Is Google Analytics (GA4) HIPAA compliant?
No BAANot for PHI
Will Google Analytics (GA4) sign a HIPAA BAA?
No — Google Analytics (GA4) does not sign a HIPAA Business Associate Agreement (BAA).
Google does not sign a HIPAA BAA for Google Analytics / GA4 — Analytics is not on Google's list of HIPAA-eligible services (the Google Workspace / Cloud BAA covers products such as Gmail, Drive, Cloud Storage, and BigQuery, but not Analytics). Google's own Analytics policy independently prohibits sending any data 'that Google could use or recognize as personally identifiable information,' including email addresses, phone numbers, and government IDs. Together this means GA4 cannot lawfully process PHI.
PHI eligibility
Never send PHI or PII to GA4; Google will not sign a BAA for Analytics and its terms forbid PII, which disqualifies it from any PHI workflow.
SOC 2
Not publicly confirmed
Trust center
Sub-processors
—
Notes
Distinct from Google Cloud / Workspace, which do offer a BAA for a defined product list; GA4 is specifically excluded. The PII prohibition is Google's own published Analytics policy.
Get notified when this changes
We track Google Analytics (GA4)'s BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.
How to request and sign a BAA with Google Analytics (GA4)
No — Google Analytics (GA4) does not sign a HIPAA Business Associate Agreement (BAA).
There is no BAA to request — Google Analytics (GA4) will not sign one. Google does not sign a HIPAA BAA for Google Analytics / GA4 — Analytics is not on Google's list of HIPAA-eligible services (the Google Workspace / Cloud BAA covers products such as Gmail, Drive, Cloud Storage, and BigQuery, but not Analytics). Google's own Analytics policy independently prohibits sending any data 'that Google could use or recognize as personally identifiable information,' including email addresses, phone numbers, and government IDs. Together this means GA4 cannot lawfully process PHI.
Need a vendor in this space that does? See which HIPAA compliant product & web analytics sign a BAA →
Before you sign — watch for
- No BAA on the free / consumer tier — you must be on a qualifying paid plan first.
- A signed BAA here does NOT clear you to deliberately store PHI — the vendor still restricts intentional PHI collection or how it may be used. Confirm the exact scope.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with Google Analytics (GA4) before you rely on it. This is cited public information, not legal advice.
Frequently asked questions
Does Google Analytics (GA4) sign a HIPAA Business Associate Agreement (BAA)?
No — Google Analytics (GA4) does not sign a HIPAA Business Associate Agreement (BAA). Google does not sign a HIPAA BAA for Google Analytics / GA4 — Analytics is not on Google's list of HIPAA-eligible services (the Google Workspace / Cloud BAA covers products such as Gmail, Drive, Cloud Storage, and BigQuery, but not Analytics). Google's own Analytics policy independently prohibits sending any data 'that Google could use or recognize as personally identifiable information,' including email addresses, phone numbers, and government IDs. Together this means GA4 cannot lawfully process PHI.
Is Google Analytics (GA4) HIPAA compliant?
Google Analytics (GA4) is not HIPAA-ready: it does not sign a Business Associate Agreement (BAA), so you cannot use it to process protected health information (PHI). Never send PHI or PII to GA4; Google will not sign a BAA for Analytics and its terms forbid PII, which disqualifies it from any PHI workflow.
Can you store PHI (protected health information) in Google Analytics (GA4)?
Never send PHI or PII to GA4; Google will not sign a BAA for Analytics and its terms forbid PII, which disqualifies it from any PHI workflow.
Is Google Analytics (GA4) SOC 2 certified?
We could not confirm a public SOC 2 report for Google Analytics (GA4). SOC 2 is separate from a HIPAA BAA — confirm both directly with Google Analytics (GA4).
How do I request a HIPAA BAA from Google Analytics (GA4)?
You can't — Google Analytics (GA4) does not sign a HIPAA Business Associate Agreement. Google does not sign a HIPAA BAA for Google Analytics / GA4 — Analytics is not on Google's list of HIPAA-eligible services (the Google Workspace / Cloud BAA covers products such as Gmail, Drive, Cloud Storage, and BigQuery, but not Analytics). Google's own Analytics policy independently prohibits sending any data 'that Google could use or recognize as personally identifiable information,' including email addresses, phone numbers, and government IDs. Together this means GA4 cannot lawfully process PHI.
What plan do I need to sign a BAA with Google Analytics (GA4)?
Google Analytics (GA4) does not offer a BAA on any plan, so no plan qualifies. Google does not sign a HIPAA BAA for Google Analytics / GA4 — Analytics is not on Google's list of HIPAA-eligible services (the Google Workspace / Cloud BAA covers products such as Gmail, Drive, Cloud Storage, and BigQuery, but not Analytics). Google's own Analytics policy independently prohibits sending any data 'that Google could use or recognize as personally identifiable information,' including email addresses, phone numbers, and government IDs. Together this means GA4 cannot lawfully process PHI.
Sources
https://support.google.com/analytics/answer/6366371
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with Google Analytics (GA4) before processing protected health information.
Check another vendor
See all HIPAA compliant product & web analytics →
Browse all 105 vendors by category →