3 Hidden HIPAA-Compliance Risks
Are you running the risk of violating HIPAA with these common practices?

Hey Practice Builders — it's Steve with Healthcare Marketing Vitals!
Sorry this is so late! I’m going to blame it on the breaking news yesterday about the Healthcare Tracking Technology Class Action against Google!
Last week, we explored location page optimization for your practice’s local SEO. This week, I'm diving into the compliance topic I promised: HIPAA-compliance and specifically, 3 hidden risks.
Look, compliance isn't sexy like you, dear Practice Builder.
It's confusing, expensive, and constantly changing—much more like me.
But getting it wrong can cost you big, and OCR enforcement actions don’t just target big hospitals or healthcare tech.
That said, just yesterday a federal judge allowed a case against Google around health privacy and tracking to proceed—the outcome of which (and even the case itself) is likely to change a lot in the next few months or years.
Link and details below.
In This Week’s Email:
[30 sec] Best Links: The privacy case against Google + Compliance tools that actually work for healthcare practices
[30 sec] Thought for the Week: What the lawsuit against Google means
[4 min] Spotlight: Deep dive into 3 hidden HIPAA-compliance risks
[30 sec] By the Numbers: The real cost of non-compliance
[30 sec] Quote for the Week: On compliance
TOGETHER WITH SEMRUSH
SEMRush is kind of like having your own marketing team in house—but powered by a suite of tools for content marketing, SEO, and even analytics.
I’ve personally used their tools to help with SEO for clients and really, if you do any SEO then SEMRush is one of 2 or 3 options you even consider.
Will it replace your agency?
No.
But will SEMRush allow you to market your practice faster and more effectively if you don’t have an agency?
Yes.
Try it free for 7 days.
BEST LINKS
Essential Compliance Resources for Healthcare Marketing
🚨 Google Faces Major Healthcare Privacy Lawsuit 🚨 - On June 11, 2025, a federal judge allowed a class action lawsuit against Google to proceed, alleging it unlawfully collected PHI from healthcare websites through its tracking technology. Google filed a motion to dismiss; however, the court found merit in claims that Google knew its Analytics code was being used on healthcare sites but failed to prevent PHI collection. Lawsuit details
HIPAA Online Tracking Guidance - HHS's current guidance on tracking technologies, with key portions vacated by federal court in June 2024. Know what's still enforceable. Read the guidance
CallRail HIPAA-Compliant Call Tracking - Track your marketing calls without violating HIPAA. Includes Business Associate Agreements and encrypted call recordings. Get HIPAA-compliant tracking
OursPrivacy Customer Data Platform - Healthcare-specific CDP that manages patient data while maintaining compliance. Built for practices that need advanced tracking without HIPAA violations. Try OursPrivacy
Google’s Local Service Ads (LSAs) for Practices - Unlike most businesses, healthcare practices can’t dispute “bad leads”, because Google won’t review these for fear of seeing PHI. Read the guidance

THOUGHT FOR THE WEEK
This Changes Everything
I enjoy overstating things to a ridiculous degree.
However.
I think that up until this lawsuit, there has been a tacit agreement between Google, medical and health practices, and the OCR not to worry too much about tracking technologies like Google Analytics (GA4).
Using GA4 as an example, it’s a free analytics tool that’s widely supported and as long as it isn’t on a patient portal—it’s generally fine.
And up until now, Google has never been willing to sign a BAA, so they’ve shied away from directly supporting healthcare practices in the interest of having control over any data they get.
And so whether they walk away unscathed from this suit or not, they will absolutely be making changes.
A PHI-safe and low-cost version of their tools for healthcare practices?
Refusal to allow practices to use their tech, under penalty of lawsuit?
An all-in-one solution to compete with other tools out there?
I certainly have no idea.
But I’d bet that within a year we’ll see a completely different posture from Google around its tools and healthcare.
SPOTLIGHT
Compliance - What's Legal, What's Not, and What's Unclear
4 min. read
While most healthcare practices focus on obvious HIPAA compliance areas like patient records and email security, several hidden risks could trigger costly violations.
Here are three critical vulnerabilities most practices overlook.
1. Embedded Google Maps
That helpful Google Map embedded on your practice website might be creating HIPAA violations every time someone visits your site.
This is because the embed sends the user’s IP address to Google, and, according to FreshPaint, “If the map displays a specific healthcare address, such as an oncology clinic, that could be inferred as health information”.
Their argument is that the problem lies in the combination of data being collected. As healthcare privacy experts explain, "When you're a healthcare provider, that embedded map doesn't just collect a visitor's IP address—it collects protected health information (PHI) too".
If someone visits your physical therapy clinic's website and views your location map while researching knee replacement, that implies they may be seeking treatment and creates individually identifiable health information.
I see their point on this, however, I have not found a case that has been settled from the OCR against a practice due to this. If that were the case, most practices would be in violation.
It’s probably a bridge too far to say that just because someone visits a site with a map, they must then be going to that place.
But that’s my personal opinion and not legal advice.
The root of this problem though, is that you’re potentially sharing data with Google, and Google won’t sign a BAA with anyone.
The Fix: Replace embedded Google Maps with HIPAA-compliant mapping solutions that offer Business Associate Agreements, or use static images of your location without interactive mapping features.
2. Review Response Violations
Social media review responses seem harmless…
…until they trigger major HIPAA violations.
Elite Dental Associates paid $10,000 after responding to Yelp reviews by disclosing patients' last names and treatment details.
The practice had no policies for social media PHI protection and had a habit of disclosing PHI in review responses.
The HHS Office for Civil Rights investigation found that Elite had "impermissibly disclosed the protected health information of multiple patients in response to patient reviews on its Yelp review page".
When responding to a patient's review, the practice disclosed the patient's last name along with "details of her health condition, treatment plan, insurance, and cost information."
OCR Director Roger Severino stated clearly: "Social media is not the place for providers to discuss a patient's care. Doctors and dentists must think carefully about patient privacy before responding to online reviews".
Even seemingly innocent responses can violate HIPAA. For example, you might reply “Please give our office a call”; but a reply like “Please call us to address your concerns” is also considered a HIPAA violation, because it confirms that the reviewer is a patient.
The Fix: Develop written policies for social media interactions. Never reference specific patients, treatments, or confirm patient relationships in public responses. Keep responses generic: "Thank you for your feedback. Please contact our office directly if you would like to discuss further."
3. Non-Compliant Appointment Reminders
While HHS confirms that "appointment reminders are considered part of treatment of an individual and, therefore, can be made without an authorization", many practices unknowingly violate HIPAA through their reminder systems.
The critical issue lies in third-party services. HIPAA-compliant appointment reminders must take into account consent requirements, privacy restrictions, and the channel of communication.
When using automated scheduling software, patient engagement systems, or SMS services, practices must ensure these vendors sign Business Associate Agreements.
Many practices use popular scheduling platforms or SMS services without proper BAAs.
Additionally, the content matters.
While basic appointment reminders are permitted, you can’t disclose the nature of the patient's appointment, as that’s considered an unauthorized disclosure of PHI.
Covered entities should never disclose information regarding a patient's treatment, health condition, or test results via phone, email, or text without proper authorization.
The Fix: Audit all third-party services used for appointment reminders. Ensure BAAs are in place with every vendor that handles patient information. Limit reminder content to basic details: patient name, appointment date/time, and contact information only.
Court Ruling Provides Limited Relief
It's worth noting that a June 2024 federal court ruling provided some relief for healthcare organizations.
The U.S. District Court for the Northern District of Texas "vacated the guidance to the extent it provides that HIPAA obligations are triggered in 'circumstances where an online technology connects (1) an individual's IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers'".
However, this relief is narrow and doesn't address the broader compliance issues with embedded maps, social media interactions, or third-party appointment systems.
The Bottom Line
These hidden HIPAA risks share a common thread: they involve seemingly routine practice operations that inadvertently share patient information with third parties lacking proper privacy protections.
The penalties are real—Elite Dental's $10,000 fine represents just one documented case among many ongoing investigations.
The key to avoiding these violations lies in systematic auditing of all patient touchpoints, from website embeds to social media policies to appointment reminder systems. When in doubt, consult with HIPAA compliance experts who can identify these hidden risks before they become costly violations.
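One way to start the "systematic audit of patient touchpoints, from website embeds" described above, and to spot the embedded Google Maps risk from section 1, is a small script that parses a page's HTML and flags the third-party embeds this issue discusses. This is an added example, not code from the newsletter or from any vendor it mentions; the sample page, the pattern list, and the function names are my own constructions, and a match is an item for review, not a proven violation.

```python
import re
from html.parser import HTMLParser
# Constructed pattern list: public loader/embed URL fragments for the third-party
# services this issue discusses. A match is a review item, not a proven violation.
THIRD_PARTY_EMBEDS = {
    "Google Maps embed": r"google\.com/maps/embed",
    "Google Analytics / gtag": r"googletagmanager\.com/gtag/js|google-analytics\.com",
    "Meta Pixel": r"connect\.facebook\.net/.*fbevents\.js",
}
class EmbedAuditor(HTMLParser):
    """Collect src attributes of iframes, scripts and images, plus inline script text."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline_js, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("iframe", "script", "img") and attrs.get("src"):
            self.sources.append((tag, attrs["src"]))
        self._in_script = tag == "script" and not attrs.get("src")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)
def audit_page(html):
    """Return sorted (service, evidence) pairs for third-party embeds found in the HTML."""
    parser = EmbedAuditor()
    parser.feed(html)
    findings = set()
    for tag, src in parser.sources:
        for name, pattern in THIRD_PARTY_EMBEDS.items():
            if re.search(pattern, src):
                findings.add((name, f"<{tag} src={src}>"))
    js = "\n".join(parser.inline_js)  # inline snippets can fire pixels without any src
    if re.search(r"\bfbq\s*\(", js):
        findings.add(("Meta Pixel", "inline fbq() call"))
    if re.search(r"\bgtag\s*\(\s*[\"']config[\"']", js):
        findings.add(("Google Analytics / gtag", "inline gtag('config') call"))
    return sorted(findings)
# Constructed sample: a practice location page with a map embed and a GA4 loader.
SAMPLE_HTML = """<html><body><h1>Find our clinic</h1>
<iframe src="https://www.google.com/maps/embed?pb=EXAMPLE"></iframe>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=[];function gtag(){dataLayer.push(arguments)};gtag('config','G-EXAMPLE');</script>
<img src="/images/clinic-map-static.png" alt="Static map, no third-party request"></body></html>"""
if __name__ == "__main__":
    for service, evidence in audit_page(SAMPLE_HTML):
        print(f"[REVIEW] {service}: {evidence}")
```

Run it against each public page of your practice site; the static map image in the sample produces no finding, which is the point of the Fix in section 1.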
BY THE NUMBERS
The Depth of Non-Compliance
$6.6 million: Settlement paid by Novant Health for sharing PHI through tracking technologies (Meta pixel on its MyChart patient portal)
98.6%: Percentage of U.S. hospitals found using tracking code that transfers data to third parties
33%: Healthcare websites still using Meta Pixel despite compliance risks
QUOTE OF THE WEEK
If you think compliance is expensive—try non-compliance.
When you’re ready, here are 3 ways I can help
I help practices grow their revenue through digital marketing, through targeted, blended search marketing (SEO, Pay-Per-Click Ad) campaigns & dedicated patient reactivation and retention strategies.
I do this using our “Full Schedule Protocol”.
If you want to earn more and grow your practice, book your free call. Spots are limited and fill up each week.
Reply to any newsletter or send me an email at [email protected]. I read and respond to every email!
Get in front of our audience of healthcare leaders & professionals if you provide a service or product that could help them. I vet everyone carefully for this.
Book a free strategy call for precise steps you can take to market & grow your practice more effectively 👇
*Some links in this email may be affiliate links. They support this free email at no cost to you. Your support of our sponsors means a great deal to me and goes a long way.
That’s All for Now
Have a great week Practice Builders—and remember to comply (at least with HIPAA)
See You Next Week,
Steve