HEALTHCARE WEBSITE TRACKING REPORT 2026
Are healthcare companies one audit away from a compliance crisis?
A research-backed analysis of tracking practices across 59 US healthcare websites – and what organizations should do about it.

Introduction
Most marketing platforms weren’t built for healthcare.
The tools that have become market standard – Google Analytics, Meta pixels, Microsoft Ads – were designed to measure and improve traffic and advertising performance. But they were never built for regulated industries where a standard tracking pixel can constitute a PHI disclosure.
Since December 2022, federal regulatory guidance has explicitly identified commonly used tracking technologies as non-compliant for healthcare contexts – yet most marketing teams are unaware that compliant alternatives exist.
To show what’s at stake, we commissioned independent research across 59 major US hospital and clinic websites. 73% had advertising or marketing trackers running in ways that would be difficult to defend under current regulatory guidance.
This report documents the scale of the problem and shows what a compliant, high-performing marketing stack actually looks like.
METHODOLOGY
The studies: what we looked at and how
The audit was conducted by Verified Data, founded by Brian Clifton – a leading expert in digital analytics and former Head of Web Analytics for Europe at Google. It was designed to replicate the conditions a regulator would examine: what data is collected, by whom, and whether it respects users’ legally recognized opt-out rights.
The crawl covered 59 major US hospital and clinic websites – up to 25 pages per domain – from a California-based location with a Global Privacy Control (GPC) signal active. GPC communicates a Do Not Sell or Share request under the California Consumer Privacy Act and equivalent laws in 11 other states: Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas.
The tool interacted with each page as a real user would: clicking buttons, scrolling, playing videos. It detected and categorized all cookies, scripts, pixels and network calls present.

KEY FINDINGS
- 43 out of 59 websites (73%) were using advertising or marketing trackers despite the active GPC signal.
- 41 out of 59 websites (69%) were using marketing or advertising cookies – a strong indicator of data being routed to third-party ad platforms.
- The narrow gap between those two figures is significant: some trackers were likely operating without cookies, meaning traditional cookie-blocking approaches would not fully address the exposure.
WHAT THE SCANS FOUND
What was actually running on these sites
According to Verified Data’s study, the scanned sites contained 75 unique tracking tools in active use, including 38 analytics tools and 37 advertising tools.
Analytics and behavioral tools
Across the 59 scanned sites, 38 unique analytics and behavioral tools were detected. Google Analytics was the most widely deployed, appearing on 20 sites. Siteimprove Analytics and Adobe Experience Cloud each appeared on 11 sites, Qualtrics on 9, Invoca on 8 and Piwik PRO Analytics Suite on 8.
mPulse and Cloudflare Insights each appeared on 7 sites. Session replay and behavioral tools included Crazy Egg, Heap, ContentSquare and Microsoft Clarity on 4 and 3 sites respectively, alongside FullStory, Hotjar, Mouseflow and Decibel Insight each appearing on 1 site. A further 24 platforms appeared on between 1 and 4 sites each, including Amplitude, Tealium, New Relic, Salesforce, Segment, Snowplow, Kameleoon and Quantum Metric.

Advertising and call tracking infrastructure
Across the 59 scanned sites, 37 unique advertising and call tracking tools were detected. Google-owned infrastructure was the most prevalent: Google Marketing Platform appeared on 33 sites, Google on 18, Google Tag on 16, Google AdServices on 10, Google Analytics with signals on 5, Google Publisher Tags on 2, Google Ads Measurement on 1 and Google Syndication on 1.
Adobe contributed three separate products – Adobe Audience Manager on 7 sites, Adobe Advertising Cloud on 3 and Adobe Marketo Engage on 1. Facebook appeared on 6 sites, Microsoft Advertising on 5, Eloqua on 8 and CallTrackingMetrics on 4. A further 22 platforms appeared on between 1 and 4 sites each, including The Trade Desk, LiveRamp, Index Exchange, Integral Ad Science, Magnite, DeepIntent, Amazon Advertising, Epsilon, LinkedIn Widgets and Snapchat for Business.

What the data suggests
Some tools identified are concerning from a compliance standpoint, regardless of how they’re configured. Advertising platforms like Google Marketing Platform, Meta Pixel, Microsoft Advertising and The Trade Desk should not be firing after a visitor has explicitly opted out of data sharing. Stripping enough data to make them compliant would eliminate their core function.
Session replay tools present a similar problem – they capture granular, individual-level behavioral data that can include what users type into forms before submitting.
RISK ANALYSIS
The three compliance issues emerging from the study
01 – Advertising trackers and pixels on healthcare websites
73% of tested sites had advertising or marketing trackers installed
69% were using advertising or marketing cookies
19 documented enforcement cases, $100M+ in penalties (2023–2025)
Advertising pixels are designed to transmit behavioral data back to ad platforms – so those platforms can build audiences, measure conversions and optimize delivery. In most industries, that’s a straightforward exchange. On a healthcare website, the same mechanism can operate on very different data.
When a visitor navigates to an oncology page, searches for a specialist, or starts an appointment booking flow, their behavioral data may carry health-related context that qualifies as protected health information (PHI). When an ad pixel fires, that data is transmitted to platforms that have no obligation to protect the health information they receive – and it is not possible to sign a BAA with an advertising platform.
HIPAA also requires individual written authorization before PHI is used for marketing purposes, a requirement that pixel-based retargeting cannot meet by default.
The narrow spread between the tracker figure (73%) and the cookie figure (69%) is also worth noting: some trackers were likely operating without cookies, meaning cookie-blocking alone wouldn’t have fully addressed the exposure.
02 – Tracking before and after Reject All
43 out of 59 websites (73%) had advertising or marketing trackers installed despite the active GPC signal
The audit crawled all 59 sites with an active Global Privacy Control (GPC) signal – the browser-based opt-out mechanism that is legally recognized in 12 US states. Advertising trackers were still running on 73% of them.
This means the majority of tested sites were collecting and transmitting data from users who had legally exercised their right to opt out. When a user’s opt-out signal is received but ignored at the tag level, it’s difficult to characterize the outcome as an accidental misconfiguration.
For organizations with national patient traffic, honoring opt-out signals isn’t optional. It requires that every active tracker respects the user’s choice at the point where data is collected and transmitted – not just acknowledged at the interface level.
03 – Analytics platforms that pose compliance risks
Healthcare organizations need web analytics. Understanding how patients find them, what content performs and how campaigns contribute is both legitimate and – done correctly – fully achievable in a regulated environment. The question is which platforms are used and how.
Google Analytics is the most widely deployed analytics platform in the world. It is also structurally incompatible with HIPAA in ways that settings alone can’t fix:
- Google does not sign BAAs and explicitly prohibits HIPAA-covered entities from using its services for any purpose involving PHI.
- Data processed through Google Analytics flows through Google’s infrastructure under Google’s terms and may be used to develop its services and inform its advertising systems.
Adobe Analytics presents a more nuanced picture. Adobe does offer BAA arrangements – but only for certain enterprise configurations. The standard implementation doesn’t provide a compliant path for collecting PHI, and organizations need to verify their specific setup against that standard.
For organizations subject to HIPAA, the choice of analytics platform is a compliance decision. It needs to be made deliberately, not inherited from a previous implementation or carried over when teams change.

“Healthcare organizations often inherit their analytics setup rather than actively choose it. For example, Google Analytics became the default for many because it was free, established, and widely understood.
The challenge today is a product scope creep. What began as website analytics has evolved into broader behavioural ad targeting platforms. In regulated sectors such as healthcare, that creates greater compliance risk and requires much closer scrutiny of how data gathering tools are configured and governed.
Those questions are now being asked by regulators, plaintiff attorneys, and increasingly by patients themselves.”
Brian Clifton
Digital Analytics and Privacy Expert, Founder of Verified Data
Read more: Is Google Analytics HIPAA-compliant?
REGULATORY CONTEXT
Why this matters now: the regulatory landscape
Since 2022, three developments have raised the compliance stakes for healthcare website tracking. Understanding all three matters, because each covers different ground – and organizations serving national patient populations may be subject to all of them simultaneously.
HIPAA and HHS guidance
HIPAA establishes the baseline compliance framework for any organization handling PHI. PHI covers any information related to a patient’s health condition, care or payment that can be linked to an individual – even indirectly. In practice, this has a broader reach than many organizations assume. It can include:
- IP addresses combined with visits to condition-specific pages (oncology, psychiatry, fertility services).
- URL parameters and page paths that reveal which service line or physician profile a user visited – for example, /appointments/cardiology or /find-a-doctor/dr-smith-oncology.
- Form field data on appointment request pages, including content captured by trackers before the form is submitted.
- Behavioral patterns inside authenticated pages such as patient portals, including which services a patient is accessing or what appointments they have scheduled.
- Third-party advertising cookies that connect health-related browsing to profiles held by ad platforms outside your control and without a BAA in place.
- Click IDs (GCLID, FBCLID) that connect a user’s health-related actions back to their advertising profile through conversion exports or tracking pixels.
In December 2022, HHS issued guidance clarifying that these obligations extend to the marketing website – not just clinical or EHR systems. A 2024 update narrowed the scope slightly for unauthenticated public pages, following a court ruling in favor of the American Hospital Association.
What the American Hospital Association (AHA) ruling actually changed – and what it didn’t
The court found that an IP address combined with a visit to a general public health page does not, on its own, constitute PHI. That’s a meaningful clarification for unauthenticated pages. But the ruling was narrow and specific to that finding. It doesn’t vacate guidance on authenticated pages, condition-specific content, symptom checkers or appointment flows.
HHS can still enforce instances where HIPAA identifiers are combined with health information – for example, an ad click ID connected to a scheduled appointment shared with an ad platform. The underlying requirement remains: any tracking tool that collects PHI-adjacent data and transmits it to a third party requires a signed BAA. Without one, the transmission may constitute an impermissible disclosure.
The Federal Trade Commission (FTC) enforcement
The FTC has authority over unfair or deceptive practices – and has used it directly in healthcare contexts, including against companies that aren’t traditionally considered HIPAA-covered entities. This matters because organizations that assume HIPAA doesn’t apply to them may still face federal oversight.
Enforcement actions against three healthcare organizations established that sharing health data with advertising platforms falls under the FTC’s jurisdiction. In 2023, the FTC and HHS jointly warned approximately 130 hospital systems and telehealth providers about the risks of online tracking technologies.
State privacy laws
An expanding body of state legislation extends requirements beyond HIPAA. Organizations serving patients across state lines face simultaneous exposure across multiple frameworks:
- Washington’s My Health My Data Act: applies to any organization collecting health data from Washington residents – regardless of HIPAA status. It covers web browsing behavior on health-related pages and includes a private right of action, meaning individuals can sue directly without waiting for a regulator.
- California’s CCPA/CPRA: requires opt-out mechanisms and mandatory compliance with GPC signals.
- Texas, Colorado and Connecticut: require consent for the processing of sensitive data, including health information.

“Patients expect that their health-related behavior stays private when they visit a hospital website. Meeting that expectation is entirely possible with the right setup – and organizations that get there aren’t just reducing their legal risk. They’re building something more valuable: a digital presence their patients can actually trust.”
Magdalena Pawlitko
Head of Global Sales at Piwik PRO
PATH FORWARD
How to make your marketing HIPAA-compliant
These patterns show up across the industry, but they’re not inevitable. Healthcare organizations that get digital marketing right tend to share one thing: they’ve built their approach around what compliant data use actually requires. That means rethinking some familiar tools and workflows – but it doesn’t mean giving up on effective marketing.
Here’s how to start.
Note: This report does not constitute legal advice. If you’re unsure about your organization’s compliance obligations, consult a qualified attorney or compliance specialist.
Step 1 – Audit your current tracking setup
Conduct a full tag and cookie audit across all pages – with particular attention to condition-specific pages, appointment flows and patient portal entry points. Map every active tracker to its vendor destination: where does the data go, could it constitute PHI, is there a BAA in place? If you have a consent management platform (CMP), test whether tags are actually blocked before consent fires and whether Reject All is enforced across all pixels – not just acknowledged by the banner UI.
This audit will typically surface findings in three categories: tools that can’t be made compliant (ad pixels without BAA coverage), tools that could be compliant with reconfiguration, and gaps in consent enforcement at the tag layer.
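The following is an added example of the single-page check at the heart of Step 1 and of the methodology described above; it is not code from the report, from Verified Data or from Piwik PRO. The vendor table, the page HTML, the cookie names and the `example-hospital.org` hostnames are constructed for illustration (the third-party domains in the table are the vendors’ real script hosts, but the BAA column is an assumption you must verify against your own contracts). It extracts third-party script, image and iframe hosts, maps them to vendors, and records the findings an auditor would write down under an active GPC signal on a PHI-adjacent path.

```javascript
// Added example, not code from the report, Verified Data or Piwik PRO: a single-page
// tag-and-cookie audit of the kind Step 1 describes. Vendor table, page HTML and
// cookie names are constructed for illustration; extend the table for your own stack.

const VENDORS = {
  "www.googletagmanager.com": { vendor: "Google Tag", category: "tag-manager", baa: false },
  "www.google-analytics.com": { vendor: "Google Analytics", category: "analytics", baa: false },
  "stats.g.doubleclick.net":  { vendor: "Google Marketing Platform", category: "advertising", baa: false },
  "connect.facebook.net":     { vendor: "Meta Pixel", category: "advertising", baa: false },
  "bat.bing.com":             { vendor: "Microsoft Advertising", category: "advertising", baa: false },
  // Hypothetical first-party analytics host assumed to be covered by a signed BAA.
  "analytics.example-hospital.org": { vendor: "BAA-covered analytics", category: "analytics", baa: true },
};

// Cookie name prefixes and the category they indicate (Google and Meta defaults).
const COOKIE_PREFIXES = [["_ga", "analytics"], ["_gid", "analytics"], ["_fbp", "advertising"], ["_gcl_", "advertising"]];

// Paths the report names as PHI-adjacent: service lines, physician profiles, booking, portal.
const PHI_ADJACENT = /oncology|psychiatry|fertility|appointment|find-a-doctor|portal/i;

// Collect third-party hosts referenced by script, img and iframe src attributes.
// A regex is enough for this demo; a real audit should use a DOM parser and capture
// the live network calls, because many trackers are injected at runtime.
function extractThirdPartyHosts(html, pageUrl) {
  const firstParty = new URL(pageUrl).hostname;
  const re = /<(?:script|img|iframe)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  const hosts = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const host = new URL(m[1], pageUrl).hostname;
    if (host !== firstParty && !hosts.includes(host)) hosts.push(host);
  }
  return hosts;
}

function classifyCookies(cookieNames) {
  return cookieNames.map((name) => {
    const hit = COOKIE_PREFIXES.find(([prefix]) => name.startsWith(prefix));
    return { name, category: hit ? hit[1] : "unknown" };
  });
}

// Map each tracker to its vendor and produce the findings an auditor would record:
// unmapped hosts, ad trackers still active under an opt-out signal, and third-party
// recipients of requests from a PHI-adjacent page that are not under a BAA.
function auditPage({ url, html, cookieNames, gpcActive }) {
  const path = new URL(url).pathname;
  const phiAdjacent = PHI_ADJACENT.test(path);
  const trackers = extractThirdPartyHosts(html, url).map((host) => ({
    host, ...(VENDORS[host] || { vendor: "unknown", category: "unknown", baa: false }),
  }));
  const cookies = classifyCookies(cookieNames);
  const findings = [];
  for (const t of trackers) {
    if (t.category === "unknown") findings.push(`unmapped third-party host ${t.host}: identify the vendor`);
    if (t.category === "advertising" && gpcActive) findings.push(`${t.vendor} loaded despite active GPC opt-out`);
    if (phiAdjacent && !t.baa && t.category !== "unknown") {
      findings.push(`${t.vendor} receives requests from PHI-adjacent path ${path} with no BAA in place`);
    }
  }
  for (const c of cookies) {
    if (c.category === "advertising" && gpcActive) findings.push(`advertising cookie ${c.name} set despite active GPC opt-out`);
  }
  return { path, phiAdjacent, trackers, cookies, findings };
}

// Constructed sample page: an appointment page with a typical mixed tag stack.
const SAMPLE_PAGE = {
  url: "https://www.example-hospital.org/appointments/cardiology",
  html: `<html><head>
    <script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
    <script async src="https://www.google-analytics.com/analytics.js"></script>
    <script src="https://connect.facebook.net/en_US/fbevents.js"></script>
    <script src="/assets/site.js"></script>
  </head><body>
    <img src="https://bat.bing.com/action/0?ti=PLACEHOLDER" height="0" width="0">
    <script src="https://analytics.example-hospital.org/tracker.js"></script>
  </body></html>`,
  cookieNames: ["_ga", "_fbp", "session_id"],
  gpcActive: true,
};

console.log(JSON.stringify(auditPage(SAMPLE_PAGE).findings, null, 2));
```

Run it with `node audit.js`; the same `auditPage` call over each crawled page, with `gpcActive` set from the crawler’s own configuration, gives you the per-vendor map that Step 1 asks for. The deliberate choice here is to treat an unmapped host as a finding rather than ignoring it: a tracker nobody can name is exactly the kind of inherited tag the report describes.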
Step 2 – Remove or replace advertising pixels on health-related pages
Client-side ad pixels should not fire on pages where PHI-adjacent data is likely. This is the most defensible position under current HHS guidance and FTC enforcement. Shift to first-party data strategies: CRM-based audience uploads with proper authorization, contextual targeting, modeled measurement.
HIPAA requires individual written authorization before PHI is used for marketing purposes. Because satisfying this at scale is impractical for most marketing teams, the default approach should be data minimization rather than broad collection.
Step 3 – Enforce opt-out signals at the tag management layer
Honoring user opt-out choices is a tag infrastructure problem, not a UI problem. Every tag needs an explicit condition tied to the user’s opt-out status. The default behavior for any marketing or analytics tag should be not to fire until that condition is met. Organizations serving visitors from states where GPC is legally required must configure GPC signal handling accordingly.
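As an added example covering Steps 2 and 3 and the list of PHI-adjacent data elements above (not code from the report, from Piwik PRO, or from any tag manager’s own API), the dispatcher below makes “do not fire until the condition is met” the default for every tag in a container. `navigator.globalPrivacyControl` is the real browser property behind the GPC signal (sent to servers as the `Sec-GPC` request header); everything else, the `env` object that stands in for the browser, the tag definitions, the `example-hospital.org` URLs and the consent states, is constructed so the logic runs under Node.

```javascript
// Added example, not code from the report, Piwik PRO or any tag manager's own API:
// a tag dispatcher that applies the rules from Steps 2 and 3 before a tag runs.
// Tag definitions, page URLs and consent/GPC state are constructed; `env` stands in
// for the browser's window/navigator so the logic can run outside a browser.

const CLICK_ID_PARAMS = ["gclid", "fbclid"]; // click IDs named in the report; add others your campaigns use
// Paths the report treats as PHI-adjacent: booking flows, physician profiles, portals, service lines.
const PHI_ADJACENT_PATH = /^\/(appointments|find-a-doctor|portal|oncology|psychiatry|fertility)(\/|$)/i;

// The opt-out condition every non-essential tag is gated on: the browser's GPC
// signal (navigator.globalPrivacyControl, sent to servers as the Sec-GPC header)
// or an explicit Reject All recorded by the consent manager.
function optedOut(env) {
  return env.navigator.globalPrivacyControl === true || env.consent === "rejected";
}

function isPhiAdjacent(url) {
  return PHI_ADJACENT_PATH.test(new URL(url).pathname);
}

// Data minimization for the first-party analytics event: drop click IDs so the
// visit cannot be joined to an ad profile, and replace the physician slug so the
// path no longer reveals which specialist the visitor looked up.
function minimizeEventUrl(url) {
  const u = new URL(url);
  for (const p of CLICK_ID_PARAMS) u.searchParams.delete(p);
  u.pathname = u.pathname.replace(/^\/find-a-doctor\/[^/]+/i, "/find-a-doctor/_redacted_");
  return u.toString();
}

// Decide, per tag, whether it may run on this page for this visitor. The default
// is to block: a tag fires only when every rule that applies to it passes.
function dispatch(tags, env) {
  const fired = [];
  const blocked = [];
  const optOut = optedOut(env);
  const sensitive = isPhiAdjacent(env.location);
  for (const tag of tags) {
    if (tag.category !== "essential" && optOut) {
      blocked.push({ tag: tag.name, reason: "opt-out signal active" });
    } else if (tag.category === "advertising" && sensitive) {
      blocked.push({ tag: tag.name, reason: "advertising tag on PHI-adjacent page" });
    } else if (!tag.baaSigned && sensitive) {
      blocked.push({ tag: tag.name, reason: "no BAA with vendor on PHI-adjacent page" });
    } else {
      // In a real container the tag's own code would run here; we record what it
      // would have been handed so the decision is visible.
      const url = tag.category === "analytics" ? minimizeEventUrl(env.location) : env.location;
      fired.push({ tag: tag.name, payload: { url } });
    }
  }
  return { fired, blocked };
}

// Constructed tag container and visitor states.
const TAGS = [
  { name: "first-party analytics", category: "analytics", baaSigned: true },
  { name: "ad pixel", category: "advertising", baaSigned: false },
  { name: "analytics without BAA", category: "analytics", baaSigned: false },
  { name: "load-balancer cookie", category: "essential", baaSigned: true },
];
const PHYSICIAN_PAGE = "https://www.example-hospital.org/find-a-doctor/dr-smith-oncology?gclid=abc123&fbclid=def456";
const ABOUT_PAGE = "https://www.example-hospital.org/about-us?gclid=abc123";
const ACCEPTED = { navigator: { globalPrivacyControl: false }, consent: "accepted" };
const GPC_ON = { navigator: { globalPrivacyControl: true }, consent: "accepted" };

console.log(JSON.stringify(dispatch(TAGS, { ...ACCEPTED, location: PHYSICIAN_PAGE }), null, 2));
```

Two design points matter more than the specific rules. First, the opt-out check runs before any tag-specific logic, so a banner that merely records Reject All without reaching this layer cannot leak data. Second, the rules are evaluated per tag with a block-by-default outcome, so adding a new vendor to the container does not silently inherit a permissive path; it fires only once someone has declared its category and BAA status.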
Step 4 – Replace non-compliant analytics with a purpose-built platform
Any analytics platform handling PHI-adjacent data must sign a BAA as standard, offer HIPAA-compliant US-based hosting with AES-256 encryption, provide role-based access controls and audit logs, and support server-side tracking. Most general-purpose analytics tools don’t meet these requirements and can’t be configured to.
Piwik PRO is the only analytics platform that is HIPAA-ready out of the box. Every healthcare customer gets a signed BAA as standard, full data control, and a complete analytics and data activation suite that’s live in days.

The comparison of 9 HIPAA-compliant web analytics platforms
Analyze the leading HIPAA-compliant web analytics platforms, including Piwik PRO, Freshpaint, Matomo, Mixpanel, Amplitude, Heap, Tealium, Adobe Customer Journey Analytics and Piano Analytics.
Step 5 – Unify patient data within a compliant infrastructure
A HIPAA-compliant data activation platform lets you integrate analytics, CRM, EHR, patient portal and call center data into a unified first-party view – within a BAA-covered infrastructure.
With this in place you can run segmented campaigns using consented first-party data rather than behavioral pixels, personalize digital experiences from a complete picture of the patient journey, send timely follow-ups based on digital behavior and care history, and measure attribution using first-party conversion data instead of pixel-based signals.
Step 6 – Make compliance a standing requirement – not a one-off review
Make BAA availability a non-negotiable criterion in any vendor evaluation. Involve legal, compliance and IT in marketing technology decisions from the start. Audit your tracking setup against the current regulatory environment at least once a month. Maintain an audit trail of all compliance-related decisions.

“The organizations we work with aren’t starting from zero – they’ve got years of marketing data, established campaign structures, and teams that know what they’re doing. The goal isn’t to tear that down, but rather to rebuild the infrastructure underneath it so the data they’re collecting is actually usable long-term, without crossing any privacy lines.”
Patryk Stoch
Business Development Manager at Piwik PRO
CONCLUSION
Compliance and performance can go hand in hand
The organizations in this study are using the same tools that work perfectly well everywhere else. The compliance exposure comes from applying general-purpose marketing infrastructure in an environment it was never designed for.
The good news is that compliance and strong marketing performance aren’t in conflict. You don’t have to trade away good data to stay compliant – and marketing that builds trust and delivers ROI at the same time is possible. It just requires the right infrastructure: opt-out enforcement that works, analytics platforms that sign BAAs, and advertising strategies that don’t rely on passing sensitive data to platforms with no obligation to protect it.
Piwik PRO was built from the ground up for regulated environments. That means complete attribution, accurate ROI reporting, and data your legal team can defend – without rebuilding your entire marketing operation to get there.
Get the insights your marketing team needs – within the compliance framework your legal team requires
Want to see Piwik PRO in action? → Book a personalized demo.
Want to check your own site first? → Run a free compliance scan.
About Piwik PRO
Piwik PRO is a privacy-first analytics platform built for organizations operating in regulated industries. It offers a fully integrated suite of Analytics, Tag Manager and Data Activation, designed to give marketing and compliance teams complete, accurate data without compromising regulatory requirements. Piwik PRO signs business associate agreements (BAAs) as standard for its healthcare relationships, giving organizations full control over data sharing and storage and ensuring patient information remains secure.
About Verified Data
Verified Data is a privacy technology company that provides automated audit tools for website data governance, analytics quality, and consent compliance. Its platforms help organisations verify how websites collect data, assess whether consent banners operate correctly, and identify privacy or configuration risks across digital properties. Founded by Brian Clifton, the company supports data and privacy professionals seeking measurable oversight of website tracking and regulatory compliance.