Is Klaviyo HIPAA Compliant?
When a Marketing Platform Becomes a Health Data Liability: The GoodRx Precedent
In February 2023, the FTC fined GoodRx $1.5 million for sharing prescription drug names, health conditions, and personal identifiers with Facebook, Google, and other advertising platforms through tracking pixels. A $25 million class action settlement followed. The mechanism was straightforward: marketing pixels on a health-related platform captured behavioral data and transmitted it to third parties alongside user identities.
The GoodRx case was the first enforcement action under the FTC's Health Breach Notification Rule. It established a principle that now applies far beyond prescription discount apps: when a marketing platform collects behavioral data on a health-related website and ties that behavior to a known individual, the data becomes a regulatory liability.
This principle matters for any healthcare or wellness organization evaluating Klaviyo. As an email and SMS marketing platform, Klaviyo relies on the same mechanism that undid GoodRx: it collects website behavioral data through a client-side tracking pixel, links that data to a known email address, and builds detailed customer profiles. On an e-commerce site selling shoes, that profile is a marketing asset. On a healthcare website, that same profile links a named patient to the specific condition pages they visited, the appointment types they browsed, and the health content they read.
How Klaviyo's Data Pipeline Works on Healthcare Sites
Understanding the compliance risk starts with understanding how Klaviyo collects and processes data. Klaviyo is not just an email sender. It is a behavioral data platform that builds customer profiles from multiple data sources.
The tracking pixel. Klaviyo's JavaScript snippet runs client-side in the visitor's browser. Once a visitor is identified (through an email click, form submission, or cookie match), the pixel records every page they visit, every link they click, and every action they take on the website. This data flows directly from the browser to Klaviyo's servers.
Email engagement tracking. Every email Klaviyo sends includes tracking pixels for opens and click-through tracking for links. When a patient opens a health newsletter or clicks a link to a condition-specific article, Klaviyo records that interaction and adds it to their profile.
Profile unification. Klaviyo merges all of this data into a single customer profile: email address, phone number, website browsing history, email engagement history, purchase or conversion events, and any custom properties the organization passes through its integration. On a healthcare website, this unified profile could contain a named individual's browsing history across condition pages, appointment booking flows, and patient education resources.
Segmentation and automation. Klaviyo's core value proposition is using this behavioral data to trigger automated flows and build audience segments. A wellness brand might create a segment of "users who viewed the diabetes management page three or more times." In a healthcare context, that segment is a list of identifiable individuals linked to a specific health condition.
The critical architecture point: all of this data collection happens client-side. The browser sends data directly to Klaviyo's infrastructure. The healthcare organization has no server-side intermediary to filter, redact, or control what gets transmitted.
The Missing BAA and What It Signals
Klaviyo does not offer a Business Associate Agreement. For any organization subject to HIPAA, this is a threshold issue.
A BAA is the legal contract that makes a vendor accountable as a Business Associate under HIPAA. It requires the vendor to safeguard protected health information (PHI), report breaches, and accept liability for mishandling health data. Without a BAA, there is no contractual obligation for Klaviyo to treat the data on its platform as PHI, even if it contains health information.
This gap is more than a paperwork issue. It signals how the platform was designed and for whom. Klaviyo was built for e-commerce marketing. Its data model assumes that behavioral profiles, purchase history, and engagement metrics are commercial data, not health data. The platform's infrastructure, access controls, data retention policies, and employee training reflect that assumption.
When a healthcare organization sends patient behavioral data to a platform that was not designed to handle health information, the organization bears full regulatory liability for any exposure. The platform has made no commitment to protect that data as PHI.
Behavioral Profiles as a Compliance Blind Spot
Many healthcare organizations evaluate email marketing platforms by asking whether the email content itself contains PHI. This framing misses the larger risk. The behavioral profile that Klaviyo builds around each contact is often more sensitive than the email content.
Consider a patient who receives a newsletter from a health system. They click through to an article about managing Type 2 diabetes. Later that week, they visit the health system's website directly and browse pages about endocrinology appointments and insulin pump options. Klaviyo's tracking pixel captures all of this activity and links it to the patient's email address and name.
The email itself might have been a generic wellness newsletter with no PHI. But the profile now contains a named individual's demonstrated interest in a specific chronic condition, inferred from their browsing behavior across multiple sessions. Under HHS's December 2022 guidance on tracking technologies, this combination of identity and health-related browsing behavior can constitute PHI. One caveat: in June 2024 a federal court in Texas vacated the part of that guidance that treated an IP address plus a visit to an unauthenticated condition page as PHI on its own. That ruling addressed the weakest form of the link; a visitor Klaviyo has already tied to an email address and a name is a far stronger one, and the rest of the guidance stands.
This is not a theoretical risk. It is the exact pattern that led to enforcement actions across the healthcare industry. Advocate Aurora Health paid $12.25 million to settle claims that Meta Pixel and Google Analytics on its website and patient portal exposed data from approximately 3 million patients. The tracking was installed to "better understand patient needs." The intent was benign. The data exposure was not.
Five Compliance Requirements Klaviyo Cannot Meet Today
Healthcare organizations evaluating any marketing technology should measure it against five compliance requirements. Here is how Klaviyo stacks up.
1. Business Associate Agreement. Klaviyo does not sign BAAs. Without this contract, there is no HIPAA accountability for data on the platform. Any PHI that reaches Klaviyo exists outside the organization's compliance perimeter.
2. SOC 2 Type II with all five trust criteria. Healthcare-grade compliance requires a SOC 2 Type II report covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only criterion an auditor must include, and many marketing platforms scope their report to it alone. The remaining four criteria address how data is handled, retained, and protected throughout its lifecycle. A SOC 2 report is an auditor's attestation over a stated scope, not a certification, so the scope is what to read: check Klaviyo's published report against all five criteria.
3. Server-side data collection. Klaviyo's tracking pixel is client-side JavaScript. Data flows from the patient's browser directly to Klaviyo's servers. The healthcare organization has no opportunity to inspect, filter, or redact health information before it leaves its infrastructure. Server-side architecture sends data from your servers to destinations, so the browser never communicates directly with third-party platforms. This is the architectural distinction between hoping nothing sensitive leaks and ensuring that nothing leaves without passing through a control you own.
4. Consent-gated data flows. In a compliant architecture, data only flows to downstream platforms after the patient has provided verifiable consent, enforced server-side. Client-side consent checks (JavaScript cookie banners) can be bypassed, delayed, or misconfigured. Klaviyo's pixel begins tracking immediately upon page load unless the organization implements its own blocking mechanism.
5. Continuous compliance monitoring. Installing a compliant tool does not mean your website remains compliant. Marketing teams add scripts, plugins update, and third-party tags load additional tags without anyone noticing. A web scanner that continuously crawls your site and detects every cookie, script, and tracking pixel is the difference between "we set it up right once" and "we know it's still right today." The enforcement cases above all involved tracking that had been running for months or years before anyone noticed.
The Consent Gap in Email Marketing
Healthcare compliance is moving toward patient-controlled data flows. State privacy laws are expanding, patient expectations around data use are rising, and regulators are paying closer attention to how health data moves through marketing technology stacks.
Email marketing sits at an interesting intersection of these trends. Patients may consent to receiving emails from their healthcare provider. They almost certainly have not consented to having their website browsing behavior tracked, profiled, and used for segmentation by a third-party marketing platform. The gap between "I agreed to get your newsletter" and "I agreed to let Klaviyo build a behavioral profile linking my identity to my health interests" is significant, and regulators have shown they take it seriously.
Monument, an alcohol addiction telehealth platform, was banned by the FTC from sharing health data for advertising after its tracking pixels disclosed data of up to 84,000 users to ad platforms. Custom pixel events had descriptive titles like "Paid: Weekly Therapy" and "Paid: Med Management," revealing the specific services users had purchased. These events were sent to Meta alongside email addresses and IP addresses. The lesson: even well-structured marketing workflows can expose sensitive health information when the underlying platform was not built for healthcare data.
Building a Compliant Email and Marketing Architecture
Healthcare organizations that need email marketing capabilities have options beyond hoping their current tools do not create exposure. A compliant architecture addresses the risks at their root.
Server-side data routing. Instead of client-side pixels that send data directly to marketing platforms, a server-side CDP collects behavioral data on your infrastructure first. You control exactly what data reaches downstream tools. Health-related page visits can be stripped of identifying context before any data leaves your servers.
Consent as a data gate. In a properly architected stack, consent is not a banner that sits on top of tracking. Consent determines whether tracking happens at all. Server-side consent verification means data only flows to marketing platforms after a patient has explicitly opted in, and that decision is enforced at the infrastructure level, not in JavaScript.
Ongoing scanning and detection. Even with server-side architecture, you need visibility into what is actually running on your website. A web scanner continuously crawls your pages and flags any scripts, cookies, or tracking pixels that lack a BAA, were added without review, or are sending data to third parties. This catches the marketing tag that someone added through a tag manager, the plugin update that introduced a new tracking script, or the embed code that loaded an unexpected third-party pixel.
First-party infrastructure. All data collection happens on your domain through custom endpoints. No third-party tracking domains are visible in the browser. Cookies set by your own server with a Set-Cookie header are not subject to the 7-day expiry cap that Safari's ITP applies to cookies written from JavaScript (cookies set through a CNAME-cloaked third-party host are still capped, so the endpoint has to be genuinely yours). No vendor fingerprint appears in the page source.
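As an added example (not Ours Privacy's, Klaviyo's or any vendor's code), here is the gating logic behind the server-side routing, consent gate and first-party points above, and behind requirements 3 and 4 earlier, written in Python. It assumes an event has already arrived at a first-party endpoint on your own domain; the consent purpose name, the list of health-related URL prefixes, the allow-listed fields and the sample events are all assumptions constructed for illustration.

```python
"""Server-side, consent-gated event routing (illustrative example, not vendor code).

Events arrive at a first-party endpoint on our own domain; no browser-side
pixel is involved. Every constant below (consent purpose, sensitive URL
prefixes, forwardable fields) is an assumption chosen for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed taxonomy: URL prefixes whose visits reveal a health interest.
SENSITIVE_PATH_PREFIXES = ("/conditions/", "/appointments/", "/treatments/", "/patient-portal/")

# Allow-list of fields a downstream marketing tool may receive at all.
FORWARDABLE_FIELDS = ("contact_id", "event", "timestamp")


@dataclass
class ConsentStore:
    """Server-side record of opt-ins; the browser never makes this decision."""
    _grants: dict = field(default_factory=dict)

    def grant(self, contact_id: str, purpose: str) -> None:
        self._grants.setdefault(contact_id, set()).add(purpose)

    def has(self, contact_id: str, purpose: str) -> bool:
        return purpose in self._grants.get(contact_id, set())


def is_sensitive_path(path: str) -> bool:
    return path.startswith(SENSITIVE_PATH_PREFIXES)


def route_event(event: dict, consent: ConsentStore) -> tuple[str, dict | None]:
    """Decide what, if anything, leaves our infrastructure for this event.

    Returns (decision, payload): decision is 'forward', 'hold' or 'drop';
    payload is the minimised record sent downstream, or None.
    """
    contact_id = event.get("contact_id")
    path = urlsplit(event.get("url", "")).path or "/"

    # Gate 1: no server-side consent record means nothing reaches a marketing tool.
    if not contact_id or not consent.has(contact_id, "marketing_tracking"):
        return "drop", None

    # Gate 2: health-related pages stay first-party even with consent. The event
    # is still counted locally ('hold'), but no identity-linked condition,
    # appointment or treatment detail is sent anywhere.
    if is_sensitive_path(path):
        return "hold", None

    # Gate 3: minimise. Query strings and fragments are discarded because they
    # carry search terms, form state and tokens; only allow-listed fields pass.
    minimised = {k: event[k] for k in FORWARDABLE_FIELDS if k in event}
    minimised["path"] = path
    return "forward", minimised


class Dispatcher:
    """Collects outbound payloads in place of a real downstream API call."""

    def __init__(self, consent: ConsentStore) -> None:
        self.consent = consent
        self.outbound: list[dict] = []
        self.held: list[dict] = []

    def handle(self, event: dict) -> str:
        decision, payload = route_event(event, self.consent)
        if decision == "forward":
            self.outbound.append(payload)
        elif decision == "hold":
            self.held.append({"contact_id": event["contact_id"], "event": event.get("event")})
        return decision


def demo() -> dict:
    """Constructed sample: two contacts, only c-1001 has a recorded opt-in."""
    consent = ConsentStore()
    consent.grant("c-1001", "marketing_tracking")
    d = Dispatcher(consent)
    events = [
        {"contact_id": "c-1001", "event": "page_view", "timestamp": 1,
         "url": "https://clinic.example/blog/healthy-sleep?utm_source=newsletter"},
        {"contact_id": "c-1001", "event": "page_view", "timestamp": 2,
         "url": "https://clinic.example/conditions/type-2-diabetes"},
        {"contact_id": "c-1001", "event": "page_view", "timestamp": 3,
         "url": "https://clinic.example/appointments/endocrinology?name=j.doe"},
        {"contact_id": "c-2002", "event": "page_view", "timestamp": 4,
         "url": "https://clinic.example/blog/healthy-sleep"},
    ]
    decisions = [d.handle(e) for e in events]
    return {"decisions": decisions, "outbound": d.outbound, "held": d.held}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running it shows the three outcomes side by side: the opted-in contact's blog visit is forwarded with its query string removed, the same contact's condition and appointment pages are held first-party, and the contact with no consent record produces nothing outbound at all. The order of the gates is deliberate: consent is checked before content, so a page classification bug can never leak data from someone who never opted in.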
Organizations like Ours Privacy provide this architecture: a server-side CDP with a comprehensive BAA, SOC 2 Type II across all five trust criteria, consent-gated dispatch, and continuous web scanning. The goal is not to avoid email marketing. It is to ensure that patient behavioral data stays within your compliance perimeter until you have verified consent to share it.
Frequently Asked Questions
Can I use Klaviyo if I only send non-clinical content like wellness tips?
The content of the email is only part of the equation. Klaviyo's tracking pixel records website browsing behavior and links it to each contact's profile. If your website contains any health-related pages, the behavioral profile Klaviyo builds may include health information regardless of what the email itself contains. The risk lives in the profile, not just the message.
Does Klaviyo's data processing agreement cover HIPAA requirements?
A standard data processing agreement (DPA) addresses general data privacy obligations, often under frameworks like GDPR or CCPA. It does not substitute for a Business Associate Agreement under HIPAA. A BAA carries specific requirements around PHI handling, breach notification timelines, and Business Associate liability that a DPA does not include. Klaviyo does not offer a BAA.
What if I disable Klaviyo's tracking pixel and only use it to send emails?
Disabling the tracking pixel reduces the behavioral data Klaviyo collects, but it does not eliminate compliance concerns. Klaviyo still processes email addresses (a patient contact list held by a covered entity is PHI, and the email address is one of the identifiers that makes it so), tracks email opens and link clicks, and stores contact properties that may include health information passed through integrations. Without a BAA, none of this data has HIPAA protections on Klaviyo's platform.
Are other email marketing platforms like Mailchimp or ActiveCampaign better options for healthcare?
Each platform should be evaluated against the same compliance requirements: BAA availability, SOC 2 Type II scope, data architecture, and consent handling. Most mainstream email marketing platforms share similar architectural patterns with Klaviyo, including client-side tracking and the absence of a BAA. The compliant approach is to route data through a server-side platform that controls what information reaches any downstream email tool.
How do I audit whether Klaviyo is already collecting PHI on my site?
Start by reviewing what data flows from your website to Klaviyo's servers. Check your Klaviyo account for tracked website events, customer properties, and segment definitions that reference health conditions, appointment types, or treatment categories. Then run a comprehensive scan of your website to identify all scripts and tracking pixels currently active. A continuous web scanning tool can automate this detection and flag healthcare-specific risks across every page.
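The script-and-pixel inventory this answer calls for, and the scanning described in requirement 5 and in the ongoing scanning paragraph above, reduced to a single-page check as an added example in Python (not Ours Privacy's scanner or any vendor's code). It parses page source for external script, image, iframe and preconnect loads and for inline tracker calls, then flags any host not on an allow-list of vendors you hold a BAA with. The tracker table, the inline markers and the sample page are constructed for the example. Static parsing only sees what is in the HTML; tags injected later by a tag manager show up only if you also record the browser's network requests after scripts run.

```python
"""Static scan of one HTML page for third-party scripts and tracking pixels.

Added example, not Ours Privacy's scanner or any vendor's code. Tracker table,
inline markers and sample page are constructed for illustration.
"""
from __future__ import annotations
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lookup table: host suffix -> vendor label (extend for your own estate).
KNOWN_TRACKER_HOSTS = {
    "klaviyo.com": "Klaviyo",
    "facebook.net": "Meta Pixel",
    "facebook.com": "Meta Pixel",
    "googletagmanager.com": "Google Tag Manager",
    "google-analytics.com": "Google Analytics",
}
# Assumed inline-script markers for the same vendors (not exhaustive).
INLINE_MARKERS = {
    r"\bfbq\s*\(": "Meta Pixel",
    r"\b_learnq\b|\bklaviyo\.(push|identify|track)\s*\(": "Klaviyo",
    r"\bgtag\s*\(|\bdataLayer\b": "Google Tag Manager",
}


class _ResourceCollector(HTMLParser):
    """Collects external resource URLs and the bodies of inline <script> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.resources: list[tuple[str, str]] = []  # (tag, url)
        self.inline_scripts: list[str] = []
        self._script_buf: list[str] | None = None  # None unless inside an inline script

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "link" and a.get("rel", "").lower() in ("preconnect", "dns-prefetch") and a.get("href"):
            self.resources.append(("link", a["href"]))
        if tag == "script":
            self._script_buf = None if a.get("src") else []

    def handle_data(self, data: str) -> None:
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag: str) -> None:
        if tag == "script" and self._script_buf is not None:
            code = "".join(self._script_buf)
            if code.strip():
                self.inline_scripts.append(code)
            self._script_buf = None


def _vendor_for(host: str) -> str | None:
    for suffix, vendor in KNOWN_TRACKER_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return None


def _same_or_sub(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def scan_page(page_html: str, site_domain: str, baa_hosts: frozenset[str] = frozenset()) -> list[dict]:
    """Return one finding per third-party load or inline tracker call.

    baa_hosts lists vendor host suffixes you hold a BAA with; anything else
    that leaves the first-party domain is reported with baa=False.
    """
    p = _ResourceCollector()
    p.feed(page_html)
    p.close()
    findings: list[dict] = []
    for tag, url in p.resources:
        host = urlsplit(url).hostname
        if host is None or _same_or_sub(host, site_domain):
            continue  # relative or first-party load: no third party involved
        findings.append({
            "kind": tag, "host": host,
            "vendor": _vendor_for(host) or "unknown",
            "baa": any(_same_or_sub(host, h) for h in baa_hosts),
        })
    for code in p.inline_scripts:
        for pattern, vendor in INLINE_MARKERS.items():
            if re.search(pattern, code):
                covered = any(_vendor_for(h) == vendor for h in baa_hosts)
                findings.append({"kind": "inline", "host": None, "vendor": vendor, "baa": covered})
                break
    return findings


def flagged(findings: list[dict]) -> list[dict]:
    """Findings that reach a party without a BAA: the ones to act on."""
    return [f for f in findings if not f["baa"]]


# Constructed sample page: a first-party bundle plus a Klaviyo loader, a Meta
# Pixel snippet and its image-beacon fallback, all with placeholder IDs.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://static.klaviyo.com">
<script src="/assets/app.js"></script>
<script async src="https://static.klaviyo.com/onsite/js/klaviyo.js?company_id=EXAMPLE"></script>
<script>
  !function(f,b,e,v){/* loader omitted */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
</head><body>
<h1>Endocrinology appointments</h1>
<img src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1" height="1" width="1">
<img src="https://clinic.example/img/logo.png" alt="">
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_HTML, "clinic.example"):
        print(f)
```

On the sample page this reports four findings (the Klaviyo preconnect hint and loader, the Meta Pixel image beacon, and the inline `fbq` call) and zero first-party ones. Passing `frozenset({"klaviyo.com"})` as the BAA allow-list clears the two Klaviyo entries and leaves the Meta Pixel flagged, which is the shape of output a continuous crawl should produce for every URL on the site. The image beacon matters: a pixel can survive as a bare `<img>` long after the script that installed it has been removed.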
Healthcare organizations need marketing tools that respect the compliance boundaries their patients expect. [Learn how Ours Privacy's server-side CDP and web scanner](https://www.oursprivacy.com) keep patient data within your compliance perimeter while enabling the marketing workflows your team needs.
Continue Learning
Explore more HIPAA compliance resources for healthcare marketers.
Tool Compliance Reviews
Find out which marketing tools are HIPAA compliant and which ones put your organization at risk.
Server-Side Tracking Guides
Replace risky client-side pixels with secure, compliant data collection that protects patient privacy.