What Is Server-Side Tracking? A Guide for Healthcare Marketers
Client-side tracking loads JavaScript in the patient's browser. That JavaScript collects data and sends it directly to a third-party server. The healthcare organization never touches the data in transit.
Server-side tracking collects data on your own server first. Your server decides what to forward, to whom, and under what conditions. The patient's browser never communicates with any third party.
That is the entire distinction. And it is the architectural difference behind every major healthcare tracking enforcement case of the past three years. Every organization that paid settlements, from Kaiser Permanente's $47.5 million to GoodRx's $25 million to the dozens of class actions that followed, used client-side tracking. The data flowed from the patient's browser to third-party servers without passing through any system the healthcare organization controlled. No filter. No review. No ability to stop PHI from leaving.
Server-side tracking does not make compliance automatic. But it makes compliance possible by giving the healthcare organization a point of control over data before it reaches external systems.
Two Architectures, Two Outcomes: A Side-by-Side Comparison
The easiest way to understand server-side tracking is to compare what happens in each architecture when a patient visits a cardiology page and submits an appointment request form.
Client-side architecture
The patient loads the cardiology services page. The page's HTML includes JavaScript tags from Google Analytics, Meta Pixel, and a chat widget.
Each third-party script executes in the patient's browser. Google Analytics collects the page URL (
/services/cardiology), the patient's IP address, device information, and browsing behavior. Meta Pixel captures the same data plus any Facebook cookies. The chat widget loads its own tracking code.Each script sends its collected data directly to the respective third party's servers. Google, Meta, and the chat provider each receive the patient's identifier combined with health-related browsing behavior.
The patient fills out the appointment form and clicks submit. Meta Pixel fires a "Lead" conversion event that includes the page URL, IP address, and potentially the form field values. Google Analytics records the form submission event.
The healthcare organization has no visibility into what data each script collected or sent. The data is already on third-party servers.
This is the pattern that drove Advocate Aurora Health's $12.25 million settlement. Meta Pixel and Google Analytics ran on the health system's website, app, and patient portal from 2017 to 2022, exposing data of 3 million patients.
Server-side architecture
The patient loads the cardiology services page. The page contains no third-party JavaScript. A lightweight first-party script (served from your domain) collects the page view event.
The page view event is sent to your server, not to any third party. Your server receives the full event: page URL, session identifier, timestamp, and user agent.
Your server evaluates the event against your data governance rules. It checks consent status. It strips or replaces any identifiers (IP address, device fingerprint). It removes health-specific URL parameters. It determines which downstream systems should receive the event and in what form.
Your server sends sanitized event data to Google Analytics (via Measurement Protocol) and to Meta (via Conversion API). The events contain only what your governance rules permit: a generic page view event, no patient identifiers, no health-specific context.
The patient submits the appointment form. Your server receives the submission, processes it for your CRM, and sends a sanitized conversion event to ad platforms. The conversion signal confirms an action occurred without revealing who performed it or what health service was requested.
The patient's browser communicated only with your domain throughout the entire session. No third-party code executed in the browser. No data traveled directly from the patient to Google, Meta, or any other platform.
Why the Browser Is the Wrong Place for Healthcare Data
The fundamental problem with client-side tracking is not the tools themselves. It is the location where data processing occurs: the patient's browser.
You cannot filter what you do not control. In client-side tracking, the third-party JavaScript decides what to collect. Google Analytics collects what Google designed it to collect. Meta Pixel collects what Meta designed it to collect. You can configure some parameters, but the core data collection behavior is determined by the vendor, runs in the patient's browser, and sends data before you can intervene.
Third-party scripts load other scripts. Tag chaining is a well-documented phenomenon. One script loads another, which loads another. A healthcare organization that installed three marketing tags might find fifteen scripts running on their site, each collecting data and sending it to different servers. NewYork-Presbyterian Hospital's enforcement by the NY Attorney General found that the hospital had no internal policies or procedures for vetting tracking tools before deployment. The scripts accumulated over six years.
Browser-based consent checks are unreliable. Cookie consent banners operate in the same browser environment as the tracking scripts they are supposed to control. Race conditions, script loading order, ad blocker interference, and browser-specific behavior can cause tracking scripts to fire before consent is evaluated. Server-side consent enforcement operates on your server, where you control the execution environment.
Client-side tracking is visible and targetable. Every tracking pixel, analytics script, and marketing tag loaded client-side is visible in the browser's developer tools, in page source code, and in network traffic logs. This visibility is what enables class action attorneys and regulators to identify violations. Server-side tracking from a first-party domain is indistinguishable from your own website's normal operation.
Components of a Healthcare Server-Side Stack
A complete server-side tracking implementation for healthcare includes several components working together.
First-party data collection. A lightweight script served from your own domain (not a third-party CDN) collects events in the browser and sends them to your server. Custom domains and server-set cookies mean all data collection looks like, and technically is, first-party activity. No third-party domains, no third-party cookies, no vendor fingerprint in page source.
Server-side event processing. Your server (or a HIPAA-compliant CDP acting as your server) receives events and applies data governance rules. This includes consent verification, identifier management, PHI stripping, and event sanitization. The processing happens before any data is forwarded to external systems.
Server-to-server API integrations. Sanitized events are sent to downstream platforms through their server-side APIs: Meta Conversion API, Google Measurement Protocol, LinkedIn Conversions API, TikTok Events API. Each integration receives only the data your governance rules permit.
Consent management. Consent preferences are stored and evaluated server-side. When a visitor sets consent preferences through a consent banner, those preferences are recorded on your server. Every subsequent event from that visitor is evaluated against their consent preferences before any downstream forwarding occurs. This is consent-gated dispatch: data only flows to destinations after consent is verified server-side.
Continuous monitoring. Even with server-side architecture in place, marketing teams can inadvertently reintroduce client-side tracking. A new CMS plugin might include a tracking script. A marketing team member might paste a pixel snippet into a landing page template. A web scanner continuously monitors your site for unauthorized scripts, cookies, and tracking endpoints, catching violations before they become multi-year exposures.
What Server-Side Tracking Does Not Solve
Server-side tracking eliminates the uncontrolled browser-to-third-party data flow, but it is not a complete compliance solution on its own.
You still need BAAs. The platforms receiving your server-side data (Google, Meta, analytics tools, CRM systems) may still need BAAs depending on what data you send them. If you are forwarding any individually identifiable data with health context, the receiving platform is handling PHI. Major advertising platforms do not sign BAAs for their ad products, which is why server-side implementations must strip identifiers and health context before forwarding.
You still need SOC 2 coverage. The server-side infrastructure processing your data must itself be compliant. A HIPAA-compliant CDP with SOC 2 Type II certification across all five trust criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) provides the audit assurance that your data processing layer meets healthcare standards.
Architecture does not replace governance. Server-side tracking gives you the ability to control data flows. Governance ensures you actually exercise that control correctly. Your organization needs policies for what data can be forwarded, who can modify tracking configurations, how new marketing tools are evaluated, and how consent preferences are managed.
FAQ
Is server-side tracking the same as server-side tagging?
Server-side tagging (like Google's server-side GTM) is one specific implementation of server-side tracking. It moves Google Tag Manager processing from the browser to a cloud server container. Broader server-side tracking implementations, like those built on a HIPAA-compliant CDP, go further by centralizing all data collection and routing through a compliant infrastructure with BAA coverage, consent gating, and PHI filtering. Server-side GTM alone does not provide BAA coverage or healthcare-specific data governance.
Does server-side tracking affect website performance?
Server-side tracking typically improves website performance because it removes third-party JavaScript from the browser. Fewer scripts means faster page loads, reduced CPU usage on the visitor's device, and fewer render-blocking requests. Pages load the first-party collection script from your own domain, which is faster and more reliable than loading scripts from multiple third-party CDNs.
Can server-side tracking still measure ad campaign performance?
Yes. Server-side conversion APIs from Meta, Google, TikTok, and LinkedIn provide campaign attribution and optimization data. The measurement mechanics are comparable to pixel-based tracking. The difference is that your server controls what data reaches the ad platform, allowing you to strip identifiers and health context before the data leaves your environment. Some match rate reduction may occur without user-level identifiers, but aggregate and modeled attribution remain effective.
How long does it take to implement server-side tracking?
Implementation timelines vary based on the approach. A HIPAA-compliant CDP with pre-built server-side integrations can be operational in days to weeks. Building a custom server-side infrastructure with your own server containers, API integrations, and data governance logic can take months. For healthcare organizations with active compliance exposure from client-side tracking, the fastest path is usually a CDP that handles the infrastructure and governance out of the box.
Do we need to keep any client-side tracking at all?
A minimal first-party script that sends data to your own server is technically client-side code, but it is fundamentally different from third-party tracking pixels. This first-party script communicates only with your domain. It loads no third-party code. It sets no third-party cookies. It is the data collection mechanism for your server-side infrastructure. Beyond this first-party script, no client-side tracking from third-party vendors should remain on a healthcare site.
Server-side tracking is the architectural foundation that makes healthcare marketing compliance achievable. If your organization is still running client-side tracking on healthcare pages, Ours Privacy provides the server-side infrastructure, BAA coverage, and continuous monitoring to make the transition.
Related reading:
Server-Side vs Client-Side Tracking: Why Healthcare Can't Use Pixels Anymore
What Is a Tracking Pixel? Why Healthcare Websites Should Remove Theirs
What Is Conversion API (CAPI)? Healthcare Implementation Explained
Client-Side vs Server-Side Analytics: The Healthcare Decision
Continue Learning
Explore more HIPAA compliance resources for healthcare marketers.
Tool Compliance Reviews
Find out which marketing tools are HIPAA compliant and which ones put your organization at risk.
Server-Side TrackingServer-Side Tracking Guides
Replace risky client-side pixels with secure, compliant data collection that protects patient privacy.
Advertising Platform Guides
Step-by-step guides for running compliant healthcare campaigns on Google, Meta, TikTok, and more.
GlossaryHealthcare Marketing Glossary
Clear definitions for healthcare marketing, privacy, and compliance terms explained for marketing teams.