Case Study · Dental · Spokane, WA

From Facebook Pixel to BAA-backed:
a Spokane dental practice, rebuilt for HIPAA + MHMDA

A small independent dental office came to us with a site built and maintained by a family friend — a setup common across the specialty. The site looked fine. Underneath, it was a compliance liability waiting to happen. Here's what we found and what we rebuilt.

Practice Single-location dental
Region Spokane, WA
Regime HIPAA + MHMDA
Timeline ~6 weeks + ongoing

We never publish the names of clinics we work with — our clients came to us because their site exposed patients, and naming them would defeat the purpose of the engagement. Every identifying detail on this page is either removed or generalized. Technical and regulatory facts are accurate. Read our case-study confidentiality policy.

01 · Before

The site we inherited

Nothing about the site was unusual — which is exactly the problem. This is what a typical small healthcare website in 2025 actually looks like under the hood.

  • Meta (Facebook) Pixel on every page

    Firing on every page, including the service pages that described specific procedures, so a visit to a page about a particular procedure was reported to Meta along with the visitor's browser identifiers. That is the pattern HHS OCR called out in its December 2022 bulletin on tracking technologies, and with patient names in the URLs (see below) it is a disclosure, not a gray area.

  • Standard shared hosting, no BAA

    A commodity shared host with access to every form submission and every database row, and no Business Associate Agreement ever signed. A provider that stores or transmits ePHI is a business associate even if it never opens the data, so the hosting arrangement alone was a HIPAA gap.

  • General-purpose online booking form

    Patient name, phone, and reason-for-visit submitted through a general-purpose form service with no BAA, then delivered as unencrypted email to an ordinary inbox.

  • Maintained by a non-technical family friend

    Full CMS admin access from a personal laptop. No 2FA, no access log, no documented handoff procedure.

  • No Consumer Health Data Privacy Policy

    Only a generic template privacy page. MHMDA (RCW 19.373.020) requires a Consumer Health Data Privacy Policy that is separate and distinct from the general privacy policy and linked from the homepage; the site had none.

  • URLs leaking identifiers

    Referral-source and patient-name query parameters in page URLs. Pixels and analytics scripts report the full URL of the page they run on, so every one of those values was forwarded to Meta and the analytics vendor on each page view.

02 · Remediation

What we rebuilt (~6 weeks)

The goal wasn't a redesign. The site stayed visually the same. Every piece of infrastructure underneath it changed.

01

Hosting & infrastructure

  • Migrated to Google Cloud with a signed BAA covering every data flow
  • Forced TLS 1.3, disabled legacy cipher suites
  • Content Security Policy header added: scripts, frames and form targets restricted to an explicit allowlist, so a third-party script that is not on it fails to load even if a plugin update injects it
  • Session cookies set HttpOnly, Secure, SameSite=Strict
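Written as an added example for this page, not LoricaWeb's or the client's configuration: a small Python checker that evaluates a Content-Security-Policy the way a browser would for a given resource URL, and checks Set-Cookie attributes against the flags listed above. The policy, the origin clinic.example.com and the vendor hosts analytics.example.net and forms.example.com are assumed placeholders. It shows what the allowlist buys: the Meta Pixel loader from connect.facebook.net is blocked under script-src while the approved hosts pass, and a connect-src request to www.facebook.com is blocked by the default-src fallback even though no connect-src directive was written.

```python
"""Evaluate a Content-Security-Policy against resource URLs and check
Set-Cookie attributes. Added example; the policy, clinic.example.com and the
vendor hostnames are assumed placeholders, not the client's real vendors."""
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://clinic.example.com"  # assumed first-party origin

# Assumed policy: self-hosted scripts plus one cookieless analytics host, frames
# only from YouTube's privacy-enhanced domain, form posts only to the site or the
# BAA-covered form vendor, and no framing of the site by anyone else.
CSP = (
    "default-src 'self'; "
    "script-src 'self' https://analytics.example.net; "
    "img-src 'self' data:; "
    "frame-src https://www.youtube-nocookie.com; "
    "form-action 'self' https://forms.example.com; "
    "frame-ancestors 'none'; "
    "base-uri 'self'"
)
# Fetch directives inherit default-src when not written explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src",
                    "connect-src", "media-src", "frame-src"}
DEFAULT_PORTS = {"http": "80", "https": "443", "ws": "80", "wss": "443"}


def parse_csp(policy):
    """'a b c; d e' -> {'a': ['b', 'c'], 'd': ['e']}, directive names lowercased."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def _port(scheme, port):
    return str(port) if port else DEFAULT_PORTS.get(scheme, "")

def _host_source_allows(source, url, page_scheme):
    """Match host-sources such as https://cdn.example.com, *.example.com or
    example.com:8443. Paths are ignored: this allowlist is host-granular."""
    scheme, sep, rest = source.partition("://")
    if not sep:                                  # no scheme: inherit the page's
        scheme, rest = page_scheme, source
    host, _, port = rest.split("/", 1)[0].partition(":")
    if not (url.scheme == scheme or (scheme == "http" and url.scheme == "https")):
        return False
    target = (url.hostname or "").lower()
    host_ok = target.endswith(host[1:]) if host.startswith("*.") else target == host
    port_ok = port == "*" or _port(scheme, port) == _port(url.scheme, url.port)
    return host_ok and port_ok

def csp_allows(policy, directive, resource_url, page_origin=PAGE_ORIGIN):
    """Would a browser enforcing `policy` load `resource_url` under `directive`?
    True when no directive governs the load: a silent CSP restricts nothing."""
    directives = parse_csp(policy)
    sources = directives.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = directives.get("default-src")
    if sources is None:
        return True
    sources = [s.lower() for s in sources]
    if sources == ["'none'"]:
        return False
    url, page = urlsplit(resource_url), urlsplit(page_origin)
    same_origin = (url.scheme, (url.hostname or "").lower(), _port(url.scheme, url.port)) == \
                  (page.scheme, page.hostname, _port(page.scheme, page.port))
    for s in sources:
        if s == "'self'":
            if same_origin:
                return True
        elif s.startswith("'"):                  # nonces, hashes, 'unsafe-inline':
            continue                             # they do not apply to URL loads
        elif s.endswith(":") and "/" not in s:   # scheme-source such as data: or https:
            if url.scheme == s[:-1] or (s == "http:" and url.scheme == "https"):
                return True
        elif _host_source_allows(s, url, page.scheme):
            return True
    return False

REQUIRED_COOKIE_ATTRS = {"secure", "httponly", "samesite=strict"}

def cookie_missing_attrs(set_cookie_header):
    """Required attributes a Set-Cookie header lacks (empty set means it passes).
    SameSite=Lax counts as missing: the remediation target was Strict."""
    attrs = {a.strip().lower() for a in set_cookie_header.split(";")[1:]}
    return REQUIRED_COOKIE_ATTRS - attrs

if __name__ == "__main__":
    for directive, url in [("script-src", "https://connect.facebook.net/en_US/fbevents.js"),
                           ("script-src", "https://analytics.example.net/collect.js"),
                           ("connect-src", "https://www.facebook.com/tr"),
                           ("frame-src", "https://www.youtube.com/embed/abc")]:
        print(f"{directive:12} {url:50} {'ALLOW' if csp_allows(CSP, directive, url) else 'BLOCK'}")
    print("missing cookie attrs:", cookie_missing_attrs("session=abc123; Path=/"))
```

Path matching and nonces are left out on purpose; the review habit that matters is feeding the production header and every URL from the third-party inventory through a check like this and expecting BLOCK on anything without a BAA. Rolling the policy out first as Content-Security-Policy-Report-Only shows what a strict allowlist would break before it is enforced.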

02

Tracking & analytics

  • Meta Pixel removed entirely — no replacement that touches PHI
  • Swapped to privacy-preserving analytics (no user-identifying data, no cookies)
  • Third-party embeds audited: YouTube moved to privacy-enhanced embeds (youtube-nocookie.com), Google Maps replaced with a static, cookie-free alternative
  • Identifying query parameters stripped server-side, with 301 redirects to the clean URL so legacy inbound links are scrubbed before any script on the page can read them
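The stripping-and-redirect rule as an added example (Python, written for this page; not the client's server configuration): a WSGI middleware that runs ahead of the application, and therefore ahead of every script, pixel or embed the page would load. The allowlisted parameter names page and lang and the path /dental-implants are assumptions. Everything not on the allowlist, including patient_name, ref and Meta's fbclid, is removed and the request is answered with a 301 to the clean URL; only the names of the stripped parameters are logged, never their values.

```python
"""Strip identifying query parameters before any page script can see them,
and 301 legacy inbound links to the clean URL. Added example; the allowlisted
parameter names and the paths are assumed, not the client's configuration."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Deny by default: only these parameters survive. patient_name, ref, email,
# fbclid and anything else not listed is removed.
ALLOWED_QUERY_PARAMS = frozenset({"page", "lang"})


def clean_url(url, allowed=ALLOWED_QUERY_PARAMS):
    """Return (cleaned_url, removed_names). cleaned_url is the input unchanged
    when nothing was removed. Only parameter names are returned, so a caller
    can log what was stripped without logging the values."""
    parts = urlsplit(url)
    kept, removed = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        (kept if name in allowed else removed).append((name, value))
    if not removed:
        return url, []
    cleaned = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))
    return cleaned, [name for name, _ in removed]


class StripIdentifiersMiddleware:
    """WSGI middleware: requests carrying non-allowlisted query parameters get a
    301 to the cleaned URL before the application runs; clean requests pass
    through untouched."""

    def __init__(self, app, allowed=ALLOWED_QUERY_PARAMS, log=print):
        self.app, self.allowed, self.log = app, allowed, log

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO") or "/"
        query = environ.get("QUERY_STRING", "")
        if query:
            cleaned, removed = clean_url(f"{path}?{query}", self.allowed)
            if removed:
                self.log(f"stripped {sorted(removed)} from {path}")  # names only, never values
                start_response("301 Moved Permanently", [
                    ("Location", cleaned),
                    ("Cache-Control", "no-store"),  # no cached copy keyed on the identifying URL
                    ("Content-Length", "0"),
                ])
                return [b""]
        return self.app(environ, start_response)


def probe(path, query_string):
    """Drive the middleware with a constructed WSGI environ (no server needed)
    and return (status, Location header or None, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    def service_page(environ, start_response):  # stand-in for the real site
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html>service page</html>"]

    app = StripIdentifiersMiddleware(service_page, log=lambda msg: None)
    body = b"".join(app({"PATH_INFO": path, "QUERY_STRING": query_string}, start_response))
    return captured["status"], captured["headers"].get("Location"), body


if __name__ == "__main__":
    # Constructed legacy link of the kind described above: a name and a
    # referral source riding along with a harmless pagination parameter.
    print(probe("/dental-implants", "patient_name=Jane+Doe&ref=dr-smith&page=2"))
    print(probe("/dental-implants", "page=2"))
```

The redirect stops every script on the page from seeing the identifiers. It does not by itself stop the web server's access log from recording the original request line, so the log format needs the same treatment, and it is why the middleware logs names rather than values.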

03

Forms & PHI flow

  • Retired the old general-purpose form
  • Deployed Jotform HIPAA with a signed BAA
  • Submissions encrypted at rest, routed to a BAA-covered mailbox
  • Historical submissions exported from the unsecured mail, archived on BAA-covered storage, originals purged

04

Documentation & access

  • Client-retained legal counsel drafted the HIPAA Notice of Privacy Practices and MHMDA Consumer Health Data Privacy Policy — we integrated both into the site
  • 2FA enforced on every CMS and email account
  • Admin access revoked from personal devices; LoricaWeb handles site changes on behalf of the practice
  • Change log maintained — every production edit recorded with author and justification

03 · Ongoing

MHMDA is continuous, not a project

Washington's Consumer Health Data law isn't a one-time fix. A site can be audit-clean today and non-compliant next quarter because a new tracker shipped with a plugin update. This is what the monthly plan actually does for this client.

  • Dedicated Consumer Health Data Privacy Policy kept current as Washington AG enforcement guidance evolves
  • Separate consent flow: one consent for collection, a distinct consent for third-party sharing (RCW 19.373.030)
  • Functional data deletion request form: a Washington resident can request deletion, and we process it within the 45 days MHMDA allows (RCW 19.373.040), extendable once by a further 45 days when reasonably necessary
  • Consent audit log — every consent event timestamped and stored, retained for enforcement defense
  • Monthly review of every tracking script and third-party tool on the site — nothing ships without a BAA check
  • Policy page states that consumer health data is not sold. MHMDA allows a sale only with a separate, signed consumer authorization (RCW 19.373.050), which the practice does not collect
  • Quarterly re-audit of the site against updated HIPAA + MHMDA guidance
  • Staff protocol document for handling MHMDA consumer rights requests within the required timeline
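The monthly script review in code, as an added example that is not the page's or LoricaWeb's tooling: a Python scanner that lists every external host a page pulls in (script, iframe, img, link, form action) and also reads inline scripts for hostnames, because the Meta Pixel snippet loads fbevents.js from JavaScript and never appears as a script src attribute. The approved-host list and the sample "before" page are constructed; the Google Fonts, Google Maps and Facebook hosts in it are there to be caught.

```python
"""Monthly third-party review: list every external host a page pulls in,
including hosts named only inside inline scripts (the Meta Pixel snippet
injects its loader from JavaScript, so a scan of <script src> alone misses it).
Added example; the approved-host list and the sample page are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts allowed to appear: the site itself plus vendors with a BAA on file or
# that receive nothing identifying. Assumed list, not the client's.
APPROVED_HOSTS = {"clinic.example.com", "analytics.example.net", "www.youtube-nocookie.com"}

# Attributes that make the browser contact another origin.
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href",
             "source": "src", "video": "src", "form": "action"}
# Hostnames inside JavaScript string literals, with or without a scheme.
HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class ThirdPartyScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (where, host) for hosts outside APPROVED_HOSTS
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            host = urlsplit(attrs[attr]).hostname   # None for relative URLs
            if host:
                self._record(f"<{tag} {attr}>", host)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:     # inline JavaScript: the pixel snippet lives here
            for host in HOST_RE.findall(data):
                self._record("inline <script>", host)

    def _record(self, where, host):
        finding = (where, host.lower())
        if finding[1] not in APPROVED_HOSTS and finding not in self.findings:
            self.findings.append(finding)


def scan_html(html):
    """Return [(where, host), ...] for every non-approved host the page references."""
    scanner = ThirdPartyScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed "before" page: first-party assets, approved analytics, a
# privacy-enhanced YouTube embed, and the things the review should catch.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script src="/js/site.js"></script>
<script src="https://analytics.example.net/collect.js" defer></script>
<script>
  !function(f,b,e,v,n,t,s){t=b.createElement(e);t.src=v;s=b.getElementsByTagName(e)[0];
  s.parentNode.insertBefore(t,s)}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init','000000000000000');fbq('track','PageView');
</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"></noscript>
</head><body>
<iframe src="https://www.youtube-nocookie.com/embed/abc123"></iframe>
<iframe src="https://www.google.com/maps/embed?pb=!1m18"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for where, host in scan_html(SAMPLE_PAGE):
        print(f"{where:18} {host}")
```

Run it against the live HTML of each page, and again after every plugin update, which is where the text says new trackers arrive from. Any host it reports that is not on the BAA list is the finding; a fonts host is the usual surprise, since a stylesheet fetched from Google carries the visitor's IP address to Google with no BAA behind it. Hosts reached only through CSS (@import, url()) or through scripts loaded at runtime are outside what a static scan can see, which is why the review also keeps the CSP allowlist as the enforcement backstop.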

04 · Outcome

Where the practice stands now

BAA coverage end-to-end

Hosting, forms, analytics, email — every vendor that could touch PHI has a signed BAA on file.

MHMDA-ready workflow

Consent flow, deletion request handling, and Consumer Health Data Privacy Policy operational and maintained.

No third-party PHI leaks

Every tracking script and embed passes a monthly review. Nothing new reaches the site without a BAA check.

Owner off the hook for a stack they don't run

The practice owner stopped being the person personally accountable for a web infrastructure they never signed up to manage.

What this looks like from the patient's side: nothing changed. The site looks the same. The difference is that every form, tracker, and cookie on that page has a BAA — or doesn't exist at all.

Your practice probably looks a lot like the 'before' here.

Get a free audit and find out which of these violations are on your site right now. No commitment — just a prioritized PDF you can act on.

Request Free Audit