Google Analytics is a powerful tool for optimizing websites and campaigns. Tracking user behavior helps assess campaign performance, traffic sources, user journeys, lead generation, and overall trends across the site.

However, when it comes to healthcare, it’s crucial to ensure no sensitive data or Protected Health Information (PHI) is being captured on the website. Our recommendation? Err on the side of caution.

Here are five steps to prevent tracking PHI:

1. Ensure Your Analytics Tools Are HIPAA Compliant

Verify that all analytics platforms you use comply with HIPAA regulations. Since Google Analytics is not HIPAA-compliant by default, it is crucial to implement specific configurations to ensure your account remains compliant.

2. Implement Specific Configurations to Maintain Compliance

Proper configuration is key. Adjust settings and configurations in all platforms and integrations to ensure that no PHI is inadvertently captured.

3. Regularly Audit Tracking Setup

It’s a good practice to conduct routine audits throughout the year to make sure your analytics, tag manager, or any other tools being used are not tracking any PHI. These platforms are constantly evolving, and staying proactive is an essential step toward compliance.

4. Exclude Tracking Beyond a Page View or a “Start” Button Click on Important Pages That Include Application Processes

On pages that include sensitive processes — such as enrollment, application forms, or patient portals — limit tracking to initial engagements only. Avoid tracking any user interactions beyond the page load or start button click.

5. If You Have Contact Forms, Only Track the Action Itself, Not the Data Entered

Do not track the information entered into contact forms. Instead, implement thank-you landing pages to track conversions without collecting sensitive data.
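The allow-list approach behind steps 3 to 5, as an added example that is not code from the original post: the form-submit and thank-you events carry only an event name, a form identifier and a query-stripped path, and a guard refuses to send anything with an unexpected key or a value that looks like an e-mail, phone number or SSN. The `send` transport is a hypothetical stand-in for a gtag-style call.

```javascript
// Added example: allow-listed analytics events for a healthcare site.
// `send` below is a hypothetical transport (e.g. a gtag wrapper), not part of the post.

// Only these keys may ever leave the browser in an analytics event.
const ALLOWED_KEYS = new Set(['event', 'form_id', 'page_path']);

// Last-line guard: values shaped like common identifiers are never sent.
const PHI_LIKE = [
  /@/,                                   // e-mail addresses
  /\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b/,   // phone numbers
  /\b\d{3}-\d{2}-\d{4}\b/,               // SSN-shaped values
];

// Strip query string and fragment so prefilled parameters (?email=...) are
// never reported as part of the page path.
function scrubPath(url) {
  return new URL(url, 'https://example.invalid').pathname;
}

// Step 5: report that a form was submitted, never what was typed into it.
function buildFormEvent(formId, pageUrl) {
  return { event: 'form_submit', form_id: formId, page_path: scrubPath(pageUrl) };
}

// Step 5: the conversion is recorded on the thank-you landing page instead.
function buildThankYouEvent(pageUrl) {
  return { event: 'conversion', page_path: scrubPath(pageUrl) };
}

// Step 3 audit check: every key allow-listed, every value a string with no PHI-like shape.
function isSafeToSend(evt) {
  for (const [key, value] of Object.entries(evt)) {
    if (!ALLOWED_KEYS.has(key)) return false;
    if (typeof value !== 'string') return false;
    if (PHI_LIKE.some((re) => re.test(value))) return false;
  }
  return true;
}

// Send only when the guard passes; returns whether the event was sent.
function trackEvent(evt, send) {
  if (!isSafeToSend(evt)) return false;
  send(evt);
  return true;
}
```

Wire `trackEvent` behind the form's submit handler and the thank-you page load; the guard is what keeps a later tag change from silently adding field values to the payload.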