SOC 2 Isn't HIPAA (And Neither Stops Meta From Reading Your Forms)
Let's clear up three things that keep medical and dental practices awake at night—or should.
You signed a BAA with your EHR vendor. They sent you their SOC 2 Type II report, all 60 pages of controlled-access glory. Maybe you even paid a consultant to run through your HIPAA Security Rule checklist. Everything's covered, right?
Not if your "Schedule Appointment" button is quietly shipping form data to Meta, Google, or TikTok every time a patient types their name and chief complaint.
This isn't theory. It's the exact issue that cost Novant Health $6.6 million in 2024 when OCR discovered tracking pixels on patient appointment pages. Banner Health, University of Chicago Medicine, and Inova Health followed with their own settlements through early 2025—same pattern, same exposure.
What SOC 2 Actually Tells You
SOC 2 reports are built for service organizations. They evaluate controls around security, availability, processing integrity, confidentiality, and privacy—but only for the specific systems and processes the vendor chose to include in scope.
When your practice management software vendor hands you their SOC 2, they're saying: "An auditor verified that we follow our own documented controls for the infrastructure we described."
That's useful. It means they're not cowboys. But it doesn't tell you:
- Whether your configuration is secure
- What happens to data once it leaves their platform
- Whether your website or patient portal has third-party trackers
- If your staff are trained on minimum necessary disclosure
SOC 2 is a vendor trust signal. It is not a substitute for your own compliance work.
What HIPAA Compliance Really Means
HIPAA is a regulatory framework, not a certification. There's no such thing as "HIPAA certified," and any consultant who promises it is selling fog.
What you actually need is a documented risk analysis under the Security Rule (§164.308(a)(1)(ii)(A)), implementation of reasonable safeguards, and ongoing monitoring. That's the floor—and it's your responsibility as a covered entity, regardless of what your vendors do.
Here's where practices stumble: they assume that because their EHR vendor is compliant and they've signed BAAs across the stack, they're covered. But HIPAA applies to all electronic protected health information (ePHI) you create, receive, maintain, or transmit—including the contact form on your marketing website.
And if that form has a Meta Pixel, Google Analytics with default settings, or a TikTok tracker? You're transmitting ePHI to a business associate without a BAA. That's a direct violation, and one OCR is actively pursuing.
The Layer That Nobody Audits
The real exposure isn't in your EHR. It's in the invisible layer most practices don't think about: client-side tracking technology.
When someone fills out your "Request Appointment" or "New Patient" form, and you've got tracking scripts running, those tools often capture:
- Form field contents (names, email, phone, reason for visit)
- Button clicks and page paths
- Session replay data
- IP address and device fingerprints
All of that is ePHI the moment it's connected to a patient. And most tracking pixels send it in near real-time to ad platforms that have no BAA with you—and never will.
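To make the exposure concrete, here is an added example (not the page's own scanning tool) that does the check a practice could run offline against its own saved page source: it parses the HTML, flags scripts served from a constructed watch list of ad-platform hosts or initialised inline with the usual `fbq(` / `gtag(` / `ttq.` calls, lists the form fields on the same page, and rates the combination. The sample page, the watch list and the field names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed watch list of hosts that ad/analytics tags load from;
# extend it with whatever your own scan turns up.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
    "analytics.tiktok.com": "TikTok Pixel",
}
# Inline initialisation calls those tags typically leave in the page.
INLINE_SIGNATURES = {"fbq(": "Meta Pixel", "gtag(": "Google tag", "ttq.": "TikTok Pixel"}

class _Scanner(HTMLParser):
    """Collects external script URLs, inline script bodies and form field names."""
    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline, self.form_fields = [], [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag in ("input", "textarea", "select") and a.get("name"):
            self.form_fields.append(a["name"])
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def scan_page(html):
    """Return (sorted tracker names found, form field names) for one HTML document."""
    s = _Scanner()
    s.feed(html)
    found = set()
    for src in s.script_srcs:  # protocol-relative "//host/x" is handled too
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        if host in TRACKER_HOSTS:
            found.add(TRACKER_HOSTS[host])
    for code in s.inline:
        found.update(name for sig, name in INLINE_SIGNATURES.items() if sig in code)
    return sorted(found), s.form_fields

def report(html):
    """Trackers plus a form that takes patient details is the pattern OCR has fined."""
    trackers, fields = scan_page(html)
    risk = "HIGH" if trackers and fields else ("review" if trackers else "none")
    return {"trackers": trackers, "form_fields": fields, "risk": risk}

# Constructed appointment page: GA4 loader, a Meta Pixel init, and an intake form.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag('js',new Date());</script>
<script>fbq('init','000000000');fbq('track','PageView');</script>
</head><body><form action="/request-appointment" method="post">
<input name="full_name"><input name="phone"><textarea name="reason_for_visit"></textarea>
</form></body></html>"""
```

Run `report(SAMPLE_PAGE)` on the constructed page and it comes back `HIGH`: two ad platforms are loaded on the same page as name, phone and reason-for-visit fields.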
This is exactly what our free scanning tool detects in under 60 seconds. You'd be surprised how many practices discover they're running four or five trackers they didn't even know were installed.
Why the Fixes Don't Overlap
Getting your vendor's SOC 2 doesn't fix your website. Completing a HIPAA Security Rule checklist doesn't remove third-party trackers. And removing trackers doesn't mean your policies, training, or incident response plan are documented.
These are separate layers—and all three matter.
The good news: you don't need to become a security engineer to handle this. You need a clear-eyed evaluation of where your practice actually has exposure, and a prioritized plan to close the gaps that put you at regulatory and financial risk.
That's what Tough Love Security's HIPAA bundle does. For $3,500, you get:
- Full risk analysis aligned to the Security Rule
- Tracking technology audit across your web properties
- Written policies and procedures templates
- Remediation roadmap with technical implementation support
- Documented evidence package you can show OCR if you ever need to
It's not a rubber stamp. It's the actual work, done right, so you can focus on patient care instead of wondering if your contact form is a ticking liability.
What to Do This Week
If you've been relying on your vendors' compliance to cover your own, it's time to separate the layers:
- Run a free scan at /scan to see what's actually running on your site
- Review which forms collect patient information and what happens to that data
- Confirm you have BAAs in place for every vendor that touches ePHI
- Document your current safeguards and gaps
And if you want a second set of eyes from someone who's done this across hundreds of healthcare practices, talk to LIA. She'll walk you through what's urgent, what's next, and what you can safely defer. No sales pressure. No fear tactics. Just a clear road forward.
Because compliance isn't about passing audits. It's about protecting the people who trust you with their care—and making sure your practice is still standing when the next OCR enforcement wave hits.
Ready for an honest assessment? Talk to LIA Coach—our AI assistant trained on healthcare security and compliance. She'll help you figure out where you stand and what to tackle first. Available 24/7, starting at $79/month for solo practices.