Your IT Guy Is Violating HIPAA — And Doesn't Even Know It

Most small clinics have someone who “handles the website.” It might be the owner’s nephew, a $15/hour freelancer from Upwork, or a small agency that specializes in “beautiful websites for businesses.” They know how to set up WordPress, install a plugin, connect analytics.

They have no idea about HIPAA.

And that’s your problem — not theirs.

Why the liability falls on you, not them

HIPAA is structured so that compliance responsibility always falls on the medical practice — that’s you. Your technical contractor can make dozens of violations while genuinely believing everything is fine. The fine will come to you.

This is why it’s critical to understand what exactly “IT specialists” who are unfamiliar with medical compliance are doing to your website.

Facebook Pixel: the most common accidental landmine

Imagine: your webmaster wants to set up Facebook advertising to attract new patients. A logical desire. He installs Facebook Pixel on every page of your site — standard procedure for any regular business.

The problem: Pixel collects behavioral data on every page. If a patient visits “Periodontal Treatment,” “Post-Spinal Surgery Rehabilitation,” or “Schedule a Chiropractic Appointment” — Facebook receives this information linked to a user identifier.

This is transmission of PHI to a third party. Facebook is not your Business Associate. A BAA with Facebook doesn’t exist — the company refuses to sign them.

Your webmaster didn’t do anything technically wrong from a standard marketing perspective. He simply didn’t know that the rules are different for medical practices.

Real precedents: In 2022–2023, HHS issued specific guidance on tracking pixels in healthcare. Several large hospital networks have already paid multimillion-dollar settlements. For small clinics, the threshold for entering the “risk zone” is significantly lower.

Google Analytics, forms, chats — same story

Every tool your contractor connects to the site “for convenience” potentially becomes a PHI leak channel:

Google Analytics records the URL of every page a user visits. If your URL looks like /appointment-confirmation?patient=John+Smith&service=root-canal — Google Analytics has stored PHI. Google does not sign BAAs for standard GA4.

Live chats (Intercom, Drift, Tidio, and others) — a patient writes in the chat “my tooth hurts, when can I schedule?” Where does that data go? To the chat company’s servers. Do you have a BAA with them? Almost certainly not.

Embedded forms through Typeform, Google Forms, Wix Forms — if form data goes to a standard account without a BAA, that’s a violation.

A regular web developer installs these tools automatically, on autopilot, because they’re convenient and free. He doesn’t ask himself: “Did we sign a BAA with this service?” — because for all his other clients, that question doesn’t exist.
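The Google Analytics case above is the easiest one to fix in code: whatever the analytics vendor receives as the page URL should be scrubbed first. The snippet below is an added example, not code from this post or from any vendor; the parameter names, path prefixes and the `clinic.example` host are constructed for the example, and a real site would take them from its own forms and URL scheme.

```javascript
// Added example, not code from the original post: strip patient-identifying
// parameters and condition-specific path segments from a page URL before it
// is handed to an analytics or advertising script.
// The parameter names and path prefixes below are constructed for this
// example; a real site would derive them from its own forms and URL scheme.
const SENSITIVE_PARAMS = new Set([
  "patient", "name", "first_name", "last_name", "email", "phone", "dob",
  "service", "procedure", "diagnosis", "condition",
]);

// Path prefixes under which the rest of the path names a treatment or
// condition, e.g. /services/root-canal (constructed list).
const SENSITIVE_PATH_PREFIXES = ["/services/", "/conditions/", "/treatment/"];

// Returns the scrubbed URL plus the list of parameters that were dropped,
// so an audit log can record that PHI was present in the raw URL.
function sanitizeUrlForAnalytics(rawUrl) {
  const url = new URL(rawUrl);
  const removedParams = [];

  // Collect the keys first (deduplicated): deleting while iterating the
  // live URLSearchParams view skips entries.
  for (const key of new Set(url.searchParams.keys())) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.delete(key);
      removedParams.push(key);
    }
  }

  // Collapse a condition-specific path to its category, so the vendor
  // learns that "a services page" was viewed, not which procedure.
  for (const prefix of SENSITIVE_PATH_PREFIXES) {
    if (url.pathname.startsWith(prefix) && url.pathname.length > prefix.length) {
      url.pathname = prefix + "redacted";
      break;
    }
  }

  // Fragments can carry form state (#step=2&name=...) and are never
  // needed by analytics.
  url.hash = "";

  return { url: url.toString(), removedParams };
}

// Usage in a page: pass the scrubbed value instead of location.href, e.g.
//   gtag('config', 'G-PLACEHOLDER', {
//     page_location: sanitizeUrlForAnalytics(location.href).url,
//   });
// (G-PLACEHOLDER stands in for a real measurement id.)
```

The same treatment is needed for `document.title` and the referrer, which most analytics snippets send alongside the URL; a title like "Root Canal Appointment Confirmed" leaks as much as the query string does. Scrubbing on the client is a mitigation, not a substitute for a BAA: the vendor still receives the visitor's IP address and browser identifiers.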

Your contractor doesn’t have a BAA with you — and that’s also a violation

This is the point that most often surprises clinic owners.

If your web developer or IT contractor has access to your website, server, or database containing patient data, he is a Business Associate under HIPAA’s definition. And you must have a signed BAA with him.

Most freelancers and small agencies have never heard of a BAA. They won’t offer one. And you probably didn’t ask — because you didn’t know you had to.

Working with such a contractor without a BAA is a HIPAA violation, regardless of how well they do their work technically.

If you’re in Washington: you have double liability

Federal HIPAA is only half the problem. Washington State passed the My Health My Data Act (MHMDA) in 2023 — the first law in the country specifically aimed at protecting personal health data that falls outside HIPAA’s scope.

Here are the key differences that are critically important for small businesses:

1. Broader scope than HIPAA

MHMDA was enacted to close gaps in health data protection not covered by HIPAA. This means that data HIPAA doesn’t consider PHI (for example, fitness tracker information, symptom search history on your website, over-the-counter medication purchases) is still protected by law in Washington.

2. No business size threshold

Unlike other privacy laws, MHMDA contains no applicability thresholds based on revenue or consumer count. A small dental practice with three employees is subject to the same requirements as a large clinic chain.

3. Separate consent for collecting and for sharing

Collecting health data requires patient consent. Sharing that data with third parties requires separate, independent consent. This means even if a patient agreed to schedule an appointment with you, that doesn’t give you the right to send their data to an analytics service without separate permission.

4. Patient’s right to data deletion

MHMDA — unlike HIPAA — includes the patient’s right to request deletion of their data. Your infrastructure must technically support this. Most standard websites don’t.

5. Patients can sue you directly

This is the most important difference. MHMDA provides a broad private right of action, including presumptions in favor of the plaintiff, which will very likely trigger a wave of litigation. Under HIPAA, complaints go to HHS, and cases rarely reach court. Under MHMDA, any of your patients can hire an attorney and file a lawsuit directly.

Any violation of the law is an automatic violation of the Washington Consumer Protection Act, which can be enforced by both the Attorney General and through private lawsuits.

Signs your contractor is putting you at risk

Ask your current web specialist these questions:

  • Have you signed a Business Associate Agreement with us?
  • What third-party scripts are installed on our site, and do we have a BAA with each of them?
  • How is data from our forms transmitted and where is it stored?
  • How can we technically delete a specific patient’s data upon their request?

If the response is a pause, a subject change, or “don’t worry, everything’s fine” — you’re in the risk zone.
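The second question on that list ("what third-party scripts are installed?") can be answered from the page markup rather than taken on trust. The script below is an added example, not the audit tooling of this post's authors: it lists every non-first-party `script` and `iframe` source in a page and names the vendor where the hostname is known. The sample HTML, the ids in it and the `clinic.example` host are constructed; the hostname-to-vendor table is assembled from the vendors the post names and should be checked against each vendor's own documentation.

```javascript
// Added example, not tooling from the original post: list every third-party
// script and iframe a page loads, so each origin can be checked against the
// BAA list. Runs offline on an HTML string.
// The host-to-vendor table is constructed for this example from the vendors
// the post names; check each hostname against the vendor's own documentation.
const TRACKER_HOSTS = {
  "connect.facebook.net": "Meta (Facebook) Pixel",
  "www.googletagmanager.com": "Google Tag Manager / GA4",
  "www.google-analytics.com": "Google Analytics",
  "widget.intercom.io": "Intercom chat",
  "js.driftt.com": "Drift chat",
  "code.tidio.co": "Tidio chat",
  "embed.typeform.com": "Typeform",
  "docs.google.com": "Google Forms",
};

// Constructed sample page: a first-party script, three known vendors, one
// unknown widget, and an inline Pixel bootstrap with no src attribute.
// Ids are placeholders, not real tags.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('config', 'G-PLACEHOLDER');
  fbq('init', '000000000000000');   // Pixel init; loader omitted
</script>
<script src="//code.tidio.co/placeholder.js" async></script>
<script src="https://cdn.unknown-widget.example/w.js"></script>
</head><body>
<iframe src="https://docs.google.com/forms/d/e/PLACEHOLDER/viewform"></iframe>
</body></html>`;

// Returns one finding per third-party origin reference. Regex matching is
// adequate for static markup; tags injected at runtime by a tag manager need
// a browser-side check (e.g. performance.getEntriesByType('resource')).
function inventoryThirdPartyScripts(html, siteHost) {
  const findings = [];
  const tagRe = /<(script|iframe)\b[^>]*\ssrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const src = m[2];
    let host;
    try {
      // Resolves relative ("/x.js") and protocol-relative ("//host/x.js") sources.
      host = new URL(src, `https://${siteHost}/`).hostname;
    } catch (e) {
      continue; // unparsable src: nothing loads from it
    }
    if (host === siteHost) continue; // first party: no BAA question
    findings.push({
      tag,
      host,
      vendor: TRACKER_HOSTS[host] || "unknown third party",
      known: host in TRACKER_HOSTS,
    });
  }
  // The Pixel is usually bootstrapped inline, so an src-only scan misses it.
  if (/fbq\s*\(\s*['"]init['"]/.test(html)) {
    findings.push({
      tag: "inline",
      host: "connect.facebook.net",
      vendor: TRACKER_HOSTS["connect.facebook.net"] + " (inline init)",
      known: true,
    });
  }
  return findings;
}

// Third-party hosts for which the clinic holds no BAA, given the hosts it
// does have one for. Each host returned is a question for the contractor.
function originsWithoutBaa(findings, baaHosts) {
  const covered = new Set(baaHosts);
  return [...new Set(findings.map((f) => f.host))].filter((h) => !covered.has(h));
}

// Stand-alone run on the constructed page.
console.table(inventoryThirdPartyScripts(SAMPLE_HTML, "clinic.example"));
```

An "unknown third party" entry is not automatically harmless: it is an origin that receives at least the visitor's IP address and the page URL, and it belongs on the same BAA checklist as the named vendors. Running this against the HTML fetched from the live site, rather than the theme files, also catches scripts a previous contractor added through the CMS admin panel.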

What we do

We specialize in technical support specifically for small medical practices in Washington — dental, chiropractic, physical therapy. We know both HIPAA and MHMDA, and we sign a BAA with every client from day one.

Free audit includes:

  • Complete inventory of all third-party scripts and services on your website
  • BAA verification for each of them
  • Washington My Health My Data Act compliance analysis
  • Prioritized list of violations with specific remediation steps

Most problems we find didn’t arise from malice — they appeared because your previous contractor simply lacked the necessary expertise. This is fixable.

Schedule your free compliance audit →


This material is for informational purposes only and does not constitute legal advice. For assessment of specific legal risks, we recommend consulting an attorney specializing in HIPAA and Washington MHMDA.