If you’ve spent any time researching HIPAA-compliant marketing for therapists, you’ve probably come across conflicting advice about Google Analytics.
One article says it’s perfectly fine, while another says you should remove it immediately.
Some website developers install it on every therapist website without a second thought. Others refuse to use it under any circumstances. So… who’s right? Let’s dive in.
The Facts at a Glance
- Google Analytics is not marketed as a HIPAA-compliant product, and Google does not offer a Business Associate Agreement (BAA) for Google Analytics.
- Google instructs users not to send Protected Health Information (PHI) to Google Analytics.
- The biggest gray area is determining what qualifies as Protected Health Information and when anonymous website data could become PHI under HIPAA.
- Some HIPAA attorneys and compliance professionals recommend avoiding Google Analytics altogether, while others believe it can be used in certain situations if it is carefully configured and does not collect or transmit PHI.
- There is currently no universal legal consensus on whether Google Analytics can be used on a therapist website in a HIPAA-compliant manner.
As you can see, this isn’t a simple yes-or-no question. Let’s take a closer look at why Google Analytics has become one of the most debated marketing tools in healthcare.
Disclaimer: I’m not an attorney, and this article should not be considered legal advice. Its purpose is to help you better understand the conversation surrounding Google Analytics and HIPAA so you can make informed decisions with your legal counsel.
Defining a “Therapist Website”
The research done for this article specifically relates to a therapist’s public marketing website. That includes the pages prospective clients can freely access, such as your homepage, about page, service pages, blog, and contact page.
I’m not referring to systems like electronic health records (EHRs), client portals, secure messaging platforms, telehealth software, or electronic intake forms. Those technologies have very different HIPAA requirements and raise a separate set of privacy and security considerations.
By narrowing our focus to public therapist websites, we can have a much clearer conversation about whether Google Analytics belongs there and why the answer isn’t as straightforward as many people assume.
How Google Analytics Collects Information
Before we talk about whether Google Analytics is HIPAA compliant, it helps to understand how it works.
Google Analytics is designed to measure anonymous website traffic, not identify individual visitors. Google also instructs users not to send Protected Health Information (PHI) to Google Analytics.
When someone visits your therapist website, Google Analytics collects information about that visit using browser information, IP addresses, and a small browser cookie that helps recognize returning visitors. The goal is to help website owners understand how people use their website by answering questions like:
- How many people visited my website?
- Which pages are the most popular?
- How did visitors find my website?
- How long did they stay?
The important thing to understand is that Google Analytics was never designed specifically for healthcare. It’s a general website analytics platform used by millions of businesses.
The HIPAA debate isn’t about what Google Analytics was intended to do. It’s about whether the information it collects on a therapist’s website could, in certain situations, qualify as Protected Health Information.
Where Does the HIPAA Concern Come From?
Most therapists think of PHI as therapy notes, diagnoses, or treatment plans. Those certainly qualify. But HIPAA also protects health-related information that can be connected to an identifiable person. This is where the debate begins.
Imagine someone visits these pages on your website:
- Anxiety Therapy
- EMDR Therapy
- Trauma Counseling
- Schedule a Consultation
Google Analytics may record those page visits along with technical information such as an IP address, a browser cookie that recognizes a returning visitor, and the date and time of the visit.
Some privacy attorneys argue that, taken together, those data points could identify someone who is seeking mental health treatment. If so, they may qualify as Protected Health Information under HIPAA.
Others disagree. They believe the information remains anonymous because it does not identify a specific individual.
That difference in interpretation is why Google Analytics has become such a controversial topic for therapist websites.
Why Attorneys Disagree
Different attorneys often reach different conclusions about whether Google Analytics can be used on a therapist’s website.
That isn’t because one group understands HIPAA and the other doesn’t. It’s because the law doesn’t provide a simple, black-and-white answer for every situation involving website analytics.
The U.S. Department of Health and Human Services (HHS) has issued guidance explaining that HIPAA may apply when online tracking technologies collect or disclose Protected Health Information (PHI). However, the challenge is determining **when** information collected by a tool like Google Analytics actually becomes PHI. (HHS Guidance)
That’s where reasonable legal professionals begin to disagree.
Some attorneys take a more conservative approach. They point out that Google does not offer a Business Associate Agreement (BAA) for Google Analytics and argue that if there’s any possibility Google Analytics could receive Protected Health Information, it simply shouldn’t be used on a therapist’s website.
Other attorneys focus on how Google Analytics is configured. They argue that if it isn’t collecting or transmitting Protected Health Information, HIPAA may not be implicated in the first place. From that perspective, the key question isn’t whether Google Analytics exists on the website, but whether the information being shared actually qualifies as PHI. (Hall Render Analysis)
Adding to the complexity, the legal landscape has continued to evolve. In 2022, HHS issued guidance that many interpreted as taking a broad view of online tracking technologies. In 2024, a federal court ruled that HHS exceeded its authority in one important respect, vacating the portion of the guidance that treated the combination of an IP address and a visit to an unauthenticated public webpage as automatically creating Protected Health Information. Importantly, the court did **not** rule that Google Analytics is HIPAA compliant, nor did it eliminate HIPAA’s application to online tracking technologies altogether. (Arnold & Porter Summary)
That’s why you’ll find well-qualified attorneys reaching different conclusions.
They’re often starting from the same facts but applying different legal interpretations to an area of privacy law that is still evolving.
The Legal Argument for Using Google Analytics
Those who believe Google Analytics can be used appropriately on therapist websites generally make a few key points:
- A website visitor isn’t automatically a client or patient.
- Anonymous website traffic isn’t necessarily Protected Health Information.
- Google Analytics was designed to measure website performance, not collect health records.
- When carefully configured, Google Analytics may avoid collecting or transmitting PHI.
From this perspective, Google Analytics isn’t inherently a HIPAA problem. The focus is on making sure no Protected Health Information is shared with Google.
The Legal Argument Against Google Analytics
Others take a much more conservative approach.
Their concerns usually include:
- Google does not offer a Business Associate Agreement (BAA) for Google Analytics.
- Visitors to a therapist’s website may already be seeking mental health care.
- Combining technical information with visits to therapy-related pages could reveal health information.
- Because the legal landscape continues to evolve, it’s safer to avoid the risk altogether.
From this perspective, even if Google Analytics isn’t intended to identify people, there may still be situations where the information it collects could be considered Protected Health Information.
So… Is Google Analytics HIPAA Compliant for Therapist Websites?
If you’ve made it this far, you can probably guess my answer.
It depends.
I know that’s probably not the definitive yes-or-no answer you were hoping for, but I also think it’s the most honest one.
Google Analytics is not marketed as a HIPAA-compliant product. Google does not offer a Business Associate Agreement (BAA) for Google Analytics, and Google explicitly instructs users not to send Protected Health Information (PHI) to the platform.
At the same time, there is currently no law or court ruling that says simply installing Google Analytics on a therapist’s public website automatically violates HIPAA.
That’s why attorneys continue to disagree.
Frequently Asked Questions
Is Google Analytics itself HIPAA compliant?
Google does not market Google Analytics as a HIPAA-compliant service, and it does not offer a Business Associate Agreement (BAA) for Google Analytics.
Does Google Analytics collect PHI?
Not necessarily.
The debate centers on whether information collected from visitors to a therapist’s website could become Protected Health Information when combined with other identifiers.
Does a cookie banner make Google Analytics HIPAA compliant?
A cookie banner may help address certain privacy regulations, but it does not automatically resolve HIPAA compliance questions.
Should I remove Google Analytics from my therapist website?
That depends on your attorney’s guidance, your website configuration, and your comfort with the current legal landscape.
Does Google offer a Business Associate Agreement (BAA) for Google Analytics?
No. Google does not offer a Business Associate Agreement for Google Analytics. This is one of the primary reasons some attorneys and HIPAA compliance professionals recommend against using it on therapist websites. However, Google Workspace does offer a BAA, if you set it up correctly.
Do you use Google Analytics at Goodman Creatives?
I want to be transparent about something. At Goodman Creatives, we currently install Google Analytics on the therapist websites we build.
Why? Because I believe it’s one of the best tools available for understanding how a website is performing. It helps answer important questions like:
- Which pages are attracting the most visitors?
- Where is website traffic coming from?
- Which blog posts are resonating with people?
- Is the website improving over time?
That information helps us make better marketing decisions for our mental health SEO and marketing clients.
At the same time, I take the privacy concerns seriously. That’s why I think it’s important for every therapist to understand the debate rather than simply accepting someone’s opinion at face value.
Could the legal landscape change in the future?
Absolutely.
Privacy laws continue to evolve, and guidance around online tracking technologies has already changed over the past few years.
If that happens, I’ll adapt right along with it.
For now, my goal isn’t to tell you what decision to make.
My goal is to help you understand the facts, recognize that there are thoughtful professionals on both sides of this discussion, and encourage you to make an informed decision with the guidance of an attorney who understands HIPAA.
I think that’s a far better approach than pretending this is a settled issue when, quite honestly, it isn’t.