Compliance

HIPAA-aware by design.

Behavioral health marketing only works if it respects patient privacy. Here's how we keep your funnel compliant without slowing your growth.

This page describes our practices. It is not legal advice.

01

No PHI in marketing tools

Analytics, advertising pixels, heatmaps, and session replay tools are configured to exclude protected health information. We audit your stack to confirm nothing identifiable is leaving the funnel.

02

BAAs with every relevant vendor

Where PHI could plausibly be transmitted — CRMs, call tracking, intake platforms, hosting, email — we require executed Business Associate Agreements before integration.

03

Minimum necessary principle

We request, transmit, or store only the minimum information needed to run your campaigns and report on outcomes, and we work from aggregated, de-identified data wherever possible.

04

Access controls & auditing

Role-based access, MFA, and activity logs across every system we operate. Internal access to client systems is granted per engagement and revoked at offboarding.

05

Incident response

Documented runbooks for suspected incidents, with defined timelines for client notification and remediation. We rehearse them — we don't just file them.

06

Ongoing review

Marketing stacks drift. We re-audit pixels, tags, and integrations quarterly so a well-meaning change doesn't quietly break compliance.

Need a HIPAA audit of your marketing stack?