pixel-lawsuit-for-12-25-million

  5. HIPAA Journal – Mass General Brigham $18.4M settlement: hipaajournal.com/mass-general-brigham-settles-cookies-without-consent-lawsuit-for-18-4-million

  6. HIPAA Journal – GoodRx $25M settlement: hipaajournal.com/goodrx-25-million-settlement-tracking-technology-lawsuit

  7. FTC/HHS joint letter to 130 hospitals, July 20, 2023: ftc.gov/news-events/news/press-releases/2023/07/ftc-hhs-warn-hospital-systems-telehealth-providers-about-privacy-security-risks-online-tracking

  8. Pixel tracking violations cost US healthcare $100M+: feroot.com/blog/pixel-tracking-violations-us-healthcare-100m

  9. Clark Hill legal analysis – HHS bulletin court ruling: clarkhill.com/news-events/news/ocr-bulletin-on-online-tracking-technologies-declared-unlawful-what-covered-entities-and-business-associates-need-to-know-about-the-aha-lawsuit

  10. Quarles law firm – HHS guidance vacated: quarles.com/newsroom/publications/hhs-tracking-technology-guidance-vacated-by-federal-court

Date

Tags

Share this post

Date

Tags

Share this post