Hotjar

HIPAA Compliance Risk: High

Category: Trackers

Use Case: Session recording, heatmaps, on-page behavior analytics, and user feedback collection


Why it matters:


Hotjar is a behavior analytics tool that records user sessions, tracks cursor movements, generates heatmaps, and collects feedback via polls and surveys. These features help website owners understand how users interact with their pages but also introduce serious privacy risks, particularly in healthcare settings.


On HIPAA-covered websites, session recordings or behavioral data can inadvertently capture Protected Health Information (PHI) such as text typed into forms, navigation patterns, or content viewed about specific conditions. Even when a recording contains no name or medical record number, HHS treats such data as PHI when it can be linked to an individual (for example through an IP address, a device identifier, or a logged-in session) and it indicates that the person is seeking or receiving care.


Hotjar does not offer a Business Associate Agreement (BAA) and explicitly states that its platform is not intended for use on HIPAA-regulated websites.


What HHS says:


According to HHS guidance, third-party tracking technologies that gather behavioral or contextual data tied to an individual’s interaction with health-related content may be collecting PHI even on public pages.


Although a June 2024 federal court ruling vacated the portion of that guidance which treated a visitor’s IP address, combined with a visit to a public page about a specific condition, as PHI on its own, HIPAA still applies when other signals (form input, a logged-in session, or recorded behavior that ties a person to a search for or receipt of care) link an individual to healthcare activity.


Because Hotjar captures highly granular session data, often including clicks, scrolling, and form input, it significantly increases the risk of PHI exposure when used in a HIPAA-covered environment.


Recommendation:


We recommend removing Hotjar entirely from any website that discusses health conditions or treatment options or offers appointment scheduling, even on unauthenticated pages. Hotjar does not sign Business Associate Agreements and is not configured to meet HIPAA requirements.


If behavior analytics are important to your organization, look for privacy-first alternatives that explicitly support HIPAA compliance and offer full BAA coverage. Additionally, assess whether the level of behavioral tracking is appropriate given the sensitivity of your website content.
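The following is an added example, not Hotjar’s code and not part of the original page: a small Node.js script that scans a page’s raw HTML and its Cookie header for Hotjar and reports which fields Hotjar would be permitted to record. It relies on Hotjar’s published install snippet (the `_hjSettings` object with `hjid`, the loader at `static.hotjar.com/c/hotjar-<id>.js`, and cookies prefixed `_hj`) and its documented `data-hj-allow` and `data-hj-suppress` attributes. The sample page and cookie string are constructed for the example, and the site ID 1234567 is made up.

```javascript
// Added example (not Hotjar's code, not from the original page): a static audit
// of a page's HTML plus its Cookie header for signs of Hotjar and for the fields
// Hotjar would be permitted to capture. Runs offline in Node, no network needed.
//
// Markers checked (from Hotjar's public install snippet and documentation):
//   loader script     https://static.hotjar.com/c/hotjar-<siteId>.js
//   settings object   window._hjSettings = { hjid: <siteId>, hjsv: <version> }
//   cookies           names prefixed "_hj" (e.g. _hjSessionUser_<siteId>)
//   data-hj-allow     input elements whose keystrokes Hotjar may record
//   data-hj-suppress  elements whose text Hotjar masks in recordings

const HOTJAR_SCRIPT_RE = /static\.hotjar\.com\/c\/hotjar-(\d+)\.js/g;
const HJ_SETTINGS_RE = /_hjSettings\s*=\s*\{[^}]*hjid\s*:\s*(\d+)/g;
// Elements worth reporting: form controls plus common text containers.
const TAG_RE = /<(input|textarea|select|form|div|span|p|td|label)\b([^>]*)>/gi;
const NAME_RE = /(?:^|\s)(?:name|id)="([^"]*)"/i;

function auditHotjar(html, cookieHeader = '') {
  const siteIds = new Set();
  for (const m of html.matchAll(HOTJAR_SCRIPT_RE)) siteIds.add(m[1]);
  for (const m of html.matchAll(HJ_SETTINGS_RE)) siteIds.add(m[1]);

  const allowedInputs = []; // fields Hotjar is explicitly allowed to record
  const suppressed = [];    // elements explicitly masked
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = m[2];
    const label = (attrs.match(NAME_RE) || [])[1] || m[1];
    if (/\bdata-hj-allow\b/i.test(attrs)) allowedInputs.push(label);
    if (/\bdata-hj-suppress\b/i.test(attrs)) suppressed.push(label);
  }

  const cookies = cookieHeader
    .split(';')
    .map((c) => c.trim().split('=')[0])
    .filter((name) => name.startsWith('_hj'));

  const present = siteIds.size > 0 || cookies.length > 0;
  let verdict = 'no Hotjar detected';
  if (present && allowedInputs.length > 0) {
    verdict = 'FAIL: Hotjar loaded and permitted to record input fields';
  } else if (present) {
    verdict = 'FAIL: Hotjar loaded (recordings and heatmaps active)';
  }
  return { present, siteIds: [...siteIds], allowedInputs, suppressed, cookies, verdict };
}

// Constructed sample: a condition page with the standard Hotjar snippet and an
// appointment form where the symptoms field has been opted in to keystroke capture.
const SAMPLE_HTML = `<html><head>
<script>
  (function(h,o,t,j,a,r){h.hj=h.hj||function(){(h.hj.q=h.hj.q||[]).push(arguments)};
  h._hjSettings={hjid:1234567,hjsv:6};
  a=o.getElementsByTagName('head')[0];r=o.createElement('script');r.async=1;
  r.src=t+h._hjSettings.hjid+j+h._hjSettings.hjsv;a.appendChild(r);
  })(window,document,'https://static.hotjar.com/c/hotjar-','.js?sv=');
</script>
</head><body>
<h1>Diabetes treatment options</h1>
<form action="/book" method="post">
  <input type="text" name="email">
  <textarea name="symptoms" data-hj-allow></textarea>
  <div id="insurance-id" data-hj-suppress>Member 98765</div>
</form>
</body></html>`;

// Constructed Cookie header as a browser would send it after Hotjar has run.
const SAMPLE_COOKIES =
  '_hjSessionUser_1234567=eyJpZCI6ImFiYyJ9; _hjSession_1234567=eyJpZCI6ImRlZiJ9; session=abc';

console.log(JSON.stringify(auditHotjar(SAMPLE_HTML, SAMPLE_COOKIES), null, 2));
```

Because the standard snippet assembles the loader URL at runtime, the `<script src>` form only appears in a rendered DOM, which is why the audit also matches `_hjSettings`; run it against the HTML a browser actually receives (or the DOM after load) for each health-related page, and treat any `data-hj-allow` on a field that can hold symptoms, insurance, or appointment details as an immediate finding. A clean result does not prove absence, since a tag manager can inject Hotjar after page load; confirm with network monitoring for requests to Hotjar domains.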

Still using Hotjar on a healthcare site? Let’s review what it’s capturing and help you stay compliant.
