HIPAA Compliance and Website Cookies and Tracking Pixels
The OCR's landmark 2022 guidance on tracking technologies changed the compliance landscape for every healthcare website using analytics or advertising tools.
OCR's 2022 Tracking Technology Bulletin
In December 2022 (updated March 2024), the Office for Civil Rights issued a bulletin making clear that standard web tracking technologies can violate HIPAA when deployed on healthcare websites. The bulletin addressed three contexts:
- Authenticated pages (patient portals, patient logins): Any tracking technology that collects information from users who are authenticated — logged in — is collecting PHI. This applies even if the tracking code itself does not explicitly request health information, because the combination of user identity and the fact of visiting a healthcare portal constitutes PHI.
- Unauthenticated public pages with health conditions: Pages where users search for specific conditions, find a doctor by specialty, or seek information about specific treatments — tracking technologies on these pages may capture PHI if the information can be linked to an individual.
- Login pages: Tracking pixels on login pages can capture login attempt data that, combined with the healthcare context, constitutes PHI.
The Meta Pixel Problem
The Meta (Facebook) Pixel transmits detailed event data to Meta's servers, including page URLs, referrer URLs, user agent strings, and IP addresses. On healthcare websites, this data can reveal that a specific IP address visited a page about a specific condition, scheduled an appointment of a specific type, or logged into a patient portal.
Numerous class action lawsuits and OCR investigations have focused on Meta Pixel deployments on healthcare websites. Notable cases have resulted in settlements exceeding $100 million in the commercial sector.
Recommended steps for healthcare organizations:
- Remove the Meta Pixel from all patient portal pages, login pages, and appointment confirmation pages
- If Meta Pixel is used for marketing on public informational pages, conduct a thorough risk assessment
- Meta has not signed a HIPAA BAA for its standard advertising products
- If you use Meta for advertising, target audiences should not include healthcare website visitors from sensitive pages
Google Analytics on Healthcare Websites
Google Analytics presents similar risks. While Google offers a BAA through Google Cloud Platform, standard Google Analytics (Universal Analytics or GA4) does not include a BAA in its standard terms of service. Using GA4 on patient-facing pages without a BAA is a potential HIPAA violation.
Options for healthcare organizations that need analytics:
- Deploy GA4 only on public marketing pages, never on authenticated pages or condition-specific pages
- Use Google Analytics 360 through a Google Cloud account with an activated BAA (verify that GA4 is specifically covered)
- Switch to a HIPAA-compliant analytics alternative such as Matomo (self-hosted), HIPAA-compliant server-side analytics, or analytics tools specifically designed for healthcare
- Implement server-side tag management to control exactly what data is sent to analytics platforms
Compliant Alternatives for Healthcare Analytics
Healthcare organizations do not need to operate blind — there are compliant ways to gather website analytics and run effective digital marketing:
- Matomo (self-hosted): Open-source analytics platform that keeps data on your own servers. No BAA needed with a third party. Requires server setup and maintenance.
- Server-side tracking: Route analytics data through your own server before sending it to analytics platforms, stripping PHI before transmission.
- Aggregate analytics: Use server-side log analysis tools that provide traffic insights without individual-level tracking.
- HIPAA-specific analytics vendors: Several vendors have emerged specifically to serve the healthcare analytics market with BAAs and compliant data handling.
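The server-side tag management and server-side tracking options above both come down to one filter that decides, per event, what may leave your server. The following is an added example written for this page, not code from any vendor or from the OCR bulletin; the route prefixes, the raw event field names and the sample events are assumptions and should be replaced with your site's own routing.

```python
from typing import Optional
from urllib.parse import urlsplit
import ipaddress

# Hypothetical route prefixes; replace with the site's own routing.
BLOCKED_PREFIXES = ("/portal", "/login", "/appointments/confirm")   # authenticated, login, confirmation
SENSITIVE_PREFIXES = ("/conditions/", "/find-a-doctor", "/treatments/")  # public but health-linked

def coarsen_ip(ip: str) -> str:
    """Zero the host bits (IPv4 /24, IPv6 /48) so the value no longer points at one visitor."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False).network_address)

def sanitize_event(event: dict) -> Optional[dict]:
    """Return the minimized event to forward to the analytics vendor, or None to drop it.

    Raw event fields (constructed for this example): url, referrer, ip, user_agent, client_id,
    event. Only the keys built below are ever forwarded; referrer, user agent, client id and
    the query string are discarded unconditionally.
    """
    path = urlsplit(event.get("url", "")).path or "/"
    if path.startswith(BLOCKED_PREFIXES):
        return None  # portal, login and confirmation traffic never leaves the server
    out = {"event": event.get("event", "page_view")}
    if path.startswith(SENSITIVE_PREFIXES):
        # Condition, doctor-search and treatment pages: report the section only, with no
        # network-level fields that could tie the specific page to an individual.
        out["page_path"] = "/" + path.split("/")[1] + "/"
        return out
    out["page_path"] = path  # public marketing page: the path is fine, the query string is not
    if "ip" in event:
        out["ip_prefix"] = coarsen_ip(event["ip"])
    return out

# Constructed sample events, shaped like what a server-side tag endpoint might receive.
SAMPLE_EVENTS = [
    {"url": "https://example-clinic.test/portal/messages?id=42", "ip": "203.0.113.77",
     "user_agent": "Mozilla/5.0", "client_id": "c1"},
    {"url": "https://example-clinic.test/conditions/diabetes?utm_source=fb", "ip": "203.0.113.77",
     "referrer": "https://www.facebook.com/", "user_agent": "Mozilla/5.0", "client_id": "c2"},
    {"url": "https://example-clinic.test/about-us?utm_campaign=spring", "ip": "203.0.113.77",
     "user_agent": "Mozilla/5.0", "client_id": "c3"},
]

def forwarded(events=SAMPLE_EVENTS) -> list:
    """Apply the filter to a batch; the result is all that would be sent onward."""
    return [e for e in (sanitize_event(ev) for ev in events) if e is not None]
```

The allow-list shape matters: a new raw field added by the front end is dropped by default rather than leaking until someone notices.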
For advertising, use privacy-safe audience targeting based on contextual signals rather than behavioral tracking from patient-facing pages.