© 2026 AuthoritySpecialist SEO Solutions OÜ. All rights reserved.

Patient Privacy in Hospital Marketing: FTC Health Data Rules & HIPAA Digital Compliance

What the FTC, HHS, and State Laws Actually Require for Hospital Website Tracking

The regulatory landscape for hospital digital marketing changed dramatically between 2022 and 2024. Here's what marketing directors need to know about pixels, cookies, analytics, and patient data protection.


Quick answer

What privacy regulations apply to hospital digital marketing?

Hospital websites sit under HIPAA and the HHS guidance on tracking technologies; the FTC Health Breach Notification Rule reaches the health apps, vendors and tools around them that HIPAA does not cover. Many states have added laws like Washington's My Health My Data Act. Standard marketing tools (analytics, pixels, session replay) can violate these rules when they capture patient information from appointment scheduling, symptom checkers, or patient portal pages. This content is educational, not legal advice.

Key Takeaways

  1. The FTC Health Breach Notification Rule applies to non-HIPAA-covered entities handling health data, including many hospital marketing tools
  2. [HHS December 2022 guidance](/resources/hospitals/seo-compliance-for-hospitals) clarified that [tracking pixels](/resources/hospitals/hospital-seo-vertical-guide) on patient-facing pages can create HIPAA violations
  3. State laws like Washington's My Health My Data Act create additional consent requirements beyond federal rules
  4. Google Analytics, Meta Pixel, and session replay tools require careful configuration on hospital websites
  5. Violations can trigger both FTC enforcement and state attorney general actions simultaneously
  6. Privacy-compliant SEO and analytics are achievable; they just require intentional architecture
Editorial note: This content is educational only and does not constitute legal, accounting, or professional compliance advice. Regulations vary by jurisdiction — verify current rules with your licensing authority.

The Three Layers of Hospital Digital Privacy Regulation

Hospital marketing directors face a regulatory environment that shifted significantly between 2022 and 2024. Three overlapping frameworks now govern how hospitals can use digital marketing tools, and understanding where they intersect prevents costly compliance failures.

HIPAA and the HHS Tracking Technology Guidance: In December 2022, HHS issued guidance clarifying that tracking technologies on patient-facing pages—including unauthenticated pages—can create HIPAA violations when they transmit individually identifiable health information to third parties. This means a Meta Pixel firing on a cancer treatment page, combined with an IP address, may constitute a breach.

The FTC Health Breach Notification Rule: Originally written for vendors of personal health records, the rule has been applied by the FTC since 2023 to health apps and websites that handle health information but are not HIPAA-covered entities, and the FTC formally amended the rule in 2024 to make that coverage explicit. Many hospital marketing tools and third-party integrations fall into this gap.

State Health Data Privacy Laws: Washington's My Health My Data Act (effective March 2024) and similar state laws create consent requirements that go beyond HIPAA. These laws often apply to any entity collecting health data from state residents, regardless of where the hospital is located.

This overview is educational content and does not constitute legal advice. Consult healthcare privacy counsel for your specific situation.

Where Standard Marketing Tools Create Liability

The challenge for hospital marketers isn't that digital tools are inherently non-compliant—it's that default configurations often transmit data that triggers regulatory scrutiny. Understanding the specific risk points helps you configure tools appropriately.

Analytics and Behavioral Data: Google Analytics, Adobe Analytics, and similar tools can capture URL paths that reveal health intent. A visitor browsing /services/oncology/breast-cancer-treatment followed by /schedule-appointment creates a behavioral record tied to their device. When this data flows to Google's servers, you've potentially transmitted protected health information.

Advertising Pixels: Meta Pixel, Google Ads conversion tracking, and programmatic advertising tags are designed to build user profiles. On hospital websites, these profiles can include health conditions, provider searches, and appointment activity. Multiple health systems have faced class action lawsuits over pixel implementations.

Session Replay and Heatmaps: Tools like Hotjar, FullStory, and Crazy Egg record user interactions. If a patient enters information into a symptom checker or pre-registration form, session replay may capture it. Form-field masking reduces but does not remove this risk: values submitted through a GET form land in the URL, dynamic page titles and unmasked text nodes are still recorded, and a masking selector that does not match a redesigned form leaves the field exposed.

Chatbots and Live Chat: Third-party chat widgets that process visitor questions about symptoms, insurance, or appointments transmit health data to external servers. The routing of this data matters for compliance.

  • Default pixel placement across all pages creates the broadest exposure
  • Form-field masking doesn't always prevent data capture in URLs or page titles
  • IP addresses combined with health page visits may constitute identifiable health information
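The three points above come down to what a default page-view hit actually contains. The following is an added example, not code from the original page or from any analytics vendor: it constructs a hit shaped like a default page-view beacon (the hospital.example URLs, field names and all values are assumptions) and runs it through a server-side minimisation step that strips identifiers, drops the title and query string, and reduces the path to its top-level section.

```javascript
// Added example, not code from the original page or from any vendor's SDK.
// Contrasts a default client-side page-view hit with a minimised server-side
// hit. Every value is constructed; hospital.example and the field names are
// assumptions for illustration.

// A constructed hit shaped like a default page-view beacon: persistent
// device identifier, raw client address, full URL (including a GET form's
// query string), page title and referrer.
const RAW_HIT = {
  client_id: "1843520123.1712345678",
  ip: "203.0.113.47",
  user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/124.0",
  url: "https://hospital.example/services/oncology/breast-cancer-treatment?symptom=breast+lump&utm_source=meta",
  title: "Breast Cancer Treatment | Hospital Example",
  referrer: "https://hospital.example/symptom-checker?age=42&symptom=breast+lump",
  timestamp: 1712345678123,
};

// Fields that identify a person or device, or carry another page's data.
const IDENTIFIER_FIELDS = ["client_id", "ip", "user_agent", "referrer"];

// What a GET-submitted form (symptom checker, pre-registration search) leaves
// in the URL. Form-field masking in a replay tool does not touch this.
function queryParams(rawUrl) {
  return Object.fromEntries(new URL(rawUrl).searchParams.entries());
}

// Reduce a URL to its top-level section so the event records "a visit under
// /services", not which condition page was viewed. The query string is dropped.
function coarsenUrl(rawUrl) {
  const first = new URL(rawUrl).pathname.split("/").filter(Boolean)[0];
  return first ? `/${first}` : "/";
}

// Round to the hour so the event cannot be joined to a web-server access log
// entry by exact timestamp.
function coarsenTimestamp(ms) {
  const HOUR_MS = 3600000;
  return Math.floor(ms / HOUR_MS) * HOUR_MS;
}

// The server-side step: receive the raw hit first-party, forward only the
// minimised record to any third-party collector.
function minimiseHit(hit) {
  const out = {};
  for (const [key, value] of Object.entries(hit)) {
    if (IDENTIFIER_FIELDS.includes(key) || key === "title") continue;
    if (key === "url") out.section = coarsenUrl(value);
    else if (key === "timestamp") out.hour = coarsenTimestamp(value);
    else out[key] = value;
  }
  return out;
}

// Check a record before it leaves: no identifier fields, no title, no raw URL,
// no path deeper than the section level. Returns the list of problems found.
function auditForward(record) {
  const problems = [];
  for (const field of [...IDENTIFIER_FIELDS, "title", "url"]) {
    if (field in record) problems.push(`forbidden field: ${field}`);
  }
  if (typeof record.section === "string" &&
      record.section.split("/").filter(Boolean).length > 1) {
    problems.push("section is deeper than one path segment");
  }
  return problems;
}
```

The point of auditForward is that a server-side container which simply relays the raw hit to the vendor changes nothing. The minimisation has to be enforced on what leaves your infrastructure, not on where the script happens to run.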

What the HHS Tracking Technology Guidance Actually Requires

The December 2022 HHS guidance—updated in March 2024—provides specific direction on tracking technologies that hospital marketing teams should operationalize. Here's what it means in practice.

Authenticated Pages: On pages where patients log in (patient portals, MyChart, bill pay), tracking technologies that transmit data to third parties are effectively prohibited without a valid HIPAA authorization. Business associate agreements don't cover advertising use cases. Most hospitals have removed or heavily restricted pixels on these pages.

Unauthenticated Pages: This is where the guidance created the most disruption. HHS's position was that even on public-facing pages, a tracking technology that links an individual to health conditions, for example through a browsing path across condition-specific pages, may be collecting protected health information, and that an IP address or device identifier combined with health-related page visits could trigger HIPAA. Note the limit on that position: in June 2024 a federal district court in American Hospital Association v. Becerra vacated the part of the guidance that treated an IP address plus a visit to an unauthenticated health-condition page as individually identifiable health information. Unauthenticated pages are therefore less exposed under HIPAA than the 2022 text implied, but the same page visits remain within the reach of state health data laws and FTC authority, so the practical advice in this article does not change.

The Business Associate Question: Many hospitals initially believed that signing a BAA with Google or Meta would resolve tracking compliance. HHS specifically addressed this: a business associate agreement is only valid when the vendor is performing services on behalf of the covered entity for treatment, payment, or operations purposes. Advertising and analytics don't typically qualify.

Practical Implementation: Compliant approaches include server-side analytics that don't transmit identifiable data, first-party-only cookies, and selective pixel deployment that excludes health-specific pages. The specific technical architecture matters—there's no one-size-fits-all configuration.

Verify current HHS guidance directly, as enforcement interpretations continue to evolve.

FTC Health Breach Notification Rule: Enforcement and Scope

The FTC Health Breach Notification Rule existed for years before aggressive enforcement began. Understanding the rule's scope helps hospital marketing teams recognize where liability extends beyond HIPAA.

Who the Rule Covers: The rule applies to vendors of personal health records (PHRs) and related entities—which the FTC has interpreted broadly to include health apps, telehealth platforms, and websites that collect health information outside of HIPAA's direct coverage. Many hospital marketing tools and third-party integrations fall into this category.

What Constitutes a Breach: Under this rule, unauthorized disclosure of health information to a third party—including advertising networks—can constitute a breach requiring notification. The FTC has explicitly stated that sharing health data with advertisers without consumer consent violates the rule, regardless of whether the disclosure was intentional or resulted from default tracking configurations.

Enforcement Actions: The FTC pursued multiple enforcement actions in 2023 and 2024 against telehealth companies and health apps for sharing health data via advertising pixels. Penalties have included significant fines and mandatory deletion of data shared with advertising platforms. While these cases targeted non-hospital entities, the enforcement theory applies equally to hospital marketing practices.

Notification Requirements: If a breach occurs, the rule requires notification to affected individuals, to the FTC, and, where the breach involves 500 or more residents of a state, to prominent media outlets. Individual notices must go out without unreasonable delay and no later than 60 calendar days after the breach is discovered. The reputational impact often exceeds the direct penalties.

This summary reflects enforcement trends as of early 2025. Consult legal counsel for current FTC positions.

State Health Data Privacy Laws: Beyond Federal Requirements

Federal compliance isn't sufficient. State laws have created a patchwork of additional requirements that affect hospital digital marketing based on where patients are located—not just where the hospital operates.

Washington My Health My Data Act: Effective March 2024, this law requires affirmative consent before collecting, sharing, or selling consumer health data. It applies to any entity collecting health data from Washington residents and includes a private right of action. The definition of "consumer health data" is broad, covering information that identifies health conditions, treatments, or healthcare provider searches.

California CCPA/CPRA: While not health-specific, California's privacy laws include sensitive data provisions that cover health information. Hospitals must provide opt-out mechanisms for data sales and sharing with third parties, including advertising platforms.

Other State Laws: Connecticut, Colorado, Virginia, and other states have enacted comprehensive privacy laws with varying definitions of sensitive data and health information. The compliance requirements differ—some require opt-in consent for health data, others require opt-out mechanisms.

Practical Impact: For hospital systems with regional or national patient populations, the strictest state law often becomes the de facto standard. Implementing different tracking configurations based on visitor geolocation is technically possible but operationally complex. Many systems default to the most restrictive requirements across all visitors.

| State | Law | Health Data Provision | Consent Model |
|---|---|---|---|
| Washington | My Health My Data Act | Specific health data law | Opt-in required |
| California | CCPA/CPRA | Sensitive data category | Opt-out for sharing |
| Connecticut | CTDPA | Sensitive data category | Opt-in for sensitive data |
| Colorado | CPA | Sensitive data category | Opt-in for sensitive data |

Building Privacy-Compliant Hospital SEO and Analytics

Compliance doesn't require abandoning digital marketing measurement. It requires intentional architecture that separates what you can measure from what creates regulatory exposure.

Analytics Configuration: Server-side Google Analytics implementations route hits through a first-party endpoint, where identifiers can be stripped before anything leaves your infrastructure. That protection only exists if the server container actually removes the IP address, client identifiers and condition-level URL paths rather than relaying the raw hit; a server-side tag that forwards everything unchanged is just a proxy. First-party analytics tools that keep data within your infrastructure eliminate third-party transmission concerns. The tradeoff is implementation complexity and reduced integration with advertising platforms.

SEO Measurement Without Risk: Organic search performance—rankings, impressions, clicks—can be measured through Google Search Console without the privacy implications of on-site behavioral tracking. Technical SEO audits, page speed monitoring, and structured data validation don't involve patient data at all. Most SEO activities fall outside the regulatory concern zone.

Selective Pixel Architecture: If advertising measurement is essential, deploy conversion pixels only on non-health-specific pages—general contact confirmations, newsletter signups, or facility location pages. Exclude pixels from condition pages, provider directories, and any page where the visit itself reveals health intent.

Consent Management: For hospitals that continue using third-party tracking, consent management platforms that meet the most restrictive state requirements provide a compliance layer. However, consent banners don't resolve HIPAA concerns where business associate requirements aren't met.
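Selective pixel placement and consent gating are the same decision made at page-load time. The following is an added example, not the page's own code or any tag manager's: a gate that classifies the current path, refuses on authenticated and health-intent pages regardless of consent, and otherwise applies the consent model of the visitor's region from the state table above. The path lists, the region-to-model map, the hospital.example origin and the shape of the ctx object are assumptions for illustration.

```javascript
// Added example, not code from the original page or from any tag manager.
// Decides, per page view, whether a third-party conversion pixel may load.
// The path lists, the region map, the hospital.example origin and the ctx
// shape are assumptions for illustration.

// Pages whose visit itself reveals health intent: no third-party pixel, ever.
const HEALTH_PATH_PREFIXES = [
  "/services/", "/conditions/", "/find-a-doctor", "/providers/",
  "/symptom-checker", "/schedule-appointment", "/pre-registration",
];

// Logged-in areas (portal, bill pay, chart). A BAA does not authorise
// advertising use here; the gate refuses regardless of consent.
const AUTHENTICATED_PATH_PREFIXES = ["/mychart", "/portal", "/billpay"];

// The only places this example allows a conversion pixel: generic
// confirmations and facility location pages.
const PIXEL_ALLOWED_PREFIXES = [
  "/contact/thank-you", "/newsletter/confirmed", "/locations/",
];

// Consent model per region, following the state table in the article. Any
// region not listed (or unknown) gets opt-in, the most restrictive model.
const CONSENT_MODEL = { WA: "opt-in", CT: "opt-in", CO: "opt-in", CA: "opt-out" };

function startsWithAny(path, prefixes) {
  return prefixes.some((p) => path.startsWith(p));
}

// Classification is by prefix and fails closed: a page on no list is
// "unclassified" and treated like a health page.
function classifyPage(path) {
  if (startsWithAny(path, AUTHENTICATED_PATH_PREFIXES)) return "authenticated";
  if (startsWithAny(path, HEALTH_PATH_PREFIXES)) return "health";
  if (startsWithAny(path, PIXEL_ALLOWED_PREFIXES)) return "general";
  return "unclassified";
}

// ctx = { path, authenticated, region, consent } where consent is one of
// "granted", "denied" or "unknown" as reported by the consent banner.
function pixelDecision(ctx) {
  // Strip the query string before classifying; it plays no part in the
  // decision and must never reach the vendor either.
  const path = new URL(ctx.path, "https://hospital.example").pathname;
  const page = classifyPage(path);
  if (ctx.authenticated || page === "authenticated") {
    return { allow: false, reason: "authenticated context: HIPAA authorization required, BAA insufficient" };
  }
  if (page === "health" || page === "unclassified") {
    return { allow: false, reason: `${page} page: visit may reveal health intent` };
  }
  const model = CONSENT_MODEL[ctx.region] || "opt-in";
  if (model === "opt-in" && ctx.consent !== "granted") {
    return { allow: false, reason: "opt-in region without affirmative consent" };
  }
  if (model === "opt-out" && ctx.consent === "denied") {
    return { allow: false, reason: "visitor opted out" };
  }
  return { allow: true, reason: `general page, ${model} model satisfied` };
}

// Only the gate calls the vendor loader; the vendor snippet is never inlined
// into page templates where it would fire unconditionally.
function loadPixelIfAllowed(ctx, loadVendorTag) {
  const decision = pixelDecision(ctx);
  if (decision.allow) loadVendorTag();
  return decision;
}

// Browser usage (skipped outside a browser). Region and consent would come
// from your consent management platform, not be hard-coded as here.
if (typeof document !== "undefined") {
  loadPixelIfAllowed(
    { path: location.pathname + location.search, authenticated: false, region: "WA", consent: "unknown" },
    () => { /* vendor pixel loader goes here */ },
  );
}
```

The gate fails closed on two axes: a page that is not on the allow list is refused, and a region that is not in the map is treated as opt-in. That is the "default to the most restrictive requirement" approach described above, expressed as code rather than as a tag-manager trigger that someone has to remember to exclude.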

Documentation: Whatever approach you implement, document the privacy impact assessment, the technical configurations, and the legal rationale. If a regulator or plaintiff asks, that record is what shows the organization evaluated the risk and made deliberate choices rather than leaving default tracking in place.

Working with teams experienced in privacy-first SEO for hospitals helps avoid the common configuration mistakes that create exposure.

Frequently Asked Questions

Does a business associate agreement with Google or Meta make tracking compliant?

No. HHS guidance clarifies that business associate agreements only apply when vendors perform services on behalf of covered entities for treatment, payment, or operations. Advertising and marketing analytics don't qualify for this exception. A BAA with Google or Meta doesn't authorize transmitting patient data for advertising purposes. Consult healthcare privacy counsel for your specific implementation.

Can we run analytics or advertising pixels on the patient portal?

HHS guidance strongly suggests no. On authenticated pages where patients log in, tracking technologies that transmit data to third parties require valid HIPAA authorization, not just a BAA. Most hospitals have removed or heavily restricted analytics and advertising pixels on portal pages, bill pay, and MyChart integrations.

Do state health data laws apply if our hospital is located in a different state?

Generally yes. Laws like Washington's My Health My Data Act apply to entities collecting health data from state residents, regardless of where the hospital is physically located. If your hospital serves patients across state lines, including through telehealth, the strictest applicable state law often becomes your compliance baseline.

What is the financial exposure from non-compliant tracking?

Risk comes from multiple directions. HIPAA violations can result in OCR enforcement and penalties ranging from thousands to millions depending on severity. FTC actions have included substantial fines plus mandatory data deletion. State attorneys general can pursue separate enforcement under state privacy laws. Class action lawsuits have also targeted health systems over pixel implementations. The reputational cost often exceeds direct penalties.

Which analytics tools are compliant for hospital websites?

Tools that keep data within your infrastructure, such as first-party analytics and server-side implementations that don't transmit identifiers, create significantly less exposure than third-party tracking. Google Search Console provides SEO performance data without the on-site tracking concerns. The specific configuration matters more than the tool itself. No tool is automatically compliant or non-compliant.
