A new study by Piwik PRO and Verified Data scanned 59 major US hospital and clinic websites for tracking and data compliance. The findings show just how common it is for major US healthcare websites to run marketing tools that weren’t built for a regulated environment.
What we actually found
Across the 59 scanned sites, the study identified 75 unique tools in active use – 38 analytics and 37 advertising.

Google’s infrastructure was everywhere. Google Marketing Platform appeared on 33 of the 59 sites. Google Analytics on 20. That matters because Google explicitly prohibits HIPAA-covered entities from using its services for any purpose involving PHI, and won’t sign a BAA to cover that use.
In theory, an organization could use Google Analytics without ever passing PHI through it – but PHI shows up in places teams don’t expect, from appointment URLs to symptom-checker visits paired with an IP address. For most of these organizations, that’s not a configuration problem they can fully engineer around. It’s a structural risk that doesn’t go away with better settings.
Advertising infrastructure was widespread. Facebook, Microsoft Advertising, The Trade Desk, and similar platforms appeared across multiple sites. Advertising pixels are designed to transmit behavioral data back to ad platforms so they can build audiences and measure conversions. On a retail website, that’s unremarkable. On a healthcare website, the same data may qualify as PHI – and its use for marketing purposes creates serious compliance exposure.
Perhaps most telling: 73% of sites were still running advertising or marketing trackers even when visitors had an active GPC signal – a legally recognized opt-out in 12 US states. Only 69% were using marketing or advertising cookies, which points to a gap worth understanding: some of those trackers were likely operating without cookies at all, so cookie blocking alone would not have closed that exposure.

HEALTHCARE WEBSITE TRACKING REPORT 2026
Are healthcare companies one audit away from a compliance crisis?
A research-backed analysis of tracking practices across 59 US healthcare websites – and what organizations should do about it.
How healthcare ended up running marketing tools that weren’t built for such a regulated environment
This isn’t a story about negligence.
These are sophisticated marketing teams running tools they know well, in workflows optimized over years.
The problem is that those tools were never designed with HIPAA in mind – and the gap between ‘works everywhere else’ and ‘works in healthcare’ is often invisible until someone goes looking for it.
The regulatory landscape has shifted significantly in the last couple of years. FTC enforcement actions against digital health companies – with settlements ranging from six figures to nearly $8 million – have established that sharing health-related behavioral data with advertising platforms without a BAA is not a gray area.
On top of that, with 12 states now legally recognizing GPC signals as valid opt-outs, organizations with national patient traffic are exposed on multiple fronts at once.
“Healthcare organizations often inherit their analytics setup rather than actively choose it. For example, Google Analytics became the default for many because it was free, established, and widely understood.
The challenge today is product scope creep. What began as website analytics has evolved into broader behavioral ad targeting platforms. In regulated sectors such as healthcare, that creates greater compliance risk and requires much closer scrutiny of how data-gathering tools are configured and governed.
Those questions are now being asked by regulators, plaintiff attorneys, and increasingly by patients themselves.”

Brian Clifton
Digital Analytics and Privacy Expert, Founder of Verified Data
Closing the gap: what compliant analytics and marketing actually requires
Healthcare organizations don’t have to choose between effective marketing and defensible data practices. For most of what the standard stack does, compliant alternatives exist – and the report outlines how to get there:
- Audit what’s currently running and where data is going
- Remove advertising pixels from health-related pages
- Enforce opt-out signals at the tag management layer
- Migrate to an analytics platform that signs a BAA as standard
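As an added illustration (not code from the report, Piwik PRO or Verified Data), the JavaScript below sketches the audit and enforcement steps above: a resource audit that classifies third-party hosts a page has loaded, and a tag-loading gate that honours a GPC signal at the tag layer instead of relying on cookie blocking. The tracker hostnames, the consent object and the sample URLs are constructed assumptions for illustration.

```javascript
// Added example, not part of the report. Hostnames below are illustrative
// assumptions, not the study's tracker list.
const TRACKER_HOSTS = {
  analytics: ["google-analytics.com", "analytics.google.com"],
  advertising: ["facebook.net", "doubleclick.net", "bat.bing.com", "adsrvr.org"],
};

function matchesHost(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// Step 1 (audit): classify resource URLs the page has loaded, e.g. from
// performance.getEntriesByType("resource").map(e => e.name) in a browser.
function auditResources(urls) {
  const found = { analytics: new Set(), advertising: new Set() };
  for (const u of urls) {
    let host;
    try { host = new URL(u).hostname; } catch { continue; } // skip malformed URLs
    for (const [kind, suffixes] of Object.entries(TRACKER_HOSTS)) {
      if (suffixes.some(s => matchesHost(host, s))) found[kind].add(host);
    }
  }
  return { analytics: [...found.analytics].sort(), advertising: [...found.advertising].sort() };
}

// GPC as exposed by the browser (navigator.globalPrivacyControl); taken as a
// parameter here so the gate can be exercised outside a browser.
function readGpc(nav) {
  return nav !== undefined && nav.globalPrivacyControl === true;
}

// Steps 2 and 3 (enforce at the tag layer): decide whether a tag of the given
// kind may be injected at all. Returning false means the script is never
// loaded, which also stops cookieless beacons that cookie blocking would miss.
function mayLoadTag(kind, { gpc = false, consent = {}, healthPage = false } = {}) {
  if (kind === "advertising" && healthPage) return false; // no ad pixels on health pages
  if (kind === "advertising" && gpc) return false;         // GPC is an opt-out from ad tracking
  return consent[kind] === true;                           // otherwise only with explicit consent
}

// Constructed sample input: resources a single page might have loaded.
const SAMPLE_URLS = [
  "https://www.google-analytics.com/g/collect?v=2",
  "https://connect.facebook.net/en_US/fbevents.js",
  "https://bat.bing.com/bat.js",
  "https://example-hospital.test/static/app.js",
  "not a url",
];
```

In a tag manager, `mayLoadTag` would run in the trigger condition before the vendor script is injected, with `gpc` taken from `readGpc(navigator)`; whether analytics should also be blocked under GPC depends on the states an organization serves.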
Piwik PRO is the only analytics and data activation platform that is HIPAA-ready out of the box. Every healthcare customer gets a signed BAA, HIPAA-certified US-based hosting, and a complete analytics suite from day one. It gives marketers full visibility into campaign performance without compromising on compliance. It’s also easy to run without IT support, with a setup designed to make the switch as effortless as possible.
‘The organizations we work with aren’t starting from zero – they’ve got years of marketing data, established campaign structures, and teams that know what they’re doing,’ says Patryk Stoch, Business Development Manager at Piwik PRO. ‘The goal isn’t to tear that down, but rather to rebuild the infrastructure underneath it so the data they’re collecting is actually usable long-term, without crossing any privacy lines.’
