Note: HHS guidance on tracking technologies has been evolving since 2022. A 2024 federal court ruling narrowed one aspect — it struck down the claim that combining an IP address with a public page visit automatically constitutes patient data. But requirements for authenticated pages, patient portals, symptom checkers, and appointment flows remain in full effect. When in doubt, apply the stricter interpretation.
Will they sign a BAA?

- [ ] Vendor signs a Business Associate Agreement (BAA)
  A BAA is a contract that makes the vendor legally responsible for protecting patient data. Without one, you can’t legally send them data that could identify a patient.
- [ ] The BAA covers analytics — not just CRM or data storage
  Some vendors sign BAAs but leave out reporting features. Check the covered services list, not the sales deck.
- [ ] BAA is available on the plan you’re buying
  Some vendors only offer BAAs on enterprise plans. Find out before you start a trial.
- [ ] Their terms of service allow patient data
  Google explicitly says healthcare organizations must not send patient data to GA, and won’t sign a BAA for it. Using GA on health pages breaks two rules at once: HIPAA, and the vendor’s own contract.
Are your high-risk pages covered?

- [ ] Patient portals and any logged-in pages use only BAA-covered tools
  Any page behind a login is patient data territory — no exceptions.
- [ ] Symptom checkers and self-assessments use only BAA-covered tools
  No login is needed to create a problem. A user’s IP address combined with a visit to a symptom page can count as patient data under HIPAA.
- [ ] Appointment booking flows use only BAA-covered tools
  Linking an ad click to an appointment type is enough to create patient data. Hospital systems have settled suits for $2M+ over exactly this.
- [ ] Page URLs have been reviewed for embedded patient IDs or appointment references
  These often end up in URLs and get picked up automatically by tracking scripts.
Can they keep the data secure?

- [ ] Access logs show who viewed patient data and when
- [ ] Data retention is configurable (HIPAA minimum: 6 years)
- [ ] Access controls limit which team members can see individual patient records
- [ ] Vendor doesn’t use your data to train models or improve their product
  Common in ad platforms. Check the data processing agreement, not just the privacy policy.
Will you stay compliant as things change?

- [ ] Every tool downstream of this vendor is also BAA-covered
  A compliant tool feeding patient data into a non-BAA ad platform is still a violation.
- [ ] Tracking setup is reviewed before and after every site release
  In 2025, Blue Shield of California disclosed that one misconfiguration had silently sent member data to Google Ads for nearly 3 years.
- [ ] Marketing and legal both signed off on the vendor
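To make the URL-review and release-check items above concrete, here is an added example in JavaScript (not Piano's code or any vendor's): it scrubs patient and appointment references out of the URL a tracker would record, and flags non-BAA script hosts on authenticated or high-risk pages. The parameter names, path patterns, host allowlist and sample pages are constructed assumptions for illustration.

```javascript
// Added example (not Piano's code). Parameter names, path patterns and the
// BAA-covered host allowlist are assumptions; adapt them to your own site.
const SENSITIVE_PARAMS = new Set(["patient_id", "mrn", "appt", "appointment_id", "reason"]);
const SENSITIVE_PATH = /\/(patients?|appointments?|visits?|records?)\/[^/]+/gi;
const ID_LIKE = /\b\d{6,}\b/g; // long digit runs in a path: likely MRNs or booking refs
const BAA_COVERED_HOSTS = new Set(["analytics.covered.example"]); // constructed allowlist

// Return the URL a tracker may record: sensitive query parameters dropped,
// identifying path segments and long IDs masked. utm_* parameters survive,
// so campaign attribution keeps working.
function scrubTrackingUrl(urlString) {
  const url = new URL(urlString);
  for (const name of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase())) url.searchParams.delete(name);
  }
  url.pathname = url.pathname
    .replace(SENSITIVE_PATH, (_m, seg) => `/${seg}/REDACTED`)
    .replace(ID_LIKE, "REDACTED");
  return url.toString();
}

// One page as a release review records it: served URL, whether it is behind a
// login or otherwise high-risk (symptom checker, booking flow), and the
// third-party script hosts it loads. A non-empty result should block the release.
function auditPage(page) {
  const findings = [];
  const uncovered = page.scriptHosts.filter((h) => !BAA_COVERED_HOSTS.has(h));
  if ((page.authenticated || page.highRisk) && uncovered.length > 0) {
    findings.push(`non-BAA trackers on a restricted page: ${uncovered.join(", ")}`);
  }
  if (scrubTrackingUrl(page.url) !== new URL(page.url).toString()) {
    findings.push("URL carries a patient or appointment reference; scrub it before any tracker fires");
  }
  return findings;
}

// Constructed sample pages.
const SAMPLE_PAGES = [
  { url: "https://clinic.example/patients/84721/labs?utm_source=spring&mrn=000123",
    authenticated: true, scriptHosts: ["analytics.covered.example", "pixel.uncovered.example"] },
  { url: "https://clinic.example/book?appt=cardiology-2026-03-04&utm_source=spring",
    authenticated: false, highRisk: true, scriptHosts: ["analytics.covered.example"] },
  { url: "https://clinic.example/about", authenticated: false, scriptHosts: ["pixel.uncovered.example"] },
];

for (const page of SAMPLE_PAGES) console.log(page.url, auditPage(page));
```

The public "about" page passes even with an uncovered tracker, while the portal page is flagged twice: once for the tracker host and once for the MRN in its URL.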
| Vendor | BAA? | Notes |
|---|---|---|
| Google Analytics (GA4) | No | Google’s own support page states healthcare organizations must not send patient data to GA, and that Google won’t sign a BAA for it. You can use it on purely public pages, but once a user hits a symptom page or starts booking an appointment, you’re at risk. Most healthcare sites can’t reliably draw that line. |
| Meta Pixel | No | Meta won’t sign BAAs. The pixel collects IP addresses and browsing behavior that counts as patient data in healthcare. GoodRx and BetterHelp faced FTC enforcement for sharing health data via Meta. Multiple hospital systems have settled class-action suits for $2M+. Don’t use it on health-related pages. |
| Hotjar | No | Hotjar’s own documentation lists GDPR, CCPA, ISO, and SOC 2 certifications — but no HIPAA. Third-party compliance sources confirm they won’t sign a BAA and explicitly state the platform isn’t designed for HIPAA-regulated sites. Now part of Contentsquare, which also has no HIPAA coverage. |
| Heap (Contentsquare) | No | Heap’s current terms of service explicitly list HIPAA-regulated data as prohibited. This changed after the Contentsquare acquisition — an older Heap blog post claimed BAA support, but that no longer applies. Heap’s auto-capture model records all interactions by default, making accidental collection of patient data especially likely. |
| HubSpot | Partial | BAA available on Enterprise only, but analytics reporting and customer journey reports are excluded from BAA coverage. You can store patient data in the CRM — you just can’t run analytics on it freely. Requires careful setup and ongoing checks to stay compliant. |
| Freshpaint | Partial | Sits between your site and downstream tools, removing patient data before it passes through. BAA availability varies by plan – on lower tiers you agree to standard terms and can’t negotiate. Not a standalone analytics tool; you’ll need one connected to it. |
| Mixpanel | Enterprise only | BAA on Enterprise plan, with controls to reduce accidental exposure of patient data. Works well for digital health teams tracking in-app behavior. Check that your specific use case — and any integrations — are covered before you sign. |
| Piwik PRO | Enterprise only | BAA available with the paid Piwik PRO Enterprise plan. SOC 2 Type II certified. Combines web analytics with consent management. |
| Amplitude | Contact sales | Amplitude’s own security page states they can enter a BAA for covered entities and business associates under HIPAA. Check which plan and configuration your use case requires before relying on this for patient data. |
| Adobe Analytics / CJA | Add-on required | CJA is HIPAA-ready – but only with Adobe's Healthcare Shield add-on, which must be licensed separately. Without it, you have CJA with no HIPAA coverage. If you're on standard Adobe Analytics, you'd need to migrate to CJA first, then license Healthcare Shield on top – a significant cost and migration commitment for any large organization deeply embedded in AA. |
| Piano Analytics | Yes | Signs BAAs at all tiers. Tracks portal logins, appointment flows, and post-authentication activity — the pages most analytics tools can’t reach. Unsampled, real-time data across every touchpoint, with pre-built healthcare dashboards and native integrations with Snowflake, Salesforce, and 70+ tools. |
Vendor positions as of early 2026. For informational purposes only — not legal advice. Talk to your legal team before making compliance decisions.