Why we don’t put session replay on medical sites
Session replay is the analytics feature that records what a visitor does on a website. Where they move their mouse, what they type into forms, how far they scroll, where they pause. The recording plays back later as a video you can watch. Marketing teams love it. It is a genuinely powerful tool for understanding why people abandon checkout flows or get stuck on a particular field. Session replay on a medical site is a different question.
On a medical site, session replay is a liability surface I will not touch.
What session replay on a medical site captures
The replay script lives on every page it is installed on. It takes a snapshot of the DOM, then watches mutations and input events and streams the serialized result to the analytics vendor, where it is reassembled into the playback. Without specific masking configuration, it captures:
- Every keystroke in every text field, including ones the user types and deletes before submitting.
- Every dropdown selection, including ones they reconsidered.
- The full text of any field that was prefilled by the browser’s autofill.
- The text of any error messages displayed.
- The text of any confirmation pages shown after submission.
- Page URLs, including query strings.
- Sometimes, the contents of pages behind authentication, if the script is loaded there.
For a parent filling out a pediatric intake form, that means the analytics vendor receives, in plain text, a stream of the parent typing the child’s name, date of birth, reason for visit, allergies, medications, and insurance information. The replay can be watched back later. The vendor’s database holds the recording. The clinic, in most cases, has no idea this is happening.
The PHI question
If a clinic installs session replay on a page that collects PHI, and the vendor has not signed a Business Associate Agreement, the clinic has just made an unauthorized disclosure of PHI to a third party. This is a real HIPAA exposure, not a theoretical one. The vendor is now a business associate by virtue of receiving PHI, but without the legal agreement that makes the relationship compliant.
The Office for Civil Rights has been increasingly explicit about this since 2022. Web tracking technologies on pages that handle PHI require a BAA with the technology vendor. Most session replay vendors will not sign one. Some will, on enterprise tiers, with specific configuration requirements that most clinics will not meet by default.
The masking myth
Most session replay vendors offer masking. You can mark certain fields as sensitive, and the recording will show those fields as blacked-out blocks instead of the typed contents. This sounds like a fix. It is a partial fix at best.
The problems with relying on masking:
- Masking is opt-in per field. Every PHI field has to be explicitly marked. Miss one, and that one is captured.
- The default state of any new field is unmasked. When a developer adds a new field to a form six months later, it is captured by default until somebody remembers to mark it.
- Masking only protects what is masked. The page URL, the page title and headings, the surrounding content, and the timing of every interaction are all still recorded.
- Masking runs inside the vendor's script, in the browser. The script has the raw DOM and the raw input; only its own masking logic keeps a value out of the upload. A bug in that logic, a misconfiguration, or a tampered copy of the script exposes the unmasked content.
- Masking does not address the BAA problem. The vendor is still receiving identifiable session metadata. Whether the specific fields are masked is a defense, not an exemption.
Masking is a useful safety net for sites that have decided to use session replay despite the risk. It is not a substitute for the BAA. It is not a substitute for the architectural decision of whether to record patient sessions at all.
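To make the opt-in problem concrete, here is an added example (my own illustration, not code from the post or from any replay vendor) modelling the serialize step of a recorder over a constructed keystroke stream from an intake form. The `data-mask` and `data-record` attribute names, the field list, and the typed values are assumptions. It compares the opt-in policy most vendors ship with a deny-by-default policy, and shows that every intermediate keystroke, including text the parent deleted before submitting, goes out in clear unless something explicitly stops it:

```javascript
// Added example: a toy model of a session-replay recorder's serialize step.
// Fields are plain objects shaped like DOM inputs (dataset), so this runs in
// Node without a browser. Attribute names below are assumptions.
const REDACTED = '[masked]';

// Constructed form metadata: one field was marked when the form was built,
// one was added later and never marked, one is explicitly approved.
const fieldPolicy = {
  child_name:  { dataset: { mask: '' } },   // data-mask: marked sensitive
  medications: { dataset: {} },             // added six months later, unmarked
  newsletter:  { dataset: { record: '' } }, // data-record: approved for recording
};

// Constructed input-event stream: the value of the field after each keystroke.
// The parent starts typing a medication, deletes it, then enters "none".
const inputEvents = [
  { field: 'child_name',  value: 'Ja' },
  { field: 'child_name',  value: 'Jane' },
  { field: 'medications', value: 'pen' },
  { field: 'medications', value: 'penicillin' },
  { field: 'medications', value: '' },        // deleted before submitting
  { field: 'medications', value: 'none' },
  { field: 'newsletter',  value: 'yes' },
];

function policyFor(field) {
  return fieldPolicy[field] || { dataset: {} }; // unknown field: no attributes
}

// Opt-in masking: a field is masked only if someone marked it data-mask.
function maskOptIn(field) {
  return 'mask' in policyFor(field).dataset;
}

// Deny-by-default: a field is recorded only if someone marked it data-record.
function maskDenyByDefault(field) {
  return !('record' in policyFor(field).dataset);
}

// The recorder ships every input event. The policy only decides whether the
// value is swapped for a placeholder before it leaves the browser; the script
// itself has already seen the raw value.
function serialize(events, shouldMask) {
  return events.map(e => ({
    field: e.field,
    value: shouldMask(e.field) ? REDACTED : e.value,
  }));
}

// Everything that would reach the vendor in clear text under a policy.
function clearTextValues(events, shouldMask) {
  return serialize(events, shouldMask)
    .filter(e => e.value !== REDACTED)
    .map(e => `${e.field}=${e.value}`);
}

console.log('opt-in masking leaks:   ', clearTextValues(inputEvents, maskOptIn));
console.log('deny-by-default leaks:  ', clearTextValues(inputEvents, maskDenyByDefault));
```

Under the opt-in policy the unmarked `medications` field leaks every keystroke, including `penicillin` and the empty value after deletion, even though the user ended up submitting `none`. Under deny-by-default only the explicitly approved `newsletter` field leaves the browser. Note that both serializers are handed the raw values: masking decides what is uploaded, not what the script can see, which is the point made above about the vendor's script.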
What we lose without it
Session replay is genuinely useful. Without it, we lose the ability to watch a specific user’s struggle with a specific form. That is real value, and pretending it is not real value would be dishonest.
What we keep, with non-replay analytics, is most of the diagnostic capability without the recording. Aggregate funnel analytics show where users drop off. Heatmaps (the static, non-recording version) show where users click and scroll. Form analytics show which fields take longest and which fields are abandoned most often. Server-side event tracking captures the high-level steps of the journey without capturing the typing.
For a small clinic, the marginal value of session replay over those tools is small. The marginal risk is significant. The math is not close.
The vendors that do sign a BAA
For clinics that genuinely need session replay capability (rare for a small practice, but it happens), a few vendors will sign a BAA. Mouseflow and FullStory have offered HIPAA-aware tiers. Hotjar's enterprise tier can sometimes be configured. The configuration work is non-trivial, the cost is meaningfully higher than the standard tier, and the masking discipline has to be operationalized on the clinic side.
Even with a willing vendor, the standard recommendation is to disable replay on any page that handles PHI, and only enable it on pre-conversion marketing pages. Home page, services page, contact page before the form. The form itself is the page session replay was built for, and the page where it has no business running on a clinic site.
The audit you can run today
If you are unsure whether your clinic site has session replay running:
- Open the site in Chrome. Open Developer Tools. Go to the Network tab.
- Filter for the hostnames of common replay vendors: hotjar, mouseflow, fullstory, smartlook, luckyorange, clarity.ms.
- Load your intake form page, then click into a field and type a character. Watch the network requests. Tag managers often inject the recorder after the initial load, or only once the user interacts, so a page that looks clean on first load may not be.
- If any of those scripts are loaded, the site is running session replay.
- If the script is loading on the form page specifically, the form is being recorded, whether or not the visitor ever submits it.
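The same check as a snippet you can paste into the DevTools console on the intake form page, added here as my own example rather than anything from the post. It reads the browser's Resource Timing entries, which cover scripts, fetch and beacon requests made since navigation, including ones a tag manager injected late, and matches on hostname rather than the whole URL so a page on your own site with "hotjar" in its path is not a false positive. The hostname fragments are the vendor domains as I know them; check them against each vendor's documentation, and the sample request list is constructed:

```javascript
// Added example: find session-replay vendors among a page's network requests.
// Paste into the DevTools console on the form page after interacting with a
// field. Vendor domains are assumptions; verify against vendor docs.
const REPLAY_VENDOR_HOSTS = [
  { vendor: 'Hotjar',            match: 'hotjar.com' },
  { vendor: 'Mouseflow',         match: 'mouseflow.com' },
  { vendor: 'FullStory',         match: 'fullstory.com' },
  { vendor: 'Smartlook',         match: 'smartlook.com' },
  { vendor: 'Lucky Orange',      match: 'luckyorange.com' },
  { vendor: 'Microsoft Clarity', match: 'clarity.ms' },
];

// Returns { vendorName: [matching URLs] }. Matches the request hostname (or a
// subdomain of it) against the vendor list; ignores anything that is not a URL.
function findReplayVendors(urls) {
  const found = {};
  for (const u of urls) {
    let host;
    try {
      host = new URL(u).hostname;
    } catch {
      continue; // relative or malformed entry, not a vendor host
    }
    for (const v of REPLAY_VENDOR_HOSTS) {
      if (host === v.match || host.endsWith('.' + v.match)) {
        (found[v.vendor] = found[v.vendor] || []).push(u);
      }
    }
  }
  return found;
}

// In a browser: every resource fetched since navigation, late injections
// included. The default timing buffer holds 250 entries; on a heavy page call
// performance.setResourceTimingBufferSize(1000) before reloading.
function auditCurrentPage() {
  if (typeof performance === 'undefined' || !performance.getEntriesByType) return {};
  const urls = performance.getEntriesByType('resource').map(e => e.name);
  return findReplayVendors(urls);
}

// Constructed sample of what the Network tab might show on an intake page.
const sampleRequests = [
  'https://clinic.example/intake',
  'https://static.hotjar.com/c/hotjar-123456.js?sv=6',
  'https://www.clarity.ms/tag/abcdefg',
  'https://clinic.example/blog/hotjar-review',   // own page, must not match
  'https://cdn.example-analytics.com/funnel.js', // non-replay analytics
  '/intake/submit',                               // relative URL, skipped
];

console.log('sample:', findReplayVendors(sampleRequests));
console.log('this page:', auditCurrentPage());
```

On the constructed sample this reports Hotjar and Microsoft Clarity and nothing else. Run on a real form page, an empty result after you have clicked into a field is reasonable evidence that no replay recorder is loaded; a non-empty one means the form is being recorded and the script should come out of whatever theme, plugin or tag-manager container is loading it.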
Most clinics that find a replay script on their site did not knowingly install it. It came with a theme, a marketing plugin, a tag manager configuration set up by a former agency, or an analytics suite the practice manager subscribed to without realizing it included replay.
Disable it. The analytics you lose are recoverable from other sources. The HIPAA exposure is not recoverable once a recording exists.
Session replay is not evil. It is a powerful tool aimed at the wrong problem for clinic sites. The right answer for understanding form friction is field-level abandonment analysis, which captures the data shape without capturing the data itself. And the right encryption posture, when you do capture form data, is the application-layer encryption I have written about elsewhere.
