2026-05-17 · 8 min read

Is your telehealth app leaking PHI through tracking pixels?

The HHS Office for Civil Rights and the FTC have made tracking pixels on health apps a top enforcement priority since 2023. The math is brutal because the violations are per-affected-user — a single Meta Pixel firing on a checkout page that mentions a medication can produce a six- or seven-figure settlement. Here's the pattern, the recent cases, and what to actually check.

The pattern that triggers every case

The recurring fact pattern across every major enforcement action since 2022:

  1. A healthcare or wellness app has a page that reveals something about the user's health — a booking flow for a specific condition, a medication search result, a therapist directory filtered by issue type.
  2. A third-party tracking pixel (Meta Pixel, Google Analytics, TikTok, LinkedIn Insight Tag, Twitter/X Pixel) is installed on that page.
  3. The pixel fires on page load and sends, at minimum: the user's IP address, browser fingerprint, and the URL of the page. Sometimes it also sends hashed email, account ID, or query parameters.
  4. The combination of "this IP visited this URL" is treated by regulators as a disclosure of PHI (under HIPAA) or sensitive health information (under FTC Act §5 and the Health Breach Notification Rule).

Why this is uniquely expensive

Unlike a GDPR cookie violation (typically remediation plus a small fine), a HIPAA or FTC health-data violation triggers per-user statutory damages and is often combined with an FTC consent order that restricts your data practices for 20 years. Settlements have ranged from $400K to $7.8M for individual companies.

The HHS OCR position

On December 1, 2022, the HHS Office for Civil Rights issued a bulletin ("Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates") that took the position: tracking technologies on web pages that contain or display PHI are themselves a HIPAA disclosure of PHI. Without a Business Associate Agreement (BAA) with the tracking vendor, that disclosure is unauthorized.

OCR walked back parts of the bulletin in March 2024, clarifying that tracking on pages that don't relate to health (a generic homepage, a press kit) doesn't trigger HIPAA. But tracking on any page where a user's health condition, medication, treatment, or provider could be inferred remains the prohibited pattern. For most telehealth apps, that's most of the app.


The cases, ranked by settlement size

BetterHelp — $7.8M FTC settlement (March 2023)

FTC alleged BetterHelp shared user data (including the fact that a user had sought mental-health services) with Facebook, Snapchat, Criteo, and Pinterest via tracking pixels and uploaded customer lists. The settlement banned BetterHelp from sharing consumer health data for advertising, required deletion of previously-shared data, and imposed a 20-year compliance program. Pixels were the central enforcement target.

Cerebral — $7M state and federal action (March 2023)

The pattern most directly relevant to vibe-coded apps. Cerebral's app loaded Meta Pixel on pages that disclosed the user's diagnosis, medication, and treatment provider. The pixel ran for ~3 years and affected ~3.18 million users. State AGs and HHS OCR coordinated; resolution included data deletion, BAA requirements going forward, and a $7M payment.

GoodRx — $1.5M FTC consent order (February 2023)

First-ever enforcement action under the FTC's Health Breach Notification Rule. GoodRx shared user prescription data with Facebook, Google, and Criteo via pixels and SDKs. FTC's theory was novel: GoodRx had promised users it wouldn't share health information, then did — the unfairness claim under FTC §5 stood independently of any HIPAA covered-entity question.

Monument — $400K plus a 20-year FTC order (June 2024)

Smaller settlement, same fact pattern. Monument (alcohol-use treatment) shared user data with Meta, Microsoft, and Google via pixels. The case mattered because it cemented that the FTC will pursue these cases against smaller operators, not just unicorns.

Are you a covered entity? Does it matter?

HIPAA only applies to "covered entities" — providers who bill insurance, health plans, and clearinghouses — plus their business associates. Many telehealth startups, wellness apps, and mental-health platforms are NOT covered entities (they take cash, not insurance). Founders often assume that means they're outside the enforcement risk. That assumption is wrong.

The FTC's Health Breach Notification Rule (enforced since GoodRx) and FTC Act §5 (unfair-and-deceptive-practices) reach apps that aren't HIPAA-covered. The Cerebral, BetterHelp, and Monument actions all combined HIPAA and FTC theories. If your app handles any health information — diagnoses, symptoms, treatments, medications, mental health — assume you're in scope of at least one regime.

Detecting the pattern on your own app

Five checks, ordered from easiest to verify:

  1. Open browser dev tools → Network tab. Visit your most health-revealing page (booking flow, results page, medication search). Filter network requests by "facebook.com", "google-analytics.com", "googletagmanager.com", "tiktok.com", "linkedin.com". If any of those fire, you have the pattern.
  2. Repeat for your conversion / thank-you / confirmation pages — these are particularly common pixel placements and often disclose the most sensitive context.
  3. Check whether any pixel parameters include user-identifying data — hashed email, account ID, member ID, or condition codes in the URL.
  4. Audit your Meta Events Manager / GA4 conversion setup. Look for events named "purchase", "signup", "BookAppointment" that fire from health-context pages.
  5. Run a Comply Code scan — it catches Meta Pixel, GA4, GTM, TikTok, LinkedIn, X, and 11 other trackers firing pre-consent, automatically.
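Checks 1 through 3 can be automated over a HAR export from the dev-tools Network tab. The script below is an added example (not the article's or Comply Code's code): it flags requests to the tracker hosts listed above, reads the page URL the hit reports (Meta Pixel and GA4 both send it in the `dl` parameter; the Referer header is the fallback), and lists identifying parameters. The identifier keys and the health-context path markers are constructed heuristics you would extend for your own routes.

```python
from urllib.parse import parse_qs, urlparse

# Tracker hosts from the checks above. IDENTIFYING_KEYS and HEALTH_MARKERS are
# constructed heuristics for this example, not an exhaustive or vendor-published list.
TRACKER_HOSTS = ("facebook.com", "google-analytics.com", "googletagmanager.com",
                 "tiktok.com", "linkedin.com")
IDENTIFYING_KEYS = {"ud[em]", "ud[external_id]", "uid", "cid", "user_id", "member_id"}
HEALTH_MARKERS = ("book", "medication", "therapist", "diagnosis", "confirm", "thank")

def is_tracker(host):
    return any(host == s or host.endswith("." + s) for s in TRACKER_HOSTS)

def audit_har(har):
    """One finding per tracker request: the page it reported, whether that page
    looks health-related, and which identifying query parameters it carried."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlparse(req["url"])
        if not is_tracker(url.hostname or ""):
            continue
        headers = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
        params = parse_qs(url.query)
        # The page the pixel reports: `dl` if present, else the Referer header.
        page = params.get("dl", [headers.get("referer", "")])[0]
        findings.append({
            "tracker": url.hostname,
            "page": page,
            "health_context": any(m in page.lower() for m in HEALTH_MARKERS),
            "identifiers": sorted(k for k in params if k in IDENTIFYING_KEYS),
        })
    return findings

def health_leaks(har):
    """The subset matching the enforcement fact pattern: tracker hit from a health page."""
    return [f for f in audit_har(har) if f["health_context"]]

# Constructed HAR fragment standing in for a dev-tools export (not a real capture).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://example-telehealth.test/book/anxiety", "headers": []}},
    {"request": {"url": "https://www.facebook.com/tr/?id=123&ev=PageView"
                        "&dl=https%3A%2F%2Fexample-telehealth.test%2Fbook%2Fanxiety"
                        "&ud%5Bem%5D=0123abcd",
                 "headers": [{"name": "Referer",
                              "value": "https://example-telehealth.test/book/anxiety"}]}},
    {"request": {"url": "https://www.google-analytics.com/g/collect?v=2&tid=G-TEST"
                        "&dl=https%3A%2F%2Fexample-telehealth.test%2Fpress",
                 "headers": []}},
]}}
```

To run it on your own app, export the Network tab as HAR after walking the booking or results flow, `json.load` the file and pass the result to `health_leaks`; any finding returned is the fact pattern the cases above turn on.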

Fixing it

Two layers, both required:

  1. Stop the leak. Remove every third-party tracker from any page where health information is disclosed or inferable. This is the conservative move — and it's the only move that's actually compliant under the current OCR position. Do NOT rely on "hashed identifiers" or "aggregated reporting" — neither has been blessed by regulators in a health context.
  2. Switch to server-side analytics. Tools like Plausible (self-hosted), Fathom, or a server-side GA4 setup with custom event tracking — combined with strict avoidance of any IP+URL data leaving your infrastructure — give you product analytics without the regulatory exposure.

Meta's Conversion API (CAPI) is sometimes presented as a fix. It is not — CAPI changes the network path (server-to-server instead of browser-to-Meta) but the same data still goes to Meta, which still triggers the disclosure analysis. Regulators have been explicit on this point.


Bottom line

If you operate a telehealth, wellness, mental-health, or fitness app — and you have any Meta / Google / TikTok / LinkedIn tracking on pages that reveal user health information — you have the same fact pattern that produced $20M+ in settlements in 2023–2024. The fix is not optional, and "server-side" workarounds (Conversion API, hashed identifiers, aggregated reporting) don't resolve the underlying issue. Cleanest path: remove third-party trackers from health-context pages entirely, use cookieless first-party analytics for product metrics, and move conversion attribution to a UTM-and-self-reported-source model. None of this is legal advice — for a specific configuration, talk to a privacy attorney.

Common questions.

Am I a "covered entity" under HIPAA if my telehealth app doesn't bill insurance?

Probably not — HIPAA covered-entity status turns on whether you transmit certain health information for billing purposes. Cash-pay telehealth, wellness apps, and many digital-health products are not covered entities. But the FTC's Health Breach Notification Rule and §5 unfair-practices authority both reach non-covered apps. The relevant question isn't "am I a covered entity" but "does any regulator have jurisdiction over my health-data practices." Almost always yes.

Is Google Analytics 4 HIPAA-compliant if I sign a BAA with Google?

Google does not sign BAAs for GA4 with most customers. Google Workspace has BAA coverage for covered services, but GA4 is not on that list. The result: a BAA-based path to GA4 compliance generally doesn't exist. For HIPAA-covered apps, the answer is to not run GA4. For non-covered apps, GA4 may still be unwise on health-context pages because of FTC exposure.

What about Meta's Conversion API — does that solve it?

No. CAPI changes the network path (server-to-server instead of browser-to-Meta) but the same identifying data still reaches Meta. OCR's bulletin and FTC's enforcement actions don't turn on the network path; they turn on whether identifying health data leaves your infrastructure to a third party without authorization. CAPI doesn't change that analysis.

If I add a cookie banner, am I fine?

Better, but probably not fine. Cookie consent is necessary but not sufficient. OCR's position is that even with consent, certain disclosures of PHI to advertising vendors are unauthorized because the user can't meaningfully consent to a use they don't understand. The conservative path is: don't share health-context data with advertising vendors at all, regardless of consent.
