minusPHI
Privacy-safe healthcare analytics

Keep Google Analytics and Meta ads. Stop sending patient data.

Tracking scripts like the Meta pixel and Google tag quietly hand an ad network the pages your patients read, their IP and their device — with no BAA covering any of it. See what your site is leaking below, then fix it with a single tag.

Free during beta · No credit card · Works with any website platform

Keeps Meta & Google attribution · De-identified before either sees it · No engineering team required

Why this exists

The tracking pixel became healthcare's biggest privacy liability.

Pixels see everything

The standard Meta pixel and GA tag run in your visitor's browser and report the pages they read, their IP, and their device — straight to an ad network, with no BAA covering any of it.

Regulators noticed

OCR and the FTC have treated "this person visited a health page" as a reportable disclosure. Hospitals and telehealth companies have paid multi-million-dollar settlements over exactly this.

Ripping pixels out hurts

Remove tracking entirely and your ads stop optimizing, your analytics go dark, and every marketing dollar gets harder to justify. Practices shouldn't have to choose.

How it works

One tag on your site. A relay in the middle. Clean data out the other side.

1. Connect your destinations

Sign in and connect Google Analytics with one click, and your Meta pixel too if you run Facebook or Instagram ads. Either one unlocks your tag.

2. Paste one line

Add the minusPHI tag before </head> and remove your old pixels. Phone clicks, booking links and contact forms are detected as conversions automatically.

3. De-identified events flow

Traffic shows up in your GA4, conversions land on your Meta pixel, and your ad campaigns keep optimizing — with nothing identifying the patient or their browsing.

<!-- your entire analytics stack, after minusPHI -->
<script src="https://app.minusphi.com/mphi.js" data-site-key="mphi_XXXXXXXXXX"
        data-ingest="https://ingest.minusphi.com/"></script>

What we send

Deny by default. Every field that forwards is on an allow-list; everything else is stripped.

Forwarded — de-identified
  • Page views & traffic sources to your GA4 (public marketing pages only)
  • Page views to Meta as domain-only — never which page was visited
  • Conversions: leads, booking clicks, phone clicks — the signal ad delivery needs
  • Ad-click IDs (gclid / fbclid) on conversions, so campaigns keep attributing
  • A random first-party ID so sessions count correctly — never tied to a person

Never sent — to anyone
  • IP addresses, device fingerprints, third-party cookies
  • Names, emails, phone numbers — hashed or not
  • Page URLs to Meta, form contents, anything typed by a visitor
  • Anything from patient portals, intake, scheduling or confirmation pages
  • Health-condition terms — pages mentioning them are suppressed entirely

Fail-closed by design

The relay only forwards what it can prove is safe. A page it can't classify, a field it doesn't recognize, a URL carrying a condition term — all suppressed, automatically. Built around HIPAA Safe Harbor de-identification and the FTC's health-data enforcement pattern, and verified by an independent self-check on every single event before it leaves.
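
What a deny-by-default, fail-closed relay of this kind can look like, as an added sketch that is not minusPHI's code: the event fields, path patterns, condition terms and reason strings are all assumptions, and only URL-based checks are shown (page-content classification is left out).

```javascript
// Added illustration, not minusPHI code. Paths, terms and field names are assumptions.
const EVENT_TYPES = new Set(["page_view", "lead", "booking_click", "phone_click"]);
const KNOWN_FIELDS = new Set(["type", "url", "referrer", "clickId", "visitorId"]);
const PUBLIC_PATHS = [/^\/$/, /^\/services(\/|$)/, /^\/blog(\/|$)/, /^\/contact$/];
const SENSITIVE_PATHS = [/^\/(portal|intake|schedule|confirmation)(\/|$)/];
const CONDITION_TERMS = ["diabetes", "oncology", "hiv"]; // constructed sample list
// Per-destination allow-lists: Meta never receives a path, only the domain.
const ALLOW = {
  ga4: ["type", "path", "referrerHost", "clickId", "visitorId"],
  meta: ["type", "domain", "clickId"],
};

// Independent check on each outgoing payload: allow-listed string fields only,
// and no condition term anywhere in the values.
function selfCheck(dest, payload) {
  return Object.entries(payload).every(([k, v]) =>
    ALLOW[dest].includes(k) && typeof v === "string" &&
    !CONDITION_TERMS.some((t) => v.toLowerCase().includes(t)));
}

function relay(raw) {
  const suppress = (reason) => ({ forwarded: false, reason, out: {} });
  const unknown = Object.keys(raw).find((k) => !KNOWN_FIELDS.has(k));
  if (unknown) return suppress("unknown-field:" + unknown);
  if (!EVENT_TYPES.has(raw.type)) return suppress("unknown-event-type");
  let u, ref, hay;
  try {
    u = new URL(raw.url);
    if (raw.referrer) ref = new URL(raw.referrer);
    // Decode first so percent-encoded terms cannot slip past the term check.
    hay = decodeURIComponent(u.pathname + u.search).toLowerCase();
  } catch { return suppress("unparseable-url"); }
  if (SENSITIVE_PATHS.some((re) => re.test(u.pathname))) return suppress("sensitive-page");
  if (CONDITION_TERMS.some((t) => hay.includes(t))) return suppress("condition-term");
  if (!PUBLIC_PATHS.some((re) => re.test(u.pathname))) return suppress("unclassified-page");
  // Reduce to de-identified values; the query string and full referrer are dropped.
  const clean = { type: raw.type, path: u.pathname, domain: u.hostname, visitorId: raw.visitorId };
  if (ref) clean.referrerHost = ref.hostname;
  if (raw.type !== "page_view" && raw.clickId) clean.clickId = raw.clickId; // conversions only
  const out = {};
  for (const [dest, fields] of Object.entries(ALLOW)) {
    out[dest] = Object.fromEntries(
      fields.filter((f) => clean[f] !== undefined).map((f) => [f, clean[f]]));
    if (!selfCheck(dest, out[dest])) return suppress("self-check-failed:" + dest);
  }
  return { forwarded: true, reason: "ok", out };
}

// Constructed sample event (clinic.example is a placeholder domain).
const SAMPLE = { type: "lead", url: "https://clinic.example/contact", clickId: "Cj0KCQ-constructed", visitorId: "v-7f3a" };
```

Every rejection path returns an empty payload, so a classification gap results in a missing event rather than a leaked one.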

Pricing

Simple: one price per domain.

Free during beta
$99/month
per domain, when the beta ends

Questions

The honest answers.

Will my Meta ads still optimize without the pixel?

Yes — for what matters. Lead and appointment campaigns optimize on conversion events, which minusPHI delivers server-side with the ad-click ID attached, so attribution keeps working. What you give up is visitor retargeting, because that inherently requires handing Meta the browsing data this product exists to protect. Any vendor promising both is fudging one of them.

Do Google or Meta sign a BAA for this?

No — and with minusPHI they don't need to. A BAA is required when a vendor receives protected health information. The relay's job is to make sure they never do: events are de-identified before either company sees anything, and sensitive pages are suppressed entirely.

What happens on sensitive pages, like a patient portal?

Nothing is sent at all. Portals, intake forms, scheduling flows, confirmation pages, and any URL carrying a health-condition term are suppressed before forwarding — not scrubbed, simply never sent. You'll see marketing traffic in your analytics; nobody sees care activity.

Does it work with my website platform?

If you can paste one script tag — WordPress, Squarespace, Wix, Webflow, custom — it works. There's nothing to install server-side and no developer required. Conversions like phone clicks, Calendly/Zocdoc bookings and contact forms are detected automatically.

Is this legal advice or a compliance guarantee?

No. minusPHI is engineering: it controls exactly what data leaves your site, using allow-lists and de-identification aligned with HIPAA Safe Harbor. Your compliance program is still yours — we just make the tracking-pixel part of it defensible instead of dangerous.

Your ads keep learning. Your patients stay private.
