Patient Protect

How It Works

What the HIPAA Readiness Scan checks

The scan analyzes your practice’s website from the outside — the same perspective a patient, a competitor, or an OCR investigator would have. Every check maps to a real HIPAA requirement or a documented OCR enforcement action.

Third-Party Data Sharing

Detects tracking technologies — Facebook Pixel, Google Analytics, Google Tag Manager, TikTok, LinkedIn, session replay tools — that may transmit patient browsing data to third parties without authorization.
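The detection described above can be done passively from the page's HTML alone. The following is an added example written for this page, not Patient Protect's scanner: it parses a page with the standard library, collects external script, iframe and image sources plus inline script text, and matches them against a small hand-maintained signature list (the hostnames and inline markers are this example's assumption, not a list from the page). It also records whether the page carries a form, since a tracker on an appointment or contact page is the case the OCR bulletin is most concerned with. The sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hand-maintained signatures (an assumption of this example, not Patient Protect's list):
# hostnames that serve common tracker loaders, and inline-JS markers that identify them.
TRACKER_HOSTS = {
    "connect.facebook.net": "Facebook Pixel",
    "googletagmanager.com": "Google Tag Manager / gtag.js",
    "google-analytics.com": "Google Analytics",
    "analytics.tiktok.com": "TikTok Pixel",
    "snap.licdn.com": "LinkedIn Insight Tag",
    "static.hotjar.com": "Hotjar session replay",
    "fullstory.com": "FullStory session replay",
    "clarity.ms": "Microsoft Clarity session replay",
}
INLINE_MARKERS = {"fbq(": "Facebook Pixel",
                  "gtag(": "Google Tag Manager / gtag.js",
                  "ttq.load(": "TikTok Pixel"}


class TrackerScanner(HTMLParser):
    """Collects external resource URLs, inline script text and whether a form is present."""

    def __init__(self):
        super().__init__()
        self.resource_urls = []
        self.inline_js = []
        self.has_form = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "img") and a.get("src"):
            self.resource_urls.append(a["src"])
        if tag == "script":
            self._in_script = True
        if tag == "form":
            self.has_form = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


def _matches_host(host, fragment):
    return host == fragment or host.endswith("." + fragment)


def scan_html(html):
    """Return the trackers found plus a risk level: 'high' when a tracker shares
    the page with a form (appointment/contact), 'medium' for a tracker alone."""
    parser = TrackerScanner()
    parser.feed(html)
    found = set()
    for url in parser.resource_urls:
        # relative URLs ("/assets/app.js") yield no hostname and cannot match
        host = urlparse(url if "//" in url else "//" + url).hostname or ""
        found.update(v for frag, v in TRACKER_HOSTS.items() if _matches_host(host, frag))
    js = "".join(parser.inline_js)
    found.update(v for frag, v in TRACKER_HOSTS.items() if frag in js)  # loader injected by JS
    found.update(v for marker, v in INLINE_MARKERS.items() if marker in js)
    risk = "high" if found and parser.has_form else "medium" if found else "none"
    return {"trackers": sorted(found), "has_form": parser.has_form, "risk": risk}


# Constructed sample of a booking page (not a real site); the IDs are placeholders.
SAMPLE_BOOKING_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<script src="/assets/booking.js"></script>
</head><body>
<form action="/book" method="post"><input name="visit_reason"></form>
</body></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE_BOOKING_PAGE))
```

Running it on the sample reports both the Google tag loader and the Facebook Pixel with risk "high" because the page also carries a booking form; a page with only first-party scripts reports no trackers. A real scan would fetch the page over HTTPS first and feed the body to `scan_html`.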

Website Security

Checks encryption (HTTPS/TLS), security headers (HSTS, Content Security Policy), exposed admin panels, server version disclosure, and publicly accessible sensitive files.

Email Security

Verifies SPF and DMARC records that prevent attackers from spoofing emails from your practice domain. Flags consumer email addresses (Gmail, Yahoo) listed for patient contact.
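The Website Security and Email Security checks above (HSTS, CSP, server version disclosure, SPF, DMARC, consumer contact addresses) can all be evaluated from data a normal client already receives: the HTTP response headers and the domain's public TXT records. The following is an added example for this page, not Patient Protect's code: it scores response headers, parses SPF and DMARC records, and flags consumer mail addresses. The DNS answers and headers are constructed inline, and the `txt_lookup` callback, the 180-day HSTS threshold and the consumer-provider list are this example's assumptions; a real scan would query TXT for the domain and for `_dmarc.<domain>`.

```python
import re

# Hand-maintained list of consumer mail providers (an assumption of this example).
CONSUMER_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com", "outlook.com"}
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")


def check_security_headers(headers):
    """Passive review of HTTP response headers; returns a list of findings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: a first visit over http:// is not forced onto TLS")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 15552000:  # 180 days, a common minimum (assumption)
            findings.append("HSTS max-age is shorter than 180 days")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing: third-party scripts are unrestricted")
    server = h.get("server", "")
    if re.search(r"/\d", server):  # e.g. "Apache/2.4.41" discloses a version
        findings.append(f"Server header discloses a software version: {server}")
    return findings


def parse_spf(record):
    """Effective result for senders the record does not list: 'fail' (-all),
    'softfail' (~all), 'neutral' (?all or no 'all' term), 'pass' (+all, anyone
    may send), or 'missing' if this is not an SPF record. A redirect= modifier
    is not followed here."""
    if not record.lower().startswith("v=spf1"):
        return "missing"
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}[qualifier]
    return "neutral"


def parse_dmarc(record):
    """Return the DMARC policy tag p= ('none', 'quarantine', 'reject') or 'missing'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    return tags.get("p", "none").lower()


def email_auth_findings(domain, txt_lookup):
    """txt_lookup(name) -> list of TXT strings. Returns a list of findings."""
    findings = []
    spf = [r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("No SPF record: receivers cannot tell which servers may send as this domain")
    elif len(spf) > 1:
        findings.append("Multiple SPF records: receivers treat this as a permanent error")
    else:
        verdict = parse_spf(spf[0])
        if verdict in ("neutral", "pass"):
            findings.append(f"SPF gives unlisted senders '{verdict}': no spoofing protection")
        elif verdict == "softfail":
            findings.append("SPF ends in ~all: unlisted senders are only marked, not rejected")
    dmarc = [r for r in txt_lookup("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("No DMARC record: SPF/DKIM failures carry no enforcement policy")
    else:
        policy = parse_dmarc(dmarc[0])
        if policy == "none":
            findings.append("DMARC p=none: failures are reported but mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: move to p=reject once reports look clean")
    return findings


def find_consumer_contact_addresses(page_text):
    """Email addresses on the page whose domain is a consumer mail provider."""
    return [m.group(0) for m in EMAIL_RE.finditer(page_text)
            if m.group(1).lower() in CONSUMER_MAIL_DOMAINS]


# Constructed DNS answers standing in for a resolver (not real records).
SAMPLE_TXT = {
    "practice.example": ["v=spf1 include:_spf.google.com ~all", "google-site-verification=abc123"],
    "_dmarc.practice.example": ["v=DMARC1; p=none; rua=mailto:dmarc@practice.example"],
}


def sample_lookup(name):
    return SAMPLE_TXT.get(name, [])


if __name__ == "__main__":
    report = check_security_headers({"Server": "Apache/2.4.41"})
    report += email_auth_findings("practice.example", sample_lookup)
    report += find_consumer_contact_addresses("Contact us at frontdesk@gmail.com")
    for line in report:
        print("-", line)
```

The header check only reads what the server sent with a normal response, and the email checks only read public TXT records, which keeps the whole procedure as passive as the FAQ below describes. Note the ordering in `email_auth_findings`: a second SPF record is reported before the qualifier is examined, because RFC 7208 receivers treat two records as an error rather than picking one.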

Required Documents

Checks whether your Notice of Privacy Practices and privacy policy are posted and accessible — a baseline HIPAA requirement that OCR specifically looks for.

Why It Matters

Your website is the first thing patients — and investigators — see

In December 2022, the HHS Office for Civil Rights issued a bulletin specifically warning healthcare providers about tracking technologies on their websites. Since then, multiple healthcare organizations have faced enforcement actions, class-action lawsuits, and settlements for running tools like Facebook Pixel and Google Analytics on patient-facing pages.

The average healthcare data breach costs $9.8 million (IBM, 2024) — the highest of any industry. And attacks on independent providers have risen 6x since 2021. Your website is the most visible part of your practice’s digital footprint. If it’s leaking patient data to third parties, that’s the first thing an investigator will find.

This scan gives you the same view an investigator would have — in 30 seconds, for free. The issues it finds are the ones your web developer can fix. The deeper compliance work — policies, training, BAA tracking, risk analysis — is what Patient Protect is built for.

Frequently Asked Questions

Common questions about the scan

What does this scan actually check?

The scan analyzes your website from the outside — the same perspective a patient or an OCR investigator would have. It checks for third-party tracking technologies (like Facebook Pixel and Google Analytics), security configurations (encryption, security headers), email authentication (SPF, DMARC), exposed admin pages, and whether required HIPAA documents like your Notice of Privacy Practices are posted.

Is this scan safe? Will it affect my website?

Completely safe. The scan only observes publicly available information — it visits your site like a normal browser would. No login credentials are needed, no files are modified, and no vulnerability testing is performed. It's the digital equivalent of walking past your office and looking at the sign on the door.

Why does my practice website matter for HIPAA compliance?

Your website is often the first point of contact between patients and your practice. If it runs tracking technologies like Facebook Pixel or Google Analytics on pages where patients book appointments or fill out contact forms, those tools may be transmitting protected health information to third parties without authorization. The HHS Office for Civil Rights issued a bulletin in December 2022 specifically addressing this issue, and multiple healthcare organizations have faced enforcement actions.

My website was built by a professional — do I still need to scan it?

Yes. Most web developers are not HIPAA specialists. They install standard marketing tools — Google Analytics, Facebook Pixel, session recorders — that are perfectly appropriate for a restaurant or retail store, but create compliance risks on a healthcare provider's site. The scan identifies these gaps so you can share specific findings with your web team.

What's the difference between this scan and a HIPAA risk assessment?

This scan looks at the outside of your practice — your public-facing website. A HIPAA risk assessment examines the inside — your policies, training, Business Associate Agreements, access controls, and documentation. Both matter. This scan covers roughly 20% of your HIPAA obligations (the technical safeguards visible from outside). The other 80% requires an internal assessment, which is what Patient Protect's platform is built to guide you through.

Will Patient Protect fix the issues this scan finds?

The website-specific issues (tracking pixels, security headers, missing policies on your site) need to be addressed by your web developer or IT provider — we provide the specific findings and recommended actions to share with them. Patient Protect focuses on the internal compliance infrastructure: policies, BAA tracking, risk assessments, workforce training, and continuous monitoring. We advise on the website issues, but our platform addresses the operational foundation that OCR actually audits.

What does my score mean?

Your score reflects the public-facing HIPAA posture of your website on a 0–100 scale. An A means your website shows strong attention to patient privacy and security. A D or F means we observed issues that OCR has specifically targeted in enforcement actions. The score is based on what's visible from outside — the compliance areas you can't see from outside (policies, training, BAAs) are equally important but require an internal assessment.

Is my scan data kept private?

Yes. Your scan results are not published, shared, or visible to anyone except you. Patient Protect does not maintain a public directory of scan results, and we never use individual practice names in any public context. We may aggregate anonymized scan data for compliance research — but your practice is never identified.