If you do any work associated with websites or marketing in the healthcare industry, you’ve likely heard about the bulletin released in December 2022 by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), which addressed the use of tracking technologies on websites that require HIPAA compliance.

This new guidance makes it clear that using healthcare marketing tracking technologies (such as Google Analytics or the Meta Pixel) on a healthcare website constitutes a HIPAA violation due to their collection of protected health information (PHI).

This has caused a good deal of chaos for healthcare entities trying to collect data in a HIPAA-compliant way, as some methods previously thought to be acceptable would be in violation under this interpretation. It’s left many marketers and website owners confused and wondering: Is there such a thing as HIPAA-compliant website analytics?

To answer that question, let’s first look at an overview of the guidelines and where the major HIPAA concerns lie.

DISCLAIMER: This post is purely informational and is not legal advice. Always consult your company’s legal counsel first before making any decisions or changes.

The current state of the OCR guidance

It’s worth noting that this guidance is not a new law but rather a clarification of how the OCR is interpreting HIPAA compliance as related to tracking technologies.

Furthermore, tracking user data on healthcare websites is not prohibited completely by this guidance, but PHI can only be shared with third parties when there is an appropriate Business Associate Agreement (BAA) in place.

In July 2023, the seriousness of the matter was further highlighted when the OCR, along with the Federal Trade Commission (FTC), sent a letter to ~130 healthcare entities using tracking technologies on their websites highlighting the potential HIPAA issues and encouraging action to remediate them.

However, not everyone agrees with the OCR guidance. Specifically, one of the more contentious points is the fact that IP addresses are included in the definition of PHI, which some entities feel is too strict. There has been at least one major lawsuit from the American Hospital Association pushing back against this interpretation of HIPAA compliance.

Overall, these guidelines are likely to be further defined and revised in the near future as these legal battles play out and technologies change. In the meantime, it’s important to be aware of what options you have for your healthcare website when it comes to HIPAA-compliant website analytics.

Options for HIPAA-compliant website analytics

In order to comply with the latest guidelines, here are some approaches you can take to handle website analytics on your healthcare website.


Remove analytics completely.

This is the least ideal solution, but it is the quickest way to deal with the issue. For some healthcare entities, this might be the best temporary step while assessing other options.

However, this is a major decision that typically has numerous business implications so it should not be made lightly or without legal consultation.


Switch to a compliant analytics tool.

If you’re a service like Google Analytics that will not sign a BAA, you could consider switching to a different tool where that option exists. There are platforms out there that tout HIPAA-compliant website analytics. For example, Piwik Pro offers a HIPAA-compliant data tracking solution.

Switching services when you have established reporting processes can be a large undertaking. Make sure to do the proper research to confirm compliance with a new tool as well as what data it can provide before making that investment.


Host data on your own server with a BAA.

There are also platforms available that let you host your own analytics data, such as Matomo. This would typically require a BAA to be in place with your hosting provider and anyone else who might have access to the data but prevents the need to send PHI to a third-party service.


Use an intermediary tool to manage data sent to third-parties.

One way to achieve HIPAA-compliant website analytics is to use a HIPAA-compliant third-party service to collect data, then only send non-PHI to platforms like Google Analytics.

For example, Freshpaint is a HIPAA-compliant platform that will manage the collection of analytical data and then only send what you deem acceptable to other non-compliant third-party platforms. This allows you to continue to use the tools you prefer with minimal change to any existing processes.

The downside of this approach is that these data collection platforms often come with a hefty price tag. Depending on your budget, this might not be the most viable option.

Where to go from here

Understanding the guidance and options for HIPAA-compliant website analytics is only one part of the equation. Keeping your website HIPAA compliant is an ongoing process. Here are some steps to get you on the right path.

  • Get the right people up to speed with what your website is tracking. It’s not uncommon within a healthcare organization for only a small number of people to be aware of what tracking technologies are implemented on a website. However, those aren’t always the same people who are well-versed in HIPAA requirements. It’s important to bridge that gap so that everyone is on the same page with what data is being collected.
  • Consult with your legal team to make a plan. A lot of decisions about website analytics come down to mitigating risk. Your legal team is the best resource to weigh in on any gray areas and what is and isn’t acceptable when it comes to collecting user data.
  • Educate team members dealing with website analytics. Once you’ve defined any limitations around tracking technologies, make sure your team understands those rules. Define a process for adding new technologies or tracking codes to your website to ensure they go through the proper review process for HIPAA compliance.
  • Keep up with changes in guidelines. As the OCR bulletin shows, updated guidelines can bring commonly used technologies and marketing practices into question practically overnight. Stay up-to-date with the latest news to get ahead of any changing recommendations.

Let the experts help

The TBH Creative team has the expertise to help guide you in the right direction when it comes to the current state of website analytics. We stay up-to-date on the latest trends and best practices so we can keep you in the know.

Contact us today if you’re looking for a reliable partner to help you navigate the ins and outs of healthcare marketing.