How to use tracking pixels and be HIPAA compliant

Currently, no helpful guidance on tracking pixels use in the healthcare industry exists. Healthcare providers, however, need support as online tracking can pose a risk to protected health information (PHI). Under HIPAA, covered entities are prohibited from sharing PHI with third parties without expressed consent. Healthcare organizations that handle PHI must ensure that the tools they use, including tracking pixels, are HIPAA compliant.

There have been recent calls for clearer regulation on how to use tracking pixels without compromising PHI or violating HIPAA. Until this occurs, the only way to use tracking pixels within compliance is to remove PHI altogether or not use tracking technology. 

See also: HIPAA compliant email: The definitive guide

What are tracking pixels?

Online tracking is a process in which user interaction is monitored and recorded to customize offers and online engagement. Tracking gathers information to measure the success of audience reach, marketing campaigns, and targeting strategies.

It typically involves tracking technologies embedded within ads or websites, such as cookies, pixels, or software development kits (SDKs). Tracking pixels are embedded in websites as code that releases information to other companies, notably Facebook and Google. Common data collected include IP addresses, personally identifiable information, device and browser information, and browsing activity.

Top two tracking pixel companies

Google Tag Manager is designed to inject tracking code like Google Analytics into a website or mobile app. It provides a centralized interface to add, modify, and control various tags. According to Google, Tag Manager does not collect, retain, or share any information about visitors, including web page URLs visited. It could, however, be considered a vehicle to deploy other services that, in turn, handle PHI.

Meta Pixel, previously known as Facebook Pixel, is a snippet of code that logs visitor activity for marketing and advertising purposes. It works with Meta products and reports visitor behavior, enables conversion tracking, and gathers information for retargeting.

Learn about: Are retargeting ads HIPAA compliant?

Tracking pixel use in healthcare

A study published in 2023 by Health Affairs reveals that almost 99% of US hospital websites use third-party tracking. These third parties include large technology companies, social media companies, advertising firms, and data brokers. Tracking technologies collect all sorts of information, including data that could directly link to PHI without consent.

While useful for analytics and advertising, these technologies potentially compromise PHI security, a clear violation of HIPAA. 

The misuse of tracking pixels could lead to targeted advertising related to a medical condition, possible privacy breaches, and potential legal liabilities. Healthcare organizations across the country are currently facing problems over the potential release of sensitive information to other businesses through trackers.

Meta is currently being sued by defendants who say that tracking by Meta Pixel on hospital websites violates their privacy. Packets of information were sent to Facebook, including medical conditions, doctors' names, and medication details. In response to the lawsuits, Meta claims that the hospitals that use the tool, rather than Meta, are liable.

As hospitals facilitate the profiling of patients by third parties through tracking pixels, they expose themselves to potential issues. These dangers could include HIPAA violations, which carry hefty fines and long-term corrective action plans.

Case studies

Mount Nittany Health faces a lawsuit alleging the disclosure of PHI to companies like Facebook without individual knowledge or consent. Information possibly exposed includes medical conditions, providers, and locations. The lawsuit is seeking damages of more than $1 million. 

The Federal Trade Commission (FTC) recently fined BetterHelp, an online therapy platform, $7.8 million for exposing PHI to trackers. Accordingly, BetterHelp must obtain user consent, implement a comprehensive security program, and undergo biennial assessments to ensure compliance. 

Monument, an online alcohol recovery business, disclosed to the Office for Civil Rights (OCR) that it shared data with advertisers. Approximately 100,000 patients had PHI, such as addresses, dates of birth, and phone numbers, disclosed. According to the company's breach announcement, it stopped using tracking technologies by February 23, 2023.

Telehealth company Cerebral reportedly shared patient data with Google, Meta, and TikTok. Cerebral stated that it shared information on 3.1 million patients for advertising purposes. PHI breached included names, dates of birth, and medical histories. Cerebral believes it did not violate HIPAA.

More info: Sensitive health data shared with tech giants by major pharmacies

Healthcare guidance on tracking pixels

Historically, federal privacy regulations inadequately addressed third-party tracking and how it poses a risk to healthcare. Given the recent discussions, however, regulators are taking a closer look at healthcare organizations that utilize tracking technology.

In December 2022, OCR clarified that HIPAA does apply to healthcare websites that use tracking codes. The HIPAA rules apply when tracking technologies include PHI, and the sharing may not be authorized. A good example of this is using tracking technology vendors for marketing purposes. Accordingly, these organizations could face potential fines and penalties if found in violation. The prevalence of third-party trackers on hospital websites suggests that this 2022 guidance has not yet led to widespread change.

In March 2023, the FTC released information on the hidden impact of and concern over tracking pixels. According to the FTC, the concerns center on the following:

• Widespread use of unavoidable, invisible pixels
• Lack of clarity around data collection and use
• Fear that personal information may not be effectively removed

This release then led to OCR and the FTC issuing a warning in July (published recently) to 130 hospital systems and telehealth providers. The idea was to emphasize the risks and concerns about tracking technologies.

Arguments against the guidance

In May 2023, the American Hospital Association (AHA) argued against OCR's guidelines and asked the agency to reconsider website tracking. The open letter wants OCR to suspend or amend its guidance immediately. Rather than protect patients, such strict legislation could harm them (and healthcare organizations) instead. For example, AHA mentions that the treatment of IP addresses as PHI could limit public access to credible health information.

Soon after the letter's release, Senator Bill Cassidy asked for additional information, which AHA communicated in September 2023. The updated AHA letter reiterates the harm a ban on tracking technologies could have. AHA supports the existing HIPAA framework but does not believe it concerns tracking technologies.

In other words, there is still discussion on if tracking constitutes a HIPAA violation. While federal agencies continue to evaluate the situation, healthcare organizations must learn to navigate and/or avoid tracking pixels.

HIPAA compliance and the use of tracking pixels

The widespread use of third-party tracking on healthcare websites may pose significant risks to patients and may result in liabilities. While awaiting clarity on regulations, healthcare organizations should adopt a proactive approach to security. The following measures encourage all healthcare organizations to take an offensive position when protecting patient data.

• Implement HIPAA policies and procedures and keep up to date on regulation changes.
• Review online practices and where and how information is stored or moved.
• Conduct risk assessments to identify areas of vulnerability.
• Publicly identify the use of tracking technology and ensure individual consent before sharing any information and using trackers.
• Follow the minimum necessary rule for PHI on front-facing websites and mobile apps.
• Work with HIPAA compliant tracking vendors that will sign a business associate agreement (BAA).
• Confirm that these third-party vendors use similar security methods.
• Utilize other necessary HIPAA compliant administrative, physical, and technical safeguards.
• Train staff on HIPAA regulations and tracking practices
• Have a breach plan in place to minimize damage if one occurs.

Be smart and stay HIPAA compliant

At present, the OCR guidelines plainly state, "Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI . . ."

Healthcare organizations should consider paying closer attention to their data protection programs and consider alternatives to third-party tracking. As more healthcare entities reveal that they use third-party tracking, allegations, and breaches will likely continue. This is why further federal guidance on the subject would be beneficial.