
The HHS OCR has confirmed that ad pixels on healthcare websites can violate HIPAA.

In December 2022 and in updated 2024 guidance, the HHS Office for Civil Rights clarified that tracking technologies deployed on HIPAA-covered entity websites, including public-facing pages not behind a login, can constitute impermissible disclosures of protected health information. If your healthcare organization uses Meta Pixel, Google Analytics, or similar tools on patient-facing pages, you may have HIPAA exposure that your marketing team does not know exists.

Full Name

HIPAA and Website Tracking Technologies

Jurisdiction

Federal (US)

Penalties

HIPAA civil monetary penalties range from $137 to $68,928 per violation, depending on culpability, up to a maximum of $2,067,813 per violation category per year. Willful neglect violations that are not corrected can reach the statutory maximum. OCR investigations are triggered by breach reports, complaints, and proactive audits. State attorneys general can also bring enforcement actions for HIPAA violations affecting their residents.

What It Is

Overview of HIPAA

HIPAA's Privacy Rule (45 C.F.R. § 164.502) prohibits covered entities from using or disclosing protected health information (PHI) except as permitted or required by HIPAA. The OCR's tracking technology guidance clarifies that a user's IP address, combined with a visit to a page on a healthcare website that reveals a health condition (a symptom checker, a disease-specific resource page, or a patient portal login), may constitute PHI when that combination is transmitted to a third party like Meta or Google. The guidance applies to covered entities and their business associates regardless of whether the data appears obviously health-related in isolation.

Who It Covers

Scope and private right of action

Covered entities under HIPAA include hospitals, clinics, health plans, and healthcare clearinghouses. Business associates that handle data on their behalf are also subject to HIPAA obligations. The OCR guidance extends to any third-party tracking technology deployed on a covered entity's website or mobile app, including on public-facing pages that do not require login.

Exposure Triggers

Which website technologies create HIPAA tracking exposure

The OCR guidance focuses on technologies that transmit data about a user's interaction with a healthcare website to a third party. The key test is whether the data transmitted, taken together with other information available to the recipient, could identify an individual and reveal health-related information.

Meta Pixel on healthcare pages

The Meta Pixel sends page URLs, search terms, and event data to Meta. On a healthcare website, URLs often contain diagnosis-specific or condition-specific path segments (e.g. /oncology/breast-cancer-treatment). When transmitted with a user's IP address or Facebook Login cookie, this may constitute an impermissible disclosure of PHI under the OCR guidance.

Google Analytics on patient-facing pages

Google Analytics collects page URL, referrer, session data, and custom events. On healthcare pages, URL-level data can reveal the conditions a user researched. The OCR guidance does not exempt analytics tools from HIPAA obligations when they process data from covered entity websites.

Call tracking and dynamic number insertion

Call tracking tools that use dynamic phone number insertion (like Invoca or CallRail) create a record linking a specific user's browser session to their outbound phone call. That linkage, combined with the healthcare context of the site, may constitute PHI processing by a third party that is not a business associate.

Demand Letter Response

Responding to an OCR investigation or breach notification obligation

HIPAA enforcement typically begins with either a breach report (which covered entities are required to self-report within 60 days of discovery for breaches affecting 500 or more individuals) or an OCR complaint. The OCR will request documentation of your tracking technology inventory, data flows, business associate agreements, and risk assessment. If you have not yet conducted a formal review of your website's third-party tracking technologies, doing so before responding to an OCR inquiry is critical. Lokker provides a full scan of every third-party request made by your healthcare web properties, documents what data flows to which vendors, and identifies which technologies may not have a current business associate agreement. That inventory is exactly what OCR investigations ask for.

Evidence Support

What to document when assessing your HIPAA tracking exposure

HIPAA risk assessments for website tracking require documentation of which technologies are deployed, what data they collect, whether BAAs are in place, and whether consent or opt-out mechanisms limit data collection.

Full third-party request inventory

Lokker scans every page of your healthcare web properties and documents every outbound third-party request, the data it carries, and the domain it contacts, giving you a complete inventory for BAA review.

BAA gap identification

Privacy Edge identifies vendors that are receiving potentially PHI-containing data from your site and flags those where no business associate agreement is on file based on your configuration.
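As an added example (not Lokker's code or the OCR's method), the following Python builds the kind of third-party request inventory and BAA gap list described above: it walks a captured set of outbound requests (constructed HAR-style entries), separates third-party from first-party hosts, decodes the page URL that Meta Pixel and Google Analytics hits carry in their `dl` (document location) parameter, flags pages whose path reveals a condition, and checks each vendor host against an assumed BAA list. The `example-health.org` domain, the sensitive path segments and the BAA set are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Tracker hosts and the query parameter in which each carries the visited page URL
# ('dl' = document location for both the Meta Pixel and Google Analytics hits).
TRACKER_PAGE_PARAM = {"facebook.com": "dl", "google-analytics.com": "dl"}
# Assumed, constructed list of path segments this site treats as condition-revealing.
SENSITIVE_SEGMENTS = ("oncology", "cancer", "hiv", "symptom-checker", "patient-portal")

def same_site(host, domain):
    return host == domain or host.endswith("." + domain)

def reveals_condition(page_url):
    path = urlparse(page_url).path.lower()
    return any(seg in path for seg in SENSITIVE_SEGMENTS)

def assess_request(entry, site_domain, baa_vendors):
    """Classify one captured outbound request; None for first-party requests."""
    host = (urlparse(entry["url"]).hostname or "").lower()
    if same_site(host, site_domain):
        return None
    vendor = next((v for v in TRACKER_PAGE_PARAM if same_site(host, v)), None)
    carried = None
    if vendor:  # the page URL the tracker actually transmitted, decoded from its query
        query = parse_qs(urlparse(entry["url"]).query)
        carried = query.get(TRACKER_PAGE_PARAM[vendor], [None])[0]
    page = carried or entry.get("page_url", "")  # fall back to the issuing page
    return {"vendor_host": host, "page": page,
            "reveals_condition": reveals_condition(page),
            "baa_on_file": any(same_site(host, v) for v in baa_vendors)}

def inventory(entries, site_domain, baa_vendors):
    """One finding per third-party request: the full outbound inventory."""
    return [f for f in (assess_request(e, site_domain, baa_vendors) for e in entries) if f]

def baa_gaps(entries, site_domain, baa_vendors):
    """Findings where a condition-revealing page reached a vendor with no BAA on file."""
    return [f for f in inventory(entries, site_domain, baa_vendors)
            if f["reveals_condition"] and not f["baa_on_file"]]

# Constructed sample capture (HAR-style: request URL plus the page that issued it).
SAMPLE_CAPTURE = [
    {"url": "https://www.example-health.org/static/app.js",
     "page_url": "https://www.example-health.org/oncology/breast-cancer-treatment"},
    {"url": "https://www.facebook.com/tr/?id=1&ev=PageView&dl=https%3A%2F%2F"
            "www.example-health.org%2Foncology%2Fbreast-cancer-treatment",
     "page_url": "https://www.example-health.org/oncology/breast-cancer-treatment"},
    {"url": "https://www.google-analytics.com/g/collect?v=2&dl=https%3A%2F%2F"
            "www.example-health.org%2Fcontact",
     "page_url": "https://www.example-health.org/contact"},
]
```

Run `inventory(SAMPLE_CAPTURE, "example-health.org", {"google-analytics.com"})` to list both tracker hits, and `baa_gaps(...)` with the same arguments to see only the Meta Pixel hit, which carried the oncology page URL to a vendor without a BAA on file.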

Consent and opt-out state validation

Consent Validator tests whether analytics and advertising pixels are blocked when a user signals consent rejection or Global Privacy Control (GPC), providing documentation of your technical controls.

Frequently Asked Questions

Common questions about HIPAA

Does the OCR guidance apply only to pages behind the patient portal login?

No. The OCR guidance explicitly covers public-facing pages on covered entity websites. A symptom checker, a physician directory, a disease-specific resource page, or any other page that reveals a user's health-related interest is in scope, even if the user is not authenticated.

We have a BAA with Google Analytics. Does that solve the problem?

A business associate agreement is a necessary but not sufficient control. The BAA governs the vendor's handling of PHI, but it does not change the fact that PHI is being disclosed to the vendor in the first place. The risk assessment question is whether the disclosure is permissible under HIPAA, not just whether a BAA exists.

Is FreshPaint a complete solution to HIPAA pixel concerns?

FreshPaint proxies marketing data and strips ePHI before routing events to downstream vendors. It addresses the disclosure risk for the specific vendors it proxies. However, it does not cover other third-party scripts on the page, does not replace your CMP's consent obligations, and does not govern session replay tools, call tracking, or other technologies outside its proxy scope. A complete HIPAA web privacy program requires independent governance of all third-party scripts.

Defense Counsel Network

Received a HIPAA demand letter or are under investigation?

Lokker works alongside defense counsel who handle HIPAA-related website privacy cases. We provide the technical evidence documentation your attorneys need and can make the right introduction to law firms that specialize in this area. Contact us now.