What counts as PHI online
The 18 identifiers and the everyday ways they leak into analytics data.
Run the free HIPAA analytics self-audit below to see where your site stands against the safeguards a compliant setup requires.
You have a signed BAA with your analytics provider.
PHI is stripped from URLs, page titles, and form fields before storage.
All analytics data is stored on US-based infrastructure.
IP addresses are anonymized or hashed, never stored raw.
Visitors have a clear consent mechanism for analytics.
Granular access logs and audit trails are available.
You can export or permanently delete your data on request.
Session recordings automatically mask sensitive inputs.
Each item is a HIPAA best practice for website analytics. The more you can honestly check "Yes," the lower your exposure.
The six areas every compliant measurement setup has to cover.
The 18 identifiers and the everyday ways they leak into analytics data.
What "no BAA" really means and the risk it creates for your practice.
What a BAA covers, who needs one, and what to look for before signing.
Encryption, 100% US-hosted infrastructure, PHI redaction, and access controls.
Consent mechanisms, data export, and the right to deletion.
A repeatable checklist to keep every property compliant over time.
Book a full HIPAA analytics audit with our compliance team, and get a signed BAA on day one.