Throughout our website, reports, and communications, you will see a consistent statement:
Privacy Examiner is not a law firm and does not provide legal advice or certify HIPAA compliance.
This boundary does not reflect a limitation or a lack of knowledge. It is a deliberate structural safeguard.
We are designed to protect healthcare practices by staying within our proper role — and by working alongside your legal counsel, not in place of them.
Privacy Examiner is structured to operate as a technical risk examiner.
Your legal counsel interprets the law.
We identify and explain technical exposure pathways.
Those two roles are different — and when they work together, they are stronger.
We are intentionally designed to:
Provide structured technical documentation your counsel can rely on
Translate website behavior into clear, understandable risk categories
Reduce ambiguity about what is actually present on the site
Support informed legal and governance decision-making
We do not compete with legal counsel. We equip them.
When legal interpretation is required, it should come from licensed attorneys, so that strategy discussions are protected by privilege and advice is formally grounded in law. Our documentation is built to make that legal review easier and more precise.
Our work answers questions such as:
What third-party technologies are present on the website?
What information may be transmitted when a visitor interacts with the site?
Where could exposure pathways exist?
What structural changes could reduce uncertainty?
Legal counsel answers different questions, such as:
How do these facts align with regulatory standards?
What is the organization’s legal exposure, if any?
What documentation or corrective action is legally advisable?
We operate in the technical layer. Counsel operates in the legal layer. Together, those perspectives create stronger protection.
In addition to maintaining clear legal boundaries, we apply a defined internal risk posture when evaluating healthcare websites.
Our standards are intentionally conservative. In brief, our position is that no personal information—of any kind—should be transmitted to a third party unless the practice explicitly intends that transmission as part of its chosen operating model and has appropriate agreements in place to ensure proper handling, use, and protection of that information. This includes technical identifiers and interaction data that, in a healthcare context, may reasonably be associated with patient activity.
In practical terms, this means we focus on:
Whether third-party technologies are operating on the website
Whether those technologies transmit identifiers or interaction data
Whether that transmission is intentional and governed
Whether appropriate agreements and safeguards are in place
These standards are operational and protective; they are not legal determinations. They are designed to reduce avoidable uncertainty and strengthen patient trust.
Counsel may ultimately advise a practice on legal interpretation. Our role is to ensure the technical facts are clearly documented before that advice is rendered.
Healthcare professionals routinely distinguish between what is minimally acceptable and what is most protective for a patient.
In certain situations, a mask may reduce risk. It is a reasonable baseline precaution. Yet a clinician may still advise avoiding exposure altogether when the downside of infection outweighs the inconvenience of additional protection.
Both approaches reduce risk. They reflect different safety margins.
Regulatory frameworks define baseline thresholds. Our standards operate more like the clinician who prefers eliminating avoidable exposure entirely when that option exists.
Where a configuration can transmit personal information to a third party — even if that transmission might be technically permissible in some contexts — we ask a direct question:
If the exposure is avoidable, why accept it at all?
That is the difference in posture.
We do not assume harm. We do not declare violations. We apply a wider safety margin when uncertainty exists — because preventing exposure is almost always simpler, less disruptive, and more defensible than explaining it later.
Certain website technologies discussed in our standards are addressed in guidance published by the U.S. Department of Health and Human Services Office for Civil Rights (OCR), particularly guidance concerning online tracking technologies and potential disclosures of protected health information.
For general awareness, OCR has issued guidance titled:
Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (December 2022, updated 2024)
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
This guidance discusses how identifiers such as IP address, device information, and browsing behavior may become protected health information in healthcare contexts and may require appropriate safeguards and contractual controls.
Privacy Examiner references this and related regulatory materials for contextual understanding only.
Our standards are operational and intentionally conservative. Regulatory guidance does not define or limit the standards applied in our assessments, and our classifications do not represent regulatory determinations by HHS, OCR, or any other authority.
Website privacy risk is rarely a simple yes-or-no issue.
Whether a situation constitutes a legal violation can depend on factors that are not visible during an external website review, including:
Internal policies
Contractual agreements
Vendor relationships
Safeguards not visible publicly
Corrective action history
Because an external review cannot see all of these internal factors, it would be inappropriate and potentially misleading for us to declare that a practice is "in violation" or "fully compliant."
Instead, we classify risk under our internal standards and explain the reasoning clearly so that leadership and legal counsel can evaluate next steps appropriately.
While we do not provide legal advice, we do provide:
Clear identification of website technologies and configurations
Structured risk classifications under our internal standards
Plain-language explanations of how exposure pathways work
Practical remediation options and tradeoffs
Ongoing monitoring to prevent silent reintroduction of risk
Our goal is to make website privacy risk visible, understandable, and manageable.
When needed, our findings can be shared directly with your attorneys or compliance advisors so that legal analysis rests on accurate technical information.
Maintaining a strict boundary between technical risk detection and legal advice protects your organization in several ways:
It preserves attorney-client privilege when legal advice is required
It prevents false certainty from incomplete facts
It strengthens governance by keeping professional roles clear
It ensures that remediation decisions are grounded in both technical and legal review
Clear roles create stronger protection.
For clarity, we use the following language consistently:
Privacy Examiner is not a law firm and does not provide legal advice, compliance certification, or regulatory guarantees. Findings and classifications reflect our internal risk posture standards and are based on externally observable technical indicators. They do not represent a regulatory determination by HHS, OCR, or any other authority.
This statement reflects professional discipline and structured governance — not distance or hesitation.
Privacy Examiner protects healthcare practices by staying within our proper role.
We identify risk.
We explain how it works.
We recommend operational improvements.
We support your legal counsel with structured technical clarity.
Clear boundaries, combined with collaborative review, create stronger protection for your practice and your patients.