HIPAA Compliance

Pilot Digital as an Alternative to FreshPaint (and others)

You are probably reading this for one of two reasons: 

  1. All tracking shut off: You are a healthcare marketer and have had to shut off all tracking on your website due to HIPAA-compliance concerns and you want to get it back so you can optimize what you are doing and prove to your bosses how many patients you are acquiring.
  2. Worried about lawsuits: You’re a healthcare marketer and have not shut off all tracking and you’re worried about being the subject of a class action lawsuit if you don’t solve the issues. And that is a very valid concern!

You have also probably started reading websites and watching videos about how to solve these compliance issues. That has probably left you in a state of sticker shock, confusion, or maybe both. 

In this post, we hope to clear up your confusion and show you some alternatives to the high 5- or 6-digit prices you may have been quoted.

How Healthcare Websites Break HIPAA Compliance

There are four primary ways healthcare websites violate HIPAA regulations:

  1. Analytics and Tracking: Using analytics and tracking systems that send PHI and/or PII to third parties (Google Ads, Meta Ads, Google Analytics, etc.) without a BAA.
  2. Embedded YouTube Videos: When embedded on healthcare pages, YouTube sends PHI and PII to Google—with no BAA in place.
  3. Embedded Google Maps: Like YouTube, embedded Google Maps send PHI and PII to Google without a BAA.
  4. Web Forms: Forms are compliant only if they: 1) ask no healthcare questions and have no open-ended fields, or 2) transmit and store all data in a HIPAA-compliant way, with BAAs in place with every vendor that touches the data.

The Three Approaches to HIPAA Compliant Analytics

Three main approaches solve the same problem: tracking marketing performance without leaking PHI to third parties.

Approach 1: Server-Side Tracking (Done-for-You)

One tracking code routes data through a secure server that strips PHI/PII before sending it on to the marketing platforms.

Pros: Fully managed—no IT team needed. Keep your current mar-tech tools.
Cons: You must contact the vendor to add new conversion tracking.
Provider: Pilot Digital Marketing

Approach 2: Healthcare Privacy Platforms (CDP Middleware)

One tracking code automatically filters PHI with pre-built rules, then sends clean data to approved platforms.

Pros: Purpose-built for healthcare. Ongoing monitoring.
Cons: $25K-$150K/year. You are responsible for setup and ongoing management.
Providers: FreshPaint, Ours Privacy
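Both of the approaches above rest on the same mechanism: the browser tag posts the raw event to a server you control, and that server decides what the marketing platforms are allowed to see. The following is an added example of such a sanitizer in Python; it is not code from Pilot Digital, FreshPaint or Ours Privacy, and the field allowlist, the sensitive path prefixes and the sample event are constructed assumptions for illustration. It keeps only an allowlist of fields (so a newly added form field never leaks by default), collapses condition- and treatment-specific page paths to a bucket, masks numeric record ids, drops query strings and referrer search terms, and scrubs e-mail addresses and phone numbers from any free text that is kept.

```python
import re
from urllib.parse import urlsplit

# Allowlist of fields a marketing platform may receive. Anything not listed is
# dropped, so a newly added form field or header can never leak by default.
# (Constructed for this example; real rule sets are site-specific.)
ALLOWED_FIELDS = {
    "event", "event_label", "client_id", "page_url", "referrer",
    "utm_source", "utm_medium", "utm_campaign", "ts",
}

# Free-text fields that are kept but scrubbed for e-mail addresses and phone numbers.
FREE_TEXT_FIELDS = {"event_label"}

# Constructed example: path prefixes on this site whose page names reveal a
# health condition or treatment. Such pages are reported as a bucket, not a path.
SENSITIVE_PATH_PREFIXES = ("/conditions/", "/treatments/", "/appointment/", "/patient-portal/")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
NUMERIC_SEGMENT_RE = re.compile(r"^\d{4,}$")


def redact_url(url: str) -> str:
    """Reduce a page URL to scheme + host + redacted path.

    The query string and fragment are dropped entirely (they carry click ids,
    search terms and sometimes form values). Sensitive sections collapse to a
    bucket, and long numeric path segments (record or appointment ids) are masked.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    for prefix in SENSITIVE_PATH_PREFIXES:
        if path.startswith(prefix):
            path = prefix + "[redacted]"
            break
    else:
        path = "/".join("[id]" if NUMERIC_SEGMENT_RE.match(seg) else seg
                        for seg in path.split("/"))
    return f"{parts.scheme}://{parts.netloc}{path}"


def referrer_host(referrer: str) -> str:
    """Keep only the referring host; any search query in the referrer is discarded."""
    return urlsplit(referrer).netloc


def scrub_text(text: str) -> str:
    """Replace e-mail addresses and phone numbers in free text with a marker."""
    text = EMAIL_RE.sub("[redacted]", text)
    return PHONE_RE.sub("[redacted]", text)


def sanitize_event(event: dict) -> dict:
    """Return the subset of an incoming tracking event that may be forwarded."""
    clean = {}
    for key, value in event.items():
        if key not in ALLOWED_FIELDS:
            continue  # IP address, raw form fields, user agent, etc. never leave the server
        if key == "page_url":
            clean[key] = redact_url(value)
        elif key == "referrer":
            clean[key] = referrer_host(value)
        elif key in FREE_TEXT_FIELDS and isinstance(value, str):
            clean[key] = scrub_text(value)
        else:
            clean[key] = value
    return clean


def dropped_fields(event: dict) -> list:
    """List the fields the sanitizer removed, for the server's own audit log."""
    return sorted(k for k in event if k not in ALLOWED_FIELDS)


# Constructed sample event, as a browser-side tag might post it to the server.
SAMPLE_EVENT = {
    "event": "form_submit",
    "event_label": "Contact form: jane@example.com",
    "client_id": "GA1.2.12345",
    "page_url": "https://clinic.example/conditions/diabetes-care?utm_source=google&gclid=abc123",
    "referrer": "https://www.google.com/search?q=diabetes+clinic+near+me",
    "utm_source": "google",
    "utm_medium": "cpc",
    "utm_campaign": "spring-checkups",
    "ip": "203.0.113.7",
    "form_fields": {"name": "Jane Doe", "message": "Call me at 555-123-4567"},
    "ts": 1700000000,
}

if __name__ == "__main__":
    print(sanitize_event(SAMPLE_EVENT))
    print("dropped:", dropped_fields(SAMPLE_EVENT))
```

The design choice worth noting is allowlist over denylist: a denylist has to anticipate every field name a developer might add, while an allowlist fails closed. The `dropped_fields` output is what you would log server-side so that a new leak (a form suddenly posting a diagnosis field) shows up in your own monitoring rather than in a third party's database.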

Approach 3: Compliant Analytics Platforms (Replace GA4)

Switch to analytics platforms that sign BAAs and are built for HIPAA compliance.

Pros: Direct vendor relationship. No gray areas.
Cons: Doesn’t solve ad platform tracking, videos, maps, or forms.
Providers: Piwik PRO, Matomo, Mixpanel, Amplitude

Pilot Digital: A Fresh Alternative to FreshPaint

Many healthcare marketers, when doing research on how to make their websites and analytics HIPAA compliant, come across the market leader: FreshPaint. FreshPaint provides a platform that does many things, and it does them well.

FreshPaint Strengths: It signs a BAA and provides a platform for server-side tracking with automatic PHI detection and removal. It can then send that cleaned data to over 100 third-party providers, like GA4, Google Ads, Meta, TikTok, etc. It also has a platform to make embedded videos and maps compliant, as well as a form solution.

FreshPaint Limitations: FreshPaint is very expensive and does not tend to work with smaller institutions. FreshPaint is a software platform that requires implementation and management, and FreshPaint provides those services only to the large organizations that pay the most. They can set up your platform rather quickly, but it can take months for you to configure it and get it working how you need. Your marketing team will need to learn the FreshPaint platform, and it will often require your web developer’s assistance.

FreshPaint’s Cost: They don’t provide pricing on their website as all prices are customized around the institution and its needs. We have met healthcare organizations that pay between $35,000 and $150,000 per year for FreshPaint.

How Pilot Compares to FreshPaint

[Graphic: a comparison of Pilot Digital Marketing's HIPAA compliant solutions and FreshPaint. Pilot Digital does everything for you: it's like they fish for you and give you the fish. FreshPaint gives you everything you need to go fishing on your own, but you have to already know how to fish, or hire someone to teach you.]

FEATURE | PILOT DIGITAL | FRESHPAINT
Sign a BAA | Yes | Yes
Service Model | Done-for-you full compliance management partner | Self-service software platform
Service Model Fishing Analogy | Fishes for you and gives you the fish. | Gives you everything you need to go fishing on your own, but you have to already know how to fish, or hire someone to teach you.
Implementation Method | Done-for-you | DIY for most clients
Implementation | Weeks to launch | Months to launch
Tech Stack | Use your existing systems, including GA4 | Use a combination of your stack (including GA4) and their platform
Ongoing Management | Included | DIY or hire separately
Target Customer | Small to mid-size organizations | Mostly large organizations
Advertising Platform Support (Google Ads, Meta, TikTok…) | Yes | Yes
Embedded Video Solution | Yes | Yes
Embedded Maps Support | Yes | Yes
Form Compliance Support | Yes | Yes
Pricing | One-time setup of $5K – $8.5K; $570 to $800/month | No pricing listed, but we have spoken with companies that pay $35K to $150K/year

Pilot Digital: an Alternative to Ours Privacy

Ours Privacy is the company you will most often find when looking for an alternative to FreshPaint. They were built from scratch to provide HIPAA compliance solutions to healthcare organizations. (FreshPaint is adapted from technology developed for other purposes.)

Ours Privacy’s Strengths: Like FreshPaint, Ours Privacy is a Customer Data Platform (CDP) that does a great job of cleaning tracking data of PHI and PII before it is sent to third-party platforms. They integrate with over 50 third-party platforms and also with over 100 electronic health record (EHR) systems. Interestingly, they also have a CPM solution integrated into their platform. Their big advantage over FreshPaint is their support. There are not many reviews of their system as of yet (they’re new), but all that we’ve seen say their support was very strong.

Ours Privacy’s Limitations: Ours Privacy is fundamentally a software platform that customers need to learn and manage. It is very well made and easy to use, but it is still your responsibility to make sure it is set up and maintained correctly.

Ours Privacy’s Cost: They only say their pricing is competitive.

How Pilot Compares to Ours Privacy

FEATURE | PILOT DIGITAL | OURS PRIVACY
Sign a BAA | Yes | Yes
Service Model | Done-for-you full compliance management partner | Self-service software platform with support
Service Model Fishing Analogy | Still doing the fishing for you and handing over the fish | Gives you the fishing equipment and teaches you to fish, but you do the fishing
Implementation Method | Done-for-you | DIY with support
Implementation | Weeks to launch | Weeks to launch if your team does the work on time
Tech Stack | Use your existing systems, including GA4 | Use a combination of your stack (including GA4) and their platform
Ongoing Management | Included | DIY with strong support
Target Customer | Small to mid-sized organizations | Mid to large organizations
Advertising Platform Support (Google Ads, Meta, TikTok…) | Yes | Yes
Embedded Video Solution | Yes | Yes
Embedded Maps Support | Yes | Yes
Form Compliance Support | Yes | Yes
Pricing | One-time setup of $5K – $8.5K; $570 to $800/month | “Competitive pricing” according to their website

Pilot Digital: an Alternative to Piwik, Matomo, Ghost Metrics & other GA4-Replacements

It’s hard to compare Pilot, FreshPaint, and Ours Privacy with GA4 replacement systems like Piwik Pro, Matomo, and their ilk. They all do one thing: replace GA4 by giving you HIPAA compliant analytics on your website. They have developed an analytics platform (or forked an open source project) that does not share data with third parties and stores the data in compliant systems, usually in the cloud with a company they have a BAA with. However, they don’t help with solving the problems of tracking (and optimizing) Google Ads, Facebook/Instagram ads and other ad platforms.

GA4-Replacements Strengths: They sign BAAs and provide website analytics so you can optimize your website.

GA4-Replacements Limitations: They don’t help with ad platform tracking issues, and none of them solve your forms problems or your embedded video and maps problems. You can’t keep GA4 alongside them even if you want to, because that GA4 instance would still be a non-compliant copy of your data.

GA4-Replacements Cost: There is a huge range of prices, from dirt cheap to quite expensive if you’re looking for an enterprise system.

How Pilot Compares to GA4-Replacements

FEATURE | PILOT DIGITAL | GA4 REPLACEMENTS
Sign a BAA | Yes | Yes
Service Model | Done-for-you full compliance management partner | Self-service analytics-only platform
Service Model Fishing Analogy | Still fishing for you and still dutifully handing over the fish | Gives you a fishing rod, but nothing else.
Implementation Method | Done-for-you | DIY with support
Implementation | Weeks to launch | Weeks to launch
Tech Stack | Use your existing systems, including GA4 | Use their analytics platform only. No GA4
Ongoing Management | Included | DIY with strong support
Target Customer | Small to mid-sized organizations | Mid to large organizations
Advertising Platform Support (Google Ads, Meta, TikTok…) | Yes | No
Embedded Video Solution | Yes | No
Embedded Maps Support | Yes | No
Form Compliance Support | Yes | No
Pricing | One-time setup of $5K – $8.5K; $570 to $800/month | $25/month to $60,000/year

Wrapping It All Up 

There is no single solution that will make every healthcare organization completely happy. All the solutions have pros and cons, and it’s up to you and your organization to decide which makes the most sense for you. Major factors that are usually taken into account include: budget, your ability to set up and manage a system, the size of your organization, how many of the four main compliance gaps you need to address, whether you want to continue to use your existing mar-tech stack, and more.

FreshPaint is strong for enterprise-scale organizations that have big budgets and strong IT and technical analytics support. They have solutions for analytics, embedded videos and maps, as well as forms. They have an extensive list of third parties where they can send the cleaned data.

Ours Privacy is made for mid- to large-size organizations (with mid- to large-sized budgets) that are looking for a platform that they can manage. Their platform is robust and can solve all four common compliance gaps. They offer white-glove support for the platform and integrate with a large number of third parties.

GA4-replacement platforms are good for organizations that only want analytics and don’t need help with advertising on Google Ads, Facebook/Instagram Ads, or any other social media platform. It’s important to note that none of them help organizations with forms, or with embedded videos or maps.

Pilot Digital is built for small- to medium-sized organizations that don’t want to think about HIPAA compliance—they just want it done for them by a trusted partner. Pilot covers all four compliance gaps (analytics and tracking, embedded videos, embedded Google Maps, and forms) and not only solves them, but is on call for any changes or questions you have about analytics and HIPAA compliant websites.
