Adam Putterman
Choosing a HIPAA-compliant customer data platform (CDP) is a high-stakes decision for any healthcare company. The wrong choice can mean compliance violations, data breaches, engineering headaches, performance drops, or integration failures.
This guide breaks down every key question you should ask when evaluating a vendor, covering compliance, data control, implementation complexity, pricing, and long-term viability.
If a vendor can’t confidently answer these, consider it a red flag. We’ll start with a few must-asks and then end with a comprehensive list.
Must-Ask Questions Before Signing a Healthcare Privacy Platform / CDP Contract
1. Features & Destinations: What’s Included vs. What’s Not?
Not all CDPs support the same destinations or functionalities. Get clarity on:
Which third-party destinations (analytics, ad platforms, CRMs, EHRs, call tracking tools, etc.) are included?
Do you offer privacy-safe alternatives for embedded maps or video hosting? If so, do they cost extra? (A stock third-party map widget or video player loads from the provider's domain and discloses the visitor's IP address and the page URL to that provider, which is exactly the kind of disclosure a healthcare site needs to avoid.)
Do they support first-party data connections for better privacy control and performance?
How customizable is the platform when it comes to tracking, mapping, and sending data?
If a key integration isn’t included, what’s the process for adding it?
Can you control data flows / modifications per destination?
2. Support & Customer Service: What Do They Charge For?
Is customer support included, or do they charge extra?
What’s their response time for critical issues?
Is there dedicated support, or will you be routed through generic ticketing systems?
Do they offer technical implementation help, or is that an added cost?
What’s the SLA (Service Level Agreement) for uptime and support response?
3. Implementation Time & Cost: How Long and How Expensive?
What’s the expected implementation time?
How much engineering effort is required?
Can they migrate existing CDP setups easily?
What ongoing engineering resources are needed for maintenance and updates?
Are there any hidden costs for onboarding, training, or setup assistance?
Comprehensive Questions Before Signing a Healthcare Privacy Platform / CDP Contract
4. Pricing & Contract Terms
Avoid pricing surprises by getting clear answers on:
Do you charge overages on MTUs (Monthly Tracked Users)?
If we receive bot traffic or fraudulent clicks, are those users still billed against our MTU count?
What’s the payment cadence? Monthly, quarterly, annual?
What are the cancellation terms?
If we need to redline the BAA or main contract, what’s the process & cost?
5. Compliance: Is the Platform Truly HIPAA-Compliant?
HIPAA compliance isn’t just about signing a BAA; it’s about ensuring the entire data lifecycle is secure, from collection through deletion. Ask:
Do you sign a BAA?
How do you handle data deletion? Is it automatic or manual?
How soon do you notify customers of a breach? The Breach Notification Rule (45 CFR 164.410) requires a business associate to notify the covered entity without unreasonable delay and no later than 60 days after discovery; a good BAA commits to a much shorter window, so ask which window the vendor will actually sign.
Do you use contractors, and how do you ensure they comply with HIPAA?
Do you have a current SOC 2 Type II report, and will you share it under NDA? (SOC 2 is an attestation report, not a certification; a Type II report covers controls operating over a period, while a Type I only covers their design at a point in time.)
What audit logs and security controls do you provide for compliance tracking?
6. Data Control & Performance: Can You Control What Gets Sent?
A good CDP should let you control data flows per event, per destination and offer reliable delivery. Ask:
Can we control what data gets sent per event, per destination?
Are all connections and events server-side, or do some destinations still load client-side scripts or pixels in the visitor's browser?
Can we use first-party domains to maintain better privacy and data integrity?
Can we connect CDP data to offline booking systems or EHRs?
Do you support multi-region data routing?
Is there a CDN for faster loading speeds?
What happens if an event delivery fails? Is there an automated retry system?
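The two questions above that matter most in practice, per-destination control over what leaves and automatic retry when delivery fails, are easy to ask and hard to verify. The following is an added example, written for this guide and not code from any vendor or from Ours Privacy, of what a deny-by-default per-destination filter and a retry wrapper look like. The field names, the sample event, the PHI field list and the destination policies are all constructed assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

# Fields this example treats as PHI-bearing. Illustrative assumption, not a
# complete list of the HIPAA identifiers; a real deployment needs its own inventory.
PHI_FIELDS = frozenset({"appointment_reason", "diagnosis", "mrn", "dob", "ip"})


@dataclass(frozen=True)
class DestinationPolicy:
    name: str
    allowed_fields: frozenset[str]   # deny by default: unlisted keys never leave
    covered_by_baa: bool = False     # only BAA-covered destinations may receive PHI


class DeliveryError(Exception):
    """Raised by a sender when the destination rejects or times out."""


def filter_event(event: dict, policy: DestinationPolicy) -> tuple[dict, list[str]]:
    """Return (payload, dropped_keys) for one destination.

    Two rules, applied in order: PHI fields are dropped unless the destination
    is covered by a BAA, then anything not on the allowlist is dropped. Putting
    a PHI field on a non-BAA destination's allowlist does not override rule 1.
    """
    payload: dict = {}
    dropped: list[str] = []
    for key, value in event.items():
        if key in PHI_FIELDS and not policy.covered_by_baa:
            dropped.append(key)
        elif key not in policy.allowed_fields:
            dropped.append(key)
        else:
            payload[key] = value
    return payload, sorted(dropped)


def deliver_with_retry(payload, send, max_attempts=3, sleep=lambda s: None):
    """Call send(payload) until it succeeds or max_attempts is reached.

    Returns (delivered, attempts). Backoff doubles per retry (0.5s, 1s, ...);
    `sleep` is injectable so the example runs without waiting.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            send(payload)
            return True, attempt
        except DeliveryError:
            if attempt < max_attempts:
                sleep(0.5 * 2 ** (attempt - 1))
    return False, max_attempts


def flaky_sender(failures_before_success: int):
    """Constructed stand-in for a destination that fails N times, then accepts."""
    state = {"calls": 0, "accepted": []}

    def send(payload):
        state["calls"] += 1
        if state["calls"] <= failures_before_success:
            raise DeliveryError(f"attempt {state['calls']} failed")
        state["accepted"].append(payload)

    return send, state


# Constructed sample event and policies (assumptions of this example).
SAMPLE_EVENT = {
    "event": "appointment_booked",
    "page_path": "/book",
    "campaign": "spring_checkup",
    "appointment_reason": "MRI consult",
    "ip": "203.0.113.7",
    "em": "0f1e...",  # placeholder for an already-hashed email
}
AD_PLATFORM = DestinationPolicy("ad_platform", frozenset({"event", "campaign", "page_path", "em"}))
EHR_SYNC = DestinationPolicy("ehr_sync", frozenset({"event", "appointment_reason", "em"}), covered_by_baa=True)
# Misconfigured on purpose: PHI allowlisted on a destination with no BAA.
MISCONFIGURED = DestinationPolicy("ad_platform_bad", frozenset({"event", "appointment_reason"}))


if __name__ == "__main__":
    for policy in (AD_PLATFORM, EHR_SYNC, MISCONFIGURED):
        payload, dropped = filter_event(SAMPLE_EVENT, policy)
        print(policy.name, "sends", sorted(payload), "drops", dropped)
    send, state = flaky_sender(2)
    print("delivered:", deliver_with_retry({"event": "x"}, send))
```

The point to take to a vendor demo: ask them to show the equivalent of the MISCONFIGURED case. If listing a PHI field for an ad destination is enough to make it flow, the platform has an allowlist but not a policy, and the BAA you signed with the vendor does nothing to cover the ad platform on the other end. On retries, ask what happens to the failed payload between attempts (where it is stored, for how long, and who can read it), since a retry queue is itself a store of event data.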
7. Identity Resolution: How Sophisticated is the Platform?
Does it support identity stitching across devices and platforms?
How does multi-touch attribution (MTA) work within your system?
Can we control per-destination identity mapping?
Implementation & Long-Term Operations: How Much Effort is Required?
8. Engineering Time & Maintenance
Some CDPs require heavy engineering involvement, while others are more plug-and-play. Ask:
How much engineering time is required for initial setup?
For ongoing changes, how easy is it to modify configurations?
Is there an API or UI for non-technical users to make changes?
Can we replicate our current setup, or will we have to start from scratch?
What’s the shortest implementation you’ve ever seen? The longest?
Can we use Google Tag Manager?
9. Customer Retention & Reference Checks
Don’t just take their word for it, check how customers actually feel about the platform.
Do you have customer references we can speak to?
Have you had customers migrate from competitors? What was their reason?
What are the common reasons customers leave your platform?
Destination-Specific Questions: The Details That Matter
Not all CDPs are equally effective across all platforms. If you rely on Google, Meta, or other ad and analytics destinations, dig into specifics:
How easy is it to rename custom events in Meta?
Do you normalize identifiers (trim whitespace, lowercase email, strip phone formatting and leading zeros, add the country code) before hashing them for Meta? Unnormalized values hash to different digests, so match rates silently degrade.
Do you restart your tasks weekly as recommended by Google to prevent failures?
How does your GA4 setup compare to first-party tracking solutions?
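To make the normalization question concrete, here is an added example (not code from the original article, from Meta, or from any vendor) that applies Meta's documented preparation rules for the email and phone parameters before SHA-256 hashing, and counts how many distinct digests the same person produces with and without normalization. The sample emails and phone numbers are constructed, and the rule that a bare 10-digit number is prefixed with "1" is an assumption of this example.

```python
from __future__ import annotations

import hashlib
import re


def normalize_email(email: str) -> str:
    """Meta's documented rule for the `em` parameter: trim whitespace, lowercase."""
    return email.strip().lower()


def normalize_phone(phone: str, default_country_code: str = "1") -> str:
    """Meta's documented rule for `ph`: digits only, no leading zeros, country code included.

    Assumption of this example: a bare 10-digit number is treated as US/Canada
    and prefixed with "1". Other markets need their own rule.
    """
    digits = re.sub(r"\D", "", phone).lstrip("0")
    if len(digits) == 10:
        digits = default_country_code + digits
    return digits


def sha256_hex(value: str) -> str:
    """Lowercase hex SHA-256 of the UTF-8 bytes, the format Meta expects."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def hashed_user_data(email: str | None = None, phone: str | None = None) -> dict:
    """Build the hashed identifier fields for one event, normalizing first."""
    data = {}
    if email:
        data["em"] = sha256_hex(normalize_email(email))
    if phone:
        data["ph"] = sha256_hex(normalize_phone(phone))
    return data


def distinct_hashes(values, normalizer=None) -> int:
    """Number of distinct digests a list of raw values produces.

    With normalizer=None every formatting variant hashes differently, so one
    person shows up as several unmatched records at the destination.
    """
    norm = normalizer or (lambda v: v)
    return len({sha256_hex(norm(v)) for v in values})


# Constructed sample input: one person's email and phone as three different
# systems (web form, call tracking, CRM export) might have captured them.
EMAILS = ["jane.doe@example.com", "  Jane.Doe@Example.com ", "JANE.DOE@EXAMPLE.COM"]
PHONES = ["(415) 555-0123", "+1 415-555-0123", "001 415 555 0123"]

if __name__ == "__main__":
    print("emails raw:", distinct_hashes(EMAILS), "normalized:", distinct_hashes(EMAILS, normalize_email))
    print("phones raw:", distinct_hashes(PHONES), "normalized:", distinct_hashes(PHONES, normalize_phone))
    print(hashed_user_data(email=EMAILS[1], phone=PHONES[2]))
```

Two caveats worth raising with the vendor. First, hashing is a matching convenience, not de-identification: a SHA-256 of an email is a stable identifier for that person, so whether hashed identifiers may be sent to an ad platform at all is a question for your BAA and privacy counsel, not something normalization settles. Second, ask where normalization runs; if it happens in the browser, the raw identifier is still being handled client-side on a page the visitor reached for a health reason.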
Final Thoughts: Make the Right Choice
The right HIPAA-compliant CDP should:
Offer full transparency on pricing, compliance, and data handling
Provide clear controls over what data gets sent and where
Require minimal engineering effort for setup and ongoing changes
Enable HIPAA compliance and have strict security measures
Deliver high performance, reliability, and first-party data support
If a vendor can’t confidently answer these questions, it’s a sign they aren’t truly built for HIPAA-compliant data management.
Choosing the wrong CDP can cost you time, money, and even regulatory penalties. Take your time, ask the tough questions, and make sure the platform you choose is built for the unique challenges of healthcare marketing and data operations.
At Ours Privacy, we are experts in CDP transitions and can typically drive significant performance, privacy, and/or cost improvements while minimizing any lost momentum or transition time.