Comment by reaperducer

3 years ago

The last time I checked, the Google Analytics' Terms of Service explicitly prohibited its use on web sites involving healthcare companies.

That gives you an indication of how invasive it is — that even Google doesn't want to handle the personal information, because it can't be made HIPAA-safe.

Naturally, the majority of healthcare web sites use Google Analytics, because nobody ever reads the Terms of Service.

> The last time I checked, the Google Analytics' Terms of Service explicitly prohibited its use on web sites involving healthcare companies.

You're missing a key part of the sentence you're remembering:

> If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.

Healthcare companies can absolutely use GA on their websites as long as the website doesn't involve PHI or ePHI.