
The Rise of Consumer Health Data Beyond HIPAA: What It Means for GA4 and GTM


Michael Neidert

6 min read

Here’s an everyday scenario: someone types “early diabetes symptoms” into a search bar. They read an article, click a related link, and scroll through treatment options. Nothing sits behind a login. No medical provider is involved. 

Yet ad platforms start adjusting what they show this person almost immediately.

That’s our reality: sensitive data is getting exposed more than ever. To answer that, states are beginning to regulate health-related information that falls outside HIPAA, and they call it consumer health data. It covers the small digital traces people leave when they research symptoms, check fitness tips, or browse content that hints at their health status.

For healthcare marketers, this change matters. It reshapes what counts as regulated data and raises new questions about the tools you use every day. And because GA4 and GTM can capture far more than traditional PHI, they now sit at the center of these state-level rules.

Understanding this expanded category of health data is the first step toward protecting your strategy and keeping your analytics safe.

PHI vs. Consumer Health Data: What’s the Actual Difference?

Health data used to be simple to define. If it came from a doctor, a clinic, or a health plan, it was protected by HIPAA. But the digital world changed the rules. 

People search symptoms, track cycles, read mental health articles, and visit clinic websites long before they ever talk to a provider. After the Dobbs v. Jackson Women’s Health Organization decision, states moved fast to close gaps around reproductive and sensitive health information. To do that, they introduced broader privacy rules, and that’s how the newer category of consumer health data was born.

These two types of data now sit side by side, and marketers need to know where the line is.

What Counts as PHI Under HIPAA

Protected Health Information (PHI) comes from covered entities or their business associates. It combines an identifier with health information, and it’s tightly regulated on the federal level. 

A patient’s appointment date, a diagnosis in a patient portal, a lab result sent by a provider, and even an IP address connected to patient activity: all of that is PHI.

What Counts as Consumer Health Data Under State Laws

Consumer health data covers almost any detail linked to someone’s health status, intent, or future condition, and state laws treat it as protected. It’s broader than PHI, and it can come from a non-medical app, a fitness blog, or a retail website. 

Browsing mental health resources, using a fertility tracker, or buying products that suggest pregnancy can fall under these laws. In some states, even biometric or genetic data, or visits to pages about nearby clinics or urgent care locations, can qualify, depending on the law.

The reach is wide enough that even businesses outside healthcare may not realize they’re handling regulated information.

Why This Matters for Marketers

Marketers now face two parallel categories of health data: PHI under HIPAA and consumer health data under state laws. Both carry real compliance requirements. Both can be exposed through everyday analytics. And enforcement is no longer aimed only at hospitals. Ad tech, publishers, agencies, and SaaS tools are now part of the picture.

This expanded data landscape shapes everything from what you collect to how your tracking tools behave.

Real Risks: State-Level Enforcement Is Rising

States are no longer waiting for federal action. They’ve created their own rules around consumer health data, and they’re actively enforcing them. 

Here’s what’s happening across the country:

Recent enforcement actions against fitness apps, reproductive-health apps, and pregnancy-related trackers show how quickly regulators are moving. The rules are tightening, the scope is broader, and analytics setups are often caught in the middle.

An Old Problem Persists: GA4 and GTM Collect Both PHI and Consumer Health Data

Even with new state laws, one of the most common marketing issues stays the same. GA4 and GTM record whatever flows through a page, script, or browser. They don’t distinguish harmless behavior from something sensitive. That’s how both PHI and consumer health data end up inside analytics setups without anyone intending it.

Here’s where data leaks happen:

  • URL paths and query parameters: Condition names in URLs, appointment actions, and search terms like “anxiety therapy,” plus parameters containing emails or phone numbers.
  • Form field capture: GTM can collect typed form content before submission, including symptoms, insurance details, and contact information.
  • Cookies and identifiers: GA4 logs user IDs, device data, and referrers that reveal health intent when paired with pages about treatments or conditions.
  • Geo-location and visit context: Visiting pages related to HIV testing, fertility care, or weight loss surgery can expose sensitive interests, even without a name attached.

These quiet tracking paths create real risk under HIPAA and under state laws that regulate consumer health data. And because GA4 and GTM run by default, the exposure often happens long before anyone notices.

How to Adjust GA4 and GTM to Avoid Violations

Staying compliant in this new landscape means tightening what your analytics tools collect. GA4 and GTM will always pull in more than you expect, so the goal is to reduce exposure and keep sensitive signals (including consumer health data) out of your tracking setup from the start.

Here’s what to do to stay away from compliance headaches and fines:

  • Stop collecting sensitive query parameters: Remove keywords, emails, symptoms, and other identifiers from URLs. Use allowlists and GTM filters so only approved parameters make it into your reports.
  • Audit Event Parameters in GA4: Review the events you send to GA4. Look closely at search terms, page locations, and any user_data fields. Many leaks hide inside custom events you created months ago.
  • Turn off signals and re-evaluate Consent Mode: States with opt-in rules require real consent, not implied consent. Check whether Consent Mode still sends metadata or “pings” in your region that could expose sensitive patterns.
  • Avoid Custom Dimensions that capture health intent: Naming conventions tied to diagnoses, treatment types, or conditions can turn a standard event into regulated information. Keep custom dimensions neutral and non-medical.
  • Review third-party tags triggered by health pages: Retargeting tags often fire automatically on sensitive pages. Remove or restrict them to avoid sharing PHI or consumer health data with ad platforms.
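As an added example (not HIPALYTICS code and not Google’s), here is a small JavaScript helper that applies the allowlist step above to a page URL before it becomes GA4’s page_location, redacts emails and phone numbers found in the path (the leak sources listed earlier), and flags paths that name a condition or treatment so a GTM trigger exception can keep retargeting tags from firing on those pages. It is written in ES5 style so it could be adapted into a GTM Custom JavaScript variable; the allowlist, the regexes, and the health-term list are assumptions constructed for this example.

```javascript
// Added example, not HIPALYTICS or Google code. ES5 style so it can be adapted
// into a GTM Custom JavaScript variable; all lists and patterns are assumptions.

// Query parameters allowed to reach GA4. Everything else is dropped.
var ALLOWED_PARAMS = ['utm_source', 'utm_medium', 'utm_campaign', 'page'];

// Health-related path terms drawn from the article's own examples (constructed list).
var SENSITIVE_PATH_RE = /\b(anxiety|therapy|diabetes|hiv|fertility|pregnan|weight-loss)/i;

// Direct identifiers that sometimes ride along in paths. Deliberately broad:
// over-redacting a URL is cheaper than shipping a phone number to an ad platform.
var EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
var PHONE_RE = /\+?\d[\d\s().-]{8,}\d/g;

function redactIdentifiers(text) {
  return text
    .replace(EMAIL_RE, '[redacted-email]')
    .replace(PHONE_RE, '[redacted-phone]');
}

// Returns the sanitized page_location plus metadata for a GTM trigger:
//   url:       origin + redacted path + allowlisted query string only
//   dropped:   parameter names removed (log these during an audit)
//   sensitive: true when the path names a condition or treatment, so a
//              trigger exception can block third-party retargeting tags
function sanitizePageLocation(rawUrl, allowed) {
  var allowedParams = allowed || ALLOWED_PARAMS;
  var url = new URL(rawUrl);
  var kept = [];
  var dropped = [];
  url.searchParams.forEach(function (value, key) {
    if (allowedParams.indexOf(key) !== -1) {
      kept.push(key + '=' + encodeURIComponent(value));
    } else {
      dropped.push(key);
    }
  });
  var path;
  try {
    path = decodeURIComponent(url.pathname); // so "%20" does not hide a phone number
  } catch (e) {
    path = url.pathname; // malformed escape: fall back to the raw path
  }
  var cleanPath = redactIdentifiers(path);
  return {
    url: url.origin + cleanPath + (kept.length ? '?' + kept.join('&') : ''),
    dropped: dropped,
    sensitive: SENSITIVE_PATH_RE.test(cleanPath)
  };
}
```

Run the `dropped` list through your audit first: a parameter you never expected (an email, a search term) appearing there is exactly the kind of leak that has been flowing into GA4 unnoticed.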

These adjustments reduce risk, but they can’t fully eliminate it. GA4 and GTM still use identifiers, store data on external servers, and rely on automated collection, all of which create gaps in states with strict health-data rules. 

Cover the Marketing Gaps HIPAA and States Are Creating

Health data has outgrown HIPAA. People reveal sensitive details long before they see a provider, and states now treat those digital traces as protected consumer health data. GA4 and GTM were never designed for rules this strict. 

This is where HIPALYTICS comes in handy. We help you keep GA4 and GTM in your stack without exposing your business to unnecessary risk. Our system removes regulated health-related signals before they reach Google, stores data safely on secure US-based servers, and provides a Business Associate Agreement so your analytics strategy stays protected. 

You get reliable insights, safer tracking, and a setup that respects both HIPAA and the newest state privacy laws.

If you want analytics that work without putting your marketing at risk, we’re ready when you are.
