
HIPAA Tracking Technologies: What Pixels and Analytics Are Allowed in 2026

By Joseph Abear ·
HIPAA Tracking

Last updated: June 18, 2026

HIPAA tracking technologies are scripts and tools, such as the Meta Pixel, Google Analytics, cookies, and tag managers, that collect visitor data on a website. They become a HIPAA problem when they send protected health information (PHI) to a vendor that has not signed a Business Associate Agreement (BAA). The rule is simple even when the technology is not: under 45 CFR § 164.308(b), no third party may receive PHI without a signed BAA, and the big advertising and analytics platforms will not sign one. So a tracker that fires on a patient portal, a booking flow, or an intake form can turn an ordinary website into an illegal disclosure. This guide explains when tracking becomes PHI, what the rules say in 2026, and how to find the leaks on your own site.

TL;DR: Quick answer

  • HIPAA tracking technologies break the rules when they transmit identity plus health context to a vendor with no BAA, an impermissible disclosure under 45 CFR § 164.502(a).

  • Google Analytics and the Meta Pixel cannot be made compliant, because Google and Meta will not sign a BAA for them.

  • A federal court vacated part of the HHS tracking guidance on June 20, 2024 (AHA v. Becerra), but only for IP addresses on public, unauthenticated pages. Trackers on portals, booking flows, and forms still violate HIPAA.

  • The cost is real. Advocate Aurora Health settled a tracking pixel case for $12.25 million and Novant Health for $6.6 million.

  • You can audit your own site with browser tools, and a one-time professional review documents the findings and fixes.

What are online tracking technologies?

Online tracking technologies are the small pieces of code that watch what a visitor does on a website and report it somewhere. HHS uses that exact phrase in its guidance. The HIPAA tracking technologies you will find on a healthcare site fall into a few common types:

  • Advertising pixels, such as the Meta Pixel and the Google Ads tag, which send visit data to ad platforms.

  • Analytics scripts, such as Google Analytics 4, which measure traffic and behavior.

  • Tag managers, such as Google Tag Manager, which load many other tags from one container.

  • Cookies and device identifiers, which tie repeat visits to the same person.

  • Session replay and chat tools, which can record what a visitor types, including form fields.

Each of these runs in the visitor's browser, which is why a review of them is called a client-side review. The host secures the server, but these scripts send data straight from the browser to a third party, often without the practice realizing it.

When does tracking data become PHI?


PHI is health information that identifies a person, or reasonably could, under 45 CFR § 160.103. On a website, identity and health context combine fast. A pixel on a booking page can capture a visitor ID, the page URL, the provider chosen, and the appointment type in a single request. Together, that data says a known person sought care for a condition. That is PHI, and sending it to a vendor with no BAA is an impermissible disclosure under 45 CFR § 164.502(a). HIPAA tracking technologies do not have to name the patient to create the problem; an identifier plus a health-context page is enough.

The highest-risk pages are patient portals and anything behind a login, booking and scheduling flows, intake and contact forms that ask about symptoms, and condition pages that feed a booking funnel. A general blog read by an unknown visitor is a lower-risk case, which is exactly what the 2024 court ruling addressed.

The 2026 rules: OCR guidance and the AHA v. Becerra ruling


HHS OCR first published its tracking guidance in December 2022 and updated it on March 18, 2024. The American Hospital Association sued, and on June 20, 2024 a federal court in Texas vacated the part of the guidance known as the Proscribed Combination, the claim that an IP address plus a visit to a public, unauthenticated page is PHI on its own. HHS withdrew its appeal on August 29, 2024, so that piece is gone.

What did not change is most of the rule. Trackers on authenticated pages such as patient portals still trigger HIPAA. Trackers that capture form entries, appointment details, or anything a user types about their health still break the rules. And the ruling did nothing to stop class actions, state privacy laws like Washington's My Health My Data Act, or the Federal Trade Commission, which has warned health providers about tracking under its own authority. In short, the HIPAA tracking technologies rules narrowed slightly for public pages and stayed firm everywhere patient data is involved.

Why Google Analytics and the Meta Pixel cannot be fixed


Some HIPAA tracking technologies problems are a settings issue. This one is a contract issue. Google will not sign a BAA for Google Analytics, and Meta will not sign one for its Pixel. Without the BAA, no configuration, IP masking, or consent banner makes them lawful on a page that handles PHI. The missing contract is the failure, not the data setting. We cover the analytics side in depth in whether Google Analytics is HIPAA compliant, and the agency angle in HIPAA compliance for marketing agencies.

What getting it wrong costs


The HIPAA tracking technologies that cause settlements are usually the ones nobody audited, because nothing visibly breaks. The bills are not small. Advocate Aurora Health paid $12.25 million to settle a class action after its pixels sent patient data to third parties, and Novant Health paid $6.6 million over pixels on its patient portal. Both started as routine marketing choices: someone added a tag, and nobody checked what it sent. Pixels appear in our roundup of unintentional HIPAA violations for that reason. Beyond settlements, an impermissible disclosure can trigger the breach notification duties in 45 CFR §§ 164.400-414 and the penalty tiers at 45 CFR § 102.3.

How to find the trackers on your own site


You can audit your own HIPAA tracking technologies in about 15 minutes. Open a booking or intake page in Chrome, press F12, and select the Network tab. Reload the page, then filter requests for "google-analytics," "googletagmanager," "facebook," and "doubleclick." Each match is a third party receiving data from that page. Submit a test form entry and watch for new requests that contain your test name or answers. Then open your tag manager and look for tags you do not recognize, because agencies, old plugins, and theme demos all leave trackers behind.

This finds the obvious leaks. It will not catch everything, because scripts can load only on some devices or pass data through chained tags and server-side proxies that a manual check misses. That gap is why many practices have the work done once, properly.
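The DevTools check above can be repeated against a saved capture instead of a live tab, which makes it easier to document and to rerun after every fix. The Python script below is an added example, not code from this article or from HIPAA Compliant Hosting. It reads a HAR file (Chrome's Network tab exports one via "Save all as HAR with content"), skips first-party requests, flags the four tracker patterns the text tells you to filter for, searches every third-party request for the test entry you submitted, and applies the identity-plus-health-context rule from the PHI section: a known tracker firing from a booking, intake or portal path, or any request carrying the test entry, is marked high. The HAR fragment, the host names, the `/book` and `/blog` paths and the `ZZTESTPATIENT` marker are all constructed for illustration.

```python
"""Added example: audit a Chrome HAR export for third-party tracker requests.

Usage: python har_audit.py export.har   (or run with no argument for the
constructed sample).  Host names, paths and the test marker below are
assumptions for illustration, not a real capture.
"""
import json
import sys
from urllib.parse import urlparse

# Substrings the article tells you to filter for in the Network tab.
TRACKER_PATTERNS = ("google-analytics", "googletagmanager", "facebook", "doubleclick")

# Path prefixes treated as health context (constructed list; extend it for your site).
HEALTH_CONTEXT_PATHS = ("/book", "/schedule", "/intake", "/portal", "/contact")


def is_first_party(host, site_host):
    return host == site_host or host.endswith("." + site_host)


def is_tracker_host(host):
    return any(p in host for p in TRACKER_PATTERNS)


def is_health_context(page_url):
    path = urlparse(page_url).path.lower()
    return any(path.startswith(p) for p in HEALTH_CONTEXT_PATHS)


def request_text(entry):
    """URL plus POST body, so the test marker is found wherever the tag put it."""
    req = entry["request"]
    parts = [req["url"]]
    post = req.get("postData") or {}
    if post.get("text"):
        parts.append(post["text"])
    return " ".join(parts)


def audit_har(har, site_host, test_marker):
    """One finding per third-party request.

    risk "high":   the request carries the test entry, or a known tracker fires
                   from a health-context page (identifier plus health context).
    risk "review": any other third-party request; lower HIPAA risk on public
                   pages after the 2024 ruling, still worth checking for
                   state-law exposure.
    """
    # Chrome writes each page's URL into pages[].title; entries link to it by pageref.
    page_urls = {p["id"]: p["title"] for p in har["log"].get("pages", [])}
    findings = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        host = (urlparse(url).hostname or "").lower()
        if is_first_party(host, site_host):
            continue
        page_url = page_urls.get(entry.get("pageref", ""), "")
        tracker = is_tracker_host(host)
        leaks = test_marker.lower() in request_text(entry).lower()
        health = is_health_context(page_url)
        findings.append({
            "host": host,
            "page": page_url,
            "known_tracker": tracker,
            "leaks_test_entry": leaks,
            "risk": "high" if (leaks or (tracker and health)) else "review",
        })
    return findings


# Constructed HAR fragment: a booking page with two trackers and a font CDN,
# plus a public blog page with the same analytics tag.
SAMPLE_HAR = {"log": {
    "pages": [
        {"id": "page_1", "title": "https://clinic.example/book/new-patient"},
        {"id": "page_2", "title": "https://clinic.example/blog/flu-season"},
    ],
    "entries": [
        {"pageref": "page_1", "request": {"method": "GET",
            "url": "https://clinic.example/book/new-patient"}},
        {"pageref": "page_1", "request": {"method": "POST",
            "url": "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER"
                   "&dl=https%3A%2F%2Fclinic.example%2Fbook%2Fnew-patient"}},
        {"pageref": "page_1", "request": {"method": "POST",
            "url": "https://www.facebook.com/tr/",
            "postData": {"mimeType": "application/x-www-form-urlencoded",
                         "text": "id=PLACEHOLDER&ev=Lead&ud[fn]=ZZTESTPATIENT"}}},
        {"pageref": "page_1", "request": {"method": "GET",
            "url": "https://fonts.example-cdn.net/roboto.woff2"}},
        {"pageref": "page_2", "request": {"method": "POST",
            "url": "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER"}},
    ],
}}


def main(path=None):
    if path:
        with open(path, encoding="utf-8") as fh:
            har = json.load(fh)
    else:
        har = SAMPLE_HAR
    for f in audit_har(har, "clinic.example", "ZZTESTPATIENT"):
        flags = ["tracker" if f["known_tracker"] else "third-party"]
        if f["leaks_test_entry"]:
            flags.append("LEAKS TEST ENTRY")
        print(f"{f['risk']:6} {f['host']:32} {', '.join(flags)}  (from {f['page']})")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

The sample distinguishes the two cases the article draws: the analytics tag on the booking page and the pixel carrying the test entry come back as high, while the same analytics tag on the public blog page and the font request come back as review. Keep the HAR and the script output together as the record of what each page sent and when.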

Safer ways to measure traffic

Replacing risky HIPAA tracking technologies does not mean flying blind. Self-hosted analytics such as Matomo keep visitor data on your own server, so no third party receives it. Some privacy-focused vendors, such as Piwik PRO and Freshpaint, will sign BAAs and are built for healthcare. Cookieless, count-only tools collect so little that they avoid identity problems on information pages, and server logs answer basic traffic questions with data you already hold. Whichever you choose, get the BAA answer in writing before the tag goes live.

Get a documented client-side review

If your site takes bookings, intake details, or any patient information, a one-time audit is cheap insurance against a seven-figure settlement. Our client-side compliance review is the fastest way to get every one of your HIPAA tracking technologies documented: we audit each tracking script, cookie, form, and third-party tool across your key pages and return a findings report with risk levels and clear fix-it steps. HIPAA Compliant Hosting sells this review, so weigh that as a disclosure. We still publish the manual check above, because a practice that finds its own pixel problem this week is better off than one that waits for a demand letter. For the hosting side of compliance, our HIPAA compliant hosting covers the server; the client-side review covers what runs in the browser.

Frequently asked questions

Are tracking pixels HIPAA compliant?

Not when they send PHI to a vendor without a BAA. A pixel on a public page with no patient data is lower risk after the 2024 ruling, but a pixel on a portal, booking flow, or intake form that captures identity plus health context is an impermissible disclosure.

Is the Meta Pixel allowed on a healthcare website?

Not on pages that handle PHI. Meta will not sign a BAA, so the Pixel cannot lawfully receive patient data. Keep it off portals, booking flows, and forms; even on public pages, weigh state privacy laws and FTC risk.

Did the 2024 court ruling make website tracking legal again?

Only partly. AHA v. Becerra vacated OCR's claim about IP addresses on public, unauthenticated pages. Trackers on authenticated pages and anywhere health information is collected still violate HIPAA, and class actions and state laws continue.

What is a client-side compliance review?

An audit of the HIPAA tracking technologies that run in a visitor's browser, the scripts, cookies, pixels, forms, and third-party tools, to find where a site sends PHI to vendors without a BAA. It produces a findings report with risk levels and fixes.

Which analytics can healthcare websites use?

Self-hosted tools like Matomo, BAA-signing vendors such as Piwik PRO or Freshpaint, cookieless count-only tools on information pages, and server log reports. Confirm BAA coverage in writing before deploying any of them.

Recap: HIPAA tracking technologies

To recap, HIPAA tracking technologies are the pixels, analytics, and tags that watch your visitors. They are fine on pages with no patient data and a violation the moment they send identity plus health context to a vendor with no BAA. Google Analytics and the Meta Pixel cannot be fixed, because the platforms will not sign a BAA. The 2024 ruling narrowed the rule for public pages only. Map where patient data flows, pull trackers off every page that touches PHI, replace them with BAA-covered or self-hosted tools, and document the result.

This article is general information, not legal advice. Details reflect the HIPAA Privacy and Security Rules (45 CFR Parts 160 and 164), the OCR tracking guidance after American Hospital Association v. Becerra, and the published HIPAA positions of Google and Meta as of June 2026. Confirm your obligations with qualified legal counsel.
