The form vendor is JotForm (https://www.jotform.com/), and we have a BAA (business associate agreement) with them.
We have Google and Facebook pixels from when we were running ads. What are your thoughts on that? You would have to browse in incognito, because of how many sites have pixels, and not use Gmail/Messenger/WhatsApp if you didn't want to disclose the fact you're searching for a mental healthcare provider to Google or Facebook.
Or with a recent version of Firefox. Or with an ad blocker. My thoughts are this: just because most users will likely leave a trace with Google by visiting from the SERP doesn't mean you should volunteer more data points to third-party advertisers, especially when we're talking about medically relevant data. And there will be users who visit your site via links from other sites where they weren't tracked (e.g. from here!). So please don't do this.
I wouldn't, but the last time we had a story here where mental health websites were sending sensitive data to advertisers, they did it in such a dumb way you could spot it easily in the network tab of your browser's dev tools. Haven't seen anything like that here in my brief look.
The form where we collect user data is not hosted by us; it is hosted by a HIPAA-compliant vendor. What particular data was being shared in your story?
Including the Google Analytics library and Facebook Pixel on your site at the very least sends each and every pageview back to both of those entities. If the developer has implemented custom conversions, even further behavior is tracked.
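As an added example (not code from any poster or from JotForm), a small Python audit that scans a page's HTML for the includes the comment above describes: the Google Analytics / gtag.js loader, Tag Manager, the Facebook Pixel bootstrap and its noscript image beacon. The tracker host list and the sample page are constructed assumptions, and the embedded form iframe is there to show a legitimate third-party host that should not be flagged.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the tracker loaders and beacons are fetched from (assumption: illustrative, not exhaustive).
TRACKER_HOSTS = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "connect.facebook.net": "Facebook Pixel loader",
    "www.facebook.com": "Facebook Pixel beacon",
}
# Inline bootstrap calls that betray a tracker even when no loader URL sits in a src attribute.
INLINE_CALL = re.compile(r"\b(gtag|fbq|ga)\(")


class TrackerAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (tracker label, evidence) pairs
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        src = (dict(attrs).get("src") or "") if tag in ("script", "img", "iframe") else ""
        host = urlparse(src).hostname or ""
        if host in TRACKER_HOSTS:  # also catches the 1x1 <img> beacon inside <noscript>
            self.findings.append((TRACKER_HOSTS[host], src))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:  # html.parser delivers <script> bodies here as raw text
            for call in sorted(set(INLINE_CALL.findall(data))):
                self.findings.append(("inline " + call + "() call", call + "("))


def audit_html(html):
    """Return the (tracker, evidence) findings for one page's HTML."""
    auditor = TrackerAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample page: gtag.js loader + inline config, a Facebook Pixel bootstrap with
# its <noscript> image beacon, and a non-tracker embedded form iframe that must not be flagged.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>function gtag(){dataLayer.push(arguments);}gtag('js',new Date());gtag('config','G-PLACEHOLDER');</script>
<script>/* fbevents.js loader elided */fbq('init','0000');fbq('track','PageView');</script>
</head><body><noscript><img src="https://www.facebook.com/tr?id=0000"/></noscript>
<iframe src="https://form.jotform.com/PLACEHOLDER"></iframe></body></html>"""
```

Running `audit_html` over a saved copy of a page (or over `document.documentElement.outerHTML` exported from dev tools) lists every tracker include, so the presence of the pixels is verifiable without watching live network traffic.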