Healthcare Onboarding

Step-by-step guide to set up HIPAA-compliant attribution in Atribu

This guide walks you through enabling Healthcare Mode, accepting the legal agreements, configuring the export allowlist, and verifying that your setup is correct.

Prerequisites

Before you begin:

  • You have an Atribu workspace with at least one profile
  • You have connected at least one ad platform (Meta or Google Ads)
  • You have owner or admin access to the workspace

Activation

Enable Healthcare Mode

There are two ways to activate:

Option A — Via Conversion Sync (recommended for first-time setup): Navigate to the profile's Conversion Sync page. If the profile is in standard mode, a Healthcare Intercept card appears asking "Do you handle healthcare data?" Click Yes, enable Healthcare Mode.

Option B — Via Settings: Go to Settings > Compliance and toggle Enable Healthcare Mode on.

Both paths open the DPA/BAA acceptance modal.

Accept the DPA and BAA

The modal shows the full text of:

  1. Part I — Data Processing Agreement — how Atribu processes your data
  2. Part II — HIPAA Business Associate Agreement (Annex F) — HIPAA-specific obligations

Scroll through the full text, then click I Accept. This records:

  • BAA status: Approved
  • HIPAA eligibility: Eligible
  • Signature status: Signed (with timestamp and user ID)
  • All three compliance acknowledgements checked automatically

Configure the export allowlist

After acceptance, the Privacy & Compliance panel switches from blocklist fields to allowlist checkboxes. Each checkbox represents a conversion definition in your profile.

Default allowlist: Only Payment Received and Lead Created are pre-checked.

Review each event type and only check the ones you are confident do not contain PHI in their payloads. Save when done.

Create signal rules

Create signal rules as normal in the rule wizard. Note these HIPAA-specific behaviors:

  • Non-revenue event types show an amber warning
  • Pipeline stage transitions show a red warning (blocked from export)
  • Privacy overrides in the rule wizard are locked — all strip toggles are enforced by the HIPAA floor

Verify with a test send

Use the test send feature in Conversion Sync > Deliveries to confirm:

  • Events reach the ad platform successfully
  • The delivery detail shows privacy filters applied (IP, UA, referrer, external IDs stripped)
  • The dashboard shows a green HIPAA Active badge
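The export behaviour described above (allowlist-only event types, blocked pipeline stage transitions, and a strip floor that rule overrides cannot relax) can be modelled as follows. This is an added illustration, not Atribu's code: the event shape, the field names `ip`, `user_agent`, `referrer`, `external_ids`, `kind`, and the functions `gate_export` and `leaked_fields` are assumptions made for the example.

```python
# Added illustration of the export rules in this guide.
# Field names and event shape are assumptions, not Atribu's schema.

DEFAULT_ALLOWLIST = frozenset({"Payment Received", "Lead Created"})  # defaults named in the guide
# Fields the guide says are stripped; key names are assumed for this model.
HIPAA_FLOOR = ("ip", "user_agent", "referrer", "external_ids")


def gate_export(event, allowlist=DEFAULT_ALLOWLIST, rule_overrides=None):
    """Default-deny export gate with a strip floor that overrides cannot relax."""
    rule_overrides = rule_overrides or {}  # e.g. {"ip": True} = rule asks to keep ip
    if event.get("kind") == "pipeline_stage_transition":
        return {"exported": False, "payload": {},
                "reason": "pipeline stage transitions are blocked from export"}
    if event.get("type") not in allowlist:
        return {"exported": False, "payload": {},
                "reason": f"event type {event.get('type')!r} is not on the allowlist"}
    # The floor is applied unconditionally; overrides are only reported, never honoured.
    payload = {k: v for k, v in event.items() if k not in HIPAA_FLOOR}
    ignored = sorted(k for k, keep in rule_overrides.items()
                     if keep and k in HIPAA_FLOOR)
    reason = "exported with HIPAA floor applied"
    if ignored:
        reason += "; ignored overrides: " + ", ".join(ignored)
    return {"exported": True, "payload": payload, "reason": reason}


def leaked_fields(payload):
    """Floor fields still present in an outbound payload; should be empty."""
    return [k for k in HIPAA_FLOOR if k in payload]


# Constructed sample event (documentation IP range, example domain)
SAMPLE = {
    "type": "Payment Received", "kind": "conversion", "value": 120.0,
    "ip": "203.0.113.7", "user_agent": "Mozilla/5.0",
    "referrer": "https://clinic.example/booking", "external_ids": ["crm-1"],
}

if __name__ == "__main__":
    result = gate_export(SAMPLE, rule_overrides={"ip": True})
    print(result["reason"], result["payload"], leaked_fields(result["payload"]))
    print(gate_export({"type": "Appointment Booked", "kind": "conversion"})["reason"])
```

The same `leaked_fields` check can be run against a payload copied from a test send to confirm that none of the stripped fields survived.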

Agency workflow

For agencies managing multiple healthcare clients:

  1. Go to Workspace Settings > Compliance
  2. Enable Healthcare Agency Mode — new profiles will default to HIPAA
  3. The compliance overview table shows all profiles' HIPAA status at a glance
  4. Each profile must still individually accept the DPA/BAA
  5. Use the table links to jump directly to each profile's Conversion Sync settings

Existing profiles are not auto-switched

Enabling Healthcare Agency Mode only affects newly created profiles. Existing profiles must be migrated individually. See the migration guide.