Why we built this
In December 2022, OCR put website tracking squarely inside HIPAA enforcement.
The HHS Office for Civil Rights issued a bulletin warning HIPAA-regulated entities that tracking technologies on their websites and apps (Meta Pixel, Google Analytics, session replay tools) can disclose protected health information to the tracking vendor without authorization. A patient who visits your appointment page while logged into Facebook can be enough: the pixel fires and sends the page URL together with an identifier for that visitor to Meta, and the data leaves your control. In OCR's view that is an impermissible disclosure unless the vendor has signed a BAA or the patient has given a valid HIPAA authorization.
Since then, healthcare organizations have faced class-action lawsuits, OCR enforcement actions, and settlements exceeding $12 million over website tracking alone. The largest — a hospital system running Meta Pixel on patient portal login pages — settled for $12.25 million in 2023.
We built this scan because most practice owners have no idea what their website is transmitting. They didn’t install the tracking. Their web developer did — because that’s standard practice for every other industry. The scan gives you the same view an OCR investigator would have, in 30 seconds, for free.
40+ checks
What the scan looks for — and why OCR cares
The scan analyzes your homepage and up to five patient-facing pages (appointment booking, contact forms, patient portals) — the same pages an investigator would examine first.
Third-Party Tracking — 16 checks
Facebook Pixel, Google Analytics, Google Tag Manager, TikTok Pixel, LinkedIn Insight, Pinterest, session replay tools (Hotjar, FullStory, Microsoft Clarity, LogRocket, Mouseflow, Smartlook), Google Ads conversion tags, chat widgets (Tawk.to, Drift, Olark, LiveChat), and third-party form embeds (Typeform, Jotform, Google Forms).
OCR position: Any technology that transmits individually identifiable health information to a third party that has neither signed a BAA nor received a valid HIPAA authorization from the individual is an impermissible disclosure under the HIPAA Privacy Rule.
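The detection behind this category is pattern matching on the page's HTML: the loader script each vendor serves from a known hostname, the inline bootstrap snippet that calls it, and the third-party iframe or 1x1 image fallback. The following is an added example of that logic, not Patient Protect's scanner; the hostnames and inline calls are the publicly documented ones for each product, and the appointment page it scans is constructed for the demo with placeholder IDs.

```python
"""Detect common third-party tracking and embed scripts in a page's HTML (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# (finding name, hostnames that serve the loader, regexes for the inline bootstrap snippet)
SIGNATURES = [
    ("Meta (Facebook) Pixel", {"connect.facebook.net", "www.facebook.com"},
     [r"\bfbq\s*\(", r"connect\.facebook\.net/\S*fbevents\.js"]),
    ("Google Tag Manager", {"www.googletagmanager.com"},
     [r"googletagmanager\.com/gtm\.js", r"\bGTM-[A-Z0-9]+"]),
    ("Google Analytics", {"www.google-analytics.com"},
     [r"\bgtag\s*\(", r"google-analytics\.com/analytics\.js"]),
    ("Hotjar", {"static.hotjar.com"}, [r"\bhj\s*\(", r"\bhjid\s*:"]),
    ("Microsoft Clarity", {"www.clarity.ms"}, [r"clarity\.ms/tag/"]),
    ("TikTok Pixel", {"analytics.tiktok.com"}, [r"\bttq\.load\s*\("]),
    ("Typeform embed", {"embed.typeform.com", "form.typeform.com"}, []),
]


class _Collector(HTMLParser):
    """Gather external resource URLs and inline <script> bodies from the HTML."""

    def __init__(self):
        super().__init__()
        self.srcs = []      # src of every <script>, <iframe> and <img>
        self.inline = []    # bodies of <script> elements that have no src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "img") and a.get("src"):
            self.srcs.append(a["src"])
        if tag == "script":
            self._in_inline_script = not a.get("src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)


def detect_trackers(html: str) -> list[dict]:
    """Return [{'tracker': name, 'evidence': [...]}, ...] for every signature that matches."""
    c = _Collector()
    c.feed(html)
    c.close()
    found: dict[str, set[str]] = {}
    for url in c.srcs:
        # urlparse handles absolute and protocol-relative (//host/...) URLs;
        # site-relative paths have no hostname and never match a third-party signature
        host = (urlparse(url).hostname or "").lower()
        for name, hosts, _ in SIGNATURES:
            if host in hosts:
                found.setdefault(name, set()).add(f"resource: {url}")
    inline_js = "\n".join(c.inline)
    for name, _, patterns in SIGNATURES:
        for pattern in patterns:
            m = re.search(pattern, inline_js)
            if m:
                found.setdefault(name, set()).add(f"inline: {m.group(0)}")
    return [{"tracker": n, "evidence": sorted(e)} for n, e in sorted(found.items())]


# Constructed appointment page for the demo: GTM and Meta Pixel bootstraps inline,
# a Hotjar loader, the Meta <noscript> image fallback, and a Typeform iframe.
SAMPLE_APPOINTMENT_PAGE = """<!doctype html>
<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<script>!function(f,b,e,v,n,t,s){/* loader body omitted */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init','000000000000000');fbq('track','PageView');</script>
<script async src="https://static.hotjar.com/c/hotjar-0000000.js?sv=6"></script>
<script src="/js/app.js"></script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView"/></noscript>
<h1>Book an appointment</h1>
<iframe src="https://form.typeform.com/to/abcdef"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in detect_trackers(SAMPLE_APPOINTMENT_PAGE):
        print(finding["tracker"])
        for e in finding["evidence"]:
            print("   ", e)
```

The same page scanned with a browser's network panel would show these requests leaving on page load, which is the evidence an investigator works from; the HTML match is the cheap, passive way to find them first. Note that a GA4 property loaded through gtag.js is served from the Tag Manager hostname, so a "Google Tag Manager" finding should be read as "Google tag loader present" and followed up by reading the container.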
Website Security — 11 checks
TLS certificate validity and protocol version, HSTS headers, Content Security Policy, frame protection (X-Frame-Options or CSP frame-ancestors), MIME-type protection (X-Content-Type-Options), server version disclosure, exposed sensitive files (.env, .git/config, backup.sql), and admin login pages reachable from the internet (wp-admin, wp-login).
The Security Rule's transmission security standard (§ 164.312(e)(1)) requires safeguards against unauthorized access to ePHI sent over a network, with encryption as the expected implementation (§ 164.312(e)(2)(ii)); its access control standard (§ 164.312(a)(1)) requires that only authorized persons and programs can reach ePHI. An intake or contact form submitted over plain HTTP fails the first; a leaked .env file or database backup, or an admin login left open to the internet with no additional protection, bears on the second.
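Most of the header checks above can be decided from a single response, so they are worth encoding as a function a web team can run against staging before and after a fix. Below is an added example of that evaluation, not Patient Protect's scoring logic; the one-year HSTS minimum and the version-number regex are this example's assumptions, and both header sets are constructed to show a weak configuration beside a hardened one.

```python
"""Evaluate HTTP response headers for the Website Security checks (added example)."""
import re

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this example


def _get(headers: dict[str, str], name: str):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def check_security_headers(headers: dict[str, str], scheme: str = "https") -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if scheme != "https":
        findings.append("page served over plain HTTP: form data is unencrypted in transit")
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(f"HSTS max-age below one year: {hsts}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS without includeSubDomains: portal.<domain> and similar stay downgradable")
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    # Either header stops the page being framed on an attacker's site (clickjacking).
    frame_protected = "frame-ancestors" in (csp or "").lower() or _get(headers, "X-Frame-Options") is not None
    if not frame_protected:
        findings.append("no frame protection (X-Frame-Options or CSP frame-ancestors)")
    if (_get(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    for h in ("Server", "X-Powered-By"):
        v = _get(headers, h)
        if v and re.search(r"\d+\.\d+", v):   # a dotted version number is the disclosure
            findings.append(f"version disclosed in {h}: {v}")
    return findings


def csp_script_origins(csp: str) -> list[str]:
    """Third-party origins a CSP allows to run script (script-src, else default-src).

    Every host listed here is a vendor whose code executes on the page, i.e. the
    same set the tracking checks care about, declared by the site itself.
    """
    directives = {}
    for d in csp.split(";"):
        parts = d.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return sorted(s for s in sources if not s.startswith("'"))


# Constructed examples: a default LAMP-style response beside a hardened one.
WEAK_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=UTF-8",
}
HARDENED_HEADERS = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'; form-action 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Type": "text/html; charset=UTF-8",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, check_security_headers(hdrs) or ["all checks passed"])
```

The `form-action 'self'` directive in the hardened policy is the one that most directly protects intake forms: it stops an injected script from redirecting a submission, including the PHI typed into it, to another origin.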
Email Authentication — 3 checks
SPF records (which mail servers are allowed to send email for your domain), DMARC policy (what receiving servers should do with messages that fail authentication, and where to send reports), and whether your practice lists consumer email addresses (Gmail, Yahoo, Hotmail) for patient contact.
Without SPF and an enforcing DMARC policy (p=quarantine or p=reject), an attacker can send email that appears to come from your practice's domain and receiving servers have no instruction to block it. Phishing is consistently among the most common initial access vectors in healthcare breaches, and a message that passes as your own domain is the most convincing lure.
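The three checks in this category reduce to parsing two DNS TXT records and scanning the page text. The following is an added example of that evaluation, not Patient Protect's implementation; records are passed in as strings (constructed below, not from any real domain) so it runs offline, where a live check would first fetch the TXT records for the domain and for _dmarc.<domain>. The grading thresholds are the example's own.

```python
"""Grade SPF and DMARC records and spot consumer mailboxes on a page (added example)."""
import re

# Mechanisms that cost a DNS lookup; RFC 7208 caps a record at 10 (a "permerror" beyond that).
_LOOKUP_TERM = re.compile(r"^[-+~?]?(include:|a(:|$)|mx(:|$)|ptr|exists:|redirect=)", re.I)


def evaluate_spf(record: str) -> tuple[str, str]:
    """Return (grade, reason); grade is 'pass', 'weak' or 'fail'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("fail", "no SPF record (missing v=spf1)")
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t))
    if lookups > 10:
        return ("fail", f"{lookups} lookup terms exceed the limit of 10; receivers treat this as permerror")
    # The qualifier on 'all' decides what happens to senders not listed in the record.
    all_q = None
    for t in terms[1:]:
        m = re.fullmatch(r"([-+~?]?)all", t, re.I)
        if m:
            all_q = m.group(1) or "+"
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if all_q in ("+", None) and not has_redirect:
        return ("fail", "no restrictive 'all' mechanism: any server may send as this domain")
    if all_q == "?":
        return ("weak", "?all is neutral: spoofed mail neither passes nor fails")
    if all_q == "~":
        return ("pass", "~all softfail; pair with an enforcing DMARC policy")
    return ("pass", "-all hard fail")


def evaluate_dmarc(record: str) -> tuple[str, str]:
    """Return (grade, reason) for the TXT record published at _dmarc.<domain>."""
    if not record:
        return ("fail", "no DMARC record at _dmarc.<domain>")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return ("fail", "record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return ("weak", "p=none only monitors; spoofed mail is still delivered")
    if policy in ("quarantine", "reject"):
        if pct < 100:
            return ("weak", f"p={policy} applied to only {pct}% of failing mail")
        if "rua" not in tags:
            return ("pass", f"p={policy}; add rua= to receive aggregate reports")
        return ("pass", f"p={policy} with aggregate reporting")
    return ("fail", "missing or invalid p= tag")


def find_consumer_mailboxes(page_text: str) -> list[str]:
    """Addresses at the consumer providers the scan flags (Gmail, Yahoo, Hotmail)."""
    return re.findall(r"[\w.+-]+@(?:gmail|yahoo|hotmail)\.com", page_text, re.I)


# Constructed records for three hypothetical practices (SPF TXT, _dmarc TXT).
SAMPLES = {
    "practice-a": ("v=spf1 include:_spf.google.com ~all",
                   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    "practice-b": ("v=spf1 a mx include:spf.protection.outlook.com +all", ""),
    "practice-c": ("v=spf1 include:_spf.google.com -all",
                   "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLES.items():
        print(name, "SPF:", evaluate_spf(spf), "DMARC:", evaluate_dmarc(dmarc))
    print(find_consumer_mailboxes("Contact: frontdesk@gmail.com or info@example-dental.com"))
```

Practice B shows the failure mode that matters most: `+all` makes every sender pass SPF, so the record is worse than none, and with no DMARC record there is nothing telling receivers to reject the spoof. Practice C has a strict SPF but `p=none`, which is the monitoring stage most domains never leave.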
Required Documents — 2 checks
Scans all discovered pages and probes common paths (/privacy-policy, /hipaa-privacy, /legal) for your Notice of Privacy Practices and privacy policy.
The Privacy Rule (§ 164.520) requires covered entities to provide their NPP and, if they maintain a website describing their services, to post it prominently there. A missing NPP is one of the first things OCR checks during an investigation.
The other 80%
Your website is roughly 20% of HIPAA. What about the rest?
This scan examines what’s visible from outside your practice — the technical safeguards an investigator can see without walking through your door. But most HIPAA obligations live inside: policies, workforce training, Business Associate Agreements, access controls, risk assessments, and incident response plans.
The website issues this scan finds are the ones your web developer can fix. The internal compliance work is what Patient Protect is built for — continuous monitoring, automated task management, and live scoring across every HIPAA requirement, starting at $39/month.
Frequently Asked Questions
Common questions about the scan
What does this scan actually check?
The scan analyzes your website from the outside — the same perspective a patient or an OCR investigator would have. It checks for third-party tracking technologies (like Facebook Pixel and Google Analytics), security configurations (encryption, security headers), email authentication (SPF, DMARC), exposed admin pages, and whether required HIPAA documents like your Notice of Privacy Practices are posted.
Is this scan safe? Will it affect my website?
Yes. The scan only fetches publicly reachable pages with ordinary HTTP GET requests, the same requests a browser makes, plus a short fixed list of common paths (a privacy policy URL, a stray .env or .git/config file). No credentials are used, nothing is submitted or modified, and nothing is exploited. It's the digital equivalent of walking past your office and reading the sign on the door.
Why does my practice website matter for HIPAA compliance?
Your website is often the first point of contact between patients and your practice. If it runs tracking technologies like Facebook Pixel or Google Analytics on pages where patients book appointments or fill out contact forms, those tools may be transmitting protected health information to third parties without authorization. The HHS Office for Civil Rights issued a bulletin in December 2022 specifically addressing this issue, and multiple healthcare organizations have faced enforcement actions.
My website was built by a professional. Do I still need to scan it?
Yes. Most web developers are not HIPAA specialists. They install standard marketing tools — Google Analytics, Facebook Pixel, session recorders — that are perfectly appropriate for a restaurant or retail store, but create compliance risks on a healthcare provider's site. The scan identifies these gaps so you can share specific findings with your web team.
What's the difference between this scan and a HIPAA risk assessment?
This scan looks at the outside of your practice — your public-facing website. A HIPAA risk assessment examines the inside — your policies, training, Business Associate Agreements, access controls, and documentation. Both matter. This scan covers roughly 20% of your HIPAA obligations (the technical safeguards visible from outside). The other 80% requires an internal assessment, which is what Patient Protect's platform is built to guide you through.
Will Patient Protect fix the issues this scan finds?
The website-specific issues (tracking pixels, security headers, missing policies on your site) need to be addressed by your web developer or IT provider — we provide the specific findings and recommended actions to share with them. Patient Protect focuses on the internal compliance infrastructure: policies, BAA tracking, risk assessments, workforce training, and continuous monitoring. We advise on the website issues, but our platform addresses the operational foundation that OCR actually audits.
What does my score mean?
Your score reflects the public-facing HIPAA standing of your website on a 0–100 scale. An A means your website shows strong attention to patient privacy and security. A D or F means we observed issues that OCR has specifically targeted in enforcement actions. The score is based on what's visible from outside — the compliance areas you can't see from outside (policies, training, BAAs) are equally important but require an internal assessment.
Is my scan data kept private?
Yes. Your scan results are not published, shared, or visible to anyone except you. Patient Protect does not maintain a public directory of scan results, and we never use individual practice names in any public context. We may aggregate anonymized scan data for compliance research — but your practice is never identified.
Next step
Fix the gaps this scan found — continuously.
Patient Protect monitors your compliance standing daily — risk assessments, vendor BAA tracking, workforce training, and breach prevention. Starting at $39/mo. 14-day free trial.