How to Track Rehab Admissions Calls Without Risking PHI

You can track which marketing channels drive admissions calls while protecting patient privacy. The trouble starts only when the setup fails to comply with HIPAA.

The FTC now treats patient data as off-limits for advertising. In 2023, it fined GoodRx $1.5 million for sending health data to advertisers. The case was the first under the Health Breach Notification Rule. More cases came after.

An admissions call has the same risk.

For an addiction treatment center, the risk is even bigger. The call shows that a person has a substance use disorder, the most sensitive kind of health data.

The steps below show you which campaign drove each call, while the patient details remain with you. One rule holds it together: send the marketing signal, never the patient data.

What Counts as PHI on a Call

Protected health information, or PHI, is any detail that links a person to their health. On an admissions call, that link starts the moment someone asks your center for help.

A phone number on its own is harmless. Link it to a treatment request, and it points to a patient, which HIPAA protects.

The HHS list spells out the exact data points. An email address, an IP address, and a date of birth all appear on it. The recording, the transcript, and the agent notes count as well.

Treat all of it as PHI from the first ring.

Three Laws Apply to Your Admissions Calls

Three federal rules apply to how your center tracks an admissions call. Each covers a different duty and carries its own penalty.

HIPAA protects the health data. The 42 CFR Part 2 rule guards substance use records with a higher consent bar. The FTC watches how you share data with outside platforms.

Miss one rule, and you face the same trouble as missing all three.

HIPAA and HITECH Duties

Under HIPAA, your center counts as a covered entity. That label puts the Security Rule on every call you take. The HITECH Act later raised the fines and widened the duty to your vendors.

42 CFR Part 2 for Substance Use Records

Part 2 protects records that show someone sought help for a substance use disorder. The consent bar here exceeds HIPAA alone. In 2024, HHS updated Part 2 to align it more closely with HIPAA. The tighter consent rule still holds.

The FTC Tracking Rule Change of 2024

The FTC reaches your calls under its own deception rules, apart from HIPAA. In June 2024, a court struck down part of the OCR tracking guidance. The struck part had treated an IP address combined with a health-page visit as PHI. Wiretap and state privacy lawsuits went on anyway.

Sign the Business Associate Agreement First

A BAA, or Business Associate Agreement, is a signed contract that binds a company to HIPAA rules. Any platform that touches your call data becomes a business associate, and the BAA makes those rules binding.

Sign it before you track a single call.

Encryption on its own will fail you here. It protects data while it moves, but the signature puts the company on the legal hook. CallRail, for one, signs a BAA on its Healthcare plan, while a free analytics tool signs nothing.

With no BAA, you own the violation, even when the software looks airtight.

Choose a Call Tracking Vendor That Signs a BAA

HIPAA-compliant call tracking starts with a company that signs a BAA and offers HIPAA-eligible numbers. Plenty of platforms claim to be secure, but few put the BAA in writing. Your shortlist holds only the ones that will.

Set Your Vendor Requirements

Here is what to check before you sign:

  • A signed BAA. The contract backs up every other safeguard. With none, no platform feature protects you.
  • Encryption in transit and at rest. Stored recordings contain PHI, and encryption prevents outsiders from reading them.
  • Individual logins. A shared front-desk password hides who opened a record. Named accounts pin every action to one person.
  • Limits on integrations. A good company blocks PHI from reaching an outside tool like Google Ads.

Vendors With a Healthcare Plan

Three companies back their healthcare plans with a signed BAA.

| Company | BAA | Healthcare control |
| --- | --- | --- |
| CallRail | On the Healthcare plan | 30-minute auto-logout, login-gated recordings |
| CallTrackingMetrics | On Advanced and Elite | Non-HIPAA numbers flagged with an asterisk |
| Invoca | On enterprise healthcare | PHI redaction inside conversation analytics |

Confirm the current plan name with each one before you sign.

The Security Controls That Protect Caller Data

HIPAA call tracking security comes down to the controls you enable within a healthcare plan. Buying the plan is step one; switching on the controls is what stops a leak.

Encryption scrambles a recording while it moves and while it rests, so that an outsider cannot read it. Access roles block the front desk from clinical notes. Every open and export point is linked to a named account. Audit logging leaves a record for any later breach review. An idle logout closes a screen that has been left alone for 30 minutes.

The HIPAA Security Rule lists these safeguards. Switch on all five before your first campaign goes live.

How Dynamic Number Insertion Tracks Each Call

Dynamic Number Insertion swaps the phone number on your page to match the visitor’s source. It links a call to a campaign without touching the caller’s health data.

Here is how it works.

A visitor from Google Ads sees one tracking number. A visitor from your map listing sees a different one. The tool records the source, campaign, and keyword associated with the call. None of those data points points to a medical detail. You see which channel brought the call, and the patient remains unnamed in the report.

Tracking at the channel level shows which ads bring in admissions calls. It also explains the gap to an owner who sees plenty of traffic but few calls.

Block PHI From Google and Meta Conversions

Conversion tracking measures which ads lead to a booked admission. The signal tells Google and Meta which campaign earned the call.

Here is the risk.

Google and Meta sign no BAA. That leaves any patient details you send them outside the scope of HIPAA. A pixel on a confirmation page can send the caller’s number, the page they viewed, and the treatment they asked about. Each one of those is a violation.

The FTC has been firm on the point. The agency warns that sensitive health data needs the highest level of caution.

Conversion tracking without PHI sends the result while keeping the patient’s identity out of it.

How to send a clean conversion:

  • Drop the identity first. Send the event, never the person. An offline conversion reports a booked admission with no name or number.
  • Use server-side tracking. A server-side signal sends a coded, name-free record. Google works off the result, while the patient details remain on your servers.
  • Check the pixels. An old pixel on a call or form page can leak data you thought was private.

The Monument case shows what happens when a center gets it wrong. The alcohol-addiction service promised users full privacy. Then it sent the records of up to 84,000 people to Google and Meta from 2020 to 2022. In April 2024, the FTC barred the company from sharing health data for ads. The order came with a $2.5 million penalty.

Clean conversions protect your ad reporting and close off an FTC case.

Secure Recordings and Limit Retention

HIPAA call recording rules begin with one fact: a recording holds the most PHI your center stores. The audio, transcript, and agent notes all identify the same patient.

Three controls cut the risk. Encrypt all three, lock them behind named logins, and black out the sensitive lines before you store them.

How long you store data is the next thing to fix. Data you never store can never leak, and a short window with auto-delete lowers your standing risk. The HIPAA minimum-necessary rule backs the leaner approach.

Some centers record nothing at all and hold only the campaign data.

Less on disk, less to lose in a breach.

Tell Callers About Recording and Get Consent

Call recording consent is the permission you get before a recording starts. A plain notice up front protects both the patient and your center.

Open with a short line that you record the call. A dozen states want permission from everyone on the line, which raises the bar for a nationwide center. For substance use records, Part 2 consent goes beyond a recording notice.

Get it in writing, and log the time the caller agreed.

A written yes makes a recorded call into a record you can defend.

Set Up Compliant Call Tracking in Seven Steps

A HIPAA call-tracking setup has 7 steps, from the signed BAA to the monthly check. Work them in order, because each step builds on the one before it.

  1. Sign the BAA with the company you pick.
  2. Get HIPAA-eligible tracking numbers for every campaign.
  3. Switch on encryption, named logins, and idle logout.
  4. Add Dynamic Number Insertion, then map each traffic source.
  5. Set up name-free conversions for Google Ads and Meta.
  6. Black out recordings, cap how long you store them, and auto-delete the rest.
  7. Train the front desk, then check the whole setup each month.

A monthly check protects both your tracking and your PHI. For more on the bigger picture, see rehab marketing.

Frequently Asked Questions

How do I tell if my current call tracking already leaks PHI?

Check three things. Does your tracking company hold a signed BAA? Do your tracking numbers store recordings? Does a pixel or tag fire on your call pages? A pixel that sends caller data to Google or Meta points to a leak. Start with the conversion tags, where most leaks hide.

What Is The Penalty For Sharing Patient Data With Advertisers?

Penalties come from two sides. OCR fines HIPAA violations on a sliding scale, while the FTC goes after deceptive data sharing under its own authority. One FTC case can reach into the millions and bar a company from sharing health data at all.

How Long Until I Can Track Calls Compliantly?

Days, once the paperwork moves. A BAA signs in a day or two, numbers come online the same week, and Dynamic Number Insertion goes live right after. The longer job is checking any pixel that already leaks data. Most centers reach a clean setup within two weeks.

How Much Does HIPAA-Compliant Call Tracking Cost?

Plan on a small monthly fee and a healthcare-plan add-on. Companies like CallRail and CallTrackingMetrics build HIPAA features into specific paid tiers and sign a BAA at no extra cost. The bigger cost lands on the other side, where one data-sharing case has reached into the millions.

Does My Marketing Agency Need To Sign A BAA?

Yes. An agency that touches your call data, recordings, or analytics is a business associate, which calls for a signed BAA. The chain goes further: the agency must hold BAAs with any subcontractor that sees the data. With no agency BAA, the risk lands on you.

Is Google Analytics 4 HIPAA Compliant?

Google declines to sign a BAA for Analytics, which leaves GA4 outside HIPAA. Any caller or patient data that flows into GA4 becomes a violation. Use GA4 for non-PHI traffic only, and hold admissions-call data inside a BAA-covered tool.
