Author: Adam Putterman
Everyone is focused so much on the privacy risks of marketing pixels that they sometimes forget about all the other ways PHI (Protected Health Information) can unintentionally leak. When it comes to healthcare marketing, there are still data-sharing risks that organizations fail to consider.
I’m always shocked at just how many ways this can happen. Marketing pixels are just the tip of the iceberg. Teams need to also be aware of the risks in using maps, fonts, videos, and other third-party scripts.
1. Embedded Maps
Nearly every provider-based healthcare company has an interactive Google Map embedded on their site. It makes sense: patients need to find office locations.
Why is this a problem?
When a patient loads a page with an embedded map, their IP address is sent to Google’s servers.
If the map shows a specific provider or specialty (e.g., a cancer treatment center, an HIV clinic, a fertility specialist), then Google might have enough context to infer sensitive health information.
IP address + specialized location + other user properties = potential PHI.
What’s the fix?
Use HIPAA-compliant mapping alternatives that don’t send data to third-party servers. Some vendors (like Ours Privacy) offer mapping solutions with Business Associate Agreements (BAAs).
Host a static map image instead of an interactive embed, so no data gets sent to an external service.
If you must use Google Maps, consider using a proxy solution that strips IP data before forwarding location requests to Google.
2. Fonts
Your design team wants the site to look great. That’s understandable. But if you’re loading fonts directly from Google, Adobe, or any other external CDN, you’re sharing patient data without even realizing it.
Why is this a problem?
Each time a patient visits your site, their browser loads fonts from an external provider (e.g., Google Fonts).
That request sends the user’s IP address, page URL, and other metadata to that provider.
If the page has health-related content (e.g., “Depression Treatment Options”), that font request might link that user to a medical condition.
This issue might seem minor, but even passive data collection (like font loading) can count as an unauthorized disclosure of PHI under certain circumstances.
What’s the fix?
Host fonts locally. Instead of pulling them from Google or Adobe’s CDN, serve them from your own domain.
Use system fonts when possible. They don’t require external requests and reduce privacy risks.
If a third-party font is essential, ensure that it is loaded via a HIPAA-compliant, private CDN.
3. Embedded Video
A lot of healthcare websites embed educational videos or patient testimonials using YouTube or Vimeo. But every time a user views that embedded video, you’re sending data to a third-party video platform.
Why is this a problem?
YouTube and Vimeo automatically collect viewer data: IP addresses, device IDs, and sometimes behavioral tracking.
The title and URL of the page where the video is embedded can be logged, potentially linking a patient to sensitive medical topics.
If the video itself is niche or condition-specific (e.g., “Understanding Alzheimer’s Treatments”), the mere act of watching it might create inferred health-related data.
HIPAA doesn’t allow unprotected sharing of PHI with third-party platforms unless you have a BAA. And YouTube and Vimeo won’t sign BAAs for their standard services.
What’s the fix?
Use HIPAA-compliant video alternatives that don’t send data to third-party servers. Some vendors (like Ours Privacy) offer video solutions with Business Associate Agreements (BAAs).
Self-host videos on your own secure server.
If you must use YouTube, link to the video instead of embedding it, or use YouTube’s privacy-enhanced mode (though even that may not fully mitigate risks).
4. Third-Party Scripts
Every third-party script added to your site introduces a potential privacy risk.
Examples of third-party scripts that might be sending PHI out:
Live chat widgets: Some chat providers track user interactions and store messages on their own servers.
Search bars: Autocomplete suggestions or search history might contain medical queries.
Form builders: If a third-party contact form is used to collect patient information, that data might pass through an external system before reaching you.
How do you fix this?
Audit every external script on your site. Run a scan and see where data is going.
Use HIPAA-compliant alternatives for live chat, forms, and search tools.
If third-party scripts are necessary, restrict them to pages that don’t contain sensitive health content.
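One way to run the audit described above, as an added example rather than code from the original post or from Ours Privacy: classify every request a page makes as first-party or third-party and tag the third-party ones by the leak channel discussed in this article. The page origin, hostname patterns and sample request list are constructed for illustration; in a browser you would collect the real list from the Performance API.

```javascript
// Added example (not from the original post): audit the requests a page makes.
// In a browser, capture the URLs with:
//   performance.getEntriesByType('resource').map(e => e.name)
// Here a constructed list stands in for that capture.

const PAGE_ORIGIN = 'https://clinic.example'; // assumed first-party origin

// Hostname patterns are assumptions for illustration; extend for your own scan.
const CHANNELS = [
  { channel: 'map',   hosts: ['maps.googleapis.com', 'maps.google.com'] },
  { channel: 'font',  hosts: ['fonts.googleapis.com', 'fonts.gstatic.com', 'use.typekit.net'] },
  { channel: 'video', hosts: ['youtube.com', 'player.vimeo.com'] },
];

// Map a third-party hostname (and path) to the channel it most likely represents.
function channelFor(hostname, pathname) {
  for (const c of CHANNELS) {
    if (c.hosts.some(h => hostname === h || hostname.endsWith('.' + h))) return c.channel;
  }
  if (pathname.endsWith('.js')) return 'script';
  return 'other';
}

// Return one finding per request whose origin differs from the page's own origin.
// Relative URLs resolve against the page origin and are therefore first-party.
function auditRequests(urls, pageOrigin = PAGE_ORIGIN) {
  const findings = [];
  for (const raw of urls) {
    let u;
    try { u = new URL(raw, pageOrigin); } catch { continue; } // skip unparsable entries
    if (u.origin === pageOrigin) continue;
    findings.push({ url: raw, host: u.hostname, channel: channelFor(u.hostname, u.pathname) });
  }
  return findings;
}

// Constructed sample capture from a hypothetical condition-specific page.
const SAMPLE_REQUESTS = [
  'https://clinic.example/css/site.css',
  '/fonts/inter.woff2',
  'https://fonts.googleapis.com/css2?family=Inter',
  'https://maps.googleapis.com/maps/api/js?key=KEY_PLACEHOLDER',
  'https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER',
  'https://chat.vendor.example/widget.js',
];

for (const f of auditRequests(SAMPLE_REQUESTS)) {
  console.log(`${f.channel.padEnd(6)} ${f.host}  <- ${f.url}`);
}
```

Every line printed is a request that carries at least the visitor's IP address and the page URL to another party; each needs either a BAA, a first-party replacement, or removal from pages with health-related content.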
And that’s just the beginning: it’s also worth considering reputation management platforms, reCAPTCHA, and more. “One area that we find that healthcare organizations need to ensure a BAA is in place is with their reputation management platforms. Since these platforms automate the retrieval of patient reviews, there is a wide range of ePHI within them such as name, email, phone number and, most importantly, healthcare status,” said Ashley La Fleur, Vice President and Privacy & Security Officer at Root3 Marketing. “For outside agencies working within these tools, having data sharing agreements in place is a best practice – it helps everyone understand who has access to what ePHI and how they can share and transfer that information across the platform and one another.”
Privacy Isn’t Black and White, But You Can Still Get It Right
Regulations around tracking technologies in healthcare aren’t crystal clear. There’s been pushback from the AHA (American Hospital Association), and the type and scope of services you provide (as well as your scale) impact how regulators assess compliance.
But regardless of the gray areas, the best move is proactive risk reduction. Fixing these issues is straightforward, but it does take time.
What Should You Do Next?
1. Audit Your Entire Setup
Review every page, every subdomain, and every external service that touches your website.
Identify any third-party tools that could be exposing PHI.
2. Replace Non-Compliant Tools
Swap out risky third-party services for HIPAA-compliant alternatives that will sign a BAA.
Host resources locally whenever possible.
3. Train Your Team and Build Privacy Awareness
Make sure your marketing and IT teams understand how these seemingly small integrations can create compliance risks (e.g., the recent and concerning GTM update from Google).
Document all data flows, so you know exactly where patient information is going and why.
4. Double-Check Everything. Then Check Again
Even after fixes are in place, test for leaks. Use tools like browser developer consoles, network request monitors, and privacy scanners to confirm that no PHI is leaving your site without authorization.
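A way to make that final check continuous, as an added example that is not part of the original post: serve a Content-Security-Policy in report-only mode that allows only the site's own origin for fonts, frames (maps and video embeds), scripts, images, media and outbound connections, and parse the violation reports the browser sends back. The directive list, the report endpoint path, the vendor origin and the sample report are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): CSP as a leak detector.
// Send the value of buildCsp() in a Content-Security-Policy-Report-Only header;
// browsers then report every request that would leave the first-party origin.

const SELF_ONLY_DIRECTIVES = ['default-src', 'script-src', 'font-src', 'frame-src',
                              'img-src', 'connect-src', 'media-src'];

// Build the header value. `extraSources` maps a directive to vetted origins
// (for example a vendor that has signed a BAA); everything else stays 'self'.
// `report-uri` is used here for brevity; newer deployments pair it with `report-to`.
function buildCsp(extraSources = {}, reportEndpoint = '/csp-report') {
  const parts = SELF_ONLY_DIRECTIVES.map(d => {
    const extra = (extraSources[d] || []).join(' ');
    return extra ? `${d} 'self' ${extra}` : `${d} 'self'`;
  });
  parts.push(`report-uri ${reportEndpoint}`);
  return parts.join('; ');
}

// Normalise a browser violation report (either the legacy `csp-report` object
// or a Reporting API `csp-violation` entry) into one finding for review.
function parseViolation(report) {
  const r = report['csp-report'] || report.body || report;
  const blocked = r['blocked-uri'] || r.blockedURL || '';
  const directive = r['effective-directive'] || r.effectiveDirective ||
                    r['violated-directive'] || '';
  const page = r['document-uri'] || r.documentURL || '';
  let blockedHost = blocked;
  try { blockedHost = new URL(blocked).hostname; } catch { /* 'inline', 'eval', ... */ }
  return { page, directive, blockedHost };
}

// Constructed sample: what a browser would POST after loading a page that
// still pulls a web font from a third-party CDN.
const SAMPLE_REPORT = {
  'csp-report': {
    'document-uri': 'https://clinic.example/services/oncology',
    'effective-directive': 'font-src',
    'blocked-uri': 'https://fonts.gstatic.com/s/inter/v12/inter.woff2',
  },
};

console.log(buildCsp({ 'frame-src': ['https://maps.vendor-with-baa.example'] }));
console.log(parseViolation(SAMPLE_REPORT));
```

Once the report stream is empty for pages with health content, switch the header from report-only to enforcing so any future integration that reaches out to a third party is blocked rather than merely logged.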
Let’s Fix This Together
If any of this is a concern for your organization, let’s talk.
We help healthcare companies lock down their marketing and web technologies so that PHI stays protected. More importantly, the Ours Privacy platform offers HIPAA-compliant marketing pixel, maps, and video solutions.