Is Crazy Egg HIPAA Compliant?

In 2024, Advocate Aurora Health agreed to pay $12.25 million to settle a class action lawsuit involving approximately 3 million patients. The health system had installed analytics and tracking tools on its website, mobile app, and patient portal with a straightforward goal: "better understand patient needs." The tools captured page views, clicks, and behavioral data. They transmitted that data to Meta and Google. Nobody at Advocate Aurora intended to expose protected health information. But the architecture they chose made the exposure inevitable, and it took five years (2017 to 2022) before anyone caught it.

The tools at the center of that case share a fundamental trait with Crazy Egg. They operated client-side: JavaScript loaded in the browser, captured data from the page, and sent it to a third-party server the healthcare organization did not control. That architecture is exactly how Crazy Egg works. And for healthcare organizations considering Crazy Egg for heatmaps or session recordings, the Advocate Aurora settlement is worth understanding before a single line of code is installed.

How Crazy Egg Captures Data in the Browser

Crazy Egg is a behavior analytics tool built around a simple premise: show website owners where visitors click, how far they scroll, and how they navigate through pages. It offers heatmaps, scroll maps, click reports, and session recordings. For marketing and UX teams outside of healthcare, these features help identify friction in conversion flows and prioritize design changes.

Technically, Crazy Egg operates entirely client-side. When you install Crazy Egg, you add a JavaScript snippet to your site. That script loads in every visitor's browser and begins collecting interaction data. For heatmaps, it tracks mouse movements, clicks, and scroll positions. For session recordings, it captures a reconstruction of the page's DOM, including on-screen content, form interactions, and navigation paths. All of this data is transmitted from the visitor's browser directly to Crazy Egg's servers.

On a standard e-commerce or SaaS site, the data flowing through this pipeline is relatively low-sensitivity. On a healthcare website, the same pipeline captures whatever is displayed on screen: appointment types, provider specialties, condition searches, prescription information, patient portal content, and intake form responses. A session recording does not distinguish between a product page and a patient portal page. It records what it sees.

Crazy Egg does offer a data masking feature. You can configure CSS selectors to suppress specific page elements from being recorded. But this masking operates client-side, in the browser, before the recording is sent to Crazy Egg. It requires manual configuration: your team must identify every element on every page that could display sensitive data, write the appropriate selectors, and keep them current as the site evolves. Pages added by marketing, new intake form fields, redesigned patient portal sections: all of these must be reflected in the masking rules or they will be captured and transmitted. For a smaller tool like Crazy Egg, the enterprise governance features that might help manage this at scale are limited compared to larger competitors.
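The gap described above (a field added after the masking rules were written) is easy to find mechanically if you compare the masking selectors against the page's actual form controls. The script below is an added example, not Crazy Egg's code or configuration: it models selector-based masking with a deliberately small matcher (id, class, tag, and tag[attr=value]), runs it over a constructed intake form in which a diagnosis textarea was added later, and lists every sensitive control no rule covers. The page markup, the selector list and the sensitive-field inventory are all constructed for the example.

```python
"""Audit client-side masking selectors against a page's form controls.

Added example, not Crazy Egg code. It shows the failure mode in the text:
a field nobody wrote a selector for is recorded and transmitted. Selector
support is intentionally minimal: '#id', '.class', 'tag', 'tag[name=value]'.
"""
from html.parser import HTMLParser

# Constructed intake page. The 'diagnosis' textarea was added after the
# masking rules below were written.
INTAKE_PAGE = """
<form id="intake">
  <input name="full_name" id="full_name" class="pii">
  <input name="dob" id="dob" class="pii">
  <input name="insurance_member_id" id="member_id">
  <textarea name="diagnosis" id="diagnosis"></textarea>
  <input name="newsletter_opt_in" type="checkbox">
</form>
"""

# Masking rules as a team might have written them for the original page.
MASK_SELECTORS = ["#full_name", "#dob", "input[name=insurance_member_id]"]

# Controls that must never leave the browser unmasked. In a real audit this
# comes from the data classification, not from reading the page.
SENSITIVE_FIELDS = {"full_name", "dob", "insurance_member_id", "diagnosis"}


class FieldCollector(HTMLParser):
    """Collects every form control with its tag, id, classes and name."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea", "select"):
            return
        a = dict(attrs)
        self.fields.append({
            "tag": tag,
            "id": a.get("id"),
            "classes": set((a.get("class") or "").split()),
            "name": a.get("name"),
        })


def matches(selector, field):
    """Minimal CSS selector matcher for the four selector forms used here."""
    if selector.startswith("#"):
        return field["id"] == selector[1:]
    if selector.startswith("."):
        return selector[1:] in field["classes"]
    if "[" in selector:
        tag, _, rest = selector.partition("[")
        attr, _, value = rest.rstrip("]").partition("=")
        value = value.strip("'\"")
        return (not tag or field["tag"] == tag) and field.get(attr) == value
    return field["tag"] == selector


def unmasked_sensitive_fields(html, selectors, sensitive):
    """Return the names of sensitive controls that no masking selector covers."""
    parser = FieldCollector()
    parser.feed(html)
    return [
        f["name"]
        for f in parser.fields
        if f["name"] in sensitive and not any(matches(s, f) for s in selectors)
    ]


if __name__ == "__main__":
    for name in unmasked_sensitive_fields(INTAKE_PAGE, MASK_SELECTORS, SENSITIVE_FIELDS):
        print(f"UNMASKED: {name}")
```

Run against the constructed page it reports `diagnosis`, the field added after the rules were written. Wiring a check like this into the release pipeline catches the drift the text describes, but it only reduces the capture surface; it does nothing about the absence of a BAA once data has reached the vendor.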

The $12.25 Million Question: When "Understanding Patients" Goes Wrong

The Advocate Aurora case is instructive because the health system's goal was reasonable. Understanding how patients interact with your digital properties is a legitimate business objective. The problem was not the intent. The problem was the data path.

When analytics tools operate client-side, data flows from the visitor's browser to a third party. The healthcare organization does not author the script, cannot see what it captures beyond what the vendor documents, does not control the transmission path, and does not control what happens to the data once it arrives at the vendor's servers. Even with careful configuration, the surface area for inadvertent PHI capture is large. Page URLs alone can contain condition names, provider specialties, or appointment types in the path or query string. Session recordings capture everything visible on screen.

Kaiser Permanente learned this at an even larger scale, reaching a $47.5 million settlement affecting 13.4 million members. From 2017 to 2024, their websites, patient portals, and mobile apps used third-party tracking code that transmitted health information to Google, Microsoft, Meta, and X without consent. The data included search terms, medical histories, and communications with healthcare professionals. Seven years of data exposure from tools that were installed for routine analytics purposes.

Sutter Health settled for $21.5 million after implementing Google Analytics, the Meta Pixel, and other tracking tools on its MyHealthOnline patient portal. The tools tracked and disclosed private patient data to Google and Facebook without authorization, covering California residents who logged into the portal from 2015 through 2020.

Across all 15 major enforcement cases since 2023, the combined total exceeds $193 million. Every case involved standard marketing tools. No case involved a sophisticated cyberattack. All were self-inflicted through routine marketing technology choices that shared one common trait: client-side JavaScript sending data to third-party servers.

Why Crazy Egg Cannot Serve as a Business Associate

Under HIPAA, any vendor that creates, receives, maintains, or transmits protected health information on behalf of a covered entity is a business associate and must sign a Business Associate Agreement. A BAA is not a formality. It is a legal contract in which the vendor accepts liability for safeguarding PHI and agrees to specific obligations around breach notification, data handling, and permitted uses. Without a BAA, any PHI that reaches the vendor's servers constitutes an impermissible disclosure, regardless of whether the exposure was intentional.

Crazy Egg does not sign Business Associate Agreements. Its documentation does not reference HIPAA as a supported compliance framework. There is no enterprise tier, add-on plan, or configuration that changes this.

This matters because of what Crazy Egg's session recordings and heatmaps can capture. On a healthcare website, the tool's JavaScript runs in the same browser context as patient-facing content. If a patient searches for "diabetes management" and clicks through to book an appointment with an endocrinologist, Crazy Egg's heatmap records those clicks and its session recording captures the pages visited, the content displayed, and the booking flow. Without a BAA, that data sits on Crazy Egg's servers with no HIPAA protections governing its use, storage, or disposal.

The absence of a BAA also means the vendor carries no breach notification obligation. If Crazy Egg experiences a security incident that exposes data collected from your healthcare site, it has no legal requirement under HIPAA to notify you, your patients, or HHS. You may not learn about the exposure until it surfaces through other channels. Your own obligations do not disappear, however: the covered entity remains responsible under the Breach Notification Rule, and the disclosure to a vendor without a BAA is itself a reportable breach unless a risk assessment shows a low probability that PHI was compromised.

The Compliance Bar for Behavioral Analytics on Healthcare Sites

Healthcare organizations that want to understand how patients interact with their websites (a genuinely valuable objective) need to evaluate tools against a specific set of requirements. These are not preferences. They are the architectural and legal standards that separate tools built for healthcare from tools built for general use.

A BAA covering the full data pipeline. The agreement must cover all data the tool collects: session recordings, heatmap interactions, click data, scroll data, and any page content captured during recording. BAAs that carve out behavioral data or analytics data leave the most sensitive information unprotected.

SOC 2 Type II covering all five Trust Services Criteria. Most vendors scope their report to Security only (1 of 5). That confirms basic access controls and encryption. It says nothing about how data is processed, whether it remains confidential, or how the vendor handles privacy obligations. All five criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy), attested by an independent auditor over a sustained review period rather than at a single point in time, represent the standard healthcare data demands. Read the report itself, not the badge: check the scope section and any exceptions the auditor noted.

Server-side data collection. Behavioral data should be collected and processed on your infrastructure, not streamed from the visitor's browser to a third-party server. Server-side collection means you control what data is captured, how it is processed, and where it is stored. The browser never communicates with the analytics vendor. This is the architectural difference between hoping nothing leaks and deciding what leaves: the data still has to be classified and minimised once it lands on your side, but the decision is yours to make and to audit.

First-party infrastructure. Data collection should happen on your domain, through your DNS, with server-set cookies. No third-party JavaScript in the page source. No requests to third-party tracking endpoints in the browser's network tab. First-party infrastructure eliminates the browser-to-third-party data path that regulators and plaintiffs have targeted in every enforcement case.

Server-side consent enforcement. Consent and privacy requirements are the next frontier of healthcare compliance, driven by an expanding landscape of state privacy laws and rising patient expectations. Data should only flow to analytics destinations after consent is verified server-side. A JavaScript consent check in the browser can be bypassed, misconfigured, or simply fail to load. A server-side consent gate can still be misconfigured, but it cannot be bypassed by the client, and when it fails the data stays on your infrastructure instead of leaving it. Organizations that build consent into their data architecture now will be well positioned as regulatory requirements continue to tighten.
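The three requirements above (server-side collection, first-party endpoints, server-side consent) come together in one small piece of code: the collector that sits on your own domain and decides what is kept. The following is an added example written for this article, not Ours Privacy's or any vendor's implementation. It assumes a hypothetical consent store keyed by a server-set session cookie, a hypothetical in-memory analytics sink, and an allowlist of harmless query parameters and URL path prefixes; every event and URL in it is constructed. The point it shows is that the client's claim of consent is ignored, and that URL components that can name a condition are stripped before anything is stored.

```python
"""First-party event collector with a server-side consent gate.

Added example, not any vendor's code. Models the architecture in the text:
the browser posts events to your own domain, the server decides whether
they are kept and what is kept, and the client's word is never trusted.
CONSENT_STORE, ANALYTICS_SINK, record_consent and dispatch are hypothetical.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Consent recorded server-side, keyed by the value of a server-set session
# cookie. A client cannot forge an entry; it can only go through record_consent.
CONSENT_STORE = {}

# Query parameters with no health meaning that may be retained. Anything else
# (condition=, provider=, appt_type=, search terms) is dropped.
SAFE_QUERY_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "page"}

# Path prefixes that are known not to encode a condition or provider specialty.
# Anything else is generalised so that /conditions/diabetes never reaches storage.
ALLOWED_PATH_PREFIXES = ("/appointments", "/locations", "/about")

ANALYTICS_SINK = []  # stands in for the server-side analytics pipeline


def record_consent(session_id, analytics):
    """Called by the consent endpoint after the user's choice has been verified."""
    CONSENT_STORE[session_id] = {"analytics": bool(analytics)}


def scrub_url(url):
    """Keep scheme and host, generalise the path, allowlist the query, drop the fragment."""
    parts = urlsplit(url)
    path = parts.path if parts.path.startswith(ALLOWED_PATH_PREFIXES) else "/other"
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k in SAFE_QUERY_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), ""))


def dispatch(event, session_id):
    """Server-side gate. Returns 'sent' or 'dropped'."""
    # 1. Consent comes from the store, never from the payload. An event carrying
    #    {"consent": true} with no server-side record is still dropped.
    if not CONSENT_STORE.get(session_id, {}).get("analytics"):
        return "dropped"
    # 2. Minimise before storing: scrub the URL, keep only the fields the
    #    heatmap needs, and never copy form values or free text through.
    ANALYTICS_SINK.append({
        "type": event.get("type"),
        "url": scrub_url(event.get("url", "")),
        "x": event.get("x"),
        "y": event.get("y"),
    })
    return "sent"


if __name__ == "__main__":
    # Constructed click event from a condition search page, carrying a client-side
    # consent claim and form data that must not survive the gate.
    event = {
        "type": "click",
        "url": "https://portal.example-health.org/appointments?condition=diabetes&page=2#step1",
        "x": 120, "y": 340,
        "consent": True,
        "form": {"dob": "1980-01-01"},
    }
    print(dispatch(event, "sess-A"))      # dropped: no server-side consent record
    record_consent("sess-A", True)
    print(dispatch(event, "sess-A"))      # sent
    print(ANALYTICS_SINK[-1]["url"])      # condition= and the fragment are gone
```

The allowlists are the part that needs care in a real deployment: they should be derived from the site map and the data classification, and reviewed whenever a new section goes live, because a path prefix that looks harmless today can start carrying specialty names tomorrow.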

Continuous site monitoring. Installing one compliant analytics tool does not make your entire website compliant. Marketing teams add scripts, plugins update, and third-party tags load additional tags without anyone noticing. A web scanner that crawls your site on an ongoing basis detects every cookie, script, localStorage entry, and tracking pixel across every page. It flags risks specific to healthcare: which scripts lack a BAA, which cookies are set by third parties, and which pixels are sending data to ad platforms. Every enforcement case on record involved tracking that ran for years before anyone noticed.
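A static pass over the served HTML is the cheapest form of the monitoring described above, and it already catches the common case: a script, pixel or iframe pointing at a host you have no BAA with. The script below is an added example, not the Ours Privacy scanner. It parses a constructed page, pulls out external scripts, images, iframes and link targets, also extracts URLs embedded in inline snippets (the way loader snippets inject their real script), and reports everything whose host is neither first-party nor on a hypothetical list of BAA-covered vendors. The hostnames in the sample page are illustrative.

```python
"""Static scan of a page for third-party tracking surface.

Added example, not the Ours Privacy scanner. Reports scripts, pixels,
iframes and inline-snippet URLs whose host is neither first-party nor a
vendor with a signed BAA. FIRST_PARTY, BAA_VENDORS and the page are
constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

FIRST_PARTY = {"www.example-health.org", "portal.example-health.org"}
BAA_VENDORS = {"collect.example-health.org"}   # hypothetical hosts with a signed BAA
URL_RE = re.compile(r'https?://[^\s"\'<>()]+')

# Constructed page: the portal's own code and a BAA-covered collector are
# first-party; marketing has added a heatmap loader snippet and a pixel.
PAGE = """<html><head>
<script src="https://portal.example-health.org/static/app.js"></script>
<script>
  (function () {
    var s = document.createElement("script");
    s.src = "https://script.crazyegg.com/pages/scripts/0000/0000.js";
    document.head.appendChild(s);
  })();
</script>
<script src="https://collect.example-health.org/c.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=123" height="1" width="1">
<iframe src="https://portal.example-health.org/scheduler"></iframe>
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collects external resource URLs and URLs embedded in inline scripts."""
    WATCHED = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []          # (kind, url, attrs)
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(self.WATCHED.get(tag, ""))
        if url:
            self.resources.append((tag, url, a))
        elif tag == "script":
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            for url in URL_RE.findall(data):
                self.resources.append(("inline-script", url, {}))


def kind_of(tag, attrs):
    """Label 1x1 images as pixels; everything else keeps its element name."""
    if tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1":
        return "pixel"
    return tag


def scan(html):
    """Return findings for every resource whose host is not first-party or BAA-covered."""
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url, attrs in parser.resources:
        host = urlsplit(url).hostname or ""
        if host in FIRST_PARTY or host in BAA_VENDORS:
            continue
        findings.append({"kind": kind_of(tag, attrs), "host": host, "url": url})
    return findings


if __name__ == "__main__":
    for f in scan(PAGE):
        print(f"{f['kind']:14} {f['host']:28} {f['url']}")
```

Static scanning sees only what is in the served HTML. Tags added by a tag manager at runtime, cookies set by those scripts, and requests made from them require rendering the page in a headless browser and recording the network and cookie jar; a crawler that does both, on a schedule, across every page, is what the requirement above asks for.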

Building a Behavioral Analytics Stack That Works for Healthcare

The goal is not to abandon behavioral analytics. Understanding how patients navigate your site, where they encounter friction, and what content resonates is valuable for improving care access and operational efficiency. The goal is to collect those insights through an architecture that does not create the same exposure that cost Advocate Aurora $12.25 million and Kaiser $47.5 million.

Ours Privacy provides server-side session replay, heatmaps, and behavioral analytics with a signed BAA covering the full data pipeline, a SOC 2 Type II report across all five Trust Services Criteria, and consent-gated data dispatch built into the architecture. Data collection happens on your domain through first-party infrastructure. The visitor's browser never communicates with a third-party analytics server.

For organizations that need to evaluate their current tracking surface, the Ours Privacy web scanner crawls your site and identifies every script, cookie, and tracking pixel that could create compliance risk. It provides the visibility that manual audits miss and that every enforcement case proves was lacking.

FAQ

Does Crazy Egg sign a Business Associate Agreement?

No. Crazy Egg does not offer a BAA and does not position itself as a HIPAA-compliant tool. There is no plan tier or configuration that changes this. Without a BAA, using Crazy Egg on any page where PHI could be present creates an impermissible disclosure under HIPAA.

Can Crazy Egg's data masking make it safe for healthcare websites?

Crazy Egg offers CSS selector-based masking that lets you suppress specific page elements from session recordings. However, this masking operates client-side, requires manual configuration for every sensitive element across every page, and must be maintained as your site changes. Any element not covered by a masking rule will be captured and transmitted to Crazy Egg's servers. Even with perfect masking configuration, the absence of a BAA means no legal framework governs how Crazy Egg handles data that reaches its infrastructure.

How are session recordings different from standard analytics in terms of healthcare risk?

Standard analytics tools collect page URLs, events, and aggregate metrics. Session recordings capture a visual reconstruction of the visitor's experience, including page content, form interactions, and on-screen text. On a healthcare website, a session recording may capture appointment types, provider names, condition information, and portal content visible on screen. The surface area for inadvertent PHI capture is substantially larger with session recordings than with standard event-based analytics.

What enforcement actions have targeted healthcare organizations using client-side tracking?

Since 2023, healthcare organizations have paid over $193 million in combined settlements and enforcement actions related to tracking technologies. Kaiser Permanente settled for $47.5 million (13.4 million members affected), Sutter Health for $21.5 million, and Advocate Aurora Health for $12.25 million. The FTC and OCR sent joint warning letters to approximately 130 hospital systems in 2023. Every case involved standard client-side tracking tools, and no case involved a sophisticated cyberattack.

What should I use instead of Crazy Egg for healthcare websites?

Look for a behavior analytics platform built on server-side architecture that signs a BAA covering all collected data, holds a SOC 2 Type II report across all five Trust Services Criteria, and enforces consent server-side before any behavioral data flows to a destination. Pair it with a web scanner that continuously monitors your site for non-compliant scripts and third-party tracking. The objective is to keep behavioral insights while collecting them through infrastructure designed for healthcare from the ground up.