What Is the OCR? How HHS Enforces HIPAA on Healthcare Marketers

In July 2023, the HHS Office for Civil Rights and the Federal Trade Commission did something unprecedented: they sent joint warning letters to approximately 130 hospital systems and telehealth providers. The letters did not address ransomware attacks, stolen laptops, or insider threats. They addressed tracking pixels, analytics scripts, and marketing technology installed on healthcare websites.

That single action signaled a fundamental shift in how HIPAA enforcement applies to marketing teams. The OCR, the division within the Department of Health and Human Services responsible for enforcing HIPAA, had historically focused on data breaches caused by security failures: lost devices, hacking incidents, unauthorized access by employees. Marketing technology was not on the enforcement radar. Now it is the centerpiece.

The Office for Civil Rights is the federal agency that investigates HIPAA complaints, conducts compliance reviews, and imposes penalties on covered entities and business associates that violate the HIPAA Privacy, Security, and Breach Notification Rules. For healthcare marketing teams, understanding how OCR operates is no longer optional. It is the difference between proactive compliance and learning about OCR through an investigation letter.

How the OCR Became the Enforcement Arm of HIPAA

The OCR was established within HHS to enforce federal civil rights laws, conscience and religious freedom laws, and HIPAA. Its HIPAA enforcement authority covers the Privacy Rule (how PHI can be used and disclosed), the Security Rule (safeguards required for electronic PHI), and the Breach Notification Rule (requirements for reporting breaches).

OCR's enforcement power comes from Section 1176 of the Social Security Act, which authorizes civil monetary penalties for HIPAA violations. The penalty structure is tiered based on the level of culpability.

Tier 1: The covered entity did not know and could not have reasonably known about the violation. Penalties range from $100 to $50,000 per violation.

Tier 2: The violation was due to reasonable cause, not willful neglect. Penalties range from $1,000 to $50,000 per violation.

Tier 3: The violation was due to willful neglect that was corrected within 30 days. Penalties range from $10,000 to $50,000 per violation.

Tier 4: The violation was due to willful neglect that was not corrected. Penalties are $50,000 per violation.

Annual caps for each tier reach up to $1.5 million per violation category per year. And "per violation" can mean per patient affected, per day of violation, or per instance of non-compliance, depending on the circumstances.

For marketing technology that runs continuously across an entire website, collecting data from thousands of visitors daily, the potential violation count is staggering.

The December 2022 Guidance: OCR Draws a Line

OCR's most significant action for healthcare marketing was its December 2022 guidance on tracking technologies. This guidance did not create new law. It clarified how existing HIPAA rules apply to tracking pixels, cookies, session replay tools, and similar technologies on healthcare websites.

The guidance established several key principles.

Tracking technologies on covered entity websites are subject to HIPAA. This includes unauthenticated public-facing pages, not just patient portals. If a covered entity's website uses tracking technologies that collect individually identifiable information combined with health context, HIPAA applies.

IP addresses combined with health-related page visits can constitute PHI. This was the most significant clarification for marketing teams. A visitor who browses a cancer treatment page has generated PHI if their IP address is captured by a tracking tool, because the IP address (identifier) is combined with health context (cancer treatment interest). No login, name, or email address is required.

Tracking technology vendors may be business associates. When a vendor receives PHI through tracking technologies, it may qualify as a business associate under HIPAA. If so, a BAA is required. If the vendor does not sign a BAA (and major ad platforms like Google and Meta do not sign BAAs for their advertising products), the PHI disclosure is unauthorized.

The guidance was updated in March 2024. Portions were vacated by a Texas federal court in June 2024, and OCR withdrew its Fifth Circuit appeal in August 2024. The legal status of specific provisions remains in flux, but the enforcement trajectory is clear: OCR has signaled that marketing technology is within its enforcement scope, and the class action landscape has moved independently of the court challenge.

How OCR Investigations Begin

OCR investigations typically start through one of three channels.

Complaints. Any person can file a HIPAA complaint with OCR. Complaints are filed through OCR's online portal, by mail, or by fax. OCR receives tens of thousands of complaints annually. In the context of marketing technology, complaints may come from patients who discover tracking pixels on a hospital website, security researchers who identify PHI disclosures, or advocacy organizations monitoring healthcare privacy.

Breach notifications. HIPAA requires covered entities to notify OCR of breaches affecting 500 or more individuals within 60 days. When organizations discovered that their tracking pixels had been transmitting PHI to ad platforms, many filed breach notifications. Kaiser Permanente's breach notification covered 13.4 million individuals. Cerebral's breach notification covered 3.2 million. These notifications trigger OCR review.

Compliance reviews. OCR can initiate investigations on its own, without a complaint or breach notification. The July 2023 joint warning letters to 130 organizations were a form of proactive compliance outreach that precedes formal investigation.

Once an investigation begins, OCR has broad authority to request documentation, conduct interviews, and review technical systems. Healthcare organizations must produce policies, procedures, risk assessments, BAAs, and technical documentation showing how data is handled.

OCR and the FTC: A Two-Front Enforcement Landscape

The July 2023 joint warning letters revealed that healthcare marketing teams face enforcement from two federal agencies, not one.

OCR enforces HIPAA against covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. HIPAA penalties and corrective action plans are OCR's tools.

The FTC enforces the Health Breach Notification Rule and Section 5 (unfair or deceptive practices) against entities that handle health data but are not HIPAA-covered entities. This includes telehealth platforms, health apps, and other digital health companies.

Some organizations face both. GoodRx was subject to FTC enforcement under the Health Breach Notification Rule, resulting in $1.5 million in penalties. It also faced a $25 million class action. Cerebral was subject to FTC enforcement that included a ban on using health information for advertising, a $7 million penalty, and a breach notification to HHS.

For healthcare marketing teams, the practical implication is that compliance gaps in marketing technology can trigger federal enforcement from multiple agencies, state attorney general actions (as in the NewYork-Presbyterian case), and class action lawsuits. The enforcement channels are cumulative, not alternative.

What OCR Looks for in Marketing Technology Compliance

Based on the December 2022 guidance, the July 2023 warning letters, and the enforcement patterns that followed, OCR's expectations for healthcare marketing technology compliance include the following.

Inventory of all tracking technologies. OCR expects covered entities to know what tracking technologies are active on their websites, patient portals, and mobile apps. This includes not just tools the marketing team explicitly installed, but also scripts loaded through tag managers, CMS plugins, and third-party tag chains.

BAA coverage for all vendors handling PHI. Any vendor that receives individually identifiable information combined with health context through tracking technologies must have a BAA in place. Vendors that do not sign BAAs should not receive PHI.

Risk assessment that includes marketing technology. HIPAA's Security Rule requires regular risk assessments. OCR expects these assessments to include the risk posed by marketing tracking technologies, not just traditional IT security threats.

Policies for vetting and managing tracking tools. The NYP enforcement highlighted the absence of vetting procedures. OCR expects covered entities to have policies governing how marketing tools are evaluated, approved, deployed, and monitored.

Breach notification when warranted. If tracking technologies have been transmitting PHI to unauthorized third parties, the covered entity may need to issue breach notifications. Multiple health systems filed breach notifications after discovering pixel-related PHI disclosures, including Kaiser (13.4 million affected) and Advocate Aurora (3 million affected).
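The inventory expectation above is easiest to evidence with a repeatable scan. The following is an added example, not code from the article or from any vendor it mentions: it takes a page's HTML, extracts every third-party host loaded by script, image-pixel or iframe tags, and classifies each host against a BAA register. The HTML, hostnames (all under the reserved `.test` domain) and the `BAA_REGISTER` entries are constructed placeholders. It only sees literal `src` attributes, so scripts that a tag manager injects at runtime will not appear; those need a headless-browser crawl on top of this static pass, which is exactly the third-party tag-chain gap the paragraph above calls out.

```javascript
// Added example: static third-party tracker inventory for one HTML page.
// Constructed BAA register: hostname -> whether a signed BAA covers the vendor.
// Hosts are placeholders; populate from your own vendor contracts.
const BAA_REGISTER = {
  "cdp.example-hipaa-cdp.test": true,      // hypothetical BAA-covered CDP
  "analytics.example-vendor.test": false,  // hypothetical vendor that signs no BAA
};

// Tags that pull third-party code or fire pixels, with a literal src attribute.
const TAG_RE = /<(script|img|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// Resolve a (possibly relative) URL against the page and return its host.
function hostOf(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).hostname;
  } catch {
    return null; // malformed src: nothing to inventory
  }
}

// Returns one entry per external host: which tag types load it and whether
// the BAA register says "covered", "no-baa", or "unknown" (not yet vetted).
function inventoryTrackers(html, pageOrigin) {
  const pageHost = new URL(pageOrigin).hostname;
  const seen = new Map();
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const host = hostOf(m[2], pageOrigin);
    if (!host || host === pageHost) continue; // first-party asset, skip
    if (!seen.has(host)) seen.set(host, { host, tags: new Set() });
    seen.get(host).tags.add(tag);
  }
  return [...seen.values()].map((e) => ({
    host: e.host,
    tags: [...e.tags].sort(),
    baa: Object.prototype.hasOwnProperty.call(BAA_REGISTER, e.host)
      ? (BAA_REGISTER[e.host] ? "covered" : "no-baa")
      : "unknown",
  }));
}

// Hosts that must not receive identifiable visitor data as things stand.
function hostsNeedingAction(inventory) {
  return inventory.filter((e) => e.baa !== "covered").map((e) => e.host);
}

// Constructed sample page: one first-party script, three unvetted or
// non-BAA third parties, and one BAA-covered embed.
const SAMPLE_HTML = `
<html><head>
<script src="/static/site.js"></script>
<script src="https://analytics.example-vendor.test/tag.js"></script>
<script async src="https://tags.example-tagmanager.test/loader.js?id=PLACEHOLDER"></script>
</head><body>
<img src="https://pixel.example-adnetwork.test/tr?ev=PageView" height="1" width="1">
<iframe src="https://cdp.example-hipaa-cdp.test/embed"></iframe>
</body></html>`;

const SAMPLE_ORIGIN = "https://hospital.example.test/cancer-care";
console.log(JSON.stringify(inventoryTrackers(SAMPLE_HTML, SAMPLE_ORIGIN), null, 2));
```

Run the scan on a schedule against every public page and portal template and keep each run's output; the diff between runs is the change log OCR asks for when a new tag appears, and the `unknown` bucket is the vetting queue.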

Building an OCR-Ready Marketing Infrastructure

Preparing for potential OCR scrutiny requires both technical and administrative measures.

Replace client-side tracking with [server-side architecture](/learn/what-is-server-side-tracking-a-guide-for-healthcare-marketers). Server-side tracking eliminates the uncontrolled browser-to-third-party data flow that OCR identified as the primary compliance concern. When data flows through your server first, you can filter PHI before it reaches any external system.

Establish BAA coverage for every vendor in the marketing stack. Evaluate every tool that touches website visitor data. If the vendor signs a BAA, ensure the agreement covers all data the tool processes (not just a subset with carve-outs). If the vendor does not sign a BAA, the tool should not receive PHI. A HIPAA-compliant CDP with a comprehensive BAA can serve as the BAA-covered layer between your data and downstream platforms that lack BAA coverage.

Implement continuous website scanning. A web scanner that regularly audits your site for tracking technologies creates the documentation OCR expects: an ongoing inventory of what is running, what data it collects, and where it sends that data. This is evidence of reasonable effort, which affects which penalty tier applies.

Gate data flows on verified consent. Consent management is becoming a core compliance requirement as state health privacy laws expand beyond HIPAA. Server-side consent enforcement demonstrates that your organization takes patient privacy seriously and has the infrastructure to back it up.

Document everything. OCR investigations rely heavily on documentation. Maintain records of your tracking technology inventory, BAA status for each vendor, risk assessments that include marketing technology, and your vetting process for new tools. Organizations that can produce this documentation during an investigation are better positioned than those that cannot.
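The measures above (server-side flow, BAA-scoped vendors, consent gating, and a record of every decision) can be combined in one gateway function. The following is an added example, not code from the article or from Ours Privacy: a server-side routing step that receives a page-view event from the browser, gates it on the visitor's recorded consent, treats an identifier plus a health-context path as PHI in line with the December 2022 guidance, and forwards identifiable data only to vendors with a signed BAA; a non-BAA vendor receives a de-identified event or nothing. The vendor registry, health-context path list, consent store and sample event are constructed placeholders, and the function returns routing decisions rather than making HTTP calls, so the decision log can be kept as the documentation the last step asks for.

```javascript
// Added example: server-side tracking gateway with consent gating and PHI filtering.
// Constructed vendor registry; "baa" marks whether a signed BAA covers the vendor.
const VENDORS = [
  { name: "hipaa-cdp", baa: true, purpose: "analytics" },
  { name: "ad-platform", baa: false, purpose: "advertising" },
];

// Constructed URL path prefixes whose visits carry health context.
// In practice derive this from the CMS taxonomy rather than a hand-kept list.
const HEALTH_CONTEXT_PATHS = ["/cancer-care", "/behavioral-health", "/hiv-services"];

// Fields that make a visitor individually identifiable. IP is included because
// IP address + health-context page visit is treated as PHI by the guidance.
const IDENTIFIER_FIELDS = ["ip", "email", "clientId", "userAgent"];

function stripQuery(path) {
  return path.split("?")[0];
}

function hasHealthContext(path) {
  const p = stripQuery(path);
  return HEALTH_CONTEXT_PATHS.some((h) => p === h || p.startsWith(h + "/"));
}

// Drop every identifier and the query string (which can carry things like
// appointment ids). Health context without an identifier is not PHI.
function deidentify(event) {
  const out = {};
  for (const [k, v] of Object.entries(event)) {
    if (!IDENTIFIER_FIELDS.includes(k)) out[k] = v;
  }
  out.path = stripQuery(event.path);
  return out;
}

// consentStore: Map<clientId, { analytics: boolean, advertising: boolean }>.
// Returns one decision per vendor; the caller performs the outbound calls for
// entries with action "forward" and writes every entry to the audit log.
function routeEvent(event, consentStore) {
  const consent = consentStore.get(event.clientId) || { analytics: false, advertising: false };
  const phi = hasHealthContext(event.path); // identifier present + health context
  return VENDORS.map((v) => {
    if (!consent[v.purpose]) {
      return { vendor: v.name, action: "drop", reason: "no consent for " + v.purpose };
    }
    if (phi && !v.baa) {
      return { vendor: v.name, action: "forward", payload: deidentify(event),
               reason: "health context, no BAA: identifiers removed" };
    }
    return { vendor: v.name, action: "forward", payload: { ...event },
             reason: v.baa ? "BAA covered" : "no health context" };
  });
}

// Constructed consent store and sample event (IP from the documentation range).
const SAMPLE_CONSENT = new Map([["c1", { analytics: true, advertising: true }]]);
const SAMPLE_EVENT = {
  eventName: "page_view",
  path: "/cancer-care/chemotherapy?src=email",
  ip: "203.0.113.9",
  clientId: "c1",
  userAgent: "ExampleBrowser/1.0",
};

console.log(JSON.stringify(routeEvent(SAMPLE_EVENT, SAMPLE_CONSENT), null, 2));
```

The split between `purpose` and `baa` matters: consent answers whether the visitor allowed a use at all, and the BAA answers whether the recipient may see identifiable data. A missing consent record defaults to no consent, so an unknown visitor is dropped everywhere rather than forwarded.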

FAQ

Can OCR investigate a healthcare organization's marketing technology?

Yes. OCR has authority to investigate any aspect of a covered entity's HIPAA compliance, including the use of tracking technologies on websites, patient portals, and mobile apps. The December 2022 guidance and July 2023 warning letters explicitly addressed marketing tracking technology as a compliance concern.

Does OCR enforce against class action lawsuits?

No. OCR handles federal HIPAA enforcement through civil monetary penalties and corrective action plans. Class action lawsuits are private civil litigation brought by affected individuals. However, the same marketing technology violations can trigger both: an OCR investigation and a class action lawsuit. Many recent cases involved both tracks simultaneously.

What triggers an OCR investigation of marketing technology?

Investigations can be triggered by patient complaints, breach notifications filed by the covered entity (which are required when PHI exposure affects 500+ individuals), or OCR's own compliance review initiative. The discovery that tracking pixels were transmitting PHI to ad platforms led multiple health systems to file breach notifications, which in turn triggered OCR review.

How long does an OCR investigation take?

OCR investigations can take months to years. The timeline depends on the complexity of the case, the number of individuals affected, and the organization's cooperation. During this time, OCR can request extensive documentation, conduct interviews, and require technical assessments. Healthcare organizations should not wait for an investigation to begin compliance efforts.

Does OCR distinguish between patient portals and public-facing websites?

The December 2022 guidance addressed both. While patient portals carry higher risk because users are authenticated (making identification certain), OCR clarified that unauthenticated public-facing pages also fall under HIPAA when tracking technologies combine visitor identifiers (like IP addresses) with health context. The compliance obligation applies to all pages maintained by a covered entity, not just authenticated areas.

The OCR has made its position clear: marketing tracking technology on healthcare websites is within its enforcement scope. If your organization is evaluating its marketing infrastructure for HIPAA compliance, Ours Privacy provides the server-side architecture, BAA coverage, and continuous monitoring that demonstrates the compliance posture OCR expects.

Related reading:

  • The December 2022 OCR Guidance on Tracking Technologies: What Changed

  • HIPAA Penalties for Marketing Violations

  • What Is PHI? A Healthcare Marketer's Guide to Protected Health Information

  • What Is the HIPAA Minimum Necessary Standard? Marketing Implications