HIPAA & Compliance
Are Tracking Pixels HIPAA Compliant? A Dentist's Guide (2026)
By Dolev Arama · Updated June 2026
The honest answer is that it depends which page the pixel sits on. On a homepage that only shows information, a Facebook or Google tracking pixel is usually fine. On your online booking page, the same pixel can quietly hand a patient's information to a third party, and that is the version that has drawn regulatory attention and lawsuits. In 2025, the dental chain Aspen Dental agreed to a settlement fund of more than $18 million in a case built on that scenario. Here is where the line actually falls, what a 2024 court ruling did and did not change, and how to tell if your own site is on the wrong side of it.
When is a tracking pixel actually a HIPAA problem?
A tracking pixel is a small piece of third-party code, like the Meta Pixel or Google Analytics, that records what a visitor does and sends it back to the company that made it. The HIPAA question is not whether you run one. It is whether the page it sits on can send a patient's information to that company. HHS OCR drew the line around what the page can see.
On a page a patient has to log in to reach, like a patient portal, the pixel generally has access to protected health information, so HIPAA applies. On a general marketing page that anyone can read without logging in, like your hours or job postings, it usually does not. The surprise is in the middle: a page that lets someone book an appointment, fill in a contact form, or complete a new-patient intake form without logging in can still expose patient data, because the visitor types in a name and a reason for the visit. OCR treats that as a disclosure too.
Google says the same thing about its own product. Its official guidance tells HIPAA-regulated entities not to put Google Analytics on authenticated pages, and not to put it on unauthenticated pages that relate to the provision of health care. You can read Google's instruction in its own words.
| Usually fine | Treat as risky | Almost always a problem |
|---|---|---|
| Homepage, hours, directions, parking | A service page that names a specific treatment | The online appointment-booking page |
| Job postings and general practice info | A URL that reveals the service, like /dental-implants | The patient portal or any logged-in page |
| A blog post with no form on it | A plain contact form (name and email only) | A new-patient or intake form, or any form asking the reason for a visit |
Why you can't just sign a BAA and move on
For most vendors that handle patient data, the fix is a business associate agreement, a contract that binds them to HIPAA's rules. OCR's guidance is built on it: if a tracking vendor receives protected health information, the disclosure needs a permission under the Privacy Rule, and the vendor has to sign a business associate agreement before it receives anything.
Here is the catch for pixels. Google states plainly that it makes no representations that Analytics meets HIPAA and does not offer business associate agreements for the service. As of 2026, there is no such agreement on offer for the Meta Pixel either. So on a page that handles patient data, the contract that would make the pixel compliant does not exist. The only route the rules leave open is a signed HIPAA authorization from each visitor before any tracking happens, which is not practical for a marketing website.
And the shortcuts do not work. A cookie banner asking visitors to accept tracking is not a HIPAA authorization. Naming the pixel in your privacy policy does not create permission to share. Even a promise from the vendor to strip the data after it arrives is not enough, because the disclosure already happened when the page sent it. The agreement question that sits underneath all of this, which vendors count as business associates and what the contract has to say, is its own topic, covered in does my dental practice need a BAA.
Did the 2024 court ruling make this go away?
Partly, and a lot of online advice gets this wrong in both directions. In June 2024, a federal court in American Hospital Association v. Becerra struck down one specific piece of OCR's guidance: the claim that an IP address combined with a visit to a public, no-login page about a health condition is automatically protected information. That theory is gone, nationwide. OCR notes the ruling at the top of its own bulletin.
But that is the only part that fell. The rest of the guidance still applies: patient portals and logged-in pages, booking pages and intake forms that collect patient data, the business associate requirement, the duty to address tracking in your risk analysis, and breach notification when patient data leaks. The ruling is about the limits of HIPAA, and it does not touch the other two routes to legal exposure for a practice, FTC action and private lawsuits, which run on different laws entirely. The accurate read is narrow: pixels are not banned, and the ruling did not make the issue disappear.
It's not only HIPAA: the FTC and the courts
Even where HIPAA stops, two other doors stay open. The Federal Trade Commission has pursued health companies over data shared through pixels. In its first action under the Health Breach Notification Rule, it reached a $1.5 million civil penalty with the prescription-discount service GoodRx over allegations that it shared users' health information with Facebook and Google through tracking pixels and other tools. The FTC laid out the case in its own announcement. GoodRx is a health app rather than a dental office, so that specific rule may not reach your practice, but it shows the direction regulators are moving, and the FTC's deception authority can reach any business that misstates how it handles data.
The more common consequence has been private litigation. Patients have no private right of action under HIPAA itself; it is enforced by HHS OCR and, in some cases, state attorneys general, not by individuals. Instead, patients sue under state wiretapping and privacy laws, arguing that a pixel intercepted their communications without consent. Those cases have produced multimillion-dollar settlements against healthcare providers. Advocate Aurora Health, a 27-hospital system, agreed to a settlement of more than $12 million over tracking pixels on its website and patient portal, while denying any wrongdoing, and dental practices are not exempt.
| Route | Who can act | Over what |
|---|---|---|
| HIPAA | HHS Office for Civil Rights | Sending patient data to a vendor with no permission and no BAA |
| FTC | Federal Trade Commission | Misleading privacy claims; health apps under the Health Breach Notification Rule |
| Lawsuits | Patients, by class action | State wiretapping and privacy laws, since HIPAA has no private right of action |
| State AGs | State attorneys general | State consumer-protection and privacy laws, and in some cases HIPAA itself |
What Aspen Dental's $18 million settlement shows
In 2025, Aspen Dental Management agreed to a settlement fund of more than $18 million in a class action, Donnelly v. Aspen Dental Management. The patients claimed the dental chain's website used the Meta Pixel and Google tools that allegedly sent information about people who booked appointments online to Facebook and Google, without their consent. Aspen denied any wrongdoing, and a settlement is not a court finding that a company broke the law.
The lesson for a small practice is not the headline number. This was not a hospital with a vast data operation. It was an ordinary booking page. The payout per patient was small; the total came from the sheer number of people who had booked. A Facebook or Google pixel firing on your "request an appointment" page is the same setup the case was built on.

You do not have to guess whether your own booking page has the same gap. The free HIPAA Scorecard checks your website tracking and vendor setup along with eight other core controls, and names your top gap in about three minutes. It is a starting point, not a full audit, but it tells you where you stand.
How to check your dental website for tracking pixels
You do not need a developer for the first pass. Five steps tell you most of what you need to know, and the result feeds straight into the dental HIPAA risk assessment every practice has to keep.
1. List the trackers you run: the Meta Pixel, Google Analytics, Google Tag Manager, ad pixels, chat widgets, and form tools. Pay special attention to Google Tag Manager, since it is a container that can load many other trackers at once and most practices don't know what is firing through it. A free privacy scanner or your browser's developer tools (the Network tab, filtered to third-party hosts) will show what actually fires on each page.
2. Sort your pages into two groups. Marketing pages with no patient data on one side: homepage, services, blog. Pages that touch patient data on the other: the booking page, the patient portal, intake and contact forms.
3. Remove or block the Meta Pixel, Google Analytics, and ad tags on the booking page, the portal, and any form that collects a name plus a reason for the visit. This is the single highest-value fix.
4. Strip health detail out of the URLs and page titles on any page you still track. A link like /book?service=root-canal puts the treatment name into the data the page sends to any pixel loaded on it, because pixels record the page URL and title by default.
5. Document the result in your risk analysis. OCR's stated enforcement priority for tracking is the Security Rule, so record what tracks what, and your decision to keep pixels off patient-data pages, in that analysis.
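The inventory, page-sorting, blocking and URL-stripping steps above can be turned into a small script a practice's web developer can run in the browser console or in a build check. The block below is an added example written for this article; it is not Hipsana's code and not code from Google or Meta. The path patterns, health terms and tracker host list are assumptions made for illustration, and the resource list at the bottom is constructed to look like what a booking page with both pixels installed would load.

```javascript
// Added example (not Hipsana's code, not from any vendor): a page-tier gate,
// a URL scrubber and a tracker inventory check for a dental website.
// Every pattern, term and host below is an assumption for illustration;
// replace them with your own site map and your own scan results.

// Page sorting: paths that take patient data. Anything else is "marketing".
const PATIENT_DATA_PATHS = [
  /^\/book/i, /^\/appointment/i, /^\/portal/i, /^\/intake/i,
  /^\/new-patient/i, /^\/contact/i,
];

// URL scrub: query parameters and path words that reveal the reason for a visit.
const HEALTH_PARAMS = ['service', 'treatment', 'reason', 'procedure', 'symptom'];
const HEALTH_PATH_WORDS = [
  'implant', 'root-canal', 'extraction', 'invisalign', 'crown', 'whitening', 'periodont',
];

// Inventory: hosts that identify common trackers (assumed list, not exhaustive).
const TRACKER_HOSTS = {
  'connect.facebook.net': 'Meta Pixel (fbevents.js)',
  'www.facebook.com': 'Meta Pixel (image beacon)',
  'www.google-analytics.com': 'Google Analytics',
  'www.googletagmanager.com': 'Google Tag Manager / GA4',
  'googleads.g.doubleclick.net': 'Google Ads',
};

function classifyPage(pathname) {
  return PATIENT_DATA_PATHS.some((re) => re.test(pathname)) ? 'patient-data' : 'marketing';
}

// Gate: what your tag loader asks before injecting any marketing pixel.
function shouldLoadMarketingTags(pathname) {
  return classifyPage(pathname) === 'marketing';
}

// URL scrub: the value to hand to any tag you still run (for example as a
// page-location override), with health-revealing parameters dropped and path
// segments that name a treatment replaced by "redacted". This is a fallback;
// the durable fix is a URL scheme that never carries the treatment name.
function sanitizeLocation(urlString) {
  const url = new URL(urlString);
  for (const name of HEALTH_PARAMS) url.searchParams.delete(name);
  url.pathname = url.pathname
    .split('/')
    .map((seg) => (HEALTH_PATH_WORDS.some((w) => seg.toLowerCase().includes(w)) ? 'redacted' : seg))
    .join('/');
  url.hash = '';
  return url.toString();
}

// Inventory: map resource URLs (what the Network tab or
// performance.getEntriesByType('resource') shows) to known trackers.
function findTrackers(resourceUrls) {
  const found = new Map();
  for (const raw of resourceUrls) {
    let host;
    try { host = new URL(raw).hostname; } catch { continue; } // skip relative or unparsable URLs
    if (host in TRACKER_HOSTS && !found.has(host)) found.set(host, TRACKER_HOSTS[host]);
  }
  return [...found].map(([host, name]) => ({ host, name }));
}

// The check itself: any tracker firing on a patient-data page is a violation.
function auditPage(pathname, resourceUrls) {
  const tier = classifyPage(pathname);
  const trackers = findTrackers(resourceUrls);
  return { tier, trackers, violations: tier === 'patient-data' ? trackers : [] };
}

// Constructed sample: what a booking page with both pixels installed might load.
const SAMPLE_RESOURCES = [
  'https://example-dental.test/assets/app.js',
  'https://connect.facebook.net/en_US/fbevents.js',
  'https://www.googletagmanager.com/gtag/js?id=G-0000000',
  'https://www.facebook.com/tr?id=000&ev=PageView',
  'data:image/gif;base64,R0lGODlhAQABAAAAACw=',
];

// In a browser console this audits the page you are on; in Node it only defines the helpers.
if (typeof window !== 'undefined') {
  const seen = performance.getEntriesByType('resource').map((e) => e.name);
  console.table(auditPage(window.location.pathname, seen).violations);
}

if (typeof module !== 'undefined') {
  module.exports = { classifyPage, shouldLoadMarketingTags, sanitizeLocation, findTrackers, auditPage, SAMPLE_RESOURCES };
}
```

Paste the block into the console on each page you sorted as patient-data and look at the table it prints: an empty table is the goal. Note that the scrubber only changes what you pass to a tag; a pixel that reads the address bar on its own still sees the real URL, which is why removing the tag from the page, not scrubbing, is the fix for booking and intake pages.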
Going dark is not the only option. You can still measure your traffic without the HIPAA exposure: keep marketing pixels only on pages with no patient data, and for everything else use analytics that never send visitor data to a third party, like server-side logging or privacy-first tools that do not rely on cookies. For the record, this site is built to sidestep the problem: privacy-first, cookieless analytics and no third-party advertising or social pixels at all. The expensive path is sorting it out after a dispute has already begun.
This is general information about HIPAA, the FTC Act, and state privacy law, not legal advice. This is an unsettled and fast-moving area, and the right answer depends on your specific site and your state. Before you rely on any tracking setup on a page that could touch patient data, have it reviewed by counsel.
About the author
Dolev Arama is Hipsana's founder. He's the one behind the Scorecard and the short risk reviews it produces. He is not an attorney, and Hipsana is a publisher and referral service, not a law firm or a healthcare provider. The writing here starts where the rules actually live, at HHS, OCR, and NIST, and gets checked against their current text before it goes up. If a line can't be sourced, it doesn't run. More about Hipsana →
Sources
- HHS Office for Civil Rights, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (hhs.gov, accessed June 2026), including the June 20, 2024 vacatur note for Am. Hosp. Ass’n v. Becerra, No. 4:23-cv-1110 (N.D. Tex.).
- 45 CFR § 164.502(a) (permitted uses and disclosures of PHI) and § 164.508(a)(3) (authorization required for marketing) (eCFR, current).
- 45 CFR § 164.308(a) (security risk analysis and risk management) and § 164.312(e) (transmission security) (eCFR, current).
- 45 CFR § 160.103 (definitions of “business associate” and “protected health information”) (eCFR, current).
- Google, “HIPAA and Google Analytics,” Analytics Help (support.google.com, accessed June 2026): Google does not offer a business associate agreement for Google Analytics, and HIPAA-regulated entities should not set Analytics tags on HIPAA-covered pages.
- Federal Trade Commission, “FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising” (ftc.gov, Feb. 1, 2023): first action under the Health Breach Notification Rule; $1.5 million civil penalty.
- Donnelly, et al. v. Aspen Dental Management, Inc., No. 2025LA000036 (Cir. Ct. Sangamon County, Ill.): settlement fund of more than $18 million over tracking-pixel disclosures; the company denied wrongdoing (official settlement website, accessed June 2026).
- In re Advocate Aurora Health Pixel Litigation, No. 2:22-cv-1253 (E.D. Wis.): a $12,225,000 settlement fund over tracking pixels on the system's website and patient portal; the company denied wrongdoing (official settlement website, accessed June 2026).
Frequently asked questions
Is Google Analytics HIPAA compliant?
No, not as a HIPAA-compliant tool: Google does not offer a business associate agreement for Google Analytics, so it does not belong on any page that handles patient data, like your booking page or patient portal. On a marketing page with no patient information, such as your homepage, it is generally fine.
Is the Facebook (Meta) pixel allowed on a dental website?
In practice, keep it off any page that handles patient data. There is no business associate agreement available for the Meta Pixel, so on a booking page, a patient portal, or an intake form it can create an impermissible disclosure of protected health information. On a marketing page with no patient data, it is generally fine.
Didn't a 2024 court ruling say tracking pixels are fine now?
No. The 2024 ruling in AHA v. Becerra struck down one narrow theory, that an IP address plus a visit to a public health page is automatically protected. The rules for booking pages, patient portals, and business associate agreements still apply, and the ruling does not affect the FTC or private lawsuits.
Does a cookie consent banner make tracking HIPAA compliant?
No. Clicking accept on a cookie banner is not a HIPAA authorization, and neither is a disclosure in your privacy policy. HIPAA requires a permission under the Privacy Rule and a signed agreement with any vendor that receives patient data.
Can a patient sue my dental practice over a tracking pixel?
Not under HIPAA itself, which has no private right of action and is enforced by the government, not by individuals. But patients have sued healthcare providers under state wiretapping and privacy laws over website pixels, and those cases have produced large settlements, including ones involving a national dental chain and a major hospital system.
What can I use instead of Google Analytics or the Meta Pixel?
Keep marketing pixels only on pages with no patient data. For everything else, use analytics that never send visitor data to a third party, such as server-side logging or privacy-first, cookieless tools. Document the choice in your risk analysis.