Costco Pharmacy lawsuit has implications for small medical practices

Costco Pharmacy finds itself entangled in a class action lawsuit for allegedly sharing confidential medical information with third parties, namely Google, through the use of Google Analytics on their website. While Google Analytics is a widely adopted free tool for tracking website traffic and gathering valuable marketing information, it raises concerns in the context of HIPAA compliance, particularly for small businesses in healthcare sectors like dentistry, chiropractic care, and ophthalmology.

HIPAA Compliance and Google Analytics: A Hidden Risk

Many small healthcare businesses use Google Analytics, often without knowing that it runs in the background on their websites. If you own a small medical practice, especially if your website hasn’t been redesigned in the last six months, there’s a likelihood it may not be HIPAA compliant.

How to Check Your Website’s Compliance Status:

While Google Analytics is a common tool for tracking website traffic, it is not inherently HIPAA compliant. This poses a challenge for small healthcare businesses, as they must balance the benefits of analytics with the need for compliance.

To determine if Google Analytics is running on your website, use the free tool Simply input your URL, click “Lookup,” and the tool will reveal the components of your website. If Google Analytics is listed, it’s crucial to assess its compliance status.
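The same check can be run directly against a page's HTML source. The following is an added example, not part of the original post: it looks for the script URLs and the common ID formats used by Google Analytics and Google Tag Manager. The function name and both sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Script URLs that load Google Analytics or Google Tag Manager.
TRACKER_SRC = {
    "googletagmanager.com/gtag/js": "Google Analytics 4 (gtag.js)",
    "google-analytics.com/analytics.js": "Universal Analytics (analytics.js)",
    "google-analytics.com/ga.js": "Classic Analytics (ga.js)",
    "googletagmanager.com/gtm.js": "Google Tag Manager (gtm.js)",
}
# Common ID formats: G-XXXXXXXXXX (GA4), UA-12345-1 (Universal), GTM-XXXXXXX.
ID_RE = re.compile(r"\b(G-[A-Z0-9]{6,12}|UA-\d{4,10}-\d{1,4}|GTM-[A-Z0-9]{4,9})\b")

class ScriptCollector(HTMLParser):
    """Collects every <script src=...> URL and every inline script body."""
    def __init__(self):
        super().__init__()
        self.chunks, self.in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            src = dict(attrs).get("src")
            if src:
                self.chunks.append(src)
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)

def find_google_trackers(html):
    """Return the Google tracking products and IDs found in the page's scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    text = "\n".join(parser.chunks)
    products = sorted({name for needle, name in TRACKER_SRC.items() if needle in text})
    return {"products": products, "ids": sorted(set(ID_RE.findall(text)))}

# Constructed sample pages: one with a GA4 tag, one without any tracker.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-TEST123456"></script>
<script>window.dataLayer=window.dataLayer||[];gtag('config','G-TEST123456');</script>
</head><body><form action="/contact"></form></body></html>"""
CLEAN_HTML = "<html><head><script src='/js/site.js'></script></head></html>"

if __name__ == "__main__":
    print(find_google_trackers(SAMPLE_HTML))
    print(find_google_trackers(CLEAN_HTML))
```

A scan of the HTML source only sees tags that are written into the page itself. Tags injected at runtime by a tag manager or a plugin will only show up in the browser's network panel.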


If Google Analytics is detected and you own a medical practice, consult with your business attorney to understand the implications. Involve your website designer to address compliance issues, as they can guide changes to ensure your website adheres to HIPAA regulations. Running Google Analytics isn’t the only HIPAA compliance issue that you might find on your website. My client, a doctor in Chapel Hill, NC, was advised by her business attorney to not have a contact form on her website.

Balancing Compliance and Analytics Benefits:

While some business attorneys may advise removing Google Analytics, it’s worthwhile to discuss with your attorney the benefits of tracking website visitors in aggregate. This approach allows businesses to gauge the ROI of their online digital marketing efforts, including website redesign and maintenance costs.

Understanding ROI and Average Lifetime Value:

Determining the average lifetime value of a new customer is crucial. This metric reflects the total revenue expected from a customer during their engagement with your business. For instance, a chiropractic clinic attracting 50 new clients through improved online visibility may estimate an average lifetime value of $3,000 per patient.

Optimizing your Website ROI and Future Marketing Decisions:

With this data, the clinic determined that the website’s online visibility efforts resulted in an additional $150,000 in revenue over the year ($3,000 per client x 50 clients). This straightforward calculation provides a tangible measure of the website’s impact on the clinic’s bottom line.

Trends in client acquisition and lifetime value can inform future marketing decisions and optimize the ROI of your website. Therefore, having a website that doesn’t track website data in the aggregate is like throwing money into the wind.

Ensuring HIPAA Compliance:

Fortunately, configuring Google Analytics and your website for HIPAA compliance is possible. Additionally, there are HIPAA-compliant software options available. If you have any questions or concerns, feel free to contact me for guidance.
