Website Compliance
Pixel Tracking in Healthcare: What to Remove and Why
Pixel tracking in healthcare has moved from a technical curiosity to a litigation target—here's what the regulatory landscape requires and how to act on it.
This article is for healthcare providers, health system marketing teams, digital agencies serving covered entities, and business associates managing patient-facing websites.
What You Need to Know
- The HHS Office for Civil Rights has issued guidance stating that tracking technologies on authenticated and unauthenticated healthcare web pages can constitute impermissible disclosures of protected health information (PHI) under HIPAA.
- Pixels that transmit individually identifiable health information to third-party vendors without a valid Business Associate Agreement (BAA) create direct regulatory exposure for covered entities.
- Removal alone is not sufficient—organizations must also assess what was collected, whether a breach occurred, and whether notification obligations were triggered.
What's Driving the Scrutiny
In December 2022, OCR issued a bulletin specifically addressing tracking technologies on HIPAA-regulated websites. The bulletin clarified that commonly used tools—including pixels embedded on appointment scheduling pages, condition-specific landing pages, and patient portals—can capture and transmit PHI to third parties without patient authorization.
That guidance did not create new law. It clarified how existing HIPAA requirements apply to a category of technology that had been treated, incorrectly, as outside the regulated perimeter.
The Gap
The compliance failure here is architectural. A tracking pixel is typically a one-pixel image or a JavaScript snippet embedded in a webpage; it fires when a visitor loads the page and sends a request describing that visit to a third-party platform, often an advertising network or analytics provider. The request usually carries the full page URL (including the query string), the referrer, the page title, the visitor's IP address, and a persistent cookie or device identifier, which is what lets the vendor tie the visit to a known individual.
On a general retail site, that's routine marketing infrastructure. On a page where a user is searching for oncology appointments, mental health services, or prescription refill options, the page visit itself can constitute protected health information. The user's IP address, the URL they visited, and the action they took can combine to identify a person and associate them with a health condition.
OCR's December 2022 bulletin stated that regulated entities must ensure tracking technology vendors either sign a BAA—if they qualify as business associates—or receive no PHI at all. Most major advertising and analytics platforms have declined to sign BAAs for their standard tracking products. That means the only compliant path, for those vendors on regulated pages, is removal.
⚠ The source material for this article is OCR guidance and established HIPAA requirements. Specific pixel vendor names and litigation outcomes are not cited here; verify current BAA availability and settlement records directly through OCR and DOJ public records. Note also that the portion of the bulletin addressing unauthenticated pages has been litigated and revised since its original publication, so confirm the current text of the bulletin on the HHS website before relying on any particular reading of it.
The litigation pattern reinforces the guidance. Pixel tracking in healthcare has become an active area for both class action plaintiffs and government enforcement interest. Hospitals and health systems have faced suits alleging that pixels on symptom checkers, provider search tools, and patient portal login pages transmitted PHI to advertising platforms without authorization. The argument is structurally simple: the website sent data; the data identified a person and implied a health condition; no authorization existed.
---
What to Do
- Inventory every pixel and tag on every patient-facing page. Use a tag management audit or crawl tool to identify all third-party scripts firing on appointment pages, condition pages, provider directories, patient portal entry points, and any page where a health-related action can occur. Inspect what the browser actually requests at runtime (network traffic, not just the page source), because tag managers and loader snippets inject additional pixels after the page loads and those will not appear in a static scan of the HTML. Do not limit this audit to authenticated pages: OCR's guidance explicitly covers unauthenticated pages where health information can be inferred from page content or URL structure.
- Assess each vendor against your BAA inventory. For every pixel identified, determine whether the receiving vendor has signed a BAA. If no BAA exists and the pixel fires on a regulated page, that gap is the exposure point. Do not assume a vendor's general terms of service or data processing addendum satisfies BAA requirements—they are distinct instruments with distinct legal obligations under HIPAA.
- Remove pixels that cannot be covered by a BAA from regulated pages. This is the operative step. If a vendor won't sign a BAA and the pixel fires on a page where PHI can be inferred or transmitted, removal is the required action under current OCR guidance. Geofencing the pixel or suppressing it for logged-in users is not a substitute for removal where unauthenticated page content alone constitutes PHI exposure.
- Conduct a breach risk assessment for historical pixel activity. Removal resolves the forward-looking problem. It does not resolve what happened before removal. OCR guidance indicates that prior impermissible disclosures may trigger breach notification obligations under the HIPAA Breach Notification Rule. Engage your privacy counsel to evaluate the period of pixel activity, the pages involved, and the data that was transmitted.
- Document everything. Maintain records of the audit, the removal actions taken, the dates, the vendors contacted, and the breach risk assessment outcome. Enforcement and litigation both create discovery obligations—organizations that removed pixels quietly and kept no records are in a worse position than those who documented a structured remediation process.
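The first three steps above (inventory the tags, check each receiving host against the BAA inventory, decide what has to come off regulated pages) can be driven from a script. The following is an added example written for this article, not a tool from OCR or from any vendor. It takes page HTML that has already been fetched, collects every host a script, image, or iframe would load (plus URLs embedded in inline loader snippets), and classifies each third-party host as covered by a BAA, to be removed (regulated page, no BAA), or to be reviewed (non-regulated page, no BAA). The first-party domain, the BAA allowlist, the regulated path patterns, and the sample pages are all assumptions constructed for the demo; a real audit would feed it the site's actual pages and follow up with a runtime network capture, since a static scan cannot see tags injected by a tag manager.

```python
"""Static tag audit for patient-facing pages (illustrative, added example).

Takes page HTML already fetched and reports every third-party host that a
<script>, <img> or <iframe> would request, then classifies each hit as
covered (BAA in place), remove (regulated page, no BAA) or review.
All hostnames, path patterns and sample HTML below are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

FIRST_PARTY_DOMAIN = "example-health.org"             # assumed first-party domain
BAA_COVERED_HOSTS = {"analytics.baa-vendor.example"}  # assumed BAA inventory
REGULATED_PATH_PATTERNS = [                            # assumed URL structure
    r"^/appointments?(/|$)", r"^/conditions?/", r"^/find-a-(doctor|provider)",
    r"^/portal(/|$)", r"^/symptom-checker", r"^/pharmacy/refill",
]
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src"}
URL_IN_JS = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


class TagCollector(HTMLParser):
    """Collects (tag, host) pairs from src attributes and inline-script URLs."""

    def __init__(self):
        super().__init__()
        self.hits = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                host = urlparse(value).hostname   # handles //host/... too
                if host:
                    self.hits.append((tag, host.lower()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Loader snippets inject the real pixel at runtime; the literal URL
        # inside the snippet is the best static hint of where it will go.
        if self._in_script:
            for host in URL_IN_JS.findall(data):
                self.hits.append(("inline-script", host.lower()))


def is_third_party(host):
    return host != FIRST_PARTY_DOMAIN and not host.endswith("." + FIRST_PARTY_DOMAIN)


def is_regulated_path(path):
    return any(re.search(p, path) for p in REGULATED_PATH_PATTERNS)


def audit_page(page_url, html):
    """One finding per distinct third-party (tag, host) load on the page."""
    collector = TagCollector()
    collector.feed(html)
    regulated = is_regulated_path(urlparse(page_url).path or "/")
    findings = []
    for tag, host in sorted(set(collector.hits)):
        if not is_third_party(host):
            continue
        if host in BAA_COVERED_HOSTS:
            action = "covered"
        elif regulated:
            action = "remove"
        else:
            action = "review"
        findings.append({"page": page_url, "tag": tag, "host": host,
                         "regulated_page": regulated, "action": action})
    return findings


SAMPLE_PAGES = {  # constructed HTML for the demo, not from any real site
    "https://www.example-health.org/appointments/oncology": """
<html><head>
<script src="https://analytics.baa-vendor.example/tag.js"></script>
<script>
  (function(){var s=document.createElement('script');
   s.src='https://cdn.tagplatform.example/loader.js';document.head.appendChild(s);})();
</script>
</head><body>
<h1>Book an oncology appointment</h1>
<img src="//ads.tracker.example/px.gif?ev=PageView" width="1" height="1" />
<img src="/static/logo.png" />
</body></html>""",
    "https://www.example-health.org/about/leadership": """
<html><body><h1>Leadership</h1>
<img src="https://ads.tracker.example/px.gif?ev=PageView" width="1" height="1" />
</body></html>""",
}


def run_audit(pages=SAMPLE_PAGES):
    report = []
    for url, html in pages.items():
        report.extend(audit_page(url, html))
    return report


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['action']:8} {f['tag']:14} {f['host']:32} {f['page']}")
```

On the constructed sample, the oncology appointment page yields two "remove" findings (the image pixel and the host named in the inline loader) and one "covered" finding for the host on the BAA list, while the same ad pixel on the leadership page is flagged "review" rather than "remove" because that path is not in the regulated set. Keep the report output as part of the audit record described in the documentation step.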
If you're unsure whether your website's tag infrastructure holds up to scrutiny, get in touch.