
Your "HIPAA-Compliant" Tracking Probably Isn't

Published: 3/28/2026
2 min read

This is a draft outline. Full article coming soon.

The Problem

Healthcare marketing teams are told their tracking is "HIPAA compliant" by their agency, their CMP vendor, or their internal IT team. In most cases, nobody has actually verified what data is flowing through marketing tags.

What I Keep Finding

PHI in Google Ads tags

URL parameters containing patient IDs or appointment types, and condition-specific page paths, are passed to Google Ads by auto-configured conversion tracking. Google's Enhanced Conversions feature can also send hashed email addresses that, combined with the page URL, constitute PHI.

The consent banner shows up. The user clicks "reject." The tags fire anyway. This happens because Consent Mode v2 is configured in the CMP dashboard but the GTM container doesn't have the corresponding consent checks on each tag.

LiveChat, Hotjar, Meta Pixel, and similar scripts often load via hardcoded <script> tags in the HTML, completely bypassing the tag management and consent layer.

No BAA with analytics vendors

Using GA4 in a healthcare context without a Business Associate Agreement with Google means you're in violation even if no PHI is technically flowing through the tags. Most teams don't know this.

How to Audit Yourself

  1. Open your site in Chrome DevTools. Go to the Network tab. Filter by "google" and "facebook." Look at the request payloads. Is any PII visible?
  2. Reject all cookies in your consent banner. Do any marketing tags still fire? Check the Network tab again.
  3. Review your GTM container. Does every tag have a consent trigger? Is Consent Mode v2 actually configured?
  4. Check your URLs. Do any page paths contain condition names, provider IDs, or appointment types?
  5. Ask your legal team: Do we have a BAA with Google? With Meta? With every analytics vendor?
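Audit steps 1, 2 and 4 can be run offline against requests copied out of the Network tab. The following is an added example, not code from the article: the entry shape (request URL plus the CMP consent state when it fired), the marketing host list, the PHI key list, and the `dl`/`dr`/`em` parameter names are all assumptions to adjust for your own site and vendors.

```javascript
// Hosts treated as marketing/analytics endpoints (constructed list, extend per site).
const MARKETING_HOSTS = [
  /(^|\.)google-analytics\.com$/, /(^|\.)googleadservices\.com$/,
  /(^|\.)doubleclick\.net$/, /(^|\.)facebook\.com$/, /(^|\.)hotjar\.com$/,
];
// Query keys and path words that suggest PHI. Constructed; `em` is assumed to be the
// hashed-email key used by Enhanced Conversions.
const PHI_KEYS = /^(patient_?id|mrn|appointment(_type)?|condition|diagnosis|provider_id|em)$/i;
const PHI_PATH = /\/(oncology|cardiology|hiv|diabetes|behavioral-health|appointment)(\/|$)/i;
// Keys under which tags forward the page URL and referrer (assumed: GA4/Meta `dl`, `dr`).
const FORWARDED_URL_KEYS = ['dl', 'dr'];

// Flag PHI-looking query keys and path segments in one URL.
function scanUrl(u, findings, source) {
  for (const [key] of u.searchParams) {
    if (PHI_KEYS.test(key)) findings.push({ type: 'phi_param', key, source });
  }
  const m = u.pathname.match(PHI_PATH);
  if (m) findings.push({ type: 'phi_path', segment: m[1], source });
}

// entries: [{ url, consent: { ad_storage: 'granted'|'denied', ... } }]
function auditRequests(entries) {
  const findings = [];
  for (const { url, consent } of entries) {
    const u = new URL(url);
    if (!MARKETING_HOSTS.some((re) => re.test(u.hostname))) continue;
    // Step 2: a marketing request that fired while ad_storage was denied.
    if (consent.ad_storage === 'denied') {
      findings.push({ type: 'fired_without_consent', host: u.hostname });
    }
    // Steps 1 and 4: PHI in the request itself and in the forwarded page URL.
    scanUrl(u, findings, u.hostname);
    for (const k of FORWARDED_URL_KEYS) {
      const fwd = u.searchParams.get(k);
      if (!fwd) continue;
      try { scanUrl(new URL(fwd), findings, `${u.hostname}:${k}`); } catch { /* not a URL */ }
    }
  }
  return findings;
}

// Constructed sample capture: a GA4 hit from a condition page carrying a patient ID,
// a Meta Pixel hit that fired after "reject", and an unrelated first-party request.
const SAMPLE = [
  { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX&dl=' +
         encodeURIComponent('https://clinic.example/oncology/schedule?patient_id=12345'),
    consent: { ad_storage: 'granted', analytics_storage: 'granted' } },
  { url: 'https://www.facebook.com/tr?id=123&ev=PageView&dl=' +
         encodeURIComponent('https://clinic.example/contact'),
    consent: { ad_storage: 'denied', analytics_storage: 'denied' } },
  { url: 'https://clinic.example/static/app.js', consent: { ad_storage: 'denied' } },
];
```

Running `auditRequests(SAMPLE)` yields three findings: the `patient_id` parameter and the `oncology` path segment forwarded to GA4, and the Meta Pixel request that fired with consent denied.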

The Fix

This isn't a 30-minute fix. It's a measurement architecture rebuild with compliance as the primary constraint: server-side tracking with data filtering, proper consent gating, and audit documentation. But the first step is knowing what you're actually sending.
