Analytics
Tools like Google Analytics may collect visitor data considered PHI under HIPAA, so using them compliantly requires a signed Business Associate Agreement (BAA) with the vendor.
Google Analytics
Tracks user behavior. Google will not sign a BAA for standard use—HIPAA risk.
Google Universal Analytics
Legacy tool that shares data with Google. Not HIPAA compliant.
Global Site Tag
Sends tracking data to Google Ads/Analytics. Not HIPAA compliant.
Trackers
Marketing trackers can capture user behavior tied to health interests, which may violate HIPAA without proper safeguards and agreements. This is typically high risk, since you can’t control what data is collected or shared—and patient consent is usually not obtained.
Facebook Pixel
Tracks visitors. May expose PHI. Flagged by HHS.
Facebook Signal
Content insights. Can transmit visit behavior.
Facebook Conversion Tracking
Tracks behavior after ad clicks. May share PHI with Meta.
Forms
Website forms collect sensitive information like names, symptoms, or contact details, making them high risk if PHI is submitted without a BAA in place or without proper security on the form and its delivery path.
Contact Form 7
Sends form data via email by default. Lacks HIPAA protections.
Gravity Forms
WordPress form builder. No BAA. Not HIPAA compliant by default.
