
HIPAA Compliant Marketing and Analytics Tools

As marketers in the healthcare industry, we walk a fine line: offering personalized and helpful digital experiences to patients while also ensuring our tactics are HIPAA compliant. As an agency that specializes in helping our clients in the healthcare space improve their digital marketing and analytics practices, we have deep experience with sourcing and testing tools. We thought it would be helpful to aggregate a list of the favorite tools that we find ourselves leveraging time and time again.

Note: Currently there is no official training or certification for HIPAA compliance. At Hedy & Hopp, all of our employees go through HIPAA BAA training during their first week of employment (along with Google Analytics certification) to make sure every team member understands the fundamentals when dealing with PII and PHI. Our training platform of choice is

Some of our favorite tools:

Website Analytics:

  • Google Analytics: Though many more robust analytics platforms exist, Google Analytics is still the primary platform used in healthcare (and honestly, for most industries). While there are some potential compliance issues when the tool is used “out of the box,” it can easily be modified to meet HIPAA compliance by ensuring you are not collecting any PHI. Note: once website traffic hits certain levels, you will need to upgrade to Google Analytics 360 to avoid getting “sampled” data. Again, certain changes must be made to ensure HIPAA compliance.

User Experience Optimization:

  • VWO: Visual Website Optimizer is the choice here when it comes to HIPAA compliance. Though we love Lucky Orange and Optimizely for non-PHI situations, VWO has great instructions to collect qualitative data about patients’ usage of a website and run A/B tests to improve your site’s conversion rate. Learn more about how to make your VWO account compliant here.

Business Intelligence and Data Storage/Management tools:

  • Power BI: Microsoft’s business intelligence tool is already included in Microsoft’s 365 business suite, so it’s our first go-to tool of choice for many of our clients because there is no cost. Especially for clients new to BI, we believe it’s better to spend the money you would have spent on a more costly tool like Tableau on training your employees and making sure your data is clean and accurate! It’s a perfect fit: there are no additional charges, you don’t have to get a new tool, and it’s HIPAA compliant.
  • Google BigQuery: Google BigQuery is our data warehouse of choice. Before we push data from all of our different sources into a business intelligence tool, we combine them in BigQuery to make joining, scrubbing, and normalizing the data a little easier. That way, when we import the data into a business intelligence tool like Power BI, we can hit the ground running with the fun part: visualizing and analyzing data!
    Note: Google has clear instructions on how to identify a need for a BAA and their process online. If you’re in healthcare, take the time to read this page and execute the BAA if you’re leveraging Google products for any PHI.
  • Amazon Redshift: Redshift is a data warehouse like BigQuery. Though it is not HIPAA compliant “out of the box,” like many other AWS services, it is HIPAA eligible and can be configured to comply with HIPAA regulations. To do this, organizations need to review user permissions, ensure a log is kept of who accesses Redshift and when, and ensure that the data stored in Redshift is encrypted properly.

Call Tracking/Attribution:

  • CallRail: We are big fans of CallRail and help many of our clients become customers and implement this tool. It dynamically changes the phone number in marketing campaigns/websites so when a prospective patient calls, the marketing source that drove the call (Google Ads, Facebook, email, etc.) gets credit. This is an area that could be a huge compliance issue because the entire call is tracked (which could be the patient calling to make an appointment), so ensuring you have the HIPAA version enabled is essential. Note: they also have a new product for form submissions.

Patient texting/messaging platforms:

  • MedChat: MedChat is a sophisticated chatting and messaging tool that leverages AI and machine learning to improve the chatting experience for patients. It specializes in two-way texting, chatting on a website, and automations such as appointment reminders. The entire system was built with HIPAA in mind, so it’s perfect for healthcare.

Polling and Research tools:

  • SurveyMonkey: Need to send a questionnaire out to patients or potential patients to collect data or conduct a survey? SurveyMonkey is your tool — the user interface is very intuitive and, best of all, it’s HIPAA compliant so it can be used to collect all types of data.

Manage location listings, online reviews, social media:

  • has an excellent platform to manage all of your location and physician profiles in one interface. Update and push out changes to bios, secure patient reviews, manage social media, and much more, all in a HIPAA compliant version. We’ve used this platform to get assets organized and distributed for one of the largest healthcare systems in the country, and it is a lifesaver when you’re working with hundreds of data points.

Appointment Setting/Management Platform:

  • InQuicker: A scheduling tool made specifically for the healthcare industry, InQuicker has a smooth user interface, but you can also leverage their API to integrate appointment setting functionality directly within your own website and customer experience. The platform also lets you tag their confirmation pages with Google Analytics tags so you can accurately confirm conversion rates of patient acquisition campaigns.

Form Submissions:

  • CallRail: We already mentioned CallRail above (in the call tracking section), but it’s worthwhile to mention again in this section, as they recently rolled out form submission tracking tools. If you’re also doing call tracking (you likely should be!), it’s great to streamline tools and have both in the same interface.
  • FormStack: FormStack has healthcare-specific form templates ready to go, so whether you’re setting up a form for lead generation, patient acquisition or even equipment ordering, it’s a great resource.

A final note: Even if you are using the best tools, it’s important to audit access to these tools on a regular basis. Who has login capability and why? Remove access for any non-essential employees and have plans in place to audit access immediately if required. Also, making sure all members of your marketing team have received training to identify PHI and feel comfortable raising potential issues is a really important step. Your legal department is likely focusing most of their attention on the clinical side of the business, so take steps to clean up the marketing and analytics tools before they become an issue.



About the Author

Jenny Bristow is the CEO and Founder of Hedy & Hopp. Prior to starting Hedy & Hopp, Jenny launched, grew and sold a digital agency in Seattle and worked at Amazon. She was named one of St. Louis Business Journal’s 30 under 30, won a Stevie Award for Female Entrepreneur of the Year in 2018 and speaks regularly at healthcare marketing industry events.
