The HIPAA Compliance Checklist

A 25-Point Review Across the 5 Risk Areas Found in Every Healthcare Marketing System


Category 1 - Tracking + Tagging Risk

“Where most HIPAA violations hide — and most teams don’t know it.”

1. Are any Meta, Google, or tracking tags firing on pages where health condition, treatment, program, or insurance intent can be inferred?

2. Do any event names include terms related to symptoms, conditions, programs, exams, or insurance verification?

3. Could URL paths or parameters reveal health-related behavior (ex: /depression-treatment/, /verify-insurance)?

4. Are any remarketing audiences being created from condition-specific pages or content?

5. Is there any place where identity (email, phone, CRM ID) is tied to behavior that could imply a health condition?

Why it matters:

Most recent enforcement cases involve ad pixel or analytics script misconfigurations, which makes this one of the highest-risk compliance categories for healthcare marketers.

Most violations come from tagging decisions marketers didn't even know were happening.
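As an added example that is not part of the original checklist, the following script runs checks 1 to 3 over a tag inventory of the kind a tag-manager export or crawler would produce: it flags any tag firing on a URL whose path or query names a condition, program or insurance step, and any event name that does so itself. The page list, the tags and the term list are constructed assumptions to be tuned per site.

```python
import re
from urllib.parse import urlparse

# Constructed denylist of health-intent terms, seeded from the checklist's own
# examples (/depression-treatment/, /verify-insurance). Tune it to the site.
SENSITIVE_TERMS = {"depression", "treatment", "insurance", "diagnosis",
                   "symptoms", "exam", "program", "programs", "verify"}

# Constructed inventory of which tags fire on which pages:
# url -> [(vendor, event_name), ...]
TAG_INVENTORY = {
    "https://example.org/about-us/": [("ga4", "page_view")],
    "https://example.org/depression-treatment/": [("meta_pixel", "PageView")],
    "https://example.org/contact/?ref=verify-insurance": [("meta_pixel", "Lead")],
    "https://example.org/pricing/": [("ga4", "insurance_verification_complete")],
}


def tokens(text):
    """Lowercase and split on anything that is not a letter or digit."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}


def url_terms(url):
    """Sensitive terms found in a URL's path or query; the host is ignored."""
    parsed = urlparse(url)
    return tokens(parsed.path + " " + parsed.query) & SENSITIVE_TERMS


def find_exposures(inventory):
    """Return (url, vendor, event, reason) for every tag/page pair that fails
    checklist items 1-3: a tag firing on a health-intent URL (items 1 and 3),
    or an event name that itself leaks intent (item 2)."""
    findings = []
    for url, tags in inventory.items():
        page_hits = url_terms(url)
        for vendor, event in tags:
            if page_hits:
                findings.append((url, vendor, event, "tag fires on health-intent URL: "
                                 + ", ".join(sorted(page_hits))))
            event_hits = tokens(event) & SENSITIVE_TERMS
            if event_hits:
                findings.append((url, vendor, event, "event name leaks intent: "
                                 + ", ".join(sorted(event_hits))))
    return findings


if __name__ == "__main__":
    for url, vendor, event, reason in find_exposures(TAG_INVENTORY):
        print(f"{vendor:<10} {event:<32} {url}\n    {reason}")
```

Remarketing audiences (item 4) and identity joins (item 5) live in platform settings rather than on the page, so they need a separate review of audience definitions and CRM exports.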

Category 2 - Data Collection + Storage Safety

“HIPAA isn't just where data goes — it's what it could imply.”

6. Are behavioral events and metadata stored in tools that do not hold a Business Associate Agreement (BAA)?

7. Is Google Analytics, or any analytics tool, receiving URLs, events, or metadata that could imply a health condition?

8. Are marketing automations (email/SMS) triggered by behavior tied to conditions, programs, or insurance?

9. Are third-party scripts (chat widgets, schedulers, analytics, heatmaps) collecting sensitive behavior?

10. Is any raw data stored in a CRM, CDP, or warehouse without being de-identified or transformed first?

Why it matters:

This is where brands often unknowingly store PHI in non-compliant systems — even without collecting “medical information.”

Category 3 - Website + Landing Page Exposure

“The website itself can reveal PHI — even if no forms are filled out.”

11. Do any call-to-action buttons reference exams, diagnoses, programs, or insurance? (“Verify insurance,” “Schedule exam”)

12. Can page content, structure, or naming conventions disclose a visitor’s possible condition?

13. Are forms collecting health-related details that could be transmitted to non-BAA vendors?

14. Could session replay tools or chat widgets capture typed or sensitive content?

15. Are there redirects, UTM parameters, or page flows that expose condition-specific navigation paths?

Why it matters:

Most PHI exposure comes from implied health status, not the explicit collection of medical data.

Category 4 - Marketing Platform Setup

“HIPAA restrictions have permanently changed the way Google and Meta optimize.”

16. Are ads optimizing for conversion events that fire too infrequently to train the algorithms?

17. Are Meta’s health restrictions (Core Setup) blocking key data signals?

18. Are offline conversions being uploaded to ad platforms in a properly de-identified way?

19. Are remarketing and audience-building settings referencing pages or behaviors that violate HIPAA?

20. Are Google Consent Mode + platform settings aligned with compliant data flows?

Why it matters:

HIPAA-compliant brands have fewer signals, which increases cost-per-lead unless the signal strategy is redesigned.

Category 5 - Signal Architecture + Optimization Strategy

“This is the hidden engine of all performance under HIPAA.”

21. Are early-intent behavioral signals being captured (scroll depth, page time, CTA interactions)?

22. Are surrogate events defined to replace restricted conversion events?

23. Is a compliant CDP transforming raw events into de-identified signals before sending them to platforms?

24. Is there a signal ladder (low → mid → high intent) powering platform optimization?

25. Are optimization events aligned with HIPAA rules and algorithmic requirements?

Why it matters:

Under HIPAA, platforms like Meta + Google can’t learn from the signals they used to rely on.

Your signal architecture replaces what the algorithms can no longer access.

Next Steps...

Most healthcare organizations are unknowingly exposed in at least 3-4 of these risk areas.

If you want an expert to review your entire marketing ecosystem — tracking, data flows, website, platform setup, and signal architecture — you can begin the full HIPAA Marketing Intelligence Diagnostic below.

This is not legal advice.

Copyright 2025. ConvergePoint Marketing LLC. All Rights Reserved.