Protecting Patient Data.
Building Trust.
Our platform meets stringent HIPAA standards to safeguard PHI and ensure the privacy and security your patients deserve.
We follow HIPAA Privacy, Security, and Breach Notification Rules to keep your data protected.

HIPAA COMPLIANCE FOR MEDICAL PRACTICES
We help medical practices uncover hidden compliance risks across their websites, servers, and tracking stack, before the OCR, plaintiffs' lawyers, or patients do.



Not sure if your practice is actually compliant in 2026?
Most practices we audit are leaking PHI without knowing it through outdated pixels, persistent ad-platform identifiers, contact-form vendors with no BAA, and portal hand-offs that carry marketing cookies into the patient experience.
Most medical practices are quietly out of compliance, and don't know it.
The OCR's tracking-technology guidance still applies on the highest-risk surfaces, the 2026 Security Rule update is pending, and class-action plaintiffs are not waiting either. After auditing medical sites, the same patterns show up almost every time.
The CID problem
PERSISTENT IDENTIFIERS
GA4 sets a Client ID cookie (_ga) that persists about two years. Meta sets _fbp on first visit and persists about 90 days. Both bind to the browser, not the session. A patient lands on your homepage, the trackers fire, then they navigate to your portal. Even if the portal has no tags, the cookies are already set and can be joined back to identified patient activity later through Conversions API, Advanced Matching, or remarketing audiences.
Tracked page to portal
CROSS-CONTEXT LINKING
Most of the medical practices we audit run Meta Pixel and GA4 on their homepage, service pages, and 'find a doctor' or 'book an appointment' pages. When a visitor clicks through to the patient portal on the same eTLD, the tracking identifier from the marketing site travels with them. That is the connection HIPAA cares about, not whether the portal itself has trackers.
Contact pages
MAILTO, FORMS, AND COMMENTS
Posting a practice email as a mailto link, accepting free-text 'comments' on a generic contact form, or routing intake through a vendor that has not signed a BAA all create the same exposure. Patients use those channels to send PHI by default, and the email server, form vendor, or hosting platform on the receiving end is rarely covered.
Class actions
$135M+ IN SETTLEMENTS
Hospital and medical practice tracking-tech settlements have exceeded $135M since 2023, including MarinHealth ($3M) and Pomona Valley ($600K), with the In re Meta Pixel Healthcare MDL still active. Plaintiffs are using HIPAA-as-standard-of-care, federal wiretap statutes, and state laws like California CIPA. The OCR enforcement angle is one risk; the private class action is another.
Patterns observed across audits of medical practice websites. Not legal advice. We partner with your attorney and Privacy Officer to confirm findings and define remediation scope.
WHAT WE AUDIT
A complete picture of your digital exposure
Compliance is not just a policy binder. It is every line of JavaScript on your site, every cookie your browser sets, every vendor in your stack, and every form your patients fill out. We map all of it.
Meta Pixel & Ad Tracker Audit
Forensic scan of every Meta, TikTok, LinkedIn, and ad-platform tracker firing on your site. Pages, payloads, BAA status, and persistent identifier behavior.
Google Analytics G4 Review
GA4 sends IP, user-agent, and full URLs by default, and the _ga Client ID persists ~2 years. We audit configuration, IP handling, server-side options, and event payloads.
Cross-Context Linking & CID Audit
We trace persistent identifiers (GA4 _ga, Meta _fbp/_fbc) from your marketing pages through to your portal and intake forms, and find every place a browser can be re-bound to an identified patient.
Tag Manager & Consent Layer Audit
GTM containers, cookie banners, and consent platforms reviewed for proper firing rules, real consent gating, and a documented data-flow map your compliance officer can hand to counsel.
Third-Party Script Inventory
Chat widgets, schedulers, review tools, heatmaps, session recorders, A/B tests. Every external script inventoried, classified by data exposure, and matched against your BAA library.
Every pixel, tag, and persistent identifier on your site, mapped against where PHI lives and which vendors have a BAA.
OUR AUDIT PROCESS
Find it, fix it, keep it that way.
A defensible, documentable, four-stage process designed to give your compliance officer and attorney exactly what they need.

OUR AUDIT PROCESS
Find it, fix it, keep it that way.
WEEK 1
Discover
We start with a non-intrusive, read-only scan of your public website, server stack, and connected vendors. No logins required, no disruption to operations.
- • Full tracker & script inventory
- • Vendor & data-flow mapping
- • Hosting & TLS configuration scan
WEEK 2
Identify
Each finding is classified by severity and mapped to the specific HIPAA rule, OCR guidance, or proposed Security Rule provision it implicates.
- • Risk-prioritized findings report
- • Regulatory mapping
- • BAA gap analysis
WEEKS 3 TO 6
Remediate
We fix what falls in our scope (tracking, web, forms, vendor swaps), and coordinate with your IT or EHR partners on anything that does not.
- • Pixel & GA4 reconfiguration
- • Vendor migration
- • Consent layer & banner remediation
ONGOING
Monitor
Compliance drifts the moment a new tool, plugin, or marketing tag gets added. Our continuous monitoring re-scans your site and alerts you.
- • Continuous tracker monitoring
- • Quarterly re-audits
- • Real-time drift alerts
WHAT YOU GET
Deliverables your compliance
officer can actually use
Audits without action are paperwork. Every Edumyze HIPAA engagement ships a complete document set, ready to drop into your risk register and hand to counsel.

Executive Risk Summary
A one-page risk overview your Privacy Officer can hand straight to the board.

Tracker & Vendor Inventory
Every pixel, tag, cookie, and third-party vendor mapped to BAA status and remediation.

Findings Report
Each finding with severity, regulatory citation, evidence, and a specific remediation step.

Data-Flow Diagram
Visual map of how patient data moves from your site through every system in your stack.
What's changed, what's proposed, and where your practice is exposed
The regulatory picture in 2026 is mixed. Some rules are in effect, others are still proposed, and the highest-volume risk (private class action) does not wait for either. Here is how each piece shows up in our audits.
The persistent identifier problem most practices have not solved.
This is the issue that drives the largest share of current healthcare class actions, and the one we see most often in audits. A patient lands on your homepage with Meta Pixel and GA4 firing. The Pixel sets _fbp (about 90 days), GA4 sets _ga (about two years), both scoped to the browser. The visitor then clicks through to the patient portal on the same eTLD. Even if the portal page itself has no trackers, those persistent identifiers are already on the browser. Later, when the practice sends a hashed email through Meta Conversions API, or runs Advanced Matching, or builds a remarketing audience, the previously anonymous browser history (including the visit to the marketing page that signaled a health interest) can be joined back to an identified person.
The cookie does not have to fire on the portal
The cookie just has to exist on the browser when the user later identifies themselves. That makes the marketing page tracker, not the portal, the moment of compliance failure.
CAPI and Advanced Matching are the bridge
Server-side conversion APIs hash email and phone server-to-server and rebind to the existing browser cookie. Most ad-platform 'health vertical' configurations use this by default.
Domain separation matters more than tag removal
Moving the portal to a different eTLD (mychart.example.org vs example.com) and using a stricter cookie scope reduces the linking surface even if the marketing site continues to run analytics.
Summary provided for educational purposes only and is not legal advice. The Security Rule update referenced above is proposed and has not yet been finalized. Confirm current regulatory obligations with qualified healthcare counsel and your designated Privacy/Security Officer.
Why Medical Practices Choose Edumyze
The audit is only as good as what you can do with it.
We've spent years auditing and building the marketing and tech stacks that medical practices actually run on. That practical, hands-on perspective is what makes our HIPAA digital audits actionable instead of academic.

Built by digital, not by lawyers
We are a digital agency that audits the technical surface (pixels, tags, hosting, forms). We work alongside your healthcare counsel and Privacy Officer rather than replacing them.
Independent of the platforms we audit
We do not resell Meta Ads, Google Ads, or any analytics platform in a way that creates a conflict. Our findings are not softened by what we sell.
Compliance-officer-ready deliverables
Every finding is documented with the regulatory citation, severity, evidence, and recommended remediation, formatted to drop into your compliance file or risk register.
We coordinate with your IT and EHR
Most remediations need cooperation across your IT vendor, EHR provider, and marketing tools. We run that coordination so your in-house team is not stuck quarterbacking.
Start with a free 30-min digital risk review
Tell us about your practice. We'll do a free no-touch scan of your public site, share what we find, and walk you through whether a full audit makes sense. No obligation.
Please do not include any PHI (patient identifiers, conditions, etc.) in this form. We will coordinate a secure channel and BAA before discussing patient-specific information.
Request Your Risk Review
Tell us about your practice and what's on your radar. We respond within 4 business hours.
A confidential first conversation
No PHI, no commitment, just clarity.
Email Us
hello@edumyze.com
Response within 4 business hours
Sales
Limited Audit Slots
We take on a small number of medical practices per quarter. Send a note to check fit.
Office for Meetings
10009 Mount Tabor Rd Odessa, MO 64076-6109
Serving medical practices nationwide
What happens after you submit
• We run a free, no-touch scan
Only your public website. No credentials. No production systems touched.
• 30-minute walkthrough of findings
We share what we found and what it likely means under the current and proposed rules, in plain English.
• You decide what's next
Full audit, targeted remediation, ongoing monitoring, or just keep the report. No pressure.
