When to use the HIPAA checker
Use this tool to check whether your marketing setup could be exposing patient information (what HIPAA calls protected health information, or PHI). It's especially worth running before you add any new tracking, retargeting, or analytics tool — that's where most clinics get caught out.
US regulators tightened the rules in December 2022, going after clinics that retarget people who visited pages about mental health, addiction, or other sensitive conditions. Several clinics have been penalised since for tracking code that once seemed harmless.
What HIPAA actually covers in marketing
Patient data on intake forms — name, email, phone, date of birth, condition, insurance — all count as protected patient information when they're tied to a clinic. Forms must use a secure (HTTPS) connection, store data only with vendors who've signed a data-handling agreement, and ask for clear consent.
Tracking code on sensitive pages — simply visiting a depression treatment page counts as protected information under the rules. Meta Pixel, Google Analytics, and similar trackers that send page-visit data to other companies without a signed agreement break the rules on those pages.
Email marketing — your patient email lists are protected information. To send marketing emails you need people to opt in and an email provider that has signed a data-handling agreement. Mailchimp's protected plan is fine; the standard plan is not suitable for patient marketing.
CRM data — patient names, appointment details, and condition information sitting in your CRM are protected information. Salesforce Health Cloud is built to meet the rules; standard Salesforce needs a signed agreement plus careful setup.
Ad conversion tracking — the data you send to Google or Meta about which patients booked is protected information. Tracking done from your own server with scrambled identifiers is fine; ordinary cookie-based tracking on sensitive pages is not.
How the checker works
The tool runs through your current marketing setup and marks each item Pass, Flag, or Fail:
- Pass: set up correctly under the current rules
- Flag: unclear or borderline — check with whoever handles compliance
- Fail: a clear breach; fix it straight away
Each flagged item comes with the exact rule it relates to and the steps to fix it. You can hand the result straight to your compliance officer or lawyer.
Common HIPAA marketing failures
Retargeting people who viewed mental health, addiction, or other sensitive pages. A clear breach under the December 2022 rules. Most clinics doing it have no idea — the ad platforms turn it on by default.
Mailchimp on the standard plan. The standard plan has no data-handling agreement, so clinics using it for patient marketing are exposed. Either move to the protected plan or switch to a provider that offers one.
Google Analytics on patient portals. Patient portal pages hold protected information even if the analytics never sees the form data — the web address alone can give it away. Clinics usually need privacy-first analytics (such as Plausible or Fathom) or server-based tracking.
Lead forms without a protected backend. Form entries land in a CRM or email tool. If that tool hasn't signed a data-handling agreement, the clinic is in breach the moment someone fills in the form.
Marketing abroad without the right local rules. Clinics marketing overseas need to follow India's DPDP law and the EU's GDPR on top of HIPAA. The rules overlap but aren't the same — DPDP needs its own consent step for patients in India.
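The Pass/Flag/Fail verdicts described under "How the checker works", and the common failures listed above, written out as a small rule set. This is an added example, not the checker's own code; the Item fields, the sensitive-path keyword list and the two borderline Flag rules (a tracker on a sensitive page whose vendor has signed an agreement, and client-side conversion tracking on a non-sensitive page) are assumptions.

```python
from dataclasses import dataclass
SENSITIVE_HINTS = ("mental-health", "depression", "addiction", "patient-portal")  # constructed keyword list

@dataclass
class Item:
    name: str
    kind: str                     # tracker | form | email | crm | conversion
    page_path: str = "/"
    agreement: bool = False       # vendor has signed a data-handling agreement
    https: bool = True
    consent: bool = True
    server_side: bool = False     # conversion events sent from the clinic's own server
    hashed_ids: bool = False      # identifiers scrambled before they leave the clinic
    health_product: bool = False  # vendor product built for health data

def is_sensitive(path: str) -> bool:
    return any(hint in path.lower() for hint in SENSITIVE_HINTS)

def audit(item: Item) -> tuple[str, str]:
    """Return (verdict, reason); each branch follows a rule stated in the text above."""
    sensitive = is_sensitive(item.page_path)
    if item.kind == "tracker":
        if sensitive and not item.agreement:
            return "Fail", "third-party tracker receives visits to a sensitive page, no agreement"
        if sensitive:  # assumption: an agreement alone is borderline, the tag may still send the URL
            return "Flag", "agreement signed, but confirm the tag does not send the page address"
        return "Pass", "tracker on a non-sensitive page"
    if item.kind == "form":
        if not (item.https and item.consent and item.agreement):
            return "Fail", "intake form needs HTTPS, clear consent and a vendor agreement"
        return "Pass", "intake form meets all three requirements"
    if item.kind in ("email", "crm"):
        if not item.agreement:
            return "Fail", f"{item.kind} vendor has not signed a data-handling agreement"
        if item.kind == "crm" and not item.health_product:
            return "Flag", "agreement signed, but a general-purpose CRM still needs careful setup"
        return "Pass", "vendor agreement in place"
    if item.kind == "conversion":
        if item.server_side and item.hashed_ids:
            return "Pass", "server-side conversion events with scrambled identifiers"
        if sensitive:
            return "Fail", "cookie-based conversion tracking on a sensitive page"
        return "Flag", "client-side conversion tracking; review which identifiers it sends"  # assumption
    return "Flag", "unknown item type, review manually"

def run_audit(inventory: list[Item]) -> dict[str, list[str]]:
    report: dict[str, list[str]] = {"Fail": [], "Flag": [], "Pass": []}  # Fail items first
    for item in inventory:
        report[audit(item)[0]].append(item.name)
    return report
```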
What to do after the audit
- Fix the Fail items first — these are open breaches.
- Go over the Flag items with a compliance adviser — borderline cases that need a judgement call.
- Write down what you changed — keep a record showing exactly what was fixed.
- Re-check every quarter — the rules keep changing; what's fine this year may not be next year.
- Train your marketing team — most breaches happen because someone didn't know the rules.