Skip to main content
Article

Is Podium HIPAA Compliant? Review and Messaging Risks for Medical Practices

Podium is conditionally HIPAA compliant. The company does sign a Business Associate Agreement (BAA) for healthcare customers on its higher-tier plans, but the platform's default review-request workflows and two-way texting features create PHI exposure that most medical practices never configure around. The question "is Podium HIPAA compliant" requires a nuanced answer: the tool can be used compliantly, but only with deliberate setup, staff training, and a signed BAA in place before any patient data flows through the system. This article is current as of July 2026.

TL;DR

  • Podium will sign a BAA for healthcare accounts, but only on certain plans; confirm current terms directly with Podium sales before activating any patient-facing messaging.
  • Two-way texting is the highest-risk feature because staff can inadvertently include appointment types, diagnoses, or treatment details in SMS threads stored on Podium servers.
  • Review request messages that reference a specific service ("How was your dermatology appointment?") turn a routine marketing text into a PHI disclosure.
  • Without a BAA, any patient name plus healthcare context transmitted through Podium constitutes an unauthorized disclosure under the HIPAA Privacy Rule.
  • Podium's webchat widget can capture IP addresses and browsing behavior on condition-specific pages, implicating HHS OCR's December 2022 online tracking guidance.
  • Compliant use requires generic message templates, role-based access controls, audit logging, and documented staff policies.

What Podium Does With Patient Data

Podium is a customer interaction platform built around SMS/MMS messaging, webchat, review generation, and payment collection. For medical practices, data flows through the system in several ways:

Data categories Podium may process

  • Patient phone numbers and names (imported from your PMS or entered manually)
  • Message content in two-way SMS threads
  • Review request metadata (who was asked, when, and the link they clicked)
  • Webchat transcripts, which can include symptom descriptions or appointment requests
  • Payment card data if you use Podium Payments
  • IP addresses, device identifiers, and page-visit history collected by the webchat widget

Under the HIPAA Privacy Rule (45 CFR 160.103), protected health information is any individually identifiable health information held or transmitted by a covered entity or its business associate. A patient's phone number alone is not PHI, but a patient's phone number stored alongside a record that they visited your orthopedic clinic absolutely is.

Podium BAA Availability and Terms

Podium does offer a BAA to healthcare customers. The agreement is typically available on mid-tier and enterprise plans rather than the lowest self-serve tier. Key points to verify with Podium before signing:

BAA checklist items

  • Confirm the BAA covers all product modules you plan to use (messaging, webchat, reviews, payments).
  • Ask whether Podium's sub-processors (cloud hosting, SMS delivery vendors) are included in the BAA's downstream coverage.
  • Clarify data retention and deletion terms; HIPAA requires you to be able to account for PHI disclosures for six years.
  • Verify encryption standards for data at rest and in transit; look for AES-256 and TLS 1.2 or higher.
  • Request documentation of Podium's breach notification procedures and timelines, which must align with the 60-day window in 45 CFR 164.410.

A signed BAA is a legal prerequisite, not a guarantee of compliance. The BAA makes Podium a business associate, but operational compliance still depends on how your staff use the tool day to day.

Review Requests: Where PHI Leaks Happen

HIPAA compliant review requests are possible through Podium, but only if templates are carefully constructed. The risk is subtle. Consider two versions of the same text message:

Non-compliant example

  • "Hi Sarah, thanks for visiting Dr. Martinez for your knee injection today. Would you mind leaving us a Google review?"

Compliant example

  • "Hi Sarah, thank you for visiting our office. We'd appreciate your feedback. [review link]"

The first message discloses a treatment detail (knee injection) and a provider name to a third-party platform (Podium's servers, the SMS carrier, and potentially anyone with access to the recipient's phone). That combination of name plus treatment constitutes PHI and, without proper authorization, violates the minimum necessary standard in 45 CFR 164.502(b).

Even confirming that a person is a patient of a healthcare practice can be a disclosure if the practice specialty itself reveals health information. A text from "Downtown HIV Clinic" saying "Thanks for your visit" reveals a sensitive health detail by context alone.

This is the same principle that applies to email marketing platforms. As discussed in our guide on whether Mailchimp is HIPAA compliant for medical email marketing, the content and metadata of patient communications determine whether PHI is exposed, not just the platform's technical architecture.

Two-Way Texting Risks

Podium's messaging inbox is arguably the highest-risk module for medical practices. Staff members answering patient texts often share appointment details, prescription instructions, or referral information in real time. Each message is stored on Podium's servers and visible to any team member with inbox access.

Common two-way texting compliance failures

  • A front-desk employee confirms a procedure date and type via text without patient authorization for electronic communication.
  • Multiple staff members access the same conversation thread without role-based access controls, violating the minimum necessary rule.
  • Podium's message search indexes PHI, making it discoverable by anyone on the team.
  • Patients voluntarily text photos or descriptions of symptoms; the practice is now storing unsolicited PHI on a third-party platform.

HHS OCR has not issued Podium-specific enforcement guidance, but its December 2022 bulletin on tracking technologies (updated in March 2024) makes clear that any technology collecting individually identifiable health information on behalf of a covered entity must be governed by a BAA, and the data must be safeguarded per the Security Rule.

Webchat Widget and Online Tracking Concerns

Podium's webchat widget loads JavaScript on your website pages. When a visitor navigates to a condition-specific page (for example, "/services/addiction-treatment") and then opens the chat, the system may log that page URL alongside the visitor's IP address and, eventually, their name and phone number. Under HHS OCR's tracking guidance, that combination constitutes PHI if it connects an individual to a health condition or healthcare provision.

This issue parallels the tracking risks present on healthcare websites built with platforms like Webflow. Our analysis of whether Webflow is HIPAA compliant for medical practice sites covers how page-level data collection can inadvertently create PHI even before a patient identifies themselves.

Similarly, practices using Google Ads call tracking for medical practices should understand that phone attribution data combined with healthcare context faces the same regulatory scrutiny.

HHS OCR Guidance and Enforcement Patterns

OCR's enforcement actions from 2023 through 2025 have focused heavily on unauthorized disclosures via tracking pixels and third-party tools. The pattern is consistent: a covered entity installs a vendor tool, PHI flows to the vendor without a BAA, and OCR treats the disclosure as a reportable breach.

The FTC has pursued parallel actions under the Health Breach Notification Rule (16 CFR Part 318) against companies like BetterHelp, GoodRx, and Cerebral for sharing health data with advertising platforms without adequate consent. While those cases involved ad-tech rather than review platforms, the underlying principle applies: sharing identifiable health information with a third party without authorization or a BAA is a violation regardless of the tool category.

State laws add further complexity. Washington's My Health My Data Act (MHMDA), effective since March 2024, requires affirmative consent before collecting or sharing health data and applies to non-HIPAA-covered entities too. If your practice serves Washington residents, Podium's data handling must satisfy both HIPAA and MHMDA requirements.

Safe-Use Checklist for Podium in Healthcare Settings

Before activating Podium

  • Obtain a signed BAA from Podium that explicitly covers every module you intend to use.
  • Confirm your plan tier supports healthcare compliance features (audit logs, access controls, encryption).
  • Document Podium in your HIPAA risk analysis as a business associate with access to PHI.

Message template configuration

  • Use only generic review request templates that never reference provider names, specialties, treatments, or appointment types.
  • Disable auto-personalization tokens that could insert service-line or condition data.
  • If your practice name reveals a health condition (e.g., "Sunrise Fertility Center"), consider using a DBA or neutral brand name in outbound messages.

Staff training and access controls

  • Restrict inbox access to staff who need it; use role-based permissions.
  • Train front-desk teams never to discuss diagnoses, medications, or treatment plans via text.
  • Create a written policy specifying what can and cannot be communicated through Podium.
  • Conduct quarterly audits of message threads to identify PHI leakage.

Webchat and website widget

  • Configure the webchat widget to display a consent notice before collecting identifying information.
  • Avoid embedding the widget on condition-specific service pages, or ensure the page URL is not logged with the chat transcript.
  • Verify that chat transcripts are encrypted at rest and access-controlled within Podium's dashboard.

Ongoing compliance maintenance

  • Review Podium's privacy policy and terms of service annually for changes to data handling practices.
  • Ensure your BAA includes a breach notification clause that meets the 60-day HIPAA requirement.
  • Maintain records of all review requests sent and received for your HIPAA accounting of disclosures.

Where Podium Fits (and Where It Does Not)

Podium is a legitimate tool for healthcare practices that need review generation and patient communication, provided the BAA is in place and templates are properly sanitized. It is not, however, a tracking or analytics platform, and it does not solve the separate compliance challenge of website visitor tracking, ad conversion measurement, or marketing attribution.

For scheduling tools, practices face similar conditional-compliance questions. Our review of whether Calendly is HIPAA compliant illustrates how appointment booking platforms require the same BAA-plus-configuration approach.

For email marketing, the compliance requirements mirror those of review messaging. Our detailed analysis of Mailchimp's HIPAA compliance for healthcare email covers the parallel risks of list segmentation and campaign content that references health conditions.

Tracking and Analytics: A Separate Compliance Layer

Even if you configure Podium perfectly, your practice likely also runs Google Ads, Meta campaigns, and website analytics that create independent PHI exposure. Conversion pixels, remarketing tags, and session recordings all fall under OCR's tracking technology guidance and require their own compliance framework.

Curve is a HIPAA-compliant tracking and analytics platform purpose-built for healthcare marketers. With a signed BAA, PHI-safe server-side conversion delivery to Google, Meta, and Microsoft, plus compliant session replay, forms, and analytics, Curve addresses the tracking layer that tools like Podium were never designed to handle. If your practice runs paid media or needs marketing attribution without PHI risk, visit curvecompliance.com to see how it works.

Frequently Asked Questions

Does Podium sign a BAA for medical practices?

Yes, Podium offers a Business Associate Agreement for healthcare customers, typically on mid-tier or enterprise plans. You must request and execute the BAA before any patient data enters the platform. Confirm current plan requirements and BAA scope directly with Podium's sales team, as terms may change.

Can I send review requests to patients through Podium without violating HIPAA?

You can, but only if the message template contains no treatment details, provider specialties, or condition-specific language. A compliant review request uses only the patient's first name and a generic thank-you message. If your practice name itself reveals a health condition, even that basic message may constitute a PHI disclosure.

Is two-way texting through Podium safe for discussing patient care?

Two-way texting should never be used to discuss diagnoses, medications, or treatment plans unless you have a signed BAA, the patient has authorized electronic communication, and staff are trained on the minimum necessary standard. Even with those safeguards, the risk remains elevated because patients may voluntarily text sensitive information that is then stored on Podium's servers.

What happens if my practice uses Podium without a BAA?

Without a BAA, any transmission of individually identifiable health information through Podium constitutes an unauthorized disclosure under the HIPAA Privacy Rule. This is a reportable breach if it affects 500 or more individuals, and it can trigger OCR investigation, civil monetary penalties of up to $2,067,813 per violation category per year, and state attorney general enforcement actions.

Does Podium's webchat widget create HIPAA risks on my website?

Yes. The widget can collect IP addresses, page URLs, and device identifiers alongside the visitor's name and message content. If the visitor is on a condition-specific page, that combination may constitute PHI under HHS OCR's tracking technology guidance. A consent notice and careful page-level deployment decisions are necessary to mitigate this risk.

Are there HIPAA-compliant alternatives to Podium for review management?

Several healthcare-focused reputation management platforms offer BAA-backed review request features with built-in PHI guardrails, including pre-approved template libraries and specialty-aware message sanitization. Examples include Birdeye (healthcare tier), Weave, and NexHealth. Evaluate each vendor's BAA scope, encryption standards, and access controls before committing.

Stay Compliant. Scale Confidently.

Join healthcare innovators who trust Curve for HIPAA-compliant ad tracking.Launch in hours, not months. Your growth stack, now HIPAA-safe.