Why Healthcare Websites Face Unique Cookie Consent Challenges
Most industries can treat cookie consent as a GDPR or ePrivacy problem. Healthcare doesn't have that luxury. A hospital website that drops a Meta Pixel on its appointment scheduling page is potentially disclosing protected health information to a social media company. A telehealth app that fires Google Analytics on its symptom checker is creating a record that ties a real person's IP address to a specific medical condition.
Between 2023 and 2025, the FTC levied millions in penalties against digital health companies for sharing user health data with advertising platforms through tracking pixels. Hospitals have paid tens of millions in class action settlements for the same practice. And state health data privacy laws, led by Washington's My Health My Data Act, have created consent obligations that go beyond what GDPR requires.
HIPAA and Website Tracking: What the Law Actually Says
A critical distinction most articles get wrong: HIPAA itself doesn't regulate cookies. HIPAA governs how covered entities (hospitals, health plans, clearinghouses) and their business associates handle protected health information (PHI). The question is when website tracking data becomes PHI.
In December 2022, HHS's Office for Civil Rights (OCR) issued a bulletin on tracking technologies taking an expansive position: if a covered entity's website collects a visitor's IP address alongside their visit to a page about a specific health condition, that combination constitutes individually identifiable health information and HIPAA applies. This meant a hospital running Google Analytics on its cardiology department page was, in OCR's view, creating PHI every time someone visited.
The American Hospital Association challenged this in federal court. In June 2024, the court in AHA v. Becerra vacated the portion of the bulletin treating IP addresses collected on unauthenticated public-facing pages as PHI. HHS initially filed an appeal, then withdrew it in August 2024.
What remains in effect after AHA v. Becerra:
- Authenticated pages are still covered. Patient portals, logged-in appointment scheduling, medical record access: on any page where tracking technology associates browsing activity with a known patient, that tracking creates PHI. Tracking pixels on these pages require HIPAA-compliant handling, including a business associate agreement with the tracking vendor.
- Intentional data collection still applies. If a covered entity actively collects and transmits health information through tracking technologies, HIPAA obligations apply regardless of authentication status.
- State laws fill the gap. Where HIPAA doesn't reach, state health data privacy laws impose their own consent requirements.
FTC Enforcement: When Health Apps Share Data with Ad Platforms
Here's the jurisdictional split that matters: HIPAA is enforced by HHS/OCR against covered entities. Many digital health companies (telehealth apps, mental health platforms, prescription services) aren't HIPAA-covered entities. They fall under the FTC's authority instead, specifically Section 5 of the FTC Act and the Health Breach Notification Rule.
Between 2023 and 2024, the FTC brought four landmark enforcement actions:
- GoodRx ($1.5 million, February 2023): shared users' prescription medications and health conditions with Facebook, Google, and Criteo through tracking pixels. The FTC's first enforcement action under the Health Breach Notification Rule.
- BetterHelp ($7.8 million, March 2023): shared users' sensitive mental health information, including that they'd sought therapy, with Facebook, Snapchat, and Pinterest for advertising.
- Cerebral ($7 million, April 2024): disclosed health data of nearly 3.2 million consumers to LinkedIn, Snapchat, and TikTok through pixels embedded in its website and apps.
- Monument ($2.5 million suspended, April 2024): shared alcohol addiction treatment data with Meta and Google for advertising without consent.
The pattern was identical in every case: standard advertising pixels on pages where users entered health information, transmitting that data to ad platforms. None of these companies had HIPAA obligations. The FTC reached them through consumer protection law.
Meta Pixel on Healthcare Sites and the "No Tracking" Movement
While the FTC pursued digital health startups, hospitals faced class action lawsuits from patients. Hospitals installed Meta Pixel on pages where patients entered health information, and the pixel transmitted that data to Meta without consent. The settlements have been substantial:
- Advocate Aurora Health: $12.225 million (approved July 2024). Tracking tools on its website, patient portal, and scheduling app captured appointment details and health insurance data from approximately 2.5 million individuals.
- Novant Health: $6.6 million (2024). Meta Pixel disclosed the health information of approximately 1.3 million patients.
- Duke Health: $3.7 million. Another Meta Pixel settlement for unauthorized PHI disclosures.
The root cause was always the same: marketing teams installed pixels using the e-commerce playbook of dropping the pixel in the global header and configuring conversion events. Nobody asked whether the patient portal or cardiology scheduling page should be excluded.
These incidents have driven a growing "no tracking pixel" movement in healthcare. The math is simple: the marketing value of Meta Pixel (better ad targeting, retargeting) is modest for most hospital systems; the downside risk is a multi-million-dollar settlement and reputational damage to a trust-dependent organization. Many healthcare organizations now run "necessary cookies only" policies: no analytics pixels, no advertising tags, no social widgets.
Google Analytics on Healthcare Sites: When Analytics Becomes PHI
GA4 presents a more nuanced challenge than advertising pixels. On a healthcare site, "website traffic" means a record of which visitors viewed which condition pages, booked which appointments, and accessed which parts of the patient portal.
Post-AHA v. Becerra, the legal status depends on authentication. On unauthenticated pages (condition descriptions, provider directories), GA4 is legally defensible, though state health data laws may still apply. On authenticated pages (patient portals, logged-in scheduling), GA4 collects data tied to an identified patient. This is PHI. Google doesn't sign BAAs for GA4, so running GA4 behind a patient login is an unauthorized PHI disclosure.
Even on public pages, GA4 creates underappreciated risks: cross-device tracking can correlate hospital visits with Google profiles; Google Signals (on by default until its June 2026 removal) linked GA4 data to Google accounts for remarketing audiences; and data stored on Google's servers is processed under Google's terms with limited healthcare-side control.
The safest position: use GA4 only on public marketing pages with data sharing minimized. Block it entirely behind authentication. For deeper analytics, move to server-side or self-hosted solutions.
State Health Data Privacy Laws
Even where HIPAA doesn't reach, a new generation of state laws specifically targets health-related data collected online.
Washington's My Health My Data Act (MHMDA), effective March 31, 2024, is the most significant. It covers any data reasonably linkable to a consumer that relates to their health, including inferred data. A search for "cardiologist near me" on a hospital website could qualify. The law requires opt-in consent for collection and sharing, applies extraterritorially to any entity collecting health data from Washington residents, and critically provides a private right of action, meaning consumers can sue directly without waiting for the attorney general.
Nevada enacted its own Consumer Health Data Privacy Law, also effective March 31, 2024, largely mirroring Washington's MHMDA but without the private right of action. Connecticut included health data protections in its comprehensive privacy law. The trend is accelerating.
These laws create consent obligations independent of HIPAA. Even if a healthcare website isn't operated by a covered entity, and even if the data doesn't meet the HIPAA definition of PHI, affirmative consent may be required before collecting health-related data through cookies. The MHMDA's private right of action makes this especially high-stakes.
What Cookies Are Safe, and How to Handle Patient Portals
Generally safe without consent: session cookies for login state, authentication tokens, CSRF protection tokens, load balancing cookies, consent preference cookies, and language/accessibility preferences. These don't track behavior or transmit data to third parties.
Requires careful consent handling: first-party analytics (self-hosted Matomo, Plausible, or server-side measurement), which is less risky than third-party analytics but may still require consent under GDPR/ePrivacy and state health data laws. Session replay tools are extremely risky on pages displaying health information.
High risk, avoid on healthcare sites: third-party advertising pixels, GA4 on authenticated pages, social media widgets that set tracking cookies, and any cross-site tracking on pages collecting health information.
Appointment Booking and Patient Portals
Appointment scheduling pages collect provider preference, reason for visit, and insurance details. A user booking with an oncologist is disclosing a health condition. Block all third-party tags on booking flows. For conversion tracking, use server-side APIs that send only the conversion event ("appointment booked") without clinical context.
Patient portals are behind authentication, so any tracking data is tied to an identified patient. Allow zero third-party tracking inside the patient portal: no GA4, no Hotjar, no FullStory. Use server-side logging within your HIPAA-compliant infrastructure instead. Review all embedded third-party resources (fonts, CDNs, chat widgets) to ensure none set cookies or transmit patient data. Configure your CMP to enforce a "necessary only" policy on portal pages regardless of the user's consent choices elsewhere.
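One way to express the page-level policy described above in a CMP loader, as an added example that is not CookieBeam's or any vendor's code: portal and booking paths stay "necessary only" whatever the visitor consented to elsewhere, and every other category is opt-in. The path prefixes and tag registry are constructed for illustration.

```javascript
// Section policies, most restrictive first; the "/" entry is the public catch-all.
// `allow` lists the cookie categories the section may ever load; `thirdParty`
// says whether tags that send data off-site are permitted in that section.
const SECTION_POLICIES = [
  { prefix: "/portal", allow: new Set(["necessary"]), thirdParty: false },
  { prefix: "/book", allow: new Set(["necessary", "analytics"]), thirdParty: false },
  { prefix: "/", allow: new Set(["necessary", "analytics", "advertising"]), thirdParty: true },
];

// Constructed tag registry: each tag declares its category and whether it
// transmits data to a third party (pixel, hosted analytics) or stays first-party.
const TAGS = {
  "meta-pixel":  { category: "advertising", thirdParty: true },
  "ga4":         { category: "analytics",   thirdParty: true },
  "matomo-self": { category: "analytics",   thirdParty: false },
  "session":     { category: "necessary",   thirdParty: false },
};

// Match on whole path segments so "/portalx" does not inherit the portal policy.
function policyFor(pathname) {
  return SECTION_POLICIES.find(
    (p) => p.prefix === "/" || pathname === p.prefix || pathname.startsWith(p.prefix + "/")
  );
}

// Decide whether a tag may load on this page for this visitor.
// `consent` is the stored opt-in state, e.g. { analytics: true, advertising: false };
// a missing key means no consent was given (opt-in, as MHMDA requires).
function mayLoad(tagName, pathname, consent = {}) {
  const tag = TAGS[tagName];
  const policy = policyFor(pathname);
  if (!tag || !policy) return false;                       // unknown tag or path: block
  if (tag.category === "necessary") return true;           // session/CSRF/consent cookies
  if (!policy.allow.has(tag.category)) return false;       // section forbids the category
  if (tag.thirdParty && !policy.thirdParty) return false;  // section forbids third parties
  return consent[tag.category] === true;                   // otherwise needs explicit opt-in
}

// The set of registered tags a loader would actually inject on this page.
function loadableTags(pathname, consent) {
  return Object.keys(TAGS).filter((t) => mayLoad(t, pathname, consent));
}
```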
Server-Side Alternatives for Healthcare Marketing
Removing client-side pixels doesn't mean giving up on measurement. Server-side alternatives let healthcare organizations control what leaves their infrastructure, stripping clinical context before sending conversion signals.
A server-side GTM container sits between your website and ad platforms. Instead of Meta Pixel firing in the browser and capturing everything, your server receives a controlled payload, strips health-related fields, and forwards only the marketing signal ("conversion occurred") to Meta's Conversions API. You control which fields reach each platform, no client-side ad cookies are set, and consent enforcement happens in infrastructure you own. For implementation details, see our guide to server-side consent enforcement.
For usage analytics, self-hosted solutions like Matomo keep all data within your infrastructure. No data leaves your servers, no third-party cookies are set, and you maintain full control over retention. The key principle: separate the marketing signal from the clinical context. You need to know an ad click led to a booking. You don't need to tell Google which type of appointment.
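The "separate the marketing signal from the clinical context" principle, as an added example that is not CookieBeam's code and not any ad platform's API: a server-side step that allowlists the fields permitted to leave the organization, collapses the event to a generic "appointment_booked" signal, generalises the page path to its section, refuses to forward without advertising consent, and flags any dropped field nobody has classified yet. Input and output field names are constructed; map them to the target platform's conversions API yourself.

```javascript
// Only these fields may ever reach an ad platform.
const FORWARDED_FIELDS = new Set(["event_time", "click_id"]);

// Known clinical or identifying fields. Everything outside FORWARDED_FIELDS is
// dropped regardless; this set exists so that a dropped field the team has not
// yet reviewed (for example one a marketing tag started sending) stands out.
const CLINICAL_FIELDS = new Set([
  "reason_for_visit", "provider_specialty", "provider_name",
  "insurance_plan", "patient_id", "email", "phone",
]);

// "/book/oncology/dr-smith" reveals a specialty; "/book" does not.
function sectionOf(path) {
  const first = String(path).split("/").filter(Boolean)[0];
  return first ? "/" + first : "/";
}

// Returns null when the visitor has not opted in to advertising, otherwise
// { event, dropped, unclassified }: the minimised payload to forward, the
// fields stripped, and the stripped fields that need a compliance decision.
function buildConversionEvent(raw, consent = {}) {
  if (consent.advertising !== true) return null;          // no consent, no forwarding
  const event = { event_name: "appointment_booked" };     // generic marketing signal only
  const dropped = [];
  const unclassified = [];
  for (const [key, value] of Object.entries(raw)) {
    if (key === "event_name") continue;                   // replaced by the generic name
    if (key === "page_path") { event.page_path = sectionOf(value); continue; }
    if (FORWARDED_FIELDS.has(key)) { event[key] = value; continue; }
    dropped.push(key);
    if (!CLINICAL_FIELDS.has(key)) unclassified.push(key);
  }
  return { event, dropped, unclassified };
}
```

Log `unclassified` in your own infrastructure and treat a non-empty list as a review trigger, since it means a new field appeared in the booking payload without anyone deciding whether it is clinical.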
How CookieBeam Handles Healthcare Compliance
Strict default blocking. CookieBeam blocks all non-essential scripts by default, so no cookies fire until the user makes a consent choice. No window where tracking occurs before the banner appears.
Necessary-only mode. For patient portals, booking flows, and medical record access, CookieBeam supports a configuration that blocks all non-essential cookies regardless of the user's consent state elsewhere on the site.
Page-level consent policies. Public marketing pages can allow analytics with consent while booking flows allow first-party analytics only and the patient portal permits nothing beyond session management. CookieBeam's category-based blocking handles these policies per page or section.
Cookie scanning. CookieBeam's automated scanner detects all cookies and tracking technologies, including ones marketing teams added without compliance review. The Advocate Aurora and Novant Health lawsuits both involved pixels installed without security oversight. Regular scanning catches these before they become settlements.
Server-side consent enforcement. CookieBeam's consent signals integrate with server-side consent enforcement and Google Consent Mode v2, ensuring consent decisions are respected by server-side containers. No consent, no data forwarding, enforced at every layer.