In December 2022, OCR issued a bulletin explicitly warning healthcare organizations about the use of tracking technologies on websites and mobile apps — including pixels from Meta, Google, and TikTok. The bulletin exposed what many compliance officers already suspected: social media firms lack HIPAA compliance expertise, and covered entities are paying the price. Healthcare organizations had unknowingly transmitted protected health information to social media platforms through embedded tracking code, triggering potential HIPAA violations at massive scale.

Why Social Media Firms' HIPAA Compliance Expertise Is Virtually Nonexistent

Social media companies are built on data collection — not data protection under 45 CFR Part 164. Their business models rely on harvesting behavioral data, building advertising profiles, and monetizing user activity. That objective runs directly counter to the Privacy Rule's minimum necessary standard, which requires covered entities to limit PHI disclosures to only what is needed for a specific purpose.

Most social media firms do not sign business associate agreements (BAAs). Meta has publicly stated it does not consider itself a business associate, even when its tracking pixel captures PHI from patient portals and appointment scheduling pages. Without a BAA in place, your organization has no contractual mechanism to enforce HIPAA requirements on these platforms.

This is not a gray area. OCR has made clear that if a covered entity's website transmits individually identifiable health information to a third party — including a social media company — the Privacy Rule applies, regardless of whether the social media firm acknowledges it.

The Tracking Pixel Problem Healthcare Organizations Ignore

Healthcare organizations consistently struggle to understand how tracking technologies work behind the scenes. When a hospital embeds a Meta pixel on its appointment booking page, that pixel may transmit the patient's IP address, the medical department selected, and the URL of the page visited. Combined, these data points constitute PHI under HIPAA.

In 2023, multiple class-action lawsuits targeted healthcare systems that had deployed Meta pixels on patient-facing pages. Advocate Aurora Health disclosed a breach affecting 3 million patients tied directly to pixel tracking. Novant Health reported 1.3 million patients affected. These were not cyberattacks — they were self-inflicted compliance failures caused by trusting social media firms with access to sensitive environments.

Your marketing team may have installed these trackers without consulting your compliance or IT security departments. That gap between marketing operations and HIPAA oversight is where violations breed.

Business Associate Agreements: The Contract That Never Gets Signed

Under the Omnibus Rule, any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity qualifies as a business associate. Social media platforms that receive PHI through tracking technologies arguably meet this definition — but they refuse to act like it.

Without a signed BAA, your covered entity bears full regulatory exposure. OCR can impose civil monetary penalties ranging from $137 per violation (for unknowing violations) up to approximately $2.1 million per violation category per year. When tracking pixels transmit data on thousands of patients, the exposure compounds rapidly.

Your organization cannot outsource compliance obligations to a social media firm that refuses to accept them. If you cannot obtain a BAA, you must not allow the technology to access PHI. It is that straightforward.

Conducting a Risk Analysis That Includes Digital Marketing

The Security Rule requires covered entities to conduct a thorough risk analysis under 45 CFR § 164.308(a)(1). In my work with covered entities, I find that risk analyses routinely exclude marketing technologies, website analytics, and social media integrations. This is a critical blind spot.

Your risk analysis must inventory every technology that touches patient data — including JavaScript tracking codes, social sharing buttons on patient portals, and chatbot integrations on health-related pages. Each one represents a potential unauthorized disclosure of protected health information.

Steps your organization should take immediately:

  • Audit all web pages that collect or display PHI for embedded third-party tracking code.
  • Remove tracking pixels from authenticated patient portals, appointment scheduling systems, and payment pages.
  • Require compliance review before any marketing technology is deployed on patient-facing digital properties.
  • Document your findings as part of your ongoing risk analysis and management process.
  • Consult legal counsel about existing exposure from previously deployed tracking technologies.
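One way to carry out the first two audit steps above, as an added example written for this article rather than any vendor's or regulator's tool: a small Python scanner that flags third-party tracker loads and inline pixel bootstrap calls in page HTML and reports only on PHI-sensitive paths. The tracker host list, the inline call patterns, the PHI path hints and the sample pages are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative tracker hosts and inline bootstrap calls (assumption: replace with your own inventory).
TRACKER_HOSTS = {"connect.facebook.net": "Meta pixel", "www.facebook.com": "Meta pixel (noscript img)",
                 "www.googletagmanager.com": "Google Tag Manager / gtag", "analytics.tiktok.com": "TikTok pixel"}
INLINE_PATTERNS = {r"\bfbq\(": "Meta pixel (inline fbq)", r"\bgtag\(": "Google gtag (inline)",
                   r"\bttq\.": "TikTok pixel (inline ttq)"}
# Path fragments that mark pages likely to carry PHI (assumption; tune to your site map).
PHI_PATH_HINTS = ("portal", "appointment", "schedul", "billing", "payment")

class TrackerScanner(HTMLParser):
    """Collects (element, tracker name, evidence) for external tracker loads and inline pixel calls."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False
    def _add(self, finding):
        if finding not in self.findings: self.findings.append(finding)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script": self._in_script = True
        src = a.get("src") if tag in ("script", "img", "iframe") else None
        host = (urlparse(src).hostname or "") if src else ""  # relative URLs have no host
        for h, name in TRACKER_HOSTS.items():
            if host == h or host.endswith("." + h): self._add((tag, name, src))
    def handle_endtag(self, tag):
        if tag == "script": self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # inline bootstrap such as fbq('init', ...) or gtag('config', ...)
            for pat, name in INLINE_PATTERNS.items():
                if re.search(pat, data): self._add(("inline", name, data.strip()[:40]))

def scan_page(html):
    p = TrackerScanner(); p.feed(html); p.close(); return p.findings

def audit(pages):
    """pages: {path: html}. Return only PHI-sensitive paths that carry any tracker."""
    return {path: f for path, html in pages.items()
            if (f := scan_page(html)) and any(h in path.lower() for h in PHI_PATH_HINTS)}

# Constructed sample: an appointment page with a Meta pixel (inline + noscript) and a GTM tag.
SAMPLE_PAGES = {"/appointments/book?dept=oncology": """<html><head>
<script>fbq('init', 'PIXEL_ID_PLACEHOLDER'); fbq('track', 'PageView');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/static/app.js"></script></head><body><h1>Book an appointment</h1>
<noscript><img src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&amp;ev=PageView"></noscript>
</body></html>""", "/about-us": "<html><body><p>Hours and directions.</p></body></html>"}
```

Feed it your crawled HTML keyed by path; every entry in the report is a page where the compliance review in step three should have happened before deployment.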

The Workforce Training Requirement Most Organizations Underestimate

Your marketing staff, web developers, and communications teams need to understand HIPAA as thoroughly as your clinical workforce does. The Privacy Rule at 45 CFR § 164.530(b) requires training for every workforce member whose functions are affected by HIPAA policies — and if your marketing team manages website technology, they qualify.

Training should cover how PHI can be inadvertently disclosed through digital channels, what the minimum necessary standard means for marketing data collection, and why social media firms cannot be treated as trusted data partners absent proper safeguards. A comprehensive HIPAA training and certification program ensures every department in your organization — not just clinical staff — understands these obligations.

Building a Compliance Framework for Social Media Use

Banning social media entirely is neither practical nor necessary. Healthcare organizations can maintain a social media presence while protecting PHI — but it requires deliberate governance.

Your social media compliance framework should include written policies prohibiting staff from sharing patient information on social platforms, approval workflows for all public-facing content, and clear rules about responding to patient comments or reviews without confirming a treatment relationship. OCR enforcement actions have targeted organizations where employees posted identifiable patient information on social media, sometimes inadvertently.

Equally important is ensuring your workforce HIPAA compliance program addresses social media scenarios specifically. Generic training modules that focus only on paper records and fax machines fail to prepare your team for the digital risks they face daily.

OCR Is Watching — Your Organization Should Be Too

OCR's 2022 tracking technology bulletin was not a suggestion. It signaled active regulatory attention on how covered entities interact with social media firms and advertising technology companies. Investigations are underway, and enforcement actions tied to online tracking are widely expected in the coming months.

Healthcare organizations that proactively audit their digital footprint, remove unauthorized tracking technologies, and train their full workforce on social media risks will be positioned to defend their compliance posture. Those that assume social media firms have HIPAA compliance expertise — or that marketing technology is somehow exempt from the Privacy Rule — face penalties, breach notifications, and reputational harm that no advertising campaign can undo.

The gap between what social media firms promise and what HIPAA demands is your organization's problem to solve. Start solving it now.