Tracking & Third-Party Exposure (30% of score): Meta Pixel, GA4, TikTok, session replay and ad tags, flagged at much higher severity when they sit on appointment, intake, or portal pages.
Sift Health scans the public pages of your healthcare website for HIPAA-relevant risk indicators: ad trackers on appointment pages, weak transport security, risky intake forms, silent privacy policies. Then it turns them into a clear score with concrete recommendations.
Free score and top findings in about two minutes. Public pages only, passive checks only. Not a HIPAA compliance audit or legal determination.
Why this matters now
In 2022, researchers found Meta’s advertising pixel on a third of top US hospital websites, in some cases inside appointment-booking flows. Hospital systems sent breach notifications covering millions of patients. HHS OCR published guidance putting healthcare organizations on notice that tracking technologies can transmit protected health information, and (with the FTC) wrote directly to roughly 130 hospital systems and telehealth providers about the practice.
Most practices never made a decision to do this. A marketing plugin, a default analytics snippet, a retargeting tag added years ago: that’s usually the whole story. The fix is rarely hard. Knowing it’s there is the hard part.
Enforcement timeline
June 2022
The Markup reports the Meta Pixel on 33 of Newsweek's top 100 US hospital websites, including some appointment scheduling pages.
Aug–Oct 2022
Major health systems file breach notifications tied to website trackers affecting millions of patients, followed by class-action settlements.
Dec 2022
HHS OCR publishes its bulletin on online tracking technologies: regulated entities may not disclose PHI to tracking vendors without authorization or a BAA.
2023
FTC acts against telehealth and digital-health companies over ad-tracker data sharing; OCR and FTC jointly warn ~130 hospital systems and telehealth providers.
Today
Litigation and enforcement around website trackers in healthcare continues to evolve, and the trackers themselves keep getting re-added by plugins and tag managers.
How it works
We discover your public pages the way a search engine would: sitemap, robots.txt, and the paths patients actually use, from appointments and intake forms to the portal login and your privacy policy.
Each page runs through six analyzers: third-party tracker detection, TLS, security headers, form handling, privacy-policy disclosures, and passive infrastructure hygiene checks.
Findings roll up into category scores and an overall 0–100 risk score with an A–F grade, weighted so trackers on patient-facing pages matter most.
Every observation ships with a concrete recommendation: what it is, why it matters, and the exact change to make. Re-scan to confirm.
What we check
Not every gap is equal. A retargeting pixel on your intake form is a different animal than a missing header on your blog, so the score treats them differently. Weights are published, and the math is documented.
Privacy-policy disclosures: does your policy exist, mention PHI, and disclose analytics or third-party sharing? Silence on tracking is itself a risk indicator.
Form handling: intake and appointment forms with PHI-shaped fields (date of birth, symptoms, insurance ID) submitted insecurely (over plain HTTP) or to third-party domains.
TLS: certificate validity and expiry, protocol versions, hostname mismatches, and mixed content on pages patients trust with their information.
Security headers: HSTS, Content-Security-Policy, X-Frame-Options, Referrer-Policy and related headers, the browser-level guardrails that limit what leaks.
Infrastructure hygiene: passive checks for exposed .git directories, stray .env files, open upload listings, and forgotten backup archives.
Full scoring methodology, severity taxonomy, and remediation catalog in the docs.
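To make the tracker, form and header checks above concrete, here is a small passive page analyzer in the same spirit. This is an added example, not Sift Health's code: the tracker host list, the sensitive-path hints, the PHI-shaped field names, the severity labels and the sample page are all constructed for illustration, and the real tool's lists and weights live in its docs. It inspects only the HTML and response headers a normal GET already returned, and it raises tracker severity when the page path looks like an appointment, intake or portal page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Third-party script/iframe hosts treated as ad or analytics trackers.
# Illustrative subset (assumed), not the tool's list.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "analytics.tiktok.com": "TikTok Pixel",
    "static.hotjar.com": "Hotjar session replay",
}
# URL path fragments where a visitor is likely sharing health context (assumed).
SENSITIVE_PATH_HINTS = ("appointment", "intake", "portal", "schedule")
# Field names that look like PHI (assumed; real heuristics would be broader).
PHI_FIELD_HINTS = ("dob", "birth", "symptom", "insurance", "diagnosis", "ssn")
# Response headers the page calls browser-level guardrails.
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "referrer-policy")


class _Collector(HTMLParser):
    """Collects script/iframe sources and forms with their field names."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.srcs.append(a["src"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            self._form["fields"].append((a.get("name") or a.get("id") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def is_sensitive_path(url):
    """True when the URL path looks like an appointment, intake or portal page."""
    path = urlparse(url).path.lower()
    return any(hint in path for hint in SENSITIVE_PATH_HINTS)


def analyze_page(url, html, headers):
    """Return (severity, message) findings for one already-fetched page.

    Purely passive: only the returned HTML and response headers are inspected."""
    page = urlparse(url)
    sensitive = is_sensitive_path(url)
    c = _Collector()
    c.feed(html)
    findings = []

    # 1. Third-party trackers: severity rises when the page is patient-facing.
    for src in c.srcs:
        parsed = urlparse(src)      # handles https://, http:// and //host/ forms
        host = parsed.hostname      # None for same-origin relative paths
        if host in TRACKER_HOSTS:
            sev = "high" if sensitive else "medium"
            findings.append((sev, f"{TRACKER_HOSTS[host]} loaded from {host}"))
        if page.scheme == "https" and parsed.scheme == "http":
            findings.append(("medium", f"mixed content: script loaded over http from {host}"))

    # 2. Forms: PHI-shaped fields posted over plain HTTP or to another domain.
    for form in c.forms:
        phi = [f for f in form["fields"] if any(h in f for h in PHI_FIELD_HINTS)]
        if not phi:
            continue
        action = urlparse(form["action"])  # relative actions have no scheme/host
        if action.scheme == "http":
            findings.append(("high", f"form with PHI-shaped fields {phi} posts over plain http"))
        if action.hostname and action.hostname != page.hostname:
            findings.append(("high", f"form with PHI-shaped fields {phi} posts to third party {action.hostname}"))

    # 3. Security headers: report each expected guardrail that is absent.
    present = {k.lower() for k in headers}
    for name in EXPECTED_HEADERS:
        if name not in present:
            findings.append(("low", f"missing {name} header"))
    return findings


# Constructed sample: an appointment page with GA4, the Meta Pixel, and an
# intake form that posts PHI-shaped fields over http to a vendor domain.
SAMPLE_URL = "https://clinic.example/appointments/"
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script>
</head><body>
<form action="http://forms.vendor.example/submit" method="post">
  <input name="full_name"><input name="dob"><textarea name="symptoms"></textarea>
</form></body></html>"""
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "Strict-Transport-Security": "max-age=63072000"}


def demo():
    """Run the analyzer on the constructed sample and return its findings."""
    return analyze_page(SAMPLE_URL, SAMPLE_HTML, SAMPLE_HEADERS)


if __name__ == "__main__":
    for sev, msg in demo():
        print(f"[{sev}] {msg}")
```

On the sample page this yields four high findings (two trackers on a sensitive path, one form posting over plain HTTP, the same form posting to a third-party domain) and three low ones for the absent headers. The same HTML served from a blog path drops the tracker findings to medium, which is the weighting the page describes: the gap itself is unchanged, the context is what moves the severity.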
Starter
$39/month (draft pricing)
Continuous monitoring for a single practice website.
Practice
$119/month (draft pricing)
For groups and clinics with several patient-facing properties.
Agency / Consultant
$299/month (draft pricing)
Manage client portfolios under your own brand.
Draft pricing while we onboard early customers. Plans monitor risk indicators. None of them makes your site “HIPAA compliant,” and we’ll never claim otherwise.
We launched recently, and we don’t have public customer quotes or case studies yet. We’d rather show you an honest empty space than a wall of fabricated praise. On a product about trust, that seems like the bare minimum. Run the free scan, judge the report on its merits, and if it earns a place in your toolkit, maybe your words end up here.
Anything else? Ask us directly. Just don’t include any patient information.
Is this a HIPAA compliance audit?
No. Sift Health surfaces publicly observable risk indicators on your website. It cannot assess administrative or physical safeguards like workforce training, BAAs, or access controls, and it makes no compliance or legal determination. Think of it as the website slice of your risk picture, not the whole picture.
What does the free scan give me?
An overall 0–100 risk score with a letter grade, the category breakdown, and your top three findings with remediation guidance. The full findings list unlocks with an email signup; continuous monitoring is a paid plan.
Will the scan affect my live site?
No. The scan is passive and bounded: it fetches a small number of public pages (roughly what a search-engine crawler would), makes no login attempts, submits no forms, and attempts no exploitation or intrusion testing. Most sites see fewer than 20 lightweight requests.
Why do trackers on appointment and intake pages score so much higher?
Because that is the pattern regulators acted on. HHS OCR's guidance on online tracking technologies and the 2022–2023 Meta Pixel enforcement wave centered on trackers placed where visitors share health-related context: booking, intake, portal pages. Our scoring weights mirror that reality.
Do I need to prove I own the domain?
Not for a one-off scan of public pages. Recurring monitoring requires verifying the domain via a DNS TXT record or a meta tag, which confirms you're authorized to watch that site continuously.
Do you scan pages behind the patient portal login?
No, and that's deliberate. We only look at publicly accessible pages. Anything behind authentication is out of scope, by design and by policy.
Run the free scan on your practice’s website. If everything is clean, you’ll know. If it isn’t, you’ll know exactly what to fix.
Run a free scan