HIPAA Website Risk Checklist

Is any tracking technology (e.g., Meta Pixel, Google Ads Tag, TikTok Pixel) active on pages describing treatments, symptoms, or appointment flows?
Are analytics tools configured to strip PHI from URL parameters, form events, and page titles before data is sent to their servers?
Do third-party scripts (chat widgets, accessibility overlays, marketing tools) have visibility into user interactions or form inputs?
Are any session-replay or heatmap tools (e.g., Hotjar, FullStory, Mouseflow, Microsoft Clarity) running on patient-facing pages?
Do you maintain a current inventory of every tracking script, cookie, and third-party tool loaded on the site?
Are Business Associate Agreements (BAA) in place with every vendor whose code runs on your site and could process user interactions?

Do your forms collect health-related or identifiable data (reason for visit, insurance details, medical history, symptom descriptions)?
Is all form data encrypted in transit (HTTPS/TLS) and at rest (storage, backups, email delivery)?
Do you have a documented flow for where submitted data goes — server, CRM, email inbox, third-party integrations?
Are uploaded files (patient photos, ID scans, insurance cards) stored on BAA-covered infrastructure, isolated from public access?
Is there a defined data retention policy — how long form submissions are kept and when they are purged?
Are URLs stripped of query parameters that could leak referral source, session identifiers, or patient-entered fields?

Is HTTPS enforced on every page, including redirects, subdomains, and legacy URLs?
Are CMS, plugins, themes, and dependencies monitored and updated on a regular cadence?
Is administrative access protected with strong authentication and multi-factor authentication (MFA/2FA)?
Are backups encrypted and stored with a vendor covered by a BAA?
Is access to the site's admin panel limited to individuals with a documented business need?

Is your Notice of Privacy Practices (NPP) accessible at every point where patient information is collected — not only on a hidden legal page?
Does your privacy policy accurately describe the tracking, analytics, and data handling actually in use on your site?
Are patients clearly informed about the tracking technologies on the site and how to exercise their rights?
Is explicit consent obtained for non-secure communication channels (unencrypted email, standard SMS)?
If your practice serves patients in Washington, California, Texas, or New York, do you have state-specific notices and consent flows (MHMDA Consumer Health Data Privacy Policy, CMIA/CCPA rights, HB 300, SHIELD Act)?

Do you have a documented process for handling website-related patient data, including a named owner and list of who has access to what?
Are staff aware of common website risks — tracking, forms, third-party widgets, email communication — and is this covered in onboarding?
Is there a documented incident response plan for suspected data exposure, including the HIPAA 60-day breach notification requirement?
Do you review the site's compliance posture on at least a quarterly basis, including a fresh inventory of all third-party tools?

Interpreting your results

If any item is marked "No" or "Unsure," your website may be exposing patient data through a common misconfiguration. Most compliance gaps on healthcare websites come from the same handful of patterns — tracking pixels, non-BAA forms, analytics capturing URL parameters, missing state-law notices. None of them require malicious intent to create liability.

Recent enforcement trends

In 2025, Aspen Dental agreed to an $18.5 million class action settlement related to tracking technologies on its website.
The HHS Office for Civil Rights (OCR) has issued direct guidance stating that tracking technologies capturing patient-related interactions without a BAA constitute a violation — regardless of intent.
Enforcement actions have repeatedly cited missing BAAs with common vendors: analytics providers, form services, chat widgets, and hosting platforms.
State-level laws — Washington MHMDA, California CMIA/CCPA, Texas HB 300, New York SHIELD — extend exposure beyond federal HIPAA. Several allow patients to sue the practice directly, without a regulator.

Many of these patterns come from tools set up without compliance in mind: analytics copied from a marketing agency's template, a chat widget added by a well-intentioned office manager, a plugin installed years ago and never reviewed.

Next step

A structured technical audit:

maps every tracker, cookie, form, and third-party tool on your site
identifies which pose actual compliance risk under HIPAA and your state's privacy law
delivers a prioritized remediation plan — the material issues first

Request Free Audit

Free report delivered as a PDF to your email within 3–5 business days. No commitment.

Tracking & Third-Party Exposure

Forms & Patient Data Handling

Security & Infrastructure Controls

Privacy & Regulatory Alignment

Internal Controls & Accountability

Interpreting your results

Recent enforcement trends

Next step