How Does HIPAA Compliance Affect Marketing Agencies?
A marketing agency becomes subject to HIPAA when it acts as a business associate, meaning it creates, receives, maintains, or transmits protected health information (PHI) on behalf of a healthcare client. When that happens, the agency must sign a Business Associate Agreement (BAA), encrypt PHI, restrict access, train staff, and vet its own subcontractors. An agency that touches no PHI is generally outside HIPAA, but the line is easy to cross through CRMs, ad platforms, analytics, and web forms.
TL;DR: Quick answer
- A marketing agency that handles a healthcare client's PHI is a HIPAA business associate and is directly liable under the law.
- Being a business associate requires a signed BAA with the client, plus encryption, access controls, workforce training, and a breach-response plan.
- The agency must also sign BAAs with its own subcontractors (email platform, CRM, hosting, and any analytics vendor that will sign one).
- Tracking pixels and analytics are the most common risk. A 2024 federal court ruling narrowed HIPAA's reach over public pages, but tracking on logged-in pages still implicates HIPAA, and state privacy laws and the FTC continue to apply.
- Penalties reach into the millions per year for the most serious violations, and they apply to business associates directly.
When does a marketing agency become a HIPAA business associate?
HIPAA does not regulate marketing as an activity. It regulates protected health information. An agency is pulled in the moment it handles PHI on behalf of a covered entity such as a clinic, hospital, dental practice, therapist, or health plan. PHI is any individually identifiable health information, including a name or other identifier tied to a condition, treatment, appointment, or payment for care.
Common situations that make an agency a business associate:
- Managing a patient email list or newsletter that references conditions, treatments, or appointments.
- Uploading patient or lead lists into an ad platform or CRM for retargeting or lookalike audiences.
- Building or managing intake forms, appointment requests, or quizzes that collect health details.
- Accessing the client's EHR, practice management system, patient portal, or call-tracking recordings.
- Handling reviews, testimonials, or case studies that identify patients and their care.
An agency that runs purely brand-level work with no patient data, such as a general awareness campaign that never touches identifiers tied to health information, is usually not a business associate. The safest approach is to map exactly where data flows before deciding, because most agencies underestimate how often PHI enters their tools.
What does a HIPAA business associate agreement require?
A BAA is a written contract between the covered entity and the business associate. The agency cannot lawfully handle PHI for a healthcare client without one. A compliant BAA generally requires the agency to:
- Use PHI only for the purposes permitted in the contract.
- Apply administrative, physical, and technical safeguards under the HIPAA Security Rule.
- Report security incidents and breaches to the client within the agreed timeframe.
- Ensure subcontractors that handle PHI sign their own BAAs.
- Return or destroy PHI when the contract ends.
Since the 2013 Omnibus Rule, business associates are directly liable for HIPAA violations, not just contractually liable to the client. A missing or unsigned BAA is itself a violation and a frequent finding in enforcement actions.
Are tracking pixels and analytics a HIPAA problem for agencies?
This is the highest-risk area for agencies, and the rules shifted recently, so accuracy matters.
In December 2022, the HHS Office for Civil Rights (OCR) issued guidance warning that third-party tracking technologies such as the Meta Pixel and Google Analytics can disclose PHI to vendors without authorization. OCR updated that guidance in March 2024.
On June 20, 2024, a federal court in the Northern District of Texas (American Hospital Association v. Becerra) vacated part of that guidance. Specifically, it struck down the position that HIPAA is triggered simply when an online tool connects a visitor's IP address with a visit to an unauthenticated public webpage about a health condition or provider. HHS later dropped its appeal, so that narrowing stands.
What this means in practice for an agency:
- Tracking on authenticated pages, such as a patient portal, a logged-in scheduling area, or anything behind a login, still clearly implicates HIPAA. The court did not change that.
- On public marketing pages, HIPAA's hook is now weaker, but the risk is not gone. Combining a real identifier with confirmed health information is still PHI.
- HIPAA is not the only exposure. The FTC has pursued health advertisers over tracking, and a large number of state wiretap and privacy class actions continue regardless of the HIPAA ruling.
Two practical facts agencies should know: Google will not sign a BAA for standard Google Analytics or Google Ads, and Meta will not sign a BAA for the Meta Pixel. That means you generally cannot send PHI to those platforms in a compliant way. The safe path is to audit every pixel and tag, strip health details out of URLs and form payloads, and avoid uploading patient lists to platforms that will not sign a BAA.
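As an added example that is not part of the original article, the following JavaScript shows the "strip health details out of URLs and form payloads" step as a gate a tag manager or consent layer could call before any pixel fires: it refuses to fire on authenticated pages and, on public pages, allowlists what may leave the browser. The path prefixes, parameter names and field names are assumptions, not values from any real client.

```javascript
// Added example, not the article's or any vendor's code. Decides whether an
// analytics or ad tag may fire, and if so, what URL and form data it may send.
// Path prefixes, parameter names and field names are constructed assumptions;
// replace them with the client's real ones after mapping the data flows.

const AUTHENTICATED_PREFIXES = ["/portal", "/account", "/schedule"];

// Campaign attribution is all a public marketing page needs to send.
const ALLOWED_QUERY_PARAMS = new Set([
  "utm_source", "utm_medium", "utm_campaign", "utm_content", "utm_term", "gclid",
]);

// Form metadata only: never names, contact details, free text or health answers.
const ALLOWED_FORM_FIELDS = new Set(["form_id", "page", "submitted"]);

function isAuthenticatedPage(pathname) {
  return AUTHENTICATED_PREFIXES.some(
    (p) => pathname === p || pathname.startsWith(p + "/")
  );
}

// Rebuild the URL with only allowlisted query parameters and no fragment.
// A denylist misses parameters nobody thought of; an allowlist fails closed.
function scrubUrlForAnalytics(rawUrl) {
  const url = new URL(rawUrl);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_QUERY_PARAMS.has(key)) kept.set(key, value);
  }
  url.search = kept.toString();
  url.hash = ""; // fragments can carry appointment or patient state too
  return url.toString();
}

function scrubFormPayload(fields) {
  const out = {};
  for (const [key, value] of Object.entries(fields)) {
    if (ALLOWED_FORM_FIELDS.has(key)) out[key] = value;
  }
  return out;
}

// Returns null when no tag may fire at all, otherwise the event that may be sent.
function analyticsEventFor(rawUrl, fields = {}) {
  const { pathname } = new URL(rawUrl);
  if (isAuthenticatedPage(pathname)) return null;
  return { page: scrubUrlForAnalytics(rawUrl), form: scrubFormPayload(fields) };
}
```

The public page path itself is still sent, which is the part of the guidance the 2024 ruling narrowed; the allowlist is what keeps identifiers and form answers out of the query string, fragment and event payload.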
What safeguards does a HIPAA-aware agency need?
Use this as a working checklist when you take on or audit a healthcare client:
- Sign a BAA with each covered-entity client before touching any PHI.
- Map your data flows. Document every tool where PHI could land: CRM, email, forms, analytics, call tracking, project management, and cloud storage.
- Sign subcontractor BAAs with every downstream vendor that handles PHI, including your hosting provider.
- Encrypt PHI in transit and at rest.
- Limit access with least-privilege permissions and multi-factor authentication.
- Train your workforce on PHI handling, breach reporting, and the terms of each BAA, at onboarding and periodically.
- Audit tracking tools and tag managers; remove or reconfigure anything that could leak PHI.
- Keep an incident-response and breach-notification plan ready before you need it.
- Host PHI on HIPAA-compliant infrastructure, not standard shared hosting, for any site, form, or app that stores patient data.
What are the penalties if an agency gets it wrong?
HIPAA civil penalties are tiered by culpability, assessed per violation, and apply to business associates directly. The figures below reflect 2025 inflation-adjusted amounts; the numbers are adjusted every year, so confirm the current amounts with HHS before relying on them.
| Tier | Culpability | Penalty range per violation (2025) |
|---|---|---|
| 1 | Lack of knowledge | About $145 to $73,011 |
| 2 | Reasonable cause | About $1,461 to $73,011 |
| 3 | Willful neglect, corrected within 30 days | About $14,602 to $73,011 |
| 4 | Willful neglect, not corrected | About $73,011 to $2,190,294 |
There is an annual cap for violations of the same provision, set at roughly $2.19 million for 2025. Because a single breach often involves several violations, real exposure can climb quickly. Knowing misuse of PHI can also carry criminal penalties prosecuted by the Department of Justice. Beyond fines, agencies face contract loss, breach-notification costs, and reputational damage.
Frequently asked questions
Do marketing agencies need to be HIPAA compliant?
Only if they handle PHI for a healthcare client. An agency that creates, receives, maintains, or transmits PHI is a business associate and must comply with HIPAA, starting with a signed BAA. An agency that handles no PHI generally does not.
Is the Meta Pixel a HIPAA violation?
The Meta Pixel is not automatically a violation, but it becomes one if it sends PHI to Meta, which will not sign a BAA. The risk is highest on logged-in or patient-portal pages. Audit what the pixel collects and avoid transmitting any health-linked identifiers.
Is Google Analytics HIPAA compliant?
No. Google does not sign a BAA for standard Google Analytics, so it cannot be used to process PHI in a compliant way. Configure analytics so that no PHI is ever sent, or use a vendor that will sign a BAA.
Does my agency need a BAA with healthcare clients?
Yes, if you handle their PHI. You also need BAAs with your own subcontractors that touch PHI, including your hosting provider, email platform, and CRM.
Can we still run ads for a healthcare client?
Yes, but keep PHI out of the ad platforms. Use de-identified data, avoid uploading patient lists to platforms that will not sign a BAA, and confirm your tracking setup does not transmit health-linked information.
Where to go from here
If your agency handles patient data, the foundation is a signed BAA plus infrastructure built for PHI. Standard hosting cannot meet that bar because most providers will not sign a BAA or supply the required safeguards. See who needs HIPAA-compliant hosting and our complete guide to HIPAA-compliant hosting to scope what you need.
This guide is general information, not legal advice. HIPAA penalty amounts are adjusted annually for inflation; the figures here reflect 2025 amounts. Confirm current requirements with the U.S. Department of Health and Human Services and qualified counsel before making compliance decisions.