Methodology
How HIPAA Watcher works
Every report is built from a passive scan of a public web page. This page explains exactly what that means, what we publish, and how to get a report corrected or removed.
The scan is passive
We fetch the public page the same way any web browser does — a single HTTP request — and read the HTML and response headers the server returns. We do not log in, submit forms, probe for vulnerabilities, or send any attack traffic. Everything we report can be reproduced by anyone loading the same page.
We publish observations, not conclusions
A report states what we observed and the date we observed it — for example, that a page loaded a particular tracking script, or embedded a third-party form, or was served without encryption. We describe what loaded, not what was sent: we can see that a tracker is present; we do not claim to see any specific data leaving.
We do not publish legal conclusions. Whether any observation amounts to a HIPAA violation is a determination only the U.S. Department of Health and Human Services Office for Civil Rights can make. See OCR's guidance on online tracking technologies and the official HHS breach portal for adjudicated cases.
What we look at
- Trackers — known advertising, analytics, and session-replay scripts.
- Form & scheduler embeds — third-party forms and booking widgets.
- Transmission — whether the page is served over TLS (HTTPS).
- Platform — the CMS or website builder, shown for context. A platform alone never flags a site.
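The passive fetch and the four checks listed above can be illustrated with a small offline script. This is an added example, not HIPAA Watcher's own scanner: it parses one constructed HTML response with Python's standard library, matches script and iframe hosts against an illustrative tracker and embed table (an assumption, not the service's signature list), records whether the page URL uses HTTPS, and reads the platform from the meta generator tag (or the X-Powered-By header) for context only, so a platform by itself never sets the flag. The function and table names are the example's own.

```python
"""Passive page check: parse an already-fetched HTML response and report what loaded.

Nothing here touches the network. A real run would pass in the body and
headers of a single GET of the public page; the sample below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative signature tables (assumption: not the service's own list).
# Suffix matching: "cdn.calendly.com" matches "calendly.com".
TRACKER_DOMAINS = {
    "google-analytics.com": "analytics",
    "googletagmanager.com": "analytics",
    "connect.facebook.net": "advertising",
    "hotjar.com": "session-replay",
}
EMBED_DOMAINS = {
    "calendly.com": "scheduler",
    "docs.google.com": "form",
}


class _ResourceCollector(HTMLParser):
    """Collect external script sources, iframe sources and the generator tag."""

    def __init__(self):
        super().__init__()
        self.scripts, self.frames, self.generator = [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "iframe" and a.get("src"):
            self.frames.append(a["src"])
        elif tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content") or None


def _host(url, page_url):
    """Host a resource URL resolves to; relative paths are first-party."""
    netloc = urlparse(url).netloc  # handles absolute and protocol-relative URLs
    return (netloc or urlparse(page_url).netloc).lower()


def _match(host, table):
    """Return the category for host if it equals or is a subdomain of a table entry."""
    for domain, kind in table.items():
        if host == domain or host.endswith("." + domain):
            return kind
    return None


def passive_report(page_url, html, headers, observed_on):
    """Build an observation record: what loaded, not what was sent."""
    collector = _ResourceCollector()
    collector.feed(html)
    hdrs = {k.lower(): v for k, v in headers.items()}

    trackers = []
    for src in collector.scripts:
        host = _host(src, page_url)
        kind = _match(host, TRACKER_DOMAINS)
        if kind:
            trackers.append((host, kind))

    embeds = []
    for src in collector.frames:
        host = _host(src, page_url)
        kind = _match(host, EMBED_DOMAINS)
        if kind:
            embeds.append((host, kind))

    https = urlparse(page_url).scheme == "https"
    platform = collector.generator or hdrs.get("x-powered-by")  # context only

    return {
        "url": page_url,
        "observed_on": observed_on,
        "https": https,
        "trackers": trackers,
        "embeds": embeds,
        "platform": platform,
        # The platform is deliberately left out of the flag decision.
        "flagged": bool(trackers or embeds or not https),
    }


# Constructed sample response standing in for a fetched page.
SAMPLE_URL = "https://clinic.example/appointments"
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4">
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/assets/app.js"></script>
</head><body>
<iframe src="https://calendly.com/example-clinic/visit"></iframe>
</body></html>"""
SAMPLE_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    report = passive_report(SAMPLE_URL, SAMPLE_HTML, SAMPLE_HEADERS, "2024-01-01")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The first-party script at /assets/app.js resolves to the page's own host and is ignored; only the third-party script and iframe hosts are matched. Swapping in a real tracker list and a real fetched body is the only change needed to run this against a page you operate.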
Reports stay current
Each report shows when it was last checked. Flagged domains are automatically re-scanned about every 30 days. When a re-scan finds none of the items we flag, the report is marked cleared and removed from search results.
Corrections and removal
If you believe a report is inaccurate, or you've resolved the issue and would like a fresh check sooner than the next scheduled scan, email [email protected]. We re-scan on request and correct or withdraw reports that don't reflect the current state of the site. Our internal scan history is retained, but what appears publicly always reflects the latest check.