Free Resource
HIPAA-Compliant Marketing Checklist
40+ compliance checks across website, analytics, Google Ads, email, social media, and review management — everything your practice needs to market legally and safely.
🌐 Website Compliance
SSL certificate is active (HTTPS)
Critical: All data transmitted to/from the site must be encrypted. An HTTP site is a HIPAA violation risk if any form data is collected.
Privacy policy is present and HIPAA-specific
Critical: A generic privacy policy is not sufficient. Your policy must address how PHI is collected, stored, used, and shared.
Contact and appointment forms do not store PHI unsecured
Critical: Form submissions that include health information (conditions, medications, symptoms) must be stored on a HIPAA-compliant server.
All third-party vendors with data access have signed a BAA
Critical: A Business Associate Agreement (BAA) is legally required for any vendor (chat, CRM, form tool, analytics) that may access PHI.
No patient testimonials that identify the patient without written authorisation
Important: Using a patient's name, photo, or story in marketing requires a signed HIPAA authorisation — a general consent form is not sufficient.
Chat widgets use HIPAA-compliant providers
Important: Standard chat tools (Intercom, Drift, Crisp) are not HIPAA-compliant. Use Klara, Spruce Health, or similar purpose-built tools.
Before/after photos are displayed only with proper authorisation
Important: Each before/after image requires an individual signed authorisation specifying that it will be used in marketing materials.
📊 Analytics & Tracking
Google Analytics 4 is configured with IP anonymisation
Critical: GA4 must have 'restricted data processing' enabled and IP addresses anonymised. Consider signing a BAA with Google Workspace.
Meta Pixel / Facebook Pixel is NOT installed (or is HIPAA-configured)
Critical: The standard Meta Pixel transmits URL paths, page titles, and search terms to Meta — which may include diagnostic content constituting PHI. Remove it or use a HIPAA-compliant events API setup.
Google Ads conversion tracking does not pass PHI
Critical: Enhanced Conversions that pass email addresses or phone numbers from appointment forms may transmit PHI to Google without a BAA.
No cookie-based retargeting pixels on symptom or condition pages
Critical: Placing retargeting pixels on pages titled 'Cancer Treatment', 'HIV Services', or similar pages means patients visiting those pages are tracked and associated with those conditions.
Heatmap tools (Hotjar, Clarity) are configured to mask form inputs
Important: Session recording tools must be configured to mask all form fields. Out-of-the-box settings typically capture all text input, including PHI.
Analytics data retention is set appropriately
Best Practice: GA4 data retention should not be indefinite. Set a maximum retention period aligned with your data governance policy.
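The tracking items above can be checked mechanically. The following is an added example, not code from the checklist's authors: a dependency-free Node.js audit that scans one page's HTML for the standard Meta Pixel, for any tracker loaded on a condition-specific path, and for form fields a session-recording tool would capture unmasked. The loader hostnames are each tool's real public script URLs and the masking attributes are the ones Hotjar (data-hj-suppress) and Clarity (data-clarity-mask) document; the sensitive-path wordlist and the sample page are assumptions constructed for the example.

```javascript
// Added example (not the checklist's own code): static audit of one page's HTML
// for the tracking issues in the "Analytics & Tracking" section.
const TRACKERS = [
  { name: 'Meta Pixel',        pattern: /connect\.facebook\.net\/[^"']*fbevents\.js|fbq\(\s*['"]init['"]/ },
  { name: 'Google tag',        pattern: /googletagmanager\.com\/gtag\/js/ },
  { name: 'Hotjar',            pattern: /static\.hotjar\.com\// },
  { name: 'Microsoft Clarity', pattern: /www\.clarity\.ms\/tag\// },
];

// Assumed wordlist: URL paths the checklist treats as condition-specific.
const SENSITIVE_PATH = /\b(cancer|hiv|addiction|mental-health|symptom|condition)\b/i;

function auditPage(html, path) {
  const findings = [];
  const present = TRACKERS.filter(t => t.pattern.test(html)).map(t => t.name);

  if (present.includes('Meta Pixel')) {
    findings.push('critical: standard Meta Pixel loaded; remove or replace with a BAA-covered setup');
  }
  if (SENSITIVE_PATH.test(path) && present.length > 0) {
    findings.push(`critical: trackers on condition-specific path ${path}: ${present.join(', ')}`);
  }

  // Session-recording tools capture typed text unless each field is masked.
  const recording = present.includes('Hotjar') || present.includes('Microsoft Clarity');
  if (recording) {
    const fields = html.match(/<(?:input|textarea|select)\b[^>]*>/gi) || [];
    for (const field of fields) {
      if (/type=["']?(?:hidden|submit|button)\b/i.test(field)) continue; // nothing is typed here
      const masked = /data-hj-suppress|data-clarity-mask=["']true["']/i.test(field);
      if (!masked) findings.push(`important: unmasked field ${field}`);
    }
  }
  return findings;
}

// Constructed sample: a condition page with the Meta Pixel, Hotjar (placeholder
// site id), and a form where only the name field is masked.
const SAMPLE_HTML = `
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://static.hotjar.com/c/hotjar-SITEID.js?sv=6"></script>
<form>
  <input type="text" name="name" data-hj-suppress>
  <textarea name="symptoms"></textarea>
  <input type="submit" value="Send">
</form>`;

function auditSample() { return auditPage(SAMPLE_HTML, '/services/hiv-testing'); }
console.log(auditSample().join('\n'));
```

Run it against each page of a site (for example on HTML fetched by a crawler) and treat any critical finding as a blocker before the page goes live.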
📢 Google Ads & Paid Search
Ad landing pages do not collect PHI without BAA-covered tools
Critical: Any landing page form that collects symptoms, conditions, or insurance details must feed into a HIPAA-compliant CRM.
Customer Match lists do not contain PHI
Critical: Uploading email lists to Google Customer Match that were sourced from patient records (even with consent) is a potential HIPAA violation without a BAA.
Ads do not make guarantees or misleading clinical claims
Important: FTC and state medical board rules prohibit guaranteed outcomes in healthcare advertising. 'We'll cure your...' is both illegal and a HIPAA marketing risk.
Remarketing audiences exclude sensitive condition pages
Important: Build remarketing lists from general pages (homepage, services overview) — not from condition-specific pages.
Google Healthcare and Medicines policy compliance confirmed
Important: Certain healthcare categories (prescription drugs, clinical trials, addiction treatment) require pre-certification from Google.
📧 Email Marketing
Email platform has signed a BAA
Critical: If your email list contains patients, you need a BAA with your email provider. Mailchimp, HubSpot Healthcare, and Constant Contact Enterprise offer BAAs. Standard plans do not.
No PHI in email subject lines or preview text
Critical: Subject lines are stored on email servers without encryption. Never include appointment types, conditions, or medications in subject lines.
Appointment reminders use a HIPAA-compliant platform
Critical: Standard email for appointment reminders is acceptable only if the email does not include the reason for the visit. Use dedicated tools (Solutionreach, Klara) for clinical reminders.
Unsubscribe mechanism is functional and prompt
Best Practice: CAN-SPAM requires unsubscribe requests to be honoured within 10 business days. Ignoring this exposes you to FTC penalties as well.
Email list was collected with proper consent
Important: Marketing emails to patients require explicit consent. Implied consent from an existing care relationship does not cover marketing communications.
⭐ Review Management
Soliciting reviews does not incentivise with gifts or discounts
Critical: Offering a discount for a positive review violates FTC guidelines and potentially state medical board rules.
Review responses follow the HIPAA response framework
Critical: A compliant response: (1) Thank the reviewer, (2) State your commitment to patient satisfaction, (3) Invite them to contact you privately. Never address clinical details publicly.
Negative reviews are not disputed with patient information
Critical: Using appointment records, diagnoses, or treatment history to counter a negative review is a HIPAA violation, even if the review is false.
Review generation platform has signed a BAA
Important: If your review tool sends automated emails to patients using their appointment data, it requires a BAA.
Reviews are monitored across all platforms weekly
Best Practice: Unmonitored negative reviews compound over time. Set up Google Alerts and platform notifications so you can respond within 48 hours.
Legal Disclaimer
This checklist is provided for informational purposes only and does not constitute legal advice. HIPAA compliance requirements are complex and fact-specific. Consult a qualified healthcare attorney and a HIPAA compliance officer to assess your specific situation. Heartbeat Marketing is a healthcare digital marketing agency, not a law firm.
Not sure if your marketing is HIPAA-compliant?
We audit your existing marketing stack and rebuild it to be compliant, effective, and set up to grow patient volume — not expose you to liability.
FAQ
HIPAA Marketing — Common Questions
Is our existing privacy policy enough for HIPAA marketing compliance?
Almost certainly not. A generic privacy policy does not meet HIPAA's Notice of Privacy Practices requirements. You need a HIPAA-specific NPP that discloses exactly how protected health information is collected, used, and shared — including for marketing purposes.
Can we use Google Analytics on our healthcare website?
Yes, but with configuration. GA4 must have restricted data processing enabled, IP anonymisation turned on, and you should avoid placing tracking on condition-specific or appointment-result pages. For practices that also serve as covered entities, a BAA with Google Workspace may be required.
Can we use the Facebook/Meta Pixel?
This is a high-risk area. Meta does not sign BAAs for the standard Pixel. The Pixel transmits page URLs (which may contain diagnostic content) and behavioural data to Meta. The FTC has taken action against healthcare providers using standard Pixels. We recommend removing it or working with a specialist to implement the Conversions API in a compliant way.
What is a Business Associate Agreement (BAA) and do we need one?
A BAA is a legally required contract between a HIPAA-covered entity (your practice) and any vendor that may access, process, or store PHI on your behalf. If your website chat tool, email platform, analytics tool, or CRM can see patient data, you need a BAA with that vendor.
Can we ask patients for Google reviews?
Yes, you can — and you should. The key rules: (1) Never offer incentives for reviews, (2) Use a HIPAA-compliant review platform if sending automated requests using appointment data, (3) Never respond to reviews in a way that confirms the person's patient status or mentions clinical details.
What happens if we get a HIPAA violation from a marketing mistake?
Penalties range from $100 to $50,000 per violation per day, capped at $1.9 million per violation category per year. Wilful neglect that is not corrected carries the maximum penalties. Beyond fines, violations require breach notification to affected patients and to HHS, and may trigger an OCR investigation.
📱 Social Media
Patient enquiries on public social profiles are directed to private channels
Critical: Responding publicly to a patient comment that includes health details constitutes a HIPAA violation. Always respond with 'Please DM us or call [number]'.
Review responses never confirm patient status
Critical: Saying 'Thank you for being our patient' or 'We remember your case' in a public review response identifies someone as a patient — a HIPAA violation.
Staff are trained on social media HIPAA policy
Important: A staff member posting a photo that inadvertently includes a patient in the background, or discussing a case, is a violation. A written social media policy plus training is required.
No patient photos shared without individual authorisation
Critical: A signed authorisation specifically for social media use is required — a general consent does not cover it.
Social media management tools have BAAs in place (if patient data is present)
Important: Tools like Hootsuite or Buffer used to manage accounts that handle patient DMs may require a BAA.