HIPAA compliance shows up in healthcare marketing as a checkbox. The intake form has a disclaimer. The email platform was selected because it’s “HIPAA compliant.” The website has a privacy policy. The agency proposal mentions HIPAA in the discovery phase. Box checked.

What’s actually compliant — what would survive scrutiny in an audit or after an incident — is different from what’s checked. The gap matters because the consequences for getting it wrong are real, and because the workflows that create the risk usually live inside marketing.

“HIPAA-aware” is a way of describing marketing operations that take the rules seriously enough to design around them, not just disclose around them.

What HIPAA actually covers in a marketing context

The Health Insurance Portability and Accountability Act of 1996 — and its enforcing regulations, the Privacy Rule and the Security Rule — protect “protected health information” (PHI) created or received by covered entities and their business associates. The Office for Civil Rights (OCR) at HHS enforces it.[1]

In marketing, the PHI question usually comes up at three places: intake forms, web analytics, and advertising platforms. Each is a place where data that identifies a patient and connects them to a health interaction can flow into systems that aren’t built to hold it.

Intake forms are the most obvious. A contact form that asks for name, email, phone, and reason for visit is collecting PHI the moment someone fills it out from a clinic or practice context. The data has to flow through systems that have business associate agreements (BAAs) with you. If the form posts to a generic form vendor that doesn’t sign a BAA, you have a problem.

Web analytics is the place most agencies get wrong. Standard analytics tools collect information about page views, which can include the condition pages a user visited, the appointment forms they submitted, and the procedure information they consumed. Combined with identifiers in the data stream (IP addresses, user IDs, cookies), this can constitute PHI under the OCR’s current interpretation. The Office for Civil Rights issued specific guidance on the use of online tracking technologies by HIPAA-regulated entities — originally in December 2022, and updated in March 2024 — and that guidance has shaped enforcement priorities.[2]

Advertising platforms are the third surface. Conversion pixels, retargeting tags, and audience-building features can pass identifiers and behavioral data to platforms that don’t sign BAAs with healthcare entities. Several enforcement actions in recent years have focused on this — most notably actions involving major hospital systems and the transmission of identified browsing data to advertising platforms.

What “HIPAA-aware” looks like in practice

HIPAA-aware marketing isn’t about avoiding modern marketing tools. It’s about routing data through them deliberately.

Forms get evaluated for what they collect and where it goes. Anything that touches PHI flows through systems with BAAs — a HIPAA-compliant form vendor, into a HIPAA-compliant CRM or practice management system. Non-PHI inquiries (general newsletter signups, content downloads with no health context) can live in standard marketing infrastructure.

Analytics gets configured to strip identifiers and avoid collecting protected combinations. This usually means server-side analytics implementations, IP anonymization, and exclusion of certain page paths from tracking entirely. It also means choosing analytics platforms that the OCR’s tracking guidance treats as defensible.

Advertising platforms get used with caution. Conversion tracking gets configured to send only the data needed for optimization — without identifiers that would let a platform reconstruct who a patient is. Retargeting based on protected pages (specific conditions, specific procedures) gets avoided. The platforms that have healthcare-specific advertising policies have specific rules; following them is part of the architecture, not an afterthought.
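The three routing rules above (forms, analytics, ad conversions) can be written down as code that runs server-side, before anything leaves the practice's own systems. The block below is an added example, not code from the original article or from any form, analytics or advertising vendor: the protected path prefixes, identifier field names, health-context field names and sample events are all constructed for illustration and would in practice come from the data-flow map built during onboarding.

```javascript
// Added example (not from the original article): a server-side gate that
// decides what may leave the practice's own infrastructure. Every list below
// is a constructed assumption standing in for the practice's real data-flow map.

// Condition, procedure and appointment pages: visits are never forwarded.
const PROTECTED_PATH_PREFIXES = ["/conditions/", "/procedures/", "/appointment/"];
// Per-user identifiers that must not reach a platform without a BAA.
const IDENTIFIER_FIELDS = ["userId", "email", "phone", "clientId", "cookie", "fbp", "gclid"];
// Only campaign attribution survives in the query string; ?condition=... does not.
const ALLOWED_QUERY_PARAMS = new Set(["utm_source", "utm_medium", "utm_campaign"]);
// Form fields whose presence turns a submission into PHI.
const HEALTH_CONTEXT_FIELDS = ["reasonForVisit", "condition", "symptoms", "insuranceId"];

function isProtectedPath(path) {
  return PROTECTED_PATH_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// Keep only allow-listed query parameters on a URL path.
function stripQueryString(url) {
  const [path, query = ""] = url.split("?");
  const kept = new URLSearchParams();
  for (const [key, value] of new URLSearchParams(query)) {
    if (ALLOWED_QUERY_PARAMS.has(key)) kept.append(key, value);
  }
  const qs = kept.toString();
  return qs ? `${path}?${qs}` : path;
}

// Truncate IPv4 to a /24 and IPv6 to a /48 so the value no longer points at
// one household or device; returns null for anything that is not an address.
function anonymizeIp(ip) {
  if (ip.includes(":")) return ip.split(":").slice(0, 3).join(":") + "::";
  const parts = ip.split(".");
  return parts.length === 4 ? parts.slice(0, 3).join(".") + ".0" : null;
}

// Server-side analytics: drop protected page views entirely, remove per-user
// identifiers, anonymize the IP and keep only attribution query parameters.
function sanitizeForAnalytics(event) {
  if (isProtectedPath(event.path)) return null;
  const out = {};
  for (const [key, value] of Object.entries(event)) {
    if (!IDENTIFIER_FIELDS.includes(key)) out[key] = value;
  }
  out.path = stripQueryString(event.path);
  if (event.ip) out.ip = anonymizeIp(event.ip);
  return out;
}

// Ad-platform conversions: only what optimization needs (event name, value,
// currency, campaign); never an identifier, never a conversion on a protected page.
function sanitizeForAdPlatform(event) {
  if (event.type !== "conversion" || isProtectedPath(event.path)) return null;
  return {
    event: event.name,
    value: event.value ?? 0,
    currency: event.currency ?? "USD",
    campaign: event.campaign ?? null,
  };
}

// Intake routing: any health-context field makes the submission PHI, so it goes
// only to the BAA-covered CRM; a plain signup may use the standard marketing stack.
function routeFormSubmission(fields) {
  const phi = HEALTH_CONTEXT_FIELDS.some((f) => f in fields && fields[f] !== "");
  return { sink: phi ? "baa_crm" : "marketing_platform", phi, fields };
}

// Constructed sample events for a stand-alone run.
const SAMPLE_PAGEVIEW = {
  type: "pageview",
  path: "/blog/flu-season-tips?utm_source=newsletter&ref=abc",
  ip: "203.0.113.42",
  userId: "u-1881",
  cookie: "_ga=GA1.2.1234",
};
const SAMPLE_PROTECTED_VIEW = { type: "pageview", path: "/conditions/diabetes", ip: "203.0.113.42", userId: "u-1881" };
const SAMPLE_CONVERSION = {
  type: "conversion",
  name: "appointment_request",
  path: "/thank-you",
  value: 0,
  currency: "USD",
  campaign: "spring-checkups",
  email: "pat@example.com",
  gclid: "abc123",
};

console.log(JSON.stringify(sanitizeForAnalytics(SAMPLE_PAGEVIEW)));
console.log(JSON.stringify(sanitizeForAnalytics(SAMPLE_PROTECTED_VIEW)));
console.log(JSON.stringify(sanitizeForAdPlatform(SAMPLE_CONVERSION)));
console.log(JSON.stringify(routeFormSubmission({ email: "pat@example.com", reasonForVisit: "knee pain" })));
```

The point of the design is that each sink gets its own function with an explicit allow-list: the analytics path removes identifiers and protected pages but keeps enough to measure funnels, the ad-platform path keeps only the handful of fields optimization needs, and the form router decides the destination before any vendor is called. Adding a new page type or a new identifier field is then a one-line change to a list rather than a hunt through tag-manager configuration.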

Email gets segmented. Marketing emails to patients (general practice updates, educational content) can run through standard email platforms with appropriate care. PHI-containing emails (appointment-specific, treatment-specific) get sent through encrypted, BAA-covered email platforms — or aren’t sent at all and become patient-portal messages instead.

The architecture decision

The reason “HIPAA-aware” matters as a phrase is that compliance is mostly an architecture decision, not a checkbox.

An agency that says “we’re HIPAA compliant” typically means they have a BAA they can sign and a list of tools they’ll use. An agency that designs HIPAA-aware programs maps the data flows during onboarding, identifies where PHI will enter the marketing stack, and routes it through systems that can hold it — while keeping the rest of the marketing infrastructure as flexible as possible.

The difference shows up in moments that don’t seem like compliance moments. When a campaign launches that needs to track conversions for paid optimization, a HIPAA-aware approach asks where the data goes before the campaign goes live. When a new analytics platform gets evaluated, a HIPAA-aware approach asks what gets collected by default and what would need to be turned off. When an integration gets built between the marketing platform and the practice management system, a HIPAA-aware approach asks what flows in each direction and which BAAs are required.

None of this is exotic. It’s the work that has to happen for a healthcare marketing program to be defensible in a way that doesn’t show up as a problem only after something goes wrong.

What it’s not

HIPAA-aware marketing isn’t a moat against analytics or measurement. The practices that take compliance seriously have just as much insight into their funnels as the ones that don’t — they just have it through different tools and configurations.

It also isn’t a guarantee. HIPAA enforcement evolves, the OCR’s interpretations shift, and the line between defensible and risky moves as platforms change. The point isn’t to be unimpeachable; it’s to be defensible by design rather than by accident.

For practices choosing an agency, the question to ask isn’t “are you HIPAA compliant?” The answer is always yes. The question is: “Walk me through how data flows from a patient filling out a form on the website to my CRM, my practice management system, and any advertising platforms you’ll set up. Where does PHI live? Where doesn’t it?”

If the agency can answer that question in detail, they take HIPAA seriously. If they can’t, they have a checkbox.