Zevi Digital — What HIPAA-Compliant Marketing Means for Medical Practices
COMPLIANCE GUIDE

What HIPAA-compliant marketing actually means for medical and dental practices in California.

Most medical practices assume their marketing is HIPAA compliant. Most are wrong.

HIPAA compliance in marketing is not a checkbox. It is an ongoing obligation that governs how your practice collects, stores, transmits, and uses patient data across every marketing channel: your website forms, your Google Ads campaigns, your retargeting pixels, your email follow-up sequences, and your reputation management tools. In California, the Confidentiality of Medical Information Act adds state-level requirements on top of federal HIPAA standards that most marketing agencies have never heard of. This guide explains what HIPAA-compliant marketing actually requires, where most practices are unknowingly exposed, and what to look for in an agency that handles your marketing data correctly.

WHAT THE LAW ACTUALLY REQUIRES

HIPAA in marketing: what it covers, what it does not, and where practices are most exposed.

Written and audited by Ben Mansouri, Founder of Zevi Digital and designated HIPAA Officer. This is not legal advice. It is a practical guide based on direct experience marketing medical and dental practices under HIPAA and California CMIA requirements.

What counts as Protected Health Information in a marketing context.

Protected Health Information (PHI) under HIPAA is any individually identifiable health information held or transmitted by a covered entity or its business associates. In a marketing context, this means more than medical records. A contact form submission that includes a patient's name, email address, and a description of their dental concern is PHI. A call tracking number that records a patient describing their symptoms is PHI. A retargeting pixel that identifies a user who visited your "gum disease treatment" page and then follows them across the web is potentially creating PHI by associating an identifiable individual with a health condition. Most practices assume HIPAA only applies to their electronic health records system. It applies to every point of data contact between a prospective or current patient and your practice, including the marketing stack.

Where marketing agencies most commonly create HIPAA exposure for their clients.

The four most common sources of HIPAA exposure in medical and dental marketing are: standard Google Analytics and Meta Pixel implementations that transmit patient data to third-party ad platforms without proper data sharing agreements; contact forms connected directly to non-HIPAA-compliant CRM tools that store patient inquiry data in systems without BAAs in place; retargeting campaigns that use patient visit data from clinical pages (appointment confirmation pages, patient portal pages) to serve ads to identifiable individuals; and call tracking systems that record patient calls and transmit recordings to servers without HIPAA-compliant data handling agreements. Most marketing agencies use all four of these tools in their standard configuration without modification for healthcare clients. This is not negligence in most cases. It is a genuine lack of healthcare marketing expertise.

What a Business Associate Agreement is and why you need one before any marketing work begins.

A Business Associate (BA) under HIPAA is any person or entity that performs services for a covered healthcare entity and in doing so creates, receives, maintains, or transmits PHI. A marketing agency that accesses your contact form submissions, manages your call tracking, runs your retargeting campaigns, or stores any patient inquiry data is a Business Associate and must sign a Business Associate Agreement before that work begins. A BAA is a legally binding contract that specifies how the BA will safeguard PHI, what they will do in the event of a breach, and what happens to the data when the relationship ends. It is not optional. Operating without a BAA when one is required is a HIPAA violation regardless of whether any breach occurs. Every marketing agency working with a medical or dental practice should be able to produce a BAA immediately on request. If they cannot or if they are unfamiliar with what a BAA is, they should not be managing your marketing.

California adds requirements that most out-of-state agencies do not know about.

California's Confidentiality of Medical Information Act (CMIA) provides broader protections than federal HIPAA in several areas that directly affect medical marketing. The CMIA covers providers, service plans, contractors, and employers, and imposes civil and criminal penalties for unauthorized disclosure of medical information that go beyond HIPAA's penalty structure. In 2022 and 2023, the California Attorney General's office took enforcement actions against companies using advertising technology in ways that transmitted health-related data to third parties without consent. The California Consumer Privacy Act (CCPA) adds further obligations around patient data disclosure and opt-out rights for California residents. An agency marketing a Los Angeles medical or dental practice that has not accounted for CMIA and CCPA alongside federal HIPAA is operating with incomplete compliance infrastructure.

What HIPAA-compliant marketing infrastructure actually looks like in practice.

A properly configured HIPAA-compliant marketing stack for a medical or dental practice includes: server-side tracking that keeps patient data off third-party ad platform servers; contact forms connected only to HIPAA-compliant CRM tools with BAAs in place; call tracking systems with HIPAA-compliant data handling and BAAs with the call tracking vendor; retargeting configurations that exclude clinical pages and patient portal pages from pixel firing; and a documented data handling policy that specifies what patient data is collected through marketing channels, how it is stored, who has access, and what happens to it when a patient relationship ends. This infrastructure is not more expensive than a standard marketing setup. It requires expertise and intentional configuration. The default setup for most marketing tools is not HIPAA-compliant. Compliance requires actively choosing and configuring the right options, not accepting defaults.

COMMON QUESTIONS

Questions practice owners ask about HIPAA and marketing compliance.

Does my marketing agency need to sign a Business Associate Agreement?

Yes, if the agency accesses, stores, or transmits any protected health information on your behalf. In practice this means almost any marketing agency working with a healthcare practice needs a BAA in place, because contact form submissions, call recordings, and patient inquiry data are PHI. If your current marketing agency has not signed a BAA with your practice, you are operating without a required legal safeguard. Ask your agency for the BAA today. If they do not know what it is or cannot produce one, that is a significant problem that needs to be resolved immediately.

Is Google Analytics HIPAA compliant for a medical practice?

Standard Google Analytics implementations are generally not HIPAA compliant for medical practices because Google does not sign Business Associate Agreements for its standard analytics product. The default configuration of Google Analytics 4 transmits user behavior data to Google's servers, and when a user visits a clinical page (an appointment booking page, a specific condition treatment page, or a patient portal), that data can constitute PHI if it is associated with an identifiable individual. A HIPAA-compliant implementation requires server-side tagging that keeps patient data off Google's servers, careful exclusion of clinical pages from tracking, and a documented data handling policy. This is achievable but requires intentional configuration that most standard analytics setups do not have.

Can a medical or dental practice use retargeting at all?

Yes, but with important configuration requirements. Retargeting campaigns that use data from clinical pages, patient portal pages, or appointment confirmation pages to identify and re-target specific users can create PHI by associating an identifiable individual with a health condition or treatment. HIPAA-compliant retargeting requires excluding those pages from pixel firing, using only general site visitor data (not condition-specific page data) for audience building, and ensuring that the retargeting platform has a BAA in place or a data sharing agreement that meets HIPAA requirements. Meta does not currently sign BAAs for its advertising platform. This limits how medical practices can use Facebook and Instagram retargeting without creating compliance exposure.
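The "exclude clinical pages from pixel firing" and "general site visitor data only" rules described in the infrastructure section and in the two answers above are easiest to reason about as a small gate that runs before any tag is allowed to load. The following is an added illustration written for this guide; it is not Zevi Digital's code, not a tag manager's API, and the path patterns, query keys, hostname and the `loadPixel` integration point are all assumptions a practice would replace with its own URL map and its own tag manager hook.

```javascript
// Added example (not from the original page): a browser-side gate that decides
// whether a marketing/retargeting pixel may fire on the current page, and what
// minimal payload it may carry. Path rules and query keys are constructed for
// illustration; a real practice maps its own clinical URLs.

// Pages that reveal a health condition, a booking, or patient status. A pixel
// must never fire here (matches the guide's "exclude clinical pages" rule).
const CLINICAL_PATH_RULES = [
  /^\/patient-portal(\/|$)/i,            // patient portal (assumed path)
  /^\/appointment\/confirm(ation)?(\/|$)/i, // appointment confirmation (assumed)
  /^\/book(ing)?\/thank-you(\/|$)/i,     // booking thank-you page (assumed)
  /^\/conditions\//i,                    // condition-specific pages (assumed)
  /^\/treatments\//i,                    // treatment-specific pages (assumed)
  /^\/forms\//i,                         // intake / contact forms (assumed)
];

// Query-string keys that commonly carry identifiers or health detail. These are
// stripped even on general pages so they never reach an ad platform.
const SENSITIVE_QUERY_KEYS = new Set([
  'email', 'phone', 'name', 'patient', 'patient_id', 'condition', 'symptom', 'appt',
]);

// Base used only so relative paths parse; the hostname is a placeholder.
const BASE = 'https://example-practice.invalid';

// Classify a URL (absolute or path-only) as 'clinical' or 'general'.
function classifyPage(url) {
  const { pathname } = new URL(url, BASE);
  return CLINICAL_PATH_RULES.some((re) => re.test(pathname)) ? 'clinical' : 'general';
}

// A pixel may fire only on a general page AND only with explicit visitor consent.
function shouldFireMarketingPixel(url, consent) {
  return consent === true && classifyPage(url) === 'general';
}

// Build the minimal payload allowed to leave the browser, or null if nothing may.
// The fragment is dropped and sensitive query keys are removed.
function buildTrackingPayload(url, consent) {
  if (!shouldFireMarketingPixel(url, consent)) return null;
  const u = new URL(url, BASE);
  const kept = new URLSearchParams();
  for (const [key, value] of u.searchParams) {
    if (!SENSITIVE_QUERY_KEYS.has(key.toLowerCase())) kept.set(key, value);
  }
  const query = kept.toString();
  return { page: u.pathname + (query ? `?${query}` : ''), category: 'general' };
}

// Integration point (assumed): the tag manager calls this with its own loader.
// Returns true if the pixel was loaded, false if the gate blocked it.
function fireIfAllowed(loadPixel, url, consent) {
  const payload = buildTrackingPayload(url, consent);
  if (payload !== null) loadPixel(payload);
  return payload !== null;
}

// Self-check over constructed URLs when run directly under Node.
if (typeof require !== 'undefined' && require.main === module) {
  const samples = [
    ['/about-us?utm_source=google&email=jane%40example.com#top', true],
    ['/conditions/gum-disease', true],
    ['/appointment/confirmation?appt=42', true],
    ['/about-us', false],
  ];
  for (const [url, consent] of samples) {
    console.log(url, '->', JSON.stringify(buildTrackingPayload(url, consent)));
  }
}

module.exports = { classifyPage, shouldFireMarketingPixel, buildTrackingPayload, fireIfAllowed };
```

The gate is deliberately deny-by-default: an unknown page is still checked against the clinical list, and no consent means no pixel regardless of page. When the practice also runs server-side tagging, the same classification and key-stripping should be repeated in the server container, since a browser-side rule can be bypassed by a misconfigured tag and the server container is the last point where data can be kept off the ad platform.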

How does California's CMIA differ from federal HIPAA for marketing?

Federal HIPAA sets minimum national standards for the protection of health information. California's Confidentiality of Medical Information Act (CMIA) provides broader protections in several areas and applies to a wider range of entities than federal HIPAA. For marketing purposes, the CMIA is relevant because it restricts the disclosure of medical information for marketing purposes without patient authorization, and California enforcement has specifically targeted companies using advertising technology to transmit health-related data to third parties. In cases where CMIA provides greater protection than HIPAA, California law governs. A marketing agency working with California medical practices must account for both frameworks, not just federal HIPAA.

How does Zevi Digital handle HIPAA compliance?

Every Zevi Digital engagement begins with a compliance audit of the existing marketing stack: tracking pixels, form integrations, call tracking configurations, retargeting setups, and CRM connections. We sign a Business Associate Agreement with every client before any work begins. Our founder Ben Mansouri is the agency's designated HIPAA Officer and personally reviews compliance on every campaign. We use server-side tracking configurations that keep patient data off third-party ad platform servers, connect forms only to HIPAA-compliant tools with BAAs in place, and exclude clinical pages from retargeting pixel firing. We account for both federal HIPAA and California CMIA requirements in every campaign we build for California practices.

NEXT STEP

HIPAA compliance is not a feature we added to our marketing. It is how we built the agency from day one.

Medical and dental practices, exclusively. HIPAA compliant by design. Los Angeles.

Zevi Digital works exclusively with medical and dental practices. Our founder Ben Mansouri serves as the agency's designated HIPAA Officer on every engagement. We sign a Business Associate Agreement before any work begins. Every campaign we build for a California medical or dental practice is designed to meet federal HIPAA and California CMIA requirements from the first day, not as a retrofit.

Not sure where your practice stands? Try one of our free HIPAA tools.