Are Facebook and Google Tracking Pixels HIPAA Compliant?

Posted By Madilyn Moeller, Monday, October 21, 2024


Online fingerprint protects web data

By Eric Atienza, Assistant Director of Digital Marketing Technology, American Med Spa Association (AmSpa)

Most platforms like Facebook, Instagram, Google Ads and Google Analytics utilize a "tracking pixel" for tracking and targeting as a standard practice, but are tracking pixels legal in matters of patient privacy? A number of court cases in recent years have called into question the definition of Protected Health Information (PHI) when it comes to online data, and created some concern over whether healthcare practices using these online tools are in violation of patient privacy laws.  

Though there may be conflicting sources out there because of the speed and frequency of legal cases, most medical spa websites shouldn't be worried about patient privacy and tracking pixels as the most recent ruling in summer 2024 relieves that burden for most general web traffic. Read on for more background and details on what you should and shouldn't be concerned about.  

What Are Tracking Pixels and What Do They Do?

Tracking pixels are small snippets of JavaScript that third-party resources often require you to add to the code of your website in order to provide tracking information in their dashboards. Facebook/Instagram, Google Ads, Google Analytics, and retargeting ad platforms are just a few examples of sites that require the use of these code snippets to function.

These bits of code track users’ activity on your site including what pages they go to, how long they stay on these pages, what they click on, what forms they submit and much more. At issue is that they tie all of these individual actions together into one user’s session by tracking the user’s IP address. An IP address is like a home address for devices on the internet. It’s a unique number that identifies a computer, smartphone, or other device when it connects to a network.

With this data, platforms like Meta are able to see a user’s behavior on your site and report on effectiveness of ad clickthroughs or even provide advanced ad targeting on both Facebook and Instagram based on that user’s behavior on your website. Google is able to collect an astonishing amount of aggregated data from multiple users to provide actionable insights on how well or poorly a website is performing through Google Analytics.

Tracking Pixels and Patient Privacy

Of course, whenever data is collected that can potentially identify a person, and when the data is being collected by a medical facility, questions of patient privacy inevitably arise. With regard to online tracking, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has stated:

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

These issues came to the forefront in 2023 after a class-action lawsuit against five healthcare facilities, alleging that the facilities integrated the Meta tracking pixel with their website, which resulted in a sharing of Protected Health Information from the medical facilities to Meta. The suit was based on guidance that the OCR and HHS issued in 2022 that classified IP address as Protected Health Information.

Generally, to be compliant with HIPAA rules, a vendor that receives or handles PHI from a healthcare facility or provider must execute a Business Associate Agreement (BAA). Since neither Google nor Facebook (nor any commercially available third-party ad platform) signs a BAA, they are technically not HIPAA compliant. Additionally, Google in its documentation specifically mentions that its tracking pixels should not be used in any fashion that relates to Protected Health Information.

What Counts as Protected Health Information on the Internet?

As mentioned above, original guidance in 2022 from OCR and HHS included IP address in its list of online PHI, which immediately put any medical practice using tracking pixels in potential violation of patient privacy laws. A number of lawsuits and appeals attempted to make the case that someone simply visiting a website isn’t an indication that they are a patient or not, and as such IP address couldn’t by itself be PHI.

The OCR attempted to clarify its position by saying that if practices could infer that the “visitor intent” was just informational then they would not be in violation. Practices then responded that this was not a reasonable standard as there is no way to prove intent with the data available.

In the most recent ruling, in June of 2024, the U.S. District Court for the Northern District of Texas vacated the portion of the guidance document stating that IP addresses collected from general website traffic count as PHI, as well as the obligation to prove visitor intent.

What Data Can You Track as a Medical Practice?

So, what does it all mean? For medical aesthetic practices, in the vast majority of cases you should be fine using Meta, Google or other tracking pixels on the publicly available portion of your website.

Current HHS guidance for online tracking differentiates between “authenticated traffic” and “non-authenticated traffic,” which means that for any page that is not locked behind a login and/or cannot otherwise be proven to tie a user to patient status, IP address is not Protected Health Information.

If you don’t have a portion of your site that requires patient login (or any other way to specifically identify users as a patient) then you should be able to use these third-party pixels as any other website on the internet.

The issue still exists for areas of your site that may require patient login, though. For instance, if you have a section where patients can log in to view their medical records or re-order medical grade skin care, these sections of your site specifically would still qualify as identifying patients. As such, tracking IP addresses in these areas could be collecting PHI and distributing that information to the third-party tracking company.

If you do have a section gated behind patient login, you may still use tracking pixels on the publicly available section of your website. For the gated section you should contact your website provider to ensure that you are not using third-party trackers in those private sections unless you are able to establish a BAA with those organizations.  
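As an added example (not code from the article or from AmSpa), the browser-side JavaScript below enforces the split described above: third-party pixels load only on non-authenticated pages unless the vendor has signed a BAA, and a small audit helper lists any tracker scripts already present on a page. The path prefixes, tracker hostnames and sample script list are assumptions constructed for illustration.

```javascript
// Added example (not from the AmSpa article): load third-party tracking pixels only on
// public, non-authenticated pages. Path prefixes, tracker hostnames and the sample script
// list are assumptions constructed for illustration; adapt them to your own site.

// Assumed: sections of the site that sit behind a patient login.
const AUTHENTICATED_PREFIXES = ['/patient-portal', '/my-records', '/reorder'];

// Hostnames that serve common third-party tracking scripts (illustrative, not exhaustive).
const TRACKER_HOSTS = new Set([
  'connect.facebook.net',       // Meta pixel
  'www.googletagmanager.com',   // Google Ads / Google Analytics tag
  'www.google-analytics.com',
]);

// True when the page is in a login-gated area or the server flagged the visitor as logged in.
function isAuthenticatedArea(pathname, userLoggedIn = false) {
  const p = pathname.toLowerCase();
  return userLoggedIn ||
    AUTHENTICATED_PREFIXES.some(prefix => p === prefix || p.startsWith(prefix + '/'));
}

// Pixels may fire on non-authenticated traffic; on gated pages only if the vendor signed a BAA.
function shouldLoadTracker(pathname, userLoggedIn, vendorHasBaa = false) {
  return !isAuthenticatedArea(pathname, userLoggedIn) || vendorHasBaa;
}

// Audit helper: given the script src URLs present on a page, return the tracker hosts that
// would fire there. Run it against gated pages; the expected result is an empty list.
function findTrackerScripts(scriptSrcs) {
  const hits = [];
  for (const src of scriptSrcs) {
    try {
      const host = new URL(src).hostname;
      if (TRACKER_HOSTS.has(host)) hits.push(host);
    } catch (e) {
      // relative paths and inline scripts are first-party: nothing to report
    }
  }
  return hits;
}

// Constructed sample: script tags found on a patient-portal page (two should not be there).
const SAMPLE_PORTAL_SCRIPTS = [
  '/static/app.js',
  'https://connect.facebook.net/en_US/fbevents.js',
  'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER',
];
```

In a browser, `findTrackerScripts(Array.from(document.scripts).map(s => s.src))` audits the live page, and the pixel snippet your vendor supplied should be wrapped in `if (shouldLoadTracker(location.pathname, loggedIn)) { ... }` rather than placed unconditionally in a site-wide template.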

Privacy Laws Are Still Catching Up to Technology

Technology moves faster than law in almost all cases, especially when it comes to the Internet. The issue of user privacy online has become a hot topic in general in recent years as Apple and Google have moved to obscure more and more user data amid pressure from customers, state governments and the EU. Keep checking back with us, as the situation remains fluid, and to get updates on any other laws affecting medical aesthetics.

AmSpa will work diligently to provide clarity and up-to-date information regarding laws in our space, whether patient privacy or otherwise. Become a member to stay up to date on the laws and regulations that impact your practice.
