What Are UTM Parameters and Are They HIPAA Safe?

Most healthcare marketers believe UTM parameters are just metadata: harmless tags appended to URLs that tell analytics tools which campaign, source, and medium drove a visit. They are not patient data. They are not clinical information. They are just tracking strings. This is the most common misconception about UTMs in healthcare, and it is wrong in ways that have contributed to settlements totaling hundreds of millions of dollars.

UTM parameters are safe in isolation. The string ?utm_source=google&utm_medium=cpc&utm_campaign=spring carries no health information by itself. But UTM parameters do not exist in isolation. They exist in URLs. And on healthcare websites, those URLs contain page paths like /services/oncology/schedule-appointment or /mental-health/intake-form. When a UTM string is appended to a health-specific URL and that full URL is captured by an analytics platform, the UTM parameter has become part of a data string that links a campaign source to a health context. If the analytics platform also captures an identifier (IP address, cookie ID, email from a form submission), the combination is PHI.

The misconception that UTMs are "just campaign tags" ignores the environment in which they operate. Correcting it requires understanding what UTM parameters actually do, where the data flows, and why the architecture around them matters more than the parameters themselves.

How UTM Parameters Work (and Where the Data Goes)

UTM parameters are query strings appended to a URL. The five standard parameters are:

  • utm_source: Where the traffic originates (google, facebook, newsletter)

  • utm_medium: The marketing channel (cpc, email, social, organic)

  • utm_campaign: The specific campaign name (spring-checkup, diabetes-awareness-2024)

  • utm_term: The paid search keyword (optional)

  • utm_content: Differentiates ad variations (optional, used for A/B testing)

When a user clicks a link containing UTM parameters, the full URL (including the UTMs) loads in their browser. Here is what happens next in a typical healthcare marketing setup.

Google Analytics captures the full URL. By default, GA records the complete page URL, including query parameters. The UTM values are parsed into campaign dimensions. But the full URL, including the page path, is also stored. This means Google's servers receive both the campaign attribution data and the health context embedded in the page path.

The browser's address bar exposes the URL. Any JavaScript running on the page (analytics scripts, tracking pixels, chat widgets, session replay tools) can read the full URL from window.location. If Meta Pixel is on the page, it captures the URL as part of its page view event. The UTM parameters ride along with the health-specific page path to Meta's servers.

Referrer headers carry UTMs forward. When a user navigates from one page to another on your site, or clicks a link to an external site, the browser may send the referring URL (including UTMs) in the HTTP Referer header. This means the UTM-tagged URL can leak to third parties that the healthcare organization never intended to share data with.

Server logs record everything. Your web server logs the full request URL for every page load. UTM-tagged URLs containing health-specific paths are stored in server access logs, which may be accessible to hosting providers, CDN vendors, and IT staff.

The pattern is clear: UTM parameters travel everywhere the URL travels. On a healthcare website, the URL itself carries health context. UTMs do not create PHI on their own, but they ensure that campaign attribution data is permanently linked to whatever health information the URL contains.

When Campaign Names Become Health Information

The UTM parameters themselves can carry health context, independent of the page URL.

Consider a hospital running a Google Ads campaign for its behavioral health services. The marketing team names the campaign behavioral-health-spring-2024 and uses UTM parameters to track it:

https://hospital.com/schedule?utm_source=google&utm_medium=cpc&utm_campaign=behavioral-health-spring-2024

Even if the landing page (/schedule) is generic, the utm_campaign value contains the health context. When Google Analytics records this visit with the campaign name, IP address, and behavioral data, the campaign name ties the visitor to a behavioral health interest.

This is not a theoretical concern. Monument, an alcohol addiction treatment platform, faced FTC enforcement in 2024 for exactly this pattern. Monument's custom pixel events had descriptive titles like "Paid: Weekly Therapy" and "Paid: Med Management." These names were sent alongside email addresses and IP addresses to Meta. The FTC banned Monument from sharing health data for advertising.

Monument used event names, not UTM parameters. But the mechanism is identical. When you name a campaign, audience, tag, or UTM value with health-specific language, that name becomes part of the data payload sent to every analytics and advertising platform that captures it.
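The two points above (the page path carries health context, and the UTM values themselves can carry it) can be checked mechanically. The following is an added audit helper, not code from the original article: it splits a URL into its path and UTM components and flags which of them contain health-specific terms. The term list, the hyphen/underscore tokenizing rule and the sample URLs are constructed assumptions; a real audit would use the organization's own service-line vocabulary.

```python
"""Audit a UTM-tagged URL for health context in the path and in UTM values.

Added example; not part of the original article. HEALTH_TERMS is a
constructed vocabulary for illustration only.
"""
from urllib.parse import urlsplit, parse_qsl

UTM_KEYS = ("utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content")

# Constructed list of tokens that reveal a health context when they appear in a
# path segment or a campaign label. Real deployments would derive this from the
# organization's own service-line taxonomy.
HEALTH_TERMS = {
    "oncology", "cancer", "mental", "behavioral", "therapy", "diabetes",
    "addiction", "cardiology", "hiv", "pregnancy", "psychiatry", "intake",
}


def _tokens(value):
    """Split 'behavioral-health_spring' style labels into lowercase tokens."""
    return {t for t in value.lower().replace("_", "-").split("-") if t}


def audit_url(url):
    """Report which components of a URL carry health context.

    Returns a dict describing the path, the UTM parameters found, the health
    terms hit in each, and whether UTM attribution is linked to health
    context (the combination the article warns about).
    """
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    utms = {k: v for k, v in query.items() if k in UTM_KEYS}

    path_tokens = {tok for seg in parts.path.split("/") for tok in _tokens(seg)}
    path_hits = sorted(HEALTH_TERMS & path_tokens)

    utm_hits = {}
    for key, value in utms.items():
        hits = HEALTH_TERMS & _tokens(value)
        if hits:
            utm_hits[key] = sorted(hits)

    health_context = bool(path_hits or utm_hits)
    return {
        "path": parts.path,
        "utm": utms,
        "path_health_terms": path_hits,
        "utm_health_terms": utm_hits,
        "health_context": health_context,
        # UTMs are only a problem when they ride along with health context.
        "utm_linked_to_health": bool(utms) and health_context,
    }


# Constructed sample URLs covering the three cases discussed in the text.
SAMPLE_URLS = [
    "https://hospital.com/schedule?utm_source=google&utm_medium=cpc&utm_campaign=behavioral-health-spring-2024",
    "https://hospital.com/services/oncology/schedule-appointment?utm_source=google&utm_medium=cpc&utm_campaign=spring",
    "https://hospital.com/about?utm_source=newsletter&utm_medium=email&utm_campaign=sl04-q2-24",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        report = audit_url(sample)
        print(report["path"], report["utm_linked_to_health"],
              report["path_health_terms"], report["utm_health_terms"])
```

The first sample is flagged purely on the campaign name, the second purely on the path, and the third (a code-based campaign name on a neutral page) is clean, which is the state the later sections of this article aim for.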

The Analytics Pipeline Amplifies the Risk

UTM parameters do not stay in your analytics platform. They flow through your entire marketing technology stack.

Tag managers fire based on URL conditions. If your tag manager has rules that trigger specific tags based on URL parameters or page paths, UTM-tagged health URLs can activate additional tracking that further distributes the data.

CRM and marketing automation platforms ingest UTM data. When a visitor fills out a form, most marketing platforms capture the UTMs from the referring URL and attach them to the contact record. If the form is on a health-specific page or the UTM campaign name carries health context, the CRM now contains a contact record with health information derived from UTMs.

Advertising platforms use UTMs for optimization. Google Ads and Meta use UTM data (alongside their own tracking) to optimize campaign performance. When health-specific UTM values reach these platforms, they become part of the audience signal data that drives ad targeting.

Advocate Aurora Health's $12.25 million settlement illustrates how standard marketing tools create cascading data exposure. Advocate Aurora installed Meta Pixel and Google Analytics on its website and patient portal. These tools captured page URLs, user behavior, and associated campaign data, sending it all to Meta and Google. Approximately 3 million patients were affected over a five-year period.

Using UTM Parameters Safely in Healthcare

UTM parameters are essential for campaign measurement. Eliminating them entirely would leave marketing teams without attribution data. The goal is not to stop using UTMs but to architect data flows so that UTM data never combines with health identifiers in systems that lack proper compliance coverage.

Sanitize campaign names. Use campaign names that carry no health context. Instead of utm_campaign=oncology-awareness-q2, use utm_campaign=service-line-a-q2 or a code-based system (utm_campaign=sl04-q2-24). Establish a naming convention that maps internally to service lines without exposing the health context in the parameter value itself.

Strip UTMs before data reaches third parties. Server-side architecture allows you to capture UTM parameters on your server, store them in your own database for attribution, and then strip them from the URL before any data flows to third-party analytics or advertising platforms. The third party receives the page view event without the campaign attribution data, and your internal systems retain the attribution without sharing it externally.

Use server-side tracking for campaign attribution. Instead of relying on client-side analytics to parse UTMs from the browser URL, capture UTMs server-side at the point of page load. Your server can record the UTM values, associate them with a first-party session identifier, and send sanitized events to analytics platforms. This keeps the full URL (with health context) on your servers while still enabling campaign measurement.

Audit what your analytics platforms actually receive. Review the data flowing to Google Analytics, Meta, and any other platform. Check whether full page URLs (including health-specific paths) are being recorded alongside UTM parameters and user identifiers. A web scanner can help identify which scripts on your site are capturing URL data and where that data is transmitted.

Implement consent-gated tracking. UTM data should only flow to analytics platforms after the visitor has provided consent. Server-side consent gating ensures that no tracking scripts fire, and no UTM-tagged URL data is transmitted, until consent is verified. This is particularly important as state health privacy laws like Washington's My Health My Data Act require affirmative consent before collecting consumer health data.
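The five recommendations above fit together as one server-side handler. What follows is an added illustration, not code from this article or from any vendor's product: a page-view handler that checks campaign names against a code convention, captures UTMs on the server keyed by a first-party session id, keeps the campaign-code-to-service-line mapping internal, and emits a third-party event only after consent, with UTMs stripped and health-specific paths generalized. The campaign-code table, the sensitive path prefixes, the in-memory store and the sample URLs are constructed assumptions.

```python
"""Server-side UTM capture with sanitized third-party events.

Added example; not part of the original article. The code table, path
prefixes and store are constructed stand-ins for real infrastructure.
"""
import re
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

UTM_KEYS = ("utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content")

# Internal mapping from neutral campaign codes to service lines. This table
# lives only on the server; the URL carries the code, never the service line.
CAMPAIGN_CODES = {
    "sl04-q2-24": "oncology",
    "sl07-q2-24": "behavioral-health",
}

# Naming convention enforced for utm_campaign (constructed): sl<NN>-q<N>-<YY>.
CODE_PATTERN = re.compile(r"^sl\d{2}-q[1-4]-\d{2}$")

# Path prefixes that reveal a health context (constructed). Events for these
# paths are generalized before anything leaves the server.
SENSITIVE_PREFIXES = ("/services/", "/mental-health/")


def campaign_code_ok(value):
    """True only for campaign values that follow the code convention and
    are registered in the internal table, so health words never appear."""
    return bool(CODE_PATTERN.match(value or "")) and value in CAMPAIGN_CODES


class AttributionStore:
    """First-party attribution store (in-memory stand-in for a database)."""

    def __init__(self):
        self.sessions = {}

    def record(self, session_id, utms, path):
        entry = self.sessions.setdefault(
            session_id, {"utm": {}, "service_line": None, "pages": []})
        if utms:  # a fresh campaign click overwrites earlier attribution
            entry["utm"] = dict(utms)
            entry["service_line"] = CAMPAIGN_CODES.get(utms.get("utm_campaign"))
        entry["pages"].append(path)
        return entry


def split_utms(url):
    """Separate UTM pairs from the rest of the query string."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    utms = {k: v for k, v in pairs if k in UTM_KEYS}
    rest = [(k, v) for k, v in pairs if k not in UTM_KEYS]
    return parts, utms, rest


def generalize_path(path):
    """Replace a health-specific path with its section only."""
    for prefix in SENSITIVE_PREFIXES:
        if path.startswith(prefix):
            return prefix + "redacted"
    return path


def handle_page_view(store, url, session_id=None, consent=False):
    """Process one request. Returns (session_id, third_party_event).

    Attribution is always recorded first-party. The third-party event is
    None until consent is verified; when sent, it contains no UTM values and
    no health-specific path segment.
    """
    session_id = session_id or secrets.token_hex(8)
    parts, utms, rest = split_utms(url)
    store.record(session_id, utms, parts.path)
    if not consent:
        return session_id, None
    sanitized_url = urlunsplit(
        (parts.scheme, parts.netloc, generalize_path(parts.path), urlencode(rest), ""))
    event = {"event": "page_view", "session": session_id, "url": sanitized_url}
    return session_id, event


if __name__ == "__main__":
    store = AttributionStore()
    sid, ev = handle_page_view(
        store,
        "https://hospital.com/services/oncology/schedule-appointment"
        "?utm_source=google&utm_medium=cpc&utm_campaign=sl04-q2-24",
        consent=True)
    print("internal:", store.sessions[sid])
    print("third party sees:", ev)
```

The third party receives a session id and a generalized URL such as https://hospital.com/services/redacted; the full path and the campaign code stay in the first-party store, where the code resolves to a service line for internal reporting. The campaign_code_ok check is the place to reject a campaign value like oncology-awareness-q2 before it ever appears in a link.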

FAQ

Are UTM parameters themselves PHI?

UTM parameters are not inherently PHI. They become part of PHI when they are combined with identifiers (IP addresses, email addresses, cookie IDs) and health context (health-specific page URLs, health-related campaign names). The parameters are the vehicle; the combination with identifiers and health context is what creates PHI.

Can I use UTM parameters on healthcare landing pages?

Yes, but with precautions. If the landing page URL contains health-specific paths, the UTM parameters will be captured alongside that health context by any analytics tool on the page. Use server-side architecture to capture UTMs before they reach third-party tools, sanitize campaign names to remove health context, and ensure any platform receiving the data has a BAA.

Should I stop using campaign names that reference health conditions?

Yes. Replace health-specific campaign names with codes or generic labels that do not reveal the health context. Maintain a separate internal mapping document that connects codes to service lines. This prevents campaign names from becoming health data when they are captured by analytics and advertising platforms.

Do UTM parameters affect HIPAA compliance if I am using server-side tracking?

Server-side tracking significantly reduces UTM-related compliance risk because you control what data reaches each vendor. You can capture UTMs on your server, use them for internal attribution, and strip them (or the health-specific page path) before sending events to third parties. The key is ensuring that the full UTM-tagged URL, including health context, never reaches a platform without a BAA.

What about UTM parameters in email campaigns to patients?

UTM-tagged links in patient emails create a direct connection between a known individual (email recipient) and whatever health context the URL and campaign name contain. When the patient clicks the link, the full URL loads in their browser and is captured by every analytics tool on the landing page. Use server-side link tracking, sanitize campaign names, and ensure that click-through data is processed through BAA-covered infrastructure.

UTM parameters are a fundamental part of marketing measurement. In healthcare, they require the same compliance attention as any other data element that can connect individuals to health information. If your organization needs campaign attribution that works within HIPAA and state privacy law requirements, Ours Privacy provides server-side tracking infrastructure that captures UTM data without exposing health context to third parties.
