Skip to main content
Article

Is Google Tag Manager HIPAA Compliant? The Verdict for Healthcare Websites

No, Google Tag Manager is not HIPAA compliant on its own. Google does not sign a Business Associate Agreement (BAA) for Tag Manager, and without a BAA the tool cannot be used in any configuration where it processes, transmits, or stores protected health information (PHI). Because GTM's standard client-side container runs JavaScript directly in the visitor's browser, it can collect and forward data elements (IP addresses, page URLs containing condition names, form field values) that qualify as PHI under HHS guidance. As of July 2026, no amount of tag configuration alone makes GTM compliant; compliance requires an architectural change to how data flows from the browser to Google's servers. The question "is google tag manager hipaa compliant" therefore has a conditional answer: the container technology itself is not covered by a BAA, but a carefully architected server-side deployment can reduce risk to an acceptable level if paired with a compliant intermediary.

TL;DR

  • Google will not sign a BAA for Google Tag Manager; using it in a default client-side configuration on a healthcare website that handles PHI violates HIPAA.
  • HHS OCR's December 2022 bulletin (updated June 2024) treats tag managers, pixels, and SDKs identically: if they can access individually identifiable health information, you need a BAA and patient authorization or an applicable exception.
  • A GTM server-side container hosted in your own cloud environment can strip PHI before data reaches Google, but you must control the server, sign a BAA with the hosting provider, and validate every tag fires only de-identified data.
  • Client-side GTM on pages that reveal health conditions (appointment schedulers, symptom checkers, provider directories filtered by specialty) is the highest-risk pattern regulators have targeted.
  • Alternatives exist: purpose-built HIPAA-compliant analytics platforms that sign BAAs and handle PHI stripping automatically before sending conversion data downstream.

What Google Tag Manager Actually Does With Visitor Data

Google Tag Manager is a container that loads and executes JavaScript tags in the end user's browser (client-side mode) or on a server you control (server-side mode). In client-side mode, GTM itself does not permanently store data on Google's infrastructure in the way Google Analytics does; it acts as a conduit. However, that conduit has direct access to the full Document Object Model (DOM), cookies, URL parameters, and any data layer values you push. Every tag inside the container (Google Ads conversion tags, Meta Pixels, analytics libraries, heatmap scripts) inherits that same access. The compliance problem is threefold:

  • GTM's built-in variables can capture page paths that contain health information (e.g., /schedule/oncology, /conditions/hiv-testing).
  • Third-party tags loaded through GTM fire network requests from the user's browser directly to external ad platforms, each of which receives the user's IP address and often a client ID or click ID.
  • Google's own documentation states that Tag Manager may process certain data to deliver container configurations, and Google does not classify this processing under its HIPAA-covered services.

In short, even though GTM is "just a tag manager," its position in the data pipeline gives it (and every tag it loads) unrestricted access to data that HHS considers PHI on healthcare websites.

BAA Availability: The Core Blocker

Google offers BAAs for a defined set of services under its Google Cloud and Google Workspace agreements. As of mid-2026, the services covered by a Google Cloud BAA include Cloud Storage, BigQuery, Compute Engine, and others listed in Google's "HIPAA Covered Services" page. Google Tag Manager, Google Ads, and Google Analytics 4 are explicitly not on that list. Google's own support documentation confirms that "Google Ads and related measurement products are not designed for use with PHI." Without a signed BAA, any disclosure of PHI to Google through Tag Manager constitutes an impermissible disclosure under the HIPAA Privacy Rule (45 CFR 164.502) and a breach under the Breach Notification Rule (45 CFR 164.400-414). This is the single most important legal fact healthcare marketers need to know about GTM.

What HHS OCR Guidance Says About Tracking Technologies

In December 2022, HHS OCR published a bulletin titled "Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates." The bulletin was updated in March 2024 and again clarified through FAQ guidance in June 2024. Its key holdings apply directly to GTM:

  • Regulated entities may not use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.
  • IP addresses combined with a visit to a health-condition-specific page constitute PHI because they are individually identifiable health information.
  • The bulletin does not distinguish between a tag manager, a pixel, or an SDK; all are "tracking technologies" subject to the same rules.
  • Authentication status matters: on authenticated (patient-portal) pages, virtually all tracking data is PHI. On unauthenticated pages, data is PHI if it relates to an individual's health condition, treatment, or payment.

The practical effect for google tag manager healthcare deployments: if your site has pages where the URL, page title, or data layer reveals a health condition, and GTM loads tags that send requests to non-BAA-covered vendors, you are disclosing PHI without authorization.

Configurations That Are Unsafe

Client-side GTM on authenticated patient portals

Any GTM container running inside an EHR patient portal, appointment scheduler behind login, or billing page. This is the most clearly impermissible pattern because the user is identified and the context is clinical or financial.

Client-side GTM on condition-specific landing pages

A cardiology practice running Google Ads to pages like /services/heart-failure-treatment with a GTM container that fires a Google Ads conversion tag. The conversion tag sends the user's IP, Google Click ID (gclid), and the page URL to Google, effectively telling Google that this individual is seeking heart failure treatment.

Client-side GTM with data layer events that expose diagnosis or treatment

Pushing events like "appointment_booked" with parameters such as "service: substance_abuse_counseling" into the data layer where any tag in the container can read them.

Configurations That Can Be Made Safer

A GTM server-side container, hosted on infrastructure you control (Google Cloud Run, AWS, or another HIPAA-eligible environment with a signed BAA), can act as a proxy between the browser and downstream vendors. In this architecture, the browser sends a single request to your first-party server endpoint. The server-side container then processes, filters, and forwards only de-identified data to Google Ads, GA4, or Meta. When implemented correctly, this pattern prevents PHI from reaching non-BAA-covered services. For detailed implementation steps, see GTM Server-Side Container for Healthcare: HIPAA-Compliant Tag Manager Setup and the companion GTM Server-Side Container for Healthcare: HIPAA-Compliant Tag Manager Setup Guide.

However, "safer" does not mean "automatically compliant." You must still:

  • Ensure the hosting environment is covered by a BAA.
  • Strip or hash all identifiers (IP addresses, email addresses, names) before forwarding to Google.
  • Remove URL path segments and query parameters that reveal health information.
  • Audit every tag in the server container to confirm no tag re-introduces PHI into outbound requests.
  • Maintain documentation of your data flow and risk assessment under the HIPAA Security Rule.

Safe-Use Checklist for GTM in Healthcare

Architecture

  • Deploy GTM in server-side mode only; never allow client-side tags to fire on pages that could expose PHI.
  • Host the server-side container on infrastructure covered by a signed BAA (e.g., Google Cloud with a Cloud BAA, or AWS with a BAA in place).
  • Route all browser hits through a first-party subdomain to your server-side endpoint.

Data Handling

  • Strip or truncate IP addresses before any data leaves your server.
  • Remove or generalize URL paths (e.g., map /services/hiv-testing to /services/general).
  • Never forward raw form-field data, appointment details, or insurance information downstream.
  • Hash any user identifiers (email, phone) using SHA-256 before sending to ad platforms for conversion matching.

Governance

  • Conduct a HIPAA Security Rule risk assessment that explicitly covers your tag management architecture.
  • Maintain an inventory of every tag deployed in the container, its vendor, and whether a BAA is in place with that vendor.
  • Assign a named owner responsible for approving new tags; no marketing team member should be able to publish a tag without compliance review.
  • Log and audit server-side container request/response payloads periodically to verify no PHI leakage.

Legal

  • Confirm you have a BAA with your server hosting provider.
  • Document that Google's BAA does not cover Tag Manager, Google Ads, or GA4; your architecture must prevent PHI from reaching those services.
  • Review state-specific laws. Washington's My Health My Data Act (MHMDA) and other state consumer health data statutes impose additional consent and data-handling obligations beyond HIPAA.
  • Ensure your Notice of Privacy Practices and website privacy policy accurately describe your tracking practices.

Related Compliance Considerations

GTM is rarely used in isolation. If you fire Google Analytics 4 tags through GTM, GA4 itself is also not covered by a BAA. See Is Google Analytics 4 HIPAA Compliant? No -- Here Are 3 Alternatives That Are for a full breakdown. If you use GTM to manage Google Ads remarketing or conversion tags, be aware that audience-building strategies must also be PHI-safe; Custom Intent Audiences for Healthcare: Building HIPAA-Compliant Google Ads Targeting covers compliant targeting approaches that do not rely on health-condition page visits as signals.

Compliant Alternatives

Healthcare organizations that find the server-side GTM architecture too complex or too risky to maintain have several alternatives:

  • Purpose-built HIPAA-compliant analytics and tracking platforms that sign BAAs, process PHI server-side, strip or tokenize identifiers automatically, and deliver clean conversion data to Google Ads, Meta, and Microsoft without exposing PHI. These platforms replace both GTM and GA4 in one layer.
  • First-party data pipelines built on cloud data warehouses (BigQuery, Snowflake) with custom ETL jobs that de-identify data before loading it into ad platforms via offline conversion imports. This approach is powerful but requires engineering resources.
  • Consent-gated client-side tagging (suppressing all tags unless a user provides affirmative, HIPAA-compliant authorization). This is legally defensible but dramatically reduces data volume, harming campaign optimization.

If you are evaluating a migration away from client-side GTM, Curve Migration From Google Tag Manager: Healthcare 30-Day Switch Plan walks through the process of transitioning your conversion tracking, analytics, and event collection to a compliant architecture in 30 days.

Enforcement and Real-World Consequences

The wave of hospital pixel litigation from 2022 through 2024 demonstrated that plaintiffs' attorneys and regulators treat impermissible disclosures through tracking pixels and tag managers as actionable HIPAA violations and state-law privacy violations. The FTC's settlements with BetterHelp, GoodRx, and Cerebral each involved tracking technologies (including tag-manager-deployed pixels) sharing health information with advertising platforms without adequate authorization. OCR has publicly stated it is investigating regulated entities for tracking-technology violations. The financial exposure includes OCR civil monetary penalties (up to $2,067,813 per violation category per year, adjusted for inflation), FTC enforcement under the Health Breach Notification Rule, state attorney general actions, and class-action settlements that have reached eight figures in aggregate across the healthcare sector.

A Practical Path Forward

For healthcare marketers who need conversion tracking, campaign attribution, and site analytics without the compliance burden of maintaining a custom server-side GTM infrastructure, Curve offers a HIPAA-compliant tracking and analytics platform purpose-built for the problem. Curve signs a BAA, processes data server-side, strips PHI before sending conversion events to Google, Meta, and Microsoft, and provides session replay, form analytics, and attribution reporting in a single platform. If your team is spending more time auditing tag containers than optimizing campaigns, it may be worth evaluating a dedicated solution.

Frequently Asked Questions

Can I use Google Tag Manager on my healthcare website if I only track non-health pages like the homepage or blog?

Potentially, but with significant caveats. If a page does not reveal any health condition, treatment, or provider relationship, the data collected may not constitute PHI. However, HHS OCR has noted that even a visit to a hospital's website can imply a healthcare relationship. The safest approach is to use server-side tagging and strip IP addresses regardless of page type, because risk assessment is page-by-page and easily breaks when new content is published.

Does Google's BAA for Google Cloud cover Tag Manager if I host a server-side container on Cloud Run?

No. Google's Cloud BAA covers the Cloud Run infrastructure itself, meaning Google will protect data at rest and in transit on that infrastructure. However, the BAA does not extend to the GTM server-side container software or to any downstream Google service (Google Ads, GA4) that receives data from the container. You are responsible for ensuring no PHI leaves your Cloud Run instance and reaches a non-covered service.

Is GTM HIPAA compliant if I turn on IP anonymization in Google Analytics tags?

No. IP anonymization in GA4 (which now truncates by default) does not address the full scope of PHI. Page URLs, click IDs, client IDs, and user-provided data in forms can all constitute PHI independent of the IP address. Additionally, the truncated IP still reaches Google's servers before anonymization is applied in many configurations, which itself may be an impermissible disclosure. IP anonymization alone is not sufficient.

What is the difference between client-side and server-side GTM for HIPAA purposes?

Client-side GTM runs JavaScript in the user's browser and sends data directly from the browser to third-party vendors like Google or Meta. You have no opportunity to intercept and scrub PHI before it leaves. Server-side GTM runs on a server you control; the browser sends data only to your server, and your server decides what (if anything) to forward downstream. This intermediary step is what makes PHI stripping possible, though it must be configured correctly to be effective.

If I get patient consent, can I use client-side GTM freely?

HIPAA authorization and website cookie consent are not the same thing. A valid HIPAA authorization under 45 CFR 164.508 requires specific elements (description of information, who will receive it, expiration, right to revoke) that a typical cookie banner does not satisfy. Even with valid authorization, you must still comply with the minimum necessary standard and your own Notice of Privacy Practices. Relying on consent alone without architectural safeguards is legally fragile and has not protected organizations in recent enforcement actions.

Are there any tag managers that are HIPAA compliant out of the box?

No tag manager is compliant purely "out of the box" because compliance depends on configuration, data flows, and legal agreements, not just the software. However, some healthcare-focused platforms combine tag management, analytics, and PHI-stripping into a single product with a signed BAA, removing the need to maintain a separate tag manager. Confirm current BAA availability and scope directly with any vendor you evaluate.

Stay Compliant. Scale Confidently.

Join healthcare innovators who trust Curve for HIPAA-compliant ad tracking.Launch in hours, not months. Your growth stack, now HIPAA-safe.