How to Set Up Conversion Tracking for Addiction Treatment Google Ads

WRITTEN BY

Mitch has 6+ years at Webserv, navigating the difficulty and restrictions that come with Behavioral Health digital marketing across various advertising platforms. Nothing impresses him more than a pretty, functional tech stack that helps save time, provide insights, and drive results. When he’s not game planning for accounts or building workflows, he’s probably at the beach or in the mountains… or screaming into a void on X (opinions are his own).

The last GTM container we audited had three heatmapping tools running simultaneously, four conversion pixels including one from a campaign that ended ten months earlier, a CallRail script firing without HIPAA mode, and patient health information streaming into Google Analytics through URL paths.

None of it was producing reliable conversion data. All of it was HIPAA exposure.

That setup is more common than it should be in behavioral health. The reason is structural. Most paid media teams configure conversion tracking for treatment centers the same way they configure it for any other vertical. Pixel on the thank-you page, GA4 event, CallRail tag, done.

That standard setup is non-compliant in this industry by default. The URL paths reference protected health information. The IP address transmitted alongside is PHI.

Google does not sign Business Associate Agreements for GA4 or GTM, which means a standard configuration is moving regulated data through tools that have no legal basis to receive it.

The remedy is an architectural decision that has to be made before the first conversion fires. Settings changes alone will not get there.

Conversion tracking in behavioral health is an architectural decision, not a settings change. Standard GA4/GTM setups cannot be made HIPAA-compliant by checking boxes.

Mitch Marowitz, Director of Paid Admissions, Webserv

This guide walks through the four-step setup that produces reliable Google Ads conversion data without exposing the program to HIPAA risk.

  • The standard GA4/GTM/CallRail conversion tracking setup that most agencies build for treatment centers is HIPAA-non-compliant by default. Google does not sign Business Associate Agreements for GA4 or GTM, which means a “standard configuration” is moving regulated data through tools with no legal basis to receive it.
  • A compliant setup requires four components in order: a HIPAA-compliant analytics intermediary with BAA (Freshpaint, Piwik PRO, or Matomo), CallRail in HIPAA-enabled mode with its own BAA, form events that strip PHI before any pixel fires, and Google Ads conversion actions wired to the intermediary instead of directly to GA4.
  • Behavioral health decision cycles run 30 to 90 days or longer. The default Google Ads attribution windows are calibrated for ecommerce and miss conversions that happen 35-60 days after the click — leading programs to cut campaigns that are actually working.
  • The setup costs more upfront — typically $1,500 to $3,500 per month for the HIPAA-compliant intermediary — but takes legal exposure to zero and produces conversion data reliable enough to optimize campaigns against.

What you are actually tracking

Treatment center Google Ads campaigns convert through four primary pathways. Each one transmits different data, carries different HIPAA exposure, and requires a different piece of the tracking architecture to capture cleanly.

Phone calls are the highest-intent conversion. A patient or family member who calls is signaling immediate decision-readiness. Call tracking has to attribute the call back to the keyword and ad that produced it.

Form fills capture contact information from patients who are not ready to call yet. Most behavioral health forms collect name, phone, email, insurance, and a free-text field. Every one of those is PHI when combined with a behavioral health URL path.

Live chat conversations are increasingly common on treatment center sites. Chat platforms either need to be HIPAA-compliant by design or need to operate as a separate, non-tracked layer.

Direct contact comes through email, SMS, or appointment scheduling links. These conversions are the hardest to attribute back to paid media because they often happen days or weeks after the original ad click.

A serious conversion tracking setup has to capture all four pathways without transmitting PHI to non-BAA-covered platforms. Each pathway has a slightly different architectural answer.

Step 1: Build the HIPAA-compliant analytics layer

The first decision is which analytics platform sits in front of Google Ads, GA4, and Meta. The answer cannot be GA4 directly.

The industry-standard solutions are Freshpaint, Piwik PRO, and Matomo. All three sign BAAs. All three operate as a server-side intermediary between the website and the analytics destinations. All three strip PHI before forwarding the de-identified conversion signal to GA4, Google Ads, and Meta.

The implementation pattern is the same across vendors. The browser sends conversion events to the HIPAA-compliant platform.

The platform processes the event, removes the 18 HIPAA identifiers (IP address, URL paths that reference health conditions, form field content, device identifiers), and forwards a de-identified signal to the destinations that cannot legally receive PHI.

The cost is meaningful. Freshpaint pricing for treatment centers typically runs $1,500 to $3,500 per month depending on traffic volume. Piwik PRO and Matomo are similar. The same architecture applies on the Meta side — a single intermediary serves both ad networks.

The cost is not optional. Operating without a HIPAA-compliant intermediary is a legal exposure that costs more than the platform fee on first audit.

Step 2: Set up CallRail in HIPAA-enabled mode

CallRail is the standard call tracking platform for treatment center marketing. It can be configured for HIPAA compliance. It is not configured that way by default.

The setup steps are specific. Sign a BAA with CallRail before activating the account.

Enable the HIPAA-compliant feature set in the account settings, which restricts data retention and modifies how call recordings are stored. If the program is recording intake calls, the recordings must live on a HIPAA-enabled plan with BAA coverage.

Install CallRail’s Dynamic Number Insertion via Google Tag Manager. DNI swaps the displayed phone number on the website based on the traffic source, which is what enables call attribution back to specific keywords and ads.

Without DNI, every call attributes to the same number and the keyword-level data is lost.

Configure CallRail to forward call events to the HIPAA-compliant analytics platform set up in Step 1. From there, the platform forwards the de-identified call event to Google Ads and GA4 as a conversion. The PHI never leaves CallRail’s BAA-covered infrastructure.

The key check: a call conversion firing into Google Ads should never carry the patient’s phone number, transcription content, or any free-text data from the call. The conversion is a count and a source, not the call itself.

Step 3: Configure form conversion events without PHI

Form conversions are where most treatment center setups leak PHI into non-compliant platforms.

The standard implementation pattern fires a GA4 event on form submission with the form data attached. That data flows through GTM into GA4 and from GA4 into Google Ads. Every step of that chain is non-compliant in behavioral health because the form data is PHI.

The compliant pattern strips form data before any conversion fires. The form submits to the HIPAA-compliant intermediary platform, which records the conversion, generates a de-identified signal that contains only the timestamp, source, and a hashed identifier, and forwards that signal to Google Ads and GA4.

The form data itself goes to a HIPAA-compliant CRM or intake platform with a BAA. That handoff happens server-side, not through GTM.

Configure the form to submit through the HIPAA-compliant platform’s tracking endpoint. Disable any direct GA4 or Google Ads pixel firing from the form submission. Verify in the browser that no form field content appears in the network traffic going to Google Ads or GA4.

The verification step matters. A standard GTM audit will not catch this because it shows the configured tags as working. The PHI exposure is in what the tags transmit, not whether they fire.
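
One way to run that browser verification, and the Step 2 check that no phone number reaches Google Ads: submit the form with canary test values, export the session as a HAR file from the browser's network panel, and scan it. This is an added example, not code from Webserv or any vendor named here; the host list, the `findPhiLeaks` helper and the sample requests are assumptions constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Assumption: destinations with no BAA that must never see form content.
const AD_HOSTS = ["google-analytics.com", "googleadservices.com", "doubleclick.net"];

const decode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };
const digits = (s) => s.replace(/\D/g, "");

// Forms a canary value can take on the wire. Numbers are compared digits-only so
// "(555) 010-0199" still matches "5550100199"; SHA-256 digests are included
// because a hashed field is still derived from what the visitor typed.
function variants(value) {
  const norm = value.trim().toLowerCase();
  const sha = crypto.createHash("sha256").update(norm).digest();
  const first = /[a-z]/.test(norm) ? { kind: "plaintext", needle: norm }
                                   : { kind: "digits", needle: digits(norm) };
  return [first,
    { kind: "sha256", needle: sha.toString("hex") },
    { kind: "sha256", needle: sha.toString("base64url").toLowerCase() }];
}

// har: parsed HAR export; canaries: {field: test value}; pathTerms: URL slugs naming a condition.
function findPhiLeaks(har, canaries, pathTerms = []) {
  const findings = [];
  for (const { request } of har.log.entries) {
    const url = new URL(request.url);
    if (!AD_HOSTS.some((h) => url.hostname === h || url.hostname.endsWith("." + h))) continue;
    const raw = url.pathname + url.search + " " + (request.postData?.text ?? "");
    const hay = decode(decode(raw)).toLowerCase(); // two passes: page URLs arrive nested-encoded
    for (const [field, value] of Object.entries(canaries))
      for (const v of variants(value)) {
        const hit = v.needle && (v.kind === "digits" ? digits(hay) : hay).includes(v.needle);
        if (hit) findings.push({ host: url.hostname, field, kind: v.kind });
      }
    for (const term of pathTerms)
      if (hay.includes(term.toLowerCase())) findings.push({ host: url.hostname, field: "url", kind: "path:" + term });
  }
  return findings;
}

// Constructed sample (not real traffic): one GA4-style hit and one intermediary hit.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://www.google-analytics.com/g/collect?v=2&en=form_submit" +
      "&dl=https%3A%2F%2Fclinic.example%2Falcohol-detox%2Fthank-you&ep.phone=%28555%29%20010-0199" } },
  { request: { url: "https://collect.intermediary.example/event", postData: { text: '{"email":"canary.tester@clinic.example"}' } } },
] } };
const CANARIES = { email: "canary.tester@clinic.example", phone: "(555) 010-0199" };
console.log(findPhiLeaks(SAMPLE_HAR, CANARIES, ["alcohol-detox"]));
```

An empty result on a real capture is the passing state. The tags still show as firing in GTM either way, which is why the check reads the payloads rather than the tag status.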

Step 4: Connect to Google Ads

The final step is wiring the de-identified conversion signal from the HIPAA-compliant platform into Google Ads.

Set up Google Ads conversion actions for each pathway: phone calls, form fills, chat starts, and any other conversion goal the program is tracking. Use Google Ads Enhanced Conversions only if the platform’s PHI handling is compatible. Most HIPAA-compliant platforms support enhanced conversions through their server-side integration.

Configure the conversion source as the HIPAA-compliant platform, not GA4 directly. This routing is what protects the program from PHI exposure into Google’s systems while still giving Google Ads enough conversion data to optimize against.

Set conversion attribution windows deliberately. Behavioral health decision cycles are longer than ecommerce cycles. A 30-day post-click window misses conversions that happen 35 to 60 days after the original ad. A 90-day window often captures the actual decision pattern. Coordinate the windows with the downstream conversion path so the campaign optimization sees the full picture.

Verify conversion accuracy weekly for the first 60 days after launch. Compare Google Ads conversion counts against CRM admit counts. Discrepancies of more than 10% to 15% indicate a tracking gap that needs investigation.


What most operators get wrong

Three patterns surface across treatment center conversion tracking audits, and each one is preventable with the right setup decisions made before the first ad goes live.

Multiple uncoordinated tracking tools. Three or four heatmap platforms, two CallRail accounts, conversion pixels from agencies that no longer work with the program. Every tag adds load time. Every tag adds PHI exposure if it is not BAA-covered. The audit and cleanup is usually a multi-week project.

Standard GA4 implementations treated as compliant. GA4 is not HIPAA-compliant. Google does not sign a BAA for it. Configuration settings cannot make it compliant. The only compliant pattern routes data through a HIPAA-compliant intermediary first.

Conversion attribution windows that are too short. Behavioral health decision cycles are 30 to 90 days, sometimes longer. Google Ads default attribution windows often miss the actual conversion. The program ends up cutting campaigns that are working because the conversion data does not reflect them.

What the right setup looks like

A HIPAA-compliant Google Ads conversion tracking setup for a treatment center has four components in this order, alongside the LegitScript certification that gates ad serving in the first place.

The HIPAA-compliant analytics intermediary with BAA coverage. CallRail in HIPAA-enabled mode with BAA. Form events that strip PHI before transmission. Google Ads conversion actions wired to the intermediary, not directly to GA4 or GTM.

The setup costs more than a standard configuration. The compliance is real. The conversion data is reliable. The campaign optimization works the way it is supposed to.

Most treatment center marketing teams inherit a setup that does not meet this standard. The fix is a multi-week implementation project that pays for itself in two ways: the legal exposure goes away, and the conversion data becomes accurate enough to optimize against. If you are evaluating a paid media partner, ask them to walk through this exact architecture before signing.

If your current Google Ads conversion tracking does not route through a HIPAA-compliant platform with a signed BAA, the data going into your campaign decisions is built on a setup that was not designed for this vertical.

The remedy can be completed in a quarter, and the foundation it builds is what every other paid media optimization gets to stand on.

About Webserv

The perspective in this article comes from 9 years working exclusively inside behavioral health.

We are a team built by people in recovery who understand that behind every admission is someone asking for help. If that resonates, get to know us.

Mitch Marowitz is the Director of Paid Admissions at Webserv. Webserv works with behavioral health and addiction treatment centers on SEO, paid media, and full-funnel admissions strategy.
