Note: HHS guidance on tracking technologies has been evolving since 2022. A 2024 federal court ruling narrowed one aspect — it struck down the claim that combining an IP address with a public page visit automatically constitutes patient data. But requirements for authenticated pages, patient portals, symptom checkers, and appointment flows remain in full effect. When in doubt, apply the stricter interpretation.
Will they sign a BAA?
Vendor signs a Business Associate Agreement (BAA)
A BAA is a contract that makes the vendor legally responsible for protecting patient data. Without one, you can’t legally send them data that could identify a patient.
The BAA covers analytics — not just CRM or data storage
Some vendors sign BAAs but leave out reporting features. Check the covered services list, not the sales deck.
BAA is available on the plan you’re buying
Some vendors only offer BAAs on enterprise plans. Find out before you start a trial.
Their terms of service allow patient data
Google explicitly says healthcare organizations must not send patient data to GA, and won’t sign a BAA for it. Using GA on health pages breaks two rules at once: HIPAA, and the vendor’s own contract.
Are your high-risk pages covered?
Patient portals and any logged-in pages use only BAA-covered tools
Any page behind a login is patient data territory — no exceptions.
Symptom checkers and self-assessments use only BAA-covered tools
No login is needed to create a problem. A user’s IP address combined with a visit to a symptom page can count as patient data under HIPAA.
Appointment booking flows use only BAA-covered tools
Linking an ad click to an appointment type is enough to create patient data. Hospital systems have settled suits for $2M+ over exactly this.
Page URLs have been reviewed for embedded patient IDs or appointment references
Patient IDs and appointment references often end up in URL paths, query strings, or fragments, and tracking scripts record the full page URL automatically, so the identifier leaves with it.
Can they keep the data secure?
Access logs show who viewed patient data and when
Data retention is configurable (HIPAA minimum: 6 years)
Access controls limit which team members can see individual patient records
Vendor doesn’t use your data to train models or improve their product
This is common in ad platforms. Check the data processing agreement, not just the privacy policy.
Will you stay compliant as things change?
Every tool downstream of this vendor is also BAA-covered
A compliant tool feeding patient data into a non-BAA ad platform is still a violation.
Tracking setup is reviewed before and after every site release
In 2025, Blue Shield of California disclosed that one misconfiguration had silently sent member data to Google Ads for nearly 3 years.
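An added example, not part of the Piano checklist, of the kind of release-time review the last two items call for: a small Python audit that flags page URLs carrying patient or appointment identifiers (which tracking scripts would capture with the URL) and flags scripts loaded from hosts outside a BAA-covered allowlist. The parameter names, host names, and sample pages are constructed for the example; replace them with your own vendors and URL scheme.

```python
"""Pre-release tracking audit (added example, not Piano's own code).

Two checks a reviewer can run against a staging crawl before each release:
  1. URL hygiene: does any page URL embed a patient ID or appointment
     reference that a tracking script would pick up automatically?
  2. Tracker allowlist: does any script on a page load from a host that
     is not covered by a BAA?
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Query-string keys that commonly carry patient or appointment identifiers
# (constructed list; extend it with your own parameter names).
SENSITIVE_QUERY_KEYS = {"patient_id", "patientid", "mrn", "appointment_id",
                        "appt", "appt_type", "visit_id"}

# Path segments that introduce an identifier, e.g. /patients/12345
SENSITIVE_PATH_RE = re.compile(
    r"/(?:patients?|appointments?|visits?|mrn)/[A-Za-z0-9-]+", re.IGNORECASE)


def find_patient_identifiers(url: str) -> list[str]:
    """Describe each place the URL embeds a patient or appointment reference."""
    parsed = urlparse(url)
    findings = []
    if SENSITIVE_PATH_RE.search(parsed.path):
        findings.append(f"path segment: {parsed.path}")
    for key in parse_qs(parsed.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_QUERY_KEYS:
            findings.append(f"query parameter: {key}")
    # Fragments never reach the server, but client-side trackers read them.
    if parsed.fragment and SENSITIVE_PATH_RE.search("/" + parsed.fragment):
        findings.append(f"fragment: {parsed.fragment}")
    return findings


class ScriptSourceCollector(HTMLParser):
    """Collect the host of every external <script src=...> on a page."""

    def __init__(self):
        super().__init__()
        self.hosts: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                host = urlparse(value).hostname
                if host:
                    self.hosts.append(host.lower())


def unapproved_tracker_hosts(html: str, approved_hosts: set[str]) -> list[str]:
    """Return script hosts that are not on the BAA-covered allowlist."""
    collector = ScriptSourceCollector()
    collector.feed(html)
    return sorted({h for h in collector.hosts if h not in approved_hosts})


def audit_page(url: str, html: str, approved_hosts: set[str]) -> dict:
    """Run both checks; a page passes only if both finding lists are empty."""
    id_findings = find_patient_identifiers(url)
    bad_hosts = unapproved_tracker_hosts(html, approved_hosts)
    return {"url": url, "identifiers": id_findings,
            "unapproved_hosts": bad_hosts,
            "passed": not id_findings and not bad_hosts}


# Constructed sample data: placeholder hosts, not real vendors.
APPROVED_HOSTS = {"analytics.baa-vendor.example"}

SAMPLE_PAGES = {
    # Portal page whose URL leaks an MRN and which also loads a non-BAA tag.
    "https://portal.hospital.example/patients/12345/visits?mrn=998877":
        '<html><head><script src="https://tags.adplatform.example/tag.js"></script>'
        '<script src="https://analytics.baa-vendor.example/t.js"></script></head></html>',
    # Public page that loads only the covered vendor.
    "https://www.hospital.example/about":
        '<html><head><script src="https://analytics.baa-vendor.example/t.js"></script></head></html>',
}


def run_audit(pages: dict[str, str] = SAMPLE_PAGES,
              approved_hosts: set[str] = APPROVED_HOSTS) -> list[dict]:
    """Audit every page and return one result dict per page, in input order."""
    return [audit_page(u, h, approved_hosts) for u, h in pages.items()]


if __name__ == "__main__":
    for result in run_audit():
        print("PASS" if result["passed"] else "FAIL", result["url"])
        for f in result["identifiers"]:
            print("   identifier in", f)
        for h in result["unapproved_hosts"]:
            print("   script host not BAA-covered:", h)
```

Running the script prints a PASS/FAIL line per page with the reason for each failure. In a real pipeline the page list would come from a staging crawl or a sitemap, and the check would run both before and after deployment so that a tag added by a release, like the misconfiguration described above, is caught at once rather than years later.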
Marketing and legal both signed off on the vendor
[Vendor comparison table: BAA availability per analytics vendor. Only the status values survived extraction (No, Partial, Enterprise Only, Contact Sales, Add-on required, Yes); the vendor names and column headings did not.]
By submitting, you agree to Piano's Privacy Policy and End User Terms.

