Your independent practice is in the class-action docket. Same data flow. Same statutes. Same architectural answer.
Plaintiff firms have settled $100M+ against this exact data flow to date — and the docket is moving down-market into independent practices. Apex Vault sanitizes outbound tracking events at the perimeter. Your Google Ads and Meta campaigns keep running. $5,000 setup, $1,000–$2,500 a month.
You're HIPAA-compliant. Your website isn't covered.
HIPAA covers your EHR, patient records, and BAA-covered vendors. It does not cover the tracking pixels on your public-facing website — but state wiretap statutes and state consumer-health-privacy laws do.
Those pixels capture every visitor — patient or not. Every service-page visit, every condition-page click, every form interaction is forwarded to Meta and Google with the visitor's IP and the URL they're on. Visitor IP plus a health-intent URL is consumer health data under state law, and none of these state laws are preempted by HIPAA.
What's broken on your website
Three patterns the plaintiff bar files against.
Tracking pixels on service pages
GA, Meta Pixel, Google Ads conversion tag — every visit to a procedure, condition, or symptom page goes to Meta and Google with the visitor's IP and URL. Plaintiff firms have a litigation pipeline built on this exact pattern.
Form submissions captured
Patient submits an appointment form. The Meta Pixel forwards the form context to Facebook. State wiretap statutes and state consumer-health-privacy laws treat this as unauthorized disclosure of patient data.
Cyber insurance renewals in 2026
Carriers condition renewals on tracking-technology controls. Questionnaires explicitly ask about pixel inventory. "No controls" either drops you or premium-shocks you.
What about Facebook Lead Ads?
The most common marketing workaround. It doesn't work — and it creates a different compliance problem.
"Switch to Facebook Lead Ads. The form lives on Facebook, data never leaves their platform, no tracking pixel on your site. Problem solved."
Facebook collects healthcare-context data on your behalf. Facebook does not sign a BAA for Lead Ads — meaning the data still leaves your compliance chain. The architectural pattern under state consumer-health-privacy laws is the same as a pixel on your own site. Same problem, different surface.
Prove it to yourself.
Free. Instant. No signup. See what your site is sending to Meta, Google, and ad platforms right now.
Opens our scan tool in a new tab. Enter your URL, see what trackers are firing, then get the full report by email.
Finally see what Meta and Google never gave you
The headline outcome isn't compliance. It's that you finally see your patients' full journey on your site.
Every step. Unsampled.
Every visitor's full path. Every page. Every action. By user. No sampling. Open any visit and see the exact page sequence — GA4 doesn't expose this.
First-party. Perpetual. Yours.
Data lives inside your perimeter. You own it. Unlimited retention. No 14-month wall like GA4. Not training data for someone else's algorithm.
Better than what Meta showed you anyway.
Meta Ads Manager shows ad performance. Not on-site behavior. You were already flying half-blind. First-party analytics is the other half — without sending patient browsing data to Facebook or Google.
What you get
The proxy plus everything around it.
Apex Vault sanitization proxy
Compliance layer between your site and every downstream destination. Strips identifying signal at the perimeter.
First-party analytics
Visibility into user behavior without forwarding it to Google (which won't sign a BAA for its ad or analytics products). Replaces GA4. Your dashboards. Your data. Inside your perimeter.
Sanitized Conversion APIs
Server-side conversion events to Meta, Google, Bing, LinkedIn. Per-event identifier, value, timestamp. Nothing matchable.
BAA + 7-day install + annual review
Standard BAA, one-click signature. Signed BAA to live infrastructure in a week. Annual third-party security review on shared infrastructure.
What stays the same
Apex Vault sits in front of your marketing stack. It doesn't replace your tools.
- Your website (no visual changes)
- Your CMS (WordPress, Squarespace, Wix, custom)
- Your appointment forms and intake forms
- Your email marketing (Mailchimp, Constant Contact, etc.)
- Your patient-reviews platform
- Your scheduling platform
- Your EHR, PMS, and clinical systems (untouched)
- Your Google Ads and Meta Ads accounts (still active)
Pricing
Setup fee covers installation + BAA execution. Monthly scales with location count. For 1–4 locations — 5+ locations route to MSO Platform tier.
Annual prepay available with discount. Cancel anytime after the first 90 days. No long-term lock-in.
Included at every tier
- Sanitization proxy installation
- Private first-party analytics
- Conversion API setup
- BAA execution
- 7-day deployment
- Quarterly security review
Not included
- Marketing strategy / campaign management
- Website redesign or rebuild
- Email-marketing platform fees
- EHR / PMS integration
- Paid media budget
- Patient acquisition consulting
Deployment
A typical 1-location install. Multi-location adds 1–2 days per additional location.
Signed BAA & site survey
BAA executed. We audit your existing site for current tracking deployments and confirm your ad accounts. No site changes yet.
Proxy + first-party analytics deployed
Sanitization proxy provisioned. Private first-party analytics instance stood up. Conversion APIs wired to Meta and Google. Test conversions verified end-to-end.
Live cutover
Tracking pixels removed from your site. Sanitized data flow goes live. Your ad accounts continue receiving conversion signal from day 7 onward.
Common questions
Will this break my Google Ads or Meta Ads?
No. Campaigns keep running. The signal Meta and Google receive changes — instead of per-user matched events, they get aggregate events to model against. Most accounts recalibrate in 2–4 weeks. You lose Lookalikes from conversion events and per-user retargeting from conversion events. You keep prospecting, Smart Bidding, Advantage+, and aggregate reporting.
Do I need to be technical?
No. We handle the install on your existing site, CMS, and hosting. No developer on staff required.
What about my EHR and patient-records?
Untouched. Apex Vault is a perimeter proxy for marketing and analytics on your public-facing website only. EHR, patient portals, clinical workflows — different data path entirely.
Can I cancel?
Yes, after the first 90 days. That window covers installation and break-even on setup work. After that, cancel any time with 30 days' notice.