The Analytics Tag You Forgot to Check and the EHR Renewal You Need to Plan: A Practical GA4 Configuration Audit for Healthcare Portals and the 2026 MEDITECH Expanse Renewal Guide for CAHs
I. Two Things Your EHR Ecosystem May Be Doing Without Your Knowledge
A patient types 'cardiologist near me' into the search box on your health system's website. She clicks through to your Find a Doctor page, selects cardiology from the specialty filter, and reviews three provider profiles. She does not log in. She does not submit any form. She leaves without making an appointment.
If Google Analytics 4 is running on that page, Google now knows -- through the combination of her IP address, the URL path she visited, and the specialty she filtered -- that someone at her location was looking for a cardiologist. Under the 2022 HHS bulletin on tracking technologies and HIPAA, that combination may constitute protected health information. Google does not sign a Business Associate Agreement for GA4. The disclosure is yours to own.
Separately, if your organization is one of the more than 400 hospitals still running legacy MEDITECH -- MAGIC, Client/Server, or 6.x -- your EHR vendor is actively pushing you toward a decision: migrate to MEDITECH Expanse via the MEDITECH as a Service subscription model, or start looking at alternatives. The 2024 data shows that 63 percent of legacy MEDITECH customers who made a go-forward decision chose Expanse -- more than double the 30 percent retention rate from 2023. That shift reflects meaningfully improved pricing and migration experience for small hospitals. But it also means the window for negotiating favorable terms is now, not at the deadline.
These two issues are connected. MEDITECH Expanse patient portals run on Google Cloud infrastructure as part of MEDITECH's Google Cloud partnership. A GA4 audit that misses your MEDITECH portal is an incomplete audit. This article covers both: a step-by-step GA4 configuration audit for healthcare teams, and a 2026 vendor strategy guide for MEDITECH users at the renewal decision point.
II. The GA4 HIPAA Problem: What It Is and Why It Is Harder Than It Looks
Google Will Not Sign a BAA -- and That Is Not the Whole Problem
The foundational GA4 compliance problem is widely understood: Google explicitly states that it does not offer Business Associate Agreements in connection with Google Analytics, and that HIPAA-regulated entities using Google Analytics must refrain from exposing any data that may be considered Protected Health Information -- even data not expressly described as personally identifiable information in Google's contracts.
But the BAA absence is actually the simpler part of the problem. The deeper issue is structural. GA4 is designed for marketing attribution, audience segmentation, and advertising integration. Its Enhanced Measurement features automatically capture form interactions, site search queries, video engagement, file downloads, and scroll depth -- without pausing to evaluate whether any of that data is PHI. Its Google Signals feature links behavioral data to Google's advertising profiles across the web. These are not malicious configurations. They are the default behavior of a marketing tool running on a healthcare website.
Google's own HIPAA guidance states: "Customers must refrain from using Google Analytics in any way that may create obligations under HIPAA for Google. HIPAA-regulated entities using Google Analytics must refrain from exposing to Google any data that may be considered Protected Health Information (PHI), even if not expressly described as PII in Google's contracts and policies."
That language places the full compliance burden on the covered entity. Not on Google. If PHI reaches Google because your GA4 configuration fires on an appointment booking page, the violation is yours regardless of what Google's terms say about not receiving it.
The 2022 Bulletin, the 2024 Court Ruling, and What They Mean Together
In December 2022, HHS OCR issued a bulletin stating that tracking technologies embedded in healthcare websites and patient portals are subject to HIPAA, including on unauthenticated pages where users can schedule appointments or use symptom-checker tools. That bulletin created significant compliance activity across the industry.
In 2024, federal courts vacated part of that guidance -- specifically the portion addressing IP addresses on unauthenticated public health pages. That ruling was widely misread as reducing the overall tracking technology risk. It did not. What the 2024 ruling addressed was a narrow scenario: an IP address alone on a purely public, health-general webpage. It did not address: search queries with symptom or condition terms, URLs revealing appointment specialty or type, authenticated portal page data, or identifiers combined with health interactions. All of those scenarios remain clearly within HIPAA's scope. And the 2022 guidance's core requirement -- that covered entities cannot use tracking technologies that result in impermissible PHI disclosures -- remains in effect.
| THE BLUE SHIELD CONNECTION: The most important GA4 lesson from the settlement landscape is not from a pixel lawsuit -- it is from the Blue Shield of California self-disclosure. Blue Shield's GA4 misconfiguration enabled member data to flow into Google Ads through the Google Signals feature between April 2021 and January 2024, affecting 4.7 million members. It was not an intentional pixel installation. It was a default feature left enabled. The same Google Signals toggle is present in every GA4 property. If yours is enabled on any patient-facing page, the Blue Shield exposure mechanism is active in your environment right now. |
The Six-Step GA4 Configuration Audit
The following table maps the six most important GA4 audit steps for healthcare organizations. Each step identifies where to look, what to check, and what the PHI risk is if the issue is not addressed. Complete this audit on every GA4 property associated with a patient-facing website or portal.
| Step | Where to Look | What to Check / Fix | PHI Risk If Missed |
|---|---|---|---|
| 1. Data Stream Settings | GA4 Admin > Data Streams > Web Stream > Configure | Enhanced Measurement: disable Form Interactions, Site Search, and Video Engagement. These capture form field text, search queries, and page titles that may contain PHI. Also stop the tag from firing on any URL that contains appointment or portal path fragments. | Form submissions capturing appointment type, symptoms, or insurance ID. Site search queries revealing condition names or specialist type. Both qualify as PHI inference under Sec. 164.502. |
| 2. URL and Query Parameter Audit | Browser Developer Tools > Network tab > filter 'google-analytics' or 'collect'. Review the dl= parameter. | Look for ?patientID=, ?appointmentType=, /cardiology-scheduling, or /patient-portal-login in the dl= (document location) parameter. Any URL fragment that reveals a health condition, appointment specialty, or authenticated portal session must be stripped before GA4 fires. | URL /find-a-doctor?specialty=oncology combined with IP address = PHI inference even on a public page per the 2022 OCR bulletin. The 2024 court ruling narrowed but did not eliminate this risk. |
| 3. User-ID and Custom Dimensions | GA4 Admin > Data Streams > Measurement Protocol API > Custom Dimensions and Metrics | Confirm no patient MRN, email address, date of birth, insurance member number, or internal patient identifier is mapped to a GA4 User ID or custom dimension. Even pseudonymized IDs that can be cross-referenced to patient records are PHI. | A GA4 User ID that maps to a patient account is PHI. Once linked, all behavioral data in GA4 associated with that user becomes PHI-adjacent and subject to HIPAA. |
| 4. Page Scope -- Authenticated vs. Public | Review your Google Tag Manager or GA4 tag firing rules; identify every page or page pattern where GA4 fires | GA4 must NOT fire on: patient portal login pages, portal dashboard pages, appointment confirmation pages, MyChart or equivalent pages, lab result pages, any page requiring credentials. Use GTM triggers to exclude any URL containing /portal, /patient, /login, /myhealth, /appointment-confirmation, or similar patterns. | Login event on a patient portal page is PHI -- it confirms the user is a patient of that covered entity. Appointment confirmation page transmits appointment details. Both were cited in the Northwell and Catholic Health settlements. |
| 5. GA4 Google Signals and Advertising Features | GA4 Admin > Data Settings > Data Collection > Google Signals Data Collection | Disable Google Signals entirely if your site has any patient-facing pages. Google Signals links GA4 behavioral data to Google's advertising profiles. This is the mechanism that caused the Blue Shield of California 4.7M member exposure -- a GA4 configuration that enabled data flow to Google Ads. | This is the exact Blue Shield of California exposure mechanism. Google Signals + any health-related page activity = advertising profile enrichment with PHI-adjacent behavioral data. No BAA exists for this data flow. |
| 6. Server-Side Tagging (Recommended) | Google Tag Manager server container; your own cloud infrastructure (Google Cloud Run, AWS Lambda, or Azure Functions) | Route all GA4 traffic through your own server-side GTM container before forwarding to Google. This allows you to: strip IP addresses, remove PHI-containing URL parameters, validate events before transmission, maintain complete audit logs of what was sent. No PHI that you strip server-side can reach Google. | Server-side tagging is the most robust compliant architecture. It shifts data control from the client browser (where users can inspect it) to your own infrastructure. Google's own documentation supports this approach. |
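As an added illustration of audit steps 2 through 4 (not code from the original article, Google, or MEDITECH), the following JavaScript classifies GA4 collect beacons the way a reviewer would after filtering the Network tab on 'collect'. The path and parameter patterns are the ones the table names, with a few assumed additions (mrn, dob, and the condition-term list); beacon parameter names (dl, dt, uid, tid) are assumed from GA4's web tag, and the sample request URLs are constructed.

```javascript
// Added example (not the article's, Google's or MEDITECH's code): classify
// GA4 collect beacons copied from the browser Network tab for the PHI
// indicators audit steps 2-4 describe. Beacon parameter names (dl, dt, uid,
// tid) are assumed from GA4's web tag; the request URLs are constructed.

// Path fragments the audit table says GA4 must never fire on (step 4).
const SENSITIVE_PATHS = /\/(portal|patient|login|myhealth|appointment-confirmation)|scheduling/i;
// Query parameters that reveal identity, appointment or specialty (step 2; 'mrn' and 'dob' are assumed additions).
const SENSITIVE_PARAMS = ['patientid', 'appointmenttype', 'specialty', 'mrn', 'dob'];
// Assumed condition/specialty words to look for in free-text parameter values and page titles.
const CONDITION_TERMS = /\b(oncolog|cardiolog|cancer|hiv|pregnan|depress)/i;

// Returns a list of human-readable findings for one captured request URL;
// an empty list means nothing in the beacon looked like PHI.
function auditCollectRequest(requestUrl) {
  const findings = [];
  let beacon;
  try { beacon = new URL(requestUrl); } catch (e) { return ['unparseable request URL']; }
  if (!/\/collect$/.test(beacon.pathname)) return findings; // not a GA beacon, ignore it

  const uid = beacon.searchParams.get('uid'); // GA4 User-ID
  if (uid) findings.push('step 3: User-ID is set (' + uid + ')');

  const dl = beacon.searchParams.get('dl'); // document location, already URL-decoded by searchParams
  let page = null;
  if (dl) { try { page = new URL(dl); } catch (e) { page = null; } }
  if (page) {
    if (SENSITIVE_PATHS.test(page.pathname)) findings.push('step 4: tag fired on sensitive path ' + page.pathname);
    for (const [key, value] of page.searchParams) {
      if (SENSITIVE_PARAMS.includes(key.toLowerCase())) {
        findings.push('step 2: sensitive query parameter ' + key + '=' + value);
      } else if (CONDITION_TERMS.test(value)) {
        findings.push('step 2: condition term in parameter ' + key + '=' + value);
      }
    }
  }

  const dt = beacon.searchParams.get('dt'); // page title
  if (dt && CONDITION_TERMS.test(dt)) findings.push('step 1: condition term in page title "' + dt + '"');
  return findings;
}

// Audit a batch of captured URLs and keep only the requests that need remediation.
function auditAll(requestUrls) {
  return requestUrls
    .map((url) => ({ request: url, findings: auditCollectRequest(url) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed samples in the shape of GA4's /g/collect beacon (tid value is a placeholder).
const SAMPLE_REQUESTS = [
  // public specialty filter: the specialty parameter plus the requester's IP is the inference the 2022 bulletin describes
  'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&dl=' +
    encodeURIComponent('https://hospital.example/find-a-doctor?specialty=oncology') + '&dt=Find%20a%20Doctor',
  // authenticated portal page with a User-ID set to a patient identifier
  'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&dl=' +
    encodeURIComponent('https://hospital.example/patient-portal/login') + '&uid=MRN-00123',
  // general public page: nothing to flag
  'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&dl=' +
    encodeURIComponent('https://hospital.example/about-us') + '&dt=About%20Us',
  // not a GA beacon at all: ignored
  'https://hospital.example/assets/site.css',
];

console.log(JSON.stringify(auditAll(SAMPLE_REQUESTS), null, 2));
```

Paste request URLs copied from the Network tab in place of the samples; each finding names the audit step under which that request has to be remediated.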
The GA4-MEDITECH Portal Connection: The Audit Step Most Organizations Miss
This is the compliance gap that is easiest to miss. MEDITECH Expanse patient portals are hosted on Google Cloud infrastructure as part of MEDITECH's Google Cloud partnership. Your web and marketing team may have added GA4 tags to your MEDITECH patient portal independently -- through your own Google Tag Manager container, not MEDITECH's -- without realizing that the portal pages are health-context pages where GA4 creates direct PHI exposure risk. MEDITECH's cloud hosting agreement with Google does not extend HIPAA coverage to third-party analytics tags your team added client-side. The six-step audit above applies directly to your MEDITECH portal. Run it there first.
When GA4 Cannot Be Configured Safely: Alternative Tools
Some healthcare organizations will find that their patient portal or EHR vendor has integrated GA4 in ways that cannot be easily controlled through client-side configuration -- or that the marketing team's requirements cannot be met within a safe GA4 configuration. The following alternatives offer HIPAA-compatible analytics with varying levels of capability and complexity.
| Tool | BAA Available? | HIPAA Notes | Best For |
|---|---|---|---|
| Plausible Analytics | Yes (on request) | Cookie-free; no cross-site tracking; EU-hosted; no advertising integrations; minimal data collection by design; no IP storage | Organizations that want Google Analytics-style traffic insights without any PHI exposure risk; good fit for public healthcare marketing sites |
| Fathom Analytics | Yes | Cookie-free; privacy-first; GDPR and HIPAA-compatible; no individual tracking; aggregated metrics only; no third-party data sharing | Simple page-view and referral analytics for healthcare marketing sites; low setup complexity |
| Piwik PRO | Yes | On-premises or private cloud deployment option; HIPAA and GDPR compliance built-in; full GA4 feature parity; customer data ownership; no advertising integrations | Organizations that need GA4-equivalent capabilities (funnels, events, goals) with a BAA and data residency control; higher setup cost than Plausible/Fathom |
| GA4 with Server-Side GTM | No (GA4 still no BAA) | Server-side tagging allows PHI stripping before data reaches Google; significantly reduces risk but does not create a compliant arrangement -- Google still receives de-identified behavioral data; audit logs and controls are in your hands | Organizations that cannot migrate from GA4 immediately and need an interim risk reduction strategy while evaluating full alternatives; requires technical implementation |
| BOTTOM LINE ON GA4: You cannot make GA4 fully HIPAA-compliant. You can make your use of GA4 less risky by preventing PHI from reaching Google's servers. Server-side tagging is the most robust approach. Complete removal from patient-facing pages is the most straightforward. A HIPAA-compatible alternative with a BAA is the cleanest long-term solution. The right choice depends on your marketing team's requirements and your organization's technical capacity. What is not acceptable is leaving the default GA4 configuration in place on any page where patients interact with your health system. |
III. MEDITECH Expanse in 2026: What CAHs Need to Know Before the Next Renewal
The Market Position: Consistent Excellence in a Narrow Segment
MEDITECH Expanse earned Best in KLAS recognition for the 12th consecutive year in 2026 -- the second year in a row at #1 in the combined Acute Care EHR and Patient Accounting (Small 1-150 Beds) segment. This is the 7th consecutive year MEDITECH Expanse has led in the Small Acute Care EHR category. For Critical Access Hospitals and independent community hospitals evaluating whether to stay with MEDITECH or migrate, that track record matters. KLAS rankings reflect actual customer satisfaction data -- not vendor marketing. Twelve consecutive years at or near the top of the small hospital segment is the most reliable public signal of sustained vendor-customer relationship quality available.
What MEDITECH customers say: One CIO surveyed by KLAS in November 2025 stated: "I have been in this industry for many years. I have given MEDITECH pretty high marks, so there is no way that our organization would even contemplate moving away from the solution. The vendor has just been too good." A CEO surveyed in December 2025 about MaaS noted: "One of the biggest strengths of MaaS is the cost compared to the alternatives. We are able to work with the vendor directly rather than having to go through a larger healthcare system."
The Market Share Context: What the Numbers Actually Mean for CAHs
MEDITECH's 2024 market share decline requires context. MEDITECH's overall acute care market share declined from 16% to 14.8% in 2024 -- a net loss of 57 hospitals. On its face that sounds significant. But the data tells a more specific story: one large health system moved 41 hospitals from Expanse to Epic, accounting for the vast majority of that decline. Of the 23 organizations that competitively replaced MEDITECH, 19 chose Epic -- and 6 of those went through Epic Community Connect rather than a full Epic implementation, suggesting interoperability with surrounding Epic-heavy networks was the primary driver, not dissatisfaction with MEDITECH.
For standalone Critical Access Hospitals and independent community hospitals, the health system standardization trend that drives Epic wins is largely irrelevant. A CAH that is not part of a health system network is not being pulled toward Epic by organizational standardization pressure. Its EHR decision is driven by cost, support quality, and clinical functionality -- the dimensions where MEDITECH Expanse consistently outperforms its peer set.
The Legacy Migration Decision: 2026 Is a Key Window
If your organization is still on legacy MEDITECH -- MAGIC, Client/Server, or 6.x -- the 2024 retention data contains an important signal. The legacy retention rate jumped from 30% in 2023 to 63% in 2024. That jump reflects two things: MEDITECH improved its MaaS pricing and migration experience for small hospitals, and customers who evaluated alternatives found that the total cost of migrating to Epic or Oracle was substantially higher than staying with Expanse on MaaS.
The MEDITECH as a Service model is specifically designed for small hospital operational realities. It is a cloud subscription -- one contract, no hardware ownership, updates managed by MEDITECH -- with a smaller implementation footprint than comparable alternatives. By early 2026, more than 260 hospitals were licensed on MaaS, with 23 new hospitals signing in 2026 alone. The customer testimonial from KLAS captures the core value proposition: an independent organization gets to work directly with MEDITECH rather than through a larger health system's managed contract structure.
| LEGACY MEDITECH: WHAT TO DO NOW: If you are on MAGIC or C/S and have not had a current MaaS pricing conversation with MEDITECH, request one this quarter -- before your legacy support timeline creates pressure. Ask specifically for: (1) current MaaS subscription pricing for your bed count and module set, (2) migration timeline and implementation resource requirements, (3) reference contacts at comparable-size CAHs that completed MaaS migrations in 2024-2025, and (4) the current legacy support end date for your platform version. The 63% retention rate in 2024 suggests negotiating leverage is available -- but it is easier to exercise before a deadline than after. |
MEDITECH vs. TruBridge: The Side-by-Side
For CAHs considering alternatives to MEDITECH, TruBridge (formerly CPSI) remains the primary budget-focused comparison. The following table maps the two options across dimensions relevant to CAH decision-makers.
| Dimension | MEDITECH Expanse (MaaS) | TruBridge (Formerly CPSI) | Notes for CAH Decision-Makers |
|---|---|---|---|
| KLAS Recognition (2026) | #1 Best in KLAS -- Acute Care EHR & Patient Accounting (Small 1-150 Beds), 7th consecutive year. #2 Midsize (151-400 Beds). 12th consecutive Best in KLAS year overall. | Viable option for small hospitals with budget constraints; slightly higher overall customer satisfaction in 2024; net increase in bed market share but net hospital loss | MEDITECH Expanse has the most consistent KLAS recognition of any vendor in the small hospital segment. For CAHs, that track record is the most reliable proxy for long-term vendor stability. |
| Deployment Model | MEDITECH as a Service (MaaS): cloud subscription, single contract, no hardware ownership. 260+ licensed MaaS customers as of early 2026. 23 new hospitals signed for MaaS in 2026 alone. | Cloud-hosted model available; lower upfront cost profile; smaller implementation footprint than Expanse | MaaS is the recommended path for CAHs with limited IT staff -- no on-premises infrastructure to maintain, updates managed by MEDITECH, lower total cost of ownership than legacy deployment. |
| Market Trajectory (2024) | 14.8% acute care hospital market share (down from 16%); net loss of 57 hospitals in 2024, largely due to one health system moving 41 hospitals to Epic; 63% legacy retention rate (up from 30% in 2023) | 7.6% acute care hospital market share; negative net hospital market share; five hospitals moved from TruBridge to Expanse in 2024; nine moved to Epic | MEDITECH's market share decline is concentrated in large health system consolidation decisions. Standalone CAHs and independent community hospitals are not meaningfully affected by the health system standardization trend. |
| Legacy Migration Path | 63% of legacy MEDITECH customers (MAGIC, C/S, 6.x) who made a go-forward decision in 2024 chose to migrate to Expanse -- more than double the 30% retention rate in 2023. MEDITECH has over 400 legacy customers still on older platforms. | TruBridge (formerly CPSI) Evident platform is the go-forward path for legacy CPSI customers; some legacy Healthland Centriq customers also migrated to Evident | If you are on legacy MEDITECH (MAGIC or C/S), the 2024 retention data suggests Expanse is significantly more competitive on value and migration experience than it was three years ago. Get current pricing before assuming alternatives are cheaper. |
| Google Partnership / AI | Active Google Cloud partnership for cloud hosting and AI capabilities including Google Health clinical AI tools. MEDITECH's AI tools are described as designed to reduce clinician burden and improve financial resilience. | No equivalent major cloud AI partnership documented at this scale | The Google Cloud partnership is relevant to the GA4 compliance discussion: MEDITECH Expanse patient portals built on Google Cloud infrastructure require the same GA4 audit steps as any other healthcare portal. |
| HIPAA / BAA Profile | MEDITECH is a business associate for all cloud-hosted MaaS customers; BAA covers the Expanse platform and associated data processing. MaaS migration involves documented data transfer that must be reflected in your risk analysis. | TruBridge is a business associate for all customers; BAA required; same data transfer documentation obligations for any platform migration | Any EHR platform migration requires: updated BAA with new vendor terms, documented data transfer in risk analysis, business associate relationship review for all subcontractors, breach notification plan update |
IV. HIPAA Compliance Intersections: Where Both Issues Touch the Same Obligations
Risk Analysis -- Sec. 164.308(a)(1)
Both GA4 configuration and EHR vendor stability must be explicitly addressed in your HIPAA risk analysis. OCR's 2026 Risk Management Initiative expansion means the analysis itself is no longer sufficient -- you must document what you did about each identified risk. For GA4: document the audit performed, the specific configurations remediated, and the ongoing monitoring in place. For MEDITECH: document the vendor stability assessment, the BAA review, and the contract terms evaluated. An organization that identifies GA4 as a tracking risk but cannot produce evidence of the audit and remediation is in the same position as an organization that did nothing.
Business Associate Agreements -- Sec. 164.308(b)
Any EHR platform migration creates BAA obligations. When your organization moves from legacy MEDITECH to Expanse MaaS, the cloud infrastructure changes -- and your BAA must reflect the new subprocessor relationships, including MEDITECH's Google Cloud partnership. Review whether your current MEDITECH BAA covers the MaaS cloud environment or whether an updated agreement is required. Add explicit data portability terms: the format, timeline, and cost of extracting your historical patient data if you ever decide to switch.
V. 2026 Unified Action Roadmap
The GA4 configuration rows are the immediate priority. The MEDITECH rows address vendor strategy. The Risk Analysis row addresses documentation. The closing note connects both stories.
| Priority | Category | Action | How to Execute | Timeline |
|---|---|---|---|---|
| IMMEDIATE | GA4 -- Page Scope | Audit every page where GA4 fires; disable GA4 on all authenticated portal pages, login pages, appointment confirmation pages, and any URL containing health-condition path fragments | In Google Tag Manager: add a blocking trigger for any URL containing /portal, /patient, /login, /myhealth, /appointment-confirmation. Verify by using browser dev tools (Network tab, filter 'collect') on each page type. | THIS WEEK |
| IMMEDIATE | GA4 -- Google Signals | Disable Google Signals and all advertising-linked features in GA4 for any property that includes patient-facing pages | GA4 Admin > Data Settings > Data Collection > Google Signals Data Collection > Deactivate. This is the Blue Shield of California exposure mechanism. It is a single toggle that eliminates the most consequential PHI-to-advertising data flow. | THIS WEEK |
| IMMEDIATE | GA4 -- Enhanced Measurement | Disable Form Interactions, Site Search, and any other Enhanced Measurement features that capture page titles, form field text, or search queries | GA4 Admin > Data Streams > Web Stream > Configure > Enhanced Measurement. Toggle off Form Interactions and Site Search. These features capture text that frequently contains PHI when users interact with appointment booking or portal pages. | THIS WEEK |
| HIGH | GA4 -- URL Parameters | Audit all URL query parameters for PHI and implement GTM filters to strip sensitive parameters before GA4 fires | In GTM: use Custom JavaScript variables to scrub ?patientID=, ?appointmentType=, and similar parameters. Best practice: redesign URLs to use POST requests rather than GET parameters for any health-sensitive data. | 30 DAYS |
| HIGH | GA4 -- Server-Side Tagging | Implement server-side Google Tag Manager to route all GA4 traffic through your own infrastructure before forwarding to Google | Deploy a GTM server container on Google Cloud Run, AWS, or Azure. Configure your client-side GTM to send events to your server container instead of directly to Google. Strip IP addresses, PHI parameters, and User IDs at the server layer before forwarding. Maintain audit logs of all data transmitted. | 60-90 DAYS |
| HIGH | MEDITECH -- Contract Review | If you are on legacy MEDITECH (MAGIC, C/S, or 6.x), request current Expanse MaaS pricing and migration timeline before your next renewal cycle | Schedule a MEDITECH account review; request MaaS subscription pricing for your bed count and module set; ask for reference contacts at comparable CAHs that completed MaaS migrations in 2024-2025. The 63% legacy retention rate in 2024 suggests Expanse pricing has become more competitive for small hospitals. | THIS QUARTER |
| HIGH | MEDITECH -- BAA Review | Review your current MEDITECH BAA for data portability language, migration support terms, and notification obligations | Locate change-of-control provisions; confirm data export format and timeline if you decide to move; verify that the BAA covers the MaaS cloud infrastructure and any Google Cloud subprocessors in MEDITECH's environment. | 30 DAYS |
| MEDIUM | Risk Analysis Update | Update your HIPAA risk analysis to explicitly document GA4 configuration status and EHR vendor transition risk | OCR's 2026 Risk Management expansion requires evidence of mitigation for every identified risk. Your risk analysis must show: GA4 audit was performed, specific configurations were remediated, and ongoing monitoring is in place. For MEDITECH: document vendor stability assessment and contract terms reviewed. | 60 DAYS |

| CONNECTED RISK NOTE: If your organization uses MEDITECH Expanse and has a patient portal on Google Cloud infrastructure, the GA4 audit applies directly to your portal. MEDITECH's Google Cloud partnership does not create HIPAA coverage for client-side analytics tags your web or marketing team may have added independently of MEDITECH's infrastructure. |
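The following is an added example, not MEDITECH's, Google's or the article's own code, of the scrubbing step the URL-parameter and server-side tagging rows of the roadmap describe: a function a GTM server container tag or a small proxy would call on each event before anything is forwarded to Google. Event field names (event_name, page_location, page_referrer, client_id, user_id, ip_override) are assumed to match what the GA4 client produces in a server container, and the sample events are constructed.

```javascript
// Added example (not MEDITECH's, Google's or the article's code): the scrub
// step a server-side tagging layer applies to each event before forwarding.
// Event field names (event_name, page_location, page_referrer, client_id,
// user_id, ip_override) are assumed to match the GA4 client's event data in
// a GTM server container; the sample events below are constructed.

const SENSITIVE_PATHS = /\/(portal|patient|login|myhealth|appointment-confirmation)|scheduling/i;
const SENSITIVE_PARAMS = new Set(['patientid', 'appointmenttype', 'specialty', 'mrn', 'dob']);
const DROP_FIELDS = ['ip_override', 'user_id']; // the requester's IP and any patient-linked User-ID never leave

function pathOf(href) {
  try { return new URL(href).pathname; } catch (e) { return null; }
}

// Remove PHI-bearing query parameters; returns the cleaned URL and the names removed.
function stripSensitiveParams(href) {
  let u;
  try { u = new URL(href); } catch (e) { return { href: '', removed: [] }; }
  const removed = [];
  for (const key of Array.from(new Set(u.searchParams.keys()))) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) { u.searchParams.delete(key); removed.push(key); }
  }
  return { href: u.toString(), removed };
}

// Decide whether one event may be forwarded; returns the scrubbed copy plus an audit-log record.
function scrubEvent(event) {
  const log = { event_name: event.event_name, client_id: event.client_id, forwarded: false, reasons: [] };
  const path = pathOf(event.page_location || '');

  // Page scope: authenticated or health-specific pages are dropped outright, never merely cleaned.
  if (path === null || SENSITIVE_PATHS.test(path)) {
    log.reasons.push(path === null ? 'dropped: missing or unparseable page_location' : 'dropped: sensitive path ' + path);
    return { forward: false, event: null, log };
  }

  const out = Object.assign({}, event); // never mutate the incoming event
  for (const field of DROP_FIELDS) {
    if (field in out) { delete out[field]; log.reasons.push('removed field ' + field); }
  }
  for (const field of ['page_location', 'page_referrer']) {
    if (typeof out[field] !== 'string' || !out[field]) continue;
    const refPath = pathOf(out[field]);
    if (field === 'page_referrer' && (refPath === null || SENSITIVE_PATHS.test(refPath))) {
      out[field] = ''; // a referrer from a portal page reveals patient status just as the page itself would
      log.reasons.push('redacted page_referrer');
      continue;
    }
    const cleaned = stripSensitiveParams(out[field]);
    out[field] = cleaned.href;
    for (const k of cleaned.removed) log.reasons.push('removed ' + field + ' parameter ' + k);
  }
  log.forwarded = true;
  return { forward: true, event: out, log };
}

// Process a batch: returns what would be forwarded and the audit log (one record per incoming event).
function processBatch(events) {
  const forwarded = [], log = [];
  for (const ev of events) {
    const r = scrubEvent(ev);
    log.push(r.log);
    if (r.forward) forwarded.push(r.event);
  }
  return { forwarded, log };
}

// Constructed sample events; 203.0.113.7 is a documentation-range address, MRN-00123 a placeholder identifier.
const SAMPLE_EVENTS = [
  { event_name: 'page_view', client_id: '111.222', user_id: 'MRN-00123', ip_override: '203.0.113.7',
    page_location: 'https://hospital.example/find-a-doctor?specialty=oncology&page=2',
    page_referrer: 'https://hospital.example/patient-portal/dashboard' },
  { event_name: 'page_view', client_id: '111.222', ip_override: '203.0.113.7',
    page_location: 'https://hospital.example/patient-portal/login' },
  { event_name: 'page_view', client_id: '333.444', page_location: 'https://hospital.example/about-us',
    page_referrer: 'https://www.example-search.test/' },
];

console.log(JSON.stringify(processBatch(SAMPLE_EVENTS), null, 2));
```

The same stripSensitiveParams logic serves the client-side GTM Custom JavaScript variable the URL-parameter row mentions, once rewritten in ES5 (var and function in place of const, Set and for...of), which is the only syntax GTM custom variables accept.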
VI. Looking Ahead
The GA4 Alternative Landscape Will Improve
The healthcare analytics market is actively developing HIPAA-compatible alternatives to GA4. Piwik PRO, Plausible, and Fathom have all strengthened their BAA offerings and healthcare-specific feature sets in 2025-2026. More importantly, the server-side tagging ecosystem has matured significantly -- cloud platforms now offer well-documented deployment patterns for GTM server containers that were considerably more complex to implement two years ago. Organizations that make the investment in server-side tagging now are building infrastructure that will accommodate future analytics requirements regardless of which tool is used.
MEDITECH MaaS Growth Will Continue
MEDITECH's MaaS subscriber base has grown substantially since the model launched, and the 23 hospitals that signed for MaaS in 2026 alone suggest continued momentum. The model's appeal for independent CAHs -- direct vendor relationship, no hardware overhead, subscription pricing -- aligns with the operational constraints that define the CAH market. MEDITECH COO Helen Waters stated at the 2026 KLAS recognition announcement: "For community and rural hospitals in particular, interoperability and fiscal sustainability aren't optional -- they're essential to breaking down barriers to data exchange and preserving the independence needed to serve their communities." That framing is deliberately responsive to the concern that small hospitals have about health system consolidation and vendor standardization pressure.
The 2026 HIPAA Security Rule Update and Analytics
The proposed HIPAA Security Rule updates explicitly reference AI tools and third-party data processors in the context of risk analysis requirements. When the rule is finalized -- with a May 2026 target -- organizations that have not documented their GA4 configuration status in their risk analysis will face explicit enumerated compliance gaps rather than guidance-based ones. The window for proactive documentation is now.
VII. Conclusion
The cardiologist search that opened this article is not a hypothetical edge case. It is a routine interaction that happens thousands of times a day on healthcare websites with GA4 running. The compliance question it raises is not whether GA4 is a malicious tool -- it is not. The question is whether the default behavior of a marketing analytics platform, running on a healthcare website without specific configuration controls, results in a PHI disclosure. The answer, under HIPAA as currently interpreted by OCR, is yes in many common configurations.
The fix is not complicated. Disable Google Signals this week. Disable Enhanced Measurement form and search capture. Audit every page where GA4 fires and remove it from authenticated portal pages. Document what you found and what you changed. If you want a more durable solution, implement server-side tagging or migrate to a HIPAA-compatible alternative with a BAA.
The MEDITECH decision is not urgent in the same way, but it is time-sensitive in a different one. If you are on legacy MEDITECH and have not had a current MaaS pricing conversation, the 63% retention rate from 2024 tells you that conversation has become significantly more favorable to small hospitals than it was three years ago. Get the current numbers before your renewal pressure creates a deadline that limits your negotiating position.
Both issues live in the same EHR ecosystem. A GA4 audit that misses your MEDITECH patient portal is incomplete. A MEDITECH contract review that does not include BAA terms for the Google Cloud subprocessor relationship is incomplete. Treat them as the connected compliance priorities they are.
RESOURCES:
Google HIPAA and Analytics guidance: support.google.com/analytics/answer/13297105
HHS OCR tracking technologies bulletin (Dec 2022): hhs.gov/hipaa
MEDITECH Expanse MaaS information: ehr.meditech.com
TruBridge (formerly CPSI): trubridge.com
KLAS Research EHR market share: klasresearch.com
Plausible Analytics (HIPAA-compatible): plausible.io
Piwik PRO (BAA available): piwik.pro
Fathom Analytics (BAA available): usefathom.com
OCR breach portal: hhs.gov/hipaa
NIST 800-207 Zero Trust (companion): nist.gov
This article is for informational purposes only and does not constitute legal advice. GA4 compliance analysis is based on Google's published HIPAA guidance, HHS OCR bulletins, and publicly available enforcement records as of March 23, 2026. MEDITECH market data is sourced from KLAS Research published reports and MEDITECH press releases. Consult qualified legal counsel regarding your organization's specific HIPAA obligations and EHR vendor contract terms.