Analytics
Tools like Google Analytics may collect visitor data considered PHI under HIPAA, requiring a signed BAA to be compliant.
Google Analytics
Tracks user behavior. Google will not sign a BAA for standard use, so this is a HIPAA risk.
Google Universal Analytics
Legacy tool that shares data with Google. Not HIPAA compliant.
Google Analytics Event Tracking
Tracks custom user actions. Can reveal sensitive behavior if misused.
Global Site Tag
Sends tracking data to Google Ads/Analytics. Not HIPAA compliant.
Trackers
Marketing trackers can capture user behavior tied to health interests, which may violate HIPAA without proper safeguards and agreements. This is typically high risk, since you can’t control what data is collected or shared—and patient consent is usually not obtained.
Facebook Pixel
Tracks visitors. May expose PHI. Flagged by HHS.
Facebook Conversion Tracking
Tracks behavior after ad clicks. May share PHI with Meta.
Facebook Signal
Provides content insights to Meta and can transmit site visit behavior.
Forms
Website forms collect sensitive information like names, symptoms, or contact details—making them high risk if PHI is submitted without a Business Associate Agreement or proper security.
Contact Form 7
Sends form data via email by default. Lacks HIPAA protections.