We checked 59 hospital websites. 73% kept tracking visitors after opt-out.

Published July 02, 2026

A new study by Piwik PRO and Verified Data scanned 59 major US hospital and clinic websites for tracking and data compliance. The findings show just how common it is for major US healthcare websites to run marketing tools that weren’t built for a regulated environment.

What we actually found

Across the 59 scanned sites, the study identified 75 unique tools in active use – 38 analytics and 37 advertising.

Google’s infrastructure was everywhere. Google Marketing Platform appeared on 33 of the 59 sites, and Google Analytics on 20. That matters because Google explicitly prohibits HIPAA-covered entities from using its services for any purpose involving PHI, and won’t sign a BAA to cover that use.

In theory, an organization could use Google Analytics without ever passing PHI through it – but PHI shows up in places teams don’t expect, from appointment URLs to symptom-checker visits paired with an IP address. For most of these organizations, that’s not a configuration problem they can fully engineer around. It’s a structural risk that doesn’t go away with better settings.

Advertising infrastructure was widespread. Facebook, Microsoft Advertising, The Trade Desk, and similar platforms appeared across multiple sites. Advertising pixels are designed to transmit behavioral data back to ad platforms so they can build audiences and measure conversions. On a retail website, that’s unremarkable. On a healthcare website, the same data may qualify as PHI – and its use for marketing purposes creates serious compliance exposure.

Perhaps most telling: 73% of sites were still running advertising or marketing trackers even when visitors had an active GPC signal – a legally recognized opt-out in 12 US states. Only 69% were using marketing or advertising cookies, and the difference between those two figures points to a gap worth understanding: some trackers were likely operating without cookies at all. Cookie-blocking alone wouldn’t have closed that exposure.

HEALTHCARE WEBSITE TRACKING REPORT 2026

Are healthcare companies one audit away from a compliance crisis?

A research-backed analysis of tracking practices across 59 US healthcare websites – and what organizations should do about it.

How healthcare ended up running marketing tools that weren’t built for such a regulated environment

This isn’t a story about negligence.

These are sophisticated marketing teams running tools they know well, in workflows optimized over years.

The problem is that those tools were never designed with HIPAA in mind – and the gap between ‘works everywhere else’ and ‘works in healthcare’ is often invisible until someone goes looking for it.

The regulatory landscape has shifted significantly in the last couple of years. FTC enforcement actions against digital health companies – with settlements ranging from six figures to nearly $8 million – have established that sharing health-related behavioral data with advertising platforms without a BAA is not a gray area.

On top of that, with 12 states now legally recognizing GPC signals as valid opt-outs, organizations with national patient traffic are exposed on multiple fronts at once.

Brian Clifton, Digital Analytics and Privacy Expert, Founder of Verified Data

Closing the gap: what compliant analytics and marketing actually requires

Healthcare organizations don’t have to choose between effective marketing and defensible data practices. For most of what the standard stack does, compliant alternatives exist – and the report outlines how to get there:

  • Audit what’s currently running and where data is going
  • Remove advertising pixels from health-related pages
  • Enforce opt-out signals at the tag management layer
  • Migrate to an analytics platform that signs a BAA as standard
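The following is an added example, not code from Piwik PRO, Verified Data or the report, showing how the steps above (and the cookieless-tracker gap noted earlier) can be enforced in one place at the tag-management layer. A small tag gate decides per page view which tags may load: any advertising tag is blocked when a Global Privacy Control opt-out is present, whether it uses cookies or not; advertising tags never load on health-related pages; analytics tags load only when the vendor is covered by a signed BAA; and the page URL is stripped of query parameters before any tag sees it. The tag registry, the health-related path prefixes, the `baaSigned`/`usesCookies` field names and the sample visits are all constructed assumptions for the example. GPC itself is read from the two real places it appears: `navigator.globalPrivacyControl` in the browser and the `Sec-GPC` request header on the server side.

```javascript
// Added example (not Piwik PRO's or Verified Data's code): a tag-management gate
// that enforces GPC opt-outs, keeps advertising tags off health-related pages,
// and only loads analytics vendors covered by a signed BAA.
// Registry entries, path prefixes, field names and sample visits are constructed.

const TAG_REGISTRY = [
  { id: "analytics-baa", category: "analytics", baaSigned: true, usesCookies: true },
  { id: "analytics-no-baa", category: "analytics", baaSigned: false, usesCookies: true },
  { id: "ad-pixel-cookie", category: "advertising", baaSigned: false, usesCookies: true },
  { id: "ad-pixel-cookieless", category: "advertising", baaSigned: false, usesCookies: false },
];

// Path prefixes treated as health-related (constructed; a real list comes from the audit step).
const HEALTH_PATH_PREFIXES = ["/appointments", "/symptom-checker", "/conditions", "/patient-portal"];

// GPC is visible in two places: navigator.globalPrivacyControl in the browser and
// the Sec-GPC request header for server-side tagging. Either one counts as an opt-out.
function gpcSignalled(env) {
  if (env.navigator && env.navigator.globalPrivacyControl === true) return true;
  const headers = env.requestHeaders || {};
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === "sec-gpc" && String(headers[name]).trim() === "1") return true;
  }
  return false;
}

function isHealthRelatedPath(pathname) {
  const p = pathname.toLowerCase();
  return HEALTH_PATH_PREFIXES.some((prefix) => p === prefix || p.startsWith(prefix + "/"));
}

// Drop query string and fragment before a URL reaches any tag: appointment and
// search URLs are a common place for PHI to surface.
function sanitizeUrl(url) {
  const u = new URL(url);
  return `${u.origin}${u.pathname}`;
}

// Decide which tags may load for one page view. Advertising tags are evaluated
// against GPC first, so a cookieless pixel is blocked exactly like a cookie-based one.
function decideTags(env, registry = TAG_REGISTRY) {
  const pageUrl = sanitizeUrl(env.url);
  const pathname = new URL(pageUrl).pathname;
  const optedOut = gpcSignalled(env);
  const healthPage = isHealthRelatedPath(pathname);
  const allowed = [];
  const blocked = [];
  for (const tag of registry) {
    let reason = null;
    if (tag.category === "advertising" && optedOut) {
      reason = "gpc-opt-out";
    } else if (tag.category === "advertising" && healthPage) {
      reason = "health-related-page";
    } else if (tag.category === "analytics" && !tag.baaSigned) {
      reason = "no-baa";
    }
    if (reason) blocked.push({ id: tag.id, reason });
    else allowed.push(tag.id);
  }
  return { pageUrl, optedOut, healthPage, allowed, blocked };
}

// Audit check: a decision is non-compliant if any advertising tag was allowed
// while the visitor had an active opt-out (the 73% finding in the report).
function auditDecision(decision, registry = TAG_REGISTRY) {
  const byId = new Map(registry.map((t) => [t.id, t]));
  const leaks = decision.allowed.filter(
    (id) => decision.optedOut && byId.get(id) && byId.get(id).category === "advertising"
  );
  return { compliant: leaks.length === 0, leaks };
}

// Constructed sample visits: a booking page with browser GPC, a careers page
// with the Sec-GPC header, and a careers page with no opt-out at all.
function runDemo() {
  const visits = [
    { url: "https://hospital.example/appointments/book?patient=12345&reason=oncology", navigator: { globalPrivacyControl: true } },
    { url: "https://hospital.example/about/careers", requestHeaders: { "Sec-GPC": "1" } },
    { url: "https://hospital.example/about/careers", requestHeaders: {} },
  ];
  return visits.map((v) => {
    const d = decideTags(v);
    const line = { page: d.pageUrl, allowed: d.allowed, blocked: d.blocked, audit: auditDecision(d) };
    console.log(JSON.stringify(line));
    return line;
  });
}

runDemo();
```

The ordering of the checks is the point: the GPC rule is evaluated before anything cookie-related, so blocking cookies is never what keeps an advertising tag out, and the audit function flags any configuration drift that lets an advertising tag through under an opt-out.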

Piwik PRO is the only analytics and data activation platform that is HIPAA-ready out of the box. Every healthcare customer gets a signed BAA, HIPAA-certified US-based hosting, and a complete analytics suite from day one. It gives marketers full visibility into campaign performance without compromising on compliance. It’s also easy to run without IT support, with a setup designed to make the switch as effortless as possible.

‘The organizations we work with aren’t starting from zero – they’ve got years of marketing data, established campaign structures, and teams that know what they’re doing,’ says Patryk Stoch, Business Development Manager at Piwik PRO. ‘The goal isn’t to tear that down, but rather to rebuild the infrastructure underneath it so the data they’re collecting is actually usable long-term, without crossing any privacy lines.’

Effective healthcare marketing and HIPAA compliance aren’t a trade-off. See how to get both.