Is VWO HIPAA Compliant?
Before installing any conversion optimization tool on a healthcare website, compliance teams should know exactly what bar that tool needs to clear. The question is not whether VWO has useful features. It does. The question is whether its architecture, legal agreements, and data handling practices meet the standard that HIPAA and recent enforcement actions have set for tools that touch patient-facing web properties.
This article starts with that standard: a compliance evaluation framework for experimentation and behavior analytics tools used on healthcare websites. Then it evaluates VWO, product by product, against each criterion.
Six Criteria for Healthcare-Grade Experimentation and Analytics Tools
Any tool that runs on a healthcare website and collects behavioral data needs to satisfy all six of the following requirements. Missing even one creates exposure.
1. A Business Associate Agreement covering the full data pipeline. Under HIPAA, any vendor that receives, stores, processes, or transmits PHI on behalf of a covered entity must sign a BAA. The agreement should cover every data type the tool collects, not just a subset the vendor defines as "in scope." A BAA that carves out behavioral data, experimentation data, or recordings is not sufficient.
2. SOC 2 Type II certification across all five trust criteria. Security, Availability, Processing Integrity, Confidentiality, and Privacy. Most vendors certify only Security (one of five). That confirms basic access controls and encryption. It says nothing about whether data is processed accurately, kept confidential, or handled in accordance with privacy commitments. Type II (not Type I) means the audit covers a sustained review period rather than a single point-in-time snapshot.
3. Server-side data collection architecture. Client-side JavaScript loads in the visitor's browser, observes the page, and sends data directly to the vendor's servers. Server-side collection happens on your infrastructure, giving you control over what data leaves your environment and where it goes. This is the architectural divide that separates every major healthcare tracking enforcement case from every organization that avoided one.
4. First-party infrastructure. Data collection should happen on your domain, through your DNS, using server-set cookies. No third-party JavaScript fingerprints in the page source. No tracking endpoints visible in browser developer tools.
5. Consent-gated data dispatch verified server-side. Data should not flow to any destination until consent has been confirmed on the server. A JavaScript consent check can fail to load, be blocked by an ad blocker, or execute after tracking scripts have already fired. Server-side consent gating ensures data physically does not move until consent is verified. As state privacy laws expand and patient expectations around data transparency increase, consent management is becoming a central compliance requirement, not an optional enhancement.
6. Continuous compliance monitoring. Installing one compliant tool does not make your entire website compliant. Marketing teams add scripts, CMS plugins load third-party resources, and tag managers inject code that loads additional code. A web scanner that crawls your site on an ongoing basis can detect every cookie, script, localStorage entry, and tracking pixel across every page. It flags which scripts lack BAA coverage, which cookies are set by third parties, and which data flows are ungoverned. Without continuous scanning, you are relying on the hope that nothing changed since the last manual audit.
How VWO's Product Suite Handles Data on Healthcare Sites
VWO is not a single tool. It is a suite of products, and the compliance exposure varies based on which ones are active.
VWO Testing is the A/B testing product. It loads client-side JavaScript that reads the page, determines which experiment variant to display, modifies the DOM to render that variant, and reports results to VWO's servers. On a healthcare site, this means VWO's script observes which variants patients interact with on health condition pages, appointment scheduling flows, and service line content. The data flowing to VWO includes page URLs (which may contain condition names like /services/oncology/treatment-options), variant assignments tied to health topics, and conversion events such as "appointment booked" or "intake form submitted."
VWO Insights includes session recordings and heatmaps. Session recordings capture a reconstruction of the visitor's experience: page content, form interactions, clicks, scrolls, and on-screen text. Heatmaps aggregate click and scroll data across visitors for individual pages. On healthcare pages, recordings can capture appointment details, provider specialties, condition information, and anything else displayed on screen. Heatmaps reveal which health topics attract the most engagement. Both products operate client-side, streaming behavioral data from the visitor's browser to VWO's infrastructure.
VWO Data360 is the customer data platform component that unifies visitor profiles. It combines data from testing, recordings, heatmaps, and surveys into a single visitor record. On a healthcare site, this means VWO can build behavioral profiles that include which health condition pages a visitor viewed, what experiment variants they were shown, how they interacted with appointment forms, and what survey responses they provided. This aggregation expands the data surface area beyond what any individual product creates.
VWO Surveys collects qualitative feedback directly from visitors. If a survey runs on a healthcare page, the responses could contain self-reported health information, satisfaction with care experiences, or feedback on specific conditions and treatments.
The breadth of VWO's suite is the central compliance concern. A pure A/B testing tool creates one category of exposure. VWO combines experimentation, session replay, heatmaps, surveys, and profile unification into a single platform, all operating through client-side JavaScript. Every additional product widens the data surface area that compliance teams need to govern.
Evaluating VWO Against the Six Criteria
BAA availability. VWO does not clearly offer Business Associate Agreements for healthcare use. Without a BAA, VWO is not accepting HIPAA liability for data its JavaScript captures on your healthcare pages. Any PHI that reaches VWO's servers through testing, recordings, heatmaps, or surveys represents an impermissible disclosure.
SOC 2 certification scope. Healthcare organizations should request VWO's SOC 2 report and verify which trust criteria it covers. If the report covers only Security, the audit did not evaluate confidentiality, privacy, or data processing integrity, the criteria that matter most for healthcare data.
Data architecture. VWO's core products operate client-side. The JavaScript loads in every visitor's browser, captures behavioral data, and transmits it to VWO's servers through the browser. This is the same data flow pattern present in every major healthcare tracking enforcement case. VWO does not offer a server-side experimentation product comparable to what some competitors provide, which limits architectural options for healthcare teams.
First-party infrastructure. VWO's JavaScript loads from VWO's domains and communicates with VWO's endpoints. This creates third-party connections visible in browser developer tools and network requests that identify VWO as the destination.
Consent gating. VWO offers configuration options to control when its scripts activate, but these operate in the browser. JavaScript-based consent checks are susceptible to timing issues, ad blockers, and configuration drift. They do not provide the same guarantee as server-side consent enforcement.
Continuous monitoring. VWO does not include website scanning for unauthorized scripts or tracking technologies. Installing VWO does not tell you what other tools are running alongside it or whether those tools have BAA coverage.
VWO's Privacy Controls and Their Limits
VWO does provide some privacy-oriented features. Element masking allows you to configure CSS selectors to suppress specific page elements from session recordings. Data retention settings let you control how long VWO stores behavioral data. IP anonymization options can strip IP addresses from collected data.
These controls are meaningful, but they share a common limitation: they are configuration-based and operate client-side. Element masking requires your team to identify every sensitive element on every page and keep those selectors current as the site evolves. A new form field, a redesigned page layout, or a CMS update can expose elements that the masking rules do not cover. Anything missed gets captured and transmitted to VWO's infrastructure.
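The masking-drift problem described above can be turned into a check that runs whenever a page template changes. This is an added example, not VWO's or Ours Privacy's code; it understands only a small selector subset (tag, #id, .class, [name=value]) and the intake form is constructed.

```python
"""Coverage check for session-recording masking rules (added example, not
VWO's code). Selector subset: tag, #id, .class, [name=value]."""
from html.parser import HTMLParser

FORM_FIELD_TAGS = {"input", "textarea", "select"}


class FieldCollector(HTMLParser):
    """Collects every form field on the page together with its attributes."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in FORM_FIELD_TAGS:
            self.fields.append((tag, dict(attrs)))


def selector_matches(selector, tag, attrs):
    """Minimal matcher for the selector subset used in the masking rules."""
    if selector.startswith("#"):
        return attrs.get("id") == selector[1:]
    if selector.startswith("."):
        return selector[1:] in (attrs.get("class") or "").split()
    if selector.startswith("[") and selector.endswith("]"):
        name, _, value = selector[1:-1].partition("=")
        return attrs.get(name) == value.strip("\"'")
    return selector == tag


def unmasked_fields(html, masking_selectors):
    """Return an identifier for every field that no masking selector covers."""
    collector = FieldCollector()
    collector.feed(html)
    return [
        attrs.get("id") or attrs.get("name") or tag
        for tag, attrs in collector.fields
        if not any(selector_matches(s, tag, attrs) for s in masking_selectors)
    ]


# Constructed intake form: the masking rules were written for the first two
# fields; a later CMS update added the "symptoms" textarea nobody masked.
INTAKE_FORM = """
<form id="intake">
  <input id="patient-name" name="name" type="text">
  <input class="phi" name="dob" type="date">
  <textarea name="symptoms"></textarea>
</form>
"""
MASKING_RULES = ["#patient-name", ".phi"]
```

A non-empty result from `unmasked_fields` is the signal that a field will be recorded unmasked until the rules are updated.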
Even with perfect configuration, the absence of a BAA means there is no legal framework governing how VWO handles data that does reach its servers. Configuration-based privacy controls reduce the likelihood of exposure but do not close the legal gap.
Enforcement Cases That Illustrate the Risk Pattern
The enforcement record makes the architectural concern concrete. Since 2023, healthcare organizations have paid over $193 million in combined settlements and penalties related to tracking technologies on their websites. Every case involved standard marketing and analytics tools operating client-side.
Kaiser Permanente's case is the largest. From 2017 to 2024, Kaiser's websites, patient portals, and mobile apps used third-party tracking code that transmitted health information to Google, Microsoft, Meta, and X without member consent. The breach affected 13.4 million members and resulted in a $47.5 million class action settlement. The tools were doing what they were designed to do: observe user behavior and report it to third-party servers.
Advocate Aurora Health settled for $12.25 million after installing Meta Pixel and Google Analytics on its website, app, and patient portal to "better understand patient needs." The intent was well-meaning. The architecture was not. Approximately 3 million patients' data was exposed.
Sutter Health settled for $21.5 million after implementing Google Analytics, the Meta Pixel, and other advertising tracking tools on its MyHealthOnline patient portal. The tools tracked and disclosed private patient data to Google and Facebook without authorization.
The common thread is not the vendor name. It is the architecture: client-side code running in the browser, capturing data that includes health context, and transmitting it to servers where no BAA governs its handling. VWO's product suite operates on this same architecture, and its breadth (testing plus recordings plus heatmaps plus surveys) means it touches more of that data surface than a single-purpose tool would.
Building a Compliant Experimentation and Analytics Stack
Healthcare organizations that want to run A/B tests, analyze visitor behavior, and collect feedback have legitimate reasons to do so. The goal is not to abandon these capabilities. It is to deliver them through an architecture built for healthcare.
Server-side experimentation assigns variants on your infrastructure before the page reaches the browser. No third-party JavaScript loads. No behavioral data streams to an external server through the browser. You control what data leaves your environment and what stays. For session replay and heatmaps, server-side collection captures behavioral data on your server and gives your team control over what is recorded, how it is processed, and where it is stored before it ever leaves your environment.
Pair this architecture with consent-gated data flows that are enforced server-side, a signed BAA covering the full data pipeline, SOC 2 Type II certification across all five trust criteria, and a web scanner that continuously monitors your site for unauthorized scripts and third-party tracking. That combination addresses the six criteria outlined at the top of this article.
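To make the server-side pattern concrete, here is an added example (not code from Ours Privacy or VWO) of a request handler that assigns a variant on the server and forwards the exposure event only when consent is recorded server-side. The visitor ids, consent store, bucketing secret and in-memory event sink are constructed stand-ins.

```python
"""Server-side experiment assignment with consent-gated dispatch.
Added example, not code from Ours Privacy or VWO. Assumes a server-set
visitor id cookie and a consent store written only by our own server."""
import hashlib
import hmac

# Constructed: consent decisions as recorded by our server when the visitor
# submitted a choice; nothing here is read from a script in the browser.
CONSENT_STORE = {"v-1001": {"analytics": True}, "v-1002": {"analytics": False}}
OUTBOUND_EVENTS = []          # stand-in for the sink feeding a BAA-covered vendor
BUCKET_SECRET = b"rotate-me"  # constructed; keyed so buckets are not reproducible client-side


def assign_variant(visitor_id, experiment, variants):
    """Deterministic bucketing on the server: same visitor, same variant,
    and no experimentation script is shipped to the browser."""
    msg = f"{experiment}:{visitor_id}".encode()
    digest = hmac.new(BUCKET_SECRET, msg, hashlib.sha256).digest()
    return variants[int.from_bytes(digest[:4], "big") % len(variants)]


def dispatch_exposure(visitor_id, experiment, variant, event="exposure"):
    """Forward the event only if consent is on record server-side.
    The payload omits the page URL on purpose: paths such as
    /services/oncology/... carry health context and stay in our environment."""
    if not CONSENT_STORE.get(visitor_id, {}).get("analytics", False):
        return False  # data does not move until consent is verified
    OUTBOUND_EVENTS.append(
        {"vid": visitor_id, "exp": experiment, "var": variant, "ev": event}
    )
    return True


def render(visitor_id, path):
    """Handle one request: pick the variant before the page is built,
    report it through the gate, and return the variant to render.
    `path` is only used to build the page; it never enters the event."""
    variant = assign_variant(visitor_id, "cta-copy", ["control", "book-now"])
    dispatch_exposure(visitor_id, "cta-copy", variant)
    return variant
```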
The regulatory landscape is also moving toward stronger consent and privacy requirements. State privacy laws continue to expand, and regulators have signaled that consent management will be a central enforcement focus going forward. Building your experimentation and analytics stack on consent-gated, server-side architecture positions you for where compliance is heading, not just where it is today.
Ours Privacy provides server-side experimentation, session replay, heatmaps, and web scanning built for healthcare, with a signed BAA, SOC 2 Type II across all five trust criteria, and consent-gated data dispatch built into the architecture. If you are evaluating conversion optimization tools for patient-facing properties, start a conversation with our team.
Frequently Asked Questions
Does VWO sign a Business Associate Agreement for healthcare organizations?
VWO does not clearly offer BAAs for healthcare use. Without a BAA, VWO is not accepting HIPAA liability for data its JavaScript collects on your healthcare site. If you are considering VWO, ask explicitly whether a BAA is available, and if offered, review what data types it covers. A BAA that excludes session recordings, heatmap data, or survey responses would leave significant portions of VWO's data collection ungoverned.
Is VWO's element masking sufficient to prevent PHI capture in session recordings?
VWO's element masking lets you configure CSS selectors to suppress specific page elements from recordings. This reduces risk, but it requires your team to identify every sensitive element on every page and keep selectors current as the site changes. A new form field, a page redesign, or a CMS update can introduce elements that the masking rules do not cover. Anything missed gets captured and transmitted. Even with comprehensive masking, the absence of a BAA means there is no legal framework governing data that reaches VWO's servers.
Why does VWO's product breadth matter for HIPAA compliance?
A standalone A/B testing tool creates one category of data exposure: experiment assignments and conversion events. VWO combines testing, session recordings, heatmaps, surveys, and visitor profile unification into a single platform. Each additional product captures a different type of behavioral data, and VWO Data360 aggregates them into unified visitor profiles. On healthcare sites, this means VWO can accumulate a detailed behavioral record, including which health pages a visitor viewed, what experiment variants they saw, how they interacted with appointment forms, and what they wrote in survey responses. The wider the data surface, the greater the compliance burden.
How does VWO compare to server-side experimentation platforms for healthcare use?
VWO's testing product operates client-side: JavaScript in the browser modifies the DOM and reports results to VWO's servers. Server-side experimentation platforms evaluate variants on your server before the page reaches the browser. The visitor's browser never communicates with the experimentation vendor. This architectural difference determines whether your compliance team must trust that client-side JavaScript will not capture PHI (the pattern behind $193 million in healthcare settlements) or whether you control the data pipeline entirely from your own infrastructure.
What should I do if VWO is already running on my healthcare website?
Start by identifying which VWO products are active (Testing, Insights, Data360, Surveys) and on which pages they run. Assess what data has been flowing to VWO's servers and whether any of it could constitute PHI. Document the scope of exposure and consult your compliance team about whether the historical data flow requires further analysis. Then evaluate whether to migrate to a server-side architecture or implement additional safeguards. Use a web scanner to detect VWO scripts and any other unmonitored third-party code across all your web properties. Prioritize patient-facing pages, appointment scheduling flows, and any pages where health conditions or treatment information appears.
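A minimal static scanner of the kind criterion 6 and this answer call for, as an added example (not a product's code): it lists script, image and iframe loads, plus hosts referenced from inline scripts, that are neither first-party nor on a BAA-covered allowlist. The page and hostnames are constructed placeholders.

```python
"""Static scan of one page for third-party loads not covered by a BAA.
Added example, not a product's code; all hostnames are constructed."""
import re
from urllib.parse import urlparse

# Tags whose src attribute triggers a network request to another host.
SRC_TAG = re.compile(r"<(script|img|iframe)\b[^>]*\bsrc=[\"']([^\"']+)", re.I)
# Inline scripts (no src) may inject further loads, as tag managers do.
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)
INLINE_URL = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def is_first_party(host, site_domain):
    return host == site_domain or host.endswith("." + site_domain)


def scan_page(html, site_domain, baa_covered):
    """Return (kind, host) for every external load that is neither
    first-party nor on the allowlist of vendors with a signed BAA."""
    findings = []
    for tag, src in SRC_TAG.findall(html):
        # Relative paths have no host and are first-party by construction.
        host = (urlparse(src if "://" in src else "https:" + src).hostname or "").lower()
        if host and not is_first_party(host, site_domain) and host not in baa_covered:
            findings.append((tag.lower(), host))
    for body in INLINE_SCRIPT.findall(html):
        for host in INLINE_URL.findall(body):
            host = host.lower()
            if not is_first_party(host, site_domain) and host not in baa_covered:
                findings.append(("inline-script", host))
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


# Constructed page: one vendor tag, one pixel, and an inline loader that
# pulls a second script at runtime.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.hospital.example/ui.js"></script>
<script async src="//vendor-tag.example/optimize.js"></script>
<script>var s=document.createElement('script');s.src='https://pixel.adnet.example/p.js';</script>
<img src="https://pixel.adnet.example/i.gif" width="1" height="1">
</head></html>"""
```

Run it across every crawled page and diff the findings against the previous run to catch scripts that appear between audits.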