Is Google Tag Manager HIPAA Compliant?

A single line of JavaScript loads a container. That container loads dozens of other scripts, each one opening its own connection to a third-party server. The visitor's browser becomes a switchboard, sending data to Google, Meta, advertising networks, and analytics platforms simultaneously. This is how Google Tag Manager works, and it is the architecture behind the majority of healthcare tracking violations that have produced $193M+ in settlements since 2023.

The question isn't whether GTM itself collects patient data. It doesn't. GTM is an orchestration layer: a tool that makes it easy to deploy and manage other tracking scripts. The real question is whether an orchestration layer that hands marketing teams the keys to deploy unlimited client-side scripts can ever be made safe for healthcare.

How Google Tag Manager Actually Works Under the Hood

To evaluate GTM's compliance posture, you need to understand its architecture.

When you install GTM, you add a single JavaScript snippet to every page. That snippet loads a "container" from Google's servers (googletagmanager.com). The container holds your configured tags: Google Analytics, Meta Pixel, LinkedIn Insight, Hotjar, conversion pixels, remarketing scripts, and anything else your team has added.

Each of those tags executes in the visitor's browser. Each one creates its own direct connection to the tag vendor's servers. The browser sends data along each of those connections: the page URL, referrer, IP address, device information, cookies, and any custom data layer variables your team has configured.

Here is the critical point: GTM is a multiplier. A healthcare website with 15 tags in its GTM container has 15 separate client-side data paths, each one capable of transmitting protected health information (PHI) to a different third party. And because GTM is designed to let marketing teams add tags without touching the codebase, those data paths often appear without engineering review.

This is not a hypothetical risk. It is the exact mechanism behind nearly every healthcare tracking enforcement case on record.

The Tag Sprawl Problem in Healthcare

In most organizations, GTM starts with a few essential tags: Google Analytics, a conversion pixel, maybe a chat widget. Over time, marketing adds retargeting pixels, A/B testing scripts, heatmap tools, session replay platforms, and ad network tags. Agencies request their own tracking. Vendors recommend "just adding a tag" during onboarding calls.

Within a year, a typical GTM container holds 20 to 40 tags. Each tag fires on different triggers across different pages, including pages that contain health conditions in the URL path, appointment scheduling flows, symptom checker results, and patient portal login pages.

No one person has full visibility into what data each tag collects. No single audit has reviewed every firing rule. And because tags load in the browser, the data they capture and transmit is invisible to server-side security controls.

This is how Advocate Aurora Health ended up exposing the data of approximately 3 million patients. The health system installed Meta Pixel and Google Analytics on its website, app, and patient portal to "better understand patient needs." The pixels transmitted health information to Meta and Google without patient consent from 2017 to 2022, resulting in a $12.25M class action settlement.

The well-intentioned analytics setup became a breach. GTM made it easy to deploy those tags. The ease of deployment was part of the problem.

Why Google Does Not Sign a BAA for GTM

Google does not offer a Business Associate Agreement for Google Tag Manager. This is a significant compliance gap for any HIPAA-covered entity.

A BAA is the legal contract that makes a vendor a Business Associate under HIPAA, binding them to specific obligations around handling PHI. Without a BAA, any PHI that passes through the vendor's infrastructure represents an unauthorized disclosure, regardless of intent.

Even if you configure GTM carefully, the container itself loads from Google's servers. Every page view generates a request to googletagmanager.com, transmitting the page URL and visitor metadata to Google infrastructure that is not covered by any healthcare agreement.

Some organizations argue that GTM "doesn't collect data." Technically, GTM's primary function is tag orchestration rather than data collection. But the container load request itself transmits data, and more importantly, every tag that GTM fires creates a data relationship between the visitor and the tag vendor. GTM is the mechanism that establishes those relationships.

Compare this to the compliance bar set by vendors that take healthcare seriously. A legitimate healthcare vendor provides a comprehensive BAA covering the full data pipeline: collection, processing, storage, and transmission. They maintain SOC 2 Type II certification across all five trust criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy), not just the Security criterion that most vendors stop at.

Server-Side GTM: A Partial Solution with Remaining Gaps

Google introduced server-side GTM (sGTM) as an alternative architecture. Instead of tags firing in the browser, sGTM routes events through a cloud server (typically on Google Cloud Platform) before forwarding data to destination platforms.

This is a meaningful architectural improvement. The visitor's browser no longer makes direct connections to dozens of third-party servers. Data flows through a server you control, giving you the ability to inspect, filter, and redact information before it reaches downstream vendors.

However, sGTM does not fully resolve the compliance picture for healthcare:

Data still flows through Google infrastructure. The sGTM server runs on Google Cloud, and the container configuration is still managed through Google's Tag Manager interface. Google does not sign a BAA for GTM, including the server-side variant.

Implementation complexity creates risk. Server-side GTM requires significant configuration to ensure PHI is stripped before data reaches destination tags. Misconfiguration means PHI flows downstream, and most implementations are not audited by compliance teams with healthcare expertise.

Client-side components persist. Most sGTM setups still use a lightweight client-side snippet to capture events and forward them to the server container. The browser still makes requests, and URL paths containing health information are still transmitted in those requests.

Destination tags still receive data. Even with sGTM, the ultimate destinations (Google Analytics, Meta CAPI, ad platforms) receive event data. If those destinations lack BAAs, the compliance gap shifts rather than disappears.

Server-side GTM is better than client-side GTM for healthcare use cases. But "better" is not the same as "compliant."

$47.5 Million Started with Tags on a Patient Portal

The largest healthcare tracking settlement to date illustrates the scale of what can go wrong. Kaiser Permanente used third-party tracking code on its websites, patient portals, and mobile apps from 2017 to 2024. The tracking transmitted health information, including search terms, medical histories, and communications with healthcare professionals, to Google, Microsoft, Meta, and X without member consent. The breach affected 13.4 million members across 9 states, resulting in a $47.5M class action settlement.

Kaiser's tracking infrastructure relied on the same tag management patterns that GTM enables: multiple third-party scripts deployed across sensitive pages, each opening its own data path to external servers.

Henry Ford Health followed a similar pattern, using Meta Pixel and Google tracking technologies on its website and MyChart patient portal between 2020 and 2023. The result: over 819,000 consumers affected and a $12.2M settlement.

In both cases, the organizations did not intend to share PHI. The tracking tools operated exactly as designed. The architecture itself was the problem.

Building a Tag Management Strategy That Meets the Healthcare Bar

If your organization uses GTM today, replacing it requires a deliberate approach. Here is what a healthcare-grade tag management architecture looks like:

Server-side collection with a BAA-covered vendor. Data should flow from the browser to infrastructure operated by a vendor that has signed a comprehensive BAA and maintains SOC 2 Type II certification across all five trust criteria. This replaces the GTM container entirely. The browser connects to your domain, not to googletagmanager.com or any third-party endpoint.

First-party infrastructure. All data collection should happen through endpoints on a domain you control, with server-set cookies and no third-party tracking endpoints visible in the browser. This eliminates the client-side data paths that GTM creates.

Consent-gated dispatch. Data should only flow to downstream destinations after consent has been verified server-side, not through a JavaScript-based consent check that can be bypassed or misconfigured. This means the server decides what data goes where based on verified consent status, not the browser.

Continuous scanning and monitoring. Installing a compliant tag manager does not guarantee ongoing compliance. Marketing teams add scripts. Plugins update. Third-party tags load other tags through piggybacking. A web scanner that crawls your site continuously and flags every cookie, script, localStorage entry, and tracking pixel is the difference between "we set it up right once" and "we know it is still right today." Every enforcement case in the record involved tracking that ran for years before anyone noticed.

Engineering governance over tag deployment. One of GTM's selling points is that marketers can add tags without developer involvement. In healthcare, this is a liability. Any tool that sends data from a patient-facing website should require review by someone who understands HIPAA obligations.

A server-side CDP with healthcare-specific controls can replace GTM's orchestration function while keeping all data server-side and within the scope of a BAA. The browser never talks to Facebook, Google, or any ad platform directly.
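The consent-gated dispatch and PHI-stripping steps described above, as an added example that is not part of the original article or any vendor's product: the server redacts health-related URL components and forwards an event only to destinations whose purpose its own consent record permits. The destination names, the sensitive-path list and the consent record are constructed for this example.

```javascript
// Added example (not from the original article): a server-side dispatch step that
// redacts health-related URL components and forwards the event only to destinations
// whose purpose the server's own consent record permits. Destination names, the
// sensitive-path list and the consent record are constructed for this example.

// Each downstream destination and the consent purpose it requires (constructed).
const DESTINATIONS = {
  analytics: { purpose: 'analytics' },
  meta_capi: { purpose: 'advertising' },
};

// First path segments and query keys treated as carrying health context (constructed).
const SENSITIVE_SEGMENTS = /^(conditions|appointments|services|symptoms|portal|providers)$/i;
const SENSITIVE_QUERY = new Set(['q', 'condition', 'provider', 'mrn']);

// Collapse everything after a sensitive path segment and blank sensitive query values,
// so /conditions/diabetes?q=insulin becomes /conditions/redacted?q=redacted.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  const parts = url.pathname.split('/').filter(Boolean);
  const idx = parts.findIndex((seg) => SENSITIVE_SEGMENTS.test(seg));
  if (idx !== -1 && parts.length > idx + 1) parts.splice(idx + 1, parts.length, 'redacted');
  url.pathname = '/' + parts.join('/');
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_QUERY.has(key.toLowerCase())) url.searchParams.set(key, 'redacted');
  }
  return url.toString();
}

// The server decides which destinations receive the event. `consent` is the record
// the server holds for this session, not a flag supplied by the browser.
function dispatch(event, consent) {
  const safeEvent = { ...event, page_url: redactUrl(event.page_url) };
  delete safeEvent.ip; // the client address is never forwarded downstream
  const delivered = {};
  for (const [name, dest] of Object.entries(DESTINATIONS)) {
    if (consent[dest.purpose] === true) delivered[name] = safeEvent;
  }
  return delivered;
}

// Constructed sample event: analytics consent granted, advertising consent withheld.
const sample = dispatch(
  { event: 'page_view', page_url: 'https://hospital.example/conditions/diabetes?q=insulin', ip: '203.0.113.5' },
  { analytics: true, advertising: false },
);
console.log(JSON.stringify(sample, null, 2));
```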

Evaluating Your Current GTM Setup

If you are a HIPAA-covered entity currently using GTM, here is how to assess your risk:

  1. Audit your container. Export your GTM container and list every tag, trigger, and variable. Identify which tags fire on pages that could contain health information (appointment pages, condition pages, provider search results, patient portals).

  2. Map your data flows. For each tag, document what data it captures and where it sends that data. Check whether each destination vendor has signed a BAA with your organization.

  3. Check for tag piggybacking. Some tags load additional third-party scripts that are not visible in your GTM container. Use browser developer tools to identify all network requests on key pages.

  4. Review access controls. Identify who has publishing access to your GTM container. In many organizations, agencies and junior marketers can push tags live without compliance review.

  5. Scan continuously. A point-in-time audit tells you about today. A continuous web scanning solution tells you about tomorrow.
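A first pass over steps 1 and 2 and the export side of step 3, as an added example that is not part of the original article: it walks an exported container, resolves each tag's triggers, and flags tags that fire on every page or on health-related paths, plus custom HTML and image tags whose real destination cannot be read from the export (those still need the network inspection step 3 describes). The JSON shape approximates GTM's container export (containerVersion.tag / .trigger); the container, path list and type list are constructed.

```javascript
// Added example (not from the original article): a first pass over an exported GTM
// container that flags tags firing on every page or on health-related paths, and
// custom HTML/image tags whose destination cannot be read from the export. The JSON
// shape approximates GTM's export (containerVersion.tag / .trigger); the container,
// path list and type list are constructed for this example.
const CONTAINER = { containerVersion: {
  tag: [
    { name: 'GA4 - Config', type: 'gaawc', firingTriggerId: ['1'] },
    { name: 'Meta Pixel', type: 'html', firingTriggerId: ['1'] },
    { name: 'Ads Conversion - Booking', type: 'awct', firingTriggerId: ['2'] },
    { name: 'Chat Widget', type: 'html', firingTriggerId: ['3'] },
  ],
  trigger: [
    { triggerId: '1', name: 'All Pages', type: 'PAGEVIEW' },
    { triggerId: '2', name: 'Appointment Confirmed', type: 'PAGEVIEW', filter: [{ type: 'STARTS_WITH',
      parameter: [{ key: 'arg0', value: '{{Page Path}}' }, { key: 'arg1', value: '/appointments/confirm' }] }] },
    { triggerId: '3', name: 'Contact Page', type: 'PAGEVIEW', filter: [{ type: 'EQUALS',
      parameter: [{ key: 'arg0', value: '{{Page Path}}' }, { key: 'arg1', value: '/contact' }] }] },
  ],
} };

// Path fragments that indicate health context (constructed; extend for your site map).
const HEALTH_PATH = /condition|appointment|symptom|portal|provider|oncology|cardiology/i;
// Tag types whose vendor and payload are not visible in the export itself.
const OPAQUE_TYPES = new Set(['html', 'img']);

// Resolve each tag's triggers and collect the reasons it needs compliance review.
function auditContainer(container) {
  const triggers = new Map(container.containerVersion.trigger.map((t) => [t.triggerId, t]));
  return container.containerVersion.tag.map((tag) => {
    const reasons = [];
    for (const id of tag.firingTriggerId || []) {
      const trig = triggers.get(id);
      if (!trig) continue;
      const filters = trig.filter || [];
      if (trig.type === 'PAGEVIEW' && filters.length === 0) reasons.push(`fires on all pages (${trig.name})`);
      for (const f of filters) {
        const path = (f.parameter || []).find((p) => p.key === 'arg1');
        if (path && HEALTH_PATH.test(path.value)) reasons.push(`fires on health path ${path.value}`);
      }
    }
    if (OPAQUE_TYPES.has(tag.type)) reasons.push('custom script: destination not visible in export');
    return { name: tag.name, type: tag.type, risk: reasons.length ? 'review' : 'low', reasons };
  });
}

for (const row of auditContainer(CONTAINER)) console.log(row.risk.padEnd(7), row.name, row.reasons.join('; '));
```

Against a real export, load the JSON file in place of CONTAINER; everything a tag does beyond its firing rules (the script body of a custom HTML tag, what it loads in turn) still has to be checked in the browser's network panel.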

Frequently Asked Questions

Does Google Tag Manager itself collect protected health information?

GTM's primary function is orchestration, not data collection. However, loading the GTM container generates requests to Google's servers that include the page URL and visitor metadata. If page URLs contain health-related information (such as /conditions/diabetes or /appointments/cardiology), that metadata is transmitted to Google without a BAA in place. More importantly, every tag GTM fires creates its own data collection path.

Can server-side Google Tag Manager make GTM HIPAA compliant?

Server-side GTM improves the architecture by routing data through a server you control instead of firing tags in the browser. However, Google does not sign a BAA for server-side GTM. The server runs on Google Cloud infrastructure, and destination platforms still receive event data. sGTM reduces risk but does not eliminate the compliance gaps on its own. See our server-side GTM configuration guide for a deeper analysis.

What tags in GTM create the highest HIPAA risk?

Advertising and remarketing tags (Meta Pixel, Google Ads remarketing, TikTok Pixel) carry the highest risk because they transmit data to platforms that use it for ad targeting. Analytics tags (Google Analytics, Hotjar) are also significant because they record behavioral data, including page paths and user interactions that may reveal health information. Any tag that fires on pages containing health conditions, appointment details, or patient portal content represents elevated risk.

Can I use GTM on public-facing pages that don't involve patient data?

Even on unauthenticated public pages, URLs and browsing patterns can constitute PHI when combined with health context. A visitor browsing /services/oncology followed by /locations/cancer-center creates a behavioral record tied to their IP address. HHS OCR's December 2022 guidance clarified that tracking technologies on regulated entity websites can create PHI disclosure risks even on public pages.

What should I replace Google Tag Manager with?

Look for a tag management or CDP solution that operates entirely server-side, is backed by a comprehensive BAA, holds SOC 2 Type II certification across all five trust criteria, and provides consent-gated data dispatch. The replacement should give you the same orchestration capabilities (routing events to analytics, ad platforms, and CRMs) without requiring any third-party JavaScript to load in the visitor's browser.