Class actions against healthcare systems for tracking technology use have not slowed. Settlements have crossed nine figures. Most marketing agencies are not equipped to operate inside HIPAA. If you are a covered entity running campaigns, your website and your marketing stack are part of your compliance perimeter.
This article covers the marketing-specific HIPAA risks we see most often, the current regulatory landscape, and how we handle covered entity engagements.
The current regulatory landscape
Two pieces of recent history matter.
First, HHS's December 2022 bulletin (revised March 2024) put healthcare marketers on notice that tracking technologies on covered entity websites can implicate PHI. In June 2024, a federal court in American Hospital Association v. Becerra vacated nationally the specific portion of that guidance that defined an IP address combined with a visit to an unauthenticated public page about a specific condition as PHI. The rest of the guidance remains intact. Patient portals, authenticated pages, intake forms that collect symptoms or conditions, and anything else tied to identifiable user health data still implicate HIPAA when that data flows to a third-party vendor without a Business Associate Agreement.
Second, the lawsuits are not only about HIPAA. State privacy laws, wiretap statutes, and consumer protection claims continue to drive class action exposure regardless of where HHS guidance lands. The practical risk has not gone away.
A new HIPAA Security Rule update is also expected to be finalized in 2026, with effective dates likely landing in late 2026 or early 2027. It is expected to convert most "addressable" safeguards to mandatory, require annual compliance audits, and require a maintained inventory of all technology assets that touch ePHI, including AI tools.
Where the violations actually happen
Tracking pixels on PHI surfaces. The Meta Pixel sends user data back to Meta by default. Same with Google Ads conversion tags, LinkedIn Insight Tag, TikTok pixel, and most analytics platforms. None of these vendors will sign a BAA. Putting them on patient portal pages, appointment-scheduling flows that capture reason for visit, or symptom-checker tools is a direct compliance failure.
Lead forms that capture symptoms or conditions. A form that asks "What brings you in today?" and forwards the response to a non-BAA email address is a PHI breach. Same for chatbots that ask intake questions and route to platforms without a BAA in place.
Marketing automation and email. Sending appointment reminders, condition-specific newsletters, or care plan content through Mailchimp, Constant Contact, or HubSpot's standard tier is a violation if those platforms do not have a BAA in place. Some have HIPAA-compliant tiers. Most marketing agencies use the default tier.
Patient portal integrations. Tracking on or near patient portals is the highest-risk surface area. Any analytics, heatmapping, or session recording that captures portal interactions is almost certainly a violation.
What a compliant marketing stack looks like
Hosting. The host has a signed BAA. Standard shared hosting almost never qualifies. Healthcare clients need HIPAA-eligible hosting (AWS with BAA, Azure with BAA, or dedicated HIPAA-compliant providers).
Forms. Forms that may capture PHI submit through encrypted, BAA-covered processors. Form data lands in a system covered by BAA, not a generic CRM or email service.
Analytics. We segment. Marketing analytics for page traffic, campaign attribution, and non-PHI conversion events run through standard tools on non-PHI surfaces. PHI surfaces either have no third-party tracking or use HIPAA-compliant analytics with a BAA.
Advertising pixels. We do not place Meta Pixel, LinkedIn Insight Tag, or other ad pixels on authenticated pages, intake forms, or pages where users disclose health information. Conversion tracking for paid campaigns uses server-side methods that hash identifiers and scrub PHI before any data leaves the covered environment.
Email and SMS. We use BAA-covered platforms for any communication that could touch PHI. We segment marketing audiences from clinical communications.
Documentation. Every BAA is on file. Every vendor with potential PHI access has been verified. We can produce the BAA chain on request from a compliance officer or auditor.
How we handle healthcare clients
The first conversation is a stack audit. We map every tool currently in use, identify which ones touch PHI, and check BAA status. Most engagements start with a list of tools that need to come off the site immediately.
We rebuild what needs rebuilding. That can mean new forms, a different hosting environment, server-side conversion tracking, or migration to a HIPAA-eligible marketing automation platform.
We document the perimeter. Every healthcare engagement closes with a written record of which tools cover which functions, where the BAAs are filed, and what the segregation rules are between marketing and clinical data flows.
What this looks like in practice
When we onboard a covered entity, the first 30 days look like this:
- Week 1. Stack audit. Every tool currently in use is mapped against PHI exposure. BAA status checked for each. The immediate-pull list goes to the client privacy officer for sign-off.
- Weeks 2-3. Pulls and migrations. Non-compliant trackers come off. Forms get rebuilt to submit through BAA-covered processors. Hosting migrates if needed. Server-side conversion tracking replaces client-side pixels on any surface that touches PHI.
- Week 4. Documentation. Written perimeter map, BAA chain, segregation rules between marketing and clinical data flows, ongoing compliance cadence.
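The week-1 stack audit, as an added example written for this article (not the agency's tooling): each crawled page is mapped against its PHI classification and a BAA register, and every third-party tag host becomes a finding with a disposition, so the "pull immediately" list and the "verify this vendor" list fall out of the data rather than a manual walkthrough. The BAA register, the page inventory, the HTML and the hostnames with `.example` domains are constructed assumptions; the real register comes from the client's BAA file and the page HTML from a crawl of the live site.

```javascript
// Added example: a first-pass stack audit over a page inventory. Inputs are constructed;
// a real audit crawls the live site and reads BAA status from the client's records.

// Constructed BAA register: hostnames that serve tag scripts, the vendor behind each,
// and whether a signed BAA is on file. The last entry is a hypothetical BAA-covered vendor.
const BAA_REGISTER = {
  "connect.facebook.net": { vendor: "Meta Pixel", baa: false },
  "www.googletagmanager.com": { vendor: "Google tag (Ads / GA4)", baa: false },
  "snap.licdn.com": { vendor: "LinkedIn Insight Tag", baa: false },
  "analytics.tiktok.com": { vendor: "TikTok Pixel", baa: false },
  "static.hotjar.com": { vendor: "Hotjar session recording", baa: false },
  "analytics.baa-vendor.example": { vendor: "HIPAA-eligible analytics (hypothetical)", baa: true },
};

// Pull external script/img/iframe sources out of page HTML. Static tags only; tags that a
// tag manager injects at runtime need a live crawl with a headless browser.
function extractThirdPartyHosts(html, siteHost) {
  const hosts = new Set();
  const re = /<(?:script|img|iframe)\b[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  let match;
  while ((match = re.exec(html)) !== null) {
    let src = match[1];
    if (src.startsWith("//")) src = "https:" + src;   // protocol-relative URL
    if (!/^https?:\/\//i.test(src)) continue;         // relative path: same origin
    const host = new URL(src).hostname.toLowerCase();
    if (host !== siteHost.toLowerCase()) hosts.add(host);
  }
  return [...hosts];
}

// One finding per third-party host per page, with a disposition for the pull list.
function auditPage(page, siteHost) {
  return extractThirdPartyHosts(page.html, siteHost).map((host) => {
    const entry = BAA_REGISTER[host];
    let disposition;
    if (!entry) disposition = "verify";          // unknown vendor: identify it, check for a BAA
    else if (entry.baa) disposition = "ok";      // BAA on file: allowed on any surface
    else if (page.phi) disposition = "pull";     // no BAA on a PHI surface: remove now
    else disposition = "ok-non-phi";             // no BAA, but the page carries no PHI
    return {
      path: page.path,
      phi: page.phi,
      host,
      vendor: entry ? entry.vendor : "unknown",
      disposition,
    };
  });
}

function auditSite(pages, siteHost) {
  const findings = pages.flatMap((page) => auditPage(page, siteHost));
  return {
    findings,
    pullList: findings.filter((f) => f.disposition === "pull"),
    verifyList: findings.filter((f) => f.disposition === "verify"),
  };
}

// Constructed inventory: page path, PHI classification signed off by the privacy officer,
// and the page HTML as crawled.
const SAMPLE_PAGES = [
  {
    path: "/services/cardiology",
    phi: false,
    html: '<script async src="https://connect.facebook.net/en_US/fbevents.js"></script><img src="/img/logo.png">',
  },
  {
    path: "/portal/messages",
    phi: true,
    html: '<script src="https://static.hotjar.com/c/hotjar-0.js"></script><script src="https://analytics.baa-vendor.example/a.js"></script>',
  },
  {
    path: "/schedule/new",
    phi: true,
    html: '<script src="//www.googletagmanager.com/gtag/js?id=AW-0"></script><iframe src="https://chat.unknown-widget.example/embed"></iframe>',
  },
];

const SAMPLE_AUDIT = auditSite(SAMPLE_PAGES, "www.example-health.example");

for (const f of SAMPLE_AUDIT.findings) {
  console.log(`${f.disposition.padEnd(11)} ${f.path.padEnd(24)} ${f.host} (${f.vendor})`);
}
```

The `verify` disposition is the one that tends to matter most in practice: the known ad pixels are easy to spot, while the unknown chat widget or embedded scheduler on an intake page is where an unlisted vendor without a BAA usually hides. The same run, repeated monthly against a fresh crawl, is the pixel-placement review described below.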
After the onboarding window, the cadence is monthly review of pixel placement and form behavior, quarterly BAA verification across the vendor stack, and an annual audit aligned to whatever the privacy officer's external counsel recommends. No surprise discoveries from the plaintiff's bar, because we have already mapped the surface area.
Honest note
Compliance is a moving target. HHS guidance has shifted twice in two years and been partially vacated in court. New Security Rule changes are coming. The plaintiff's bar is testing new theories. We are not lawyers, and your HIPAA program needs to be owned by a privacy officer with legal counsel. What we offer is a marketing operation that does not undermine that program.
If you are a covered entity and you have not audited your marketing stack since the 2022 HHS bulletin, you have unmanaged risk. We can run that audit.
