HIPAA Penalties for Marketing Violations: Fine Tiers, Recent Cases, and Prevention
In February 2023, the FTC announced a $1.5 million civil penalty against GoodRx for sharing user health data with advertising platforms through tracking pixels, the first enforcement action under the Health Breach Notification Rule. Within weeks, a class action settlement added $25 million to the total. GoodRx had not been hacked. No employee had stolen patient records. The company had configured Meta Pixel and Google tracking exactly as those platforms intended, and the resulting data flows transmitted prescription drug names, health conditions, and personal identifiers to Facebook, Google, and other ad platforms.
GoodRx became the opening case in what has since grown to $193M+ in combined enforcement actions and settlements across 15 major cases. The penalties have come from three separate enforcement channels (federal agencies, state attorneys general, and class action courts), affecting health systems, telehealth platforms, dental groups, fertility apps, and therapy providers. No healthcare vertical has been exempt. And every case involved standard marketing tools used exactly as designed.
The Four HIPAA Penalty Tiers
The HITECH Act established a tiered penalty structure for HIPAA violations, and HHS adjusts the dollar amounts for inflation each year; the figures below are the 2023 adjusted amounts. The tiers are based on the level of culpability. Penalties are assessed per violation, and the annual maximum applies per identical provision violated, so the cap is reached separately for each requirement breached and for each calendar year the conduct continued. Since 2019, OCR has also exercised enforcement discretion that applies lower annual caps to the first three tiers.
Tier 1: Did Not Know. The covered entity did not know and, by exercising reasonable diligence, would not have known about the violation. Penalty range: $137 to $68,928 per violation, with an annual maximum of $2,067,813.
Tier 2: Reasonable Cause. The violation was due to reasonable cause and not willful neglect. Penalty range: $1,379 to $68,928 per violation, with the same annual maximum of $2,067,813.
Tier 3: Willful Neglect, Corrected. The violation was due to willful neglect but was corrected within 30 days of discovery. Penalty range: $13,785 to $68,928 per violation, with the same annual maximum.
Tier 4: Willful Neglect, Not Corrected. The violation was due to willful neglect and was not corrected within 30 days. Penalty range: $68,928 to $2,067,813 per violation, with the same annual maximum.
The "per violation" calculation is critical. OCR can count each affected individual, or each day a violation persisted, as a separate violation, so the count reaches the annual cap almost immediately, and that cap then applies separately to every provision violated and every year the tracking ran. When Kaiser Permanente's tracking code affected 13.4 million members over several years, the theoretical exposure under HIPAA alone ran to many times the single-year cap. The practical impact was a $47.5 million class action settlement, which, while enormous, was reached in litigation rather than under the penalty tiers.
Where Marketing Violations Fall in the Tiers
For marketing teams, the tier classification often comes down to governance. Organizations that had no process for evaluating tracking technologies before deployment tend to fall into Tier 2 (reasonable cause) or Tier 3 (willful neglect, corrected), depending on how quickly they responded after learning of the issue.
The NewYork-Presbyterian case illustrates how governance failures raise culpability. NYP used tracking pixels on its website from 2016 to 2022 with no internal policies or procedures for vetting tracking tools before deployment. The absence of any governance process is the kind of fact that supports a willful neglect finding: the organization did not take reasonable steps to ensure compliance, even though the tools were handling data from a healthcare website. (The matter was resolved by the New York Attorney General rather than through an OCR tiered penalty, but the same facts would drive OCR's tier determination.)
Conversely, an organization that discovers a tracking issue, immediately removes the pixel, conducts a breach risk assessment, and implements corrective measures may qualify for a lower tier. Speed of response matters.
Beyond OCR: The Three Enforcement Channels
HIPAA penalties are only one piece of the financial exposure. Marketing violations in healthcare trigger enforcement from three separate channels, and an organization can face all three simultaneously.
Channel 1: HHS Office for Civil Rights (OCR). OCR enforces HIPAA directly. It investigates complaints, conducts compliance reviews, and imposes civil monetary penalties. In July 2023, OCR and the FTC sent joint warning letters to approximately 130 hospital systems and telehealth providers about tracking technology risks. OCR's December 2022 bulletin on tracking technologies clarified that tracking pixels on healthcare websites can create PHI disclosures subject to HIPAA enforcement. OCR revised that bulletin in March 2024, and in June 2024 a federal district court in Texas vacated the portion that treated an IP address combined with a visit to an unauthenticated page as individually identifiable health information; the guidance on authenticated pages, and the underlying Privacy Rule obligations, still apply.
Channel 2: FTC enforcement. The FTC enforces the Health Breach Notification Rule (HBNR) and Section 5 (unfair or deceptive practices). For organizations outside HIPAA's direct scope (telehealth apps, digital health companies, health trackers), the FTC has become the primary enforcement body. GoodRx ($1.5M), BetterHelp ($7.8M), Cerebral ($7M), and Monument (advertising ban) are all FTC enforcement actions.
Channel 3: Class action litigation. Nearly every major tracking pixel case since 2023 has generated class action lawsuits. These settlements are often the largest financial impact: Kaiser Permanente ($47.5M), Sutter Health ($21.5M), Mass General Brigham ($18.4M), Aspen Dental ($18.4M), Advocate Aurora ($12.25M), Henry Ford ($12.2M), BJC HealthCare ($9.25M), Novant Health ($6.66M), MarinHealth ($3M). HIPAA itself has no private right of action, so these suits proceed under state privacy, wiretap and consumer protection statutes and common-law claims such as breach of contract and negligence. Plaintiffs do not need to show willfulness; the core allegation is that identifiable health information was disclosed to third parties without authorization.
State attorneys general represent a fourth channel. New York's AG settled with NewYork-Presbyterian for $300K. Other states are actively investigating tracking technology practices. States can enforce HIPAA violations under HITECH Act authority and also bring actions under their own consumer protection and privacy statutes.
The Cases That Defined Marketing Enforcement
Two cases illustrate how routine marketing technology creates the violations that trigger these penalty mechanisms.
Kaiser Permanente ($47.5M class action, 2025). From 2017 to 2024, Kaiser's websites, patient portals, and mobile apps used third-party tracking code that transmitted health information to Google, Microsoft, Meta, and X without member consent. The tracking captured search terms, medical histories, and communications with healthcare professionals. It affected 13.4 million members across nine states. The settlement is the largest tracking-related case to date.
Kaiser's case demonstrates the scale risk. Seven years of unmonitored tracking across multiple digital properties, affecting millions of members, produced a settlement that dwarfs any individual HIPAA penalty tier. The case was resolved through class action litigation, not OCR enforcement, which means the HIPAA penalty tiers were not even the relevant framework.
BetterHelp ($7.8M FTC, 2023). BetterHelp shared email addresses, IP addresses, and mental health intake questionnaire responses with Facebook, Snapchat, Criteo, and Pinterest. The company used patient therapy history to build Facebook lookalike audiences. A recent college graduate with no marketing training was placed in charge of deciding what user data was uploaded to Facebook.
BetterHelp's case demonstrates governance as a penalty multiplier. The FTC cited the absence of qualified oversight as a factor in the enforcement. When organizations have no training, no vetting process, and no qualified personnel managing data flows to advertising platforms, regulators view this as an aggravating factor.
Costs Beyond the Fine
The direct penalty or settlement is often the smallest cost of a marketing violation.
Legal fees and investigation costs. Responding to an OCR investigation, defending a class action, and negotiating settlements requires substantial legal resources. These costs begin accumulating before any penalty is assessed and continue for years.
Breach notification expenses. When a tracking technology violation triggers a breach determination, the organization must notify every affected individual in writing, and for breaches affecting 500 or more individuals it must also notify HHS and prominent media outlets. For Kaiser, that was 13.4 million individual notices. The printing, mailing, and staffing costs alone are significant.
Corrective action plans. OCR enforcement often includes a corrective action plan (CAP) that requires the organization to implement new policies, conduct training, engage independent assessors, and submit to monitoring for one to three years. The operational burden of a CAP extends far beyond the initial penalty.
Reputational impact. Breaches affecting 500 or more individuals are publicly listed on HHS's breach portal. Media coverage follows every major settlement. Patients who receive breach notifications may choose other providers. Employer health contracts may include breach history as an evaluation criterion. The reputational cost compounds long after the financial penalty is paid.
Prevention: Eliminating the Architecture That Creates Violations
The enforcement landscape makes one pattern clear: every case involved client-side tracking technology sending data from patient browsers to third-party platforms without adequate authorization or BAA coverage. Prevention means addressing that architectural pattern.
Replace client-side tracking with server-side infrastructure. When the browser sends data directly to advertising and analytics platforms, you have no control over what data leaves. Server-side architecture routes all data through your infrastructure first, where consent can be verified, PHI can be filtered, and only compliant data reaches downstream destinations. Server-side routing is a control point, not a permission: whatever you forward still has to be authorized or stripped of PHI, and a destination that receives PHI still needs a BAA.
Require BAAs with every marketing technology vendor. Every vendor that receives data from your healthcare digital properties needs a signed BAA. This includes analytics platforms, advertising pixels, CRM systems, session replay tools, and chatbot providers. A BAA establishes the legal framework that HIPAA requires and creates vendor accountability for data protection. The major advertising platforms generally will not sign a BAA for their ad and analytics products; a vendor that will not sign cannot receive PHI, which is exactly why the data has to be filtered before it leaves your infrastructure.
Implement consent-gated data flows. Consent management is moving from a checkbox exercise to a core compliance infrastructure. Server-side consent gating ensures that no data flows to third parties until consent is verified, not just clicked. As state privacy laws expand and patient expectations evolve, consent infrastructure is becoming a requirement, not an option.
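The server-side pattern described in the two points above (route events through your own infrastructure, verify consent against a server-side record, strip PHI, forward only an allowlisted payload) is easier to reason about in code. The following is an added example, not code from the page or from Ours Privacy; the field names, the sensitive-path patterns, the consent store interface and the sample events are all assumptions for illustration.

```python
"""Added example, not code from the page or from any vendor: a minimal
server-side tracking gateway. The browser posts events here instead of
loading a third-party pixel; the gateway checks consent against a
server-side record, drops events from clinical or authenticated paths,
strips every query parameter except campaign tags, and forwards only an
allowlisted payload. Field names, path patterns and the consent store are
assumptions for illustration; the sample events are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, parse_qsl, urlencode
import re

# Paths that imply an authenticated-patient or clinical context (assumed list).
# Events from these paths are dropped entirely rather than scrubbed.
SENSITIVE_PATH = re.compile(
    r"^/(portal|mychart|appointments|conditions|prescriptions|messages)(/|$)"
)

# Only campaign parameters leave the building; search terms, drug names,
# provider IDs and anything else in the query string are dropped.
ALLOWED_QUERY_PREFIX = "utm_"


@dataclass
class ConsentRecord:
    marketing: bool
    verified: bool  # set only by the consent service, never from a client-side flag


@dataclass
class Event:
    user_id: str
    name: str
    url: str
    referrer: str = ""
    client_consent_flag: bool = False  # what the browser claims; not trusted on its own
    extra: dict = field(default_factory=dict)  # free-form fields; never forwarded


class ConsentStore:
    """Server-side source of truth for consent (assumed interface)."""

    def __init__(self, records: Dict[str, ConsentRecord]):
        self._records = records

    def get(self, user_id: str) -> Optional[ConsentRecord]:
        return self._records.get(user_id)


def scrub_url(url: str) -> Tuple[str, str]:
    """Return (path, query) with every non-campaign parameter removed."""
    parts = urlsplit(url)
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower().startswith(ALLOWED_QUERY_PREFIX)
    ]
    return parts.path, urlencode(kept)


def route_event(ev: Event, store: ConsentStore) -> Tuple[str, Optional[dict]]:
    """Decide whether an event may be forwarded and build the outbound payload.

    Returns (decision, payload); payload is None when the event is blocked.
    The client's own consent flag is ignored: only a verified record counts.
    """
    rec = store.get(ev.user_id)
    if rec is None or not rec.verified or not rec.marketing:
        return "blocked:no_verified_consent", None
    path, query = scrub_url(ev.url)
    if SENSITIVE_PATH.match(path):
        return "blocked:sensitive_path", None
    payload = {
        "event": ev.name,
        "page_path": path,
        "page_query": query,
        "referrer_host": urlsplit(ev.referrer).hostname or "",
        # Deliberately absent: user_id, IP, user agent, ev.extra, referrer query string.
    }
    return "forward", payload


# Constructed sample consent records, not real data.
STORE = ConsentStore({
    "u1": ConsentRecord(marketing=True, verified=True),
    "u2": ConsentRecord(marketing=False, verified=True),
})

if __name__ == "__main__":
    samples = [
        Event("u1", "page_view",
              "https://clinic.example/services/cardiology?utm_source=g&q=chest+pain",
              referrer="https://www.google.com/search?q=cardiologist"),
        Event("u1", "page_view", "https://clinic.example/portal/prescriptions?rx=sertraline"),
        Event("u2", "page_view", "https://clinic.example/", client_consent_flag=True),
        Event("u3", "page_view", "https://clinic.example/", client_consent_flag=True),
    ]
    for ev in samples:
        print(route_event(ev, STORE))
```

Two design choices matter here. The browser's own consent flag is carried on the event but never consulted, so a tampered or stale client cannot unlock forwarding; and the outbound payload is built from an allowlist rather than by deleting known-bad fields, so a new field added upstream is dropped by default instead of leaking.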
Monitor your tracking surface continuously. Every enforcement case involved tracking that ran for years before discovery. A web scanner that crawls your website on an ongoing basis detects new scripts, cookies, and tracking pixels as they appear. This collapses the discovery window from years to days and prevents the accumulation of unmonitored data exposure.
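A scanner of the kind the paragraph above describes does not need a crawler framework to be useful; the core is parsing each fetched page and diffing what it loads against an approved baseline. The block below is an added example, not code from the page or from Ours Privacy: it inventories every third-party host a page references in script, image, iframe and link tags, hosts named inside inline JavaScript (the dynamic loaders pixels use), and inline pixel bootstraps such as fbq('init', ...). The tracker host list, the inline patterns and the baseline are assumptions, and the sample HTML is constructed with placeholder IDs.

```python
"""Added example, not code from the page or from any vendor: a minimal
tracking-surface scanner over one fetched HTML document. The tracker host
list, inline patterns and baseline are assumptions; the sample page is
constructed with placeholder IDs."""
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlsplit
import re

# Well-known tag-manager and pixel hosts (assumed, illustrative; extend from your own inventory).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net", "www.facebook.com", "www.googletagmanager.com",
    "www.google-analytics.com", "analytics.tiktok.com", "snap.licdn.com", "bat.bing.com",
}
# Inline bootstraps that install a pixel without a visible <script src> (assumed patterns).
INLINE_PATTERNS = {
    "meta_pixel": re.compile(r"\bfbq\s*\(\s*['\"]init['\"]"),
    "google_tag": re.compile(r"\bgtag\s*\(\s*['\"]config['\"]|\bGTM-[A-Z0-9]+"),
    "tiktok_pixel": re.compile(r"\bttq\.load\s*\("),
    "linkedin_insight": re.compile(r"_linkedin_partner_id"),
}
URL_IN_SCRIPT = re.compile(r"https?://([A-Za-z0-9.-]+)")
RESOURCE_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class TrackerSurfaceParser(HTMLParser):
    """Collects every host the page loads resources from, plus inline pixel bootstraps."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.hosts: Set[str] = set()         # hosts named in src/href attributes
        self.script_hosts: Set[str] = set()  # hosts named inside inline JS
        self.inline_hits: Set[str] = set()
        self._script_buf: List[str] = []
        self._in_script = False

    def _add_host(self, ref: str, bucket: Set[str]) -> None:
        # urlsplit handles absolute and protocol-relative ("//cdn...") references;
        # relative paths such as "/static/app.js" yield no hostname and are first-party.
        host = urlsplit(ref).hostname
        if host and host.lower() != self.page_host:
            bucket.add(host.lower())

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        ref = attr.get(RESOURCE_ATTR.get(tag, ""))
        if ref:
            self._add_host(ref, self.hosts)
        if tag == "script":
            self._in_script, self._script_buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        body = "".join(self._script_buf)
        for name, pattern in INLINE_PATTERNS.items():
            if pattern.search(body):
                self.inline_hits.add(name)
        for host in URL_IN_SCRIPT.findall(body):
            self._add_host("//" + host, self.script_hosts)


def scan(html: str, page_url: str, approved: Set[str]) -> Dict[str, List[str]]:
    """Report one page's tracking surface and everything not in the approved baseline."""
    parser = TrackerSurfaceParser((urlsplit(page_url).hostname or "").lower())
    parser.feed(html)
    parser.close()
    hosts = parser.hosts | parser.script_hosts
    findings = {f"host:{h}" for h in hosts} | {f"inline:{n}" for n in parser.inline_hits}
    return {
        "third_party_hosts": sorted(hosts),
        "known_trackers": sorted(h for h in hosts if h in KNOWN_TRACKER_HOSTS),
        "inline_pixels": sorted(parser.inline_hits),
        "new_findings": sorted(findings - approved),
    }


# Constructed sample page with placeholder IDs; not a real site.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>(function(d,u){var s=d.createElement('script');s.src=u;d.head.appendChild(s)})
(document,'https://connect.facebook.net/en_US/fbevents.js');
fbq('init','000000000000000');fbq('track','PageView');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}
gtag('js',new Date());gtag('config','G-XXXXXXXXXX');</script>
<link rel="preconnect" href="https://fonts.gstatic.com">
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<iframe src="https://www.youtube.com/embed/placeholder"></iframe>
</body></html>"""
BASELINE = {"host:fonts.gstatic.com", "host:www.youtube.com"}  # assumed approved set

if __name__ == "__main__":
    for key, values in scan(SAMPLE_HTML, "https://clinic.example/services", BASELINE).items():
        print(f"{key}: {values}")
```

Run this over every page on each crawl and alert on a non-empty new_findings list; because the baseline is a set of explicit approvals, a pixel that a marketing tool injects next week shows up on the next crawl rather than in a breach notification years later. Static parsing will miss scripts that are only injected at runtime by a tag manager, so a headless-browser pass that records outbound requests is the natural complement.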
Establish vendor vetting and governance. Create a documented process for evaluating and approving any new tracking technology before it is deployed. Train marketing staff on PHI handling. Assign qualified personnel to oversee data flows to advertising platforms. NYP's $300K settlement and BetterHelp's $7.8M penalty both cited governance failures as contributing factors.
FAQ
What is the maximum HIPAA fine for a marketing violation?
The maximum civil penalty under HIPAA is $2,067,813 per identical provision violated per calendar year (2023 inflation-adjusted figure), and the cap is applied separately to each provision and each year. However, class action settlements have far exceeded this in practice: Kaiser's $47.5M settlement, Sutter Health's $21.5M settlement, and others demonstrate that total financial exposure extends well beyond the HIPAA penalty tiers when class action litigation is included.
Can individual employees be penalized for HIPAA marketing violations?
HIPAA penalties are assessed against covered entities and business associates, not typically against individual employees. However, criminal HIPAA violations (knowingly obtaining or disclosing PHI) can result in penalties against individuals, including fines up to $250,000 and imprisonment up to 10 years. The FTC's BetterHelp case highlighted individual governance failures, though the penalty was assessed against the company.
Does the FTC enforce HIPAA violations?
The FTC does not enforce HIPAA directly. It enforces the Health Breach Notification Rule and Section 5 of the FTC Act (unfair or deceptive practices). However, the same conduct that violates HIPAA (sharing health data with advertising platforms) often also violates FTC rules, meaning organizations can face penalties from both agencies for the same underlying behavior. The money changes hands differently depending on the rule: GoodRx's $1.5M was a civil penalty under the HBNR, whereas BetterHelp's $7.8M was consumer redress under Section 5, which does not carry civil penalties for a first violation.
How long do organizations have to correct a violation before penalties increase?
Under Tier 3 of the HIPAA penalty structure, organizations that correct a violation within 30 days of discovery are subject to lower penalties than those that do not correct within 30 days (Tier 4). This means that rapid response to a discovered tracking issue, including removing the tracking technology, conducting a risk assessment, and implementing corrective measures, can materially reduce the penalty tier.
Are class action settlements covered by cyber insurance?
Coverage varies by policy. Many cyber insurance policies cover regulatory fines and breach-related litigation costs, but some exclude class action settlements or have sublimits for tracking technology claims. Review your policy with your broker specifically regarding tracking technology exposure, as this is a relatively new category of claim that older policies may not contemplate.
HIPAA penalties for marketing violations are escalating in frequency, severity, and breadth of enforcement. The organizations paying these penalties were not engaging in exotic data theft. They were running standard marketing technology. If your team wants to avoid joining the $193M+ enforcement total, Ours Privacy provides the infrastructure that eliminates the tracking patterns behind these cases.
Related reading:
What Is the OCR? How HHS Enforces HIPAA on Healthcare Marketers
Healthcare Data Breach Notification: Timeline, Requirements, and Marketing Fallout
HIPAA and Marketing: What the Privacy Rule Actually Says About Advertising