The December 2022 OCR Guidance on Tracking Technologies: What Changed
On December 1, 2022, the HHS Office for Civil Rights published a bulletin titled "Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates." In plain terms, OCR told the healthcare industry: the tracking pixels, cookies, analytics scripts, and session replay tools running on your websites and patient portals are subject to HIPAA. The bulletin did not create new regulations. It applied existing HIPAA rules to a category of technology that most healthcare organizations had treated as outside the scope of patient data protection.
The guidance landed in an industry that had spent years installing Google Analytics, Meta Pixel, and other standard marketing tools under the assumption that "public website" meant "not HIPAA-regulated." Within months, the bulletin's interpretation of what constitutes PHI on unauthenticated pages would trigger a legal challenge, a partial court vacatur, and an OCR withdrawal of its appeal. The result is a compliance landscape that is more nuanced than either "the guidance stands" or "the guidance was struck down." Healthcare marketing teams need to understand exactly what the bulletin said, what the courts changed, and what remains binding.
What the Bulletin Actually Said
The December 2022 guidance addressed two categories of web pages: authenticated (behind a login, like a patient portal) and unauthenticated (public-facing pages that anyone can visit).
For authenticated pages, the guidance was unambiguous. When a user logs into a patient portal, any data collected by tracking technologies on those pages is PHI. The user's identity is known. The pages contain health-related content. Any tracking technology that collects and transmits data from those pages to a third party without HIPAA authorization or a valid exception is a violation. This includes session replay tools, analytics scripts, and advertising pixels.
For unauthenticated pages, the guidance made a more expansive claim. OCR stated that even on public-facing pages, the combination of an individual's IP address with information about their visit to a health-related webpage could constitute PHI. The reasoning: if a visitor browses a hospital's oncology department page, the IP address (an identifier) combined with the page content (health information) and the fact that the visit was to a HIPAA-covered entity's website creates individually identifiable health information.
This interpretation meant that a standard Google Analytics installation on a hospital's public website could be generating and transmitting PHI every time a visitor viewed a condition-specific page. The IP address, page URL, timestamp, and browsing behavior flowing to Google's servers would constitute a disclosure of PHI to a vendor without a BAA.
The guidance also addressed mobile health apps, specifying that SDKs and third-party code within apps operated by covered entities are subject to the same HIPAA requirements as web-based tracking technologies.
The Enforcement Cascade That Followed
The guidance did not emerge in a vacuum. OCR published it after observing the proliferation of tracking technologies on healthcare websites and the growing number of breach reports related to pixel-based data sharing. The timing aligned with a broader enforcement push.
In July 2023, OCR and the FTC sent joint warning letters to approximately 130 hospital systems and telehealth providers about tracking technology risks. The letters put the industry on notice that both agencies were monitoring compliance.
The enforcement cases that followed involved the exact scenario the guidance described. Kaiser Permanente's $47.5 million settlement in 2025 involved third-party tracking code on websites, patient portals, and mobile apps that transmitted health information to Google, Microsoft, Meta, and X. The tracking affected 13.4 million members and ran from 2017 to 2024.
Advocate Aurora Health's $12.25 million settlement centered on Meta Pixel and Google Analytics installed on its website and patient portal. The tools exposed data of approximately 3 million patients to Meta and Google between 2017 and 2022. Advocate Aurora had deployed the tools to "better understand patient needs."
These cases validated the bulletin's core premise: standard marketing technologies on healthcare websites generate PHI, and the organizations deploying them bear liability for the data those technologies transmit.
The Legal Challenge and Partial Vacatur
The guidance's broad interpretation of PHI on unauthenticated pages drew a legal challenge. The American Hospital Association (AHA) and other healthcare industry groups sued HHS in the Northern District of Texas, arguing that OCR had exceeded its authority by reinterpreting the definition of PHI through guidance rather than formal rulemaking.
In June 2024, a Texas federal court vacated portions of the guidance. Specifically, the court found that OCR's interpretation that an IP address combined with a visit to a public webpage of a covered entity automatically constitutes PHI went beyond HIPAA's statutory and regulatory text. The court held that the combination of an IP address and a webpage visit does not, by itself, constitute "individually identifiable health information" as HIPAA defines it.
In August 2024, OCR withdrew its appeal of the ruling.
What was vacated: The specific claim that any data collected on an unauthenticated, public-facing webpage of a covered entity is automatically PHI simply because the visit occurred on a healthcare website.
What was not vacated: The guidance's application to authenticated pages (patient portals). The principle that tracking technologies can transmit PHI when they capture information linked to both an individual's identity and their health information. The requirement that covered entities and business associates must comply with HIPAA when using tracking technologies that access PHI.
What Still Applies After the Court Ruling
The partial vacatur created confusion in the industry. Some healthcare organizations interpreted it as permission to resume installing tracking pixels on public websites. That interpretation carries significant risk for several reasons.
The authenticated page guidance stands. Any tracking technology on a patient portal, login-protected health records system, or appointment scheduling page behind authentication is subject to HIPAA. Period. This was not challenged in court and remains binding.
The PHI definition has not changed. HIPAA still defines PHI as individually identifiable health information. When a tracking pixel captures data that links an individual's identity to their health condition, treatment, or healthcare provider relationship, that data is PHI. The court ruling narrowed one specific interpretation (IP address plus webpage visit alone), but it did not redefine PHI or create a safe harbor for tracking on healthcare websites.
Class action courts are not waiting for OCR. The settlements from Kaiser, Advocate Aurora, Sutter Health, Henry Ford, and others did not depend on the December 2022 guidance. They were based on existing HIPAA requirements and state privacy laws. Removing the guidance does not remove the legal theories that have generated $193 million in settlements.
State health privacy laws fill the gap. Washington's My Health My Data Act, Connecticut's consumer health data protections, and similar state laws apply to health data regardless of the OCR guidance. These laws often define health data more broadly than HIPAA and apply to entities beyond HIPAA-covered entities. The state-level regulatory trend is toward more protection, not less.
OCR has signaled continued enforcement priority. Despite withdrawing the appeal, OCR has not retracted its position that tracking technologies on healthcare websites create compliance risk. The joint OCR/FTC warning letters to 130 healthcare organizations remain operative, and OCR continues to investigate tracking technology complaints.
Practical Implications for Healthcare Marketing Teams
The post-guidance, post-vacatur landscape requires healthcare marketing teams to make nuanced decisions rather than rely on binary "compliant/not compliant" assessments.
Treat authenticated pages as non-negotiable. Remove all tracking technologies from patient portals and authenticated pages unless the vendor has a BAA and the data collection is authorized. This is the clearest, most defensible position and was not affected by the court ruling.
Evaluate unauthenticated pages by data sensitivity. The court ruling means that an IP address on a general hospital homepage may not automatically constitute PHI. But a visitor's IP address combined with browsing behavior across specific condition pages (cancer, mental health, substance abuse) still creates significant risk under HIPAA, state laws, and class action theories. The question is not "is this page authenticated?" but "does the data collected on this page link identity to health information?"
Use server-side architecture to control data flows. The safest architectural approach, regardless of how the guidance is interpreted, is server-side data collection. When data routes from your servers to vendors, you control exactly what information reaches each destination. You can strip IP addresses, remove health-context URLs, and ensure no PHI reaches vendors without BAAs. Client-side pixels send raw data through the browser, giving you no opportunity to filter before it reaches a third party.
Implement consent that goes beyond cookie banners. The December 2022 guidance, the court ruling, and state privacy laws all point in the same direction: consent management is the next frontier of healthcare compliance. Cookie consent satisfies some state requirements, but HIPAA authorization and state health data consent laws require more specific, affirmative consent mechanisms. Server-side consent gating ensures that no data flows to any vendor until consent is verified, regardless of browser behavior.
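The two points above (server-side filtering and server-side consent gating) can be illustrated with a small first-party routing layer. This is an added example, not code from the original page or from any vendor; the vendor names, the list of health-context path segments, and the event fields are constructed assumptions for the illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed for this example: URL path segments treated as health context on a
# hospital site. A real deployment would derive this list from its own site map.
HEALTH_CONTEXT_PATH = re.compile(
    r"/(oncology|cancer|mental-health|substance-abuse|conditions)(/|$)", re.IGNORECASE)
REDACTED_PATH = "/health-content-redacted"


@dataclass(frozen=True)
class Vendor:
    name: str
    has_baa: bool  # whether a signed BAA covers the data this vendor receives


@dataclass
class Event:
    """One page-view event as a browser pixel would have sent it to a vendor.
    In the server-side model it is received by the first-party server instead."""
    ip: str
    url: str
    authenticated: bool      # True when the page sits behind the portal login
    consent_verified: bool   # server-side consent state, not a cookie-banner flag
    user_agent: str = ""


def sanitize_url(url: str) -> str:
    """Drop query string and fragment; replace health-context paths with a neutral path."""
    parts = urlsplit(url)
    path = REDACTED_PATH if HEALTH_CONTEXT_PATH.search(parts.path) else parts.path
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def route_event(event: Event, vendor: Vendor):
    """Return the payload to forward to `vendor`, or None if nothing may be sent."""
    if not event.consent_verified:
        return None  # consent gating: no data leaves the server until consent is verified
    if event.authenticated and not vendor.has_baa:
        return None  # authenticated pages are PHI; only BAA-covered vendors receive anything
    if vendor.has_baa:
        # Covered vendor: forward the event as collected.
        return {"ip": event.ip, "url": event.url, "user_agent": event.user_agent}
    # No BAA: strip the identifier and the health context before forwarding.
    return {"url": sanitize_url(event.url), "user_agent": event.user_agent}


def fan_out(event: Event, vendors):
    """Build the per-vendor payloads; None marks a vendor that receives nothing."""
    return {v.name: route_event(event, v) for v in vendors}
```

Because the decision runs on the server, a vendor with no BAA never sees the IP address or the condition-page URL, and a visitor without verified consent produces no outbound payload at all.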
Monitor continuously. The guidance made clear that tracking technologies change constantly. Marketing teams add scripts. Plugins update. Third-party tags load additional tags. A web scanner that crawls your site on an ongoing basis catches unauthorized tracking before it becomes a breach report.
FAQ
Is the December 2022 OCR guidance still in effect?
Partially. The guidance's application to authenticated pages (patient portals) was not challenged and remains binding. The broader interpretation that any data collected on unauthenticated public pages automatically constitutes PHI was vacated by a Texas federal court in June 2024. The core HIPAA requirements for tracking technologies that capture PHI remain unchanged regardless of the guidance.
Did the court ruling make it safe to use Google Analytics on healthcare websites?
No. The court ruling narrowed one specific interpretation in the guidance. It did not create a safe harbor for analytics tools on healthcare websites. Google Analytics still collects IP addresses, page URLs, and behavioral data that can link individuals to health information. Class action lawsuits have generated over $100 million in settlements for exactly this type of data collection, and those cases did not depend on the December 2022 guidance.
What should we do about tracking pixels on our patient portal?
Remove them unless the vendor has a signed BAA covering the data collected by the pixel and the data collection is HIPAA-authorized. The guidance on authenticated pages was not affected by the court ruling and represents OCR's clear position on tracking technologies in patient portals. Every major enforcement case has involved patient portal tracking.
Does the guidance apply to mobile health apps?
Yes. The December 2022 guidance explicitly addressed mobile apps operated by covered entities. SDKs and third-party code within those apps are subject to HIPAA requirements. If an SDK transmits health data to a third party without a BAA and proper authorization, it creates the same compliance risk as a web-based tracking pixel.
How does the March 2024 update to the guidance affect compliance?
OCR updated the guidance in March 2024, before the court ruling. The update did not substantially change the guidance's positions on tracking technologies. The June 2024 court vacatur superseded portions of both the original and updated guidance regarding unauthenticated pages. Healthcare organizations should focus on the post-vacatur landscape: authenticated pages are clearly covered, unauthenticated pages require case-by-case risk assessment, and server-side architecture is the safest approach regardless.
The December 2022 OCR guidance reshaped how healthcare organizations think about marketing technology, even after the partial court vacatur. The enforcement cases it catalyzed continue to produce settlements, and state privacy laws are filling any gaps the court ruling created. If your organization needs to evaluate its tracking technology compliance in the current regulatory environment, Ours Privacy provides server-side architecture and continuous monitoring built for the post-guidance healthcare landscape.