PII/PHI considerations for GA
Last Updated: January 27, 2025
This page outlines general guidelines and considerations for the collection of personally identifiable information (PII) and protected health information (PHI) as part of any web tracking implementation for Google Analytics (GA) or any other third-party analytics tools.
Can we collect PII or PHI as part of GA tracking?
No.
Collection of PII in GA is strictly forbidden by Google as part of the agreement to use the analytics tool.
PHI – information generally found in, or related to, a person’s medical records – falls under HIPAA, which has strict requirements for how data is stored, accessed, and used. GA cannot be configured to meet these requirements.
How do we avoid sending PII or PHI to GA (or other data collection tools)?
Build with tracking in mind
By default, most web tracking tools like GA, Adobe, or DataDog collect URLs and page titles. It is a best practice to prevent any possible collection by building your product or site so that no PII or PHI is passed through the URL or appears in the <title> tag.
It is also strongly recommended to avoid including PII and PHI in link click text and destination URLs. We may be able to override these data points in VA.gov’s own GA implementation, but we do not have that level of control over other collection points such as the Digital Analytics Program (DAP).
Be mindful when implementing events/tracking and loop in the Analytics and Insights Team
We use GA to measure and analyze web/app interactions, but not any information a user might submit. For example, GA records that a user viewed and completed a COVID vaccination questionnaire, but not the submitted answers, which go to a backend data source.
When looking to add a new tracking event for GA (or any other tool):
Review the event information for possible PII and PHI.
Reach out to the Analytics and Insights Team if you’re not sure if something is PII or PHI.
Event tracking on design system form components is disabled by default to avoid accidental PII or PHI collection and should be enabled only after careful review.
Avoid using open text field submissions.
Have the Analytics and Insights Team review all new events before they go live.
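The guidance above (keep PII and PHI out of URLs and titles, review every new event before it goes live) can be backed by a pre-send check in the tracking code. The following is an added example, not VA.gov platform code: it scrubs a GA event payload and the page URL it carries for PII-shaped values before anything is pushed to the dataLayer, and returns the findings so the event can be held for Analytics and Insights Team review. The regexes, the list of sensitive keys, the event shape and the sample event are assumptions for illustration.

```javascript
// Added example, not VA.gov platform code: scrub a GA event payload, and the
// page URL it carries, for PII-shaped values before it is pushed to the
// dataLayer. Runs on Node 18+ or in a browser (WHATWG URL). The regexes,
// key names and event shape below are assumptions for illustration.

// Heuristic PII patterns. They catch accidental leakage; a clean result does
// not prove a payload is PII-free, so new events still get human review.
const PII_PATTERNS = [
  { name: "email", re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi },
  { name: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { name: "phone", re: /\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b/g },
];

// Query parameters or event fields that should never reach GA (assumed list).
const SENSITIVE_KEYS = new Set(["email", "ssn", "dob", "phone", "first_name", "last_name"]);

// Replace every PII match in one string. Returns the cleaned string and the
// names of the patterns that fired.
function redactString(value) {
  let out = value;
  const findings = [];
  for (const { name, re } of PII_PATTERNS) {
    const replaced = out.replace(re, `[REDACTED_${name.toUpperCase()}]`);
    if (replaced !== out) {
      findings.push(name);
      out = replaced;
    }
  }
  return { value: out, findings };
}

// Drop sensitive query parameters, then redact PII shapes in the remaining
// parameter values and in the path. Returns the rebuilt URL string.
function sanitizeUrl(urlString) {
  const url = new URL(urlString);
  const findings = [];
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (SENSITIVE_KEYS.has(key.toLowerCase())) {
      url.searchParams.delete(key);
      findings.push(`param:${key}`);
      continue;
    }
    const cleaned = redactString(value);
    if (cleaned.findings.length) {
      url.searchParams.set(key, cleaned.value);
      findings.push(...cleaned.findings.map((f) => `${f}:${key}`));
    }
  }
  const path = redactString(url.pathname);
  if (path.findings.length) {
    url.pathname = path.value;
    findings.push(...path.findings.map((f) => `${f}:path`));
  }
  return { value: url.toString(), findings };
}

// Walk an event object: drop sensitive keys, sanitize the page URL, redact
// strings, recurse into nested objects. Builds a new object; collects findings
// labelled with the dotted field path they came from.
function scrubObject(obj, findings, prefix) {
  const out = {};
  for (const [key, value] of Object.entries(obj)) {
    const label = prefix ? `${prefix}.${key}` : key;
    if (SENSITIVE_KEYS.has(key.toLowerCase())) {
      findings.push(`field:${label}`); // dropped entirely
    } else if (key === "page_location" && typeof value === "string") {
      const url = sanitizeUrl(value);
      out[key] = url.value;
      findings.push(...url.findings.map((f) => `${f}@${label}`));
    } else if (typeof value === "string") {
      const s = redactString(value);
      out[key] = s.value;
      findings.push(...s.findings.map((f) => `${f}@${label}`));
    } else if (value && typeof value === "object" && !Array.isArray(value)) {
      out[key] = scrubObject(value, findings, label);
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Gate before the dataLayer push. Any finding means the event design leaked
// PII and should be held for Analytics and Insights Team review rather than
// sent; the cleaned copy is what GA may eventually see.
function prepareForDataLayer(event) {
  const findings = [];
  const cleaned = scrubObject(event, findings, "");
  return { cleaned, findings, needsReview: findings.length > 0 };
}

// Constructed sample event (not real data) with PII leaked in two places:
// an email in the URL query string and a phone number in an open text field.
const SAMPLE_EVENT = {
  event: "form-submit",
  form_name: "covid-vaccine-questionnaire",
  page_location: "https://www.va.gov/health-care/covid-19-vaccine/?email=jane%40example.com&step=3",
  page_title: "COVID-19 vaccine questionnaire | Veterans Affairs",
  extra: { notes: "call back at 555-123-4567" },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(prepareForDataLayer(SAMPLE_EVENT), null, 2));
}
```

On the sample event the check drops the `email` parameter from `page_location`, redacts the phone number in `extra.notes`, leaves the title untouched, and reports `needsReview: true` with findings naming both fields. The pattern list is deliberately short; the point is that the scrub runs on the client before the push, so a mis-designed event never reaches GA in the first place, and the findings give the team something concrete to review.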
How to report any PII/PHI found in GA
If any PII or PHI is found or suspected when browsing Google Analytics, teams should alert the Platform Analytics and Insights Team immediately via the vfs-analytics Slack channel. The team will then review and, if needed, contact the Security Team and report the incident to the appropriate Privacy Officer.
Reference links: