3 Questions Healthcare Provider Organizations Need to Consider when Implementing Pixel Tracking Technologies

This article is co-authored by:

  • Brian Rasquinha, Assoc. Director, Solution Architecture, Privacy Analytics
  • Jennifer Geetter, Partner, McDermott Will & Emery LLP
  • Ryan S. Higgins, Partner, McDermott Will & Emery LLP

Online tracking technologies, such as pixels, have become a common feature of the modern web and app ecosystem. Pixels and other online tracking technologies may be configured to collect user data about website visits, interactions, referrals, and other online activities, and the resulting datasets offer organizations valuable insights about how users interact with their websites or apps, enabling informed design choices to improve user experience and drive business growth.

However, there is growing awareness of the privacy concerns that can arise with tracking technologies in the health care context, where HIPAA-regulated protected health information could be disclosed via these technologies. This is of particular concern when the information is impermissibly disclosed to social media platforms and other advertising or analytics services providers that may not be willing or equipped to sign business associate contracts.

Over the past year, regulators have been increasingly focused on this topic and have released guidance. Most recently, the U.S. Federal Trade Commission (FTC) and U.S. Department of Health and Human Services (HHS) published a joint press release warning hospital systems and telehealth providers of the compliance risks associated with online tracking technologies.

The increasing scrutiny of online tracking technologies is driving discussions in the healthcare industry about how to effectively manage privacy concerns without sacrificing access to useful data assets. With a careful, considered approach, health care provider organizations can develop pragmatic, compliant solutions.

Getting ahead of the challenge

Privacy concerns with online tracking technologies arise when certain features are present, including:

  • the trackers collect and potentially share data elements that are considered individually identifiable under applicable law (e.g., HIPAA);
  • the trackers collect and potentially share data in a manner that is not disclosed in the organization’s online privacy policy; and/or
  • the trackers collect and share data with third parties (e.g., social media companies) that may enable the third party to identify the applicable user by linking the shared data with other data that resides in the third party’s broader datasets.

The following are key questions for a health care provider organization to consider prior to implementing tracking technologies on their websites and apps:

1. What pixel tracker data is being collected, and who receives it?

The first step is to understand the particulars of your organization’s current or planned implementation of online tracking technologies.  This may require coordination between compliance/legal functions and marketing/engineering functions.  To accurately assess the impacts and benefits of a pixel tracking technology, you will want to understand:

  • What tracking technologies are on (or are being proposed on) your online properties?
  • How do these technologies map to particular pages or content?
  • What data elements are ‘actually’ being collected?
  • What additional data elements may be ‘implied’ (e.g., real time dates for underlying events, such as a telehealth appointment)?
  • What data elements may be contained within hidden metadata (e.g., dates or user IDs) that are disclosed along with the specified data elements?
  • What data elements are being sent to third parties?
  • Is the data being sent to third parties de-identified under applicable law? If not, and if HIPAA applies, has the organization entered into a business associate contract with the third-party recipient?  (Note that other regimes with their own de-identification standards may apply.)
  • What data elements are critical, or what data elements can be removed or de-identified under applicable law?
  • What are the potential regulatory impacts of the answers to the above questions?

Privacy regulators evaluate whether best practices like data minimization or de-identification, where appropriate, are in place. An organization that restricts data collection to the minimum necessary for specific business functions, and that does not impermissibly disclose that information, will have a stronger privacy case with its customers and with regulators.
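One way to start the inventory described in the questions above, shown as an added example that is not part of the original article: a short script that walks a capture of outbound requests and lists, per page and third-party recipient, which data elements leave the site. The capture format, host names, and parameter names are constructed assumptions, not any vendor's real endpoints or fields.

```python
import re
from urllib.parse import parse_qsl, urlsplit

FIRST_PARTY = "clinic.example"  # assumed first-party domain (constructed)
# Constructed capture: one record per outbound request observed on a page.
CAPTURE = [
    {"page": "https://clinic.example/appointments/oncology",
     "url": "https://px.adnetwork.example/tr?ev=PageView&uid=8841"
            "&dl=https%3A%2F%2Fclinic.example%2Fappointments%2Foncology",
     "headers": {"Cookie": "_trk=ab12cd34"}},
    {"page": "https://clinic.example/appointments/oncology",
     "url": "https://clinic.example/static/site.css", "headers": {}},
    {"page": "https://clinic.example/contact",
     "url": "https://stats.analytics.example/collect"
            "?em=jane.doe%40mail.example&ts=1700000000",
     "headers": {"Referer": "https://clinic.example/contact"}},
]

EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
ID_KEYS = {"uid", "user_id", "cid", "em", "email"}  # hypothetical parameter names

def is_third_party(host):
    return host != FIRST_PARTY and not host.endswith("." + FIRST_PARTY)

def inventory(capture):
    """Map (page, recipient host) -> sorted data elements disclosed to that host."""
    found = {}
    for rec in capture:
        parts = urlsplit(rec["url"])
        if not is_third_party(parts.hostname):
            continue  # first-party requests are out of scope for this inventory
        elements = {"ip_address:implicit"}  # recipient always sees the source IP
        for key, value in parse_qsl(parts.query):
            if key.lower() in ID_KEYS or EMAIL.fullmatch(value):
                elements.add(f"identifier:{key}")
            elif FIRST_PARTY in value:
                elements.add(f"page_url_in_param:{key}")  # reveals page content
            elif value.isdigit() and len(value) == 10:
                elements.add(f"timestamp:{key}")  # implied real-time event date
            else:
                elements.add(f"param:{key}")
        # Hidden metadata travels in headers, not in the visible parameters.
        elements.update(f"header:{h}" for h in ("Referer", "Cookie")
                        if h in rec["headers"])
        found.setdefault((rec["page"], parts.hostname), set()).update(elements)
    return {key: sorted(vals) for key, vals in found.items()}

if __name__ == "__main__":
    for (page, host), elements in inventory(CAPTURE).items():
        print(f"{page} -> {host}: {', '.join(elements)}")
```

The resulting table gives compliance and engineering teams a shared list of recipients and data elements to check against the privacy policy and any business associate contracts.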

2. Is my pixel tracker data governed by a regulation? 

Despite recent guidance from the HHS Office for Civil Rights (OCR), there is still confusion about what types of data are considered HIPAA protected health information in the online tracking technology context. OCR's guidance provides some examples of the types of webpages that it believes may result in the disclosure of protected health information via online tracking technologies. However, OCR cannot feasibly consider all potential use cases in its guidance, so organizations are often faced with making their own reasonable determinations of what is or is not protected health information in this context, based on webpage content, context, and similar factors. In making these determinations, organizations would benefit from consultations with legal counsel who are versed in these topics and data analysts who can help assess whether data is individually identifiable in the context of all other data disclosed or otherwise available to a third party.

3. Is my pixel tracker data attributable to an individual?

Applicable laws may prescribe how data may be rendered de-identified or anonymized.  There are a number of considerations involved in evaluating the identifiability of data from a statistical perspective.

Data Elements: Some data elements, such as names, home address, email, and ID numbers, would typically be considered ‘direct’ identifiers that ostensibly disclose the identity of a patient. HIPAA’s Safe Harbor approach to de-identification also explicitly lists IP address as a data element that must be removed to render health information de-identified (although there may be scenarios where an IP address pertains to a shared device, network, or organization). Other elements might be considered ‘quasi’-identifying from a statistical perspective, such as demographic information and particular interactions. In order to demonstrate that the data is not attributable to an individual, organizations will need to show that these identifiers are reduced to what is considered de-identified under the HIPAA Expert Determination method or Safe Harbor method of de-identification and/or under other applicable regulatory regimes.

Data Flows: From a risk perspective, how readily a data element can be used to attempt to re-identify an individual will vary, depending on who is receiving the data and what other data is available to that person. Recipients with richer reference data, with more computational resources, and with more financial resources would have a higher capacity to attempt to re-identify data. You will want to understand what data elements are being shared and what organizations they are being shared with, including whether the receiving organization might further share data in any form.

Data privacy experts can support an analysis of identifiability and potentially document a HIPAA Expert Determination that the information is de-identified or provide guidance on the steps required to achieve that state.

Summary

Since OCR provided its bulletin in December 2022, we have seen discussion around pixel trackers intensify rather than taper off. The topics and questions discussed above will be critical as organizations evaluate their existing or proposed implementations of online tracking technologies.

Please reach out to Privacy Analytics or McDermott Will & Emery LLP to discuss further, or if you need any assistance in managing privacy in the implementation of online tracking technologies. 
