When to use the HIPAA checker
The HIPAA compliance checker is the right tool when you're auditing your healthcare marketing stack for protected health information (PHI) exposure risk. It's also the right tool before you launch any new tracking, retargeting, or analytics integration — these are the most common HIPAA failure points in 2025-2026.
The HHS Office for Civil Rights tightened enforcement on healthcare marketing technology in December 2022, specifically targeting practices that retarget users who have visited mental health, addiction, or sensitive condition pages. Multiple practices have faced enforcement actions in 2023-2024 for tracking pixels that previously seemed innocuous.
What HIPAA actually covers in marketing
Patient data on intake forms — name, email, phone, DOB, condition, insurance — is all PHI when associated with a healthcare practice. Forms must use HTTPS, store data on BAA-covered platforms, and have explicit consent flows.
Tracking pixels on protected pages — visiting a depression treatment page is itself protected information per HHS guidance. Meta Pixel, Google Analytics, and similar trackers that send page-visit data to third parties without BAA are HIPAA violations on those pages.
Email marketing — email lists of patients are PHI. Sending marketing emails requires opt-in consent + BAA-covered email service provider. Mailchimp's BAA tier is acceptable; standard Mailchimp is not for patient marketing.
CRM data — patient names + appointment data + condition information held in CRM is PHI. Salesforce Health Cloud has built-in HIPAA compliance; standard Salesforce requires BAA + careful field-level configuration.
Ad platform conversion tracking — first-party conversion data sent to Google Ads or Meta about which patients booked is PHI. Server-side conversion APIs with hashed identifiers are compliant; client-side cookie-based conversion tracking on protected pages is not.
How the checker works
The tool walks through your current marketing stack and flags items as Pass / Flag / Fail:
- Pass: configured correctly per current HHS guidance
- Flag: ambiguous or borderline — review with your compliance lead
- Fail: definite violation; remediate immediately
Each flagged item includes the specific rule reference + remediation steps. The output is suitable for sharing with your compliance officer or legal counsel.
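As an added illustration of the Pass / Flag / Fail classification described above (example code written for this page, not the checker's own implementation): a small rules engine that applies the rules stated in the sections above to an inventory of marketing-stack components. The component schema, the rule identifiers such as `tracker/protected-page`, and the sample stack are my own assumptions and constructed data, not anything the checker exposes.

```python
from dataclasses import dataclass
from collections import Counter

PASS, FLAG, FAIL = "Pass", "Flag", "Fail"

@dataclass
class Component:
    """One item in the marketing stack (schema is an assumption for this example)."""
    name: str
    kind: str                      # form | tracker | email | crm | conversion
    baa: bool = False              # vendor has a signed BAA covering this use
    https: bool = True             # form only: served over HTTPS
    consent_flow: bool = False     # form only: explicit patient consent step present
    protected_pages: bool = False  # deployed on condition / patient-portal pages
    server_side: bool = False      # conversion only: server-side API with hashed ids
    markets: tuple = ("US",)       # markets the component is used in
    intl_consent: bool = False     # DPDP (India) / GDPR (EU) consent layer present

@dataclass
class Finding:
    component: str
    status: str
    rule: str          # hypothetical rule identifier, not an HHS citation
    remediation: str

def check_component(c: Component) -> list:
    """Apply the page's rules to one component; an empty list means Pass."""
    f = []
    if c.kind == "form":
        if not c.https:
            f.append(Finding(c.name, FAIL, "form/transport", "Serve the form over HTTPS only."))
        if not c.baa:
            f.append(Finding(c.name, FAIL, "form/backend", "Route submissions to a BAA-covered backend."))
        if not c.consent_flow:
            f.append(Finding(c.name, FLAG, "form/consent", "Add an explicit consent step; confirm wording with compliance."))
    elif c.kind == "tracker":
        if c.protected_pages and not c.baa:
            f.append(Finding(c.name, FAIL, "tracker/protected-page", "Remove the tag from condition and portal pages or move to a BAA-covered analytics vendor."))
        elif not c.baa:
            f.append(Finding(c.name, FLAG, "tracker/scope", "Verify no condition or portal pages fall within this tag's scope."))
    elif c.kind in ("email", "crm"):
        if not c.baa:
            f.append(Finding(c.name, FAIL, f"{c.kind}/baa", "Upgrade to the vendor's BAA tier or migrate to a BAA-covered alternative."))
    elif c.kind == "conversion":
        if c.protected_pages and not c.server_side:
            f.append(Finding(c.name, FAIL, "conversion/client-side", "Replace cookie-based conversion tags with a server-side conversion API using hashed identifiers."))
        elif not c.server_side:
            f.append(Finding(c.name, FLAG, "conversion/scope", "Confirm the tag never fires on protected pages."))
    if any(m != "US" for m in c.markets) and not c.intl_consent:
        f.append(Finding(c.name, FAIL, "international/consent", "Add DPDP (India) / GDPR (EU) consent flows alongside the HIPAA controls."))
    return f

def audit(stack):
    """Return {component name: (worst status, findings)}; no findings means Pass."""
    rank = {PASS: 0, FLAG: 1, FAIL: 2}
    report = {}
    for c in stack:
        findings = check_component(c)
        status = max((x.status for x in findings), key=rank.get, default=PASS)
        report[c.name] = (status, findings)
    return report

def summary(report):
    """Count components per status, e.g. {'Pass': 2, 'Fail': 4, 'Flag': 1}."""
    return dict(Counter(status for status, _ in report.values()))

# Constructed sample stack for the example; not a real practice's configuration.
SAMPLE_STACK = [
    Component("Intake form", "form", baa=True, https=True, consent_flow=True),
    Component("Meta Pixel on depression-treatment page", "tracker", protected_pages=True),
    Component("Mailchimp (standard tier)", "email"),
    Component("Salesforce Health Cloud", "crm", baa=True),
    Component("Google Ads conversion tag on booking page", "conversion", protected_pages=True),
    Component("GA4 on blog pages only", "tracker"),
    Component("India landing-page form", "form", baa=True, consent_flow=True, markets=("US", "IN")),
]

if __name__ == "__main__":
    rep = audit(SAMPLE_STACK)
    for name, (status, findings) in rep.items():
        print(f"[{status}] {name}")
        for x in findings:
            print(f"    {x.rule}: {x.remediation}")
    print(summary(rep))
```

The worst finding decides a component's status, so a form that is BAA-covered but lacks a consent step lands on Flag rather than Pass, and a tracker on a protected page is Fail regardless of what else is configured correctly. The same one-component-one-status rollup is what makes the output easy to hand to a compliance lead: each line carries a status, a rule reference and a remediation.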
Common HIPAA marketing failures
Retargeting on mental health, addiction, or sensitive pages. Direct violation per HHS December 2022 guidance. Most practices doing it don't realise it; the platforms enable it by default.
Mailchimp without BAA tier. Standard Mailchimp doesn't have a BAA. Practices using it for patient marketing are exposed. Either upgrade to BAA tier or migrate to BAA-covered alternative.
Google Analytics on patient portals. Patient portal pages have PHI even if the analytics doesn't capture form data — the URL itself contains protected information. Practices typically need BAA-covered analytics (Plausible, Fathom) or server-side analytics.
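The retargeting and analytics failures above both come down to a third-party tag loading on a page whose URL is itself protected information. As an added example (not the checker's code), the scanner below parses page source, collects every external `script`, `img` and `iframe` source, and reports Fail when a known tracker host loads on a protected path, Flag when it loads elsewhere, and Pass otherwise. The tracker host table lists hosts I know serve the Meta Pixel and Google tag loaders; the protected-path hints, the BAA-vendor parameter and the sample HTML (with placeholder IDs) are my own assumptions and constructed input.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve common client-side tags (assumption: extend for your own stack).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (noscript image)",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
}

# URL path fragments treated as protected for this example: condition pages and portals.
PROTECTED_PATH_HINTS = ("depression", "anxiety", "addiction", "rehab", "portal", "appointment")

class TagCollector(HTMLParser):
    """Collect (tag, src) pairs for every element that loads an external resource."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.refs.append((tag, a["src"]))

def is_protected_path(path):
    p = path.lower()
    return any(hint in p for hint in PROTECTED_PATH_HINTS)

def find_trackers(html):
    """Return [(vendor, tag, src)] for every reference to a known tracker host."""
    col = TagCollector()
    col.feed(html)
    hits = []
    for tag, src in col.refs:
        host = urlparse(src).netloc.lower()   # handles https://, //host/ and relative paths
        if host in TRACKER_HOSTS:
            hits.append((TRACKER_HOSTS[host], tag, src))
    return hits

def scan_page(path, html, baa_vendors=()):
    """Classify one page as (status, offending hits) using the Pass / Flag / Fail scheme."""
    hits = find_trackers(html)
    no_baa = [h for h in hits if h[0] not in baa_vendors]
    if not no_baa:
        return ("Pass", [])
    if is_protected_path(path):
        return ("Fail", no_baa)   # third-party tag on a protected page
    return ("Flag", no_baa)       # tag present; confirm no protected pages share the template

def scan_site(pages, baa_vendors=()):
    return {path: scan_page(path, html, baa_vendors) for path, html in pages.items()}

# Constructed sample pages; tag IDs are placeholders, not real accounts.
SAMPLE_PAGES = {
    "/services/depression-treatment": """<html><head>
        <script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
        <script src="//connect.facebook.net/en_US/fbevents.js"></script>
        </head><body><h1>Depression treatment</h1>
        <noscript><img src="https://www.facebook.com/tr?id=PLACEHOLDER&amp;ev=PageView" /></noscript>
        </body></html>""",
    "/about-us": """<html><head>
        <script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
        </head><body><p>About the practice</p></body></html>""",
    "/contact": """<html><head><script src="/static/app.js"></script></head>
        <body><form action="/submit" method="post"></form></body></html>""",
}

if __name__ == "__main__":
    for path, (status, hits) in scan_site(SAMPLE_PAGES).items():
        print(f"[{status}] {path}")
        for vendor, tag, src in hits:
            print(f"    {vendor} via <{tag}> {src}")
```

Run it against saved page source rather than live pages so the scan itself sends nothing to the tag vendors. A vendor that has signed a BAA for the practice can be passed in `baa_vendors` so its tags are not counted; everything else on a protected path is a Fail, matching the page's treatment of condition and portal URLs as PHI in their own right.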
Lead capture forms not BAA-secured. Form submissions go to a CRM/email backend. If that backend isn't BAA-covered, the practice is non-compliant from the moment the form is filled.
International marketing without DPDP/GDPR layer. Practices marketing internationally need DPDP (India) and GDPR (EU) compliance in addition to HIPAA. The frameworks overlap but aren't identical — DPDP requires separate consent flows for patients in India.
What to do after the audit
- Address Fail items first — these are direct exposures.
- Review Flag items with compliance counsel — borderline cases that need legal judgement.
- Document your remediation — keep audit trail showing the specific changes.
- Re-audit quarterly — HHS guidance evolves; what's compliant in 2025 may not be in 2026.
- Train marketing staff — most violations come from team members not knowing the rules.