Built for healthcare professionals who cannot afford a single pixel of PHI exposure. Standard analytics tools were designed for e-commerce — not EMRs.
The Problem
If you run Google Analytics, Mixpanel, or similar tools on a patient-facing website, you may already be violating HIPAA's Safe Harbor de-identification standard — without knowing it.
Traditional analytics drop first- and third-party cookies that can be correlated directly to a patient's browsing session — a clear HIPAA Safe Harbor violation.
HIPAA's Safe Harbor standard lists IP addresses as a PHI identifier. Most analytics platforms log them by default, silently, on every request.
Persistent identifiers stitch visits across sessions. Even without a name, re-identification becomes trivial when combined with a medical context.
The Solution
A sub-2 KB, cookieless, fire-and-forget analytics beacon. It captures exactly what you need — page paths and referrers — and anonymizes everything on the server edge before a single byte reaches the database.
The ghost script never reads or writes a cookie, touches localStorage, or accesses any browser storage API.
An HMAC-derived salt changes every UTC midnight. No two days' hashes can ever be linked to the same visitor.
IP + User-Agent + DailySalt → a 64-char hex digest. Mathematically irreversible. Raw identifiers are discarded before any write occurs.
A fire-and-forget sendBeacon call. Loads async, never blocks your page, never delays a patient trying to book an appointment.
The Anonymizer
Our core hashing logic is the only path between a visitor's identity and our analytics store. It is one-way, salted, and time-bound.
// anonymizer.ts — runs on the Vercel Edge before any DB write
Hash = SHA-256(IP + UA + Daily_Salt)
IP Address: extracted from x-forwarded-for
User-Agent: extracted from request headers
DailySalt: HMAC-SHA256(SECRET, YYYY-MM-DD), rotates every UTC midnight
The 64-char hex digest is the only identifier stored. Raw IP and User-Agent are immediately discarded — they never appear in any log, row, or trace.
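The hashing scheme described in this section, written out as an added TypeScript example (not SecurePHI's own anonymizer.ts). The function names, the hex encoding of the salt, the newline field separator and the use of the left-most x-forwarded-for entry are assumptions; the sample request and secret are constructed.

```typescript
import { createHash, createHmac } from "node:crypto";

// DailySalt = HMAC-SHA256(SECRET, YYYY-MM-DD), keyed on the UTC calendar day.
// Assumption: the hex form of the HMAC output is used as the salt string.
function dailySalt(secret: string, now: Date): string {
  const day = now.toISOString().slice(0, 10); // toISOString() is always UTC
  return createHmac("sha256", secret).update(day).digest("hex");
}

// Assumption: the left-most x-forwarded-for entry is the client address, which
// only holds when the edge platform sets or overwrites that header itself.
function clientIp(xForwardedFor: string | undefined): string {
  const [first = ""] = (xForwardedFor ?? "").split(",");
  return first.trim() || "unknown";
}

// Hash = SHA-256(IP + UA + DailySalt) as a 64-char hex digest.
// Assumption: fields are joined with "\n" so ("1.2.3.4", "5x") and
// ("1.2.3.45", "x") hash differently; the page writes plain concatenation.
function visitorHash(ip: string, userAgent: string, salt: string): string {
  return createHash("sha256").update([ip, userAgent, salt].join("\n")).digest("hex");
}

// Builds the only record that is stored: digest, page path and referrer.
// The raw IP and User-Agent stay in local variables and are never returned.
function anonymize(
  headers: Record<string, string | undefined>,
  path: string,
  referrer: string,
  secret: string,
  now: Date,
): { visitor: string; path: string; referrer: string } {
  const ip = clientIp(headers["x-forwarded-for"]);
  const ua = headers["user-agent"] ?? "";
  return { visitor: visitorHash(ip, ua, dailySalt(secret, now)), path, referrer };
}

// Constructed sample request: documentation-range address, made-up secret.
const SAMPLE_HEADERS = {
  "x-forwarded-for": "203.0.113.7, 10.0.0.2",
  "user-agent": "Mozilla/5.0 (constructed sample)",
};
const SAMPLE_SECRET = "constructed-secret-for-example-only";
const at = (iso: string, path: string) =>
  anonymize(SAMPLE_HEADERS, path, "", SAMPLE_SECRET, new Date(iso));
const earlySameDay = at("2024-03-01T00:00:01Z", "/contact");
const beforeMidnight = at("2024-03-01T23:59:59Z", "/appointments");
const afterMidnight = at("2024-03-02T00:00:00Z", "/contact");
```

Because IP addresses come from a small input space, the one-way property rests on SECRET never leaving the edge environment; handle it like any other signing key.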
HIPAA Safe Harbor — All 18 identifiers addressed
How It Works
One line. Any HTML page, any framework.
<script src="https://cdn.securephi.com/tracker.js" async></script>
On every page load, the visitor's IP and User-Agent are hashed with a rotating daily salt. The raw values are never passed to storage.
View page-level traffic and referrer sources without touching a single cookie or storing a single byte of PHI.
Deployment
One line of HTML. No npm install. No API keys exposed to the browser. Our edge function handles anonymization, salt rotation, and compliance automatically.
Drop this into your <head> or before </body>. Loads async — zero render-blocking.
<!-- SecurePHI Analytics — HIPAA Safe Harbor -->
<script src="https://cdn.securephi.com/tracker.js" async></script>
Place this empty element anywhere on your page. Our script automatically injects the SecurePHI privacy badge into it.
<!-- renders the SecurePHI Trust Seal automatically -->
<div id="securephi-badge"></div>
Stop worrying about your analytics stack. Start focusing on care. SecurePHI handles compliance so you never have to think about it again.
No cookies. No PII. No consent banner required.