Solutions by Sensitive Data Collection

Protect Sensitive Health Data from Digital Exposure

Vault monitors for health privacy violations across your websites and mobile apps. We protect your consumers’ privacy and safeguard your business against regulators and class action suits for violations of HIPAA, VCDPA (VA), MHMD (WA), CTDPA (CT), and SB 70 in Nevada.

Sensitive Data - Health

Privacy Violations Add to Rising Healthcare Costs

In 2023, the FTC and HHS warned 130 hospital systems and telehealth providers that online tracking technologies could cause illegal sharing of Personal Health Information (PHI). Vault helps you identify unauthorized health data collection and sharing across all your websites, mobile apps, and third-party technologies.

Aurora Health

DTTs Cost Aurora Health $12 Million

Aurora Health paid $12.25 million to resolve a class-action suit over the impermissible disclosure of patient data to third parties via a pixel-enabled leak.

Kaiser Permanente

Kaiser’s $47 Million Tracker Settlement

Kaiser Permanente agreed to a $47.5 million settlement over allegations that DTTs on its websites and mobile apps potentially shared patient access data with third parties.

GoodRx

GoodRx Fined $1.5M for Sharing Health Data

The FTC fined GoodRx $1.5 million for allegedly sharing users’ health information with Facebook, Google, and others without specific, informed consent or breach notifications.

How Vault JS Supports Compliance with Health Data Laws

Prevent Legally Actionable Data Leaks

Vault detects when health data is shared without consent.

Monitor Trackers in Patient-Facing Tools

Vault audits all third-party scripts that may access PHI.

Maintain Compliance with Health Privacy Laws

Stay ahead of HIPAA and state laws like MHMD and CCPA.

Provide Audit-Ready Evidence

Get detailed reports on all regulated health data actions.

Reduce Risk of Class Actions and Reputational Harm

Stay out of the headlines. Ensure behavior matches the law.

Key Health Data Compliance Capabilities

How we manage risk in a changing environment

PHI Detection Engine

Vault identifies both structured and inferred PHI transmitted through network requests, URLs, cookies, headers, and payloads. Real-time analysis determines when sensitive data may be exposed to third parties or misconfigured vendors.

Tracker and Script Monitoring

Vault continuously maps and monitors third-party scripts, pixels, tags, and embedded SDKs across websites and mobile apps. By detecting unauthorized collection, Vault gives your teams time to act, reducing regulatory risk.

Consent-State Testing

Vault simulates real patient sessions under multiple consent scenarios, verifying whether tracking technologies respect consent signals and preventing unauthorized transmission of health-related information.

Real-Time Alerts and Blocking

Vault detects noncompliant data collection, unauthorized third-party transmissions, and consent misconfigurations. It generates immediate alerts so you can suppress or disable risky scripts, pixels, or SDKs before sensitive health data is exposed.

Cross-Platform Visibility

Vault delivers unified compliance monitoring across websites, patient portals, mobile apps, and backend services. It correlates frontend tracking with server-side data flows to provide a complete view of sensitive health information across digital environments.

Frequently Asked Questions

Protected Health Information (PHI) under HIPAA includes any individually identifiable health information that relates to a person’s past, present, or future physical or mental health, healthcare services, or payment for care. This includes obvious data such as diagnoses, medical record numbers, and treatment details, as well as identifiers such as names, email addresses, IP addresses, device IDs, and health-related appointment information. Even form submissions, search terms, or page visits can become PHI if they reveal a specific health condition or care intent. If health-related data can reasonably be tied to an individual, HIPAA may treat it as protected.

Third-party scripts, pixels, and DTTs (Digital Tracking Tools) can trigger HIPAA violations when they collect or transmit health-related information tied to identifiable users without proper authorization or safeguards. For example, if a tracking pixel captures appointment requests, condition-specific page visits, intake form data, or login activity, and sends that data to an ad platform or analytics vendor, that transmission may constitute an impermissible disclosure of PHI. Even IP addresses or device identifiers can become protected when used in a health context. Without a valid Business Associate Agreement (BAA) and strict configuration controls, these tools can expose healthcare organizations to regulatory and legal risk.

A Business Associate Agreement (BAA) is a legally required contract under HIPAA between a covered entity (such as a healthcare provider, insurer, or health plan) and a third-party vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on its behalf. The BAA establishes how PHI may be used, requires the vendor to implement appropriate safeguards, and obligates them to report breaches or unauthorized disclosures. Without a valid BAA in place, sharing PHI with a service provider — including certain analytics or cloud vendors — can itself constitute a HIPAA violation.

Yes. HIPAA applies to healthcare marketing websites and patient portals operated by covered entities or business associates that involve Protected Health Information (PHI). If a website allows appointment scheduling, patient logins, form submissions, symptom searches, or condition-specific interactions tied to identifiable individuals, the data collected may qualify as PHI. Even marketing pages can trigger HIPAA obligations if tracking tools capture health-related activity linked to IP addresses, device IDs, or other identifiers. When health context and identifiable data intersect, HIPAA compliance requirements may apply.

The FTC Health Breach Notification Rule (HBNR) requires certain health apps, digital health platforms, and related service providers to notify consumers, the FTC, and, in some cases, the media if unsecured health information is accessed, acquired, or disclosed without authorization. Unlike HIPAA, this rule applies to vendors of personal health records (PHRs), health apps, wearable platforms, and connected devices that are not covered entities. Companies must provide notice without unreasonable delay, and no later than 60 days after discovering a breach. Failure to comply can result in significant civil penalties and FTC enforcement actions.

The Washington My Health My Data (MHMD) Act is a broad, state-enacted consumer health privacy law that regulates the collection, sharing, and sale of “consumer health data,” even outside of traditional HIPAA-covered entities. It applies to companies that collect health-related data from Washington residents via websites, mobile apps, wellness platforms, and advertising technologies. The law requires clear consent for collection and sharing, prohibits certain geofencing practices near healthcare facilities, and grants consumers the right to access and delete their health data. Because MHMD includes a private right of action, noncompliance can expose organizations to direct lawsuits in addition to regulatory enforcement.

Yes. DTTs, tracking pixels, and session replay software can create HIPAA or MHMD violations if they collect or transmit identifiable health-related data without proper authorization, consent, or safeguards. For example, if a tool captures appointment requests, symptom searches, form entries, or condition-specific page visits and shares that data with third parties, it may constitute an impermissible disclosure. Under HIPAA, this can occur if there is no valid Business Associate Agreement (BAA) in place; under MHMD, it can occur if there is no clear, affirmative consumer consent. Even IP addresses or device identifiers can trigger risk when combined with health context.

Penalties for HIPAA, MHMD, and FTC health privacy violations can include substantial civil fines, regulatory investigations, corrective action plans, and reputational harm. HIPAA is enforced by the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR), with civil penalties that can reach millions of dollars depending on the severity and duration of the violation. The FTC enforces the Health Breach Notification Rule and can seek significant civil penalties, consumer redress, and injunctive relief. The Washington My Health My Data (MHMD) Act is enforced by the Washington Attorney General and also includes a private right of action, allowing consumers to file lawsuits directly.

Vault monitors sensitive healthcare data by analyzing real user flows across websites and mobile apps to detect when health-related information is collected, exposed, or transmitted to third parties. The platform scans pages, forms, login areas, appointment scheduling tools, and in-app screens to identify where Digital Tracking Technologies (DTTs) such as pixels, analytics scripts, ad tags, or embedded SDKs are active. It inspects network requests and data payloads to determine whether identifiers, health context, or form inputs are being shared. This continuous visibility helps organizations detect potential HIPAA, MHMD, or FTC-related exposure before it becomes a regulatory issue.

Yes. Vault analyzes real user journeys, including appointment booking, intake forms, account registration, and login flows, to identify where sensitive health-related data may be exposed or transmitted. It monitors active Digital Tracking Technologies (DTTs), inspects network requests, and evaluates data payloads to determine whether identifiers, form inputs, or health context are being shared with third parties. This includes testing authenticated areas and multi-step workflows that traditional scanners often miss. By mapping data collection in real time, Vault helps organizations pinpoint and remediate potential HIPAA, MHMD, or FTC-related risks.

Vault identifies unauthorized third-party data collection by mapping every external script, pixel, SDK, and network endpoint active across a website or mobile app. It analyzes outbound requests in real time to determine which vendors receive data, what fields are transmitted, and whether health context or identifiers are included. The platform correlates those transmissions with known Digital Tracking Technologies (DTTs) and vendor domains to create a complete inventory of data flows. By comparing observed behavior against policy requirements, consent status, and Business Associate Agreement (BAA) coverage, Vault flags vendors that may be collecting health-related data without proper authorization.
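As an added example (not Vault's code, and not a description of Vault's internals), here is the kind of correlation the PHI Detection, Consent-State Testing and vendor-inventory passages above describe, run over a few constructed captured requests: each outbound request is checked for health context and identifiers, and a PHI-like transmission is flagged as blocked unless the receiving host is on an assumed BAA-covered vendor list and the session's consent state permits it. All hosts, parameter names and sample requests are assumptions.

```javascript
// Added example, not Vault's code: audit captured outbound requests from a
// patient-facing page for PHI-like disclosures to third parties. Hosts, vendor
// lists and the sample requests below are constructed for illustration.
const FIRST_PARTY = new Set(['portal.example-health.test']);
const BAA_COVERED = new Set(['analytics.baa-vendor.test']); // vendors with a signed BAA (assumed)
const HEALTH_PATTERNS = [/diagnos/i, /condition/i, /symptom/i, /appointment/i, /oncology/i];
const IDENTIFIERS = new Set(['email', 'phone', 'mrn', 'device_id', 'client_ip']);

// Flatten query parameters and any POST body into one field map.
function extractFields(request) {
  const url = new URL(request.url);
  const fields = Object.fromEntries(url.searchParams);
  return { host: url.hostname, fields: { ...fields, ...(request.body || {}) } };
}

// Classify one request given the consent state of the session it was captured in.
function auditRequest(request, consent) {
  const { host, fields } = extractFields(request);
  if (FIRST_PARTY.has(host)) return { host, verdict: 'allow', reasons: [] };
  // Health context may come from the originating page URL, field names or field values.
  const text = [request.pageUrl, ...Object.keys(fields), ...Object.values(fields)].join(' ');
  const healthContext = HEALTH_PATTERNS.some((p) => p.test(text));
  const identifiers = Object.keys(fields).filter((k) => IDENTIFIERS.has(k));
  const reasons = [];
  if (healthContext) reasons.push('health-context');
  if (identifiers.length) reasons.push(`identifiers:${identifiers.join(',')}`);
  // Health context tied to an identifier is PHI-like: it needs both a BAA and consent.
  const phiLike = healthContext && identifiers.length > 0;
  if (phiLike && !BAA_COVERED.has(host)) reasons.push('no-baa');
  if (phiLike && !consent.analytics) reasons.push('no-consent');
  const blocked = reasons.includes('no-baa') || reasons.includes('no-consent');
  // Partial signals (health context or identifiers alone) to a third party get human review.
  const verdict = blocked ? 'block' : reasons.length && !phiLike ? 'review' : 'allow';
  return { host, verdict, reasons };
}

function auditSession(requests, consent) {
  return requests.map((r) => auditRequest(r, consent));
}

// Constructed sample: three requests captured on an oncology appointment page,
// in a session where the user declined analytics consent.
const PAGE = 'https://portal.example-health.test/oncology/appointment';
const SAMPLE_REQUESTS = [
  { pageUrl: PAGE, url: 'https://portal.example-health.test/api/slots?clinic=12' },
  { pageUrl: PAGE, url: 'https://pixel.adnetwork.test/collect?event=appointment_request', body: { email: 'pat@example.test' } },
  { pageUrl: PAGE, url: 'https://analytics.baa-vendor.test/t?device_id=abc123' },
];
const SAMPLE_CONSENT = { analytics: false };
```

Running `auditSession(SAMPLE_REQUESTS, SAMPLE_CONSENT)` flags the ad-network pixel for both missing BAA and missing consent, and the BAA-covered vendor for missing consent only.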

Yes. Vault provides documented evidence of how sensitive health data is collected, transmitted, and controlled across digital properties. Organizations can use the documentation to demonstrate due diligence during HIPAA or FTC inquiries. The platform maintains a continuous audit trail of detected Digital Tracking Technologies (DTTs), data flows, consent states, and remediation actions. This visibility supports risk assessments, vendor oversight documentation, and corrective action tracking. By producing clear records of monitoring and mitigation efforts, Vault helps organizations show regulators that compliance controls are active, tested, and enforced.

Stay compliant with complex and changing health data laws