HHS OCR has explicitly stated that standard tracking technologies on patient-facing websites can constitute impermissible PHI disclosures under HIPAA — even on pages that require no login.
Why Now
What started as an informal warning has become a body of enforceable guidance with real settlements, real class actions, and real OCR investigations.
December 2022
The Office for Civil Rights published guidance explicitly naming web tracking technologies — including analytics scripts and pixels — as potential HIPAA violations when deployed on patient-facing websites. The bulletin states that if a tracking technology transmits a visitor's IP address alongside a URL that relates to healthcare services, that constitutes a disclosure of PHI to a third-party vendor without a BAA.
HHS OCR Bulletin, Dec. 1, 2022
2023
Novant Health settled for $4.2 million after using a Meta Pixel on its patient portal. The FTC ordered BetterHelp to pay $7.8 million for sharing health data with Facebook and Snapchat. Dozens of health systems — including Advocate Aurora Health, WakeMed, and Dignity Health — faced class-action lawsuits. The plaintiff's bar discovered that any lawyer can verify pixel deployment with browser developer tools.
FTC v. BetterHelp (2023); Novant Health class settlement
March 2024
Following healthcare industry pushback, HHS issued a revised bulletin that maintained its core position: regulated entities are not permitted to use tracking technologies in a manner that results in impermissible disclosures of PHI to tracking vendors. The revised guidance clarified that this applies to unauthenticated pages — not just patient portals — if health conditions are inferable from the URL or page context.
HHS OCR Revised Bulletin, Mar. 18, 2024
Today
GA4 sends the full page URL, the visitor's IP, and behavioral data to Google's servers. Meta Pixel does the same to Meta — plus fingerprinting. Neither offers a BAA. Neither strips IP addresses before transmission. Any clinic running these tools on a patient-facing site is operating in direct conflict with HHS's published guidance.
“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”
— HHS Office for Civil Rights, Revised Bulletin on Tracking Technologies, March 18, 2024
Side-by-Side Comparison
Measured against the criteria HHS OCR uses to evaluate HIPAA risk for tracking technologies on patient-facing websites.
| Criteria | SecurePHI | Google Analytics 4 | Meta Pixel |
|---|---|---|---|
| BAA Available (required by HIPAA for any vendor receiving PHI) | | | |
| IP Address Handling (IP is a named PHI identifier under Safe Harbor §164.514(b)) | SHA-256 hashed — raw value discarded | | |
| Referrer URL Handling (condition-specific URLs, e.g. /book/oncology, can constitute PHI) | Truncated, never linked to visitor | | |
| Zero Cookies (persistent identifiers enable cross-session re-identification) | | | |
| Data Stays Off Third-Party Servers (transmission of page URL + IP to a vendor is a potential PHI disclosure) | | | |
| Cross-Session Linking Prevented (daily salt rotation makes longitudinal tracking impossible) | | | |
| HHS 2024 Guidance Compliant (March 2024 bulletin on use of online tracking technologies) | | | |
Business Associate Agreement
HIPAA requires a signed BAA with every vendor that handles Protected Health Information on your behalf. Here is exactly what SecurePHI’s BAA commits to — in plain terms, not legalese.
Permitted Uses of PHI
SecurePHI may only use de-identified analytics data to provide the analytics service. We are explicitly prohibited from using data for any secondary purpose — including marketing, profiling, or sale to third parties.
Breach Notification
In the event of a security incident, SecurePHI commits to notifying you within 60 days of discovery — in line with HHS requirements. The notification includes the nature of the breach, data affected, and remediation steps taken.
Data Retention & Deletion
Upon termination of your subscription, all data associated with your account is deleted within 30 days. You may also request immediate deletion at any time by contacting compliance@securephi.app.
Subcontractor Management
SecurePHI uses Supabase (database) and Vercel (infrastructure) as subcontractors. Both operate under their own HIPAA-eligible agreements. We are responsible for ensuring their compliance obligations mirror our own.
BAA included on HIPAA Clinic, Growth, and Enterprise plans.
Your BAA is countersigned and delivered within 24 hours of your first payment. It is available at any time from your compliance dashboard. Starter plan customers may request a BAA separately — contact compliance@securephi.app.
HIPAA Safeguards — Plain English
The HIPAA Security Rule requires three categories of safeguards for any vendor that touches patient data. Here is how SecurePHI satisfies each — without the cryptography.
Administrative Safeguards
Physical Safeguards
Technical Safeguards
SecurePHI’s compliance posture is reviewed annually. This page reflects our current safeguard implementation. For a full security overview or to request documentation, contact compliance@securephi.app.
Technical Deep Dive
HIPAA Safe Harbor (45 CFR §164.514(b)(2)) requires the removal or transformation of all 18 PHI identifiers before data can be considered de-identified. Here is exactly how SecurePHI addresses each relevant identifier.
Safe Harbor identifier #8 is “IP addresses.” Identifier #14 is “device identifiers and serial numbers.” The User-Agent string falls under this category because it identifies device type, OS, and browser version. Simply deleting these fields before storage satisfies the removal requirement — but we go further.
// edge/anonymize.ts — runs before any database write
// toHex: render a digest buffer as a lowercase hex string
const toHex = (buf: ArrayBuffer) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

// Composite one-way hash over IP + User-Agent + today's salt (Web Crypto, edge runtime)
const visitorHash = toHex(
  await crypto.subtle.digest(
    "SHA-256",
    new TextEncoder().encode(ip + userAgent + dailySalt)
  )
);
// Raw IP and User-Agent are discarded — never passed to storage
// Only the 64-char hex digest reaches the database
IP Address
PHI identifier #8. Extracted from x-forwarded-for, hashed immediately, raw value discarded.
User-Agent
Device/browser fingerprint. Hashed as part of the composite input, raw string discarded.
Output Hash
A 64-char SHA-256 hex digest. Mathematically irreversible — cannot be reverse-engineered back to IP or UA.
Even a one-way hash can become a re-identification risk if the same visitor produces the same hash across multiple days — allowing visit patterns to be correlated over time. HHS specifically flagged longitudinal tracking as a key risk factor. Our salt rotation eliminates this entirely.
// The daily salt is derived fresh every UTC midnight
const todayUtc = new Date().toISOString().slice(0, 10); // e.g. "2024-03-18" — changes at midnight
const hmacKey = await crypto.subtle.importKey(
  "raw", new TextEncoder().encode(SECRET_KEY),
  { name: "HMAC", hash: "SHA-256" }, false, ["sign"]
);
// HMAC-SHA256(SECRET_KEY, date), hex-encoded (toHex is the helper defined in anonymize.ts)
const dailySalt = toHex(
  await crypto.subtle.sign("HMAC", hmacKey, new TextEncoder().encode(todayUtc))
);
Same visitor, Day 1
SHA-256(192.168.1.1 + Chrome/122 + salt_2024-03-18)
= a3f8c2d1e9b4…
Same visitor, Day 2
SHA-256(192.168.1.1 + Chrome/122 + salt_2024-03-19)
= 7e1d9a4b82f3…
Two completely different hashes — the same visitor cannot be linked across days. No long-term identifier ever exists.
HIPAA Safe Harbor — All 18 Identifiers Addressed
SecurePHI is the only analytics platform built from the ground up for HIPAA Safe Harbor. No configuration required — compliant by default on every page load.
BAA included on HIPAA Clinic, Growth, and Enterprise plans. Five-minute setup. Cancel any time.