CDP

How to Handle HIPAA Authorization and Control Data Dispatch with Custom Properties

Oct 10, 2025

Tyler Zey

Signup forms that include HIPAA authorization create a common question for healthcare organizations: how does that consent decision control what data flows to analytics and advertising platforms?

This guide demonstrates how to connect HIPAA authorization status directly to data dispatch rules, ensuring that consent decisions automatically determine what information gets sent to downstream marketing and analytics tools.


There are two scenarios to handle:

  1. Full data sharing: When someone gives HIPAA authorization, share all data without redaction

  2. Complete blocking: When someone doesn't give authorization, block all data from being sent

This isn't just about HIPAA—any organization dealing with consent management, regional compliance, or user preferences faces the same challenge: how do you control what data gets sent where based on visitor attributes?

Important Disclaimer: This guide demonstrates how you can configure custom properties and is for example purposes only. It is not legal advice and does not constitute a recommendation for how you should configure your privacy setup. Regulatory requirements vary by jurisdiction and may change over time. Always consult your own legal counsel and privacy officers when determining compliance strategies for your organization.

What We're Building

We'll create a system that:

  • Captures visitor consent status using custom properties

  • Uses the Global Consent Center to control data dispatch based on that consent

  • Demonstrates both client-side and server-side implementations

  • Shows how to handle scenarios where you want to either share all data or block everything based on consent

Step 1: Understanding Custom Properties

Custom properties let you attach any attributes to a visitor that can then be used to control data dispatch. You can store consent status, user preferences, regional information, or any other visitor-specific data.

Key concepts:

  • Custom properties are stored on the visitor profile

  • They persist across sessions

  • They can be used in Global Consent Center rules

  • They work with both client-side and server-side implementations

Step 2: Client-Side Implementation

Basic Identify Call with Custom Properties

Start by capturing consent status when a user interacts with your form or consent mechanism:

Note: You can send this via the Web SDK or Google Tag Manager.

What this does:

  • Stores the consent status on the visitor profile

  • Includes metadata about when and how consent was given

  • Makes this data available for Global Consent Center rules

  • You can also do this from the backend using the server-side identify API

Step 3: Configuring Global Consent Center Rules

The Global Consent Center lets you create rules that control data dispatch based on custom properties.

Rule 1: Block All Data When Not Authorized

Create a rule that blocks all data when consent is not given:

Rule Configuration:

  • Condition: custom_properties.hipaa_consent does not equal 'authorized'

  • Action: Block all data to all destinations

  • Priority: High

Rule 2: Selective Data Sharing

For more granular control, create rules for specific destinations:

Google Analytics Rule:

  • Condition: custom_properties.hipaa_consent equals 'authorized'

  • Action: Allow all data to Google Analytics

  • Priority: Medium

Meta Pixel Rule:

  • Condition: custom_properties.hipaa_consent equals 'authorized'

  • Action: Allow all data to Meta Pixel

  • Priority: Medium
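
The three rules above can be modelled locally to check how they behave for visitors whose consent property is missing or misspelled. This is an added example, not Ours Privacy code or its rule engine. The evaluation order (highest priority first, first matching rule per destination wins, no matching rule means no dispatch), the case-sensitive comparison, the `denied` value and the `Example Ads` destination are all assumptions.

```javascript
// Added illustration: a local model of the Step 3 rules, not the vendor's engine.
// Assumptions: higher priority is evaluated first, the first matching rule for a
// destination decides, and a destination with no matching rule receives nothing.
const PRIORITY = { High: 3, Medium: 2, Low: 1 };

const rules = [
  { name: "Block all when not authorized", priority: "High",
    when: (p) => p.hipaa_consent !== "authorized", // also true when the property is absent
    action: "block", destinations: "*" },
  { name: "Google Analytics", priority: "Medium",
    when: (p) => p.hipaa_consent === "authorized",
    action: "allow", destinations: ["Google Analytics"] },
  { name: "Meta Pixel", priority: "Medium",
    when: (p) => p.hipaa_consent === "authorized",
    action: "allow", destinations: ["Meta Pixel"] },
];

// Returns the subset of allDestinations that may receive this visitor's events.
function allowedDestinations(visitor, allDestinations) {
  const props = (visitor && visitor.custom_properties) || {};
  const matched = rules
    .filter((r) => r.when(props))
    .sort((a, b) => PRIORITY[b.priority] - PRIORITY[a.priority]);
  return allDestinations.filter((dest) => {
    const rule = matched.find(
      (r) => r.destinations === "*" || r.destinations.includes(dest)
    );
    return rule !== undefined && rule.action === "allow"; // default deny
  });
}

// Constructed visitor profiles covering the cases worth testing.
const DESTINATIONS = ["Google Analytics", "Meta Pixel", "Example Ads"];
const cases = {
  authorized: { custom_properties: { hipaa_consent: "authorized" } },
  denied: { custom_properties: { hipaa_consent: "denied" } },
  missing: { custom_properties: {} },
  wrongCase: { custom_properties: { hipaa_consent: "Authorized" } },
};

function runCases() {
  const out = {};
  for (const [label, visitor] of Object.entries(cases)) {
    out[label] = allowedDestinations(visitor, DESTINATIONS);
  }
  return out;
}

console.log(runCases());
```

In this model only the exact string `authorized` opens any destination, and `Example Ads` stays closed even for authorized visitors because no allow rule names it.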

Step 4: Testing Your Implementation

Test it by reviewing your recent events to verify that:

  • Custom properties are being captured correctly

  • Rules are working as expected (authorized users get data, unauthorized users don't)

  • Data is flowing to the intended destinations

Wrapping Up

This guide showed you how to use custom properties and the Global Consent Center to control data dispatch based on visitor attributes. The key concepts are:

  1. Custom Properties: Store any visitor attributes you need

  2. Global Consent Center: Create rules that control data dispatch

  3. Client-Side & Server-Side: Both approaches work with the same payload structure

  4. Testing: Always verify your implementation works as expected

Whether you're handling HIPAA consent, regional compliance, or user preferences, this approach gives you the flexibility to control exactly what data gets sent where.
