Healthcare Marketing Compliance Audit: A Step-by-Step Checklist

It is a Thursday afternoon when your compliance officer forwards a news article about a health system that just settled a tracking pixel lawsuit for $12 million. She asks a simple question: "Can you confirm that none of our website tracking tools are sending patient data to third parties?" You open your browser, navigate to your website, open DevTools, and discover 14 third-party scripts you did not know were there. Three of them are loading additional scripts of their own. One is a Meta Pixel that your predecessor installed two years ago. Another is a session replay tool that a developer added for a UX project that ended six months ago. Nobody removed it.

This is the moment most healthcare marketing teams realize they need a compliance audit. Not because they did something wrong intentionally, but because the marketing technology surface of a modern healthcare website grows continuously, and without systematic review, tracking tools accumulate like sediment.

Why Most Marketing Audits Miss What Matters

Traditional marketing audits focus on campaign performance, brand consistency, and messaging compliance. They review ad copy for regulatory claims, check that disclaimers appear where required, and verify that campaigns target appropriate audiences. These audits are necessary but incomplete.

The compliance risk that has generated $193M+ in enforcement actions since 2023 lives in a layer most marketing audits never examine: the tracking technology embedded in your website. Every page load, form submission, and button click may be firing scripts that transmit data to third-party servers. The audit that matters is not a review of what your marketing team created. It is a review of what your marketing technology is doing.

NewYork-Presbyterian Hospital ($300K NY AG, 2023). NYP used third-party tracking pixels on its website for marketing from 2016 to 2022. The hospital had no internal policies or procedures for vetting tracking tools before deployment, and the New York Attorney General's enforcement action specifically cited the absence of a governance process.

NYP's case illustrates that the failure was not a single bad decision. It was the absence of a system for making decisions. A compliance audit builds that system.

Step 1: Inventory Every Script on Every Page

The first step is discovering what is actually running on your website. This is harder than it sounds because modern web pages load scripts dynamically, and those scripts often load additional scripts.

Scan your entire site, not just the homepage. Tracking pixels may be installed on specific pages (patient portal login, appointment booking, service line pages) and absent from others. A homepage-only review will miss page-specific tracking.

Identify first-party versus third-party scripts. First-party scripts load from your own domain; third-party scripts load from external domains (google-analytics.com, connect.facebook.net, hotjar.com). Every third-party script represents data leaving your infrastructure. Classify by where a script sends data, not only by where it loads from: a vendor script copied onto your own server, or served through a first-party subdomain that points at the vendor, still transmits to the vendor.

Check for piggyback loading. Some scripts load additional scripts. Google Tag Manager, for example, may be loading a Meta Pixel, a LinkedIn Insight Tag, and a session replay tool. Your Tag Manager container is a script inventory of its own: export it and review every tag, the trigger that fires it, and the pages those triggers match, because a tag that is scoped to the appointment-booking pages will never show up in a homepage scan.

Document cookies and local storage. Beyond scripts, record the cookies and localStorage entries present on each page, which script set each one, and which third-party requests carry them. Some tracking technologies set persistent identifiers that survive session boundaries and can be used to re-identify visitors across visits.

A web scanner automates this process by crawling your entire site and documenting every script, cookie, localStorage entry, and network request on every page. Manual audits using browser DevTools work for a point-in-time check but cannot keep pace with a website that changes weekly.
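The inventory in Step 1 can be started from the browser console before any scanner is involved. The following is an added example, not code from the original article or from Ours Privacy: it takes entries in the shape returned by `performance.getEntriesByType("resource")` (each with a `name` URL and an `initiatorType`), splits them into first-party and third-party hosts, flags well-known tracker hosts and piggyback loaders, and classifies the names in a `document.cookie` string. The tracker hostnames and cookie prefixes are the documented load/collect hosts and cookies of those products; the sample entries and cookie string are constructed for the example.

```javascript
// Added example (not the article's or vendor's code): inventory a page's
// loaded resources and cookies, DevTools-console style. Input entries have the
// shape of performance.getEntriesByType("resource") items. Sample data is
// constructed; hospital.example and vendor-example.com are placeholders.

// Well-known load/collect hosts, keyed to the product that uses them.
const KNOWN_TRACKERS = {
  "connect.facebook.net": "Meta Pixel",
  "www.facebook.com": "Meta Pixel",
  "www.googletagmanager.com": "Google Tag Manager / gtag.js",
  "www.google-analytics.com": "Google Analytics",
  "snap.licdn.com": "LinkedIn Insight Tag",
  "px.ads.linkedin.com": "LinkedIn Insight Tag",
  "static.hotjar.com": "Hotjar",
  "script.hotjar.com": "Hotjar",
};

// Loaders whose containers pull in further tags; review these separately.
const PIGGYBACK_LOADERS = new Set(["www.googletagmanager.com"]);

// Cookie-name prefixes set by common trackers.
const TRACKER_COOKIE_PREFIXES = [
  ["_fbp", "Meta Pixel"], ["_fbc", "Meta Pixel"],
  ["_ga", "Google Analytics"], ["_gid", "Google Analytics"],
  ["_hj", "Hotjar"], ["li_fat_id", "LinkedIn Insight Tag"],
];

// Treat the site host and its subdomains as first-party. A subdomain that is
// CNAMEd to a vendor will pass this test, which is why data destinations are
// checked separately in Step 2.
function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

function inventoryResources(entries, pageOrigin) {
  const siteHost = new URL(pageOrigin).hostname;
  const firstParty = [];
  const byHost = new Map();
  for (const entry of entries) {
    const url = new URL(entry.name, pageOrigin);
    if (!url.hostname) continue;                 // data: and blob: URLs have no host
    if (isFirstParty(url.hostname, siteHost)) {
      firstParty.push(url.href);
      continue;
    }
    const rec = byHost.get(url.hostname) || {
      host: url.hostname,
      product: KNOWN_TRACKERS[url.hostname] || null,   // null = unknown vendor, investigate
      piggyback: PIGGYBACK_LOADERS.has(url.hostname),
      initiators: new Set(),
      urls: [],
    };
    rec.initiators.add(entry.initiatorType || "unknown");
    rec.urls.push(url.href);
    byHost.set(url.hostname, rec);
  }
  const thirdParty = [...byHost.values()]
    .map((r) => ({ ...r, initiators: [...r.initiators].sort() }))
    .sort((a, b) => a.host.localeCompare(b.host));
  return { siteHost, firstParty, thirdParty };
}

// Label each cookie name in a document.cookie string with the tracker that
// sets it, or null when the name matches no known prefix.
function classifyCookies(cookieString) {
  return cookieString.split(";").map((c) => c.trim()).filter(Boolean).map((c) => {
    const eq = c.indexOf("=");
    const name = eq === -1 ? c : c.slice(0, eq);
    const match = TRACKER_COOKIE_PREFIXES.find(([prefix]) => name.startsWith(prefix));
    return { name, product: match ? match[1] : null };
  });
}

// Constructed sample: what a hospital page might show after load.
const SAMPLE_ENTRIES = [
  { name: "https://hospital.example/static/app.js", initiatorType: "script" },
  { name: "https://cdn.hospital.example/img/logo.png", initiatorType: "img" },
  { name: "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE", initiatorType: "script" },
  { name: "https://connect.facebook.net/en_US/fbevents.js", initiatorType: "script" },
  { name: "https://www.facebook.com/tr/?id=0&ev=PageView", initiatorType: "img" },
  { name: "https://static.hotjar.com/c/hotjar-0.js", initiatorType: "script" },
  { name: "https://chat.vendor-example.com/widget.js", initiatorType: "script" },
];
const SAMPLE_COOKIES = "_fbp=fb.1.0.0; _ga=GA1.1.0.0; sessionid=abc; _hjSessionUser_0=xyz";

function runExample() {
  return {
    inventory: inventoryResources(SAMPLE_ENTRIES, "https://hospital.example"),
    cookies: classifyCookies(SAMPLE_COOKIES),
  };
}

console.log(JSON.stringify(runExample(), null, 2));
```

On a live page, run `inventoryResources(performance.getEntriesByType("resource"), location.origin)` and `classifyCookies(document.cookie)` in the console. Two limits matter for the audit: the resource timing buffer holds a limited number of entries by default (call `performance.setResourceTimingBufferSize()` with a larger value before navigating), and the list is per page and excludes what cross-origin iframes load, so the check has to be repeated on the portal login, booking, and service-line pages rather than the homepage alone.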

Step 2: Map Data Flows for Each Tracking Technology

For every script identified in Step 1, document what data it collects and where that data goes.

What data does it capture? Page URLs, form field values, click events, scroll depth, IP addresses, device fingerprints, user agent strings. Each data type has different compliance implications.

Where does the data go? Trace the network requests each script makes; the Network panel in DevTools, or a HAR export, shows the destination host and the full query string and body of each request. A Meta Pixel sends data to facebook.com. Google Analytics sends data to google-analytics.com. Some scripts send data to multiple destinations, and a tag manager may dispatch one page view to several vendors at once.

Does the data include health context? A page URL like "/services/oncology/breast-cancer-screening", combined with the visitor's IP address and a timestamp, can constitute PHI. A form submission on a "Request an Appointment for Behavioral Health" page that passes to a CRM contains PHI. Map which data flows include health-related context, and note that pixels typically send the full page URL and referrer with every event, so the context travels even when no form is involved.

Does the data include direct identifiers? Email addresses entered in forms, logged-in user IDs, and phone numbers are direct identifiers. When combined with health context from page URLs or form content, they become PHI.
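Steps 1 and 2 together come down to one question per captured request: does this payload, leaving to this host, carry health context or an identifier? The following is an added example, not code from the original article or from Ours Privacy, that scores captured requests (the `url` and, for POSTs, the form-encoded `postData` you get from a HAR export). It inspects the document-location and referrer parameters that common pixels use (`dl`, `dr`, `rl`, `url`) for service-line terms, and looks for email addresses, SHA-256 hashes (how "advanced matching" style features carry hashed identifiers), and common client-id parameter names. The health-term list, the identifier parameter names, the rating scale, and all sample requests are assumptions constructed for the example; tune the term list to your own URL structure.

```javascript
// Added example (not the article's or vendor's code): rate captured outbound
// requests for health context and identifiers. Health terms, ID parameter
// names and the rating scale are illustrative assumptions; sample requests
// are constructed and hospital.example / vendor-example.com are placeholders.

const HEALTH_TERMS = ["oncology", "cancer", "behavioral-health", "psychiatry", "hiv", "fertility", "appointment"];
const URL_PARAMS = new Set(["dl", "dr", "rl", "url", "referrer", "page"]);   // page-location / referrer fields
const ID_PARAMS = new Set(["cid", "uid", "user_id", "external_id", "ud[external_id]"]);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[a-z]{2,}$/i;
const SHA256_RE = /^[0-9a-f]{64}$/i;

function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

// Rating scale used here (assumption, loosely following the article's Step 6):
//   first-party : not a disclosure; audit what the server forwards instead
//   critical    : health context sent to a third party (URL + IP + timestamp)
//   high        : an identifier sent to a third party without health context
//   medium      : any other third-party disclosure (a consent question)
function assessRequest(req, siteHost) {
  const url = new URL(req.url);
  const result = { url: req.url, destination: url.hostname, healthContext: [], identifiers: [], rating: "medium" };
  if (isFirstParty(url.hostname, siteHost)) {
    result.rating = "first-party";
    return result;
  }
  // URLSearchParams decodes percent-encoding, so embedded URLs become readable.
  const params = new URLSearchParams(url.search);
  if (req.postData) for (const [k, v] of new URLSearchParams(req.postData)) params.append(k, v);

  for (const [k, v] of params) {
    if (URL_PARAMS.has(k)) {
      const terms = HEALTH_TERMS.filter((t) => v.toLowerCase().includes(t));
      if (terms.length) result.healthContext.push({ param: k, terms });
    }
    if (EMAIL_RE.test(v)) result.identifiers.push({ param: k, kind: "email" });
    else if (SHA256_RE.test(v)) result.identifiers.push({ param: k, kind: "hashed-identifier" });
    else if (ID_PARAMS.has(k)) result.identifiers.push({ param: k, kind: "pseudonymous-id" });
  }
  if (result.healthContext.length) result.rating = "critical";
  else if (result.identifiers.length) result.rating = "high";
  return result;
}

// Constructed samples: a pixel page view, an analytics hit, a CRM form post
// and a first-party API call, as they might appear in a HAR export.
const SITE_HOST = "hospital.example";
const SAMPLE_REQUESTS = [
  { url: "https://www.facebook.com/tr/?id=0&ev=PageView&dl=https%3A%2F%2Fhospital.example%2Fservices%2Foncology%2Fbreast-cancer-screening&rl=&ts=1700000000000" },
  { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&cid=555.666&en=page_view&dl=https%3A%2F%2Fhospital.example%2Flocations%2Fmain-campus" },
  { url: "https://crm.vendor-example.com/forms/submit",
    postData: "email=jane%40example.com&page=%2Fappointments%2Fbehavioral-health&message=need+help" },
  { url: "https://hospital.example/api/search?q=cardiology" },
];

function runExample() {
  return SAMPLE_REQUESTS.map((r) => assessRequest(r, SITE_HOST));
}

for (const a of runExample()) {
  console.log(a.rating.padEnd(12), a.destination,
    a.healthContext.map((h) => `${h.param}:${h.terms.join("/")}`).join(" "),
    a.identifiers.map((i) => `${i.param}:${i.kind}`).join(" "));
}
```

The first request is the case Step 2 describes: no form, no email, yet the service-line URL rides along in `dl` and the vendor sees it with the visitor's IP address and a timestamp. The CRM post rates the same but for the opposite reason, a direct identifier next to an appointment page. The analytics hit carries only a client id and a non-clinical URL, so it is a consent and BAA question rather than an immediate exposure. Feed the whole HAR in, and the output becomes the data-flow map the rest of the audit works from.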

Step 3: Verify BAA Coverage for Every Vendor

For each vendor identified in Steps 1 and 2, confirm whether a signed Business Associate Agreement is in place.

Pull your BAA inventory. Work with legal to compile a list of every vendor with a signed BAA. Compare this list against the vendors receiving data from your website.

Identify gaps. Any vendor receiving data that includes or could include PHI without a signed BAA represents an uncontrolled disclosure. Common gaps include analytics platforms, advertising pixels, session replay tools, chatbot vendors, and CRM platforms.

Evaluate BAA scope. Not all BAAs are equal. Some BAAs exclude certain data types (marketing data, analytics data, "non-clinical" data). A BAA that does not cover the specific data the vendor receives from your marketing technology is functionally the same as no BAA at all.

Review the vendor's SOC 2 Type II report. Beyond the BAA, ask critical vendors for their SOC 2 Type II report. SOC 2 is an auditor's attestation, not a certification, and it covers only the trust services criteria the vendor chose to put in scope. Security is the only mandatory criterion; Availability, Processing Integrity, Confidentiality, and Privacy are optional, and many vendors scope their report to Security alone. Check that Confidentiality and Privacy are in scope, read any exceptions the auditor noted, and confirm the report is Type II (controls tested over a review period) rather than Type I (a point-in-time assessment of control design).

Step 4: Evaluate Your Consent Architecture

Consent management has evolved from a cookie banner to a core compliance infrastructure requirement. Audit how your organization collects, stores, and enforces consent.

Is consent collected before tracking fires? Many consent implementations display a banner but load tracking scripts at the same time. If pixels fire before consent is collected, the consent mechanism is cosmetic. Verify that no tracking scripts execute until after consent is affirmatively provided: load a page in a clean browser profile, leave the banner unanswered, and confirm in the Network panel that no requests to vendor hosts appear. Watch for tags configured to run in a "denied" state, such as Google's advanced consent mode, which still sends cookieless pings before consent; if the requirement is no tracking before consent, the tag must not load at all.

Is consent enforced server-side? Client-side consent checks (JavaScript-based) run on a device you do not control: a tag can race the consent banner, a script added outside the tag manager can ignore the consent state entirely, and a stale cached consent value can let a pixel fire. Server-side consent gating checks the stored consent record before any data leaves your infrastructure, so a tag that slips past the client still sends nothing downstream. This is the architectural standard that state privacy laws and evolving patient expectations are driving toward.

Do you honor consent withdrawal? When a patient withdraws consent, do all downstream data flows stop? Audit whether consent revocation propagates to every system that received data under the original consent. Withdrawal on your site stops new flows; it cannot recall data a vendor already holds, so for data already disclosed the deletion terms of the BAA or vendor contract are what apply.

Are consent records stored with audit trails? Regulators may ask for evidence of what consent was collected, when, and what it covered. Maintain timestamped consent records that document the specific scope of each consent action.
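The four checks in Step 4 describe one mechanism: a gate that sits between consent state and every tracker. The following is an added example, not code from the original article or from Ours Privacy, of that gate. It defers a tracker's loader until its purpose is affirmatively granted, drops (rather than buffers for later replay) any event sent while consent is absent, calls a revoke hook on withdrawal, and appends a timestamped record of each consent action with its scope and source. In a browser the `load` callback would insert the vendor's script tag and `send` would call the vendor's event API; here both are plain callbacks so the gate runs in Node. The purpose name "marketing" and the source labels are assumptions for the example, and the `bannerOnlyPage` function models the anti-pattern the audit is looking for.

```javascript
// Added example (not the article's or vendor's code): a consent gate that
// keeps tracker loaders behind affirmative consent, drops pre-consent events,
// honours withdrawal, and keeps an audit trail. Purpose names, sources and
// the fixed clock in runExample() are assumptions for the example.

class ConsentGate {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.granted = new Set();   // purposes with current, affirmative consent
    this.trackers = [];         // { purpose, load, revoke, loaded }
    this.records = [];          // audit trail: { ts, action, purposes, source }
    this.dropped = 0;           // events refused because consent was absent
  }

  // Register a tracker; its loader runs only once its purpose is consented.
  register(purpose, { load, revoke = () => {} }) {
    const tracker = { purpose, load, revoke, loaded: false };
    this.trackers.push(tracker);
    this._sync(tracker);
  }

  // Bring one tracker in line with the current consent state.
  _sync(tracker) {
    const allowed = this.granted.has(tracker.purpose);
    if (allowed && !tracker.loaded) { tracker.load(); tracker.loaded = true; }
    if (!allowed && tracker.loaded) { tracker.revoke(); tracker.loaded = false; }
  }

  _record(action, purposes, source) {
    this.records.push({ ts: this.clock(), action, purposes: [...purposes], source });
  }

  grant(purposes, source) {
    purposes.forEach((p) => this.granted.add(p));
    this._record("grant", purposes, source);
    this.trackers.forEach((t) => this._sync(t));
  }

  withdraw(purposes, source) {
    purposes.forEach((p) => this.granted.delete(p));
    this._record("withdraw", purposes, source);
    this.trackers.forEach((t) => this._sync(t));
  }

  // Fire an event only while its purpose is consented; otherwise drop it.
  // Pre-consent events are deliberately not queued for replay after consent.
  track(purpose, send) {
    if (!this.granted.has(purpose)) { this.dropped += 1; return false; }
    send();
    return true;
  }
}

// The anti-pattern the audit should catch: the pixel loader runs at page load
// and the banner is shown afterwards, so consent never gates anything.
function bannerOnlyPage(loadPixel) {
  loadPixel();                 // fires before the visitor has seen the banner
  return "banner shown";
}

function runExample() {
  const calls = { loadedBeforeConsent: 0, loaded: 0, revoked: 0, sent: 0 };
  bannerOnlyPage(() => { calls.loadedBeforeConsent += 1; });

  let tick = 0;                // fixed clock so the audit trail is reproducible
  const gate = new ConsentGate(() => `2025-01-01T00:00:${String(tick++).padStart(2, "0")}Z`);
  gate.register("marketing", {
    load: () => { calls.loaded += 1; },
    revoke: () => { calls.revoked += 1; },
  });
  gate.track("marketing", () => { calls.sent += 1; });   // page view before consent: dropped
  gate.grant(["marketing"], "cookie-banner");             // loader runs now
  gate.track("marketing", () => { calls.sent += 1; });   // sent
  gate.withdraw(["marketing"], "privacy-preferences");   // revoke hook runs
  gate.track("marketing", () => { calls.sent += 1; });   // dropped again
  return { calls, dropped: gate.dropped, records: gate.records };
}

console.log(JSON.stringify(runExample(), null, 2));
```

The same `track` check belongs in a first-party collector on the server: look up the stored consent record for the session before forwarding anything to a vendor, so an event that escapes the client-side gate still goes nowhere. Note also that a script already executing in a page cannot be fully unloaded; a `revoke` hook can only stop further calls and, where the vendor offers one, call its opt-out API. That limitation is the practical reason the loader itself, not just the events, has to sit behind the gate.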

Step 5: Review Your Vendor Governance Process

A compliance audit is a point-in-time assessment. Without ongoing governance, the website will drift back into non-compliance the next time someone adds a script.

Who can add tracking technologies? Document the approval process for adding new scripts, pixels, or analytics tools to the website. If there is no approval process, create one. NYP's enforcement specifically cited the absence of vetting procedures.

How are changes monitored? Establish continuous monitoring for new scripts appearing on your site. Tag managers, CMS plugins, and third-party code can introduce tracking without anyone on the compliance team being aware.

Advocate Aurora Health ($12.25M class action, 2024). Advocate Aurora installed Meta Pixel and Google Analytics to "better understand patient needs." The tracking ran from 2017 to 2022 and exposed data of approximately 3 million patients. Five years of unmonitored tracking produced a $12.25 million settlement.

When are vendors re-evaluated? Vendors change their data practices, update their terms of service, and modify their tracking code. Annual vendor reviews are the minimum. Quarterly reviews for high-risk vendors (those receiving health-related data) are better.

Step 6: Document Findings and Build a Remediation Plan

The audit produces a gap analysis. The next step is prioritizing and addressing each gap.

Classify findings by risk level. Tracking technologies sending PHI to vendors without BAAs are critical. Scripts collecting non-health data without consent are high. Missing documentation or governance processes are medium.

Set remediation timelines. Critical items (active PHI exposure) should be addressed immediately, potentially by removing the offending script while a compliant alternative is implemented. High-priority items should have a 30-day remediation window. Medium items should be addressed within 90 days.

Replace client-side tracking with server-side architecture. The most impactful remediation is also the most structural: move data collection from client-side JavaScript to server-side infrastructure, so that the browser talks only to your own collector and never to third parties. Server-side collection is not a compliance guarantee by itself: if the collector forwards the same URL, identifiers, and event payload to the same vendor, the disclosure has moved, not ended. Its value is that the server is the one place where you can enforce consent, strip health context and identifiers, and send each vendor only what its BAA covers.

Establish ongoing monitoring. Convert the audit from a one-time project into a continuous process. Automated web scanning, vendor review schedules, and script approval workflows transform a reactive audit into proactive compliance management.

FAQ

How often should healthcare organizations conduct marketing compliance audits?

A comprehensive audit should happen at least annually. However, continuous monitoring through automated web scanning is strongly recommended because websites change constantly. Scripts are added, plugins update, and third-party tags load other tags. An annual audit catches what was wrong once a year; continuous scanning catches changes as they happen.

Who should lead a healthcare marketing compliance audit?

The audit requires collaboration between marketing, IT, legal, and compliance. Marketing knows what tools are in use and why. IT can identify scripts and trace data flows. Legal evaluates BAA coverage and regulatory requirements. Compliance assesses overall risk. No single department has the full picture alone.

What should we do if we find a tracking pixel sending PHI without a BAA?

Remove the pixel immediately, or disable it through your tag manager and publish the change, then rescan the affected pages to confirm the requests have stopped. Then conduct a breach risk assessment under HIPAA's four-factor test (the nature and extent of the PHI involved, the unauthorized party that received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated) to determine whether notification is required. Document the finding, the remediation action, and the timeline. Work with legal to evaluate whether the exposure requires breach notification to affected individuals and HHS.

Does this audit need to cover mobile apps as well as websites?

Yes. Mobile apps often contain SDKs that function identically to website tracking pixels, sending data to analytics and advertising platforms. The Kaiser Permanente case involved tracking code on mobile apps as well as websites. Any digital property that collects health-related data from patients should be included in the audit scope.

Can a web scanner replace a manual compliance audit?

A web scanner automates the technical discovery portion of the audit: identifying scripts, cookies, network requests, and data flows across your entire site. It cannot evaluate BAA coverage, consent architecture, or governance processes, which require human review. Use a web scanner as the technical foundation and layer manual review on top for the legal and procedural components.

A compliance audit turns the question "are we at risk?" into a documented answer with a clear remediation path. If your team is ready to audit its marketing technology stack, Ours Privacy provides the web scanning, server-side infrastructure, and consent management that healthcare organizations need to close the gaps an audit reveals.

Related reading:

  • What Is a BAA and Why Does Your Analytics Vendor Need One?

  • What Is a Tracking Pixel? Why Healthcare Websites Should Remove Theirs

  • Client-Side vs Server-Side Analytics: The Healthcare Decision

  • HIPAA-Compliant Tools