HIPAA tracking technologies
Built for healthcare, not retrofitted.
A generic banner treats your patient portal like a blog. ConsentStack is built for the tracking-technologies picture healthcare actually lives in. The third-party tags that touch health data are recognized and gated by default, and patient-facing pages can run a stricter policy than your marketing site.
The tags regulators named
Meta Pixel, Google, TikTok, and the rest of the known-tracker library are recognized out of the box. The exact tags in the named enforcement actions, gated before they touch a patient.
Stricter where it counts
Run a tighter policy on patient portals and intake forms than on your public marketing pages. Each site carries its own config, so the high-risk surfaces lock down on their own terms.
No retrofitting
Not a generic cookie banner relabeled "healthcare" on the pricing page. The defaults assume third-party tags are the risk, not an afterthought.
Business Associate Agreement
A BAA without the enterprise tier.
Most platforms only sign a BAA once you move to the enterprise tier and through a sales cycle. ConsentStack puts it on the Business plan and issues it on request. It covers ConsentStack as your business associate for the consent layer across every property. You still hold the BAAs for your other vendors.
Issued on request
Request the BAA on the Business plan and we issue it. No enterprise contract to negotiate, no procurement cycle to wait out.
On the Business plan
The BAA comes with the Business plan at a published price, not a custom enterprise quote. What requires an enterprise contract elsewhere is a plan you simply pick here.
Honest scope
It covers the consent layer ConsentStack operates for you. Your analytics, CRM, and other vendors still need their own BAAs. We are clear about where our coverage ends.
Blocking that blocks
When a patient declines, nothing leaks.
Decline, and the third-party request never leaves the browser. Blocked, not recorded as a preference and hoped honored later. That gap is the failure mode in every named action: Meta Pixel, Google, and TikTok fired anyway. ConsentStack gates them client-side. Open the network tab and see for yourself.
Blocked, not recorded
The request never fires. You are not trusting a downstream platform to honor a flag after the data already left. The decision is enforced at the source.
Nothing before consent
Third-party tags stay gated until consent exists, so nothing leaks in the window before a patient has decided anything. No silent first-load disclosure.
Verify it yourself
No need to take our word for it. Decline, open the network tab, and the calls to the ad platforms are simply not there. The proof is in the browser.
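The gate described above, as an added example that is not ConsentStack's own code: third-party loaders are registered per category, every category is denied until a recorded decision grants it, and the patient-portal policy is stricter than the marketing one. The tag ids, placeholder URLs and site names are constructed for the illustration. The only side effect is the `inject` callback, so the same logic runs in a browser (appending a script element) or offline with a recording stub.

```javascript
// Added example, not ConsentStack's code: a minimal client-side tag gate.
// Nothing is injected until a consent decision grants the category, so the
// first page load discloses nothing. Tag URLs are placeholders, not real endpoints.

const TAGS = {
  // category -> third-party tags that category controls (constructed sample)
  advertising: [
    { id: 'meta-pixel', src: 'https://example.invalid/meta-pixel.js' },
    { id: 'tiktok-pixel', src: 'https://example.invalid/tiktok.js' },
  ],
  analytics: [
    { id: 'google-analytics', src: 'https://example.invalid/gtag.js' },
  ],
};

// Per-site policy: which categories may ever load. The patient portal runs a
// stricter policy than the marketing site; a category absent here cannot be
// granted at all, whatever the visitor clicks.
const POLICIES = {
  marketing: { allowedCategories: ['advertising', 'analytics'] },
  'patient-portal': { allowedCategories: ['analytics'] },
};

function createTagGate({ site, inject }) {
  const policy = POLICIES[site];
  if (!policy) throw new Error(`no policy for site ${site}`);
  const consent = new Map(); // category -> 'granted' | 'declined'
  const loaded = new Set();  // tag ids already injected

  function flush() {
    for (const category of policy.allowedCategories) {
      if (consent.get(category) !== 'granted') continue; // default deny
      for (const tag of TAGS[category]) {
        if (loaded.has(tag.id)) continue;
        loaded.add(tag.id);
        inject(tag); // the only point where a third-party request can originate
      }
    }
  }

  return {
    decide(category, decision) {
      if (decision !== 'granted' && decision !== 'declined') {
        throw new Error(`bad decision ${decision}`);
      }
      // Site policy overrides the visitor: a forbidden category stays declined.
      const effective = policy.allowedCategories.includes(category) ? decision : 'declined';
      consent.set(category, effective);
      // Note: a later 'declined' stops further loads but cannot recall a script
      // already injected; that is why default deny before any decision matters.
      flush();
    },
    loadedTags: () => [...loaded],
  };
}

// Browser injector: appends a <script>. Only called where a DOM exists.
function domInject(tag) {
  const s = document.createElement('script');
  s.async = true;
  s.src = tag.src;
  s.dataset.tagId = tag.id;
  document.head.appendChild(s);
}

// Offline walkthrough with a recording stub in place of the DOM; returns the
// tag ids that would have been injected for the given sequence of decisions.
function demo(site, decisions) {
  const injected = [];
  const gate = createTagGate({ site, inject: (t) => injected.push(t.id) });
  for (const [category, decision] of decisions) gate.decide(category, decision);
  return injected;
}
```

The gate only governs scripts it injects itself: a pixel hard-coded in the page template, or loaded by another script, bypasses it, which is what the network-tab check above is for. A revoked consent stops future loads but cannot unsend a request that already left, so the useful property is that nothing is injected before a grant exists.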
Audit-ready records
Ready the day OCR asks.
Every consent event is logged with timestamp, jurisdiction, decision, and notice version. Threaded with the gate, so the record defends a no-disclosure position, not just that someone clicked agree. When an inquiry lands, the records are already there.
Tamper-resistant by design
Every record is anchored at write time. No silent edits, no after-the-fact rewrites. What was recorded is what an investigator sees.
Full context per event
Each event carries the resolved rule, jurisdiction, decision, and notice version active at the time. Reconstruct any visitor's exact experience months later.
Export when they ask
When the inquiry comes in, export every record as CSV or JSON. Filter by date or rule, formatted to hand to counsel or a regulator. Then get back to work.
“Hidden trackers and non-compliant tools have already cost healthcare companies over $100M in lawsuits.”
Ours Privacy, oursprivacy.com. Healthcare consent vendor, cited as field admission.
Common questions
No, and any vendor that says otherwise is overselling. HIPAA compliance is a program: BAA chains, Security Rule safeguards, breach response, training, and risk analysis. ConsentStack handles one layer well: which third-party tags load on which page, gated on consent. It signs a BAA for that layer and produces the audit records to prove what happened. The rest of your HIPAA program stays yours.
Yes. The BAA is available on the Business plan and issued on request. It covers ConsentStack as your business associate for the consent-management layer we operate for you. Your analytics, CRM, email, and other vendors still need their own BAAs. We are deliberately clear about where our coverage ends.
Yes. ConsentStack gates third-party tags client-side, so when a visitor declines, the request to Meta, Google, TikTok, and the rest never leaves the browser. It is blocked, not recorded as a preference and hoped honored downstream. You can confirm it in your browser's network tab. This is client-side gating; server-to-server calls from your own backend are outside what any consent banner controls.
ConsentStack is built for digital health and telehealth teams that want third-party tags to actually stop on decline, a BAA without the enterprise tier, and audit records ready for an inquiry. Ketch and Osano are capable platforms that lean toward larger, procurement-led buyers. For a team shipping without a dedicated privacy department, ConsentStack is the cleaner fit. See ConsentStack vs Ketch and ConsentStack vs Osano for details.
Pricing is by unique monthly visitors and number of sites, not by domain or scanned page. Plans start free, with Pro at $29/mo and Business at $79/mo. The BAA is available on the Business plan, issued on request. Tiers are transparent and upgrade on the next billing cycle without breaking your banner. No surprise renewal increases, and no enterprise contract to get a BAA.
Yes. The gate and the audit records work the same whether or not you fall under HIPAA. If you handle consumer health data, the same primitive applies: third-party tags should not fire when someone declines, and you should be able to prove they did not. The BAA is the piece specific to HIPAA-covered entities; everything else is for you too.
100+ happy customers
Ship the gate. Get the BAA.
Block the pixels that get healthcare companies named, prove it with audit logs, and get the BAA without the enterprise tier.