Can we use tracking pixels like Meta or Google Analytics on our site without violating HIPAA?
You can use a tracker only when its actual implementation does not make an impermissible disclosure of protected health information (PHI) or other protected consumer health data. A sitewide Meta Pixel or Google Analytics tag is not a safe default: Google's HIPAA and Analytics guidance says it offers no business associate agreement for Google Analytics and Analytics must not receive PHI, while Meta's Business Tools Terms prohibit health and other sensitive information. A cookie banner does not turn a prohibited or unauthorized disclosure into a permitted one.
“HIPAA-safe pixel” is the wrong unit of analysis
A pixel is a delivery mechanism. The risk lives in the data flow: what leaves the browser or app, what context travels with it, who receives it, what that recipient is allowed to do with it, and how the data will be used later.
A pageview can carry a URL, page title, referrer, IP address, device or advertising identifier, and campaign parameters. An event can add a button label, appointment status, form value, or user identifier. A seemingly generic conversion such as appointment_complete becomes much more revealing when it is paired with an identifiable visitor, a specialty-specific URL, or intake data. Moving the same event through a server-side container changes the route; it does not automatically change the disclosure.
Before assigning the cleanup, use the agency readiness audit to see whether tracking ownership, clinical review, and approvals are clear enough to brief outside help. The promise a patient sees and the data sent behind the page need to agree.
If you are a HIPAA covered entity or business associate
HHS/OCR's online-tracking bulletin says tracking technologies on authenticated pages, including patient portals and telehealth platforms, generally have access to PHI. When a tracking vendor creates, receives, maintains, or transmits PHI on behalf of a regulated entity, the entity must have an applicable Privacy Rule permission, disclose only the minimum necessary when that standard applies, and enter into a business associate agreement (BAA) with a vendor that actually qualifies as a business associate.
A BAA is necessary in that situation, but it is not a hall pass. It does not make an otherwise impermissible use permissible, and the contract must match the vendor's real services, downstream data use, safeguards, and breach duties.
Public pages need a more careful read because of a court-imposed limit on the HHS guidance. On June 20, 2024, a federal court vacated the bulletin only to the extent it treated the combination of an IP address and a visit to an unauthenticated public page about a health condition or provider as enough, by itself, to trigger HIPAA. That narrow ruling means the bare IP-plus-page-visit theory is not an automatic trigger. It did not exempt appointment requests, form inputs, logged-in activity, or other identifiable care-related data.
If HIPAA does not apply to your company or product
“Not covered by HIPAA” does not mean “unregulated.” The FTC's consumer-health data guidance says the FTC Act applies to HIPAA-covered entities and business associates as well as companies outside HIPAA. It also identifies behind-the-scenes tracking that shares sensitive health data against a company's privacy promises as an FTC Act violation. Certain non-HIPAA health apps, websites, and connected products may also be covered by the Health Breach Notification Rule.
Under the FTC's current Health Breach Notification Rule guidance, an unauthorized disclosure by the company itself, not only a hack, can trigger notice duties. Affected people must be notified without unreasonable delay and within 60 calendar days. A breach involving 500 people or more requires notice to the FTC at the same time as notice to affected people, also no later than 60 days after discovery.
The numbers turn an abstract privacy review into an operating risk. The FTC's GoodRx action carried a $1.5 million civil penalty and noted that more than 55 million consumers had visited or used GoodRx's site or apps since January 2017. The FTC's final BetterHelp order required $7.8 million in payments and banned sharing health data for advertising and personal information for retargeting. These cases show why email addresses, IP addresses, questionnaire data, and advertising use cannot be reviewed in separate silos.
State law can add obligations as well. The FTC notes that its Health Breach Notification Rule does not displace state breach laws that impose additional, non-conflicting requirements. Your review therefore needs the states tied to your patients and users, not just a federal HIPAA checkbox.
A consent banner is not a HIPAA authorization
HHS is explicit on this point: a privacy policy, terms of use, or notice does not by itself permit a disclosure of PHI to a tracking vendor, and a website banner that asks someone to accept cookies is not a valid HIPAA authorization. If PHI will be disclosed and either no applicable Privacy Rule permission exists or the vendor is not acting as a business associate, HHS says a HIPAA-compliant authorization is required before disclosure. Vendor terms and other federal or state rules still apply even when an authorization is involved.
The practical distinction is simple. A banner manages a user's browser choice. A HIPAA authorization has specific legal elements and addresses a defined use or disclosure. Neither a banner nor a dense privacy policy can repair data that was already sent before the required permission was in place.
What to do before you turn tracking back on
This is strategic guidance, not legal advice; have privacy counsel validate the implementation and state-specific exposure. Until that review is complete, pause third-party advertising and analytics tags on the highest-risk surfaces, including authenticated areas, intake, scheduling, patient messaging, payment, and portal pages.
-
Build a data-flow inventory. List every pixel, analytics tag, tag manager, software development kit, chat widget, scheduler, session-replay tool, advertising API, and server-side destination. For each one, record the exact fields sent, trigger, page, recipient, subprocessors, retention period, permitted reuse, and deletion path. Inspect live network requests; a configuration spreadsheet is not proof of what the browser sends.
-
Classify pages and events, not just domains. Separate general corporate pages from care-related public pages, intake and appointment flows, authenticated portals, and apps. Then classify every event and parameter on those surfaces. A generic event name does not neutralize a revealing URL, query string, form field, device identifier, or account link.
-
Map the legal lane for each flow. Confirm whether each operating entity is a HIPAA covered entity, a business associate, a non-HIPAA consumer health product, or more than one of those in different contexts. Add FTC and state-law review. Do not assume the legal status of the parent company answers the question for every product, clinic, app, and vendor relationship.
-
Review the vendor, product, and contract together. Ask whether the vendor will receive PHI, whether it is willing and able to act as a business associate for that specific service, and whether its product terms permit the proposed data. Google, for example, says Analytics has no BAA and should appear only on pages that are not HIPAA-covered. Meta's terms prohibit health and other sensitive information in Business Tool Data. If nobody owns this review internally, decide whether to hire a healthcare growth agency or build in-house before scaling.
-
Minimize before you optimize. Default-deny tags on high-risk surfaces. Remove form capture, user IDs, email addresses, free text, query strings, granular event names, and advertising features unless each field has a documented purpose and permission. Do not call data de-identified merely because it is hashed or routed through an intermediary; HHS identifies Expert Determination and Safe Harbor as the two methods that can satisfy the Privacy Rule's de-identification standard. Test the released configuration again after every tag, page, or consent-management change.
-
Replace risky user-level measurement and retargeting. Use aggregate first-party reporting in an appropriately governed environment, channel-specific landing pages or campaign codes, and aggregate counts of qualified inquiries or completed bookings. Consider time- or market-based incrementality tests when they can be run without exposing individual health behavior. For acquisition, contextual campaigns and platform-defined broad audiences avoid building lists from care-seeking behavior. Google lists health among its sensitive-interest categories and bars advertiser-curated audiences for those categories. Platform permission is not legal clearance, so validate the final design rather than treating any one alternative as universally safe. If an outside partner will manage campaigns, review what to settle before you hire an agency and make the data restrictions contractual before any tag deployment.
-
Make tag governance an operating process. Keep an approved-tag register, name an owner, require privacy review before new events launch, monitor unexpected network calls, and rerun the assessment when pages, vendors, consent tools, or campaign goals change. HHS says tracking technologies that access electronic PHI belong in the regulated entity's risk analysis and risk-management process, not in a one-time marketing setup ticket.
Where the line actually is
From Pranay Parikh, MD:
The line gets crossed the moment an identifier attaches to a signal about what care someone wants. It is not one fixed event. It moves with your architecture. A condition-first company crosses it at the product page. A category site crosses it at the section click. A single-service telehealth brand crosses it at the ad click itself, because every ad already names the condition. That last case is why Cerebral's exposure was so much larger than the team likely understood. The whole funnel carried clinical meaning from the first touch.
What I tell growth teams to measure instead: the completed treatment event alone, keyed to the click identifier, forwarded server-side through a HIPAA-compliant intermediary that strips patient data before it reaches Meta or Google. The platforms optimize just as well on that signal. They never need to see the condition. Everything else stays inside the clinical system where the business associate agreement covers it: care category, page path, intake answers, per-condition conversion rates.
Finding that line for your own architecture is the first thing to do, before anyone writes an ad.
Before you turn another tag back on, run the marketing triage quiz and choose the privacy-and-tracking path; the output should tell your marketing, engineering, privacy, and legal owners what needs review first. For the larger system around privacy, trust, positioning, and acquisition, continue through the Marketing Triage diagnostic.
One of seven patterns. This is one of the seven patterns regulators keep flagging in telehealth advertising. See all seven, with the enforcement language behind each one.
Frequently asked questions
Is the Meta Pixel HIPAA compliant?
No pixel is HIPAA compliant in the abstract. The answer depends on whether your implementation discloses PHI, whether the disclosure is permitted, the vendor's role and contract, and the later use of the data. Meta's Business Tools Terms also prohibit sending health or other sensitive information, so do not send it merely because a tag can technically accept it.
Is Google Analytics HIPAA compliant?
Google says it does not offer a BAA for Google Analytics and that HIPAA-regulated entities must not expose PHI to Analytics. Google advises those entities not to place Analytics tags on authenticated pages and to use Analytics only on pages determined not to be HIPAA-covered.
Does a cookie banner make pixels HIPAA compliant?
No. HHS says a cookie banner is not a valid HIPAA authorization, and a privacy policy or terms notice does not by itself permit disclosure of PHI to a tracking vendor.
Did the 2024 court ruling make pixels safe on public healthcare pages?
No. The court vacated one HHS interpretation: that an IP address combined with a visit to an unauthenticated public page about a condition or provider automatically triggered HIPAA. The ruling did not create a blanket exemption for other identifiable care-related data, authenticated activity, forms, appointment flows, or apps.
Can a non-HIPAA health app use health data for retargeting?
HIPAA may not govern that app, but the FTC Act, the FTC Health Breach Notification Rule, vendor policies, and state law may still apply. The FTC says an unauthorized disclosure by a covered health app can be a reportable breach even when the company, not an outside attacker, made the disclosure.
What can we measure if user-level retargeting is too risky?
Start with aggregate first-party funnel counts, campaign or landing-page codes, channel-level cost and qualified-inquiry reporting, and carefully designed incrementality tests. Use contextual or otherwise non-user-level acquisition where possible, and submit the exact data flow, not a product label, to privacy and legal review.