Digital Advertising and Tracking – Can We or Can’t We Track and Disclose User Activity on our Website?
More than eighteen months have passed since the Northern District of Texas court in AHA v. Becerra ruled that certain guidance issued by the Office for Civil Rights (OCR) on the use of online tracking technologies was unlawful and could therefore not be enforced. Yet hospitals are still grappling with whether the use of advertising and tracking technologies from companies such as Meta and Google on their websites is permitted.
The world of digital advertising is complicated, and how companies connect an individual's activities across platforms could fill a lengthy college textbook. Complexity aside, certain rules remain in place and must guide any digital advertising and tracking strategy, such as the basic HIPAA rule that a covered entity may not disclose protected health information (PHI) to a third party unless the disclosure fits within an exception or the third party is a business associate using the PHI solely on behalf of the covered entity.
The Texas court held that disclosing the IP address of a visitor to an unauthenticated public webpage does not violate this rule. But that holding was limited to those facts. We have evaluated various health care organization websites where the organization asks an individual to complete a form that is sent to the organization for follow-up related to health care. These forms range from requesting minimal information (some or all of name, address, phone, and sometimes the assistance requested) to very extensive information (the medical history of the person for whom services are sought). Connecting this to digital advertising: when the organization's advertising on a third-party platform directs the individual to such a page, it is important to evaluate carefully what information is sent back to that third party. The organization should treat any information gathered in connection with a health care related form as PHI; sending information about that activity back to the platform could fall outside the boundaries the Texas court drew. Advertising that brings an individual to these types of pages should be treated as subject to the rules for authenticated webpages.
What about links to truly unauthenticated webpages? Here significant industry debate remains. What are some of the risks?
- Although it is thought unlikely, OCR could still try to enforce its position (i.e., that this activity violates HIPAA) against covered entities that were not parties to the lawsuit. OCR's decision not to appeal the Texas decision likely signals that it does not intend to enforce HIPAA in this manner.
- Private plaintiffs could allege that a HIPAA violation triggered state unfair competition laws, which could lead to extensive discovery and litigation costs. We have not seen new claims of this type brought so far.
- There is ongoing litigation against Meta over its collection of information from hospital websites, including unauthenticated public webpages. We are aware that numerous hospitals have been pulled into that litigation through subpoenas for information simply because they had the Meta Pixel deployed on their websites. Meta's position is that the health care organizations, not Meta, controlled what data Meta collected. This will be an active litigation area for quite some time, and continuing to use this type of technology could put health care organizations in the crosshairs of that or future litigation.
- If the data is not PHI subject to HIPAA, it could still be personally identifiable information (PII) subject to FTC enforcement. The FTC has been fairly active lately in enforcing consumer privacy standards against companies that share customer data. The FTC's focus is on whether the company provided proper notice and obtained the necessary consent before sharing data, which can be accomplished through a website privacy policy and a consent or opt-out process.
- If the information is not subject to HIPAA, state law could also control, so your applicable state law must be part of the analysis. For example, the Iowa Consumer Data Protection Act (ICDPA) took effect on January 1, 2025. The ICDPA exempts both non-profit institutions and entities that are subject to and comply with HIPAA (an entity-level exemption rather than a carve-out for PHI alone). Where a state law carves out only PHI, a determination that an IP address is not PHI could bring that information within the state law.
If your organization has not reviewed and updated its website privacy policy (which is different from your Notice of Privacy Practices) and user consent process, it is time to review those documents to ensure they address the other laws that can come into play when advertising and tracking do not involve PHI.