Question 1

What is a HIPAA site scanner?

Accepted Answer

A HIPAA site scanner is a tool that loads a healthcare website the way a real visitor does, then checks every network request, cookie, and storage write against a catalog of tracking technologies (advertising pixels, analytics tags, session-replay tools, B2B identity vendors). It flags any tracker that could transmit Protected Health Information (PHI) to a third party that does not sign a Business Associate Agreement (BAA), which is the most common cause of HIPAA tracking-tech enforcement actions.

Question 2

Is this HIPAA scanner really free?

Accepted Answer

Yes. The Echo-Factory HIPAA Site Scanner is free to use, with no login required. Enter a URL, get a full report in seconds. We provide it because most healthcare organizations don't realize their public website and patient portal pages are sharing visitor behavior with platforms like Meta, Google, TikTok, and LinkedIn.

Question 3

What trackers does the scanner detect?

Accepted Answer

The scanner detects 120+ tracking technologies, including Meta Pixel (Facebook), Google Analytics, Google Ads, TikTok Pixel, LinkedIn Insight Tag, Snap Pixel, Pinterest Tag, X (Twitter) Pixel, Microsoft Clarity, Hotjar, FullStory, Mouseflow, Amplitude, Mixpanel, Segment, HubSpot, and dozens of programmatic ad networks. Each detected tracker is rated critical, high, medium, or low risk based on what data it transmits and whether the vendor will sign a BAA.

Question 4

Is the Meta Pixel HIPAA compliant?

Accepted Answer

No. Meta does not sign Business Associate Agreements (BAAs) for the Meta Pixel, and the pixel transmits page URLs, button clicks, and user identifiers back to Meta by default. On healthcare pages this regularly captures appointment flows, condition pages, and provider details, which is the exact pattern HHS-OCR has cited in enforcement actions. The Meta Pixel has been named in 20+ healthcare privacy settlements totaling more than $96 million.

Question 5

Is Google Analytics HIPAA compliant?

Accepted Answer

No. Google does not sign BAAs for Google Analytics. GA4 collects IP addresses, page URLs, and user interactions; on healthcare pages, URLs and event names regularly leak condition or appointment context, which OCR considers PHI when combined with IP. Google Analytics has been named in 11+ healthcare tracking-tech settlements. The mitigation path is server-side GA4 with IP anonymization and a PHI-scrubbing proxy.

Question 6

How do I check if my hospital website is HIPAA compliant?

Accepted Answer

Start with an automated scan: enter your URL into the Echo-Factory HIPAA Site Scanner. It will load the page in a real browser, capture every tracker that fires, and rate each one against a HIPAA risk catalog with corresponding settlement history. Then have a compliance professional review the report. Automated tools can flag the trackers, but the question of whether a specific URL constitutes PHI disclosure under your circumstances is a legal judgment.

Question 7

Do I need to install anything to use the scanner?

Accepted Answer

No. The scanner is fully web-based. Enter a URL and the scanner loads the page on our infrastructure using a real headless browser, captures the network and cookie activity, and returns a full report. Nothing is installed on your site or your computer.

HIPAA Site Scanner

Is your hospital
website sending PHI to
Facebook?

Getting started…

That one didn’t work.

This site is shielded from automated tools.

Have us run it for you

Scan it yourself in ~30 seconds advanced