Is Microsoft Clarity HIPAA Compliant?

In 2024, Advocate Aurora Health finalized a $12.25 million settlement after installing analytics tools on its website, app, and patient portal to "better understand patient needs." The tools were mainstream. The intent was benign. The result was a class action lawsuit covering approximately 3 million patients whose data had been shared with Meta and Google without consent from 2017 to 2022.

The lesson from Advocate Aurora is not that the organization acted recklessly. It's that well-intentioned analytics deployments, especially free ones that feel low-risk, can quietly create massive liability. Microsoft Clarity fits squarely in this category: a free behavior analytics tool from a trusted brand, offering session recordings and heatmaps with no usage limits. For healthcare organizations evaluating it, the combination of "free" and "Microsoft" creates a sense of security that the tool's actual architecture does not support.

When "Free from Microsoft" Creates a False Sense of Compliance

Microsoft is a legitimate enterprise vendor. Azure supports BAAs. Microsoft 365 supports BAAs for certain services. Microsoft has invested billions in healthcare cloud infrastructure. So when a healthcare marketing team discovers that Microsoft offers a free behavior analytics tool, the assumption is reasonable: surely Microsoft built this with enterprise compliance in mind.

That assumption is wrong for Clarity specifically. Microsoft's BAA coverage extends to Azure services and select Microsoft 365 products. Clarity is not included. It operates as a standalone free product with its own terms of service and its own data handling practices that sit outside Microsoft's healthcare compliance umbrella.

This distinction matters because the Microsoft brand carries implicit trust. A marketing director who would scrutinize a no-name session recording tool before deploying it on a healthcare site might install Clarity without a security review because "it's Microsoft." The brand association becomes a compliance risk in itself, bypassing the evaluation process that would catch the gaps.

How Clarity Captures and Processes Behavioral Data

Microsoft Clarity works by injecting a JavaScript snippet into your website. Once installed, the script runs in every visitor's browser and captures two primary data streams.

Session recordings reconstruct the visitor's experience by capturing DOM content, mouse movements, clicks, scrolls, and form interactions. Unlike traditional analytics that log events and page URLs, session recordings capture what was visually present on the page. On a healthcare website, that includes appointment types, provider names, condition descriptions, intake form fields, and any clinical information displayed to the visitor.

Heatmaps aggregate click, scroll, and attention data across all visitors on a given page. While heatmaps are less granular than session recordings, they still require the same client-side JavaScript to collect the underlying interaction data.

All of this data flows from the visitor's browser directly to Microsoft's servers. Your organization does not control the transmission path, the processing logic, or the storage infrastructure. This is the same client-side architecture that has been at the center of every major healthcare tracking enforcement action since 2023.

There's an additional layer to consider. Clarity integrates directly with Google Analytics, combining behavioral recording data with traditional analytics. It also operates under Microsoft's privacy terms, which allow Microsoft to use data collected through Clarity to improve Microsoft products and services. For healthcare organizations, this means behavioral data from your patients could be used for purposes entirely outside your control or awareness.

The Missing BAA and What It Means

Under HIPAA, any vendor that receives, stores, or processes protected health information on behalf of a covered entity must sign a Business Associate Agreement. A BAA is a legal contract where the vendor accepts responsibility for safeguarding PHI and agrees to breach notification obligations, data handling restrictions, and permitted use limitations.

Microsoft does not sign BAAs for Clarity. This is not a gap that can be closed through configuration, an enterprise upgrade, or a conversation with a Microsoft sales representative. Clarity is a free product with no compliance tier.

Without a BAA, any PHI that reaches Microsoft's servers through Clarity constitutes an impermissible disclosure under HIPAA. The fact that the disclosure was unintentional does not reduce liability. The fact that Microsoft is a large, trusted company does not change the legal framework. The BAA is a binary requirement: either the vendor has signed one covering the data in question, or the disclosure is impermissible.

Consider what Clarity's session recordings capture on a typical healthcare website. A patient visits a provider directory and views a cardiologist's profile. They navigate to an appointment scheduling page that displays available times for "New Patient Cardiology Consultation." They begin filling out an intake form with their name, date of birth, and reason for visit. Every step of this journey is recorded by Clarity's JavaScript and transmitted to Microsoft's infrastructure. Without a BAA, each frame of that recording is a potential HIPAA violation.

Three Cases That Show How This Plays Out

The enforcement landscape since 2023 provides concrete examples of what happens when healthcare organizations use client-side analytics and recording tools without adequate compliance safeguards.

Kaiser Permanente reached a $47.5 million settlement after its websites, patient portals, and mobile apps transmitted health information to Google, Microsoft, Meta, and X from 2017 to 2024. The breach affected 13.4 million members across nine states. The data included search terms, medical histories, and communications with healthcare professionals. Notably, Microsoft was one of the third parties receiving data in this case, illustrating that even data flowing to Microsoft can trigger enforcement when it's transmitted without proper agreements and consent.

Sutter Health settled for $21.5 million after implementing Google Analytics and the Meta Pixel on its MyHealthOnline patient portal. The tools tracked and disclosed private patient data to Google and Facebook without authorization. The class period covered California residents who logged into their portal from June 2015 through March 2020. These were standard analytics tools, installed for routine measurement and running for years before anyone raised a flag.

Across all 15 major enforcement actions since 2023, healthcare organizations have paid over $193 million in combined settlements and penalties. Every case involved standard marketing and analytics tools. No case involved a sophisticated cyberattack. All were self-inflicted through routine technology choices that seemed harmless at deployment.

Why Session Recording Tools Carry Elevated Risk

Standard analytics tools like Google Analytics collect structured data: page URLs, event names, referral sources, and session metadata. Session recording tools capture something fundamentally different: a visual reconstruction of the visitor's entire experience.

This distinction is critical for healthcare. A Google Analytics event might log that a visitor reached /appointments/confirm. A session recording captures everything visible on that confirmation page: the patient's name, the provider they selected, the appointment type, the date and time, and any clinical context displayed alongside it.

Clarity's session recordings reconstruct pages by capturing the DOM, which means they capture the page's content as rendered in the browser. On healthcare websites, DOM content regularly includes condition names, provider specialties, medication references, insurance information, and appointment details. Clarity does provide some content masking capabilities, but these operate client-side and require manual configuration. Every element containing sensitive data must be identified and tagged for suppression. As pages change, new content appears, and marketing teams add features, the masking rules must be maintained continuously. Anything that slips through gets recorded and sent to Microsoft.

This manual, client-side masking approach is fundamentally fragile. It assumes perfect knowledge of every sensitive element across every page of your site at all times. In practice, healthcare websites are dynamic. Content management systems generate pages from templates. Third-party widgets inject content. Marketing teams create landing pages. The surface area for PHI exposure grows constantly, and client-side masking can only protect against the risks you already know about.

Building a Compliant Behavioral Analytics Stack

Healthcare organizations have a legitimate need to understand how patients and visitors interact with their digital properties. The question is not whether to collect behavioral insights. It's how to collect them through an architecture that was designed for healthcare from the start.

Server-side collection and processing. Behavioral data should be captured on your infrastructure and processed before it reaches any vendor. Server-side architecture ensures that the visitor's browser never communicates with a third-party analytics server. You control what data is collected, how it's processed, and what reaches any downstream destination. This eliminates the browser-to-third-party data path that regulators and plaintiffs have targeted in every enforcement case.

First-party data infrastructure. Data collection should happen through your domain using server-set cookies. No third-party JavaScript visible in page source. No vendor-specific tracking endpoints in browser developer tools. This architecture is also immune to Safari's Intelligent Tracking Prevention and ad blockers, which increasingly interfere with client-side analytics accuracy.

Consent verification before data flows. Healthcare compliance is moving rapidly toward consent as a foundational requirement. State privacy laws are expanding, patient expectations are rising, and regulators are scrutinizing whether organizations obtained meaningful consent before sharing data. A compliant architecture enforces consent server-side. Data only flows to analytics destinations after consent has been verified at the server level, not through a JavaScript banner that can be misconfigured or bypassed.
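The three components above (server-side collection, first-party infrastructure, and server-side consent verification) can be sketched as one small gate that every behavioral event passes through before anything leaves your infrastructure. This is an added example written for this article, not code from Ours Privacy or any vendor; the `ConsentStore`, `gate_event`, the allowlist of outbound fields, the sensitive path markers and the sample event are all assumptions constructed for illustration.

```python
"""Server-side consent gate and PHI scrubbing before any analytics dispatch.

Added example, not the page's or any vendor's code. ConsentStore, gate_event,
ALLOWED_FIELDS and SENSITIVE_PATH_MARKERS are assumptions made for illustration;
the field names in the sample event are constructed, not taken from a real site.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Fields an analytics destination is allowed to see. Anything not listed is
# dropped server-side, so a newly added intake field cannot leak by default.
ALLOWED_FIELDS = frozenset({"visitor_id", "event", "path", "timestamp"})

# Path segments that introduce clinical context (assumed site structure);
# whatever follows them (provider slug, condition name) is masked.
SENSITIVE_PATH_MARKERS = ("/providers/", "/conditions/", "/appointments/")


@dataclass
class ConsentStore:
    """Server-side record of consent keyed by a first-party visitor id.
    The browser never decides this; a banner only posts the choice here."""
    _records: dict = field(default_factory=dict)

    def record(self, visitor_id: str, analytics: bool) -> None:
        self._records[visitor_id] = analytics

    def has_analytics_consent(self, visitor_id: str) -> bool:
        # Unknown visitor means no consent: the gate fails closed.
        return self._records.get(visitor_id, False)


def scrub_path(url: str) -> str:
    """Keep the route, drop query string and fragment, and mask the identifier
    that follows a clinical path segment."""
    parts = urlsplit(url)
    path = parts.path
    for marker in SENSITIVE_PATH_MARKERS:
        if marker in path:
            head, _, _ = path.partition(marker)
            path = head + marker + "[masked]"
            break
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def gate_event(event: dict, consent: ConsentStore) -> Optional[dict]:
    """Return the event that may leave your infrastructure, or None.

    1. Verify consent server-side for this visitor (never trust the client).
    2. Drop every field not on the allowlist (form values, name, DOB, ...).
    3. Scrub the URL so condition and provider identifiers never reach a vendor.
    """
    visitor_id = event.get("visitor_id")
    if not visitor_id or not consent.has_analytics_consent(visitor_id):
        return None
    outbound = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    if "path" in outbound:
        outbound["path"] = scrub_path(outbound["path"])
    return outbound


# Constructed sample: an intake-form submission captured on your own server.
SAMPLE_EVENT = {
    "visitor_id": "v1",
    "event": "form_submit",
    "path": "https://example-health.test/appointments/new-patient-cardiology?reason=chest+pain",
    "timestamp": 1,
    "name": "Jane Sample",          # PHI: must never be forwarded
    "dob": "1980-01-01",            # PHI: must never be forwarded
}

if __name__ == "__main__":
    store = ConsentStore()
    store.record("v1", analytics=True)
    print(gate_event(SAMPLE_EVENT, store))       # redacted, scrubbed event
    print(gate_event({**SAMPLE_EVENT, "visitor_id": "v2"}, store))  # None
```

The point of the allowlist is that the default for an unknown field is "drop", which is the opposite of client-side masking, where the default for an untagged element is "record". A real deployment would back `ConsentStore` with a database and tie the visitor id to a server-set first-party cookie.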

Continuous site monitoring. Installing a compliant analytics tool does not make your entire website compliant. Marketing teams add scripts. Plugins update and introduce new tracking. Third-party tags load additional tags you never approved. A web scanner that crawls your site on a recurring basis detects every cookie, script, localStorage entry, and tracking pixel across every page. It identifies which scripts lack a BAA, which cookies come from third parties, and which data is flowing to platforms without agreements in place. Every enforcement case referenced above involved tracking that had been active for years before discovery.
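Two of the checks described on this page, the fragility of per-element client-side masking (every sensitive field must be tagged, and a field added later by a template change is recorded by default) and a recurring scan for third-party scripts that lack a BAA, can share one static page audit. This is an added example written for this article, not code from the page, from Clarity or from any scanner product; the sample HTML, the vendor hostnames, the BAA allowlist and the `data-mask` attribute name are all constructed assumptions (set `MASK_ATTR` to whatever attribute your recorder actually honours).

```python
"""Static audit of a rendered page for (a) sensitive form fields that are not
tagged for masking and (b) scripts served from hosts without a signed BAA.

Added example, not the page's or any vendor's code. SAMPLE_PAGE, the hostnames
and BAA_VENDORS are constructed; MASK_ATTR is an assumed attribute name.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

MASK_ATTR = "data-mask"  # assumed per-element masking attribute
SENSITIVE_NAME_HINTS = ("name", "dob", "birth", "reason", "diagnosis",
                        "insurance", "member", "condition")

# Constructed allowlist: only hosts with a signed BAA may receive page data.
BAA_VENDORS = frozenset({"collector.baa-vendor.test"})


class PageAuditor(HTMLParser):
    """Collects script hosts and sensitive-looking inputs as the page is parsed."""

    def __init__(self, first_party_host: str):
        super().__init__()
        self.first_party_host = first_party_host
        self.scripts = []          # (host, src)
        self.unmasked_fields = []  # (tag, field name)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            # Relative src resolves to the first-party host.
            host = urlsplit(a["src"]).netloc or self.first_party_host
            self.scripts.append((host, a["src"]))
        if tag in ("input", "textarea", "select"):
            name = (a.get("name") or a.get("id") or "").lower()
            looks_sensitive = any(h in name for h in SENSITIVE_NAME_HINTS)
            masked = (a.get(MASK_ATTR) or "").lower() == "true"
            if looks_sensitive and not masked:
                self.unmasked_fields.append((tag, name))

    def third_party_scripts(self):
        return [(h, s) for h, s in self.scripts if h != self.first_party_host]

    def scripts_without_baa(self):
        return [(h, s) for h, s in self.third_party_scripts() if h not in BAA_VENDORS]


def audit_page(html: str, first_party_host: str) -> dict:
    """Run both checks over one page and return the findings."""
    p = PageAuditor(first_party_host)
    p.feed(html)
    return {
        "unmasked_fields": p.unmasked_fields,
        "third_party_scripts": p.third_party_scripts(),
        "scripts_without_baa": p.scripts_without_baa(),
    }


# Constructed intake page: two fields were masked when the recorder was set up,
# a textarea was added later by a template change and never tagged.
SAMPLE_PAGE = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://collector.baa-vendor.test/collect.js"></script>
<script src="https://recorder.vendor-example.test/tag/PROJECT_ID_PLACEHOLDER"></script>
</head><body>
<form action="/appointments/intake" method="post">
  <input name="patient_name" data-mask="true">
  <input name="dob" type="date" data-mask="true">
  <input name="appt_time" type="text">
  <textarea name="reason_for_visit"></textarea>
</form>
</body></html>
"""

if __name__ == "__main__":
    for key, value in audit_page(SAMPLE_PAGE, "example-health.test").items():
        print(key, value)
```

Run against the sample, the audit reports `reason_for_visit` as an unmasked sensitive field and `recorder.vendor-example.test` as a third-party script with no BAA, while the allowlisted collector passes. A recurring scanner would fetch each page of the site, run this audit, and alert on any new entry in either list; the name heuristics are deliberately simple and should be tuned to your own form vocabulary.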

A BAA that covers the full pipeline. Not a BAA that excludes behavioral data, session recordings, or data from unauthenticated pages. The agreement should cover collection, processing, storage, and transmission of all data the tool handles.

SOC 2 Type II across all five trust criteria. Security alone (1 of 5) is table stakes. All five criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) verified by independent auditors over a sustained review period demonstrate the rigor healthcare data demands.

Ours Privacy provides server-side session replay, heatmaps, and behavioral analytics with a signed BAA, SOC 2 Type II certification covering all five trust criteria, first-party infrastructure, and consent-gated data dispatch built into the architecture.

FAQ

Does Microsoft sign a BAA for Clarity?

No. Microsoft does not offer a Business Associate Agreement for Clarity. While Microsoft signs BAAs for Azure and certain Microsoft 365 services, Clarity operates as a separate free product outside that compliance framework. There is no paid tier, enterprise option, or configuration that changes this. Without a BAA, using Clarity on pages where PHI could be present creates an impermissible disclosure under HIPAA.

Can I configure Clarity's masking features to prevent PHI capture?

Clarity offers content masking that lets you suppress specific page elements from session recordings. However, masking operates client-side and requires manual identification of every sensitive element across every page. Healthcare websites are dynamic: new pages are created, content management systems generate content from templates, and marketing teams add features continuously. Any element not explicitly masked gets captured and transmitted. Even with comprehensive masking, the absence of a BAA means there is no legal framework governing how Microsoft handles data that does reach their servers.

Is Clarity safe because it's from Microsoft?

Microsoft's enterprise compliance credentials do not extend to all Microsoft products. Clarity is a free, standalone tool with its own terms of service and data handling practices. Microsoft's privacy policy for Clarity allows data to be used to improve Microsoft products. The brand association should not substitute for a proper compliance evaluation. The same due diligence you would apply to any third-party tool should apply to Clarity, regardless of the company behind it.

Does Clarity's Google Analytics integration create additional risk?

Yes. Clarity can be linked directly to a Google Analytics property, combining session recording data with traditional analytics data. If your Google Analytics implementation is also running client-side without a BAA (Google does not sign BAAs for standard Google Analytics), you now have two non-compliant tools sharing data with each other and with their respective parent companies. This compounds the compliance exposure rather than reducing it.

What should I use instead of Microsoft Clarity for healthcare websites?

Evaluate behavior analytics vendors that offer server-side session recording with a signed BAA, SOC 2 Type II covering all five trust criteria, and server-side consent enforcement. Pair any analytics tool with a web scanner that continuously monitors your site for non-compliant scripts and third-party tracking. The goal is not to stop collecting behavioral data. It's to collect it through an architecture that keeps patient data under your control from the first interaction to the last.