Why Healthcare Websites Are Different
On most websites, cookies collect commercial data: page views, click patterns, shopping behavior. On healthcare websites, even standard analytics can constitute protected health information (PHI) under HIPAA.
The PHI Problem
Under HHS OCR's December 2022 bulletin, individually identifiable health information collected on a regulated entity's website generally qualifies as PHI. OCR stated that regulated entities "are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules." This includes IP addresses, device identifiers, and geographic data when combined with health-related page URLs.
When a visitor navigates to a page about cancer treatment, the combination of their IP address and that URL can constitute PHI. Google Analytics collects both by default. A standard analytics cookie that is fine on an e-commerce site becomes a potential HIPAA violation on a healthcare site because the context changes its legal classification.
The critical problem: none of the major advertising or analytics platforms will sign a Business Associate Agreement (BAA). Google will not sign one for GA4. Meta will not sign one for Meta Pixel. Without a BAA, sharing PHI with these platforms violates HIPAA's Privacy Rule.
Important legal update: In June 2024, a federal court ruled that OCR overstepped with the "proscribed combination" concept, finding that an IP address combined with a visit to an unauthenticated health webpage does not automatically constitute PHI. But this ruling applies narrowly to unauthenticated pages. Authenticated pages (patient portals, appointment scheduling behind login) still carry full risk. And the FTC's enforcement authority remains fully intact.
What the FTC Is Actually Enforcing
The FTC has been aggressive against healthcare companies sharing data through tracking pixels:
| Company | Penalty | Year | What Happened |
|---|---|---|---|
| BetterHelp | $7.8M | 2023 | Shared therapy data with Facebook, Snapchat, Criteo, Pinterest |
| Cerebral | $7M | 2024 | Sent medical histories, insurance, prescriptions to third parties |
| Monument | $2.5M (suspended) | 2024 | Banned from sharing health data with advertisers |
| GoodRx | $1.5M | 2023 | Sent prescription data to Facebook, Google, Criteo |
These were standard marketing technology implementations. As the FTC stated in its BetterHelp complaint: the company "used the information it collected through its online counseling service to target ads to its own users on platforms such as Facebook." The FTC's position is clear: if you handle health data, standard pixel practices constitute unauthorized disclosure.
Class action pixel lawsuits compound the risk. Advocate Aurora Health settled for $12.225 million after Meta Pixel exposed data for 3 million patients. Novant Health settled for $6.6 million. As the Advocate Aurora plaintiffs argued, hospitals "knowingly installed tracking technologies that transmitted patients' sensitive health information to third parties like Meta and Google without patient consent."
The Legal Landscape
HIPAA and Tracking Technologies
OCR's 2022 bulletin and March 2024 update established that tracking technologies on healthcare websites may create PHI, requiring compliance with HIPAA Privacy, Security, and Breach Notification Rules. The June 2024 court ruling weakened the "proscribed combination" concept for unauthenticated pages, but does not apply to authenticated pages where tracking technologies collect PHI.
FTC Health Breach Notification Rule
The HBNR applies to health apps and websites whether or not they are HIPAA-covered. Expanded in July 2024, it makes clear that unauthorized disclosure of health data through tracking pixels constitutes a "breach" requiring notification. No BAA defense. No "we didn't know" defense. This rule has not been challenged in court and remains fully enforceable.
State Health Data Privacy Laws
Washington My Health My Data Act (March 2024): Defines "consumer health data" broadly. Includes location data indicating health service attempts. Applies to all companies handling health data with no minimum threshold. Includes a private right of action.
Nevada SB 370 (March 2024): Requires affirmative consent before collecting or sharing health data.
Connecticut CTDPA amendments (July 2023): Designates health data as sensitive requiring opt-in consent.
These state laws apply to ALL companies handling health data, not just HIPAA-covered entities. A digital health startup not covered by HIPAA may still be subject to all of them.
For detailed breakdowns of other regulatory frameworks, see our guides on GDPR cookie consent requirements and CCPA cookie consent requirements.
Which Tracking Technologies Are Affected
Meta Pixel (Highest Risk)
Page URLs like /conditions/breast-cancer/treatment-options tell Meta the visitor is researching cancer treatment. Form submissions on appointment pages disclose care-seeking behavior. Meta will not sign a BAA.
Google Analytics (High Risk)
GA4 collects page views, user journeys, session data, and demographics. On a healthcare site, a pageview of /departments/oncology/appointments combined with an IP address links a real person to cancer treatment. Google will not sign a BAA for GA4. Google Consent Mode does not prevent health-related URLs from reaching Google's servers.
Other High-Risk Technologies
Advertising pixels (TikTok, Pinterest, LinkedIn, Microsoft UET): All collect page URLs and identifiers. None sign BAAs.
Session replay tools (Hotjar, FullStory, LogRocket, Clarity): Record interactions including form inputs. On healthcare sites, these capture appointment details, symptom checker responses, and patient portal interactions. Frequently overlooked in compliance audits.
Chat widgets: May capture health-related discussions in transcripts stored on vendor servers.
What's Generally Safe
- Strictly necessary cookies: Session management, auth tokens, CSRF protection
- First-party analytics with no third-party transmission: Self-hosted Plausible or Matomo
- Vendors with signed BAAs: Freshpaint, Piwik PRO
ConsentStack's 6,592 tracker domain database auto-classifies scripts, catching tracking domains that slip through manual audits.
Implementing Compliant Consent for Healthcare
Why Standard CMPs Are Not Enough
A normal CMP lets visitors accept or reject cookie categories. For healthcare, this breaks down because user consent does not override HIPAA's restrictions on PHI disclosure.
Clicking "Accept All" on a cookie banner is not a HIPAA authorization. HIPAA authorization requires specific elements: description of information disclosed, purpose, expiration date, and individual's signature. A cookie click meets none of these. Even if a patient clicks "Accept All," sharing PHI with Meta or Google without a BAA still violates HIPAA.
Three Implementation Tiers
Tier 1: Block by Default (Most Conservative)
On health-related pages, block ALL third-party tracking regardless of consent:
- Health condition and treatment pages
- Provider directories and specialty searches
- Appointment scheduling pages
- Patient portals (highest risk)
- Telehealth sessions
- Symptom checkers
No Meta Pixel, no GA4, no session replay, no third-party chat. Zero third-party tracking.
ConsentStack's parse-time blocking makes this straightforward. Configure marketing and analytics categories to "block by default" with no opt-in on sensitive pages. The MutationObserver catches scripts before execution, so zero tracking requests leave the browser.
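As an added illustration of the Tier 1 rule and the observer wiring described above (this is not ConsentStack's SDK or code from this page): the `shouldBlock` decision blocks every tracker category on sensitive pages regardless of consent, and `installBlocker` applies it to `<script>` nodes as the parser inserts them. The path prefixes, tracker hosts and category names are assumed placeholders.

```javascript
// Added example, not ConsentStack's SDK: a minimal parse-time script blocker.
// Assumed/illustrative: the path prefixes, tracker hosts and category names;
// a real deployment takes these from its CMP configuration.
const SENSITIVE_PATH_PREFIXES = ['/conditions/', '/departments/', '/providers/',
  '/appointments/', '/portal/', '/telehealth/', '/symptom-checker/'];
const TRACKER_HOSTS = {                       // host suffix -> consent category
  'connect.facebook.net': 'marketing',
  'googletagmanager.com': 'analytics',
  'google-analytics.com': 'analytics',
  'static.hotjar.com': 'analytics',
};

function isSensitivePage(pathname) {
  return SENSITIVE_PATH_PREFIXES.some((prefix) => pathname.startsWith(prefix));
}

// Map a script URL to a consent category, or null for first-party/unknown scripts.
function trackerCategory(src) {
  let host;
  try { host = new URL(src, 'https://example.org/').hostname; } catch { return null; }
  const hit = Object.keys(TRACKER_HOSTS).find((h) => host === h || host.endsWith('.' + h));
  return hit ? TRACKER_HOSTS[hit] : null;
}

// Tier 1 rule: on sensitive pages every tracker is blocked regardless of consent;
// elsewhere the visitor's category consent decides.
function shouldBlock(src, pathname, consent) {
  const category = trackerCategory(src);
  if (!category) return false;
  if (isSensitivePage(pathname)) return true;
  return consent[category] !== true;
}

// Browser wiring: a MutationObserver sees each <script> as the parser inserts it
// and, before it executes, rewrites its type so the browser will not run it.
function installBlocker(consent) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return;
  const observer = new MutationObserver((records) => {
    for (const record of records) {
      for (const node of record.addedNodes) {
        if (node.nodeName === 'SCRIPT' && node.src &&
            shouldBlock(node.src, location.pathname, consent)) {
          node.type = 'javascript/blocked';   // non-JS type: never executed
          node.dataset.blockedSrc = node.src; // kept so it can be re-enabled on consent
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
}
```

Call `installBlocker(consent)` from an inline script at the top of `<head>`, before any tag manager loads, so the observer is in place for every later script node.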
Tier 2: Server-Side Filtering
For organizations needing advertising data from health pages, capture interactions server-side, filter out PHI, then transmit de-identified data:
- Meta CAPI: Strip health-related URL paths and patient identifiers before transmission
- GA4 Measurement Protocol: Replace health page paths with generic categories (/conditions/[redacted])
- Custom pipeline: Collect to your data warehouse, apply PHI filtering, forward clean data
Even with server-side tracking, block client-side pixels. The server-side implementation replaces the pixel, not supplements it.
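An added example of the Tier 2 filtering step, written for this page rather than taken from it or from any vendor: it rewrites an event in the shape of a GA4 Measurement Protocol request so health paths become the generic `/section/[redacted]` category and identifiers never leave the server. The event shape, section names and dropped query keys are assumptions.

```javascript
// Added example, not ConsentStack's or Google's code: the Tier 2 PHI filter that
// runs server-side before an event is forwarded to an analytics vendor.
// Assumed: the event shape (client_id + events[].params.page_location, as in a
// GA4 Measurement Protocol request); section names and query keys are illustrative.
const HEALTH_SECTIONS = ['conditions', 'departments', 'providers', 'appointments',
  'portal', 'telehealth', 'symptom-checker'];
const DROP_QUERY_KEYS = ['name', 'email', 'phone', 'dob', 'mrn', 'reason', 'q'];

// /conditions/breast-cancer/treatment-options -> /conditions/[redacted]
function redactPath(pathname) {
  const segments = pathname.split('/').filter(Boolean);
  if (segments.length && HEALTH_SECTIONS.includes(segments[0])) {
    return `/${segments[0]}/[redacted]`;
  }
  return pathname;
}

// Redact the path, drop identifying query keys and the fragment; an unparseable
// URL is dropped entirely rather than forwarded as-is.
function redactUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return ''; }
  url.pathname = redactPath(url.pathname);
  for (const key of DROP_QUERY_KEYS) url.searchParams.delete(key);
  url.hash = '';
  return url.toString();
}

// Build a fresh event from an allow-list of fields: the pseudonymous client_id and
// the per-event params. user_id, user_properties and the visitor's IP are never copied.
function sanitizeEvent(evt) {
  const out = { client_id: evt.client_id, events: [] };
  for (const e of evt.events || []) {
    const params = { ...(e.params || {}) };
    if (params.page_location) params.page_location = redactUrl(params.page_location);
    if (params.page_referrer) params.page_referrer = redactUrl(params.page_referrer);
    delete params.page_title;   // titles name the condition as well
    delete params.user_id;
    out.events.push({ name: e.name, params });
  }
  return out;
}
```

Because `sanitizeEvent` copies only named fields, any new identifier a client library adds to the request is dropped by default instead of slipping through.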
Tier 3: HIPAA-Compliant Analytics Alternatives
Replace standard platforms with BAA-signing vendors:
- Freshpaint: Healthcare data governance, strips PHI, forwards clean data
- Piwik PRO: Healthcare compliance module with BAA
- Self-hosted Matomo/Plausible: All data stays on your servers
Tradeoff: less advertising integration (no audience building, no retargeting).
How ConsentStack Fits
ConsentStack handles the consent and script-blocking layer. Parse-time blocking ensures zero scripts execute before consent. Configurable categories per page allow blocking on health pages while allowing standard flows elsewhere. Auto-classification catches scripts marketing teams add through GTM. Geo-detection across 19 US states handles CCPA, Washington My Health My Data Act, and other state requirements.
An honest caveat: ConsentStack handles consent and script blocking. It does not replace BAAs, PHI filtering, or HIPAA-compliant analytics platforms. For covered entities, a CMP is one component of a compliant strategy, not the entire strategy.
Common Mistakes Healthcare Websites Make
1. Assuming Google Consent Mode solves HIPAA. GCM is for GDPR. It does not prevent health URLs from reaching Google, does not strip PHI, and does not establish a BAA.
2. Using Meta Pixel on condition pages. This cost Advocate Aurora Health $12.225 million and Novant Health $6.6 million. The pixel transmits full page URLs containing condition names.
3. Forgetting session replay tools. Hotjar, FullStory, and similar tools record form inputs on scheduling pages, symptom checker responses, and patient portal interactions.
4. Thinking user consent overrides HIPAA. A cookie click is not HIPAA authorization. Without a BAA, sharing PHI with a platform is non-compliant regardless of what the user clicked. (This is also a common dark pattern in cookie banners: implying that "Accept All" grants blanket legal permission.)
5. Not auditing GTM containers. Marketing teams add pixels through GTM without compliance review. Each one on a healthcare site creates potential PHI disclosure.
6. Using GA4 without a BAA. Google does not offer one for GA4. This is by design, not a gap that will be filled.
7. Ignoring state health data laws. Washington's My Health My Data Act applies to ALL companies handling health data, not just HIPAA-covered entities, with no minimum threshold and a private right of action.
8. Not blocking tracking on scheduling pages. These combine PII (name, email, phone) with health information (specialty, reason for visit). WakeMed's breach notification specifically cited Meta Pixel on its scheduling page.
Frequently Asked Questions
HIPAA itself does not. But a CMP with script blocking is practically necessary because GDPR, CCPA, and state health data laws (Washington, Connecticut, Nevada) all require consent mechanisms. For covered entities, the CMP is necessary but not sufficient. You also need BAAs and PHI safeguards.
On non-health pages (careers, newsroom), GA4 carries lower risk. On health condition pages, provider directories, appointment scheduling, and patient portals, standard GA4 creates significant risk because Google will not sign a BAA. Alternatives: self-hosted analytics, HIPAA-compliant vendors with BAAs, or GA4 with server-side filtering that strips health data before it reaches Google.
No. HIPAA authorization requires specific elements (description, purpose, expiration, signature) that a cookie click does not satisfy. Even with "Accept All," sharing PHI with a platform without a BAA violates HIPAA.
No. A CMP handles consent and script blocking. HIPAA compliance also requires BAAs with third parties receiving PHI, risk assessments, server-side PHI filtering, documentation, and staff training.
HIPAA penalties range from **$100 to $50,000 per violation**, with annual maximums up to **$1.5 million per category**. FTC consent order penalties have been substantial: BetterHelp ($7.8M), Cerebral ($7M), GoodRx ($1.5M). Class action settlements are even larger: Advocate Aurora ($12.225M), Novant ($6.6M).
If your website handles health data and serves visitors from Washington, Connecticut, or Nevada, likely yes. Washington's law is broadest: any company collecting consumer health data with no minimum threshold. These laws apply to all companies, not just HIPAA-covered entities, and define health data more broadly than HIPAA defines PHI.
Conclusion
Healthcare websites operate under stricter privacy rules than any other industry. The FTC is actively pursuing companies using standard tracking pixels, with penalties in the millions. Hospital systems are settling pixel lawsuits for eight figures.
The safest approach: block all third-party tracking on health-related pages, use HIPAA-compliant analytics with signed BAAs, and implement server-side filtering for advertising data. Layer a properly configured CMP on top for GDPR, CCPA, and state law compliance.
ConsentStack's parse-time script blocking gives healthcare teams the foundation. The <10KB SDK installs in minutes. Zero tracking scripts execute before consent. Auto-classification across 6,592 tracker domains catches scripts manual audits miss. Coverage across 32 regulations means your consent configuration accounts for the full landscape.