
Get your analytics back on track: 3 HIPAA-compliant alternatives to GA

Summary: Finding a HIPAA-compliant alternative to Google Analytics is daunting. There are numerous alternatives, with different approaches and equally different price points. Here are our favorites, and why we recommend them.

With the US Department of Health and Human Services guidance about IP addresses constituting PHI, many hospitals, systems, and practices shut down Google Analytics out of an abundance of caution. Yet, you’re still doing all the business-as-usual stuff, which probably feels like you’re riding in an airplane with no pilot. 

Luckily, the tech industry has been quick to respond to the ever-growing need for privacy and security in analytics data. Like any problem that requires specific tech to solve, there are numerous options for HIPAA-compliant analytics platforms on the market, with various pros, cons, price points, and implementation requirements. 

We performed extensive research into alternative platforms in the market to determine which platforms provide a viable alternative to Google Analytics. After narrowing down the field to a short list, we demoed each platform, and found three that we are recommending to our clients.  

Piwik Pro

Piwik is a HIPAA-compliant, full analytics platform with its own tag management module built in. It offers a robust feature set, with an interface providing the same data metrics and reports you are accustomed to in Google Analytics. The user-friendly interface incorporates both standard and custom reports and dashboards, and implementation and tag setup in Piwik’s integrated Tag Manager is similar to what you know from Google Tag Manager. Piwik also incorporates heatmapping and integrates with Looker Studio, Google Search Console and Google Ads.

However, you’ll need to set up quite a few custom dashboards and reports to see the data you are used to seeing in GA’s standard reports. The interface isn’t quite as robust as GA, and you can’t use existing GTM container tags; all tags must be set up in Piwik Pro’s tag manager. 


Heap

Another HIPAA-compliant platform to completely replace Google Analytics is Heap. It includes many of the same functions as Piwik, but with an added data science layer that allows marketers to also qualitatively understand user behavior, with features such as session playback. Functions like Illuminate, which uncovers hidden points of friction and offers opportunities for continuous improvement, as well as journey maps, which visualize actual user flows, are powerful value-adds for marketers who want a more holistic view of how their sites are being used, rather than a standard set of moment-in-time analytics.

With Heap, setup is more complex and user training will be necessary to orient yourself to the platform and its many features. Pricewise, Heap is roughly double the price of Piwik, and offers tiered solutions based on your traffic. 

Google Analytics + Freshpaint

Not ready to completely give up GA4? Freshpaint is an analytics and customer data platform solution that allows you to continue using Google Analytics, but in a HIPAA-compliant way. You configure your event tracking in Freshpaint. Freshpaint then collects the tracking data and, through IP Masking and PHI Guard, masks anything that would be considered PHI. The data is then sent to Google Analytics. Freshpaint also offers a customer data platform. All your events to be tracked in GA are set up in Freshpaint, via your existing GTM account.

Freshpaint integrates with a large number of other platforms, which streamlines ad tracking, and sends HIPAA-compliant data to your social media platforms. However, because of the complexity of the implementation (which Freshpaint will assist you with), integration with third-party tools is an additional fee. Overall, Freshpaint’s price point is double that of Piwik.

Server-side tagging

There is one additional alternative that allows you to keep GA4 in place: server-side tagging. Server-side tagging allows you to implement website analytics on the server side, rather than on the client side (i.e. within the user's browser). The tags are implemented and executed on the server before the webpage loads on the client's browser. This approach requires additional infrastructure and technical expertise compared to traditional client-side tagging.

Decisions, decisions

Of course, these are only a few of a multitude of options on the market, and there are an equal number of drivers that can determine what direction you take. Team size, skillset, reporting preference, and budget all play large roles in the decision-making process. And as mentioned, more platforms exist that may be more suited to your unique needs or budget, which is why it’s helpful to have an agency partner to help sort through all the ins and outs and narrow the field based on your unique requirements.
