HIPAA and the Use of Online Tracking for Marketing Purposes


Following recent actions against online health services such as BetterHelp and GoodRx, the Department of Health and Human Services (HHS) has issued a new warning to covered entities about the tracking technologies they use on their websites and mobile apps.

While web tracking has become routine technology for most businesses, it is not a cut-and-dried proposition for healthcare providers, which must protect patient privacy.

 

What Is Web Tracking?

Web tracking is the monitoring of what users do online. It involves gathering and analyzing a great deal of information about users' online behavior: which pages they visit, how long they stay on each page, what they click on, what they search for, what kind of device they use, where they are located, and which site referred them.

The stated goal of web tracking is to improve the online experience for users. By understanding what people like and how they behave, websites can offer personalized content, recommendations, and special deals.

In marketing and advertising, web tracking is a must-have tool. It lets advertisers target ads to users' interests, age, and online behavior, and it lets them measure how many people click on an ad and go on to buy a product, so they can see how well a campaign works. It also lets marketers focus on specific groups of users, making their campaigns more effective.

Because web tracking collects personal data, it can be a serious HIPAA compliance problem. It is particularly problematic when a tracker "enhances the user experience" by consuming data that is protected health information.

 

Types of Web Tracking


Web tracking methods are used to watch and understand what users are doing on websites. These smart tools help website owners determine what users like, improve their experience, and deliver the right content or ads. Here’s a rundown of common web tracking methods:

  • Cookies: Cookies are small text files saved on a user’s device containing information about browsing history, likes, and interactions with a website. They’re used for personalizing content, logging in, and targeted advertising.
  • Web Beacons (or Tracking Pixels): Tiny, see-through images put into web pages or emails that send information to a server when they’re loaded. They track how users interact with content, how often emails are opened, and how ads are viewed.
  • JavaScript Tracking: This is code added to web pages to gather detailed information about what users do. It’s used to study things like clicks, page navigation, and form submissions.
  • URL Tracking Parameters: These are details added to URLs to track where traffic comes from and how users move through a site. They help measure how well advertising and referrals are working.
  • Fingerprinting: This collects unique details about a user’s device, like the type of browser, screen size, and fonts installed. It’s used to identify and track users across different sessions and websites.
  • Social Media Plug-ins: These are buttons or widgets from social media sites that are placed on web pages. They’re used to share content to social media and to see how users interact with it; the widget’s provider typically learns that the user visited the page whether or not the user clicks it.
  • Server Logs: Records kept by web servers that show user requests, including the client’s IP address, device and browser, and the pages requested. They’re used to examine traffic patterns and find problems.
  • Third-party Analytics Tools: Tools like Google Analytics provide detailed tracking and analysis of user behavior. They’re used to learn who is visiting a site, what they’re doing, and what they like.
  • Local Storage and Session Storage: These are ways for websites to store information in a user’s browser. They’re used to remember user preferences and information from one visit to the next.

These methods can be used independently or together to fully understand what users are doing. But they can also raise privacy concerns, so using them responsibly is important. That means being clear about what’s tracked, getting users’ permission when needed, and following all the relevant privacy laws and rules.

 

What Does HIPAA Say About These Tracking Methods?

In a recent announcement, the Department of Health and Human Services warned covered entities (CEs) and business associates (BAs) that the tracking methods described above can create significant HIPAA compliance problems if they are not managed.

Fortunately, HHS provides clear guidelines for HIPAA-regulated entities and business associates using online tracking technologies.

The guidelines emphasize that tracking methods like cookies and web beacons, used to collect and analyze user interactions with websites or mobile apps, must follow HIPAA rules if the information gathered includes protected health information (PHI). The guidelines spell out the rules for tracking on authenticated (logged-in) web pages, on unauthenticated web pages, and in mobile apps. They also detail HIPAA compliance duties, such as ensuring that disclosures are permitted, setting up business associate agreements (BAAs), and implementing security measures.

Some steps that an organization can take include:

  • Make Sure Disclosures Follow the Privacy Rule: Any sharing of PHI with tracking technology vendors must be allowed by the Privacy Rule. Only share the minimum PHI needed to achieve the goal.
  • Set Up a Business Associate Agreement (BAA): If the tracking technology vendor is a “business associate,” a BAA must be in place. This agreement should outline the vendor’s allowed and required uses and sharing of PHI, security measures, and reporting requirements for security incidents and breaches.
  • Follow Privacy Rule Permissions: If there’s no relevant Privacy Rule permission or the vendor isn’t a business associate, you’ll need HIPAA-compliant authorizations from individuals before sharing PHI with the vendor. A website banner asking users to accept or reject cookies or tracking technologies does not constitute a valid HIPAA authorization.
  • Include Tracking Technologies in Risk Analysis and Management: You must consider tracking technologies in your Risk Analysis and Risk Management processes. This includes using administrative, physical, and technical safeguards in line with the Security Rule, like encrypting ePHI sent to the tracking technology vendor and using proper authentication and access controls.
  • Provide Breach Notification: If there’s an unauthorized disclosure of PHI to a tracking technology vendor that compromises the security or privacy of the PHI, you must notify the affected individuals and the Secretary of HHS, and also the media when the breach affects more than 500 residents of a state or jurisdiction.
  • Don’t Share PHI Without a BAA: If you choose not to set up a business associate relationship with vendors or the tracking technology vendor won’t provide written assurances through a BAA, you can only share PHI with the vendors with individual authorizations.
  • Comply with the Security Rule: This includes encrypting ePHI in transit to the tracking technology vendor and applying proper authentication, access, encryption, and audit controls to any ePHI stored in the tracking technology vendor’s system.

These steps highlight the importance of following the HIPAA Privacy, Security, and Breach Notification Rules. They ensure that all information sharing is allowed, proper agreements with vendors are in place, necessary safeguards are used, and the right notifications are made if there’s a breach.
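Two of the points above call for a concrete check: the "Types of Web Tracking" section describes the mechanisms a page can carry, and the risk-analysis step requires knowing which of them are actually on your pages. The script below is an added example written for this article; it is not code from the original post, from Lazarus Alliance, or from HHS. It does a static inventory of one page's HTML and flags third-party scripts, inline tracker loaders, 1x1 tracking pixels, third-party iframes (social plug-ins), and outbound links carrying tracking parameters. The first-party host name, the vendor host list, the inline-snippet signatures, and the sample appointment page are all constructed for the example; a real inventory would use a maintained vendor list.

```python
"""Static inventory of web-tracking technologies in a page's HTML.

Added example, not code from the original post, from Lazarus Alliance,
or from HHS. Assumes the page HTML is already fetched (here a constructed
sample) and that the covered entity's own host name is known.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hypothetical covered-entity portal host (assumption for the example).
FIRST_PARTY = "portal.example-clinic.test"

# Illustrative vendor hosts and inline-loader signatures (assumptions,
# not a maintained blocklist).
KNOWN_TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta (Facebook)",
}
INLINE_SIGNATURES = {"fbq(": "Meta Pixel", "gtag(": "Google tag", "dataLayer": "Google Tag Manager"}
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "fbclid", "gclid"}


class TrackerScanner(HTMLParser):
    """Collects one finding per tracking mechanism seen in the markup."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.findings = []
        self._inline = None  # buffer for the body of an inline <script>

    def _third_party(self, url):
        host = urlparse(url).hostname or ""
        return bool(host) and host != self.first_party and not host.endswith("." + self.first_party)

    def _add(self, kind, url, detail, vendor=None):
        host = urlparse(url).hostname or ""
        vendor = vendor or KNOWN_TRACKER_HOSTS.get(host, host)
        self.findings.append({"kind": kind, "url": url, "vendor": vendor, "detail": detail})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag == "script":
            if src:
                if self._third_party(src):
                    self._add("third-party script", src, "JavaScript tracking")
            else:
                self._inline = []  # inspect the body when </script> arrives
        elif tag == "img" and src:
            # A 1x1 image is a web beacon regardless of where it is hosted.
            if a.get("width") == "1" and a.get("height") == "1":
                self._add("tracking pixel", src, "web beacon")
            elif self._third_party(src):
                self._add("third-party image", src, "possible web beacon")
        elif tag == "iframe" and src and self._third_party(src):
            self._add("third-party iframe", src, "social plug-in / embedded widget")
        elif tag == "a" and a.get("href"):
            params = sorted(TRACKING_PARAMS & set(parse_qs(urlparse(a["href"]).query)))
            if params:
                self._add("tracking URL parameters", a["href"], ", ".join(params))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            self._inline = None
            # Tag-manager loaders inject further scripts at runtime, so a
            # static scan only sees the loader itself; record it explicitly.
            for signature, vendor in INLINE_SIGNATURES.items():
                if signature in body:
                    self._add("inline tracker snippet", "(inline)", signature, vendor)


def scan(html, first_party=FIRST_PARTY):
    """Return the list of tracking findings for one page's HTML."""
    scanner = TrackerScanner(first_party)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: an authenticated appointment page for a specialty clinic.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-0000000"></script>
<script src="https://portal.example-clinic.test/static/app.js"></script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
</head><body>
<h1>Schedule an appointment: Oncology</h1>
<img src="https://portal.example-clinic.test/img/logo.png" width="120" height="40">
<img src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView" width="1" height="1">
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fportal.example-clinic.test"></iframe>
<a href="https://pharmacy-partner.test/refill?utm_source=portal&amp;utm_campaign=oncology">Refill a prescription</a>
<a href="/account/settings">Account settings</a>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML):
        print(f"{f['kind']:<24} {f['vendor']:<20} {f['detail']}  <- {f['url']}")
```

Running it against the sample reports five findings: the tag-manager loader, the inline pixel snippet, the 1x1 pixel, the social plug-in iframe, and the outbound link with UTM parameters; the first-party script and logo are correctly ignored. Each flagged request also carries the page URL in the Referer header (here a path that reveals an oncology appointment) and the client's IP address, which is exactly the combination the HHS guidance treats as potential PHI on authenticated pages. The scan is static, so scripts that a tag manager injects at runtime are not visible; repeat the inventory against the rendered DOM or a browser's network log before relying on it for the risk analysis.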

 

Focus On HIPAA Security with Lazarus Alliance

When it comes to HIPAA, you’ll want a partner that can help you on your journey effectively, efficiently, and reliably. Our training, experience, and background make us the best partner and auditor you can choose for your ongoing compliance requirements.

Download our company brochure.
