Does Your Website's Booking Form Put You at Legal Risk?

by Jon Lober | NOC Technology

Are you booking clients online?

If you're booking clients online, what happens to the data when they click submit? Is it secure?

If your business has a booking form on your website (and most do) there's a question worth asking: do you know what happens to the data after someone hits submit?


Not in the sense that you know it goes to Jan at the front desk. More specifically: is that form transmitting patient or client information to Google, Meta, or any other third-party analytics platform? Because if it is, and your business is in healthcare, legal, or financial services, you may have a compliance problem you haven't seen yet.


This is not a hypothetical concern. It's produced over a hundred class action lawsuits in the past three years, settlements in the millions, and a string of HHS enforcement actions. The businesses in those cases weren't doing anything unusual. Most of them had standard booking forms and standard marketing tools, the same combination that tens of thousands of small businesses run every day.


What's Actually Happening

When you install a tracking pixel from Google or Meta on your website, it follows visitors across your pages. That's the point: it helps you understand which ads are working and retarget people who visited but didn't convert.


The problem is that tracking pixels don't know the difference between a product page and a booking form. If a pixel fires on a page where someone enters their name, date of birth, insurance information, or appointment reason, that data can be transmitted to the pixel provider as part of the URL string or page interaction data.


For a dental practice, medical clinic, or behavioral health provider, that information is protected health information (PHI) under HIPAA. Transmitting it to a third-party ad network without a Business Associate Agreement, which Google and Meta don't offer for their standard advertising products, is a HIPAA violation.


The HHS Office for Civil Rights has been clear on this since a 2022 bulletin on tracking technologies. The lawsuits followed.


It's Not Just Healthcare

Attorneys have a similar exposure, though the legal framework is different.


Most state wiretapping statutes prohibit intercepting electronic communications without consent. Several plaintiff law firms have successfully argued that session replay software and tracking pixels constitute unauthorized interception when used on pages where users submit confidential information. Missouri has a one-party consent wiretapping law, which limits some of that exposure — but it doesn't eliminate it, especially for firms with clients in other states.


CPA firms and financial advisors face the FTC Safeguards Rule, which requires a formal written information security program that covers how customer financial information is collected, transmitted, and protected. A contact form connected to an analytics tool that sends that data to a third party is worth reviewing under that framework.


The common thread: the compliance problem often isn't in the database or the EHR or the document management system. It's on the public-facing website, in a piece of marketing infrastructure that nobody in the compliance conversation ever looked at.


What to Check

If you want to know whether your website has this exposure, these are the three things worth reviewing:


1. What's on your booking or contact page?

Open your form in a browser with a developer tools network tab open. Submit a test entry and watch what fires. If you see requests going to googletagmanager.com, facebook.com, doubleclick.net, or similar domains immediately after a form submission, data is leaving your site.


2. Does your privacy policy match your actual data practices?

If your privacy policy says "we don't share your data with third parties" but you're running Google Analytics on your booking page, there's a gap. That gap is where plaintiff attorneys look first.


3. Who has a BAA with you?

For healthcare: Google Analytics 4 has a HIPAA-compatible configuration and will sign a BAA under its Google Cloud agreements, but it's not automatic. Most standard implementations aren't configured for HIPAA compliance. Meta does not offer BAAs for advertising products. If your booking form is on a page with Meta pixel tracking, that's a problem worth solving.
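The network-tab check in step 1 above can be turned into a repeatable audit. The following is an added example, not code from the article or from NOC Technology: it takes the list of request URLs a page made after a test submission, keeps only those leaving the site's own domain, flags hosts that match the ad and analytics domains the article names (the TRACKER_HOSTS list is an assumption you should extend), and reports which submitted field values appear verbatim in an outgoing URL. The site host, form values and request URLs below are constructed sample data.

```javascript
// Assumed tracker domain list; the article names the first three, extend as needed.
const TRACKER_HOSTS = ["googletagmanager.com", "google-analytics.com", "facebook.com", "doubleclick.net"];

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return ""; }
}

// True when host is a tracker domain or one of its subdomains.
function isTrackerHost(host) {
  return TRACKER_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// Names of submitted fields whose values appear anywhere in the request URL
// (query string, fragment or path): this is how pixels carry form data out.
function leakedFields(url, formValues) {
  let decoded;
  try { decoded = decodeURIComponent(url).toLowerCase(); } catch { decoded = url.toLowerCase(); }
  return Object.entries(formValues)
    .filter(([, v]) => v && decoded.includes(String(v).toLowerCase()))
    .map(([k]) => k);
}

// Audit request URLs (e.g. from performance.getEntriesByType("resource") or a HAR
// export) against the site's own host and the test values that were submitted.
// Returns only third-party requests that are trackers or carry a form value.
function auditRequests(urls, siteHost, formValues) {
  return urls
    .map((url) => ({ url, host: hostOf(url) }))
    .filter(({ host }) => host && host !== siteHost && !host.endsWith("." + siteHost))
    .map((r) => ({ ...r, tracker: isTrackerHost(r.host), leakedFields: leakedFields(r.url, formValues) }))
    .filter((r) => r.tracker || r.leakedFields.length > 0);
}

// Constructed sample: a test booking entry and the requests seen after submit.
const SAMPLE_FORM = { name: "Test Patient", dob: "1980-01-01", reason: "cleaning" };
const SAMPLE_REQUESTS = [
  "https://www.example-clinic.test/api/booking",
  "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER",
  "https://www.facebook.com/tr?id=000&ev=Lead&cd[reason]=cleaning&cd[dob]=1980-01-01",
  "https://cdn.example-clinic.test/app.js",
];
const SAMPLE_FINDINGS = auditRequests(SAMPLE_REQUESTS, "example-clinic.test", SAMPLE_FORM);

for (const f of SAMPLE_FINDINGS) {
  console.log(`${f.host} tracker=${f.tracker} leaked=[${f.leakedFields.join(",")}]`);
}
```

In a browser console on the booking page, `performance.getEntriesByType("resource").map((e) => e.name)` yields the URL list to feed into auditRequests after a test submission; a HAR export from the network tab works too. Anything reported here belongs in the conversation with whoever owns the tag configuration and the privacy policy.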


What Good Data Management Looks Like

The businesses that handle this correctly typically do a few things well:


  1. They audit their website's tracking infrastructure annually, not just when someone flags a problem.
  2. They have a conversation between whoever manages their marketing tools and whoever manages their IT and compliance.
  3. Their booking or patient intake forms are either isolated from tracking pixels or explicitly configured for compliance.


The most common version of this problem we see: the marketing team added Google Tag Manager to the site two years ago, nobody in compliance was in that conversation (because it felt like a marketing decision), and the configuration has never been reviewed since. The practice isn't doing anything wrong intentionally; the gap just formed quietly over the course of time.


That's how most compliance drift starts.


What to Do Next

If you're in healthcare, legal, or financial services and you have a website with a booking or contact form, this is worth a 30-minute conversation with someone who understands both the marketing stack and the compliance requirements.


Most IT providers aren't set up to have that conversation; it falls between marketing and IT in a way that neither team typically owns. We've built our practice specifically to help businesses in the St. Louis area close that gap.


Frequently Asked Questions

Does this apply to my business if we're small?

HHS enforcement actions have hit solo practitioners and small clinics as well as large health systems. The size of the business doesn't change the rule — it may affect the fine amount, but not the obligation.

We only collect names and emails on our contact form. Is that still a problem?

In general healthcare contexts, a name plus an indication that someone is seeking a medical appointment can constitute PHI under HIPAA. The key isn't just what data you collect — it's what can be inferred from the fact that someone submitted a form to a specific provider.

Our website vendor said they're HIPAA compliant. Doesn't that cover us?

A HIPAA-compliant website hosting platform is not the same as a HIPAA-compliant website configuration. The platform may meet infrastructure standards, but if the site itself is running tracking pixels on form submission pages without proper configuration, that's a separate issue the platform doesn't control.

Can't we just add a disclaimer to the form?

Disclosure helps with consent-based arguments, but it doesn't resolve the BAA requirement for PHI transmission. A notice saying "this form is not secure" would also undermine patient or client confidence in your practice. The cleaner fix is to isolate tracking from the form submission flow.