A Medical Practice Audit That Knows The Difference Between SEO And HIPAA

Medical, dental, chiropractic, physical therapy, and behavioral health practice sites operate under three stacked rulebooks. First: the state medical board's advertising rules (what you can say about providers, specialties, outcomes). Second: HIPAA (which governs PHI handling and, since the HHS 2024 guidance, specifically governs website tracking technologies that touch PHI-adjacent pages). Third: the DOJ 2024 ADA Title III enforcement posture that has pulled medical practices into active accessibility-rights lawsuits.

A browser-side audit cannot fully audit any of those. HIPAA compliance requires visibility into BAA coverage, PHI handling, and security-rule implementation the tool can't see. State medical board rules vary by jurisdiction and specialty. DOJ / ADA compliance requires deeper assistive-tech testing than pattern-matching alone.

What the audit CAN do: flag the public-facing signals that show up in real medical-board advertising reviews and HHS tracking-technology enforcement actions. The Medical Practice Audit covers the signals below.

What the audit checks

  • Medical schema subtype. MedicalClinic, DentalClinic, Dentist, Physician, Hospital, Optician, VeterinaryCare. Google matches health-intent queries against the specific subtype.
  • Provider credentials visible in bios. MD, DO, DDS, DMD, DC, NP, PA-C, LCSW, PhD, DNP, OD. E-E-A-T signal specific to medical YMYL content.
  • Board certifications named with the certifying body. Generic "board certified" is weaker than "ABMS board-certified in Internal Medicine."
  • Insurance accepted list. Highest-converting signal on medical sites. "Does this practice take my plan?" is the first question every new patient asks. Sites that answer it in body text convert higher than sites that hide it behind a call.
  • Appointment booking path. Zocdoc, Doctolib, SolvHealth, Healthgrades (booking-enabled profiles), MyChart, athenahealth, Kareo, DrChrono, Vagaro / Mindbody for wellness. General Calendly / Acuity for small practices. Or a "schedule online" CTA at minimum.
  • Telehealth signal. If you offer virtual visits, surface it. Patient-search queries increasingly include "virtual" or "online" modifiers.
  • Hours in structured data. Google Maps accuracy depends on it. Emergency / after-hours policy if applicable.
  • HIPAA Notice of Privacy Practices link. Required for any covered entity. State AGs do sweep audits of NPP availability.
  • Third-party tracking pixel presence. HHS 2024 guidance specifically restricts tracking technologies from sending pages containing PHI to third parties. Meta Pixel, Google Analytics, Hotjar, or Clarity running on patient-portal pages, symptom checkers, and appointment-booking pages is actively enforceable.
  • Basic accessibility markup. DOJ 2024 ADA Title III rules + active Title III lawsuits. aria-label on interactive elements, proper heading hierarchy, form labels.
  • NAP, phone link, aggregate review schema. Standard LocalBusiness baseline.

The HHS 2024 tracking-technology concern in detail

In December 2022 and again with stronger language in early 2024, HHS OCR issued guidance that tracking technologies (Meta Pixel, Google Analytics, Hotjar, Clarity, and similar) used on pages that touch PHI are themselves a PHI disclosure to the tracking vendor. Covered entities have settled cases with 7-figure penalties for exactly this.

Safe-harbor pages (roughly):

  • Marketing landing pages with no login, no PHI.
  • About pages, provider directories, location pages.
  • General health-information content that doesn't include a specific visitor's PHI.

Unsafe pages:

  • Patient-portal login pages (the page itself leaks "this user has a portal at this provider" to the pixel vendor).
  • Symptom checkers and intake forms.
  • Appointment-booking pages that include condition-specific search.
  • Any page behind authentication.

The audit flags tracking-pixel presence on the homepage. Whether the broader site has pixels on unsafe pages is something your privacy officer needs to check manually with a site-wide crawl. The fix prompt calls this out explicitly and does NOT offer binding compliance guidance.
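A sketch of the manual site-wide check described above, as an added example (not the audit tool's own code): it scans already-crawled pages for the four named trackers and classes each hit by the safe/unsafe page types listed earlier. The URL-path hints, the `behind_auth` flag supplied by the crawler, and the sample pages are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Vendor -> substrings found in that vendor's loader URL or inline snippet.
TRACKERS = {
    "Meta Pixel": ("connect.facebook.net", "facebook.com/tr"),
    "Google Analytics": ("google-analytics.com", "googletagmanager.com/gtag/js"),
    "Hotjar": ("static.hotjar.com",),
    "Clarity": ("clarity.ms",),
}
# Assumed URL-path hints for the post's "unsafe" page types; tune per site.
UNSAFE_PATH = re.compile(r"portal|login|symptom|intake|book|appointment|schedul", re.I)

class _Sources(HTMLParser):
    """Collect script/img/iframe src values plus inline script bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            self.chunks.append(dict(attrs).get("src") or "")
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # visible page text is ignored, only script bodies count
            self.chunks.append(data)

def trackers_in(html):
    parser = _Sources()
    parser.feed(html)
    blob = "\n".join(parser.chunks)
    return sorted(v for v, sigs in TRACKERS.items() if any(s in blob for s in sigs))

def review_crawl(pages):
    """pages: (url, html, behind_auth) tuples -> [(url, vendor, page_class)]."""
    rows = []
    for url, html, behind_auth in pages:
        unsafe = behind_auth or bool(UNSAFE_PATH.search(urlparse(url).path))
        rows += [(url, v, "unsafe" if unsafe else "public") for v in trackers_in(html)]
    return rows

# Constructed sample crawl output (not real sites).
SAMPLE = [
    ("https://clinic.example/about", '<script src="https://static.hotjar.com/c/hotjar-1.js"></script>', False),
    ("https://clinic.example/patient-portal/login", "<script>load('https://connect.facebook.net/en_US/fbevents.js')</script>", False),
    ("https://clinic.example/records", '<script async src="https://www.clarity.ms/tag/x"></script>', True),
    ("https://clinic.example/symptom-checker", "<p>No third-party scripts.</p>", False),
]
```

Calling `review_crawl(SAMPLE)` returns one row per tracker per page. Static matching like this misses tags injected at runtime by a tag manager, so a clean result here does not replace inspecting the network requests of rendered pages.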

The DOJ 2024 ADA concern

In April 2024 DOJ issued a final rule requiring state and local government entities (including public hospitals and clinics) to meet WCAG 2.1 AA. Private medical practices are not directly covered by that rule but are actively targeted by ADA Title III accessibility-rights lawsuits, which have pulled hundreds of private practices into litigation in 2024-2025.

The audit flags basic accessibility markup presence. For a real accessibility audit, the [WCAG Audit](/tools/wcag-accessibility-audit/) tool goes deeper.

The fix prompt produces

  • MedicalBusiness subtype JSON-LD with realistic sample data.
  • Provider-bio block template including credential line, board certs, medical school + year, residency, fellowship, languages spoken.
  • Insurance-accepted block template.
  • NPP footer link template (does NOT draft the NPP itself; flagged as "compliance review required").
  • Google Business Profile checklist specifically for medical: service area, hours, appointment link, "accepts these insurances" attribute.
  • Review-generation approach that complies with CMS + state medical board solicitation rules.
  • Accessibility minimum-baseline recommendations.

Every compliance-sensitive section is flagged as "your compliance officer / counsel must review."

What the audit explicitly doesn't do

  • HIPAA security-rule audit (requires access to systems and BAAs the tool can't see).
  • State medical board specific-rule compliance (rules vary by state and specialty).
  • Full WCAG accessibility audit (use the WCAG-specific tool).
  • Billing or coding compliance (entirely out of scope).
  • Medical-record handling (off the wire).

When to run

Before a practice website redesign. After onboarding a new provider (to verify the bio shows up with credentials). Quarterly, to catch drift. After any significant change to insurance contracts or office hours.

Fact-check notes and sources

  • HHS Office for Civil Rights guidance on Use of Online Tracking Technologies, December 2022 + March 2024 re-issuance.
  • DOJ final rule on Title II ADA web accessibility for state/local government, April 8, 2024.
  • schema.org documentation on MedicalBusiness subtype tree.
  • CMS NPI Registry at https://npiregistry.cms.hhs.gov/ for NPI lookup cited as verification.
  • State medical board advertising rules are too jurisdiction-specific to cite comprehensively; consult your state board's rules directly.

This post is informational, not legal, medical, HIPAA-compliance, or advertising-compliance advice. This tool does NOT perform a HIPAA audit; it cannot see PHI handling, BAA coverage, or security-rule compliance. It flags public-facing signals only. Mentions of Zocdoc, Doctolib, SolvHealth, Healthgrades, MyChart, athenahealth, Kareo, DrChrono, Vagaro, Mindbody, Calendly, Acuity, and Google are nominative fair use. Always consult your compliance officer, HIPAA counsel, and state medical board before making changes to advertising, patient-facing tracking, or privacy-notice content.
