



Google Tag Manager is a tool used by many to simplify the process of managing various tracking codes and tags on a website. However, any healthcare organization that deals with Protected Health Information (PHI) must ensure that the tools it uses are compliant with HIPAA. This article evaluates whether Google Tag Manager is HIPAA compliant.

What is Google Tag Manager?

Google Tag Manager (GTM) is a tool that allows marketers and website administrators to manage and deploy tracking tags on their websites without directly modifying the site's code. Instead of manually inserting individual tags into the website code, users work in a centralized interface where they can add, modify and control tags such as analytics tracking code, conversion tracking pixels and marketing tags.

What data does Google Tag Manager track?

According to Google, “Google Tag Manager may collect some aggregated data about tag issuance. This data does not include user IP addresses or measurement identifiers associated with specific individuals. All data will be deleted except for data in standard HTTP request logs.” For 14 days after receiving the above diagnostic data, Google Tag Manager will retain information about visitors to customer properties, including the page URLs visited. We do not collect, retain or share

Do I need to be HIPAA compliant to use Google Tag Manager?

Google Tag Manager is designed to insert tracking codes like Google Analytics into your website. Google Tag Manager should be viewed as a vehicle for deploying other services that handle PHI. Therefore, the use of GTM may be HIPAA compliant when used in conjunction with HIPAA compliant tracking tools.

However, Google states, “Customer must refrain from using Google Analytics in any manner that may impose obligations on Google under HIPAA. Any HIPAA-regulated entity that uses Google Analytics must refrain from disclosing data to Google that may be considered Protected Health Information (PHI).” Google makes no representations that Google Analytics meets HIPAA requirements, even if Google’s contracts and policies do not explicitly list it as PII, and does not provide a business associate agreement related to this service.

While the use of code injectors such as Google Tag Manager is not directly prohibited by HIPAA, code added by GTM must be HIPAA compliant.

Business Associate Agreement (BAA) Clauses

According to HIPAA, a business associate is any entity or individual that performs a specified function or activity on behalf of a covered entity, which typically includes access to PHI. Google, as a provider of GTM, is considered a business associate when processing PHI on behalf of a covered entity.

A Business Associate Agreement (BAA) is a legal agreement between a covered entity and a business associate. It sets out the responsibilities and obligations of the business associate regarding the handling and protection of PHI. A BAA is required to ensure that both parties comply with HIPAA regulations and implement appropriate security measures when PHI is involved.

Is Google Tag Manager covered by Google’s BAA?

Google Cloud Platform and Google Workspace offer HIPAA-compliant products, and Google offers BAAs for these specific product suites. However, Google Tag Manager is not on the list of HIPAA compliant services provided by Google.

Is Google Tag Manager HIPAA compliant?

Although GTM provides security features and Google provides BAAs for certain Google products, the HIPAA compliance status of GTM itself is not explicitly stated by Google. Google Tag Manager is not among the services covered by Google’s BAA provision. Therefore, using Google Tag Manager to implement Google Analytics may not be HIPAA compliant.

