So, Does HIPAA Require a Public Notice About Tracking Tools?

Posted December 4, 2025


HIPAA does NOT require a separate “Tracking Technologies Notice.”


There is no regulation specifically for “tracking code/pixel policies.” However, under 45 C.F.R. § 164.530(i), covered entities must implement policies and procedures with respect to PHI that are designed to comply with the Privacy Rule and the Breach Notification Rule.


Attention: HIPAA DOES require:

  • A Notice of Privacy Practices that accurately reflects all uses/disclosures of PHI
  • Policies and procedures addressing the organization’s real data practices
  • Vendor contracts (BAAs) when PHI is shared
  • Authorization when disclosures fall outside allowed uses

If tracking technologies create previously undisclosed disclosures of PHI to advertisers, analytics companies, or social media platforms, then:


HIPAA requires those practices to be disclosed, regulated, contractually controlled, monitored, and restricted—just like any other PHI disclosure.


Also, patients cannot consent to something they were never told about.


A hidden pixel is not informed consent.


Let me say this again…

HIPAA does not require the Notice of Privacy Practices to explicitly list the names of tracking technologies (example: “Google Pixel” or “Adobe Analytics”). But regulators expect that an NPP accurately reflects the organization’s real data practices.


If a health plan is disclosing PHI to third-party tracking vendors, and this practice is not covered by an existing HIPAA permission, then:

**The NPP is no longer accurate—and that, by itself, is a HIPAA violation.**


Why This Issue Matters So Much


Tracking technologies can reveal diagnoses and treatment interests.


Tracking code can also provide website owners with valuable information on site usage, and that data can be used to improve websites for the benefit of visitors. The privacy-related issue is that the same code can record website interactions, such as the pages visited, how visitors arrived at the website, and the sites they went to when they left.


Here is something to think about…

  • Searching for oncology services signals cancer-related concerns.
  • Viewing mental-health pages may signal a mental disorder or mental illness.
  • Clicking on websites about sexually transmitted diseases, well, you get the picture.
  • These digital traces are legally protected medical information.
  • Key point to remember: By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties.

Website tracking technologies, such as pixels, are used extensively on websites to track user activity.


Researchers at the University of Pennsylvania conducted a study of hospital websites and published their findings in Health Affairs. They used an open-source tool called WebXray to identify third-party tracking code and recorded the data requests made from the hospital websites over a 3-day period in 2021. They found that 98.6% of the hospitals used at least one type of tracking code on their websites that transferred data to third parties.


The third parties that most commonly received data were Alphabet (Google) – 98.5% of websites, Meta (Facebook) – 55.6% of websites, and Adobe Systems – 31.4% of websites. Other third parties that commonly received visitor data include AT&T, The Trade Desk, Oracle, Verizon, Rubicon Project, Amazon, Microsoft, Hotjar, StackPath, Siteimprove, Cloudflare, and Acxiom.
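The kind of check the study describes, in miniature: the script below is an added example written for this post (it is not the WebXray tool and not code from the cited study). It parses a page's HTML with the Python standard library, lists every resource the browser would request from a domain other than the site's own, flags 1x1 images as pixels, and labels the recipient using a small constructed tracker map. The hospital name, page URL, tracker list and sample HTML are all constructed for the example; it reads static HTML only, so tags injected at runtime by JavaScript (for example by a tag manager) are not seen.

```python
"""Added example, not from the original post: a minimal static audit that lists the
third parties a hospital web page would send requests to, in the spirit of the
WebXray scan the cited study used. Standard library only; it does not execute
JavaScript, so tags injected at runtime (for example by a tag manager) are not seen.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed, illustrative mapping of tracker hostnames to the organisation that
# receives the data. A real audit would use a maintained tracker list.
KNOWN_TRACKERS = {
    "www.google-analytics.com": "Alphabet (Google)",
    "www.googletagmanager.com": "Alphabet (Google)",
    "connect.facebook.net": "Meta (Facebook)",
    "www.facebook.com": "Meta (Facebook)",
    "bat.bing.com": "Microsoft",
    "assets.adobedtm.com": "Adobe Systems",
}

# Tags whose URL attribute makes the browser issue a request when the page renders.
SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL, is_pixel) for every resource the page would fetch."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = SRC_ATTRS.get(tag)
        if attr_name is None:
            return
        attr_map = dict(attrs)
        # Only stylesheet links are fetched here; canonical/alternate links are not requests.
        if tag == "link" and "stylesheet" not in (attr_map.get("rel") or "").lower():
            return
        value = attr_map.get(attr_name)
        if not value:
            return
        # A 1x1 image whose only purpose is to fire a request is the classic tracking pixel.
        is_pixel = tag == "img" and attr_map.get("width") == "1" and attr_map.get("height") == "1"
        self.resources.append((tag, urljoin(self.base_url, value), is_pixel))


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); a real tool would consult the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_page(html, page_url):
    """Return {hostname: {"tag", "pixel", "recipient"}} for each third-party resource.

    Tracker scripts normally read the page URL themselves and send it with the
    request (the Referer header may also carry it, depending on the page's referrer
    policy), so the path the visitor was on, such as an oncology page, reaches the
    third party even when no identifier is placed in the request explicitly.
    """
    first_party = registrable_domain(urlparse(page_url).hostname or "")
    collector = ResourceCollector(page_url)
    collector.feed(html)
    findings = {}
    for tag, url, is_pixel in collector.resources:
        host = urlparse(url).hostname
        if not host or registrable_domain(host) == first_party:
            continue  # same-site resources do not create a third-party disclosure
        findings[host] = {
            "tag": tag,
            "pixel": is_pixel,
            "recipient": KNOWN_TRACKERS.get(host, "unknown third party"),
        }
    return findings


# Constructed sample page for a fictional hospital; the tracker URLs are illustrative.
PAGE_URL = "https://www.example-hospital.org/services/oncology"
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://cdn.example-hospital.org/site.css">
<link rel="canonical" href="https://www.example-hospital.org/services/oncology">
</head><body>
<h1>Oncology services</h1>
<img src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView&noscript=1" width="1" height="1">
<iframe src="https://www.example-hospital.org/schedule"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host, info in audit_page(SAMPLE_HTML, PAGE_URL).items():
        kind = "pixel" if info["pixel"] else info["tag"]
        print(f"{host:30} {kind:8} -> {info['recipient']}")
```

Run against the sample page, the audit reports the tag-manager script and the Facebook pixel and ignores the hospital's own CDN and scheduling iframe. For a compliance inventory, the useful output is the recipient column: every organisation listed there either needs a Business Associate Agreement or must not be receiving requests from pages where the visitor can be identified.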


Attention: The Health Insurance Portability and Accountability Act (HIPAA) does not permit the use of these technologies unless certain conditions are met, because the tracking code can collect individually identifiable health information.


Companies receiving PHI through pixels are not “healthcare providers.”


Google, Microsoft, X, and Adobe are not covered entities. Without a Business Associate Agreement, they have no obligation to follow HIPAA.


Yet they were receiving patient identifiers, browsing behavior, and medical interest indicators.


Kaiser Foundation Health Plan: A Real-World Example


The Kaiser case illustrates how tracking technologies can lead to PHI exposure on a massive scale.

Kaiser Foundation Health Plan:

  • Embedded pixels from Google, Microsoft Bing, Adobe, X (Twitter), and other third parties
  • Across both public-facing websites and authenticated mobile apps
  • Resulting in the sharing of sensitive browsing behavior, identifiers, and portal activity
  • All without patient authorization and without HIPAA-required safeguards

What patients viewed on Kaiser’s website—mental health topics, appointment scheduling pages, maternity information, chronic disease content—could all be linked back to them through digital identifiers.


Outcome: Kaiser Permanente has agreed to pay up to $47.5 million to settle a class action lawsuit regarding this issue.


Kaiser’s case is not unique. The FTC and OCR have launched investigations across the industry, and dozens of class action lawsuits are now pending nationwide for similar tracking disclosures.


The Kaiser example underscores that healthcare organizations must treat pixels as potential PHI conduits—not harmless marketing tools.


What OCR (the HIPAA Enforcement Agency) Has Said About Tracking Technologies


The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued its official bulletin on tracking technologies in 2022, updated in 2024.


OCR was direct:

**If tracking technologies collect identifiable health information, it is PHI.**

**And PHI cannot be disclosed to tracking vendors without either:**

**(1) a Business Associate Agreement, or**
**(2) a valid HIPAA authorization from the individual.**


OCR also clarified:

  • A website privacy policy does not replace HIPAA authorization.
  • A cookie banner does not substitute for HIPAA compliance.
  • “De-identified” data must meet HIPAA de-identification standards, not marketing-industry standards.

Print it. Share it. Act on it.


DLH-Enterprises 5150 is your HIPAA compliance partner.


Visit DLHEnterprises5150.com to schedule training or consultation.


Resources:

  1. Alder, S. (April 6, 2023). 99% of Hospitals Use Website Tracking Code That Transmits Data to Third Parties. HIPAA Journal.
  2. Friedman, A. B., et al. (April 2023). Widespread Third-Party Tracking On Hospital Websites Poses Privacy Risks For Patients And Legal Liability For Hospitals. Health Affairs, Vol. 42, No. 4.
  3. McGhee, M. (Dec. 2, 2025). Class Action Litigation Alleges Web Trackers Shared Patient Data With Tech Firms. GovInfo Security.

Keeping YOU on Track
