This post is the third in a series on Google embeds and HIPAA compliance. Read the companion posts:
- Google Maps on Healthcare Websites Is a HIPAA Liability
- Does Your Domain Name Protect You From HIPAA Liability?
If you’ve read our previous posts on Google Maps and HIPAA compliance, you already know that embedding Google Maps or YouTube on a healthcare website transmits visitor IP addresses and the full page URL to Google, without a Business Associate Agreement, and in direct violation of Google’s own platform terms. You may also know that this applies regardless of whether your domain name obviously identifies your site as a healthcare organization.
But here’s a question we hear next: Does the content of the page where the embed lives make a difference?
The short answer is yes, but probably not in the way you’re thinking. And one of the most common pages on every healthcare website illustrates the risk more clearly than any condition-specific treatment page ever could.
First, an Important Clarification: Google Doesn’t See Your Page Content
Before going further, it’s worth being precise about what Google actually receives when a map or video loads on your page.
Google does not receive the rendered content of the page: the text, the images, the form fields, the clinical descriptions. What Google receives is:
- The visitor’s IP address (via TCP/IP)
- The full URL of the embedding page
- Cookies and persistent identifiers — including the NID cookie, which stores a user ID that persists across sessions
- Browser and device fingerprint data, which Google’s own privacy policy describes as including:
  - Browser information — browser type, browser settings, and browser language
  - Device information — device type, device settings, and operating system
  - Network information — mobile carrier name, phone number (on mobile devices)
  - Application data — application version number and crash reports
  - Activity signals — system activity, date and time of request
That’s it. The transmission happens at the network request level, the moment the embed loads, before the visitor has read a word, clicked anything, or filled out a single form field. The page content itself never leaves your environment.
This distinction matters because many healthcare web teams assume the compliance risk is about data entered into forms or content displayed on screen. It isn’t. The exposure is structural, not behavioral. It happens automatically, on every page load, to every visitor. The HHS Office for Civil Rights bulletin on online tracking technologies describes exactly this mechanism, and specifically names fingerprinting scripts as one of the tracking technologies that websites commonly use to collect information from users. It notes that these technologies, “collect information and track users in various ways, many of which are not apparent to the website or mobile app user.”
The compliance question isn’t what Google does with this data after receiving it. It’s that your organization, a HIPAA-covered entity, transmitted it to a third party with no BAA. The moment the page loads, the violation has already occurred.
What the URL Carries, And What It Implies
Because the full URL is transmitted, the path and subdirectory structure of your site do significant work in terms of what gets signaled to Google.
JanesClinic.com/contact-us looks generic. JanesClinic.com/breast-cancer-treatment/patient-stories does not. The same Google Maps embed sitting on both pages creates meaningfully different exposure, not because the page content is transmitted, but because the URL itself encodes clinical context.
The HHS OCR bulletin is explicit that tracking technologies disclose information including “an individual’s IP address or geographic location, device IDs, or any unique identifying code” along with information about which pages they visited. On a URL about a specific health condition, the page visit itself implies clinical context even before any user interaction occurs.
The Contact Us Page: The Most Overlooked Compliance Risk on Your Site
Here’s where the real-world example gets uncomfortable.
Many healthcare websites have a Contact Us page. A large percentage of Contact Us pages have an embedded Google Map showing the facility’s location(s). And in many cases, that same page has a contact form: one that the web team may have carefully made HIPAA-compliant, with a signed BAA with the form provider, proper encryption, and all the right safeguards.
Here’s the problem: the form’s compliance is completely irrelevant to the map’s compliance. They are two entirely separate data flows.
When a visitor lands on a Contact Us page with a compliant form and an embedded Google Map:
- The Google Map loads automatically
- Google receives, via TCP/IP, the visitor’s IP address, and via the request headers, the browser and device fingerprint data and the full URL (/contact-us), before the visitor has touched anything
- That data travels to Google’s servers with no BAA in place
- Meanwhile, if the visitor fills out the form, that data travels separately to your HIPAA-compliant form processor, correctly and safely
The map fires on page load. The form fires on submission. They are independent transmissions to independent third parties under entirely independent compliance frameworks, and only one of them has a BAA. Under HIPAA, the violation is not Google receiving the data. It is your organization transmitting it, and that transmission happens before your visitor has done anything at all.
The HHS bulletin uses appointment scheduling pages as a direct analogue for this mechanism: “If an individual makes an appointment through the website of a covered health clinic for health services and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor.” The same automatic transmission occurs on a Contact Us page with an embedded map. The page loads, the map fires, and the data leaves, before a single form field is touched.
But Doesn’t /contact-us Look Innocuous to Google?
This is actually the wrong question to ask. Because HIPAA doesn’t regulate what Google can infer from your data. It regulates what you, as a covered entity, transmit. The compliance obligation is on your side of the transaction, not Google’s. Whether Google’s systems recognize your domain as a healthcare site, or can determine the clinical significance of the URL, is legally irrelevant to your liability.
With that reframe in place, the more useful question is: what does the page context imply about visitor intent, and does that intent matter under HIPAA?
This is where the June 2024 federal court ruling in American Hospital Association v. Becerra becomes relevant. The court vacated a portion of the HHS guidance precisely because visitor intent on unauthenticated (not behind a login) pages is, in the court’s own words, “unknowable.” No one can tell from the data alone whether the person visiting a healthcare page is a patient seeking care or a student writing a term paper.
But a Contact Us page on a healthcare website is a meaningful edge case in that framework. Someone navigating to /contact-us on a clinic’s website has self-selected into a fairly clear intent signal. They are not researching for academic purposes. They are trying to reach a healthcare provider. The URL may look generic, but the behavioral context is not.
More importantly: the court’s ruling applies to the narrow question of whether an IP address combined with a visit to an unauthenticated page automatically constitutes PHI under HIPAA. It does not resolve (and was not asked to resolve) whether embedding a tool from a vendor with no BAA is permissible on that page. Those are separate questions. The HHS bulletin remains clear that, “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors.” And Google’s own Maps Platform Terms of Service prohibit using Google Maps “to transmit, store, or process health information subject to United States HIPAA regulations.” This is a prohibition that applies to both Contact Us pages and oncology pages.
The enforcement stakes are real. In July 2023, HHS OCR and the FTC jointly issued warning letters to approximately 130 hospital systems and telehealth providers about “serious privacy and security risks related to the use of online tracking technologies” on their websites and mobile apps. Those letters went to organizations across a wide range of site types, not only to sites with obviously clinical page structures.
A Practical Risk Framework by Page Type
Because the URL is what gets transmitted, and because your organization bears the compliance obligation for that transmission, the nature of the URL and the intent it implies shapes the risk level of any Google embed on that page. Here’s how to think about it:
Lowest risk – General informational pages where visitor intent is genuinely ambiguous: job postings, visiting hours, about the organization, news and press releases. The court ruling provides the most cover here. That said, Google’s own terms of service prohibition still applies, and your organization is still the one transmitting.
Elevated risk – Service line or condition-specific pages: /oncology, /mental-health, /addiction-treatment. The URL encodes clinical context even though no page content is transmitted. A visitor’s presence on these pages is a stronger signal of healthcare-seeking intent, and your organization transmitted the data that created that signal.
High risk – Contact, appointment request, and provider search pages. The visitor’s navigation to these pages implies intent to engage with the healthcare organization as a patient or prospective patient. An embedded map on a Contact Us page is one of the most common and most overlooked compliance exposures on healthcare websites — made more serious by the fact that many web teams believe their HIPAA-compliant form provides cover for the entire page.
Highest risk – Pages with interactive tools: appointment scheduling, symptom checkers, provider finders, intake forms. The HHS bulletin explicitly addresses this category: “Tracking technologies on a regulated entity’s unauthenticated webpage that permits individuals to schedule appointments or use a symptom-checker tool without entering credentials may have access to PHI in certain circumstances.” Any Google embed on these pages is transmitting in a context where PHI is clearly being created, regardless of what the court ruling says about unknowable intent.
Unambiguous PHI regardless of page – The court ruling explicitly did not disturb the category of authenticated (behind a login) pages, such as patient portals. The HHS bulletin states that tracking technologies on user-authenticated webpages “generally have access to PHI” including IP addresses, medical record numbers, appointment dates, diagnosis and treatment information, and billing information. A BAA is required. Full stop.
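To make the two points above concrete (that an embed request fires on page load and carries the full page URL regardless of the form beside it, and that the URL path is what shapes the risk tier), here is an added example of a small scanner a web team could run over its own pages. It is not code from the original post or from Sounder; it finds Google Maps and YouTube embeds in a page's HTML, reports what each embed request will send, and rates the page by its URL path using the tiers described above. The domain janesclinic.example, the sample HTML, the path keywords, and the form vendor host are constructed assumptions.

```python
"""Added example, not code from the original post or from Sounder: scan a page's
HTML for Google Maps / YouTube embeds and rate exposure by the embedding page's
URL path, following the page-type tiers the post describes. The domain
janesclinic.example, the sample HTML and the keyword lists are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the browser contacts when a Google embed loads. That request carries the
# visitor's IP address, the full embedding page URL (as the Referer header), the
# browser/device headers, and any Google cookies the browser already holds.
GOOGLE_EMBED_HOSTS = (
    "google.com", "youtube.com", "youtube-nocookie.com",
    "googleapis.com", "gstatic.com",
)

# Path keywords per tier, checked from most to least severe (assumed keywords).
TIERS = (
    ("authenticated (PHI)", ("portal", "login", "account")),
    ("highest", ("schedule", "appointment", "symptom", "intake", "find-a-")),
    ("high", ("contact", "request", "provider")),
    ("elevated", ("oncology", "mental-health", "addiction", "treatment", "cancer")),
)


class EmbedFinder(HTMLParser):
    """Collect src attributes of iframes, scripts and images served by Google."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script", "img"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        host = (urlparse(src).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in GOOGLE_EMBED_HOSTS):
            self.embeds.append((tag, src))


def classify_path(path):
    """Map a URL path to a risk tier; anything unmatched is 'lowest'."""
    p = path.lower()
    for tier, keywords in TIERS:
        if any(k in p for k in keywords):
            return tier
    return "lowest"


def scan_page(page_url, html):
    """Return what each embed on the page will send to Google, plus the tier."""
    finder = EmbedFinder()
    finder.feed(html)
    findings = []
    for tag, src in finder.embeds:
        findings.append({
            "element": tag,
            "embed_host": urlparse(src).hostname,
            # The Referer header exposes the full page URL, clinical path and all.
            "referer_sent": page_url,
            "fires_on": "page load (before any user interaction)",
        })
    return {
        "page": page_url,
        "tier": classify_path(urlparse(page_url).path),
        "embeds": findings,
        # The form is a separate data flow; its compliance does not cover the map.
        "has_form": "<form" in html.lower(),
    }


# Constructed sample pages for a hypothetical clinic site.
SAMPLE_PAGES = {
    "https://janesclinic.example/contact-us": """
        <h1>Contact Us</h1>
        <form action="https://forms.compliant-vendor.example/submit" method="post">
          <input name="name"><input name="phone"><button>Send</button>
        </form>
        <iframe src="https://www.google.com/maps/embed?pb=PLACEHOLDER"></iframe>
    """,
    "https://janesclinic.example/about": "<h1>About</h1><p>Founded in 1998.</p>",
    "https://janesclinic.example/oncology/patient-stories": """
        <iframe src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER"></iframe>
    """,
}


if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        r = scan_page(url, html)
        print(f"{r['page']}: tier={r['tier']} embeds={len(r['embeds'])} form={r['has_form']}")
        for f in r["embeds"]:
            print(f"  <{f['element']}> -> {f['embed_host']} (Referer: {f['referer_sent']})")
```

Run it against saved copies of your own templates or a crawl of the site; the Contact Us sample comes back rated high with one embed and a form on the same page, which is exactly the combination the post warns about. The keyword lists are deliberately simple; a real inventory should be reviewed by the people who know which paths sit behind authentication.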
The Takeaway
The content of your page doesn’t travel to Google. But the URL does — and under HIPAA, your organization is responsible for that transmission regardless of what Google does with it on the other end. The more clearly that URL implies healthcare-seeking behavior, the more clearly the exposure compounds. But even on the most innocuous-looking page, the transmission itself is the event that matters.
And the most common case is hiding in plain sight: a Contact Us page with an embedded map next to a HIPAA-compliant form. The form is the part everyone worries about. The map is the part that fires before anyone touches anything.
The Compliant Alternative
Sounder Maps replaces Google Maps with a fully self-hosted vector tile map — no data leaves your environment, no IP address, URL, or fingerprint data reaches Google, no cookies are set, on any page of your site. Sounder Video does the same for embedded YouTube players. And if you’re rethinking your Contact Us page holistically, Sounder Form Consulting can help you evaluate whether your current form setup is creating exposure alongside your map.
The goal isn’t to remove maps and videos from your healthcare website. It’s to keep them — without the data leaving.
You can read more on this topic at:
Or you can contact us about Sounder Maps, Video, and Form Consulting.