What Is a Tracking Pixel? Why Healthcare Websites Should Remove Theirs
In 2024, Kaiser Permanente agreed to a $47.5 million settlement after tracking code on its websites, patient portals, and mobile apps transmitted health information to Google, Microsoft, Meta, and X for seven years. The tracking affected 13.4 million members across nine states. The data included search terms, medical histories, and communications with healthcare professionals. None of it was supposed to leave Kaiser's systems. All of it was collected by standard tracking pixels doing exactly what they were designed to do.
Kaiser is not an outlier. It is the largest example of a pattern that has now generated over $193 million in combined enforcement actions and settlements. Every major case involved the same technology: tracking pixels. And in every case, the pixels were installed intentionally by marketing teams who believed they were using standard, safe tools.
How a 1x1 Image Became Healthcare's Biggest Liability
A tracking pixel is a small piece of code, typically a snippet of JavaScript, that a website loads from a third-party server. Despite the name, modern tracking pixels do far more than load a tiny image. When a visitor arrives on a page containing a tracking pixel, the code executes in the visitor's browser and sends data back to the third party that owns the pixel.
The data a tracking pixel collects typically includes the visitor's IP address, browser type and version, device information, the URL of the page being viewed, a timestamp, and any cookies the third party has previously set. More advanced pixels, like Meta Pixel, can also capture form field inputs, button clicks, page scroll depth, and custom conversion events configured by the site owner.
Here is what matters for healthcare: all of this data collection happens in the visitor's browser. The healthcare organization's servers never see, filter, or control the data before it reaches the third party. The pixel establishes a direct connection between the patient's browser and the third party's servers. The healthcare organization is, architecturally, a bystander to its own data flow.
On a retail website, this is routine marketing infrastructure. On a healthcare website, it creates protected health information. When an identifiable visitor (identified by IP address, device fingerprint, or logged-in status) views a page about oncology services, books a cardiology appointment, or searches for mental health resources, the tracking pixel transmits that health context alongside the visitor's identity to a third-party server. That combination is PHI under HIPAA.
The Anatomy of a Pixel-Driven Breach
Understanding why tracking pixels are so dangerous in healthcare requires tracing what happens in the seconds after a page loads.
Step 1: The page loads and the pixel fires. A patient visits your orthopedic services page. The Meta Pixel, installed in your site's header, executes JavaScript in the patient's browser.
Step 2: The browser sends data to Meta. The pixel transmits the page URL (/services/orthopedics/knee-replacement), the visitor's IP address, their Facebook cookie (if they are logged into Facebook in another tab), their browser fingerprint, and any custom events you have configured (like "Schedule Appointment" button clicks).
Step 3: Meta matches the visitor to a profile. Using the Facebook cookie or other identifiers, Meta connects this healthcare browsing behavior to a real person in its advertising system. Meta now knows that this specific individual is researching knee replacement surgery.
Step 4: The data persists in Meta's systems. This information feeds ad targeting, lookalike audience creation, and Meta's advertising algorithms. The healthcare organization cannot retrieve, delete, or control this data once it has been transmitted.
Step 5: Repeat across every page, every visitor, every day. The pixel runs continuously. It does not distinguish between a general visitor and a patient. It does not evaluate whether the page content involves health information. It collects everything and sends it all.
This is not a theoretical risk. This is precisely what happened at Advocate Aurora Health, where Meta Pixel and Google Analytics ran on websites, apps, and the patient portal from 2017 to 2022, exposing data of approximately 3 million patients.
Why Cookie Banners Do Not Fix the Problem
Many healthcare organizations respond to pixel concerns by adding a cookie consent banner. The logic seems sound: ask visitors for permission before loading tracking pixels, and the compliance problem disappears.
In practice, this approach fails for several reasons.
First, most cookie banners are implemented client-side, meaning the consent logic runs in the same browser environment as the pixels. Race conditions, ad blockers, script loading order, and browser behavior can cause pixels to fire before consent is evaluated. A pixel that loads 200 milliseconds before the consent check completes has already transmitted data.
Second, HIPAA consent and cookie consent are different legal frameworks. A cookie banner that complies with GDPR or state privacy laws does not constitute HIPAA authorization. The regulatory requirements are distinct, and satisfying one does not satisfy the other.
Third, consent does not address the architectural problem. Even with consent, a tracking pixel still sends data through the visitor's browser to a third-party server. The healthcare organization still has no control over what data is collected, no ability to filter PHI, and no visibility into what the third party does with the data after receipt. Consent changes the legal basis for data collection. It does not change the data flow.
The Regulatory Response to Healthcare Pixel Tracking
The enforcement landscape has responded directly to healthcare pixel tracking.
In December 2022, the HHS Office for Civil Rights (OCR) issued guidance on tracking technologies, clarifying that HIPAA-regulated entities may not use tracking pixels, cookies, session replay, or fingerprinting in ways that disclose PHI to tracking technology vendors. The guidance specified that even IP addresses on unauthenticated public pages could constitute PHI when combined with health context.
In July 2023, OCR and the FTC sent joint warning letters to approximately 130 hospital systems and telehealth providers specifically about tracking technology risks.
The enforcement actions followed. GoodRx paid $1.5 million to the FTC plus $25 million in a class action after its Meta Pixel and Google tracking pixels shared prescription drug names, health conditions, and personal identifiers with advertising platforms. It was the first enforcement under the FTC's Health Breach Notification Rule.
Across 15 major cases from 2023 to 2025, every single one involved tracking pixels or similar client-side tracking technologies. No case involved a sophisticated cyberattack. All were self-inflicted through routine marketing technology.
Replacing Pixels with Server-Side Architecture
Removing tracking pixels does not mean abandoning marketing measurement. It means replacing an architecture that cannot be secured with one that can.
Server-side tracking moves data collection from the visitor's browser to your own servers. Instead of a pixel establishing a direct connection between the patient's browser and Meta's servers, your server collects the event data, strips or transforms any PHI, and forwards only compliant data to the destination through a server-to-server API like Meta's Conversions API or Google's server-side tagging.
This architectural shift changes the compliance equation fundamentally.
Control over data before it leaves. Your server decides what data to forward. You can strip IP addresses, remove health-specific URL parameters, and prevent any PHI from reaching the destination. With a pixel, this filtering is impossible because the data goes directly from the browser.
No third-party code in the browser. When tracking runs server-side, no third-party JavaScript executes in the visitor's browser. There are no third-party cookies, no browser fingerprinting, and no direct connections to advertising platforms. The visitor's browser communicates only with your domain.
Consent enforcement at the server level. Server-side architecture allows you to verify consent before any data is forwarded to any destination. This enforcement happens on your server, not in the browser, so it cannot be circumvented by script loading order or client-side race conditions.
Auditability. Server-side data flows produce logs. You can audit exactly what data was sent to each destination, when, and under what consent conditions. Pixel-based tracking produces no such audit trail on your side.
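The four properties above can be seen together in a small server-side filter. This is an added example, not code from the original article or from any vendor: the field names, destination names, consent purposes, and path categories are all hypothetical, and the function only prepares the payload rather than calling a real conversion API.

```python
import json
from urllib.parse import urlsplit

# Hypothetical policy: which consent purpose each destination requires.
DESTINATION_PURPOSE = {"ads_platform": "advertising", "analytics": "analytics"}
# Hypothetical allowlist of fields that may leave the server.
FORWARDABLE_FIELDS = {"event_name", "timestamp", "page_category"}
# Hypothetical mapping of URL path prefixes to coarse, non-health categories.
PATH_CATEGORIES = {"/services/": "services", "/locations/": "locations", "/blog/": "content"}

def coarse_category(url):
    """Reduce a URL to a coarse category; the specific path and query are dropped."""
    path = urlsplit(url).path
    for prefix, category in PATH_CATEGORIES.items():
        if path.startswith(prefix):
            return category
    return "other"

def prepare_event(raw, destination, audit_log):
    """Return the payload to forward, or None without consent. Always writes an audit record."""
    purpose = DESTINATION_PURPOSE.get(destination)
    allowed = purpose is not None and purpose in raw.get("consent", [])
    payload = None
    if allowed:
        enriched = dict(raw, page_category=coarse_category(raw.get("url", "")))
        payload = {k: v for k, v in enriched.items() if k in FORWARDABLE_FIELDS}
    audit_log.append(json.dumps({  # field names only, never the dropped values
        "destination": destination,
        "allowed": allowed,
        "fields_sent": sorted(payload) if payload else [],
        "fields_dropped": sorted(set(raw) - set(payload or {})),
        "timestamp": raw.get("timestamp"),
    }))
    return payload

# Constructed sample event, as a first-party collector might receive it.
SAMPLE_EVENT = {
    "event_name": "schedule_appointment_click",
    "timestamp": "2025-01-15T14:03:22Z",
    "url": "https://example-health.test/services/orthopedics/knee-replacement?ref=email",
    "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0",
    "consent": ["analytics"],
}

if __name__ == "__main__":
    log = []
    print(prepare_event(SAMPLE_EVENT, "analytics", log), log)
```

Because the filter is an allowlist, a new field added to the collector is dropped by default until someone decides it is safe to forward.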
Scanning for Pixels You Forgot About
One of the most dangerous aspects of tracking pixels is that they accumulate invisibly. A developer adds a pixel during a campaign launch. A WordPress plugin includes tracking code in its update. A third-party script loads additional scripts through tag chaining. Over time, healthcare websites accumulate pixels that no one on the current team installed or knows about.
Continuous web scanning addresses this blind spot. A scanner crawls your site on an ongoing basis and detects every cookie, script, localStorage entry, and tracking pixel on every page. It identifies which scripts send data to third parties, which lack BAA coverage, and which are loading additional scripts through tag chains. In the Kaiser case, tracking code ran for seven years. In the Advocate Aurora case, five years. In every case, the pixels were discovered after the damage was done.
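A minimal static version of such a scan, as an added example that is not from the original article or any scanning product: it parses one page's HTML and reports scripts, images, and iframes loaded from hosts other than your own and not on an approved list. The host names, the sample HTML, and the approved list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose src attribute makes the browser contact another host on page load.
LOADING_TAGS = {"script", "img", "iframe"}

class ThirdPartyFinder(HTMLParser):
    """Collect (tag, host) pairs for resources loaded from hosts other than our own."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get("src") if tag in LOADING_TAGS else None
        if not url:
            return
        # Relative URLs have no host and are first-party by definition.
        host = (urlsplit(url).hostname or "").lower()
        if host and host != self.first_party and not host.endswith("." + self.first_party):
            self.findings.append((tag, host))

def scan_page(html, first_party_host, approved_hosts=()):
    """Return third-party loads not on the approved list (e.g. vendors under a BAA)."""
    finder = ThirdPartyFinder(first_party_host)
    finder.feed(html)
    return [f for f in finder.findings if f[1] not in approved_hosts]

# Constructed sample page: one pixel script, its <noscript> image fallback,
# one approved vendor widget, and first-party assets.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-health.test/ui.js"></script>
<script async src="https://pixel.adnetwork.example/events.js"></script>
<script src="//scheduling.vendor.example/widget.js"></script>
</head><body>
<noscript><img height="1" width="1"
  src="https://pixel.adnetwork.example/tr?ev=PageView"></noscript>
</body></html>
"""

if __name__ == "__main__":
    for tag, host in scan_page(SAMPLE_HTML, "example-health.test",
                               approved_hosts={"scheduling.vendor.example"}):
        print(f"unapproved third-party {tag}: {host}")
```

A static parse only sees tags present in the delivered HTML. Scripts injected at runtime through tag chains do not appear here; finding those requires loading the page in a headless browser and recording the network requests it makes.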
FAQ
What is the difference between a tracking pixel and a cookie?
A tracking pixel is code that executes in the browser and sends data to a third-party server. A cookie is a small data file stored in the browser that persists across visits. Tracking pixels often set and read cookies to identify returning visitors. In healthcare, both create compliance risk, but the pixel is the active mechanism that transmits data to third parties. Removing the pixel stops the data transmission; removing only the cookie does not.
Can we keep tracking pixels if we sign a BAA with the vendor?
Major advertising platforms like Meta and Google do not sign BAAs for their advertising and analytics products. Even if a vendor does sign a BAA, the client-side architecture of pixels means data flows through the visitor's browser before reaching the vendor's servers. The exposure happens in transit, outside the scope of any BAA. Server-side architecture is necessary to control data before it leaves your environment.
Do tracking pixels on unauthenticated pages create HIPAA risk?
Yes. The December 2022 OCR guidance clarified that even on unauthenticated public-facing pages, the combination of an IP address with health-related page content (like a specific condition or service page) can constitute PHI. A visitor does not need to be logged in for tracking pixel data to qualify as protected health information.
How do we measure ad campaign performance without pixels?
Server-side conversion APIs from Meta, Google, and other platforms provide the same measurement capabilities as pixels. Instead of the browser sending conversion data directly to the ad platform, your server sends it through an API. This gives you the ability to filter, transform, or redact data before it reaches the platform. A HIPAA-compliant CDP can automate this process across multiple ad platforms simultaneously.
How quickly should we remove tracking pixels from our healthcare website?
Immediately. Every day a non-compliant pixel runs is another day of data exposure and potential liability. Start by scanning your site to identify all active pixels, then remove them and replace measurement with server-side alternatives. The enforcement cases make clear that regulators view extended exposure windows as an aggravating factor, not a defense.
Tracking pixels are not a configuration problem. They are an architectural liability that cannot be patched with consent banners or policy adjustments. If your healthcare website still uses client-side tracking pixels, Ours Privacy provides the server-side infrastructure to replace them while preserving the marketing measurement your team needs.