Most marketing agencies have never read the HIPAA Privacy Rule. Most have never signed a Business Associate Agreement. Most do not know what counts as protected health information once a website visitor becomes a lead. If your practice works with a generalist marketing agency, there is a real chance your patient data is being handled in a way that creates legal exposure for you, not for them.
Here are five specific signs your current marketing partner does not understand HIPAA, and what each one actually costs your practice.
Red Flag One: They Have Never Mentioned a Business Associate Agreement
A Business Associate Agreement, often called a BAA, is a legal contract required any time a vendor handles protected health information on your behalf. If your marketing agency manages your website forms, your patient intake process, your email campaigns, or your appointment scheduling, and they have never brought up a BAA, that is the first and clearest sign they do not understand healthcare compliance.
This is not a minor paperwork issue. Without a signed BAA, your practice is liable if that vendor mishandles patient data, even if the mishandling happens entirely on the vendor’s end. The Office for Civil Rights does not care that your marketing agency was the one who installed a non-compliant tracking tool. The fine comes to you.
Red Flag Two: They Installed Tracking Pixels Without Asking What Happens to the Data
Standard retargeting pixels, the kind used by countless ecommerce and consumer brands, capture user behavior and send it directly to advertising platforms. On a medical or dental website, this means a visitor’s interest in a specific condition, treatment, or symptom page can be transmitted to a third party without a compliant data use agreement. This is precisely the kind of exposure we identified and remediated for MDPerio after their previous offshore agency installed exactly this kind of tracking. Read the full MDPerio case study for what that remediation looked like.
If your agency has never asked what platform your tracking pixels send data to, or whether that platform is HIPAA compliant, assume the answer is that nobody checked.
Red Flag Three: Your Intake Forms Are Not Encrypted
A contact form that asks for a name and a general inquiry is low risk. A form that asks about symptoms, medical history, current medications, or insurance details is collecting protected health information. If that form submits over a non-encrypted connection, stores responses in a non-compliant database, or emails responses in plain text, the practice is exposed every time a patient fills it out.
Ask your agency directly: where does the data from our intake forms go, and is that storage location HIPAA compliant? If they cannot answer immediately and specifically, that is a red flag.
Red Flag Four: They Talk About Compliance Only When You Bring It Up
A healthcare marketing specialist leads with compliance. It is the first conversation in any new engagement, before strategy, before content, before a single keyword is targeted. A generalist agency treats compliance as an afterthought, something to address if the client asks, rather than something built into the foundation of every campaign.
If compliance has never come up unprompted in your relationship with your current agency, that silence is informative. It usually means nobody on their team is thinking about it at all.
Red Flag Five: Your Content Was Written by Someone Who Does Not Understand Your Specialty
This is not strictly a HIPAA issue, but it travels with the same root problem: an agency that does not understand healthcare will not understand the regulatory and clinical nuance your practice requires. Content that misrepresents a procedure, makes an unsubstantiated medical claim, or fails to include appropriate disclaimers creates both a compliance risk and a credibility problem. Patients researching a procedure can tell within seconds whether the content was written by someone with real clinical knowledge.
If your blog posts and service pages read like they could apply to any industry with minor word substitutions, that is the same lack of specialization that leads to compliance blind spots elsewhere.
What This Costs You
HIPAA violations are not abstract. Civil penalties range from hundreds to tens of thousands of dollars per violation, with annual caps reaching well into six figures for sustained non-compliance. Beyond the financial penalty, a practice that experiences a data breach traced back to its marketing vendor faces a credibility problem with patients that is far harder to repair than any fine.
The fix is not complicated. It requires a marketing partner who treats compliance as the starting point, not an afterthought. Read our full guide to what HIPAA-compliant marketing actually requires for a complete breakdown of BAA requirements, PHI exposure points, and CMIA obligations for California practices specifically.
If you are evaluating whether your current agency understands healthcare compliance, or whether you need a new one, our guide to choosing a medical marketing agency walks through the specific questions to ask before you sign anything.
Written and audited by Ben Mansouri, Founder of Zevi Digital and designated HIPAA Officer.
Wondering if your own marketing has one of these red flags? Find out in two minutes with our free HIPAA Marketing Compliance Checker. Check My Compliance →
