The Pixel Problem: Why HIPAA Compliance Isn’t Enough for Healthcare Marketers
You've probably seen headlines about hospitals being sued over website tracking. You might've even taken action—pulled a tracking pixel, updated a consent banner—and assumed you were in the clear.
But now the lawsuits are stacking up. And they're not just targeting hospitals. Hundreds of cases are being filed against the health care industry—including providers, health insurers, and payors—many of whom likely believed HIPAA was the only standard that legally applied or mattered.
"HIPAA is foundational, but it's not comprehensive," notes Jennifer Pike, Counsel in the Health Care Regulatory Group of Alston & Bird. It protects Protected Health Information (PHI), which may be on provider and payor websites and apps in specific contexts. But a large share of the data you collect as a marketer or digital lead simply doesn't fall under that definition.
For example, watching a video on your website, actions taken on unauthenticated pages, and form fills from prospective users are activities HIPAA doesn't always cover. And yet this kind of behavioral data can be extremely sensitive, especially when combined with health-related context such as the condition a page is about.
Regulators know it. Class action lawyers know it. And now they're acting on it.
So, what changed?
The definition of "sensitive data" has quietly expanded, and the tools for spotting violations have gotten a whole lot simpler. Plaintiffs no longer need subpoenas or insider tips. Just a browser extension and a reason to believe user data is being shared without proper consent.
In this guide, we'll map the gap between HIPAA and real-world exposure, unpack the legal strategies fueling this wave of litigation, and walk you through a five-step playbook to reduce risk, without sacrificing your marketing performance.
FTC's Pivot to Health-Data Tracking
In 2023, the FTC asked Congress for $160 million in additional funding to "investigate and litigate more and increasingly complex matters." It wasn't vague about the types of cases it had in mind: health-related data tracking is now a top priority.
The FTC's job is to protect consumers from "unfair or deceptive acts or practices in or affecting commerce." When HIPAA doesn't apply, the FTC steps in—and in recent years it has revived a more than 20-year-old statute, the Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information.
BetterHelp
Mental health platform BetterHelp told users their data was confidential, then shared it with Facebook and other platforms for advertising. People who searched for anxiety help were later retargeted with ads referencing those concerns. The FTC called this out as deceptive and levied a $7.8 million fine for a breach of trust.
GoodRx
GoodRx shared personal health information with third parties for ad targeting without properly disclosing the practice. It even falsely suggested HIPAA compliance via a seal on its telehealth homepage. The FTC fined GoodRx $1.5 million for misleading consumers and monetizing their data.
In both cases, the FTC didn't need HIPAA to act. It relied instead on its authority over unfair or deceptive practices, which reaches information and entities that HIPAA does not cover. These companies landed in hot water because they violated consumer trust and used sensitive data in ways they hadn't properly disclosed.
How Pixels are Feeding Plaintiffs
You may have heard about providers being sued over website tracking, but this issue is far from limited to hospitals. Many class action suits are now being filed against health insurers and payors.
Why? Because tracking tech like pixels, cookies, and session recorders is still prevalent on payor websites and apps. Plaintiffs' attorneys—often armed with nothing more than browser tools and free privacy scanners—are running audits, comparing your disclosures to what's actually happening on your site (or even what they perceive is happening), and building cases from the gaps.
It's not just web traffic. Mobile apps, member portals, embedded tools, and marketing automation platforms are all part of the new legal target surface.
This isn't hypothetical. It's active. And the legal strategies are getting increasingly creative.
Creative Legal Theories: A Crash Course
To build their cases, plaintiffs' attorneys are reviving old laws and applying them to new digital behaviors. Here are two examples worth knowing:
State Wiretapping Laws
"State wire-tapping laws—also known as eavesdropping laws," says Jen, "are essentially saying that if you put a pixel on your website or your application, you are eavesdropping on the conversation between the user of that website and the provider of that website, and the provider is recording it and sharing it to the pixel provider without the user's consent."
Jen notes that, while cases and settlements have primarily targeted providers, don't assume payors aren't on plaintiffs' radar.
Video Privacy Protection Act (VPPA)
"Originally passed in the 1980s to prevent rental stores from sharing viewing histories," says Jen, "this law is being applied to websites that embed video, especially those offering educational health content or telehealth services."
For example, if a user watches a video about managing diabetes, and that info is tracked or shared, it could be grounds for a VPPA claim.
Jen explains that while the legal logic may sound like a stretch, it hasn't stopped these lawsuits from moving forward, or from costing companies millions in settlements.
The 5-Step Risk Triage Playbook
With the regulatory environment evolving fast, you need a framework that helps you balance marketing performance with data privacy.
Here's a straightforward privacy-first playbook to get started, with insights from Jen Pike and Jennifer Everett, a Partner in Alston & Bird's Privacy, Cyber & Data Strategy practice.
1. Audit
Start by compiling a complete inventory of all tracking technologies on your website and mobile apps. This requires input from marketing, product, IT, and legal. "Don't rely on assumptions," Jennifer says. "Some tags are added through tools like Google Tag Manager and may not be formally documented."
2. Analyze
Evaluate what each tool is collecting and whether that data could qualify as PHI in context. "Even if it's not PHI under HIPAA, it could still trigger scrutiny from the FTC or state regulators," says Jen.
3. Verify
"If any tool handles PHI, you need a Business Associate Agreement (BAA) in place," Jennifer stresses. "If you don't have a BAA, you'll either need to remove the tool or use a governance solution that filters or de-identifies data before it leaves your site."
4. Govern
"Set strict rules for what gets shared with each vendor," says Jen. "This may involve customizing configurations, stripping out URL parameters, or using middleware to block unauthorized data flows."
5. Monitor
"What's compliant today may not be next quarter," notes Jennifer. "Establishing a process for ongoing oversight can help you avoid blind spots."
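To make the five steps concrete, here is an added example of the kind of governance layer step 4 describes, with the inventory check from steps 1 and 5 alongside it. It is not code from Freshpaint or from the attorneys quoted above, and every vendor host, path prefix, parameter name and sample URL in it is a constructed assumption. The idea is simple: before a page-view event leaves the site, drop every query parameter that is not on an allowlist, drop the URL fragment, and refuse to send anything from a sensitive page to a vendor that has no BAA on file.

```javascript
// Added example, not code from Freshpaint or Alston & Bird. A small client-side
// governance layer of the kind step 4 describes, plus the inventory check from
// steps 1 and 5. Vendor hosts, path prefixes, parameter names and sample URLs
// are all constructed assumptions for illustration.

// Step 1/5: the documented tag inventory. Any vendor host seen in a page scan
// that is not listed here is an undocumented tag and needs review.
const VENDOR_INVENTORY = {
  "analytics.example-baa.test": { baa: true },   // BAA on file
  "ads.example-pixel.test": { baa: false },      // advertising pixel, no BAA
};

// Step 4: query parameters that may be forwarded to a vendor. Everything else
// (search terms, condition names, member or patient identifiers) is dropped.
const ALLOWED_QUERY_PARAMS = new Set(["utm_source", "utm_medium", "utm_campaign", "lang"]);

// Step 2: path prefixes where page activity is treated as sensitive in context
// (condition content, video, scheduling, the authenticated member portal).
const SENSITIVE_PATH_PREFIXES = ["/conditions/", "/videos/", "/appointments", "/portal"];

// Strip disallowed query parameters and the fragment before a URL leaves the site.
function sanitizeUrl(rawUrl) {
  const url = new URL(rawUrl);
  const kept = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    if (ALLOWED_QUERY_PARAMS.has(name)) kept.append(name, value);
  }
  url.search = kept.toString();
  url.hash = ""; // fragments often carry in-page state; never forward them
  return url.toString();
}

function isSensitivePage(rawUrl) {
  const path = new URL(rawUrl).pathname;
  return SENSITIVE_PATH_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// Decide whether a page-view event for rawUrl may be sent to vendorHost.
// Returns { allow, reason, url }, where url is the sanitized URL when allowed.
function decideShare(rawUrl, vendorHost) {
  const vendor = VENDOR_INVENTORY[vendorHost];
  if (!vendor) return { allow: false, reason: "vendor not in inventory" };
  if (isSensitivePage(rawUrl) && !vendor.baa) {
    return { allow: false, reason: "sensitive page and no BAA" };
  }
  return {
    allow: true,
    reason: vendor.baa ? "BAA on file" : "non-sensitive page",
    url: sanitizeUrl(rawUrl),
  };
}

// Compare hosts observed in a scan (for example a tag-manager export or a
// crawler run) against the documented inventory; returns the undocumented ones.
function findUndocumentedTags(observedHosts) {
  return [...new Set(observedHosts)]
    .filter((host) => !(host in VENDOR_INVENTORY))
    .sort();
}

// Constructed sample page views used by the stand-alone demo below.
const SAMPLE_VIEWS = [
  "https://www.example-health.test/about?utm_campaign=spring&q=anxiety",
  "https://www.example-health.test/conditions/diabetes?utm_source=email&member_id=A123#treatment",
  "https://www.example-health.test/videos/managing-diabetes",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const view of SAMPLE_VIEWS) {
    for (const host of Object.keys(VENDOR_INVENTORY)) {
      console.log(host, JSON.stringify(decideShare(view, host)));
    }
  }
  console.log("undocumented:", findUndocumentedTags(["ads.example-pixel.test", "cdn.unknown-widget.test"]));
}
```

In practice `decideShare` would sit in front of every vendor's tracking call (the hook a tag manager or consent tool exposes before a tag fires), and `findUndocumentedTags` would run against each periodic scan so that a tag someone added through the tag manager without telling legal shows up before a plaintiff's browser extension finds it.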
Don't Wait for a Lawsuit: Assess Your Vulnerability Today
Not sure what's running where? You're not alone.
Freshpaint's Web Tracker Manager gives you a clear picture of all the tracking technologies operating across your digital properties, along with context like discovery date, risk level, and the specific pages affected.
It's a fast, non-invasive way to benchmark your privacy posture and catch issues before regulators (or plaintiffs' attorneys) do.
Want a full scan of your site? Complete this form and we'll send you a breakdown of every tracker, sorted by risk.