SOC 2 Isn't HIPAA—And Neither Stops Your Contact Form Leaking to Meta
We see it every month: a practice admin forwarding us their EHR vendor's SOC 2 Type II report, thinking it checks the HIPAA box. Or a clinic owner who just paid a consultant $8,000 for a HIPAA risk assessment, then discovers their "Book Appointment" button has been feeding patient data to Meta for two years.
Neither scenario is rare. Both are expensive to fix after the fact.
Let's clear up three things that sound related but solve completely different problems: SOC 2 reports, HIPAA compliance evaluations, and tracker exposure. Having one doesn't fix the other two. And the most dangerous assumption is thinking your compliance paperwork protects you from the tracking pixels already running on your site.
What SOC 2 Actually Tells You
A SOC 2 report is an audit of a service provider's internal controls—things like how they manage access to servers, whether they encrypt data at rest, and if they log security events. It's a vendor proving their house is in order.
When your EHR company hands you a SOC 2 Type II report, they're showing you they've been audited against the AICPA's Trust Services Criteria. That's valuable. It means they take security seriously inside their four walls.
But here's what it doesn't cover: your environment. Your network. Your staff laptops. Your website. Your contact forms. Your Google Analytics setup. Your chatbot.
SOC 2 is about the vendor's castle. HIPAA compliance is about how you use that castle and everything around it. They're not interchangeable, and one doesn't substitute for the other.
HIPAA Evaluations Miss What They're Not Looking For
A solid HIPAA Security Rule assessment will walk through administrative, physical, and technical safeguards. It'll document your policies, check your encryption, review your BAAs, and build you a risk register.
That's all necessary. But most HIPAA consultants aren't pentesters. They're policy people. They won't open Chrome DevTools, inspect your website's network traffic, and spot the Meta Pixel firing every time someone clicks "Schedule Appointment" or fills out your intake form.
And that gap has gotten expensive.
Novant Health paid OCR $6.6 million in 2024 after tracking pixels on patient portals and appointment scheduling pages sent data to Meta and Google. Banner Health, University of Chicago Medicine, and Inova Health followed with their own settlements through early 2025—same issue, same pattern.
These weren't practices that ignored compliance. They had policies. They had BAAs with their major vendors. What they didn't catch was the marketing tech layer quietly siphoning ePHI in the background.
The Tracker Problem Lives Outside Your Compliance Docs
Here's the thing about tracking pixels, analytics scripts, and third-party chatbots: they're invisible to a standard HIPAA documentation review. They're embedded in your website code, often added by a well-meaning marketing agency or baked into a website template.
You can pass a HIPAA audit on paper and still have a dozen active data leaks running 24/7.
That's why we built the TLS tracker scan—it's a technical sweep, not a policy review. It catches what compliance checklists miss: the actual HTTP requests leaving your site, where they're going, and what data they're carrying.
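To make concrete what the DevTools inspection above and this kind of request sweep actually look for, here is an added example (written for this article, not the TLS scan's own code) that audits a constructed, HAR-style list of captured requests, flags calls to a short assumed list of tracker hosts, and reports which identifying fields or page locations they carry. The site host, tracker list and sample entries are all assumptions for illustration.

```javascript
// Constructed sample of captured requests (HAR-style entries), not real traffic.
// Assumed scenario: a clinic site whose intake form and "Schedule Appointment"
// button fire third-party beacons alongside the legitimate first-party POST.
const SITE_HOST = "clinic.example";

const harEntries = [
  { url: "https://clinic.example/api/appointments", method: "POST",
    postData: "name=Jane+Doe&email=jane%40example.org&reason=knee+pain" },
  { url: "https://www.facebook.com/tr?id=123&ev=Schedule&dl=https%3A%2F%2Fclinic.example%2Fbook%3Fdept%3Doncology&cd[email]=jane%40example.org",
    method: "GET", postData: null },
  { url: "https://www.google-analytics.com/g/collect?v=2&en=page_view&dl=https%3A%2F%2Fclinic.example%2Fpatients%2Fintake",
    method: "POST", postData: "" },
  { url: "https://cdn.example-fonts.net/inter.woff2", method: "GET", postData: null },
];

// Assumed short list of tracker hosts; a real audit would use a maintained list.
const TRACKER_HOSTS = ["facebook.com", "google-analytics.com", "doubleclick.net"];
// Parameter names that commonly carry identifying data (Meta custom data uses cd[...]).
const SENSITIVE_KEYS = /^(email|phone|name|dob|reason|cd\[.*\])$/i;
// Page paths that reveal a health context when sent as the "document location".
const SENSITIVE_PATH = /(appointment|intake|patient|book|portal)/i;

function isTracker(hostname) {
  return TRACKER_HOSTS.some(h => hostname === h || hostname.endsWith("." + h));
}

// Walk every captured request: skip first-party and non-tracker calls,
// then list what each tracker request carries (query string plus POST body).
function auditRequests(entries, siteHost = SITE_HOST) {
  const findings = [];
  for (const e of entries) {
    const u = new URL(e.url);
    if (u.hostname === siteHost || !isTracker(u.hostname)) continue;
    const params = new URLSearchParams(u.search);
    if (e.postData) for (const [k, v] of new URLSearchParams(e.postData)) params.append(k, v);
    const leaked = [];
    for (const [k, v] of params) {
      if (SENSITIVE_KEYS.test(k)) leaked.push(`${k}=${v}`);
      // "dl" is the page that fired the beacon, e.g. a booking or intake URL
      else if (k === "dl" && SENSITIVE_PATH.test(v)) leaked.push(`page=${v}`);
    }
    findings.push({ host: u.hostname, event: params.get("ev") || params.get("en") || null, leaked });
  }
  return findings;
}

console.log(JSON.stringify(auditRequests(harEntries), null, 2));
```

Exporting a HAR from the DevTools Network tab while clicking through the booking flow gives real input for the same check.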
Our $97 Tracking-Tech Audit runs that scan, maps your exposure, and gives you a prioritized remediation list. It's not a substitute for HIPAA compliance work—it's the other half of the picture.
What Actually Covers All Three
The TLS HIPAA Bundle ($3,500) is designed to close all these gaps in one engagement.
You get a full HIPAA Security Rule risk assessment—the policies, the documentation, the safeguard review. But you also get the technical layer: network pentesting, website tracker analysis, and endpoint exposure checks. It's compliance and security testing in a single deliverable, performed by people who actually break into systems for a living.
We're not checking boxes to satisfy an auditor. We're finding the holes before someone else does.
And if your EHR vendor has a SOC 2 report? Great—that tells us they're handling their side. We'll focus on yours.
The Bottom Line
SOC 2 proves your vendor has controls. HIPAA proves you have policies. Neither proves your website isn't leaking protected health information to ad networks right now.
You need all three perspectives. The good news is you don't need three separate engagements to get them.
If you're not sure where your gaps are, start with a conversation. Talk to LIA Coach—our AI-assisted compliance advisor—and get a clearer picture of what you actually need. Whether it's a targeted tracker audit from the TLS shop or the full HIPAA bundle, we'll help you figure out the right next step.
Because the goal isn't just compliance. It's making sure the thing you built to help patients doesn't become the thing that costs you $6.6 million.
Ready to close the gaps? Talk to LIA and let's figure out what your practice actually needs—no upsell, no scare tactics, just straight answers.