Is Unbounce HIPAA Compliant?

Every form submission on an Unbounce landing page follows the same path. A visitor clicks a paid search ad, lands on a page hosted on Unbounce's infrastructure, fills out a form asking about their insurance provider and the procedure they need, and hits submit. That form data flows through Unbounce's servers. At the same time, the Meta Pixel fires a conversion event, Google Ads logs the click, and Google Analytics records the page visit. All of this happens in the visitor's browser, across multiple third-party connections, in milliseconds.

For healthcare organizations running patient acquisition campaigns, this architecture raises questions that go beyond conversion rates. When the landing page asks "What condition are you seeking treatment for?" and the form submission travels through Unbounce's servers while tracking scripts simultaneously send event data to ad platforms, the compliance picture becomes something worth evaluating carefully.

How Unbounce Landing Pages Handle Data

Unbounce is a landing page builder and conversion optimization platform. Healthcare organizations commonly use it for campaign-specific pages tied to paid search, social advertising, and display campaigns. These pages are designed to do one thing well: capture leads through forms.

The technical architecture has several layers that matter for compliance.

Hosting and form data. Unbounce pages are hosted on Unbounce's infrastructure, either on an Unbounce subdomain or on a custom domain via CNAME record. When a visitor submits a form, that data is transmitted to and stored on Unbounce's servers. For healthcare campaigns, these forms often collect names, phone numbers, email addresses, insurance information, and condition-specific responses. Unbounce stores this submission data and can forward it to your CRM, email marketing platform, or other integrations.

Client-side tracking scripts. Unbounce's builder makes it straightforward to add tracking scripts to landing pages. Most healthcare marketing teams add Google Analytics, the Meta Pixel, Google Ads conversion tags, and sometimes additional retargeting pixels. These scripts load in the visitor's browser and send data directly to their respective platforms. The page URL (which often contains campaign parameters indicating the condition or service), the visitor's IP address, browser metadata, and conversion events all flow to these third parties through client-side connections.

The combination problem. A landing page titled "Free Consultation for Knee Replacement" with a form asking about insurance and medical history, running a Meta Pixel and Google Ads tag, creates a specific pattern. The page URL tells ad platforms what health topic the visitor is researching. The conversion event confirms they submitted a form about it. The form data itself sits on Unbounce's servers. Health information is simultaneously present in multiple systems, none of which have signed a Business Associate Agreement with your organization.

The Compliance Bar for Healthcare Landing Pages

Healthcare organizations evaluating any landing page platform need to assess several requirements that go beyond standard marketing due diligence.

Business Associate Agreements

Under HIPAA, any vendor that receives, stores, or processes protected health information on behalf of a covered entity must sign a Business Associate Agreement. A BAA is a legal contract where the vendor accepts liability for safeguarding PHI and agrees to breach notification obligations, data handling restrictions, and permitted use limitations.

Unbounce does not sign BAAs. There is no enterprise tier, healthcare plan, or configuration option that changes this. Form submissions containing health information that pass through Unbounce's servers represent data handled by a vendor without a BAA in place.

This matters beyond the form data itself. If Unbounce's infrastructure stores a submission that includes a patient's name, phone number, and the specific procedure they are inquiring about, that combination constitutes PHI sitting on servers with no HIPAA-governed legal framework protecting it.

Audit Posture

SOC 2 Type II certification across all five trust service criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) is the standard that healthcare compliance teams should look for. Most SaaS vendors certify only Security, which confirms basic access controls and encryption but says nothing about how data is processed, whether it remains confidential, or how the vendor handles privacy obligations. Healthcare organizations should ask any landing page vendor for their SOC 2 report and check which criteria it covers.

The Tracking Script Layer

Even if the form data question were resolved, the tracking scripts running on Unbounce landing pages create a separate compliance surface. Each script loads in the visitor's browser and sends data to a third party. The Meta Pixel transmits page URLs, click events, and conversion data to Meta. Google Analytics sends similar information to Google. Google Ads conversion tags confirm that a visitor who clicked a health-related ad completed a form submission.

None of these platforms sign BAAs for their advertising and analytics products. The data they receive from healthcare landing pages flows into advertising ecosystems designed for targeting and optimization, not for safeguarding protected health information.

$193 Million in Settlements Started with This Same Pattern

The enforcement landscape since 2023 illustrates what happens when healthcare data flows through client-side tracking tools on pages that touch health information.

GoodRx paid $1.5 million to the FTC and $25 million in class action settlements after Meta Pixel and Google tracking pixels shared prescription drug names, health conditions, and personal identifiers with Facebook, Google, and other ad platforms. This was the first enforcement under the FTC Health Breach Notification Rule. The tracking was configured for standard advertising optimization. The violation was that health data flowed to ad platforms through pixels, which is exactly what happens when a Meta Pixel fires on a landing page about a specific medical procedure.

Advocate Aurora Health settled for $12.25 million after installing Meta Pixel and Google Analytics on its website and patient portal to "better understand patient needs." The tracking exposed data of approximately 3 million patients. The tools were installed for routine marketing analytics, the same reason healthcare teams add tracking scripts to Unbounce pages.

Aspen Dental reached an $18.4 million settlement after Meta Pixel and Google tracking tools on aspendental.com transmitted web user data, including appointment booking information, to Meta and Google without consent. Aspen Dental's situation is particularly relevant here: a healthcare organization using standard marketing tools on pages designed to capture patient appointments, with tracking scripts sending conversion data to ad platforms. This mirrors the typical Unbounce landing page setup for healthcare campaigns.

The pattern across all 15 major enforcement cases is the same. Healthcare organizations used standard marketing tools. Those tools operated client-side. Data flowed to third parties. The organizations did not realize the scope of what was being transmitted until regulators or plaintiffs identified it.

Building Landing Pages That Handle Healthcare Data Safely

Healthcare organizations running paid acquisition campaigns still need landing pages. They still need conversion tracking. The question is whether the architecture supports compliance rather than undermining it.

Server-side data collection. Instead of form data flowing to a third-party landing page host, a compliant architecture processes form submissions on your own infrastructure or through a vendor with a signed BAA covering the full data pipeline. This keeps health information within a governed environment from the moment it's collected.

Server-side conversion tracking. Rather than loading Meta Pixel, Google Ads tags, and analytics scripts in the visitor's browser, server-side tracking sends conversion data from your server to advertising platforms. The visitor's browser never communicates with Facebook, Google, or any third party. You control exactly what data is sent, and you can strip health-related identifiers before the data reaches any ad platform. A customer data platform built for healthcare can manage this routing with consent verification built in.

First-party infrastructure. Landing pages served from your own domain, with data collection happening through first-party endpoints and server-set cookies, eliminate the third-party data paths that regulators have targeted. No tracking endpoints visible in browser developer tools. No third-party JavaScript loading in the page source.

Consent-gated data flows. Consent and privacy requirements are expanding rapidly across state privacy laws and federal guidance. Building consent verification into the data architecture now (enforced server-side, not just through a JavaScript banner) positions healthcare organizations well as the regulatory landscape evolves. Data should only flow to analytics and advertising destinations after consent is verified at the server level.

Continuous site monitoring. Installing a compliant landing page solution does not guarantee your entire web presence remains compliant. Marketing teams add scripts. Plugins update. Third-party tags load other tags. A web scanner that crawls your site and landing pages on an ongoing basis detects every cookie, script, localStorage entry, and tracking pixel across every page. It flags which scripts lack a BAA, which cookies are set by third parties, and which tracking pixels are sending data to ad platforms. Every major enforcement case involved tracking that had been running for months or years before anyone noticed.

A real BAA and SOC 2 Type II. Any vendor handling healthcare lead data should sign a BAA covering the full data pipeline and hold SOC 2 Type II certification across all five trust criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Type II means sustained compliance over a review period, not a single point-in-time snapshot.

Ours Privacy provides server-side data collection and conversion tracking with a signed BAA, SOC 2 Type II across all five trust criteria, and consent-gated data dispatch built into the architecture.

Evaluating Unbounce for Your Healthcare Campaigns

If your organization is considering Unbounce or currently uses it, these are the questions to work through:

  1. Do your landing page forms collect health information? If forms ask about conditions, procedures, insurance, medications, or symptoms, the submissions likely contain PHI. That data is stored on Unbounce's servers without a BAA.

  2. What tracking scripts are running on your Unbounce pages? Open browser developer tools on any of your Unbounce landing pages and check the network tab. Count the third-party domains receiving data. Each one represents a data flow your organization is responsible for.

  3. Are your page URLs health-specific? A URL like yourpractice.com/free-knee-replacement-consultation tells every tracking script on the page what health topic the visitor is researching. That URL is transmitted to every analytics and advertising platform with active scripts.

  4. Where does form data go after Unbounce? If Unbounce forwards submissions to a CRM, email platform, or other tools via webhook or integration, each hop in the chain needs its own BAA and compliance evaluation.

  5. Who manages your tracking scripts? If marketing team members can add or modify scripts on Unbounce pages without compliance review, new tracking technologies can appear on healthcare landing pages without anyone evaluating their HIPAA implications.

  6. Are you monitoring for script changes? Third-party scripts can update their behavior without notifying you. A pixel that collected basic conversion data last month could start collecting additional signals today. Without continuous monitoring, you won't know.
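The third-party inventory that question 2 asks for, and the per-page script check the "Continuous site monitoring" section describes, as an added example that is not part of the original article: it parses a landing page's HTML with the Python standard library, treats anything not served from the page's own domain (or a subdomain of it) as a third-party data path, and labels the hosts it recognises. The tracker table, the practice domain and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lookup of well-known tracking hosts; illustrative, not exhaustive.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel (script)",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
    "googleads.g.doubleclick.net": "Google Ads conversion",
}

class _AssetCollector(HTMLParser):
    """Collects the URL of every resource the browser would fetch for the page."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.urls.append(a["href"])

def scan_page(html, page_url):
    """Return {host: label} for every resource not served from the page's own domain."""
    site_host = urlparse(page_url).hostname
    c = _AssetCollector()
    c.feed(html)
    findings = {}
    for u in c.urls:
        host = urlparse(u).hostname  # None for relative paths, i.e. first party
        if host and host != site_host and not host.endswith("." + site_host):
            findings[host] = KNOWN_TRACKERS.get(host, "unknown third party")
    return findings

# Constructed sample page: a first-party form script plus the tag set the article describes.
PAGE_URL = "https://example-practice.com/free-knee-replacement-consultation"
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=AW-000000"></script>
<script src="/assets/form.js"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
<link rel="stylesheet" href="https://cdn.example-practice.com/page.css">
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=000000&ev=PageView">
<iframe src="https://widgets.example-scheduler.test/book"></iframe>
</body></html>"""
```

A static scan only sees what is in the served HTML; tags that Google Tag Manager or another tag loads at runtime appear only in the browser's network tab, so compare the two lists when auditing a page.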

FAQ

Does Unbounce sign a Business Associate Agreement?

No. Unbounce does not offer a BAA and does not position itself as a HIPAA-compliant platform. There is no configuration, plan tier, or add-on that changes this. Without a BAA, any protected health information in form submissions stored on Unbounce's servers constitutes data handled outside the legal framework HIPAA requires.

Can I use Unbounce if my forms don't ask health questions directly?

Even if your forms only collect names, emails, and phone numbers, the context of the landing page matters. A form submission from a page titled "Schedule Your Bariatric Surgery Consultation" links the visitor's identity to a specific health interest. Combined with the page URL transmitted to tracking scripts, this context can constitute protected health information. The OCR's December 2022 guidance clarified that even IP addresses on health-related pages could constitute PHI when combined with health context.

Are the tracking scripts on Unbounce pages the bigger risk, or is it the form data?

Both create compliance exposure, but they create it through different mechanisms. Form data flows through Unbounce's servers and is stored there without a BAA. Tracking scripts send data from the visitor's browser directly to ad platforms and analytics providers, also without BAAs. The combination is what makes healthcare landing pages particularly high-risk: health information is simultaneously present in multiple systems, none of which are governed by HIPAA-compliant agreements.

What if I remove all tracking scripts from my Unbounce pages?

Removing tracking scripts eliminates the client-side data leakage to ad platforms and analytics providers. However, form submission data still flows through and is stored on Unbounce's servers without a BAA. You would also lose all conversion tracking for your paid campaigns, which defeats the primary purpose of running landing pages for patient acquisition. A better approach is to use a landing page infrastructure that handles both form data and conversion tracking through a compliant, server-side architecture.

How do I track conversions on healthcare landing pages without client-side pixels?

Server-side conversion tracking sends conversion data from your server to advertising platforms without involving the visitor's browser. A server-side CDP can receive form submission events, verify consent, strip sensitive identifiers, and then forward conversion signals to Google Ads, Meta, and other platforms. The ad platforms receive confirmation that a conversion occurred without receiving the health-related context that client-side pixels would have transmitted. This preserves campaign optimization while keeping health data out of advertising ecosystems.
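The server-side path described in this answer and in the "Server-side conversion tracking" and "Consent-gated data flows" sections above, as an added example that is not part of the original article or any vendor's product: the full form record stays in the governed system, consent is checked against a server-side record rather than a browser flag, and the only thing built for an ad platform is an allowlisted payload whose page URL has the health-revealing path and campaign parameters removed. The consent model, field names, sample submission and fixed clock are constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

ALLOWED_URL_PARAMS = {"gclid", "fbclid"}  # attribution click ids only (constructed policy)

@dataclass
class ConsentRecord:
    """Consent as recorded server-side; a browser-side banner flag is never trusted."""
    purposes: set
    granted_at: datetime
    ttl_days: int = 365

def consent_allows(record, purpose, now):
    if record is None or purpose not in record.purposes:
        return False
    return now - record.granted_at <= timedelta(days=record.ttl_days)

def scrub_page_url(url):
    """Keep scheme+host and attribution ids; drop the path and params that name the health topic."""
    p = urlparse(url)
    q = {k: v for k, v in parse_qs(p.query).items() if k in ALLOWED_URL_PARAMS}
    return urlunparse((p.scheme, p.netloc, "/", "", urlencode(q, doseq=True), ""))

def build_conversion_event(submission, consent, now=None):
    """Minimal payload an ad platform may receive, or None when dispatch is not permitted.
    Only the keys built here leave the governed system; contact and health answers never do."""
    now = now or datetime.now(timezone.utc)
    if not consent_allows(consent, "advertising", now):
        return None
    return {
        "event_name": "Lead",
        "event_time": int(now.timestamp()),
        "event_id": secrets.token_hex(8),  # dedup key, not derived from the person
        "event_source_url": scrub_page_url(submission["page_url"]),
    }

# Constructed sample data: a typical healthcare landing-page submission and a fixed clock.
SAMPLE_SUBMISSION = {
    "name": "Pat Example", "email": "pat@example.org", "phone": "555-0100",
    "condition": "knee pain", "insurance": "ExampleCare PPO",
    "page_url": "https://example-practice.com/free-knee-replacement-consultation"
                "?utm_campaign=knee-replacement&gclid=abc123",
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CONSENT_FRESH = ConsentRecord({"advertising", "analytics"}, NOW - timedelta(days=10))
CONSENT_EXPIRED = ConsentRecord({"advertising"}, NOW - timedelta(days=400))
CONSENT_ANALYTICS_ONLY = ConsentRecord({"analytics"}, NOW)
```

The allowlist is deliberately a positive list: a new form field added by the marketing team is dropped by default instead of leaking until someone notices.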