A compliance scan shut down a psychiatric practice's entire analytics stack two years ago. Every pixel, every tracking tag, every GA4 event - gone overnight. The practice had been running what they thought was standard Google Ads tracking. Nobody had thought to check whether it was compliant.
They came to us six weeks later with no conversion data, no baseline, and a Google Ads account that had been running blind since the shutdown. They were spending money and had no way to know if it was working.
This guide covers what we rebuilt and why - so your practice doesn't end up in the same place.
Why Therapy Practice Tracking Is Different
Most Google Ads guides are written for e-commerce or B2B SaaS. Those businesses can track everything: who clicked, who signed up, what they bought, where they dropped off. The more data, the better.
Therapy practices operate under HIPAA. The moment someone submits an intake form on your website, the information they've provided - their name, their email, the fact that they're seeking therapy - becomes protected health information (PHI). Standard tracking tools are not designed for this.
The risk isn't theoretical. HIPAA violations from pixel tracking in healthcare have resulted in millions in fines and settlements. The FTC has also pursued separate enforcement actions against health companies that shared user data with ad platforms without consent.
This guide covers general tracking principles for therapy practices running Google Ads. It is not legal advice and does not substitute for a review by a HIPAA compliance attorney or your practice's privacy officer. Compliance requirements vary by jurisdiction and practice type.
What You Can Safely Track
The goal of HIPAA-compliant tracking is to measure campaign performance without capturing or transmitting any information that could identify a specific person as a therapy patient or prospective patient.
These are the signals that are generally safe to track:
- Form submission event (not form content). You can fire a conversion event when someone submits your contact or intake form. What you cannot do is send the form field values - name, email, phone, reason for seeking therapy - to Google or any analytics platform. The conversion is the action, not the data inside it.
- Phone call connections. Tracking that a call was made and lasted longer than a threshold (e.g., 90 seconds, indicating a real conversation) is generally safe. Call recording or transcription by third-party ad platforms is a different story.
- Device type, browser, and geographic region. These are aggregate signals that don't identify individuals and are standard practice across all industries.
- Traffic source and landing page. Which campaign, which ad, which keyword led someone to your site. This is necessary for any ROI calculation and does not touch PHI.
- Session-level behavior (time on page, page depth), anonymized. This is safe only if your GA4 configuration has IP anonymization on, no user-level IDs enabled, and data sharing with Google set to off.
What You Must Never Send to Ad Platforms
The following should never reach Google Ads, Google Analytics, Meta Pixel, or any other advertising platform:
- Names, email addresses, or phone numbers collected in intake forms
- Any field that indicates a health condition, reason for seeking therapy, or insurance information
- User IDs that could be cross-referenced with health information elsewhere
- Enhanced conversions using email address as the matching key (Google's "enhanced conversions" feature hashes and sends the email - this is PHI in a therapy context)
- Remarketing audience lists built from people who visited specific condition or therapy-type pages (e.g., "visited /anxiety-therapy") - this implies a health condition
Google's Enhanced Conversions feature is designed to improve tracking accuracy by hashing and sending email addresses to Google when someone converts. For most businesses, this is helpful. For therapy practices, sending any identifier from an intake form submission is a HIPAA risk. Do not enable Enhanced Conversions on your intake form thank-you page.
The Setup We Use
For therapy practice clients, our standard tracking stack is Google Tag Manager + GA4 + Google Ads conversion tracking, configured specifically to avoid PHI transmission.
Google Tag Manager Configuration
GTM is the container that controls what fires and when. Our setup:
- One conversion trigger fires when the intake form thank-you page loads. The trigger is URL-based, not form-field-based. It confirms the submission happened without capturing what was submitted.
- Phone call tracking uses a click listener on the phone number link - not a call recording service. The event captures that the link was clicked. Duration tracking (if used) is handled by a HIPAA-conscious call analytics provider, not Google's built-in call tracking.
- All custom variables that could contain user-entered text are explicitly excluded from any tags that fire to Google or analytics platforms.
- Data layer pushes are audited quarterly to confirm no PII is included in any payload.
GA4 Configuration
- IP anonymization enabled (now default in GA4, but confirm it is on)
- User-ID feature disabled
- Google signals disabled (this feature uses logged-in Google account data for cross-device tracking - off limits for health contexts)
- Data sharing with Google set to off
- Retention period set to 2 months (minimum)
- No audience definitions that reference health-related pages
Google Ads Conversion Actions
- One conversion action for form submissions (fires from the thank-you page URL)
- One conversion action for phone call clicks (fires from the phone link click event in GTM)
- No enhanced conversions
- No customer match lists using emails from intake forms
Tracking Audit Checklist
Run this before launching any new campaign:
- Intake form thank-you page fires a conversion event (not the form page itself)
- Confirm no form field values are included in any GTM data layer push or tag payload
- GA4 IP anonymization confirmed on
- GA4 Google Signals confirmed off
- GA4 User-ID feature confirmed off
- No Enhanced Conversions enabled on intake or contact form actions
- No remarketing audiences built from specialty or condition pages
- Phone tracking uses click-through measurement only, not call recording via ad platform
- Any third-party call analytics provider has a BAA in place
- GTM container reviewed for any tags that fire on form submission with user-entered data
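The quarterly data layer audit described in the GTM section and the checklist items about form field values in data layer pushes can be partly automated. The following is an added example, not the article's own tooling: it walks a list of captured `dataLayer` pushes and flags denied keys, email or phone values, and GTM's built-in `gtm.formSubmit` listener event. The denied-key list and the sample pushes are constructed assumptions.

```javascript
'use strict';

// Keys that should never appear in a push on a therapy practice site (assumed denylist).
const DENIED_KEYS = /^(name|first_?name|last_?name|email|phone|tel|reason|message|condition|insurance|diagnosis|user_?id)$/i;
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const PHONE_RE = /(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}/;
// GTM's built-in form listener event; it exposes the form element (and so its field values) to tags.
const FORM_LISTENER_EVENT = 'gtm.formSubmit';

// Walk one push (including nested objects) and collect findings.
function auditPush(push, path = '', findings = []) {
  if (push === null || typeof push !== 'object') return findings;
  for (const [key, value] of Object.entries(push)) {
    const here = path ? `${path}.${key}` : key;
    if (key === 'event' && value === FORM_LISTENER_EVENT) {
      findings.push({ path: here, issue: 'form-listener event; fire the conversion on the thank-you URL instead' });
    }
    if (DENIED_KEYS.test(key)) {
      findings.push({ path: here, issue: 'denied key (likely a form field value)' });
    }
    if (typeof value === 'string') {
      if (EMAIL_RE.test(value)) findings.push({ path: here, issue: 'email address in value' });
      else if (PHONE_RE.test(value)) findings.push({ path: here, issue: 'phone number in value' });
    } else {
      auditPush(value, here, findings);
    }
  }
  return findings;
}

// Audit every push; each finding carries the index of the push it came from.
function auditDataLayer(pushes) {
  return pushes.flatMap((p, i) => auditPush(p).map(f => ({ push: i, ...f })));
}

// Constructed sample pushes: the first two are the intended shape (action only, no content),
// the last two are the kind of payload the audit must catch.
const SAMPLE_PUSHES = [
  { event: 'intake_form_submitted', page_path: '/thank-you', campaign: 'anxiety-therapy-search' },
  { event: 'phone_link_click', link_text: 'Call us' },
  { event: 'gtm.formSubmit', 'gtm.elementId': 'intake-form' },
  { event: 'form_submit', form: { email: 'jane@example.com', phone: '(555) 123-4567', reason: 'anxiety' } },
];

console.log(JSON.stringify(auditDataLayer(SAMPLE_PUSHES), null, 2));
```

Capture real pushes by copying `window.dataLayer` from the browser console on the thank-you page and the form page, then feed that array to `auditDataLayer`; an empty result is what the checklist expects.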
Red Flags to Look For in an Existing Account
If you're auditing an account that's already running, these are the signals that something may be out of compliance:
- Enhanced Conversions is enabled. Check Google Ads → Goals → Conversions → Settings. If it says "Enhanced conversions for web" is on, and your conversion actions include intake forms, this needs to be reviewed immediately.
- Customer match lists exist. If there are audience lists in Google Ads that were built from email addresses, check the source. Email addresses from intake forms should never be in these lists.
- GTM tags fire on the intake form page, not the thank-you page. If the conversion trigger is on the form page itself (meaning it fires as the user is filling it out), there's a risk that form field values are being captured. Triggers should be on the post-submission confirmation URL.
- GA4 is tracking user-level data. In GA4's Data Settings, check whether User-ID collection is on. Also check whether any custom dimensions are collecting text from form fields.
- The ad account uses "Observation" audiences that include therapy-specific page visitors. This is lower risk than "Targeting" audiences but still creates a data set linking individuals to health-seeking behavior.
The psychiatric practice that had their analytics shut down wasn't doing anything unusual. They were running tracking that would have been fine for a dental office or a chiropractor. Therapy is different. The information someone shares when booking a therapy intake is protected in a way that other healthcare categories often aren't.
What Good Tracking Looks Like When It's Working
When the setup is right, you can answer these questions from your Google Ads dashboard without touching any PHI:
- Which campaigns are generating form submissions?
- What is the cost per inquiry for each specialty campaign?
- Which geographic areas are producing the most conversions per dollar spent?
- Is phone call volume increasing or decreasing as campaigns mature?
- Which landing pages have the highest form submission rate?
You cannot know (and should not try to know): who specifically submitted the form, what they wrote, or what their health history is. That's the line. Stay on this side of it and you have everything you need to run a well-optimized campaign without any compliance exposure.