The fear of costly litigation and enforcement actions by federal regulators has led most health-care providers to remove tracking software from their password-protected patient portals, resulting in the loss of valuable data they use to market themselves and engage with patients.
The development highlights the challenges faced by a health-care industry attempting to embrace new technologies while complying with laws and regulations that were enacted under very different conditions.
The numbers are striking, according to health-care attorneys and marketers: In 2021, over 98% of US hospitals and health systems were using website tracking pixels—snippets of code that allow user interactions with websites to be monitored and recorded—according to a recent study in Health Affairs. That number had dropped to 55% in 2024, and 30% in 2025, according to Jenny Bristow, the CEO of Hedy & Hopp, a St. Louis-based health-care marketing firm that analyzed the use of tracking tools on hundreds of provider websites during those years.
The number of providers that removed all pixels from their websites also surged over the same period, from 12% in 2024 to 28% this year, she said.
“Based on personal experience, I would say an overwhelming majority have made changes in recent years to reduce or better police their use of website tools,” said Mark H. Francis, a partner at Holland & Knight LLP, who focuses on privacy and data security. “Providers are paying a lot more attention to what tools they are using and how the tools are implemented.”
Tracking Targeted
Providers learned that using tracking tools was legally risky as early as 2019, when Boston-based Mass General Brigham was hit with a class action alleging it used analytic tools to collect data about site visitors without their permission.
The hospital system settled that lawsuit for $18 million in 2022, and a year later there were hundreds of similar federal lawsuits.
And in December 2022 the Department of Health and Human Services’ Office of Civil Rights issued guidance saying that technologies used to link an individual’s IP address with visits to hospital web pages violated patient privacy under the Health Insurance Portability and Accountability Act.
A portion of the HHS guidance was eventually struck down on procedural grounds, but the ruling didn’t restore the status quo ante, said Andrew Coffman, counsel with Phelps Dunbar LLP, who focuses on health-care litigation.
HHS exceeded its authority in attempting to expand the definition of protected health information under HIPAA, according to the court, but the ruling applied to the guidance document only, not the ability of plaintiffs’ attorneys to bring private lawsuits making similar claims, he said.
The “vast majority” of health-care defendants facing such suits will prevail on motions to dismiss, but those that don’t could find themselves facing settlement demands of “a few million dollars,” Coffman said.
That prospect is driving significant changes in how providers use pixels, he said.
Tolerance for Risk
A relatively easy decision for some providers was to take pixels off their password-protected patient portals, where sensitive information that’s directly linked to individual patients can be found, Coffman said.
But many have taken the additional step of removing pixels from pages that provide information about health conditions such as heart attacks, diabetes, or HIV, he said.
Being pursued around the internet by banner ads about the excellent customer service provided by a hospital is probably not going to provide the basis for a compelling lawsuit, but it might look very different to a judge or jury if the banner ads were focused on a sensitive medical condition that was linked to a patient after a visit to a hospital’s informational web page, he said.
Given the legal uncertainties over pixel use, the analysis of which pixels to keep and which to remove depends heavily on each provider’s tolerance for legal risk, Bristow said.
But those that chose to remove all tracking tools from their websites are “giving up a tremendous amount,” she said. “It’s literally going back to the situation of the early 2000s, where you spend money on marketing and have no idea if it’s working or not, you’re just operating off your assumptions.”
Providers that do very little marketing—those that rely on referrals from patients and others, or provide services under contracts—can survive without tracking tool data, said Stewart Gandolf, CEO of health-care marketing firm Healthcare Success LLC.
And those that have been targeted by class lawsuits or have received warning letters from HHS and the Federal Trade Commission tend to be more conservative in their use of tracking tools, he said.
But not all providers are willing to “fly blind,” especially those spending tens or hundreds of thousands of dollars on Google ads, he said. “You really want to make sure you’re optimizing it versus just spending,” he said.
Some of Bristow’s clients are spoiling for a fight to settle the issue. “I talked to a senior marketer at a health system who said he hopes he ends up in the case law. He’s like, come at me, OCR, I want you to sue me, because we think we will win.”
But Bristow isn’t convinced that’s the right approach: You wouldn’t want it to become public knowledge that a family member has a sensitive health condition, she said.
“And so you should set up your technology so you protect that information. That’s what’s best for the patient.”