Michael Cooney | Mar 27, 2025
HIPAA-Compliant Call and Form Tracking

For marketers in the healthcare industry, protecting patient information isn’t just a best practice—it’s a legal requirement.

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a federal law that requires any organization that handles Protected Health Information (PHI) to comply with strict data security requirements to ensure sensitive patient data remains private and protected.

Organizations that are governed by HIPAA must ensure not only that their own data handling practices meet federal standards, but that any platforms they use to handle that data meet those same requirements as well.

That's why, for users in healthcare and healthcare-adjacent industries, WhatConverts offers a HIPAA compliance setting that applies rigorous security protocols specifically designed to protect lead data in full accordance with HIPAA's stringent privacy and security requirements.

What Makes a Platform HIPAA Compliant?

HIPAA compliance requires specific technical and administrative safeguards that protect patient data from unauthorized access, breaches, and potential misuse.

In order to qualify as HIPAA-compliant software, platforms need to offer:

  • Data encryption at rest and in transit
  • Strict access controls and user authentication protocols
  • Audit logs for all user interactions
  • Automatic session timeouts and forced re-authentication
  • Secure data storage and transmission protocols
  • Ability to restrict and monitor access to Protected Health Information (PHI)
  • Mechanisms to prevent unauthorized data sharing or distribution

Platforms must also sign a Business Associate Agreement (BAA), which is a legally binding contract between HIPAA-governed organizations and their business associates to ensure PHI remains protected.

How Does a HIPAA-Enabled WhatConverts Account Differ from a Regular Account?

HIPAA-enabled accounts within WhatConverts are equipped with additional controls that meet the federal requirements for healthcare data protection. Unlike standard accounts, HIPAA-compliant accounts include advanced security features that ensure that sensitive lead data is protected.

In a HIPAA-enabled WhatConverts account:

  • Strict authorization controls ensure only approved personnel can access Protected Health Information (PHI)
  • User action logging tracks every interaction with sensitive data
  • End-to-end encryption protects data both at rest and during transmission
  • Webhooks to unsecured URLs are disabled to prevent potential unauthorized PHI distribution
  • Detailed access logs record which user accessed what specific data and when
  • Email notifications are scrubbed of potential identifying PHI
  • Users are automatically logged out after 15 minutes of inactivity

Who Should Enable HIPAA Compliance?

HIPAA compliance is required for a wide range of healthcare and healthcare-adjacent organizations, including:

  • Medical practices and clinics
  • Hospitals and healthcare systems
  • Dental offices
  • Psychiatric and psychological practices
  • Physical therapy and rehabilitation centers
  • Chiropractic offices
  • Medical billing and coding services
  • Healthcare marketing and lead generation agencies
  • Medical software and technology providers
  • Insurance companies specializing in health coverage

Any organization that handles patient information, processes medical leads, or provides services that involve collecting or managing personal health data should ensure their tracking and analytics tools have HIPAA compliance settings enabled. This includes marketing agencies and contractors with clients in these industries.

How to Enable HIPAA Compliance in WhatConverts

To enable HIPAA compliance in your WhatConverts account, you’ll need to turn on HIPAA settings at the Profile level and execute a Business Associate Agreement (BAA) between your company and WhatConverts.

To turn on HIPAA compliance settings:

Log in to your account and navigate to the profile you want to enable. Open the Settings menu and select "HIPAA." Use the toggle to turn on the "Enable HIPAA" setting and then click "Update."

To execute a Business Associate Agreement (BAA):

Send an email to WhatConverts support with your first and last name, company name, and email address. Once your BAA has been signed, you’ll see a confirmation banner appear on the HIPAA settings page.

With HIPAA compliance enabled, you can trust that your lead data is handled according to the same security and privacy protections that ensure your entire organization remains compliant with federal law.

If you have any questions, contact support@whatconverts.com.

Michael Cooney

Michael Cooney is a co-founder of WhatConverts. Connect with him on Twitter or via email at michael.cooney@whatconverts.com.
