Is Hotjar HIPAA Compliant?
Hotjar has become one of the most popular behavior analytics tools on the web. Its heatmaps show where visitors click, scroll, and hover. Its session recordings replay individual user journeys frame by frame. Its surveys and feedback widgets let product teams collect qualitative data alongside the quantitative. For marketing and UX teams, Hotjar answers the question traditional analytics can't: not just what visitors did, but why.
Healthcare organizations want those same insights. Understanding how patients navigate an appointment booking flow or where they drop off during intake is genuinely valuable. But Hotjar's approach to collecting this data introduces compliance considerations that healthcare teams need to evaluate carefully before deploying it on any site that touches protected health information.
What Healthcare-Grade Compliance Actually Requires
When evaluating any behavior analytics tool for a healthcare website, three things matter more than the tool's feature set: the legal agreement, the audit posture, and the data architecture.
A Real Business Associate Agreement
Under HIPAA, any vendor that receives, stores, or transmits protected health information on behalf of a covered entity must sign a Business Associate Agreement. A BAA isn't a checkbox. It's a legal contract where the vendor accepts liability for safeguarding PHI and agrees to specific obligations around breach notification, data handling, and permitted uses.
Not all BAAs are equal. Some vendors offer agreements that carve out marketing data, analytics data, or data collected on unauthenticated pages. A legitimate healthcare BAA covers the full data pipeline: collection, processing, storage, and transmission. It means the vendor stands behind the data it handles with the same legal exposure your organization carries.
SOC 2 Type II with All Five Trust Criteria
SOC 2 Type II is an independent audit that verifies a vendor's controls over an extended review period. The audit covers up to five trust service criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Most vendors certify only Security (1 of 5). That's table stakes. It means an auditor confirmed that the vendor has basic access controls and encryption. It says nothing about how data is processed, whether it remains confidential, or how the vendor handles privacy obligations.
All five criteria mean independent auditors verified the vendor handles data with the rigor healthcare requires: that the system is available when needed, processes data accurately, keeps it confidential, and respects privacy commitments. Type II (not Type I) means this was verified over a sustained period, not a single point-in-time snapshot.
Server-Side Data Architecture
Client-side behavior analytics (including session recording tools) work by loading JavaScript in the visitor's browser. That JavaScript captures DOM content, user interactions, and page elements, then transmits the data directly to the vendor's servers. The browser is the intermediary, and the data transits through a third-party connection your organization does not control.
Server-side analytics work differently. Data is collected on your server and sent from your infrastructure to its destination. The visitor's browser never communicates with the analytics vendor. There is no third-party JavaScript, no third-party cookies, and no data path you don't control.
This distinction matters because every major healthcare tracking enforcement case involved client-side tracking technologies. The browser-to-third-party data path is the root cause, not a contributing factor.
Where Hotjar Stands
Hotjar operates entirely as a client-side tool. When you install Hotjar, its JavaScript loads in every visitor's browser. For heatmaps, that script tracks mouse movements, clicks, and scroll depth. For session recordings, it captures a reconstruction of the DOM, including page content, form inputs, and user interactions, then streams that data to Hotjar's servers.
This is where behavior analytics tools differ from traditional analytics in a way that matters for healthcare. Google Analytics collects page URLs and events. Hotjar collects a visual replay of what was on the screen. On a healthcare website, that screen may display appointment details, provider specialties, condition information, prescription names, or patient portal content. A session recording captures all of it unless it's explicitly masked.
Hotjar does offer data suppression features. You can configure CSS selectors to mask specific form fields or page elements. But these masking rules operate client-side, in the browser, before the recording is sent to Hotjar. They require manual configuration, meaning your team must identify every element on every page that could contain sensitive data and keep those selectors current as the site changes. Anything missed gets recorded and transmitted.
Hotjar does not sign Business Associate Agreements. Their documentation does not list HIPAA as a supported compliance framework. There is no enterprise tier or configuration that changes this. Without a BAA, any PHI that reaches Hotjar's servers creates an impermissible disclosure under HIPAA, regardless of whether the exposure was intentional.
What the Enforcement Landscape Looks Like
Since 2023, healthcare organizations have paid over $193 million in settlements and penalties related to tracking technologies on their websites. Every case involved standard marketing tools, not sophisticated attacks.
Kaiser Permanente reached a $47.5 million settlement affecting 13.4 million members. From 2017 to 2024, their websites and patient portals used third-party tracking code that transmitted health information to Google, Microsoft, Meta, and X without member consent. The data included search terms, medical histories, and communications with healthcare professionals. Session recordings and behavioral tracking tools capture exactly this type of content.
Advocate Aurora Health settled for $12.25 million after installing Meta Pixel and Google Analytics on its website, app, and patient portal to "better understand patient needs." The tracking exposed data of approximately 3 million patients. The intent was routine analytics. The outcome was a class action lawsuit.
BetterHelp paid $7.8 million to the FTC after tracking pixels shared mental health intake questionnaire responses with Facebook, Snapchat, Criteo, and Pinterest. A recent college graduate with no marketing training had been placed in charge of deciding what user data was uploaded to Facebook. This case illustrates what happens when the tools are easy to deploy but the governance around them is insufficient.
The pattern across all 15 major cases is consistent: healthcare organizations installed widely used marketing and analytics tools, those tools operated client-side, data flowed to third parties, and nobody noticed until regulators or plaintiffs did.
What a Compliant Behavior Analytics Architecture Looks Like
Healthcare organizations that want to understand visitor behavior (which is a legitimate and valuable goal) should evaluate vendors against a specific architecture:
Server-side session recording. Behavioral data should be collected and processed on your infrastructure, not streamed from the visitor's browser to a third-party server. Server-side collection means you control what data is captured, how it's processed, and where it's stored before it ever leaves your environment.
First-party infrastructure. Data collection should happen on your domain, through your DNS, using server-set cookies. No third-party JavaScript in the page source. No tracking endpoints visible in browser developer tools. This eliminates the third-party data path that regulators and plaintiffs have targeted in every enforcement action.
Consent-gated data flows. Consent and privacy are quickly becoming the next frontier of healthcare compliance, driven by state privacy laws and rising patient expectations around how their data is handled. Data should only flow to analytics destinations after consent is verified server-side. A JavaScript consent banner can be bypassed or misconfigured. A server-side consent gate cannot. Organizations building consent into their data architecture now will be positioned well as the regulatory landscape evolves.
Continuous compliance monitoring. Installing a compliant analytics tool does not tell you whether your entire website is compliant. Marketing teams add scripts, plugins update, and third-party tags load other tags. A web scanner that crawls your site on an ongoing basis detects every cookie, script, localStorage entry, and tracking pixel across every page. It flags healthcare-specific risks: which scripts lack a BAA, which cookies are set by third parties, and which tracking pixels are sending data to ad platforms. Every enforcement case cited in this article involved tracking that had been running for years before anyone noticed.
A real BAA covering the full data pipeline. Not a BAA that excludes behavioral data, heatmap data, or data from unauthenticated pages.
SOC 2 Type II with all five trust criteria. Security, Availability, Processing Integrity, Confidentiality, and Privacy. Verified by independent auditors over a sustained review period.
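The first three architecture points above (server-side collection, consent verified on the server, masking that denies by default) reduce to a short ingest path. The following is an added example and not Ours Privacy's code; the names CONSENT_STORE, SAFE_FIELDS, ingest_event and the sample events are assumptions constructed for the demo.

```python
"""Server-side ingest path: consent checked against a server-held record,
default-deny masking of captured values, then dispatch. Added example,
not Ours Privacy's code; CONSENT_STORE, SAFE_FIELDS and the events are
constructed for the demo."""
from dataclasses import dataclass, field

# Consent state lives on the server; nothing the browser sends can override it.
CONSENT_STORE = {"sess-1": True, "sess-2": False}
# Default deny: an input value is forwarded only if its field name is listed.
SAFE_FIELDS = {"page_size", "sort_order"}
MASK = "***"

@dataclass
class Sink:
    """Stands in for the analytics destination (in memory here)."""
    events: list = field(default_factory=list)

def mask_event(event: dict) -> dict:
    """Copy the event with inputs, on-screen text and query strings redacted."""
    out = dict(event)
    out["inputs"] = {name: (value if name in SAFE_FIELDS else MASK)
                     for name, value in event.get("inputs", {}).items()}
    out["text"] = MASK if event.get("text") else ""   # visible text never leaves
    out["url"] = event.get("url", "").split("?", 1)[0]  # query strings carry search terms
    return out

def ingest_event(event: dict, sink: Sink) -> str:
    """Gate, mask, dispatch. Returns the outcome for audit logging."""
    if not CONSENT_STORE.get(event.get("session"), False):
        return "dropped:no-consent"           # nothing is stored or forwarded
    sink.events.append(mask_event(event))
    return "dispatched"

# Constructed events of the shape a first-party collector might receive.
EVENTS = [
    {"session": "sess-1", "url": "https://clinic.example/search?q=chest+pain",
     "inputs": {"symptom": "chest pain", "page_size": "20"}, "text": "Cardiology"},
    {"session": "sess-2", "url": "https://clinic.example/intake",
     "inputs": {"dob": "1980-01-01"}, "text": ""},
]

def run_demo() -> tuple:
    sink = Sink()
    outcomes = [ingest_event(e, sink) for e in EVENTS]
    return outcomes, sink.events
```

The point of the order is that the consent check and the masking both run before anything reaches the sink, so a misconfigured banner or a missed selector in the page cannot leak a value the server never forwarded.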
Ours Privacy offers server-side session replay, heatmaps, and behavioral analytics with a signed BAA, SOC 2 Type II across all five trust criteria, and consent-gated data dispatch built into the architecture.
How to Evaluate Any Behavior Analytics Vendor for Healthcare
Whether you're evaluating Hotjar alternatives or any other session recording platform, use this checklist:
Does the vendor sign a BAA? If not, stop here. If yes, read the BAA carefully. Does it cover all data the tool collects, including session recordings and behavioral data? Or does it carve out analytics data?
What does the SOC 2 report cover? Ask for the trust criteria. If it's Security only (1 of 5), the audit did not verify confidentiality, privacy, or data processing integrity.
Where does data flow? Does the tool load JavaScript in the visitor's browser that captures and sends session recordings to a third-party server? Or is behavioral data collected and processed server-side from your infrastructure?
How is data masking handled? Is masking configured client-side (requiring manual selector maintenance), or is it enforced server-side with defaults that prevent PHI from being captured in the first place?
How is consent enforced? Is consent a JavaScript check that can be bypassed, or is it enforced server-side before any behavioral data leaves your infrastructure?
Can you monitor your site continuously? Does the vendor (or your compliance stack) provide scanning tools that detect non-compliant scripts, cookies, and pixels across your entire site on an ongoing basis?
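The continuous-monitoring item in the checklist, and the scanner described in the architecture section above, come down to inspecting each page for data paths that leave the first-party domain. The block below is an added example and not Ours Privacy's scanner: it parses one page offline and reports third-party scripts, 1x1 tracking pixels and inline cookie/localStorage writes. FIRST_PARTY and SAMPLE_HTML are constructed for the demo.

```python
"""Scan page HTML for third-party scripts, tracking pixels and inline
cookie/localStorage writes. Added example, not Ours Privacy's scanner;
FIRST_PARTY and SAMPLE_HTML are constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = {"clinic.example"}  # assumption: the site's own hostnames

class TagScanner(HTMLParser):
    """Records (finding, host) pairs for every tag that reaches a third party."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "script" and not src:
            self._in_inline_script = True  # body is inspected in handle_data
            return
        if tag not in ("script", "img", "iframe") or not src:
            return
        host = urlparse(src).hostname or ""
        if not host or host in FIRST_PARTY:
            return  # relative or first-party URL: no third-party data path
        kind = "third-party " + tag
        if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            kind = "tracking pixel"  # the classic 1x1 beacon shape
        self.findings.append((kind, host))

    def handle_data(self, data):
        if self._in_inline_script and ("document.cookie" in data or "localStorage" in data):
            self.findings.append(("inline cookie/localStorage write", "inline"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

def scan_html(html: str) -> list:
    parser = TagScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

SAMPLE_HTML = """<html><head><script src="https://clinic.example/app.js"></script>
<script src="https://cdn.tracker.example/rec.js"></script>
<script>localStorage.setItem("sid", "abc");</script></head>
<body><img src="https://ads.example/px.gif" width="1" height="1">
<img src="/logo.png"></body></html>"""  # constructed sample page
```

A static parse only sees what is in the served HTML; tags injected later by other tags, which the article notes as a common pattern, need a rendered-DOM crawl, so treat this as the first pass of an ongoing scan rather than the whole of it.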
FAQ
Does Hotjar sign a Business Associate Agreement?
No. Hotjar does not offer a BAA and does not position itself as a HIPAA-compliant tool. There is no enterprise plan or configuration option that changes this. Without a BAA, using Hotjar on any page where PHI could be present creates an impermissible disclosure under HIPAA.
Can I use Hotjar's data masking to make it safe for healthcare?
Hotjar's suppression features let you mask specific elements using CSS selectors, but this approach has significant limitations. The masking operates client-side and requires manual configuration for every sensitive element on every page. As your site evolves, new pages and form fields must be added to the suppression rules. Anything missed gets captured in session recordings and transmitted to Hotjar's servers. Even with perfect masking, the absence of a BAA means there is no legal framework governing how Hotjar handles any data that does reach their infrastructure.
Are session recordings riskier than standard analytics for healthcare?
Session recordings capture a visual reconstruction of the visitor's experience, including page content, form inputs, and on-screen text. Standard analytics tools collect page URLs and events. On a healthcare website, a session recording can capture appointment types, provider names, condition information, and portal content that appears on screen. This makes session recordings a higher-risk category of behavioral data collection because the surface area for inadvertent PHI capture is substantially larger.
What happened to healthcare organizations that used client-side tracking tools?
Since 2023, healthcare organizations have paid over $193 million in combined settlements and enforcement actions related to tracking technologies. Kaiser Permanente settled for $47.5 million, Sutter Health for $21.5 million, and Advocate Aurora Health for $12.25 million. Every case involved standard marketing tools operating client-side. No case involved a sophisticated attack. All were self-inflicted through routine marketing technology choices.
What should I use instead of Hotjar for healthcare websites?
Look for a behavior analytics platform built on server-side architecture that signs a BAA covering the full data pipeline, holds SOC 2 Type II certification across all five trust criteria, and enforces consent server-side before any data flows. Pair it with a web scanner that continuously monitors your site for non-compliant scripts and third-party tracking. The goal is not to give up behavioral insights. It's to collect them through an architecture designed for healthcare from the ground up.