HIPAA Compliance Resources for Healthcare

Guides, tools, FAQs, and expert insights to help your healthcare organization navigate website HIPAA compliance with confidence.

Ever Expanding Resources For Healthcare Marketers

Everything you need to understand HIPAA-compliant digital marketing, and see where your own website stands.

  • Blog: Practical insights on HIPAA-compliant analytics, patient privacy, and digital marketing for healthcare organizations. Read the Blog →
  • Free HIPAA Scanner: Run a free scan of any healthcare website and get an instant report on potential tracking and compliance risks. No signup required.

More Coming Soon!

  • HIPAA Guide
  • Case Studies
  • Webinars
  • Glossary
  • More!

Frequently Asked Questions

Common questions about website HIPAA compliance, answered by our team.

Does my healthcare website really need to be HIPAA-compliant?

Yes. If your website collects, transmits, or enables the collection of Protected Health Information (PHI), it falls under HIPAA requirements. This includes analytics tools like Google Analytics, which capture a wide range of information about the visitor’s browser and combine it with healthcare page visits, as well as embedded YouTube videos, Google Maps, and contact forms. The HHS Office for Civil Rights has made clear that tracking technologies on healthcare websites can create HIPAA violations.

How is Sounder different from FreshPaint or Ours Privacy?

We are a managed service with a dedicated team. FreshPaint and Ours Privacy are software platforms you configure and manage yourself. We have been doing healthcare marketing since 2009; we are not a software startup. Our team implements compliance for you, monitors your website on an ongoing basis, and fixes issues before they become problems. You get a compliance team, not a login to software. We also have not taken on investors, so our fee structure can be very different.

What is a Business Associate Agreement (BAA) and why does it matter?

A BAA is a legal contract required by HIPAA between a covered entity (your healthcare organization) and any vendor that handles PHI on your behalf. Without a signed BAA, any data sharing with that vendor is a likely HIPAA violation, regardless of whether actual patient data was exposed. Google, Meta, YouTube, and most advertising platforms do not offer BAAs, which is why standard implementations of their tools create compliance risk.

Does Sounder sign a BAA?

Yes. We have a balanced BAA we have developed, or we are open to reviewing and redlining your BAA. Getting to an agreement on a BAA is generally the most time-consuming part of coming to a signed proposal, so if you intend for us to sign your BAA, we recommend sharing it with us as early in the process as possible so our legal team can review it.

Can I still use Google Analytics if my site needs to be HIPAA-compliant?

Yes, if you implement Sounder Analytics. Standard Google Analytics (GA4) is not HIPAA-compliant because it transmits visitor data to Google without a BAA. Sounder uses server-side tracking to strip PHI and PII before sending data to GA4, Google Ads, Meta Ads, and other platforms. You keep using the tools you already know, but the data is processed compliantly.

How long does it take to become compliant?

Most sites are compliant within 4 to 6 weeks. Larger health systems with multiple web properties typically take 8 to 10 weeks. Because we are a managed service, our team does the implementation work, so your team’s involvement is minimal. Be aware that some HIPAA-compliant SaaS platforms say they can be up and running in a few weeks. Generally, that means the software is turned on and configured for you to begin using it to become compliant. We have seen healthcare organizations take as much as six months to finish implementing these platforms.

Will our IT team or web developers need to help?

Minimally. We need Google Tag Manager installed on your site (which is HIPAA-compliant by itself since it does not share any data — it is simply a container for scripts) and access granted to us. To maximize effectiveness, we also ask your IT team to set up a subdomain (e.g., data.yourdomain.com) for our first-party cookie support. We can work with your team to make this happen.

Why are embedded YouTube videos a HIPAA violation?

YouTube is owned by Google, which does not sign BAAs for YouTube users. Every embedded YouTube video automatically transmits visitor IP addresses, device identifiers, URL information, and cookies to Google’s servers, even if the embedded video on the page is not watched. If the embedded video is watched, viewing behavior is also sent to Google. When this data comes from a healthcare website, the combination of the visitor’s browser information and health-related page content constitutes PHI under HHS guidance.

Do we stop using YouTube altogether?

No. You continue to build and promote your YouTube channel as you always have. YouTube is a powerful marketing channel. The only change is that instead of using YouTube to provide embedded videos on your website, you use Sounder Video. Your YouTube channel remains a social media and marketing tool.

Are Google Maps on our website a HIPAA violation?

Yes. Embedded Google Maps transmit information about your visitor (IP address and device identifiers) even if the map is not interacted with. If there are map interactions or search queries, that information is also passed along to Google. And Google will not sign a BAA for Maps users. Each embedded Google Map on your healthcare website is a separate violation. Sounder Maps replaces Google Maps with an interactive, fully compliant, accessible alternative hosted on our HIPAA-compliant servers.

Can we use Google Forms on our healthcare website?

No. Google Forms does not offer a BAA and is not HIPAA-compliant for collecting any information on a healthcare website. Even forms that collect “non-PHI” data are risky on healthcare sites. Our forms consulting service evaluates your needs and recommends the right HIPAA-compliant form platform for your tech stack.
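As an added example (it is not part of this page and is not Sounder's scanner), here is a small Python script that performs the kind of static check the answers above describe: it parses a page's HTML and flags embeds and scripts that load from the vendors named in this FAQ (the GA4 gtag.js loader and inline gtag calls, YouTube iframes, Google Maps embeds, Google Forms, the Meta pixel loader) while leaving the Google Tag Manager container itself unflagged, matching the distinction drawn in the IT-team answer. The sample HTML, the vendor labels and the domain patterns are constructed assumptions. A static scan only sees what is in the delivered HTML; tags injected at runtime by a tag manager or consent tool are invisible to it, so a real audit also needs to observe the page's network requests in a browser.

```python
"""Static scan of a healthcare page's HTML for third-party embeds and
trackers that send visitor data to vendors that do not sign BAAs.

Added example; domain patterns and sample HTML are constructed assumptions.
"""
import re
from collections import Counter
from html.parser import HTMLParser

# Vendor patterns (assumed). Note that the GTM container loader (gtm.js)
# is deliberately NOT matched: only the GA4 gtag.js loader is.
THIRD_PARTY_PATTERNS = [
    ("google_analytics", re.compile(r"googletagmanager\.com/gtag/js|google-analytics\.com")),
    # youtube-nocookie still loads the player from Google, so it is flagged too
    ("youtube_embed", re.compile(r"youtube(?:-nocookie)?\.com/embed/")),
    ("google_maps_embed", re.compile(r"google\.com/maps/embed|maps\.googleapis\.com")),
    ("google_forms", re.compile(r"docs\.google\.com/forms")),
    ("meta_pixel", re.compile(r"connect\.facebook\.net")),
]
# Inline script calls that configure GA4 or the Meta pixel
INLINE_TRACKER_CALLS = re.compile(r"\bgtag\(|\bfbq\(")


class EmbedCollector(HTMLParser):
    """Collects every src/action URL and the text of every inline <script>."""

    def __init__(self):
        super().__init__()
        self.refs = []            # (tag, attribute, url)
        self.inline_scripts = []  # script bodies
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "action") and value:
                self.refs.append((tag, name, value))
        if tag == "script":
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf).strip()
            if body:
                self.inline_scripts.append(body)
            self._script_buf = None


def scan_html(html):
    """Return a list of findings, one per element that loads from or calls
    a flagged vendor. Each finding names the tag, attribute, URL and vendor."""
    collector = EmbedCollector()
    collector.feed(html)
    findings = []
    for tag, attr, url in collector.refs:
        for vendor, pattern in THIRD_PARTY_PATTERNS:
            if pattern.search(url):
                findings.append({"tag": tag, "attr": attr, "url": url, "vendor": vendor})
                break
    for body in collector.inline_scripts:
        if INLINE_TRACKER_CALLS.search(body):
            vendor = "meta_pixel" if "fbq(" in body else "google_analytics"
            findings.append({"tag": "script", "attr": "inline", "url": body[:60], "vendor": vendor})
    return findings


def summarize(findings):
    """Count findings per vendor, e.g. {'youtube_embed': 1, ...}."""
    return dict(Counter(f["vendor"] for f in findings))


# Constructed sample page: a GA4 loader plus inline config, a GTM container,
# and one embed each for YouTube, Google Maps and Google Forms.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('config','G-EXAMPLE');</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
</head><body>
<h1>Oncology Department</h1>
<iframe src="https://www.youtube.com/embed/EXAMPLEID"></iframe>
<iframe src="https://www.google.com/maps/embed?pb=EXAMPLE"></iframe>
<iframe src="https://docs.google.com/forms/d/e/EXAMPLE/viewform"></iframe>
<img src="/images/clinic.jpg">
<form action="/contact" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(f"{finding['vendor']:18} <{finding['tag']} {finding['attr']}> {finding['url']}")
    print(summarize(scan_html(SAMPLE_HTML)))
```

Run against the constructed sample, the scan reports five findings (two for GA4, one each for the YouTube, Maps and Forms embeds) and stays silent on the GTM container, the local image and the first-party form.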

How much does Sounder cost?

Our pricing is transparent and public. Sounder Analytics starts at $935/month for up to 200,000 page views. Sounder Video is $550/month. Sounder Maps is $130/month plus a $1,250 one-time setup fee. Forms consulting starts at $1,750 for research and strategy, with implementation priced separately. Visit our pricing page for full details.

Is there a contract?

We require a one-year initial contract for analytics and video services. After the first year, services continue month-to-month. There will be no massive annual price increases and no long-term lock-in.

What does it mean that Sounder is a “managed service”?

It means our team does the work. We can implement compliance, configure tracking, migrate videos, replace maps, set up forms, monitor your website on an ongoing basis, and fix issues proactively. You do not need to learn a software platform, hire a different consultant, or dedicate IT resources. You get a compliance team, not a login to software.

Ready to Make Your Website Compliant?

Start with a free website scan, or book a demo to see how Sounder can solve your compliance challenges.