Common digital advertising tools may be quietly transmitting patient data, raising serious HIPAA and FTC concerns for plastic surgery practices. 

By Evie Hamilton

Most plastic surgery practices running digital advertising have a compliance problem hiding in plain sight. It is not a new policy, a recent regulatory change, or something that requires unusual behaviour to trigger. It is the standard setup, the default configuration that most marketing agencies install on day one without a second thought.

How Tracking Pixels Actually Work

A tracking pixel is a small piece of JavaScript code embedded in a website that fires silently each time a page loads. It records the visitor’s IP address, the specific URL they landed on, how they arrived, what they clicked, and in some configurations, what they typed into forms before ever pressing submit. That data packet travels in real time to a third-party server run by the platform that owns the pixel: Meta, Google, or LinkedIn. The visitor sees nothing. No prompt, no notification, no consent request. This is not a vulnerability or a malfunction. It is exactly what the technology was designed to do.

Why Standard Tracking Creates a HIPAA Risk

For most industries, that is unremarkable. For plastic surgery practices, it creates a legal problem that very few have addressed.

In December 2022, the US Department of Health and Human Services Office for Civil Rights published guidance clarifying that when tracking technologies on healthcare websites collect individually identifiable health information, that data constitutes Protected Health Information under HIPAA, regardless of whether the visitor holds an existing patient relationship with the practice. Sharing that information with third-party vendors without a Business Associate Agreement or patient authorisation is an impermissible disclosure. HHS noted that single-specialty practices carry a higher baseline risk than general health systems because most pages on a specialist site point to an individual’s specific healthcare needs. A visit to a rhinoplasty page, a breast augmentation FAQ, or a consultation booking form is not neutral browsing. When a pixel captures an IP address alongside that visit and transmits the combination to an advertising platform, the result is a data profile carrying health-related information about an identifiable individual. That is the definition of PHI.

The BAA Problem with Ad Platforms

None of the three tools most commonly installed on plastic surgery websites (Meta Pixel, Google Analytics 4, and LinkedIn Insight Tag) offers a Business Associate Agreement for its advertising products. This is not an administrative gap that can be closed with a settings change. Meta’s business model depends on receiving and using visitor data to build advertising profiles. A BAA would require Meta to restrict how it uses that data in ways that are fundamentally incompatible with how the platform operates. The same structural incompatibility applies across all three platforms.

What the Courts and Regulators Are Saying

A federal court ruling in June 2024 narrowed part of this picture, finding that an IP address combined only with a visit to an unauthenticated public page does not automatically constitute PHI. That offered some relief on general public-facing pages. It did not alter compliance requirements for booking forms, authenticated pages, or any situation where identifiable health information is clearly transmitted. Plaintiff attorneys, state attorneys general, and the FTC all continued enforcement activity after the ruling.

The FTC’s enforcement track runs parallel to HIPAA and does not require a practice to be a covered entity to pursue action. Its 2023 cases against GoodRx and BetterHelp established that sharing health-related user data with advertising platforms without patient consent, and misrepresenting that practice in a published privacy policy, constitutes a deceptive trade practice under the FTC Act. The most directly analogous case for plastic surgery practices is Advocate Aurora Health, where Meta Pixel on appointment scheduling pages transmitted details affecting approximately three million patients, resulting in a $12.25 million settlement. Between 2023 and 2025, US healthcare organisations collectively paid over $100 million in pixel-related settlements. The pattern across virtually every case is identical: standard tools, no privacy oversight, no BAAs, and privacy policies that did not reflect what the tracking was actually doing.

Moving Toward a Compliant Tracking Setup

A compliant setup does not require abandoning digital advertising. Server-side tracking moves data through the practice’s own infrastructure first, where a filtering layer strips PHI before transmitting only a clean conversion signal to ad platforms. HIPAA-compliant analytics platforms such as Freshpaint and self-hosted Matomo will sign BAAs and are purpose-built for healthcare. For practices where phone calls are the primary conversion event, HIPAA-compliant call tracking handles attribution without any website pixel involved. Offline conversion import through Google Ads and Meta Ads allows practices to upload de-identified data from a BAA-covered CRM after consultations occur, connecting ad spend to real outcomes without live PHI transmission.
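The following is an added example, not code from this article or from any ad platform's SDK. It models two things discussed above: the kind of data packet a client-side pixel assembles (the IP address, landing URL, referrer and form contents described in the section on how tracking pixels work) and the server-side filtering layer that keeps only an allow-listed conversion signal. The field names, the PHI key list and the allow-list are assumptions; in particular, passing the ad platform's own click identifier through for attribution is an assumed design choice, and the practice sets its own allow-list.

```javascript
// Added example, not code from the article or from any ad platform's SDK.
// Models the server-side filtering layer described above: the browser posts the
// raw event to the practice's own endpoint, and only an allow-listed conversion
// signal is built for forwarding. Field names and the allow-list are assumptions.

// Constructed sample of what a client-side pixel typically captures; the IP is
// an RFC 5737 documentation address and every other value is invented.
const RAW_PIXEL_EVENT = {
  ip: "203.0.113.42",
  url: "https://example-practice.test/procedures/rhinoplasty?utm_campaign=spring",
  referrer: "https://www.google.com/",
  userAgent: "Mozilla/5.0 (constructed)",
  formFields: { name: "Jane Doe", email: "jane@example.test", message: "Interested in rhinoplasty" },
  event: "lead_form_submitted",
  timestamp: "2024-06-12T14:23:51.123Z",
  clickId: "ad-click-0001",
};

// Keys that, combined with a visit to a procedure page, identify an individual (assumed list).
const PHI_FIELDS = new Set(["ip", "url", "referrer", "userAgent", "formFields", "name", "email", "phone"]);

// Events allowed to leave the practice's infrastructure, and the only fields each may carry.
// Passing the ad platform's own click identifier through for attribution is an assumption.
const CONVERSION_ALLOWLIST = {
  lead_form_submitted: ["event", "occurredAt", "clickId"],
  phone_call_clicked: ["event", "occurredAt", "clickId"],
};

const IP_RE = /^\d{1,3}(\.\d{1,3}){3}$/;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Truncate a timestamp to the hour so the signal cannot be matched to a precise visit.
function coarsenTimestamp(iso) {
  const d = new Date(iso);
  if (Number.isNaN(d.getTime())) return null;
  d.setUTCMinutes(0, 0, 0);
  return d.toISOString();
}

// Build the outbound signal from the allow-list only; fields not on it never copy across.
function toConversionSignal(raw) {
  const allowed = CONVERSION_ALLOWLIST[raw.event];
  if (!allowed) return null; // page views and other non-conversions never leave
  const signal = {};
  for (const field of allowed) {
    if (field === "occurredAt") signal.occurredAt = coarsenTimestamp(raw.timestamp);
    else if (raw[field] !== undefined) signal[field] = raw[field];
  }
  return signal;
}

// Defensive check run on the outbound object: report any PHI-named key or any
// string value shaped like an IP address or e-mail, wherever it is nested.
function findPhiFields(value, path = "") {
  const hits = [];
  if (value && typeof value === "object") {
    for (const [key, inner] of Object.entries(value)) {
      const here = path ? `${path}.${key}` : key;
      if (PHI_FIELDS.has(key)) hits.push(here);
      else hits.push(...findPhiFields(inner, here));
    }
  } else if (typeof value === "string" && (IP_RE.test(value) || EMAIL_RE.test(value))) {
    hits.push(path || "(root)");
  }
  return hits;
}

// The gate in front of the ad platform: forward only if the built signal is clean.
function forwardIfClean(raw) {
  const signal = toConversionSignal(raw);
  if (signal === null) return { forwarded: false, reason: "not a conversion event" };
  const leaks = findPhiFields(signal);
  if (leaks.length > 0) return { forwarded: false, reason: "blocked: " + leaks.join(", ") };
  return { forwarded: true, signal };
}

console.log("raw event carries:", findPhiFields(RAW_PIXEL_EVENT));
console.log("outbound:", forwardIfClean(RAW_PIXEL_EVENT));
```

The design point is that the outbound object is constructed from an allow-list rather than by deleting known-bad keys from the raw event, so a new field added by a pixel update or a form change cannot slip through by default. The second check, findPhiFields, exists for the case where an allow-listed field is populated with something it should not contain; that is why the test below deliberately feeds an e-mail address into the click identifier slot and expects the forward to be blocked.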

How Practices Can Assess Their Risk

Practices looking to assess their current exposure can start with a free surface scan using Blacklight by The Markup, which identifies active trackers on any publicly accessible page. Agencies that specialise in healthcare digital marketing, such as ContentClicks, can conduct a more thorough audit and advise on compliant alternatives. The tools most practices are currently running were not built with HIPAA in mind, and the enforcement record since 2023 makes clear that regulators and plaintiff attorneys have noticed.
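As an added example (not the article's code, and not Blacklight or any other real scanner), the block below is a static first pass a practice could run over its own page HTML before commissioning a full audit. It looks for the public loader URLs and snippet calls the three tools named earlier are known to use, then rates each page using the distinction the article draws between general public pages and pages that collect identifiers (booking forms, authenticated areas). The signature list and the sample pages are assumptions; the tag IDs in the samples are placeholders.

```javascript
// Added example, not the article's code and not Blacklight or any other real scanner.
// Static scan of page HTML for the loader URLs and snippet calls used by Meta Pixel,
// Google Analytics 4 / Google Tag Manager and the LinkedIn Insight Tag. The signature
// list is an assumption and is not exhaustive; tags injected at runtime by a tag
// manager or another script are not visible to a static scan.

const TRACKER_SIGNATURES = [
  { name: "Meta Pixel", pattern: /connect\.facebook\.net|fbq\(\s*['"]init['"]/i },
  { name: "Google Analytics 4 (gtag)", pattern: /googletagmanager\.com\/gtag\/js|gtag\(\s*['"]config['"]/i },
  { name: "Google Tag Manager container", pattern: /googletagmanager\.com\/gtm\.js/i },
  { name: "LinkedIn Insight Tag", pattern: /snap\.licdn\.com|_linkedin_partner_id/i },
];

// A page with a form is treated as one that collects identifiers.
const FORM_RE = /<form[\s>]/i;

// Constructed sample pages; the tag IDs are placeholders, not real IDs.
const SAMPLE_PAGES = [
  {
    path: "/procedures/rhinoplasty",
    authenticated: false,
    html: `<html><head>
<script>!function(f,b,e,v,n,t,s){/* loader omitted */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', 'PIXEL_ID_PLACEHOLDER'); fbq('track', 'PageView');</script>
</head><body><h1>Rhinoplasty</h1></body></html>`,
  },
  {
    path: "/book-consultation",
    authenticated: false,
    html: `<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}gtag('js',new Date());gtag('config','G-PLACEHOLDER');</script>
</head><body><form action="/book"><input name="email"><textarea name="message"></textarea></form></body></html>`,
  },
  {
    path: "/about",
    authenticated: false,
    html: `<html><head><title>About</title></head><body><p>Our team.</p></body></html>`,
  },
];

// Names of every known tracker whose signature appears in the HTML, in signature order.
function scanHtmlForTrackers(html) {
  return TRACKER_SIGNATURES.filter((sig) => sig.pattern.test(html)).map((sig) => sig.name);
}

function hasDataEntryForm(html) {
  return FORM_RE.test(html);
}

// "high":   a tracker sits on a page that collects identifiers or requires login.
// "review": a tracker sits on a public procedure page; still worth a closer look.
// "none":   no known tracker signature found in the static HTML.
function assessPage(page) {
  const trackers = scanHtmlForTrackers(page.html);
  if (trackers.length === 0) return { path: page.path, trackers, exposure: "none" };
  const collectsIdentifiers = page.authenticated || hasDataEntryForm(page.html);
  return { path: page.path, trackers, exposure: collectsIdentifiers ? "high" : "review" };
}

function assessSite(pages) {
  return pages.map(assessPage);
}

console.table(assessSite(SAMPLE_PAGES));
```

A static scan like this is only a starting point: it cannot see tags that a tag-manager container or a consent script loads at runtime, which is exactly what runtime tools such as Blacklight observe by watching network requests. A page rated "none" here still deserves a runtime check if it loads a tag-manager container.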

Evie Hamilton is head of technology at ContentClicks, where she builds the technology systems powering marketing for regulated medical practices.

Photo: ID 124865457 © Ammentorp | Dreamstime.com