Is Pendo HIPAA Compliant?
When $47.5 Million Starts Inside a Patient Portal
In 2025, Kaiser Permanente agreed to a $47.5 million settlement after tracking code embedded in its patient portals and mobile apps transmitted health information to Google, Microsoft, Meta, and X. The exposure ran from 2017 to 2024 and affected 13.4 million members across nine states. The data included search terms, medical histories, and communications with healthcare professionals.
The detail that matters most for this discussion: the breach didn't originate from a public marketing page. It started inside authenticated environments where patients were actively managing their care. Patient portals, mobile apps, EHR dashboards. These are exactly the environments where Pendo is designed to operate.
Pendo is a product analytics and in-app guidance platform. Its JavaScript agent loads inside web applications to capture page views, feature clicks, guide interactions, NPS survey responses, and custom events. For SaaS companies building consumer software, that's a straightforward value proposition. For healthcare organizations running patient portals, telehealth platforms, or clinical dashboards, it introduces a question that demands careful evaluation: what happens when a product analytics agent runs inside an application where protected health information is actively displayed on screen?
How Pendo's Agent Operates Inside Your Application
Unlike marketing analytics tools that sit on public-facing websites, Pendo's JavaScript agent loads within the application itself. It runs in the page context of your product, which means it has the same access to the DOM (the document object model) as your own front-end code, on every page where it is loaded.
For a healthcare software company, consider what that means in practice. When a patient logs into a portal and views their lab results, Pendo's agent is present on that page. When a clinician opens an EHR dashboard and reviews a patient's medication list, the agent is active in that same browser context. When a care coordinator uses a scheduling tool that displays patient names alongside appointment reasons, the agent is running there too.
Pendo provides data exclusion rules that allow teams to configure which elements the agent should ignore. You can tell Pendo to skip certain CSS selectors, exclude specific page sections, or suppress data from particular URLs. These are configuration-based controls, meaning they rely on your team correctly identifying every element that contains PHI and maintaining those exclusion rules as your application changes over time.
This is a fundamentally different risk profile than tools that operate on public marketing pages. Pendo lives inside the authenticated perimeter of your product, where PHI isn't just possible; it's the core content.
The BAA Exists, But Architecture Still Matters
Pendo does offer a Business Associate Agreement for healthcare customers on certain plans. This is a meaningful step. It means Pendo is willing to accept contractual liability as a Business Associate under HIPAA for the data it processes. Pendo also holds a SOC 2 Type II report, an independent auditor's attestation that its controls operated effectively over a review period (SOC 2 is an attestation report, not a certification, despite the common shorthand).
However, a BAA covers the contractual and procedural layer of compliance. It doesn't change the architectural reality of how data flows. Here's why that distinction matters.
With Pendo's client-side agent, data capture happens in the browser. The JavaScript agent reads information from the page, packages it, and sends it to Pendo's servers. Even with exclusion rules configured, the agent is operating in an environment saturated with PHI. A new feature ships with a patient name in a tooltip. A third-party component renders a diagnosis code in a data attribute. A developer adds a form field that captures a medical record number. Any of these changes can introduce PHI into Pendo's data stream without anyone realizing it.
Configuration-based exclusion requires your team to anticipate every possible PHI exposure point and update the rules every time your application changes. That's an ongoing operational burden, and the enforcement record shows how often organizations fail to maintain it.
Compare this to a server-side architecture, where the analytics payload is assembled on your servers rather than in the browser. Your application code decides which events and fields to send; PHI can be stripped, hashed, or excluded before anything leaves your infrastructure, and the browser never communicates with the analytics vendor directly. There is no DOM access, no CSS-selector drift, and no accidental capture through page content changes. The remaining review surface is the event schema your own code emits, which is versioned and reviewable, rather than every element on every page.
Patient Portal Tracking: A Pattern Regulators Are Watching
The Kaiser case wasn't an isolated incident. Regulators and courts have made it clear that tracking technology inside patient portals represents a specific, high-risk category.
Novant Health settled for $6.66 million after deploying Meta Pixel on its websites and MyChart patient portal. The pixel collected and shared PHI of approximately 1.3 million individuals with Facebook between May 2020 and August 2022. Henry Ford Health paid $12.2 million for using Meta Pixel and Google tracking technologies on its website and MyChart patient portal between January 2020 and December 2023, affecting over 819,000 consumers.
These cases involved marketing pixels, not product analytics tools. But the underlying exposure is the same: client-side code running inside an authenticated environment where PHI is displayed. The tracking technology captured data from pages that contained health information, and that data flowed to third parties.
Pendo is not a marketing pixel. Its purpose is product analytics and user guidance, not advertising. But from a HIPAA compliance perspective, the regulatory question isn't about intent. It's about whether PHI is being transmitted to a third party, and whether appropriate safeguards are in place to prevent that transmission.
When HHS OCR issued its December 2022 guidance on tracking technologies, it clarified that HIPAA-regulated entities may not use tracking pixels, cookies, session replay, or fingerprinting in ways that disclose PHI to tracking vendors. The guidance specifically called out authenticated pages as high-risk environments. While portions of this guidance were later vacated by a Texas federal court, the enforcement trend is unmistakable: $193 million or more in combined settlements and enforcement actions since 2023, with every major case involving standard tracking tools that organizations deployed without fully understanding the data exposure.
Five Questions to Evaluate Before Deploying Pendo in Healthcare
If your organization is considering Pendo for a healthcare application, these are the evaluation criteria that separate checkbox compliance from genuine risk mitigation.
1. Does the BAA cover your specific use case? Not all BAAs are created equal. Some exclude certain data categories, analytics data, or guide interaction data. Review the specific terms of Pendo's BAA to confirm it covers the full data pipeline: collection by the agent, processing, storage, and any onward transmission. Confirm the BAA applies to your plan tier.
2. Can you maintain exclusion rules as your application evolves? Pendo's data exclusion rules work at the point of configuration. Every sprint, every new feature, every UI change introduces the potential for PHI to appear in a new element that isn't covered by your exclusion rules. Do you have a process to audit and update these rules with every release? Who is responsible for reviewing new UI components for PHI exposure?
3. What does ongoing compliance monitoring look like? Setting up a compliant configuration once is not enough. Your application changes, Pendo updates its agent, and new integrations can alter data flows. Organizations that take compliance seriously use continuous web scanning to detect every cookie, script, localStorage entry, and tracking request across every page. This catches drift before it becomes a breach. Without ongoing scanning, you're relying on the assumption that nothing has changed since your last manual review.
4. Is there an architectural alternative that reduces risk? Server-side analytics architectures collect data on your servers and send only sanitized, allowlisted events to analytics platforms. The browser never communicates with the analytics vendor. This removes the category of risk that comes with a client-side JavaScript agent reading pages in PHI-rich environments; what remains is the event schema your own code defines, which can be reviewed in a pull request. A BAA plus server-side architecture is fundamentally stronger than a BAA plus client-side configuration rules.
5. How does consent management integrate? State privacy laws and patient expectations are pushing healthcare toward consent-gated data flows. Can Pendo's agent respect consent preferences server-side (not just through a JavaScript check that can be bypassed)? Is guide display and analytics collection gated on verified consent status?
Building a Stack That Doesn't Depend on Configuration Perfection
The challenge with any client-side tool in a healthcare environment isn't whether it can be configured correctly. It's whether it will remain correctly configured over time, across teams, through application changes, and as the regulatory bar continues to rise.
A healthcare-grade analytics architecture addresses this at the foundation:
Server-side data collection means your servers control what data reaches analytics platforms. PHI is stripped before it leaves your infrastructure, not after it arrives at a vendor's servers. There's no agent in the browser reading from the DOM of pages that contain patient data.
First-party infrastructure keeps all data collection on your domain. No third-party endpoints appear in browser DevTools, and no vendor fingerprint is visible in page source. Cookies set in HTTP responses from your own domain are also not subject to the seven-day cap that Safari ITP applies to script-set cookies (Safari does still apply that cap when the first-party hostname is a CNAME to a third party, so the collection endpoint needs to resolve to infrastructure you control).
SOC 2 Type II covering all five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) means independent auditors have examined the full scope of data handling. Security is the only criterion a SOC 2 report must include, and many vendors scope their report to Security alone. All five criteria reflect the rigor that healthcare data demands.
Continuous web scanning crawls your site and application on an ongoing basis, flagging every script, cookie, and tracking request. It identifies which third-party resources lack a BAA, which scripts are setting cookies without consent, and which tracking requests are sending data to platforms that shouldn't receive it. Every enforcement case cited above involved tracking that had been running for years before anyone noticed. Ongoing scanning is what closes that gap.
Consent-gated dispatch ensures data flows only after consent is verified server-side. Bot detection filters non-human traffic automatically. These aren't optional features for healthcare; they're the baseline for where compliance is heading.
Ours Privacy was built from the ground up for healthcare organizations that need product analytics, session replay, and tag management without the architectural risks of client-side agents operating inside PHI-rich environments.
Frequently Asked Questions
Does Pendo sign a BAA for healthcare customers?
Yes. Pendo offers a Business Associate Agreement for healthcare customers on certain plan tiers. This is a necessary step for HIPAA compliance, but a BAA alone doesn't address the architectural risks of a client-side agent running inside applications where PHI is displayed. Review the specific terms to confirm coverage of your data flows.
Can Pendo's data exclusion rules prevent PHI capture?
Pendo provides configuration-based exclusion rules that let you specify CSS selectors, page sections, and URLs to exclude from data capture. These rules work when correctly configured and maintained, but they require ongoing vigilance. Every application update can introduce new PHI-containing elements that aren't covered by existing rules. The rules depend on your team identifying every possible PHI exposure point, which becomes harder as your application grows.
Is Pendo safer than a marketing pixel for healthcare applications?
Pendo serves a different purpose than marketing pixels like Meta Pixel or Google Analytics, and it offers a BAA and a SOC 2 Type II report that most marketing pixels do not. However, the fundamental architectural pattern is similar: a client-side JavaScript agent running inside an authenticated environment and capturing data from pages where PHI is present. The risk category is the same even though the business purpose differs.
What's the difference between Pendo's client-side approach and server-side analytics?
Pendo's JavaScript agent runs in the user's browser and reads data from the page DOM, then transmits it to Pendo's servers. Server-side analytics collect data on your own servers and send only the specific events and fields you choose to analytics platforms. The browser never communicates with the analytics vendor. This architectural difference means server-side collection cannot accidentally capture PHI from page content, DOM attributes, or the browser's URL; the only data that can reach the vendor is what your server code explicitly places in an event, so the thing to review is that schema rather than every page.
Should healthcare organizations stop using Pendo entirely?
This article isn't a recommendation to stop using Pendo. It's a framework for evaluating whether Pendo's architecture meets your organization's compliance requirements for the specific environment where you plan to deploy it. For non-healthcare products, Pendo is a capable analytics and guidance platform. For healthcare applications where PHI is displayed, the evaluation comes down to whether configuration-based safeguards provide sufficient protection, or whether an architecture that prevents PHI exposure by design is the more appropriate choice.
Looking for analytics that work inside healthcare applications without client-side risk? Learn how [server-side tracking eliminates the pixel problem](/learn/server-side-vs-client-side-tracking-why-healthcare-cant-use-pixels-anymore) or explore the full [HIPAA-compliant tools guide](/learn/hipaa-compliant-tools). You can also read our evaluations of similar tools: [Is Mixpanel HIPAA Compliant?](/learn/is-mixpanel-hipaa-compliant), [Is Amplitude HIPAA Compliant?](/learn/is-amplitude-hipaa-compliant), and [Is Heap HIPAA Compliant?](/learn/is-heap-hipaa-compliant).