Marketing Analytics for healthcare
From a compliance headache to confident HIPAA-safe marketing in no time
Custom BAA, HIPAA-certified infrastructure, and guided onboarding – your path to compliance and higher marketing ROI starts here.
US hosting
SOC 2 Type II
ISO 27001




Most marketing analytics tools weren’t built for healthcare
Forcing them to work in a HIPAA environment means constant workarounds – hours spent on compliance fixes, and data gaps that make every decision harder. Piwik PRO was built to end that – so you can get up and running quickly, with complete HIPAA-compliant analytics insights and a platform your marketing team can run on their own.
Everything your legal team needs to say yes
Custom BAA, HIPAA-certified infrastructure, and built-in privacy safeguards – so your legal team can sign off with confidence.
256-bit AES encryption at rest and in transit
HIPAA-compliant Azure hosting in the US
Secure PHI collection and data anonymization
Complete data on patient acquisition
A full picture of which channels and campaigns are driving patient appointments. Get the attribution accuracy and data activation tools to turn those insights into action.
Full patient journey from search to appointment
98% attribution accuracy
Data activation capabilities
First insights in days, not months
Piwik PRO is designed to get your team up and running fast – with a familiar interface, dedicated implementation, and ongoing support to answer any questions along the way.
Marketer-friendly interface
Dedicated implementation & ongoing support
Free training resources

“I really liked how intuitive, easy, and familiar Piwik PRO felt compared to other platforms. We’re a small in-house team, so not having to onboard into a new platform that would require a very steep learning curve was very helpful for us.”
Chris Walker
Director of Digital Strategy and Marketing, Shepherd Center
Complete, HIPAA-safe marketing data – in an interface your team can use without calling IT

HEALTHCARE WEBSITE TRACKING REPORT 2026
Are healthcare companies one audit away from a compliance crisis?
Across 59 US hospital websites we examined, 73% kept firing advertising trackers even after visitors actively opted out of tracking. The fix is an analytics and marketing setup built for HIPAA from the start, not a workaround bolted onto tools that were never designed for it. Read our report and learn what that setup actually looks like.
Find out what HIPAA-compliant analytics looks like for your organization
Hospitals & health systems
Track which channels and campaigns drive patient appointments across service lines – and finally have the numbers to back it up in your next leadership meeting.

Telehealth platforms
See exactly where patients drop off between symptom search and completed virtual visit – and fix it, without compromising on compliance.

Healthcare education
Track which channels drive applications, enrolments, and CME completions while meeting both FERPA and HIPAA requirements across every touchpoint.

Pharmaceutical
Measure how your disease awareness campaigns and patient support programs are really performing across HCP portals, patient education sites, and apps. Accurately, and compliantly.

What changes when healthcare marketers have data they trust
40%
Rise in online patient referrals
Shepherd Center
215%
Increase in page views
Shepherd Center
98%
Last-click attribution accuracy
Platform benchmark
Shepherd Center was using Google Analytics – which meant compliance risk and incomplete data. After switching to Piwik PRO, they got the full picture of what was driving patient acquisition and grew patient referrals by 40%.
Rochester Regional Health needed to replace Google Analytics with a platform suitable for managing patient data. With Piwik PRO, they got complete behavioral data across all their digital channels – and used it to grow their website traffic.
Analytics, tag management, and data activation – built to work together, under one BAA
Analytics for healthcare
Get the complete picture of your patient acquisition funnel, SEO performance and more. Confidently attribute traffic and conversions, and learn what drives your ROI.

Tag Management – Collect & control
Deploy and manage your marketing tags safely – with controls that ensure that your tags and pixels fire in a HIPAA-compliant way.

Data Activation
Turn patient behavioral data into targeted email marketing campaigns, content recommendations and more. All inside an integrated HIPAA-compliant environment.


“There wasn’t any other option on the market that allowed us to capture all the data we wanted and ensure it was HIPAA-compliant.”
Tyler Pierce
Manager, Digital Engagement, Rochester Regional Health
Your path to HIPAA-compliant marketing analytics
A repeatable, guided process – so you know what to expect from day one.
Sign your BAA
A customized BAA is prepared and signed before any data collection begins.
Guided setup
Your dedicated implementation specialist sets up the platform and onboards your team.
First insights
Your team gets access to accurate, HIPAA-safe marketing analytics data.
Optimize & activate
You start making real improvements with complete, compliant insights behind every decision.
Resources on HIPAA-compliant analytics
-
HIPAA-compliant analytics for healthcare systems: How hospital marketing teams can measure what matters
Patients now research symptoms, compare providers, and book appointments entirely online before ever contacting a hospital. Healthcare marketers need to adapt to digital-first patient journeys, run campaigns for numerous service lines, manage hospital marketing analytics across multiple locations, and prove ROI to administrators. For nonprofit hospitals, the picture is broader still — donation tracking is…
-
4 ways to make your analytics HIPAA-compliant: Implementation guide
Healthcare organizations have four main approaches to achieving HIPAA-compliant analytics. Each has different trade-offs in cost, technical complexity, and analytics capabilities. This guide compares all four implementation methods – from using Google Analytics with workarounds to deploying fully HIPAA-compliant analytics platforms – so you can choose the right approach for your organization’s needs and resources.
-
Is Google Analytics HIPAA-compliant?
If you use Google Analytics or similar software, you’re likely already optimizing your website to serve your customers better. But what about Google Analytics and HIPAA compliance? In short – if you’re a HIPAA-covered entity, using GA4 puts you at serious risk of a HIPAA breach. Google states that Google Analytics doesn’t satisfy HIPAA requirements. And…
-
HIPAA-compliant marketing & advertising: How to run compliant campaigns in healthcare
Healthcare organizations deal with tons of sensitive information concerning people’s health. It needs to be handled with proper care. In the US, safe parameters for using this kind of data in different contexts, including marketing, are set by HIPAA. Unfortunately, many companies are still unaware of the provisions of the law and the potential consequences…
-
PHI vs PII in HIPAA: Healthcare marketing compliance guide
Personally identifiable information (PII) and protected health information (PHI) may seem similar. However, there are critical distinctions between the two. While PII is a catch-all term for any information that can be associated with an individual, PHI applies specifically to HIPAA-covered entities dealing with identifiable patient information. Keeping HIPAA compliant and protecting patient information requires…
-
A review of HIPAA-compliant analytics platforms
As a healthcare organization subject to HIPAA, you’re walking a fine line when trying to improve the patient experience and ensure your activities are HIPAA-compliant. Vendors have been adjusting to the shifting privacy-oriented analytics landscape and their clients’ expectations. Many of them change their offers accordingly. At the same time, the dominant analytics vendors are…
Frequently asked questions (FAQ)
Who must follow HIPAA requirements?
The HIPAA rules apply to any individual or organization that meets the definition of a covered entity as stated in HIPAA guidelines.
Covered entities include:
- Health plans – for example, health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
- Healthcare providers that conduct certain business electronically, such as electronically billing your health insurance – including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
- Health care clearinghouses – entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
Beyond covered entities, the following must adhere to HIPAA:
- Business associates
- Subcontractors
- Hybrid entities
- Researchers
A business associate can be an individual or company that provides services to a HIPAA-covered entity that requires them to have access to, store, use, or transmit protected health information. Generally, an analytics vendor will be a business associate.
What is PHI and ePHI under HIPAA?
PHI and ePHI is a subset of personally identifiable information (PII) that refers explicitly to information processed by HIPAA-covered entities. When health information is combined with a personal identifier, the data becomes PHI.
Examples of health information include:
- Medical test results
- Prescription or treatment records
- Billing information
- Appointment scheduling information
When health information is combined with a personal identifier, the data becomes PHI.
The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers:
- Name
- All geographic subdivisions smaller than a state (street address, city, county, zip code)
- Dates, including birthdate, admission date, discharge date, and date of death
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary numbers
- Account number
- Certificate/license number
- Vehicle identifiers and serial numbers, including license plate number
- Device identifiers and serial numbers
- Web URL
- IP address
- Biometric identifiers, including fingerprints and voice
- Full face photo
- Any other unique identifying number, characteristic, or code
This means that not all health information acquired by organizations is considered PHI. For example, phone numbers and residential addresses alone are not PHI. But this data will be considered PHI if it includes health information about an individual’s condition, the treatment of that condition, or the payment for the treatment. It also must be transmitted and maintained in any form by a covered entity.
Specific examples of PHI and ePHI include:
- Information your doctors, nurses, and other health care providers put in your medical record.
- Conversations your doctor has about your care or treatment with nurses and others.
- Information about you in your health insurer’s computer system.
- Billing information about you at your clinic.
Importantly, PII collected on a covered entity’s website or app is considered PHI even if the individual does not have an existing relationship with the entity or the PII does not include specific treatment or billing information. When a covered entity collects such information, it is indicative that the individual has received or will receive health care services or benefits from it.
Why is HIPAA compliance crucial for healthcare marketing?
By ensuring your analytics and marketing activities are HIPAA-compliant, you protect patient trust, prevent costly violations (which can result in hefty fines and lawsuits), and give you a competitive advantage over non-compliant organizations. It also ensures you can safely leverage patient data for better marketing outcomes.
Health information is a special category of personal information because it contains details about users’ conditions that they may not want to disclose. Protecting the privacy of health-related data helps you maintain the trust of individuals whose information you are processing.
Neglecting users’ rights related to HIPAA can negatively affect your business and have a long-lasting impact on how patients view your organization. Since HIPAA is a standard that must be followed by many organizations similar to yours, the lack of compliance can make you lose business to your compliant competitors. Not to mention that any covered entity that violates HIPAA regulations can face civil action lawsuits, criminal charges, and hefty monetary penalties.
How can you stay compliant with HIPAA?
HIPAA makes covered entities responsible for complying with a number of rules – the Privacy Rule, Security Rule, Breach Notification Rule, Enforcement Rule, and Omnibus Rule. The first three rules are particularly important.
The Privacy Rule provides federal standards to protect the privacy of PHI – particularly, it:
- Limits how covered entities may use and disclose individually identifiable health information they receive or create.
- Gives individuals rights concerning their protected health information, including a right to review and obtain a copy of their medical records and the right to ask covered entities to amend the information if it is inaccurate or incomplete.
- Imposes administrative requirements for covered entities, such as training of employees concerning the Privacy Rule.
- Establishes civil penalties.
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect ePHI. Specifically, they must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.
- Perform risk analysis as part of their security management processes.
The Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured protected health information.
How can you stay compliant with HIPAA?
You must apply a few safeguarding practices while collecting and processing data online. Some requirements you must fulfill include:
- Establish a business associate agreement (BAA) with every platform you use for marketing, advertising, and analytics and any other business associate. Otherwise, you cannot disclose PHI to that vendor without the individuals’ authorization.
- Address the use of analytics and other data platforms in your risk analysis and management processes.
- Implement administrative, physical, and technical safeguards – such as encrypting PHI transmitted to the analytics vendor and enabling and using appropriate authentication, access, encryption, and audit controls when accessing PHI maintained in the analytics platform infrastructure.
- Work with vendors that support values such as privacy by design to fully control and understand what data you collect, store, and transfer.
- Remove all 18 identifiers from PHI. Once the data is impossible to trace back to one individual, it is no longer PHI and no longer has protection under HIPAA.
Note: De-identification of PHI is not necessary with Piwik PRO – you can sign a BAA and send the desired PHI.
You need to carefully select an analytics vendor that would allow you to achieve HIPAA compliance – for example, don’t forget that Google Analytics is not HIPAA compliant.
You must either make an extra effort to avoid passing any trace of PHI to your analytics or switch to an analytics platform that will help you process patient data with the proper safeguards.
Learn more about making your analytics HIPAA-compliant from this post: 4 ways to make your analytics HIPAA-compliant: Implementation guide.
What’s included in your HIPAA-compliant analytics and data activation platform?
You get integrated analytics, tag management and data activation, all accessible through one interface with HIPAA-compliant features.
How does the business associate agreement (BAA) work?
We provide a BAA tailored to your needs, regardless of your hosting option. A BAA establishes clear responsibilities for PHI protection, ensures joint compliance, and enables you to safely collect and analyze patient data without de-identifying it.
HIPAA certification proves that Piwik PRO Analytics Suite is a verified solution for customers whose policies mandate partnering exclusively with HIPAA-compliant vendors. This certification demonstrates our commitment to ensuring a HIPAA-compliant analytics suite safeguarding Protected Health Information (PHI).
How do you protect patient data?
We use 256-bit AES encryption for data at rest and in transit, HIPAA-compliant Microsoft Azure hosting in the US, comprehensive audit logs, advanced user permissions, and secure backup storage. We never share your data with third parties or use it for other purposes.Note: De-identification of PHI is not necessary with Piwik PRO – you can sign a BAA and send the desired PHI.You need to carefully select an analytics vendor that would allow you to achieve HIPAA compliance – for example, don’t forget that Google Analytics is not HIPAA compliant.You must either make an extra effort to avoid passing any trace of PHI to your analytics or switch to an analytics platform that will help you process patient data with the proper safeguards.
Can I control what happens with my data?
Yes, you maintain 100% control over your data. You can disable IP address collection, limit PHI in URLs, set granular access controls, and decide exactly what patient data you collect and how it’s used without privacy concerns.
Do I need to de-identify patient data?
You can but don’t have to de-identify PHI with Piwik PRO. A signed BAA allows you to work with complete patient data safely, providing deeper insights than competitors that require you to strip all identifiers before sending data to their platforms.
How does Piwik PRO compare to Google Analytics?
Google Analytics does not offer a BAA and is not HIPAA-compliant. Using it puts healthcare organizations at serious risk of regulatory violations and loss of patient trust. Piwik PRO provides the familiar analytics experience you’re used to, with full HIPAA compliance, a BAA tailored to your needs, and the ability to work with actual patient data rather than anonymous or fragmented information.
How does Piwik PRO compare to Freshpaint?
Freshpaint works as a data filter – it sits between your website and marketing tools like Google Analytics, stripping PHI before it’s passed on. This prevents compliance violations, but it also means your analytics are based on incomplete data from the start.
Piwik PRO takes a different approach. Instead of filtering data before it reaches third-party tools, it keeps all data – including sensitive patient information – within its own platform. Because PHI never gets shared with outside vendors, there’s no need to strip it. A signed BAA provides the legal framework to work with complete patient data safely and compliantly. The result is fuller, more accurate insights without the compliance tradeoffs that come with filtering-based solutions.






