HIPAA-Compliant Marketing for Medical Practices: What Actually Matters
Every marketing agency that works with doctors will tell you they're "HIPAA compliant." Most of them are wrong. Not because they're lying, but because they don't actually understand what HIPAA requires when patient data touches a marketing system. Here's what you need to know and what to demand from anyone running ads for your practice.
Short Answer
HIPAA-compliant marketing means every system that collects, stores, transmits, records, analyzes, or reports patient identifiers is covered by a Business Associate Agreement and protected with encryption, access controls, audit logging, and retention policies. A privacy policy or compliance badge is not enough, especially for call tracking, landing pages, analytics, and form submissions.
- A marketing vendor that handles PHI for a medical practice needs a signed BAA.
- Call recordings, appointment forms, phone numbers tied to appointment requests, and booking data can all become PHI.
- HIPAA-compliant call tracking requires BAA coverage, encryption, restricted access, audit logging, and defined retention.
- The entire subcontractor chain matters; one non-compliant tool can break the workflow.
| Question | Answer |
|---|---|
| Core document | Business Associate Agreement |
| High-risk marketing data | Call recordings, forms, phone numbers, appointment requests, tracking data tied to care |
| Common weak point | Call tracking or form routing through tools without BAA coverage |
| Minimum technical controls | Encryption, access controls, audit logs, retention rules |
Last updated: May 1, 2026
HIPAA and Marketing: The Part Most People Get Wrong
HIPAA doesn't ban advertising. It doesn't prevent you from running Google Ads or collecting form submissions on a landing page. What it does is set strict rules about how Protected Health Information (PHI) gets handled by anyone who touches it, including your marketing vendors.
PHI isn't just medical records. In a marketing context, PHI includes:
- A patient's name paired with the fact that they called your practice
- A phone number associated with a medical appointment request
- A form submission that says "I need a consultation for my child's dental issue"
- A call recording where a patient discusses symptoms
- An IP address or device identifier tied to a visit to your practice's booking page (IP address is one of the 18 identifiers in HIPAA's de-identification standard)
The moment a marketing system collects, stores, transmits, or processes any of that data, HIPAA applies. And the company handling it becomes a Business Associate, whether they realize it or not.
The Business Associate Agreement: Your First and Most Basic Test
If a vendor creates, receives, maintains, or transmits PHI on your behalf, the HIPAA Privacy and Security Rules require a Business Associate Agreement (BAA) before they touch it. This isn't optional, and it's not a nice-to-have: the HITECH Act made business associates directly liable for their own violations, so an agency without a BAA is exposed right alongside the practice.
A BAA establishes that the vendor will:
- Protect PHI using appropriate administrative, physical, and technical safeguards
- Report any breaches within the required timeframe
- Only use PHI for the purposes outlined in the agreement
- Ensure their own subcontractors (sub-business associates) are also compliant
- Return or destroy PHI when the contract ends
The simple test: Ask your marketing agency if they'll sign a BAA. If they hesitate, can't produce one, or say "we don't need one because we don't handle medical records," that tells you everything. A company that runs ads, tracks calls, and collects form submissions for a medical practice handles PHI. Period.
We sign a BAA with every practice we work with. It's the first document in our onboarding packet, not an afterthought we produce when someone asks.
What a Non-Compliant Marketing Setup Actually Looks Like
The problem is that most marketing agencies use the same tools for medical practices that they use for restaurants and law firms. Those tools were never designed to handle PHI, and they have no BAA coverage.
Here's what a typical non-compliant setup looks like in practice:
Google Analytics without a BAA
Standard Google Analytics (GA4) is not HIPAA compliant. Google states plainly that GA is not a HIPAA-covered product and that customers must not send PHI to it. When a patient visits your booking page and that hit is sent to Google's servers with the IP address, the GA client ID cookie, or a page URL that contains a patient name or condition, that's a disclosure of PHI to a vendor with no BAA, which is a HIPAA violation.
Some agencies will say "we anonymize the data." Google Analytics doesn't give you the controls needed to guarantee PHI never reaches their servers. Google does offer HIPAA-compliant analytics through Google Cloud and will sign a BAA for certain products, but standard GA4 isn't one of them.
Call tracking on non-compliant servers
Your marketing agency sets up call tracking to measure which ads generate phone calls. Good. But where do those call recordings get stored? Who has access to them? Are they encrypted at rest and in transit?
Most call tracking platforms (CallRail, CallTrackingMetrics, etc.) store recordings on their own infrastructure. Some of these companies will sign BAAs. Many agencies don't bother to check, and they definitely don't verify that the entire chain from recording to storage to playback is encrypted and access-controlled.
A call recording where a parent says "I need to schedule my daughter Emma's follow-up appointment for her asthma" is PHI. Full stop. That recording sitting on a server without proper encryption, access logging, and a BAA is a violation.
Form submissions through standard email
A patient fills out a "Request an Appointment" form on your landing page. The form data, which includes their name, phone number, and reason for visit, gets emailed to the practice over ordinary SMTP: opportunistic TLS at best, no access controls on the mailbox, and the message sits in a Gmail inbox alongside newsletters and spam.
This is one of the most common violations we see. Standard email is not a compliant transport for PHI unless the mail provider has a BAA in place, the message is encrypted in transit, and the mailbox itself is access-controlled and covered by that BAA. Google Workspace will sign a BAA, but only on a paid plan where an admin has actually accepted the agreement and the covered services are configured. Free Gmail accounts don't qualify.
Real risk: HHS civil penalties currently run from $141 per violation up to a calendar-year cap of $2,134,831 per violated provision (the 2024 inflation-adjusted amounts), tiered by level of culpability, and a breach affecting multiple patients compounds quickly. In 2024, an Indiana dental practice paid $350,000 to settle an HHS OCR investigation into inadequate safeguards for patient data.
Call Tracking: Where Most Agencies Fail
Call tracking is the backbone of measuring ROI on digital advertising for medical practices. You need to know which ads generate real phone calls and which of those calls become booked patients. But every step of that process involves PHI.
A compliant call tracking system needs to handle these requirements:
- Encrypted transmission: The call audio must be encrypted from the moment it's captured to the moment it's played back: SRTP for the live media, and TLS 1.2 or later on every HTTPS hop (upload to storage, transcription, playback in the dashboard).
- Encrypted storage: Call recordings at rest must be encrypted with keys managed by a compliant key management system (like AWS KMS). Not just "the server has disk encryption."
- Access controls: Only authorized users should be able to access recordings. Role-based access, audit logging, automatic session expiration.
- BAA coverage at every layer: The cloud provider (AWS, GCP, Azure), the call platform, the transcription service, any AI that analyzes the calls. Every system that touches the audio needs BAA coverage.
- Retention policies: Recordings can't sit around forever. There need to be defined retention periods with automated deletion.
We built our call tracking infrastructure on AWS and process everything through Amazon Chime SDK. AWS will sign a BAA, but it covers only the services on AWS's HIPAA Eligible Services list, so every service in the chain has to be on that list; Chime SDK, S3, KMS, Transcribe, and Bedrock are. Call recordings are encrypted with AWS KMS, stored in S3 buckets with strict access policies, and transcribed using Amazon Transcribe. AI analysis runs through Amazon Bedrock. Every single layer has BAA coverage.
That's what compliant call tracking looks like. It's not a third-party plugin bolted onto a WordPress site.
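Here is what a practitioner can actually check when an agency says "AWS S3, encrypted with KMS." The script below is an added example, not the agency's code: a stdlib-only Python audit of an S3 bucket configuration against the five requirements listed above (TLS-only access with a 1.2 floor, SSE-KMS with a named customer-managed key enforced both as the bucket default and on every upload, public access blocked, access logging on, and a lifecycle rule that expires recordings). It reads the same JSON shapes the AWS CLI returns; the bucket name, key ARN, and both sample configurations are constructed placeholders, and a real audit would feed it the output of the corresponding aws s3api get-bucket-* calls.

```python
"""Audit a call-recording S3 bucket against the controls listed above.
The input dict mirrors the JSON the AWS CLI returns for get-bucket-policy,
get-bucket-encryption, get-bucket-lifecycle-configuration,
get-public-access-block and get-bucket-logging. Both sample configs below are
constructed for this example; bucket and key ARNs are placeholders."""
import json

BUCKET_ARN = "arn:aws:s3:::example-call-recordings"                     # placeholder
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"  # placeholder


def _denies(policy):
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Deny"]


def _cond(stmt, operator, key):
    """Value of Condition[operator][key] on a statement, or None."""
    return stmt.get("Condition", {}).get(operator, {}).get(key)


def audit_recording_bucket(cfg):
    """Return a list of findings; an empty list means every control is present."""
    findings = []
    policy = json.loads(cfg["policy"]) if cfg.get("policy") else {"Statement": []}
    denies = _denies(policy)

    # Encrypted transit: deny plaintext HTTP and anything below TLS 1.2.
    if not any(str(_cond(s, "Bool", "aws:SecureTransport")).lower() == "false" for s in denies):
        findings.append("no Deny for non-TLS requests (aws:SecureTransport)")
    tls_floor = [_cond(s, "NumericLessThan", "s3:TlsVersion") for s in denies]
    if not any(v is not None and float(v) >= 1.2 for v in tls_floor):
        findings.append("no Deny for TLS below 1.2 (s3:TlsVersion)")

    # Encrypted storage: SSE-KMS with a named customer-managed key as the bucket
    # default, plus a Deny on uploads that don't request SSE-KMS. SSE-S3 (AES256)
    # is the "server has disk encryption" case the text warns about.
    defaults = [r.get("ApplyServerSideEncryptionByDefault", {})
                for r in cfg.get("encryption", {}).get("Rules", [])]
    if not any(d.get("SSEAlgorithm") == "aws:kms" and d.get("KMSMasterKeyID") for d in defaults):
        findings.append("default encryption is not SSE-KMS with a customer-managed key")
    if not any(_cond(s, "StringNotEquals", "s3:x-amz-server-side-encryption") == "aws:kms"
               and "s3:PutObject" in s.get("Action", []) for s in denies):
        findings.append("uploads without SSE-KMS are not denied")

    # Access controls: nothing in this bucket may ever be public.
    pab = cfg.get("public_access_block", {})
    if not all(pab.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                    "BlockPublicPolicy", "RestrictPublicBuckets")):
        findings.append("public access block is not fully enabled")

    # Audit logging: who fetched which recording, and when.
    if not cfg.get("logging", {}).get("LoggingEnabled"):
        findings.append("server access logging is disabled")

    # Retention: at least one enabled rule that actually expires objects.
    rules = cfg.get("lifecycle", {}).get("Rules", [])
    if not any(r.get("Status") == "Enabled" and r.get("Expiration", {}).get("Days") for r in rules):
        findings.append("no enabled lifecycle rule expires recordings")
    return findings


HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
     "Condition": {"NumericLessThan": {"s3:TlsVersion": 1.2}}},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
]})

HARDENED_CONFIG = {   # constructed: what the answer "S3 + KMS + access logging" should mean
    "policy": HARDENED_POLICY,
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KMS_KEY_ARN}, "BucketKeyEnabled": True}]},
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-access-logs",
                                   "TargetPrefix": "recordings/"}},
    "lifecycle": {"Rules": [{"ID": "expire-recordings", "Status": "Enabled",
                             "Filter": {"Prefix": ""}, "Expiration": {"Days": 365}}]},
}

WEAK_CONFIG = {   # constructed: SSE-S3 only, no bucket policy, no logging, no expiry
    "policy": None,
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "logging": {},
    "lifecycle": {"Rules": []},
}

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_recording_bucket(cfg) or ["OK"])
```

The weak configuration is exactly the "the server has disk encryption" answer: objects are encrypted, but with an S3-managed key nobody controls or can revoke, anyone with s3:GetObject on the bucket can pull a recording over plain HTTP, and nothing records that they did. Server access logging is only half of the audit trail; a CloudTrail data-event trail on the bucket (not checked here) is the other half.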
Landing Pages and Form Submissions
When you're running Google Ads for your pediatric practice, patients click your ad and land on a page where they either call or fill out a form. Both actions generate PHI.
Landing page compliance
The landing page itself needs to be hosted on compliant infrastructure. That means:
- HTTPS everywhere (this is table stakes, but you'd be surprised)
- Hosting on a platform covered by a BAA
- No third-party scripts that transmit visitor data to non-compliant services (this rules out most analytics tools, chat widgets, heatmap tools, and retargeting pixels in their default configurations)
- No session recording, or if you use it, a tool that stores its data on compliant infrastructure with appropriate access controls
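Checking the third-party-script rule by hand is error-prone, so here is an added example (not code from the original page) that does it mechanically: a stdlib Python script that lists every script, image, iframe, and stylesheet a landing page fetches from a host you don't control, names the known trackers among them, flags inline tracker calls, and emits the Content-Security-Policy header that makes the browser refuse any script host not on your allowlist. The sample page, the first-party hostname, and the GA/pixel IDs are constructed placeholders; the tracker hostnames are the real loader hosts those products use.

```python
"""Find third-party resources and inline tracker calls on a landing page.
Stdlib only. The sample page, first-party hostname and IDs below are
constructed for this example (G-XXXXXXX and the pixel ID are placeholders)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loader hosts that ship visitor data to vendors with no BAA in their default setup.
KNOWN_TRACKERS = {
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel script",
    "www.facebook.com": "Meta Pixel image beacon",
    "static.hotjar.com": "Hotjar session recording",
    "snap.licdn.com": "LinkedIn Insight Tag",
}
# Calls that identify a tracker even when its loader is inlined or renamed.
INLINE_MARKERS = ("gtag(", "fbq(", "dataLayer", "hj(")


class _ResourceCollector(HTMLParser):
    TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []        # (tag, url) for every external fetch
        self.inline_scripts = []   # bodies of <script> blocks without src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = self.TAGS.get(tag)
        if attr and a.get(attr):
            self.resources.append((tag, a[attr]))
        self._in_inline_script = tag == "script" and not a.get("src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.inline_scripts.append(data)


def audit_landing_page(html, first_party_hosts):
    """Return one finding per resource or inline call that leaves your infrastructure."""
    parser = _ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.resources:
        host = urlparse(url).netloc.lower()
        if not host or host in first_party_hosts:
            continue   # relative URL, or an allowlisted host you control
        findings.append({"tag": tag, "host": host, "url": url,
                         "what": KNOWN_TRACKERS.get(host, "unknown third party")})
    for body in parser.inline_scripts:
        hits = [m for m in INLINE_MARKERS if m in body]
        if hits:
            findings.append({"tag": "inline-script", "host": None, "url": None,
                             "what": "inline tracker call: " + ", ".join(hits)})
    return findings


def script_src_csp(first_party_hosts):
    """A Content-Security-Policy that makes the browser refuse any script, XHR or
    image host not on the allowlist, so a tag pasted in later fails instead of leaking."""
    hosts = " ".join("https://" + h for h in sorted(first_party_hosts))
    return (f"default-src 'self'; script-src 'self' {hosts}; "
            f"connect-src 'self' {hosts}; img-src 'self'")


FIRST_PARTY = {"forms.example-practice.com"}   # constructed allowlist

SAMPLE_PAGE = """<!doctype html><html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-XXXXXXX');
</script>
<link rel="stylesheet" href="/static/site.css">
<script src="https://static.hotjar.com/c/hotjar-000000.js?sv=6"></script>
</head><body>
<form action="/api/appointment" method="post"><button>Request an appointment</button></form>
<script src="https://forms.example-practice.com/app.js"></script>
<img src="https://www.facebook.com/tr?id=000000000&ev=PageView" height="1" width="1">
</body></html>"""

if __name__ == "__main__":
    for f in audit_landing_page(SAMPLE_PAGE, FIRST_PARTY):
        print(f["tag"], f["host"] or "-", f["what"])
    print("Content-Security-Policy:", script_src_csp(FIRST_PARTY))
```

The CSP it emits has no 'unsafe-inline', so the GA4 snippet above would fail to execute rather than quietly send a hit; if a page genuinely needs an inline script, give it a nonce. The parser only sees the HTML you feed it, so a tag manager that injects scripts at runtime needs a second pass against the rendered DOM (or simply isn't allowed on the page).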
Form submission handling
When a patient submits a form with their name, phone number, and reason for visit, that data needs to:
- Travel over an encrypted connection (HTTPS + TLS)
- Hit a backend that's covered by a BAA
- Get stored in an encrypted database with access controls
- Never pass through a non-compliant intermediary (like a standard email relay or a Zapier webhook)
Our form submissions go straight from the landing page to an API Gateway endpoint, into a Lambda function, and into DynamoDB. All on AWS, all covered by our BAA. The practice gets notified through a compliant channel. No patient data ever touches a third-party server we don't control.
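The one design decision in that path that the description leaves implicit is what the notification carries. The handler below is an added example written for this page, not the agency's Lambda: it validates the submission, writes the full record to the table, and then notifies the practice with nothing but an opaque reference, so even the notification channel never holds a name, phone number, reason for visit, or IP. The table and the notifier are injected so it runs offline; in a real deployment the table would be a boto3 DynamoDB Table on an SSE-KMS-encrypted table and the notifier would post to the BAA-covered channel. The sample events are constructed.

```python
"""Form handler for the path above: API Gateway -> Lambda -> DynamoDB.
Example code, not the agency's. The store and notifier are injected so it runs
offline; MemoryStore mirrors boto3's Table.put_item. Sample events are constructed."""
import json
import re
import secrets
import time

PHONE_RE = re.compile(r"^\+?[0-9 ()\-.]{7,20}$")
MAX_REASON_CHARS = 500
REQUIRED = ("name", "phone", "reason")


class MemoryStore:
    """Stand-in for the (SSE-KMS encrypted) DynamoDB table."""
    def __init__(self):
        self.items = {}

    def put_item(self, Item):
        self.items[Item["id"]] = Item


def validate(body):
    """Reject malformed submissions before anything is stored or sent."""
    errors = [f"{f} is required" for f in REQUIRED
              if not isinstance(body.get(f), str) or not body[f].strip()]
    if errors:
        return errors
    if not PHONE_RE.match(body["phone"].strip()):
        errors.append("phone is not a valid number")
    if len(body["reason"]) > MAX_REASON_CHARS:
        errors.append(f"reason exceeds {MAX_REASON_CHARS} characters")
    return errors


def _response(status, payload):
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json", "Cache-Control": "no-store"},
            "body": json.dumps(payload)}


def handle_form(event, table, notify):
    """API Gateway proxy event in, proxy response out. Never logs the body."""
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return _response(400, {"errors": ["body is not valid JSON"]})
    if not isinstance(body, dict):
        return _response(400, {"errors": ["body must be a JSON object"]})
    errors = validate(body)
    if errors:
        return _response(400, {"errors": errors})

    query = event.get("queryStringParameters") or {}
    identity = event.get("requestContext", {}).get("identity", {})
    record = {
        "id": secrets.token_urlsafe(16),         # opaque reference, not a patient identifier
        "received_at": int(time.time()),
        "name": body["name"].strip(),
        "phone": body["phone"].strip(),
        "reason": body["reason"].strip(),
        "source_ip": identity.get("sourceIp"),   # PHI once tied to a request: stays in the table
        "campaign": query.get("utm_campaign"),   # attribution for ROI reporting
    }
    table.put_item(Item=record)

    # Minimum necessary: the alert to the practice (and any chat or email tool
    # behind it) carries only a reference; staff open the record in the
    # BAA-covered dashboard. Name, phone, reason, IP and campaign stay in the table.
    notify({"event": "appointment_request", "id": record["id"],
            "received_at": record["received_at"]})
    return _response(202, {"id": record["id"]})


SAMPLE_EVENT = {   # constructed API Gateway (REST, proxy integration) event
    "httpMethod": "POST",
    "queryStringParameters": {"utm_campaign": "spring-checkups"},
    "requestContext": {"identity": {"sourceIp": "203.0.113.10"}},
    "body": json.dumps({"name": "Jane Example", "phone": "(555) 010-0100",
                        "reason": "Follow-up visit for my daughter"}),
}
BAD_PHONE_EVENT = dict(SAMPLE_EVENT, body=json.dumps(
    {"name": "Jane Example", "phone": "call me", "reason": "Follow-up"}))

if __name__ == "__main__":
    store, alerts = MemoryStore(), []
    print(handle_form(SAMPLE_EVENT, store, alerts.append))
    print("alert sent to practice:", alerts[0])
```

The campaign tag is kept out of the alert deliberately: a campaign name like "pediatric-asthma" is itself a condition once it's attached to a person, so attribution is reported from the table, not from the notification stream. The same rule applies to Lambda's own logging: nothing here prints or logs the request body, because CloudWatch Logs would otherwise become one more system holding PHI.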
The Subcontractor Problem
Here's something most practices don't think about: your marketing agency's compliance is only as strong as their weakest vendor.
If your agency signs a BAA with you but then uses a call tracking tool that doesn't sign a BAA with them, you still have a problem. HIPAA requires a business associate to flow the same obligations down to every subcontractor that handles PHI, through a BAA of its own. Think of it as a chain of custody for the data, and that chain breaks constantly in marketing.
A typical marketing agency might use:
- Google Ads (no BAA; Google doesn't offer one for Ads, so any conversion data you send back must carry no PHI)
- A landing page builder like Unbounce or Instapage (check their BAA status carefully)
- CallRail or similar for call tracking (some offer BAAs, many agencies don't activate them)
- Zapier to connect form submissions to a CRM (no BAA available)
- Slack for internal notifications about new leads (BAA only on Enterprise Grid; free, Pro, and Business+ workspaces don't qualify)
- Google Sheets to track patient conversions (no BAA unless part of a properly configured Workspace)
If patient data flows through any of those non-compliant links, the entire chain is broken.
Why we built our own infrastructure: We didn't want to depend on a patchwork of third-party tools with questionable compliance. Our entire stack runs on AWS under a single BAA. Call tracking, form submissions, landing page hosting, data storage, call recordings, AI transcription. All of it. When we tell a practice "your data is compliant," we can prove it at every layer because we built every layer.
What to Ask Your Marketing Agency
If you're evaluating a marketing partner or auditing your current one, here are the questions that matter. Don't accept vague answers.
- "Will you sign a BAA?" If no, walk away. If yes, read it. Make sure it covers all the services they provide, not just one piece.
- "Where are call recordings stored, and who has access?" You want specific answers: "AWS S3, encrypted with KMS, access limited to authorized dashboard users with audit logging." Not "on our servers" or "in the cloud."
- "How do form submissions get processed?" Follow the data path. Form to server to database to notification. Every step needs BAA coverage.
- "What third-party tools touch patient data?" Get the full list. Then check whether each one has a BAA in place. If they use Zapier, Make.com, or any automation tool to route patient data, that's a red flag.
- "How do you handle breach notification?" They should have a documented incident response process. The HIPAA Breach Notification Rule caps business-associate-to-practice notice at 60 days from discovery, and most BAAs set a much shorter window. Your agency should be able to tell you exactly how that process works.
- "Can I see your compliance documentation?" Risk assessments, security policies, employee training records. A company that takes HIPAA seriously has this documentation ready. A company that's faking it will stall.
- "Do you use standard Google Analytics on my landing pages?" If yes, ask them how they prevent PHI from reaching Google's servers. Most can't answer this question.
The Difference Between Compliant and "Compliant"
There's a pattern we see constantly: an agency puts "HIPAA Compliant" on their website, and when you dig into what that actually means, it turns out they use the same Unbounce landing pages, the same CallRail tracking, and the same Gmail notifications as every other agency. They've maybe added a privacy policy to their website. That's it.
Real HIPAA compliance for marketing means:
- A signed BAA covering all services
- End-to-end encryption for all PHI in transit and at rest
- Access controls with audit logging on every system that handles patient data
- BAA coverage for every subcontractor and tool in the data chain
- Documented security policies and regular risk assessments
- Employee training on HIPAA requirements
- Incident response and breach notification procedures
It's not a badge you slap on your homepage. It's an infrastructure decision you make from day one and maintain every day after.
We built Unlock Patients specifically for medical practices because we understood that compliance couldn't be an afterthought. Our call tracking, landing pages, form handling, and reporting all run on AWS infrastructure under a BAA. We don't use third-party tools that can't prove compliance. Every call recording is encrypted. Every form submission stays within our compliant environment. We sign a BAA with every practice before a single ad goes live.
That's the standard. Don't settle for less.
Frequently Asked Questions
Does a medical marketing agency need to sign a BAA?
Yes, if the agency handles PHI such as call recordings, appointment form submissions, patient identifiers, or booking data on behalf of the practice.
Is call tracking HIPAA-compliant for pediatric practices?
Call tracking can be HIPAA-compliant only if the platform and every system touching the recording or call data are covered by a BAA and protected with proper safeguards.
Is a privacy policy enough for HIPAA-compliant marketing?
No. A privacy policy does not replace a BAA, encryption, access controls, audit logging, or compliant handling of patient data.
Ready to Work with a Marketing Partner That Takes Compliance Seriously?
We sign BAAs with every practice, built our own compliant infrastructure on AWS, and track real patient bookings from your ads. See the results for yourself.