This post is part of a series on Google embeds and HIPAA compliance. Read the companion post: Google Maps on Healthcare Websites Is a HIPAA Liability →
Here’s a question that occasionally comes up when we talk to healthcare marketers and web teams about embedded Google content: Does it matter what our domain name looks like?
The thinking goes something like this. If a hospital at XYZHospital.org embeds a Google Map or a YouTube video, it’s obvious to Google that the visitor is on a healthcare site. But what about JanesClinic.com? Or LakesideFamilyPractice.com? If Google can’t immediately identify the domain as medical, does the HIPAA risk disappear or at least diminish?
It’s a reasonable question. And the answer reveals something fundamental about how HIPAA actually works, something that a lot of healthcare organizations misunderstand.
HIPAA Governs What You Transmit, Not What Google Can Infer
The most important thing to remember is: HIPAA compliance is not about what the recipient of your data can figure out. It’s about what you, the covered entity, are transmitting.
The violation isn’t Google receiving data and recognizing your domain as a clinic. The violation is your organization, a HIPAA-bound entity, transmitting individually identifiable information to a third party that has no Business Associate Agreement (BAA) with you. Whether Google’s systems classify your domain as healthcare-related is legally irrelevant to your liability.
The HHS Office for Civil Rights bulletin on online tracking technologies states directly: “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” The bulletin further explains that when a regulated entity collects individually identifiable information through its website, that information connects the individual to the regulated entity and is “indicative that the individual has received or will receive health care services or benefits from the covered entity.” Your status as a covered entity is what makes the information PHI. The domain name plays no part in that analysis.
OCR made the enforcement stakes concrete in 2023 when it jointly issued letters with the FTC to approximately 130 hospitals and telehealth providers, warning them that tracking technologies on their websites may be collecting health information in violation of HIPAA. Those letters went to organizations across a wide range of domain names, not only to sites with “hospital” or “health” in the URL.
The Obvious Domain: XYZHospital.org
When a patient visits XYZHospital.org/oncology/find-a-location and a Google Map loads on that page, Google receives, at a minimum, the visitor’s IP address (inherent in any connection the browser makes to Google’s servers) and the full referrer URL: the domain, the subdirectories, and the page name.
Both Google Maps and YouTube’s embedded players are explicitly designed to receive the full referrer URL. Google’s Maps Embed API documentation instructs developers to set referrerpolicy="no-referrer-when-downgrade" on the iframe specifically so that “the browser sends the full URL as the Referer header” (the header is what Google uses to enforce HTTP-referrer restrictions on the API key). YouTube goes a step further: its Required Minimum Functionality documentation states that API clients using the YouTube embedded player “must provide identification through the HTTP Referer request header” and explicitly prohibits suppressing the referrer value.
In the case of XYZHospital.org/oncology/find-a-location, the combination of IP address and referrer URL is obviously PHI. The domain, the subdirectory, and the page all identify the clinical context. There is no question what is happening or what the patient may be seeking.
The Ambiguous Domain: JanesClinic.com
What about a domain that doesn’t advertise its healthcare nature?
The HIPAA analysis doesn’t change. JanesClinic.com is a covered entity, and its patients are seeking care. When a visitor’s IP address and the URL JanesClinic.com/find-our-location are transmitted to Google, whether through a Maps embed or a YouTube video that loads on the page, that transmission has occurred regardless of whether Google’s systems ever classify the domain as medical.
The risk to the patient is real whether or not Google recognizes the traffic as health-related. The covered entity initiated an unauthorized disclosure, and that is where HIPAA places the obligation.
“Privacy Enhanced Mode” Doesn’t Fix This Either
YouTube offers a youtube-nocookie.com embed variant it calls “Privacy Enhanced Mode,” and healthcare web teams sometimes assume this resolves the compliance issue. YouTube’s own documentation describes what it actually does: the embedded videos won’t be used to personalize advertising shown to the viewer outside your site. It does not prevent YouTube from receiving the visitor’s IP address or the referrer URL of the embedding page. The network call to Google’s servers still occurs, the data still flows, and there is still no BAA.
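As an added illustration (this script is not from the original post, from Sounder, or from Google), here is a small Node.js audit that scans a page’s HTML for the Maps and YouTube embeds discussed in the sections above and in this one, and reports what Referer header the browser will send to each Google host under the referrer policy in force. The Google host list, the page URL and the sample HTML are constructed for the example; the referrer-policy rules follow the browser behaviour defined in the Referrer Policy specification, with strict-origin-when-cross-origin assumed as the browser default.

```javascript
// Added audit script, not code from the original post, from Sounder, or from Google.
// Scans page HTML for requests to Google Maps / YouTube hosts and works out the
// Referer header a browser would attach to each under the Referrer Policy rules.
// Plain Node.js, no dependencies. The page URL and HTML sample are constructed.

// Host suffixes treated as Google embed infrastructure (assumed list; extend for your site).
const GOOGLE_SUFFIXES = ["google.com", "googleapis.com", "gstatic.com",
                         "youtube.com", "youtube-nocookie.com", "ytimg.com"];

// Policy browsers apply when neither the element nor <meta name="referrer"> sets one.
const DEFAULT_POLICY = "strict-origin-when-cross-origin";
const VALID_POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
  "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
]);

function isGoogleHost(host) {
  return GOOGLE_SUFFIXES.some((s) => host === s || host.endsWith("." + s));
}

// Parse name="value" pairs from the inside of one tag; keys are lower-cased.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
  }
  return attrs;
}

// Referer the browser sends for a request from pageUrl to targetUrl under `policy`.
// "full" is scheme://host/path?query (fragment and credentials are never sent);
// origin-only values end in "/", exactly as they appear in a real Referer header.
function computeReferer(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const full = page.origin + page.pathname + page.search;
  const originOnly = page.origin + "/";
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol === "http:";
  switch (policy) {
    case "no-referrer":                return null;
    case "unsafe-url":                 return full;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin":                     return originOnly;
    case "same-origin":                return sameOrigin ? full : null;
    case "origin-when-cross-origin":   return sameOrigin ? full : originOnly;
    case "strict-origin":              return downgrade ? null : originOnly;
    default: // strict-origin-when-cross-origin
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
  }
}

// One finding per element that makes the browser contact a Google host. A finding
// with referer === null is still a request carrying the visitor's IP address.
function auditEmbeds(html, pageUrl) {
  let pagePolicy = DEFAULT_POLICY;
  let m;
  const metaRe = /<meta\b([^>]*)>/gi;
  while ((m = metaRe.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    const content = (a.content || "").toLowerCase();
    if ((a.name || "").toLowerCase() === "referrer" && VALID_POLICIES.has(content)) {
      pagePolicy = content;
    }
  }
  const findings = [];
  const tagRe = /<(iframe|script|img|link|embed|source)\b([^>]*)>/gi;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[2]);
    const ref = a.src || a.href;
    if (!ref) continue;
    let target;
    try { target = new URL(ref, pageUrl); } catch (e) { continue; } // relative URLs resolve against the page
    if (!/^https?:$/.test(target.protocol) || !isGoogleHost(target.hostname)) continue;
    const elementPolicy = (a.referrerpolicy || "").toLowerCase();
    const policy = VALID_POLICIES.has(elementPolicy) ? elementPolicy : pagePolicy;
    findings.push({ tag: m[1].toLowerCase(), host: target.hostname, url: target.href,
                    policy, referer: computeReferer(pageUrl, target.href, policy) });
  }
  return findings;
}

// Constructed sample: the page from the post, a Maps embed configured as Google's
// documentation recommends, a "Privacy Enhanced" YouTube embed, a same-origin image
// (not reported) and the YouTube IFrame Player API loader script.
const PAGE_URL = "https://xyzhospital.org/oncology/find-a-location";
const SAMPLE_HTML = `
<!doctype html><html><head>
<meta name="referrer" content="strict-origin-when-cross-origin">
</head><body>
<iframe src="https://www.google.com/maps/embed?pb=PLACE_DATA"
        referrerpolicy="no-referrer-when-downgrade"></iframe>
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>
<img src="/images/building.jpg">
<script src="https://www.youtube.com/iframe_api"></script>
</body></html>`;

for (const f of auditEmbeds(SAMPLE_HTML, PAGE_URL)) {
  console.log(`<${f.tag}> -> ${f.host}  policy=${f.policy}  Referer: ${f.referer === null ? "(none)" : f.referer}`);
}
```

On the sample, the Maps iframe with Google’s recommended referrerpolicy reports the full page URL, /oncology/find-a-location included, while the youtube-nocookie.com iframe and the iframe_api script report only the origin (https://xyzhospital.org/), which is what the browser default allows cross-origin. Every finding, including one with referrerpolicy="no-referrer", is still a request from the visitor’s browser to Google, so the IP address and the fact of the visit are disclosed regardless; the audit only shows how much of the URL rides along with them.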
The Actively Contested Legal Edge
There is one area that is still being contested. In June 2024, a federal court in American Hospital Association v. Becerra vacated one specific portion of the HHS guidance: the part asserting that HIPAA obligations arise when a tracking technology connects a visitor’s IP address with a visit to an unauthenticated public webpage (one not behind a login) that addresses specific health conditions or providers. The court held that this combination of data “does not and cannot identify an individual’s PHI without an unknowable subjective-intent element” and that HHS had exceeded its statutory authority.
Notably, the court itself observed that the guidance placed covered entities in an impossible position: a user’s intent in visiting an unauthenticated public webpage is, in the court’s own words, “unknowable,” yet that intent was the hinge on which HHS’s guidance turned. The court’s practical conclusion was striking: because HIPAA “doesn’t mandate clairvoyance, covered entities must act as if the [original bulletin] controls.”
The HHS bulletin remains published on HHS.gov with a note that HHS is evaluating its next steps. The core obligations regarding authenticated pages, BAAs, and the prohibition on unauthorized PHI disclosures remain fully intact.
More practically: Google has already resolved the question in its own terms of service. The Google Maps Platform Terms of Service explicitly prohibit using Google Maps “to transmit, store, or process health information subject to United States HIPAA regulations.” That prohibition applies to XYZHospital.org and JanesClinic.com equally, and it exists entirely independently of whatever HHS guidance survives legal challenge. The domain name is not a factor in Google’s own terms of service.
The Same Logic Applies to Every Google Embed
Google Maps and YouTube are two of the most common Google embeds on healthcare websites, but the underlying mechanism is the same for every one of them: a network request from the visitor’s browser to Google’s infrastructure, carrying the visitor’s IP address, the referrer URL of the embedding page, and the browser and device details in the request headers, with no BAA in place and no HIPAA-covered service on Google’s end.
The question isn’t whether your domain name is obviously medical. The question is whether you are a covered entity that has embedded Google content, and whether you have a BAA that covers it. On the first count, the answer for most healthcare organizations is yes. On the second, Google has made clear the answer is no.
What Compliant Embeds Look Like
The solution in both cases is the same: self-hosted infrastructure that makes no third-party network calls, provided by a vendor that will sign a BAA. Sounder Maps replaces Google Maps with a fully self-hosted vector tile map: no data leaves your environment, no referrer URL reaches Google, and no cookies are set. Sounder Video replaces embedded YouTube players with a self-hosted video platform. Both Sounder services are backed by a signed BAA.
Your domain name doesn’t matter to your HIPAA obligations. But it also doesn’t have to matter to your patient experience. Both can be compliant, and still work beautifully.
Learn more about why Google Maps specifically violates HIPAA
Contact Us about Sounder Maps and Sounder Video