HIPAA Compliance with Third-Party Services


In the healthcare industry, compliance with the Health Insurance Portability and Accountability Act (HIPAA) extends beyond the confines of your practice. It also encompasses the third-party services you use, such as electronic health record systems, cloud storage providers, and analytics tools. A critical component of ensuring HIPAA compliance when using these services is the execution of Business Associate Agreements (BAAs). This article explores the process of reviewing third-party services for HIPAA compliance and the importance of obtaining BAAs, with a special note on services like Google Analytics.

Reviewing Third-Party Services for HIPAA Compliance

When incorporating third-party services into your healthcare practice, it’s essential to conduct a thorough review of their compliance with HIPAA standards.

  1. Conduct a Risk Assessment: Evaluate the service’s data handling and security measures. Ensure they align with HIPAA’s requirements for protecting Protected Health Information (PHI) [1].
  2. Check for HIPAA Compliance Statements: Many third-party service providers who are familiar with the healthcare industry will explicitly state their compliance with HIPAA on their websites or product literature [2].

Obtaining Business Associate Agreements (BAAs)

A BAA is a contract between a HIPAA-covered entity and a third-party service provider that has access to PHI. It outlines the responsibilities of each party in protecting PHI.

  1. Understand the Necessity of BAAs: Under HIPAA, covered entities must have a BAA in place with any third-party service provider that handles PHI [3].
  2. Negotiating and Signing BAAs: Ensure that the BAA clearly defines PHI use, safeguards for its protection, and the reporting process in the event of a breach.

Special Note: Google Analytics and BAAs

It’s important to note that some popular third-party services, like Google Analytics, do not offer BAAs. Google Analytics, widely used for website traffic analysis, does not align with HIPAA compliance requirements, as it does not provide a BAA and may collect information that could be considered PHI [4].

  1. Alternative Solutions: If you need analytics for your website, consider HIPAA-compliant alternatives or configure your analytics tools to avoid collecting PHI. Blue Burst Media has a specialized team that can properly set up Google Analytics to be HIPAA Compliant.
  2. Regular Audits: Regularly audit the data collected by your analytics tools to ensure no PHI is being captured inadvertently.


For healthcare providers, ensuring HIPAA compliance is a multifaceted task that extends to the third-party services they utilize. Careful review of these services and obtaining BAAs where necessary are critical steps in maintaining compliance. For services like Google Analytics, which do not offer BAAs, it’s important to seek alternatives or take steps to ensure that no PHI is collected. Staying vigilant and proactive in these efforts is key to safeguarding patient privacy and adhering to legal requirements.


  1. U.S. Department of Health & Human Services. (n.d.). Business Associate Contracts. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
  2. HealthIT.gov. (n.d.). Health IT Privacy & Security Resources. https://www.healthit.gov/topic/privacy-security-and-hipaa
  3. U.S. Department of Health & Human Services. (n.d.). HIPAA for Professionals. https://www.hhs.gov/hipaa/for-professionals/index.html
  4. Google Analytics Help. (n.d.). Data privacy and security. https://support.google.com/analytics/answer/6004245