Insight

HIPAA-Conscious Analytics and Call Tracking for Healthcare

July 14, 2026 · 4 min read

The letter from the Office for Civil Rights

A mid-sized health system got a letter it did not expect. An investigation had found that the tracking code on its appointment pages, the ordinary Meta and Google pixels its marketing team had installed years earlier, was transmitting information about which patients viewed which condition pages and which ones booked. That data had flowed into advertising platforms the patients never authorized. The technical setup was completely standard, the kind of thing on thousands of healthcare sites. That was exactly the problem. Standard, in healthcare, can be a violation.

This is not a hypothetical or a scare story. Regulators have issued specific guidance on tracking technologies, hospitals have settled, and class actions have followed. If your site handles anything a patient would consider private, the way you measure it is a compliance question, not just a marketing one. The good news is that you can measure honestly and stay compliant. It just has to be built deliberately.

What counts as PHI on a website

People underestimate how easily ordinary web data becomes protected health information. PHI is not only a name and a diagnosis together. It is any information that can identify a person combined with something about their health or care. On a website that happens constantly. An IP address plus a visit to a page about a specific cancer treatment. A device identifier plus a booking confirmation for an oncology consult. A phone number captured on a form about substance use treatment.

Standard analytics and advertising tools were built to collect exactly these identifiers, because in retail that is how you retarget a shopper. In healthcare, the same collection turns a page view into a disclosure of someone’s medical situation to a third party with no right to it. The identifier and the health context do not have to be in the same field. If they can be connected, and these platforms exist to connect things, you have a problem.

The advertising pixels are the sharpest risk

The most common exposure is the marketing pixel dropped site-wide. A pixel’s entire purpose is to send behavioral data back to an ad platform so it can build audiences and optimize campaigns. On a plumber’s site that is fine. On a page about a health condition, or a booking flow, or a patient portal login, that same pixel can ship health-revealing behavior straight into an ad account, often without anyone on the marketing team realizing what is being transmitted.

The fix is not to abandon measurement. It is to draw a firm line. Pages that carry health context, condition pages, symptom checkers, booking confirmations, portal areas, get no third-party marketing pixels at all. General pages with no health signal can be handled more normally, but even there the safer default is server-side control over what leaves the site, so you decide exactly what is shared rather than letting a script decide for you. Building the site so that line is enforced structurally, not by hoping nobody pastes a tag in the wrong place, is part of doing web design and development properly for a medical client.

Call tracking without the leak

Phones still book a large share of medical appointments, so practices want to know which channels drive calls. Call tracking can do that, and it can also quietly create PHI. The moment a call-tracking system records the call, transcribes it, stores the reason for the visit, and ties that to a marketing source inside a platform that is not covered by a business associate agreement, you have routed protected health information through an uncovered vendor.

Compliant call tracking is entirely achievable, but the details decide it:

  • A signed business associate agreement with any vendor that could touch call data, no exceptions.
  • No call recordings or transcripts flowing into advertising or analytics platforms.
  • Source attribution kept separate from anything about the patient’s health or reason for calling.
  • Data retention limited to what you genuinely need, deleted on a real schedule.

Done this way you still learn that, say, organic search drove more calls than paid last month, which is the thing you actually needed to know, without recording anyone’s medical business in a place it does not belong.

You can still measure what matters

The fear that compliance means flying blind is misplaced. Everything a practice needs to run its marketing well can be measured within the lines. Aggregate traffic and rankings do not require personal identifiers. Conversion counts can be handled server-side so the sensitive part never leaves your control. First-party intake questions, asking new patients how they found you, often beat pixel-based attribution anyway, and they carry no third-party exposure at all.

The practices that get burned are not the ones that measured too much. They are the ones that measured carelessly, pasting the same tags a marketing agency would use for a car dealership onto pages about people’s health. The work is to keep the analytics that inform your decisions strictly walled off from the advertising systems that could misuse them, and to build that separation into the site rather than bolting it on after a letter arrives.

Where North Sea comes in

We build healthcare websites and measurement setups that respect the line between useful data and protected health information, because we would rather you sleep at night than chase a marginally richer dashboard. We do the technical work ourselves, we understand where the tags go and where they must never go, and we set it up so the compliant path is the default one. You can see how this fits the broader approach in our healthcare work.

If you are not certain what your current tracking is sending, and most practices are not, start a project with us and let’s make it safe and still useful.

Let’s build something that performs.

Tell us where you are and where you want to go — we’ll come back with a plan, not a calendar invite.