Healthcare & HIPAA
Support Runbook
Troubleshooting guide for healthcare account issues and blocked exports
Healthcare Support Runbook
"Why is my export blocked?"
This is the most common question from healthcare accounts. Here's how to diagnose it.
Check the Conversion Sync feed
Go to Conversion Sync > Deliveries and find the blocked event. The status column shows skipped and the detail panel shows the skip reason.
Read the skip reason
| Skip Reason | What It Means | Fix |
|---|---|---|
| `healthcare_allowlist_blocked` | Event type not on HIPAA allowlist | Add it to the allowlist in Privacy & Compliance, or explain why it should stay blocked |
| `healthcare_stage_transition_blocked` | Pipeline stages can't be exported in HIPAA mode | By design; use conversion events instead |
| `healthcare_missing_conversion_key` | Signal rule missing a valid conversion definition | Re-create the rule with a proper conversion definition source |
| `legal_gate_blocked` | BAA/legal requirements not met | Complete legal setup: BAA Approved + HIPAA Eligible |
| `legal_compliance_missing` | No legal record exists | Customer needs to accept the DPA/BAA |
| `hipaa_baa_unsigned` | BAA approved but not signed | Complete the signature workflow |
Verify the setup
Confirm these three things:
- Privacy mode is `hipaa` (not `standard` with blocklists)
- Legal panel shows BAA Approved, HIPAA Eligible, all acknowledgements checked
- Allowlist has the expected event types checked
Common mistakes
Customer switched back to standard mode
If a healthcare customer accidentally switches from HIPAA to standard mode:
- Blocklist fields reappear, allowlist disappears
- No event-type gating occurs
- PII may be sent unfiltered
Fix: Switch back to HIPAA in Privacy & Compliance. The allowlist configuration is preserved.
Rules created before HIPAA mode was enabled
Signal rules created in standard mode are not retroactively blocked. After enabling HIPAA mode:
- Existing rules are subject to the allowlist gate on the next export cycle
- No action needed — the pipeline checks the allowlist at export time, not rule creation time
Verifying privacy filters
- Go to Conversion Sync > Deliveries and click on a sent event
- In the detail panel, check:
  - `filters_applied` should include: `ip_removed`, `user_agent_removed`, `url_sanitized`, `external_id_removed:fbc`, etc.
  - `privacy_mode_snapshot.mode` should be `"hipaa"`
  - `legal_gate_snapshot` should show `allowed: true`
- If `payload_redacted` shows `{ redacted: true, hipaa_mode: true }`, this confirms raw PHI was not stored in the audit log
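When many deliveries need checking (for example, the audit of recent exports in a P2), the detail-panel checks above can be applied in bulk. The following is an added example, not part of the product or this runbook's own tooling. It assumes delivery records are available as JSON objects carrying the detail-panel fields plus hypothetical `id` and `status` keys; the function names and sample records are constructed for illustration.

```python
import json

# Filters the runbook names for filters_applied. The page's list ends in "etc."
# and external_id_removed:* entries depend on which IDs were present, so this
# is a minimum set, not the full list.
REQUIRED_FILTERS = {"ip_removed", "user_agent_removed", "url_sanitized"}

def check_delivery(record):
    """Return findings for one sent delivery; an empty list means it passes."""
    findings = []
    applied = set(record.get("filters_applied") or [])
    missing = REQUIRED_FILTERS - applied
    if missing:
        findings.append("filters_applied missing: " + ", ".join(sorted(missing)))
    mode = (record.get("privacy_mode_snapshot") or {}).get("mode")
    if mode != "hipaa":
        findings.append(f"privacy_mode_snapshot.mode is {mode!r}, expected 'hipaa'")
    if (record.get("legal_gate_snapshot") or {}).get("allowed") is not True:
        findings.append("legal_gate_snapshot.allowed is not true")
    redacted = record.get("payload_redacted") or {}
    if not (redacted.get("redacted") is True and redacted.get("hipaa_mode") is True):
        findings.append("payload_redacted does not confirm HIPAA redaction")
    return findings

def audit(records):
    """Map delivery id -> findings for each sent delivery that fails a check."""
    # "id" and "status" are assumed key names; skipped deliveries are ignored.
    return {r.get("id", "<no id>"): f for r in records
            if r.get("status") == "sent" and (f := check_delivery(r))}

# Constructed sample records (not real data): one clean, one sent while the
# account was in standard mode, one skipped by the allowlist gate.
SAMPLE = json.loads("""[
 {"id": "d1", "status": "sent",
  "filters_applied": ["ip_removed", "user_agent_removed", "url_sanitized",
                      "external_id_removed:fbc"],
  "privacy_mode_snapshot": {"mode": "hipaa"},
  "legal_gate_snapshot": {"allowed": true},
  "payload_redacted": {"redacted": true, "hipaa_mode": true}},
 {"id": "d2", "status": "sent", "filters_applied": ["url_sanitized"],
  "privacy_mode_snapshot": {"mode": "standard"},
  "legal_gate_snapshot": {"allowed": true}},
 {"id": "d3", "status": "skipped", "skip_reason": "healthcare_allowlist_blocked"}
]""")

if __name__ == "__main__":
    for delivery_id, problems in audit(SAMPLE).items():
        print(delivery_id, problems)
```

Any delivery this reports with a non-`hipaa` mode snapshot corresponds to the P2 row of the escalation matrix and should be reviewed by hand.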
What gets stripped in HIPAA mode
| Field | Stripped? | Notes |
|---|---|---|
| Client IP | Yes | Removed from Meta user_data |
| User agent | Yes | Removed from Meta user_data |
| HTTP referrer | Yes | Removed from custom_data |
| Page title | Yes | Removed from custom_data |
| External IDs (fbclid, gclid, fbc, fbp) | Yes | Removed from Meta user_data |
| URL path | Yes | Reduced to origin only |
| Hashed email (Meta) | Sent | For ad matching — hashed, not plaintext |
| Hashed phone (Meta) | Sent | For ad matching — hashed, not plaintext |
| Hashed email (Google) | Stripped | When strip_external_ids is active |
| Hashed phone (Google) | Stripped | When strip_external_ids is active |
| Meta LDU flags | Injected | Always in HIPAA mode |
Escalation matrix
| Severity | Trigger | Response |
|---|---|---|
| P1 | PHI confirmed sent to Meta/Google | Disable exports immediately. See incident response |
| P2 | Healthcare account in standard mode with active exports | Switch to HIPAA. Audit recent exports |
| P3 | Legal setup incomplete, exports blocked | Guide through onboarding |
| P4 | Allowlist configuration question | Explain the allowlist |