How to Use Call Tracking in Healthcare Without Violating HIPAA

Phone calls remain the single most common way new patients reach medical practices. The tools used to measure those calls are also among the most commonly misconfigured pieces of healthcare marketing infrastructure.

There is a paradox at the center of healthcare marketing measurement. Phone calls are the dominant channel for new patient inquiries in most specialties. They are also the channel most likely to be measured improperly, in ways that create HIPAA exposure the practice never explicitly approved.

Call tracking — the technology that assigns unique phone numbers to different marketing sources, records calls for quality or analytics purposes, and reports back which campaigns produced which calls — is essential infrastructure for any practice serious about marketing measurement. It is also, in many configurations, transmitting and storing identifiable patient communications in ways that fall short of what HIPAA requires.

Running call tracking without compromising compliance is possible. It just requires intention about which provider to use, how to configure the service, and what to do with the data once it is collected.

Why Call Tracking Is High-Stakes from a Compliance Perspective

Two characteristics make call tracking different from most other marketing technologies.

First, call tracking typically captures direct patient communications — not metadata about a visit, but the actual content of what the patient said. A patient calling a medical practice will routinely describe their condition, symptoms, treatment history, and concerns within the first minute of the call. That content, captured and stored, is PHI in the most unambiguous sense of the term.

Second, the data persists. A pixel transmission happens once and disappears. A recorded call sits in a vendor’s storage for as long as the retention policy allows, sometimes years, accessible to anyone with appropriate credentials. The exposure window is longer and the data set is larger.

These two characteristics mean that the vendor selection, the configuration, and the retention policy for call tracking matter more than for almost any other marketing tool.

Vendor Selection

Call tracking vendors broadly fall into three categories from a healthcare compliance perspective.

The first category is vendors purpose-built for healthcare or with explicit healthcare configurations. These vendors sign BAAs as part of their standard contracts, encrypt recordings at rest and in transit, segregate healthcare client data appropriately, and offer features like keyword redaction and configurable recording defaults that other vendors do not.

The second category is general-market vendors that will sign a BAA on request, usually as part of an enterprise tier. These vendors are functional for healthcare use but require explicit BAA negotiation and careful configuration. They sometimes treat healthcare clients as exceptions rather than as a primary customer segment, which shows up in feature gaps.

The third category is vendors that will not sign a BAA at all. These vendors should not be used by medical practices for any application that touches patient communications. The willingness to sign a BAA is a hard threshold question for this category of tool.

Practices currently using a vendor in the third category should change vendors. There is no configuration that makes a non-BAA call tracking vendor an acceptable choice for healthcare data.

Recording Configuration

Whether to record calls at all is a meaningful question and not the obvious yes most marketing setups assume.

Recording calls offers measurement and quality benefits. The recording can be reviewed for missed conversions, identified objections, intake quality, and training opportunities. Many practices find genuine value in this.

Recording calls also expands the surface area of stored PHI substantially. Every recording is a fresh disclosure record. The retention period matters. The access controls matter. The transcription processes — including any AI transcription services applied to recordings — matter.

A reasonable middle ground for many practices is to record only the marketing intake portion of the call — the portion before clinical information typically enters the conversation — and to terminate recording automatically when the call transfers to clinical staff or escalates to clinical conversation. Some healthcare-specific call tracking platforms offer this as a configurable feature.

Another approach is to disable recording entirely while retaining call metadata — duration, source, time, repeat caller flag — for marketing measurement purposes. Metadata-only call tracking is meaningfully less powerful for quality review but materially less risky from a compliance perspective.

Each practice’s right balance depends on the value the recordings provide and the risk tolerance of the leadership team. There is no universally correct answer.

Notice to Callers

Most states require that callers be notified when calls are being recorded. This is a legal requirement at the state level, separate from HIPAA, and the specifics vary by state. Some states require only one-party consent — the practice can record without explicit caller notification — while others require two-party consent, meaning the caller must be aware of and effectively consent to the recording.

Because practices in some states may take calls from patients in other states, the conservative practice is to provide notice in all cases. A simple recording announcement at the start of the call — “this call may be recorded for quality and training purposes” — handles the basic requirement in most jurisdictions.

Patients who do not want to be recorded can be given an option to continue without recording. Few choose to exercise this. Offering the option, however, addresses both the legal and ethical dimensions of the question.

Integration With Marketing Platforms

Where call tracking integrates with the rest of the marketing stack is where exposure can quietly expand. A few configurations are worth examining.

Call data flowing to Google Ads as conversion events should follow the same data minimization principles as other conversion data. Google should learn that a call happened and approximately what value it had. Google should not learn the caller’s phone number, recording content, or transcribed text.

Call data flowing to Google Analytics or similar analytics platforms should likewise be scoped carefully. Many call tracking platforms offer integrations with analytics tools that, in default configurations, transmit more data than is appropriate for healthcare use.

Integrations with the practice’s CRM are generally appropriate, provided the CRM operates under a BAA. The call data — including recordings and transcripts where applicable — can sit alongside the lead’s other interaction history within the CRM’s controlled environment.

Email notifications that include call audio attachments or recording links sent to non-BAA-covered email accounts are a quieter source of exposure. The recording was protected on the call tracking platform; the email attachment is not. Notification configurations that send transcripts or audio to free email accounts should be reconsidered.
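As an added example (not code from the article or from any call tracking vendor), the following Python models the data minimization rule for outbound integrations: ad and analytics destinations receive only an allowlisted subset of each call record, the BAA-covered CRM receives the whole record, and an audit function lists what a vendor's default integration would over-share. The field names, destination labels and the sample call record are constructed assumptions.

```python
# Added example, not code from the article or any vendor; field names,
# destinations and the sample record are constructed assumptions.
import re

# What each destination may receive. Ad and analytics platforms learn only
# that a call happened, its source, timing, length and rough value.
# The CRM, operating under a BAA, is unrestricted (None).
ALLOWED_FIELDS = {
    "ads_platform": {"call_id", "source", "started_at", "duration_seconds", "conversion_value"},
    "analytics": {"call_id", "source", "started_at", "duration_seconds", "repeat_caller"},
    "crm": None,
}
# Identifiers and call content that must never reach a non-BAA destination.
PHI_FIELDS = {"caller_number", "caller_name", "recording_url", "transcript"}
# Catches a phone number pasted into an otherwise permitted text field.
PHONE_RE = re.compile(r"(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")
# Constructed sample of what a call-tracking platform might hold for one call.
SAMPLE_CALL = {
    "call_id": "c-1001",
    "source": "google_ads_brand",
    "started_at": "2024-03-04T09:12:00Z",
    "duration_seconds": 312,
    "repeat_caller": False,
    "conversion_value": 150.0,
    "caller_number": "+1 555 010 0199",
    "recording_url": "https://calltracker.example/rec/c-1001",
    "transcript": "Hi, I have had chest pain since Tuesday and ...",
}


def audit_payload(payload: dict, destination: str) -> list[str]:
    """List policy violations in a payload bound for `destination`.
    Run it on what a vendor's default integration actually sends."""
    allowed = ALLOWED_FIELDS[destination]
    if allowed is None:
        return []
    problems = []
    for key, value in payload.items():
        if key in PHI_FIELDS or key not in allowed:
            problems.append(f"field {key!r} is not permitted for {destination}")
        elif isinstance(value, str) and PHONE_RE.search(value):
            problems.append(f"phone-number pattern in permitted field {key!r}")
    return problems


def minimize(record: dict, destination: str) -> dict:
    """Build the payload `destination` may receive; refuse to emit a leaky one."""
    allowed = ALLOWED_FIELDS[destination]
    out = dict(record) if allowed is None else {k: v for k, v in record.items() if k in allowed}
    if problems := audit_payload(out, destination):
        raise ValueError("; ".join(problems))
    return out
```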

Retention

How long recordings and transcripts are kept matters for both compliance and risk. A two-year retention policy means two years of accumulated PHI sitting in vendor storage, waiting for the next breach or subpoena. A thirty-day retention policy means thirty days.

There is a marketing argument for longer retention — longer historical data enables better long-term analysis. There is a compliance argument for shorter retention — less stored data is less surface area for problems. Most healthcare practices benefit from shorter retention than the vendor’s default, which is typically set with marketing convenience in mind, not healthcare risk management.

Defining a retention policy explicitly and configuring the vendor to enforce it automatically is a small piece of work that prevents large categories of long-term exposure.

The Practical Inventory

Practices that have not reviewed their call tracking in some time benefit from a simple inventory exercise. List the current call tracking provider. Verify the BAA is in place. Document the current recording configuration. Document the current retention policy. Identify what integrations are active and what data they transmit. Identify where call data flows outside the call tracking platform.

That inventory, like the BAA inventory and the form inventory, is a one-time exercise that produces ongoing value. It surfaces decisions that were made by default and reframes them as deliberate choices the practice can revisit.
