Penrod Blog

How to Conduct a Website Tracking Audit

Written by Matt Fiel

Thanks to the OCR ruling, your legal and marketing team may be on high alert. After an initial ruling and updated guidance, the directive is clear: regulated entities cannot send PHI to third-party trackers with which they don’t have a BAA. More than ever, legal teams want to find website trackers that are running on your website by conducting a website tracking audit.

The first step in assessing your company’s risk of non-compliance is figuring out which trackers are running on your website by running a website tracking audit.

One of the easiest ways to find them is to use a self-service vendor that tracks the use of technologies across the Internet. Some require paid plans, and the ones with free versions may have limitations. Here are the top three we recommend.

Unfortunately, these tools don’t always provide a real-time snapshot of your website. Thankfully, with a bit of elbow grease, you can find out which third-party trackers are running on your website with some applications you probably use daily. 

Let’s get started.


  • Google Chrome
  • A Spreadsheet Program
  • Elbow Grease

Start with a Spreadsheet

A spreadsheet will keep your findings organized and ready to share with other team members. We recommend keeping track of the following: 

  • URL of the page
  • Tracker Name
  • Tracker Website
  • Whether you have a business associate agreement with the tracker
  • Whether the tracker may send PHI
  • Additional Details

It should look something like this:

Spreadsheet of Third-Party Web Trackers

Find the Trackers 

Finding all the trackers on your website can feel like a treasure expedition. It’s not just about one page…each page may have different trackers running. However, simple website implementations utilize one header file that consistently references all the trackers, so your mileage may vary.

To get the most accurate results, we recommend following the steps below for various pages on your website.

  1. Open Google Chrome
  2. Navigate to your website’s homepage
  3. Right-click in the middle of the page.
  4. In the menu that appears, select “inspect”.

    Inspect menu in Developer Tools

  5. A new window will appear. These are your developer tools. In the new window, click the “sources” tab.
  6. On the left, a list will appear. This list contains all your website requests – some requests are to your website, while others could be from other sites. While many requests simply involve receiving web files that help your website function, some could send PHI to third-party trackers.

    Development tools with list of third-party trackers

  7. Go through each item on the list…this is where you get to be a detective. Usually, your website is the first item on the list, so you can skip this.
  8. Document each item in the spreadsheet you created. If you’re unsure of what an item is, Google is your friend.

    Simply search the URL of the item. For instance, if we wanted to know what does, we could put “” into a Google Search. Searching this shows us that it’s a common web framework.

    Google search for web tracking technology
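
The steps above, automated for one page, as an added example that is not part of the original article: the script groups the resources a page loaded by third-party host and emits CSV rows matching the spreadsheet columns listed earlier. `auditRows`, `toCsv` and the `firstPartyDomain` parameter are hypothetical names and the sample URLs are constructed; in a browser it relies on the standard Resource Timing API.

```javascript
// Added example: turn a page's loaded-resource URLs into audit spreadsheet rows.
// auditRows, toCsv and firstPartyDomain are hypothetical names, not from the article.
const COLUMNS = ["URL of the page", "Tracker Name", "Tracker Website",
  "BAA in place?", "May send PHI?", "Additional Details"];

// A host is first-party if it equals the site's domain or is a subdomain of it.
function isFirstParty(host, firstPartyDomain) {
  return host === firstPartyDomain || host.endsWith("." + firstPartyDomain);
}

function auditRows(pageUrl, resourceUrls, firstPartyDomain) {
  const byHost = new Map(); // third-party host -> Set of resource paths
  for (const raw of resourceUrls) {
    let url;
    try { url = new URL(raw, pageUrl); } catch { continue; } // skip malformed URLs
    if (!/^https?:$/.test(url.protocol)) continue;           // skip data:, blob:, etc.
    const host = url.hostname.toLowerCase();
    if (isFirstParty(host, firstPartyDomain.toLowerCase())) continue;
    if (!byHost.has(host)) byHost.set(host, new Set());
    byHost.get(host).add(url.pathname);
  }
  // One row per third-party host; name, BAA and PHI columns are left for a human to fill in.
  return [...byHost.keys()].sort().map((host) => {
    const paths = [...byHost.get(host)].sort();
    return [pageUrl, "", "https://" + host, "", "",
      `${paths.length} resource(s), e.g. ${paths[0]}`];
  });
}

// Quote every cell so commas or quotes inside URLs cannot break the CSV.
function toCsv(rows) {
  const cell = (v) => '"' + String(v).replace(/"/g, '""') + '"';
  return [COLUMNS, ...rows].map((r) => r.map(cell).join(",")).join("\n");
}

if (typeof document !== "undefined") {
  // In the DevTools Console: passing location.hostname treats sibling subdomains
  // as third-party, which over-reports rather than hides anything.
  const urls = performance.getEntriesByType("resource").map((e) => e.name);
  console.log(toCsv(auditRows(location.href, urls, location.hostname)));
} else {
  // Constructed sample input (not from a real site) so the script also runs under Node.
  const sample = ["https://www.example-clinic.test/css/site.css",
    "https://cdn.tracker-one.test/pixel.js", "https://cdn.tracker-one.test/collect?id=1",
    "data:image/png;base64,AAAA", "//analytics.tracker-two.test/a.js"];
  console.log(toCsv(auditRows("https://www.example-clinic.test/", sample, "example-clinic.test")));
}
```

Run it from the Console tab of the developer tools on each page you audit. Resource Timing keeps a limited buffer of entries per page, so treat the output as a starting list for the spreadsheet rather than a complete one.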

Want to see what kind of data your trackers are sending? Learn how in our guide “How to See if Third-Party Trackers are Sending PHI from Your Website” by clicking here.

What’s Next?

If you discover any trackers with which your organization doesn’t have a BAA, it’s important to take immediate action to avoid non-compliance fines. Penrod can help you out here. 

Penrod’s HIPAA-compliant web tracking service ensures that your website won’t disclose protected data to third-party trackers.

About The Author

Matt Fiel

EVP of Marketing

With over 15 years of experience in marketing strategy, web development, and creative design, I lead the marketing team at Penrod, a boutique Salesforce partner focused on the healthcare and life sciences industry. As a Salesforce Certified Pardot Consultant, I have deep knowledge and skills in leveraging the platform to optimize marketing automation, lead generation, and customer engagement.
