Is Google Tag Manager HIPAA compliant?


Google Tag Manager is a tool that many use to simplify the process of managing various tracking codes and tags on websites. However, healthcare organizations that handle protected health information (PHI) must ensure that the tools they use are HIPAA compliant. This article evaluates whether Google Tag Manager is HIPAA compliant. 

 

What is Google Tag Manager?

Google Tag Manager (GTM) is a tool that allows marketers and website administrators to manage and deploy tracking tags on websites without requiring direct code modification. Instead of manually inserting individual tags into the website code, Google Tag Manager provides a centralized interface where users can add, modify, and control various tags, including analytics tracking codes, conversion tracking pixels, and marketing tags. 


 

What data does Google Tag Manager track?

According to Google, "Google Tag Manager may collect some aggregated data about tag firing. This data does not include user IP addresses or any measurement identifiers associated with a particular individual. Other than data in standard HTTP request logs, all of which is deleted within 14 days of being received, and diagnostics data noted above, Google Tag Manager does not collect, retain, or share any information about visitors to our customers' properties, including page URLs visited."

 

Does the use of Google Tag Manager need to be HIPAA compliant?

Google Tag Manager is designed to inject tracking code like Google Analytics into a website. Google Tag Manager could better be considered a vehicle to deploy other services that, in turn, handle PHI. Therefore, if used with HIPAA compliant tracking tools, the use of GTM may be HIPAA compliant.

However, Google states, "Customers must refrain from using Google Analytics in any way that may create obligations under HIPAA for Google. HIPAA-regulated entities using Google Analytics must refrain from exposing to Google any data that may be considered Protected Health Information (PHI), even if not expressly described as PII in Google's contracts and policies. Google makes no representations that Google Analytics satisfies HIPAA requirements and does not offer Business Associate Agreements in connection with this service."

While using code injectors like Google Tag Manager isn't directly prohibited under HIPAA, the code that is added by GTM is required to be HIPAA compliant.

 

Business associate agreement (BAA) provisions

According to HIPAA, a business associate is an entity or individual that performs certain functions or activities on behalf of a covered entity, typically involving access to PHI. As the provider of GTM, Google would be considered a business associate if it handles PHI on behalf of a covered entity.

A business associate agreement (BAA) is a legal contract between a covered entity and a business associate. It establishes the responsibilities and obligations of the business associate regarding the handling and protection of PHI. A BAA is necessary to ensure that both parties comply with HIPAA regulations and implement appropriate security measures when PHI is involved.

 

Is Google Tag Manager covered by Google's BAA?

Google Cloud Platform and Google Workspace offer HIPAA compliant products, and Google provides a BAA for these specific product suites. However, Google Tag Manager is not on the list of HIPAA compliant services offered by Google.

 

Is Google Tag Manager HIPAA Compliant?

While GTM offers security features and Google provides a BAA for certain Google products, the HIPAA compliance status of GTM itself is not explicitly stated by Google. Google Tag Manager is not listed with the services that Google's BAA provisions cover. Therefore, the use of Google Tag Manager may not be HIPAA compliant if used to deploy Google Analytics. 
