Vendor BAA Guide

Does Hotjar Sign a HIPAA Business Associate Agreement?

By BAA Generator Editorial  ·  Published Apr 20, 2026  ·  Last reviewed Apr 20, 2026  ·  5 min read

Key Takeaways

Direct answer: No — as of 2026, Hotjar does not offer a HIPAA Business Associate Agreement on any plan. Hotjar is not HIPAA compliant and must not be used on any healthcare website or application that handles, displays, or processes protected health information. Using Hotjar on PHI-handling pages is a HIPAA violation.

Hotjar is one of the most popular behavior analytics tools, offering heatmaps, session recordings, and user surveys. It's widely used by product and marketing teams to understand how visitors interact with websites. However, for healthcare organizations and healthtech companies building patient-facing applications, Hotjar is categorically off-limits wherever PHI is involved.

Hotjar Plan Coverage for HIPAA BAA

Plan | Price | BAA Available?
Observe Basic | Free | No BAA
Observe Plus | $32/mo | No BAA
Observe Business | $80/mo | No BAA
Scale | Custom pricing | No BAA — Hotjar does not offer BAAs

This is not a plan tier limitation — Hotjar does not offer HIPAA BAAs at any price point. Hotjar has explicitly stated in their documentation and security policies that they are not designed for use with sensitive health information and do not support HIPAA compliance.

Why Hotjar on Healthcare Sites Is a HIPAA Violation

Session replay and heatmap tools like Hotjar are uniquely dangerous in healthcare contexts because they can capture patient data automatically without any explicit integration:

HHS OCR has specifically identified tracking technologies — including session replay scripts — as a major source of impermissible PHI disclosures on healthcare websites. Covered entities and business associates that use these tools without a BAA are at significant enforcement risk.

HIPAA-Compliant Alternatives to Hotjar

If your healthcare organization or healthtech company needs session replay and behavior analytics with HIPAA compliance, the following alternatives offer BAA coverage:

Tool | BAA Available? | Notes
FullStory | Yes (Enterprise) | BAA on Enterprise plan; requires privacy masking configuration
LogRocket | Yes (Enterprise) | BAA available on Enterprise; requires session masking for PHI fields
Microsoft Clarity | No BAA | Free; no BAA — use only on non-PHI pages and flows
Hotjar | No BAA (any plan) | Not HIPAA compliant; do not use on healthcare applications with PHI

For healthtech teams that need session replay analytics, FullStory and LogRocket are the two most commonly used HIPAA-eligible options. Both require Enterprise plans and careful privacy masking configuration — a BAA alone is insufficient without properly blocking PHI capture at the code level.

What to Do If You Are Currently Using Hotjar on a Health Application

If your healthcare website or health application currently has Hotjar installed on pages where patients enter or view health information, you should take the following steps immediately:

For a detailed look at HIPAA-compliant session replay tools, see our FullStory HIPAA BAA guide. For healthtech startups building their compliance vendor stack, see our guide on HIPAA BAAs for healthtech startups.
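A practical first step in the remediation described above is to inventory which pages actually load Hotjar. The following Python audit is an added example, not code from the original guide or from Hotjar: it scans rendered HTML for the two markers of Hotjar's standard install snippet (the loader on static.hotjar.com and the _hjSettings global that carries the site id) and flags any hit on a route assumed to handle PHI. The route prefixes, sample pages and site id 1234567 are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Markers of Hotjar's standard install snippet: the loader on static.hotjar.com
# and the _hjSettings global carrying the site id (hjid). Either one is a hit.
HOTJAR_SIGNATURES = (
    re.compile(r"static\.hotjar\.com/c/hotjar-(\d+)\.js", re.I),
    re.compile(r"_hjSettings\s*=\s*\{[^}]*\bhjid\s*:\s*(\d+)", re.I),
)
# Constructed assumption: route prefixes where patients enter or view PHI.
PHI_PATH_PREFIXES = ("/portal/", "/appointments/", "/messages/")

@dataclass
class Finding:
    path: str
    hotjar_site_id: str
    handles_phi: bool

def find_hotjar(html: str) -> Optional[str]:
    """Return the Hotjar site id if the page embeds the snippet, else None."""
    for pattern in HOTJAR_SIGNATURES:
        match = pattern.search(html)
        if match:
            return match.group(1)
    return None

def handles_phi(path: str) -> bool:
    return path.startswith(PHI_PATH_PREFIXES)

def audit(pages: Dict[str, str]) -> List[Finding]:
    """Scan {path: rendered html} and report every page that loads Hotjar."""
    findings = []
    for path, html in pages.items():
        site_id = find_hotjar(html)
        if site_id is not None:
            findings.append(Finding(path, site_id, handles_phi(path)))
    return findings

def violations(pages: Dict[str, str]) -> List[Finding]:
    """The hits that matter for HIPAA: Hotjar loaded on a PHI-handling route."""
    return [f for f in audit(pages) if f.handles_phi]

# Constructed sample pages; site id 1234567 is a placeholder, not a real site.
SAMPLE_PAGES = {
    "/": ("<script>(function(h,o,t,j,a,r){h._hjSettings={hjid:1234567,hjsv:6};r=o.createElement('script');"
          "r.src=t+h._hjSettings.hjid+j+h._hjSettings.hjsv;})(window,document,'https://static.hotjar.com/c/hotjar-','.js?sv=');</script>"),
    "/portal/lab-results": '<script async src="https://static.hotjar.com/c/hotjar-1234567.js?sv=6"></script>',
    "/appointments/book": "<form>no analytics on this page</form>",
}
```

Run it against a crawl of your own rendered pages (tag-manager output included, since Hotjar is often injected that way) rather than against source templates, so snippets added at runtime are not missed.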

Note: Vendor BAA policies can change. Verify current Hotjar compliance status directly at hotjar.com before making compliance decisions.

Frequently Asked Questions

Does Hotjar sign a HIPAA BAA?

No — Hotjar does not sign a HIPAA BAA on any plan as of 2026. Hotjar explicitly states it is not HIPAA compliant. This is not a pricing tier limitation — Hotjar does not offer BAAs at any price point.

Can I use Hotjar on a HIPAA-covered healthcare website?

No — Hotjar cannot be used on any HIPAA-covered page or application that handles PHI. Session recording on health portals or apps can capture PHI automatically. Using Hotjar on a page where patients enter health information is a HIPAA violation with no available remedy since Hotjar does not offer a BAA.

What are HIPAA-compliant alternatives to Hotjar?

HIPAA-compliant session replay alternatives include FullStory (Enterprise plan, BAA available, requires privacy masking) and LogRocket (Enterprise plan, BAA available, requires privacy masking). Microsoft Clarity is free and has no BAA — it can only be used on non-PHI pages and flows. For healthcare applications, FullStory and LogRocket are the standard HIPAA-eligible choices.

Is Hotjar HIPAA compliant?

No — Hotjar is not HIPAA compliant. Hotjar does not sign BAAs and has not built the compliance infrastructure required to serve as a HIPAA Business Associate. Hotjar explicitly documents that it is not suitable for use with sensitive health information. Do not use Hotjar on any healthcare application that handles PHI.

Need a BAA for a HIPAA-compliant analytics tool?

Generate a HIPAA-compliant Business Associate Agreement in minutes — covers all vendor types, free to start.
