Beverly Hills Growth Free audit
Resources · HIPAA

HIPAA-Compliant Websites: The 2026 Guide.

Most healthcare websites are not HIPAA-compliant, and the owners do not know it. The usual culprits are invisible: a standard analytics tag, an ad pixel, a contact form that emails patient details to a regular inbox. This guide explains exactly what makes a website HIPAA-compliant, what protected health information actually is, and which tools quietly break the rules.

By Vladan Mijatovic Updated June 17, 2026 ~13 min read

The short version

A website is HIPAA-compliant when every tool that can see protected health information (PHI) is covered by a signed Business Associate Agreement (BAA) and the data is encrypted, access-controlled, and audit-logged per the HIPAA Security Rule. The hardest part is what most owners overlook: standard Google Analytics and the Meta Pixel are not HIPAA-compliant by default, because they send identifiers to third parties with no BAA. The fix is structural. Keep public marketing pages free of PHI collection, use server-side or BAA-covered analytics, run forms and storage through vendors that sign BAAs, and route anything clinical into a compliant portal. The checklist at the bottom covers every surface.

18
categories of identifiers that make data PHI under HIPAA Safe Harbor (HHS)
2022
year HHS first warned that web tracking tech can disclose PHI illegally
BAA
the signed agreement legally required before any vendor touches PHI

This guide is written by a medical SEO agency, not a law firm. It is an educational overview of how HIPAA applies to websites and digital marketing tools, grounded in published guidance from the U.S. Department of Health and Human Services. It is not legal advice, and it does not replace a review by your own privacy counsel or compliance officer. With that framing in place, here is what every healthcare practice should understand before its website goes anywhere near patient data.

What makes a website HIPAA-compliant?

HIPAA, the Health Insurance Portability and Accountability Act, governs how covered entities (healthcare providers, health plans, and clearinghouses) and their business associates handle protected health information. A website does not become HIPAA-compliant by adding a badge or a privacy policy. It becomes compliant when the actual data flows obey three principles.

First, every vendor that can see PHI must have signed a Business Associate Agreement (BAA), a legal contract that binds them to HIPAA's rules. Second, PHI must be protected by the technical safeguards in the HIPAA Security Rule: encryption, access controls, audit logging, and integrity controls. Third, PHI must never be silently disclosed to a third party that has not signed a BAA, which is where most violations actually happen, because tracking scripts disclose data automatically without anyone clicking anything.

The most important and most misunderstood point is this: a website does not have to host a patient portal to create HIPAA exposure. A single tracking pixel on a page about a specific condition can transmit a visitor's IP address paired with the fact that they viewed that condition's page, and under HHS guidance that combination can itself be PHI. Compliance is therefore less about the obvious clinical systems and more about the quiet plumbing: the forms, the analytics, the pixels, and the inboxes that receive what visitors send.

What is PHI (protected health information)?

Protected health information is any information that relates to a person's physical or mental health, the healthcare they received, or payment for that care, when it is linked to an identifier that can single the person out. The link is what matters. A page view on its own is not PHI; a page view tied to a name, email, IP address, or device ID, in a health context, is.

HIPAA's Safe Harbor de-identification method, published by HHS, lists 18 categories of identifiers that must be removed for data to no longer count as PHI. They include names, all geographic subdivisions smaller than a state, all dates directly tied to a person (birth date, admission date, discharge date), telephone numbers, email addresses, medical record numbers, account numbers, device identifiers and serial numbers, IP addresses, web URLs, biometric identifiers, and full-face photographs. If any of these 18 identifiers remains attached to health-related data, the data is still PHI and still protected.

Two of those identifiers cause almost all website trouble: IP address and device identifier. Analytics and advertising tools collect both automatically. When they collect them on a healthcare page, the practice has potentially disclosed PHI to whoever runs that tool, unless that vendor has signed a BAA. This is the single mechanism behind the lawsuits and HHS enforcement actions against hospitals running standard analytics and ad pixels on patient-facing pages.

Why Google Analytics and the Meta Pixel are not HIPAA-compliant by default

Google will not sign a Business Associate Agreement for Google Analytics, and Google's terms explicitly forbid sending protected health information to the product. Meta will not sign a BAA for the Meta Pixel either. That is the whole problem in one sentence: these tools are designed to ship identifiers to a third party, and that third party has refused to take on HIPAA obligations for that data.

The U.S. Department of Health and Human Services made this concrete. In December 2022, HHS Office for Civil Rights published a bulletin on the use of online tracking technologies by HIPAA-covered entities, and it followed with updated guidance in 2024. The position is consistent: when a tracking technology collects and transmits PHI to a tracking vendor without a BAA and without patient authorization, that is an impermissible disclosure under HIPAA. The bulletin specifically calls out tracking on authenticated pages, appointment-scheduling pages, and pages addressing specific health conditions.

The fallout was not theoretical. Health systems across the country faced class-action lawsuits and regulatory scrutiny after security researchers found the Meta Pixel and Google Analytics transmitting patient-related data from hospital websites and patient portals. The lesson for any practice is direct: a marketing tag that is perfectly normal on an e-commerce site can be a reportable HIPAA breach on a medical site. The presence of the tool is not the violation; the disclosure of identifiers in a health context, without a BAA, is.

What compliant tracking looks like instead

There are two compliant paths. The first is to use analytics that never send identifiers to a third party at all, which is the server-side approach covered below. The second is to use an analytics or tracking vendor that will sign a BAA and that supports stripping or hashing identifiers before storage. Either way, the standard, free, consumer-grade analytics tag does not belong on a healthcare page that handles PHI.

HIPAA-compliant contact forms and chatbots

A contact form is the most common way a marketing website accidentally collects PHI. The moment a form asks "what brings you in?" or offers a dropdown of conditions or procedures, the submission becomes health-related, and the moment it is tied to a name and email it becomes PHI. From there, every system the submission passes through is a business associate that needs a BAA.

Three things make a form compliant. The submission must travel over HTTPS so it is encrypted in transit. The processor and the destination (inbox, CRM, or database) must be run by vendors who will sign a BAA. And the submission must not be silently mirrored to non-BAA tools, which is exactly what happens when an analytics tag or ad pixel captures form-field values or fires a conversion event on submit.

For most practices, the cleanest design avoids the problem entirely. Keep the public marketing form intentionally minimal: name, contact method, and a free-text "best time to reach you," with no health-condition questions at all. Put a clear note that patients should not include medical details in the form, and route anything clinical to a dedicated HIPAA-compliant patient portal or intake system. This keeps the marketing site low-risk while the regulated, BAA-covered systems handle the actual PHI.

Chatbots follow the same logic but raise the stakes, because conversational interfaces invite people to overshare. A website chatbot that discusses symptoms, medications, or appointment reasons is handling PHI, and the AI vendor behind it is a business associate. A compliant chatbot runs on infrastructure covered by a BAA, encrypts the conversation, restricts and logs access to transcripts, and is configured to avoid storing or transmitting identifiers to any tool that is not itself compliant.

HIPAA-compliant hosting and the Security Rule technical safeguards

The HIPAA Security Rule, published by HHS, sets the technical safeguards that any system storing or transmitting electronic PHI must implement. Hosting becomes HIPAA-compliant when the provider both signs a BAA and supports these safeguards, and when the practice configures them correctly. The provider signing a BAA is necessary but not sufficient; misconfigured BAA-eligible hosting is still a violation waiting to happen.

The Security Rule's technical safeguards translate into hosting requirements as follows. Access control means unique user identification and a way to restrict who can reach PHI. Audit controls mean the system logs who accessed what and when. Integrity controls mean the system can detect when PHI has been altered or destroyed improperly. Authentication means verifying that a person or system seeking access is who they claim to be. And transmission security means encrypting PHI in transit, with encryption at rest as the strongly recommended companion.

In practice, the major cloud platforms (AWS, Google Cloud, Microsoft Azure) all offer BAAs and a defined list of HIPAA-eligible services. The responsibility for choosing eligible services, signing the BAA, and configuring encryption, access controls, and logging sits with the practice or its developer, not the cloud provider. A purely static marketing website that never collects or stores PHI does not strictly require HIPAA hosting, but the instant a form, intake system, or portal stores patient submissions, the storage layer must be on compliant, BAA-covered hosting.

HIPAA-compliant analytics: server-side and no PHI to third parties

Practices still need to understand their website traffic, and they can, without breaking HIPAA. The compliant pattern is server-side analytics that processes data inside infrastructure you control and that never ships identifiers to an outside vendor that has not signed a BAA.

In a server-side model, the page does not load a third-party tracking script that beams data straight to an external analytics company. Instead, the practice's own server records the events it needs, strips or hashes identifiers like IP addresses before anything is stored, and either keeps the aggregate data in-house or sends it only to a vendor under a BAA. The result is the metric a practice actually wants, such as which pages drive contact-form starts, without disclosing an identifiable visitor in a health context to a non-compliant third party.

Two practical guardrails make this robust. Never load standard consumer ad pixels or analytics tags on appointment pages, condition pages, or any authenticated patient area. And treat the IP address as PHI in a health context by default, which means stripping or truncating it at the earliest possible point rather than logging it and hoping no one correlates it later. Server-side analytics done this way gives a practice real visibility while keeping the third-party disclosure surface at zero.

The Beverly Hills Growth approach

We are a medical and healthcare SEO agency, and HIPAA exposure on the marketing layer is something we audit as part of working with medical clients. When we take on a practice, we review the full website and tracking stack for the exact failure points above: standard analytics or ad pixels firing on patient-facing pages, contact forms routing health details to non-BAA inboxes, and missing BAAs with vendors that handle submissions. We flag every exposure so the practice and its compliance officer can close it before it becomes a reportable breach.

Our own voice infrastructure shows the standard we hold. The HIPAA-ready Concierge Ultra voice tier, built for medspa, plastic surgery, cosmetic dermatology, and medical practices, runs on a voice platform (Retell) with which we maintain a signed Business Associate Agreement, and it applies HIPAA Safe Harbor PHI scrubbing so that protected identifiers are stripped from the data we handle. That is the same posture we look for across a practice's entire stack: a BAA wherever PHI flows, encryption and access controls on storage, and zero silent disclosure to third parties that have not signed on to HIPAA's rules.

If you want a practice's tech stack reviewed for HIPAA exposure alongside its search visibility, that is part of medical SEO for HIPAA-compliant practices. For aesthetic and cosmetic practices specifically, the same posture is covered under aesthetic and cosmetic practice SEO.

The HIPAA-compliant website checklist

Use this as a structured pass over your site. Anything you cannot confirm is an exposure to close. This is an operational checklist, not a legal compliance certification; final sign-off belongs to your privacy counsel.

  1. Encrypt everything in transit.

    The entire site, not just the form page, must be served over HTTPS with a valid TLS certificate. Mixed-content or non-HTTPS pages that collect any input are an immediate fail.

  2. Sign a BAA with every vendor that can see PHI.

    Form processor, hosting and database, email or CRM that receives inquiries, scheduling integration, chatbot or AI vendor, and any analytics that could capture identifiers in a health context. No BAA means that vendor must not touch PHI.

  3. Remove standard Google Analytics and ad pixels from patient-facing pages.

    Appointment pages, condition and procedure pages, and any authenticated patient area must not load consumer-grade analytics or the Meta Pixel. Replace with server-side or BAA-covered analytics.

  4. Strip or truncate IP addresses and device IDs at the source.

    Treat IP and device identifiers as PHI in a health context. Hash or truncate them before storage rather than logging the raw value and correlating it later.

  5. Keep the public contact form free of health details.

    Collect name and contact method only, add a note telling patients not to include medical information, and route anything clinical to a HIPAA-compliant portal or intake system.

  6. Host PHI storage on compliant, configured infrastructure.

    Any system that stores submissions or patient data must run on BAA-covered hosting with encryption at rest, access controls, unique authentication, and audit logging actually turned on, not just available.

  7. Control and log access to stored submissions.

    Restrict who can read patient inquiries, give each user a unique login, enable audit logs, and set automatic logoff. The Security Rule expects you to know who accessed what and when.

  8. Audit the marketing and tracking stack regularly.

    Tags get re-added, plugins update, and a new pixel can appear after a redesign. Re-check the full stack on a schedule so a compliant site does not quietly drift back into exposure.

What this guide does not do

This is an educational resource, not legal advice and not a compliance audit. HIPAA application depends on your specific systems, vendors, and data flows, and only your privacy counsel or compliance officer can certify that a particular setup is compliant. What this guide gives you is the map of where the risk actually lives on a healthcare website, so you can ask your vendors and your developer the right questions and close the gaps that cause real breaches. For the authoritative source on the rules themselves, see the official guidance at HHS.gov on the HIPAA Security Rule.

Frequently asked questions

What makes a contact form HIPAA-compliant?

A contact form is HIPAA-compliant when every system that touches the data it collects is covered by a signed Business Associate Agreement (BAA) and the data is encrypted in transit and at rest. In practice that means: the form submission travels over HTTPS (TLS encryption); the form processor and the inbox or database that receives it are run by vendors who will sign a BAA; the data is not silently forwarded to third-party tools like analytics, marketing pixels, or non-BAA email services; and access to the stored submissions is restricted and logged. A standard form that emails a submission to a regular Gmail or Outlook inbox, or that fires a Meta Pixel event on submit, is not compliant if the form asks about symptoms, conditions, insurance, or appointment reasons. The safest pattern for a marketing website is to keep the public form free of any health-condition questions and route patients to a separate HIPAA-compliant patient portal for anything clinical.

Is Google Analytics HIPAA-compliant?

No. Google does not sign a Business Associate Agreement for Google Analytics, and Google's own terms explicitly prohibit sending protected health information to the product. That makes standard Google Analytics (GA4) non-compliant for any page where PHI could be transmitted, which includes appointment-booking pages, condition-specific landing pages, and patient portals. The U.S. Department of Health and Human Services issued guidance in 2022 and 2024 confirming that tracking technologies which disclose PHI to third parties without a BAA can be a HIPAA violation, and a wave of enforcement actions and lawsuits followed against health systems running standard analytics and the Meta Pixel on patient-facing pages. Compliant alternatives use server-side analytics that strip identifiers before any data leaves your infrastructure, or analytics vendors that will sign a BAA.

What is HIPAA-compliant hosting?

HIPAA-compliant hosting is web and data hosting where the provider will sign a Business Associate Agreement and implements the technical safeguards required by the HIPAA Security Rule: encryption of data in transit and at rest, access controls and unique user authentication, audit logging of who accessed what and when, automatic logoff, and integrity controls that detect tampering. Major cloud providers such as AWS, Google Cloud, and Microsoft Azure offer BAAs and HIPAA-eligible services, but signing the BAA and configuring the services correctly is the practice's responsibility. A marketing website that never collects or stores PHI does not strictly require HIPAA hosting, but any system that stores patient submissions, intake forms, or appointment data does.

What is PHI (protected health information)?

Protected health information, or PHI, is any information that relates to a person's health condition, the care they received, or payment for that care, when it is tied to an identifier that can single them out. HIPAA's Safe Harbor method lists 18 identifier categories, including name, address, dates tied to the person (birth date, admission date), phone number, email, medical record number, IP address, device identifiers, and full-face photographs. The key point for websites is that the data does not have to include a diagnosis to be PHI. An IP address or device ID captured on a page about a specific condition or treatment can itself become PHI, because it links an identifiable person to a health context. This is why analytics and ad pixels on healthcare pages are risky.

Do I need a BAA for my medical website vendors?

Yes, for any vendor that creates, receives, maintains, or transmits PHI on your behalf. Under HIPAA, those vendors are business associates and a signed Business Associate Agreement is legally required before they touch PHI. For a typical medical website that includes the form processor, the hosting provider that stores submissions, the email or CRM that receives patient inquiries, any chatbot that discusses health topics, the appointment-scheduling integration, and any analytics tool that could capture identifiers on health-context pages. Vendors that genuinely never see PHI, for example a CDN serving only static images, do not require a BAA. The practical test is simple: if the tool could see a patient's identity in a health context, you need a BAA or you need to remove the tool from that surface.

Does my marketing need to be HIPAA-compliant?

Your marketing infrastructure needs to be HIPAA-aware even when individual campaigns are not handling clinical data. The riskiest marketing surfaces are the tracking and retargeting tools: ad pixels, conversion tracking, and analytics that fire on patient-facing pages and quietly send identifiers to third parties without a BAA. HIPAA also restricts using PHI for marketing communications without patient authorization, so a practice cannot, for example, build an ad audience from its patient list and target it through a platform that has not signed a BAA. Good practice for a medical website: keep public marketing pages free of PHI collection, use server-side or BAA-covered analytics, never load standard ad pixels on appointment or condition pages, and route all clinical interactions into a compliant portal. We audit a practice's full marketing and tracking stack for exactly these exposure points.

Related resources

Want your medical site audited for HIPAA exposure?

We review your full website and tracking stack for the exact failure points in this guide, alongside your search visibility, and hand you a written report. Free 48-hour audit, no sales call, no obligation. This audit flags exposure; final compliance sign-off is your counsel's call.

Get the free audit