HIPAA Compliance for Marketing Agencies: When You Become a Business Associate
A marketing agency becomes subject to HIPAA the moment it creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity, which makes it a business associate under 45 CFR § 160.103. At that point the agency must sign a Business Associate Agreement (BAA) under 45 CFR § 164.504(e), apply the Security Rule safeguards, train staff, and put BAAs in place with its own subcontractors. An agency that never touches PHI is generally outside HIPAA, but the line is crossed more often than agencies realize, usually through CRMs, ad platforms, web forms, and analytics tags.
TL;DR: Quick answer
- An agency that handles a healthcare client's PHI is a business associate under 45 CFR § 160.103 and has been directly liable to HHS OCR since the 2013 Omnibus Rule.
- A written BAA meeting 45 CFR § 164.504(e) is mandatory before any PHI changes hands; operating without one is itself a violation.
- Civil penalties effective January 28, 2026 range from $145 per violation at Tier 1 to $2,190,294 for uncorrected willful neglect, with an annual cap of $2,190,294 per provision (45 CFR § 102.3).
- A June 2024 federal ruling (AHA v. HHS, N.D. Tex.) narrowed OCR's tracking guidance for unauthenticated public pages, but pixels on logged-in pages or pages that actually collect health details still create HIPAA exposure.
- Google will not sign a BAA for standard Google Analytics or Google Ads, and Meta will not sign one for the Meta Pixel, so PHI cannot lawfully flow to those platforms.
When does a marketing agency become a business associate under 45 CFR § 160.103?
HIPAA does not regulate marketing as an activity. It regulates PHI held by covered entities (providers that transmit health information electronically in connection with a standard transaction, health plans, and clearinghouses) and their business associates. The definition at 45 CFR § 160.103 captures any vendor that creates, receives, maintains, or transmits PHI on a covered entity's behalf. PHI is individually identifiable health information held or transmitted by a covered entity or business associate; a name or email address tied to a condition, treatment, appointment, or payment for care qualifies.
In our work hosting healthcare sites, these are the situations that most often pull an agency into business associate status without anyone noticing:
- Managing a patient email list or newsletter segmented by condition, treatment, or appointment history.
- Uploading patient or lead lists to an ad platform or CRM for retargeting or lookalike audiences.
- Building or managing intake forms, appointment requests, or symptom quizzes. Contact form submissions on therapist and clinic sites are PHI when they tie an identity to a request for care.
- Accessing the client's EHR, practice management system, patient portal, or call-tracking recordings.
- Handling reviews, testimonials, or case studies that identify patients and their care.
Pure brand work with no patient data, such as an awareness campaign that never touches identifiers linked to health information, usually does not create business associate status. Map the data flows before deciding. Most agencies we audit underestimate how often PHI lands in their project management tools, shared drives, and email threads.
What must the Business Associate Agreement contain?
The BAA requirements live in 45 CFR § 164.504(e) (Privacy Rule) and §§ 164.308(b) and 164.314(a) (Security Rule). The contract must require the agency to:
- Use and disclose PHI only as the contract permits.
- Implement the administrative, physical, and technical safeguards of 45 CFR §§ 164.308, 164.310, and 164.312. We break these down in our guide to HIPAA's administrative, physical, and technical safeguards.
- Report security incidents to the covered entity, and report breaches of unsecured PHI under 45 CFR § 164.410 within the contract's deadline (never later than 60 days after discovery).
- Obtain BAAs from subcontractors that handle PHI (45 CFR § 164.502(e)(1)(ii)), including the agency's hosting provider, email platform, and CRM.
- Return or destroy PHI at contract end where feasible.
Since the 2013 Omnibus Rule, business associates are directly liable to HHS OCR, not just contractually liable to the client. A missing BAA is a frequent finding in OCR enforcement actions, and the civil penalties for HIPAA violations apply to agencies in their own right.
Are tracking pixels still a HIPAA problem after AHA v. HHS?
Partially, and the nuance matters. OCR issued tracking technology guidance in December 2022 and revised it in March 2024. On June 20, 2024, the Northern District of Texas in American Hospital Association v. HHS vacated the portion of that guidance treating an IP address combined with a visit to an unauthenticated public webpage as PHI. HHS dropped its appeal in September 2024, so the vacatur stands.
What survived the ruling:
- Authenticated pages remain in scope. Pixels on patient portals, logged-in scheduling areas, or anything behind a login still implicate HIPAA.
- Pages that collect health details remain in scope. A pixel that captures form field contents, condition-specific URL parameters tied to a known user, or booking confirmations is transmitting PHI regardless of authentication.
- HIPAA is not the only exposure. The FTC has pursued health advertisers over tracking under its own authority, and state wiretap and consumer privacy class actions continue independent of the vacatur.
Two operational facts every agency should internalize: Google does not sign a BAA for standard Google Analytics or Google Ads, and Meta does not sign one for the Meta Pixel. PHI therefore cannot lawfully flow to those platforms. Audit every tag in the tag manager, strip health details from URLs and payloads, and never upload patient lists to a platform that will not sign a BAA. The same logic applies to spreadsheets: Google Sheets can hold PHI only under a paid Google Workspace BAA, never in a free account.
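The two bullets above about pixels on authenticated pages and pixels that capture form fields or condition-specific URL parameters, together with the advice to strip health details from URLs and payloads, describe a control that can be enforced in code rather than by policy. The following is an added example, not code from the original article or from any tag manager vendor: a gate that runs before a third-party pixel fires and either rewrites the event or drops it. It assumes (these are assumptions, not facts from the page) that the site can tell the gate whether the visitor is authenticated (the constructed `ctx.authenticated` flag), that the tag manager exposes a hook where an event can be rewritten or cancelled, and that the path hints and parameter allowlist below are tuned per client. The identifier patterns are deliberately conservative; a false positive drops a harmless event, a false negative sends PHI to a vendor that has not signed a BAA.

```javascript
// Added example: PHI gate for third-party pixels on a healthcare site.
// Not from the original article; the hook shape, flags and lists are assumptions.

// Query parameters a pixel is allowed to see. Everything else is dropped,
// including parameters that look harmless but carry a visitor identifier.
const URL_PARAM_ALLOWLIST = new Set([
  'utm_source', 'utm_medium', 'utm_campaign', 'utm_content', 'utm_term',
]);

// Path fragments that tie a page to care, a condition, or an intake flow.
// Constructed list for the example; tune per client after the data-flow map.
const SENSITIVE_PATH_HINTS = [
  'symptom', 'condition', 'diagnosis', 'treatment', 'appointment',
  'intake', 'portal', 'confirm', 'results',
];

// Event data keys that hold free text or form contents and must never leave the site.
const FORBIDDEN_DATA_KEYS = new Set([
  'form_data', 'fields', 'message', 'email', 'phone', 'name', 'dob',
]);

// Conservative identifier patterns: email, North American phone, SSN.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
const PHONE_RE = /(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}/;
const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/;

// True when a value looks like a direct identifier of a person.
function containsLikelyIdentifier(value) {
  const s = String(value);
  return EMAIL_RE.test(s) || PHONE_RE.test(s) || SSN_RE.test(s);
}

// Keep only allowlisted query parameters and clear the fragment,
// so condition-specific or identifying parameters never reach the pixel.
function sanitizeUrl(rawUrl) {
  const u = new URL(rawUrl);
  const kept = new URLSearchParams();
  for (const [key, value] of u.searchParams) {
    if (URL_PARAM_ALLOWLIST.has(key.toLowerCase()) && !containsLikelyIdentifier(value)) {
      kept.append(key, value);
    }
  }
  u.search = kept.toString();
  u.hash = '';
  return u.toString();
}

// True when the path itself reveals a request for care or a treatment context.
function isSensitivePath(pathname) {
  const p = pathname.toLowerCase();
  return SENSITIVE_PATH_HINTS.some((hint) => p.includes(hint));
}

// Returns the payload the pixel may send, or null when the event must be dropped.
// event: { name, url, data }   ctx: { authenticated }
function gatePixelEvent(event, ctx) {
  // 1. Behind a login: in scope regardless of AHA v. HHS, and Meta/Google sign no BAA.
  if (ctx.authenticated) return null;

  // 2. Booking, intake, symptom and results pages: treat as PHI-bearing even when public.
  const url = new URL(event.url);
  if (isSensitivePath(url.pathname)) return null;

  // 3. Strip form contents, free text and anything that looks like an identifier.
  const safeData = {};
  for (const [key, value] of Object.entries(event.data || {})) {
    if (FORBIDDEN_DATA_KEYS.has(key.toLowerCase())) continue;
    if (containsLikelyIdentifier(value)) continue;
    safeData[key] = value;
  }

  return { name: event.name, url: sanitizeUrl(event.url), data: safeData };
}

// Constructed sample events for a stand-alone run.
const SAMPLE_EVENTS = [
  { event: { name: 'page_view', url: 'https://clinic.example/portal/messages', data: {} },
    ctx: { authenticated: true } },
  { event: { name: 'page_view', url: 'https://clinic.example/book-appointment?utm_source=ads', data: {} },
    ctx: { authenticated: false } },
  { event: { name: 'page_view',
             url: 'https://clinic.example/about?utm_medium=cpc&ref=jane%40example.com',
             data: { page_title: 'About', email: 'jane@example.com', message: 'need help with my diagnosis' } },
    ctx: { authenticated: false } },
];

for (const { event, ctx } of SAMPLE_EVENTS) {
  console.log(event.url, '->', JSON.stringify(gatePixelEvent(event, ctx)));
}
```

The order of the checks is the point: the authentication and path checks drop the whole event, because once a known or care-seeking visitor is identified, no amount of payload scrubbing makes the visit non-PHI; the payload filter only runs for events that survived those checks. A tag-manager rule that fires tags through this function, rather than on every page load, is what "audit every tag" should produce.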
What does a compliant agency stack look like?
When we review agency setups for healthcare clients, the compliant ones share the same architecture:
- BAA with every covered-entity client before any PHI is exchanged, and BAAs with every downstream vendor that touches PHI.
- A documented data-flow map covering CRM, email, forms, call tracking, analytics, project management, and cloud storage. This is what holds up when OCR asks questions.
- BAA-covered infrastructure for anything that stores PHI. Standard shared hosting does not qualify. A managed host that signs a BAA, such as our HIPAA-compliant WordPress hosting, covers the encryption, access controls, and audit logging at the hosting layer; that is our business, so weigh that disclosure accordingly.
- Encryption in transit and at rest under the transmission security standard at 45 CFR § 164.312(e)(1) and the encryption specifications at § 164.312(a)(2)(iv) and (e)(2)(ii). Those specifications are addressable, which means you implement them or document why an equivalent alternative is reasonable; it does not mean you may skip them.
- Least-privilege access with MFA and unique user IDs (§ 164.312(a)(2)(i)). Shared agency logins to a client's portal are a recurring audit failure.
- Workforce training at onboarding and periodically (§ 164.308(a)(5)). That includes the developers and designers building client sites.
- An incident-response and breach-notification plan aligned to 45 CFR §§ 164.400-414 before you need it, not after.
What are the penalties if an agency gets it wrong?
Civil penalties are tiered by culpability and assessed per violation. The amounts below took effect January 28, 2026 under 45 CFR § 102.3. Note that OCR's April 2019 Notice of Enforcement Discretion still caps annual maximums for Tiers 1 through 3 below the regulatory cap (originally $25,000, $100,000, and $250,000 per year, adjusted for inflation).
| Tier | Culpability | Per violation (2026) |
|---|---|---|
| 1 | Lack of knowledge | $145 to $73,011 |
| 2 | Reasonable cause | $1,461 to $73,011 |
| 3 | Willful neglect, corrected within 30 days | $14,602 to $73,011 |
| 4 | Willful neglect, not corrected | $73,011 to $2,190,294 |
The annual cap is $2,190,294 per violated provision. A single breach typically involves several provisions, so exposure compounds. Knowing misuse of PHI can also bring criminal referral to the Department of Justice. Beyond penalties, agencies face breach-notification costs, contract loss, and the client-side litigation wave that has followed pixel disclosures since 2022.
Frequently asked questions
Do marketing agencies need to be HIPAA compliant?
Only when they handle PHI for a covered entity. An agency that creates, receives, maintains, or transmits PHI is a business associate under 45 CFR § 160.103 and must sign a BAA and apply the Security Rule safeguards.
Is the Meta Pixel a HIPAA violation?
Not automatically, but it becomes one when it transmits PHI to Meta, which will not sign a BAA. Risk is highest on authenticated pages and on forms or booking flows that capture health details.
Is Google Analytics HIPAA compliant?
No. Google does not offer a BAA for standard Google Analytics, so it cannot lawfully process PHI. Configure analytics so no PHI is ever sent, or use a vendor that signs a BAA.
Did the 2024 court ruling make tracking pixels legal on healthcare sites?
No. AHA v. HHS only vacated OCR's position on IP addresses combined with unauthenticated public page visits. Pixels on logged-in pages, or anywhere actual health information is collected, still create HIPAA risk, and FTC and state-law exposure continues either way.
Does my agency need its own subcontractor BAAs?
Yes. 45 CFR § 164.502(e)(1)(ii) requires a business associate to obtain BAAs from subcontractors that handle PHI, including hosting, email, and CRM vendors.
Where to go from here
If your agency touches patient data, start with a signed BAA and a data-flow map, then move PHI onto BAA-covered infrastructure. For the broader infrastructure picture, see our complete guide to HIPAA-compliant hosting, or contact us with questions about a specific client setup.
This article is general information, not legal advice. Penalty amounts adjust annually for inflation. Consult qualified counsel and base your safeguards on a documented risk analysis. Reviewed June 2026.
Sources
- 45 CFR § 160.103, Definitions (eCFR)
- 45 CFR § 164.504, Organizational requirements including BAA terms (eCFR)
- HHS: Business Associates guidance
- HHS OCR: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates
- Federal Register: Annual Civil Monetary Penalties Inflation Adjustment (Jan. 28, 2026)