HIPAA

Health Insurance Portability and Accountability Act of 1996

Key Facts

Effective Date: April 14, 2003
Enacted: August 21, 1996
Enforcing Authority: Office for Civil Rights (OCR), Department of Health and Human Services (HHS)
Consent Model: Sector-specific
Applies To: Covered entities (health plans, healthcare providers, healthcare clearinghouses) and their business associates

Overview

HIPAA protects the privacy of protected health information (PHI), meaning individually identifiable health information. The 2022 OCR guidance clarified that marketing pixels and tracking technologies on healthcare websites can constitute impermissible PHI disclosure — and critically, cookie consent banners do NOT satisfy HIPAA authorization requirements for sharing PHI.

What This Means for Your Website

  • If you operate a healthcare website, cookie consent banners alone do NOT authorize PHI disclosure
  • Marketing pixels (Google Analytics, Meta Pixel, etc.) must be removed from authenticated healthcare pages
  • Business Associate Agreements are required with any vendors receiving PHI
  • Breach notification is required within 60 days for incidents affecting 500+ individuals
  • OCR enforcement in 2025 specifically targets browser-based tracking on healthcare sites

Key Requirements

OCR enforces HIPAA with penalties from $141 to $2,134,831 per violation category/year, plus criminal penalties up to $250,000 and 10 years imprisonment. Major settlements include Kaiser Permanente ($47.5M), URMC ($2.85M), and MarinHealth ($3M) — all related to tracking pixels on healthcare sites.

How ConsentStack Handles This

ConsentStack helps healthcare websites manage tracking technologies in compliance with HIPAA by blocking marketing pixels on authenticated pages and ensuring that consent mechanisms align with HIPAA authorization requirements.

Penalties

$141-$2,134,831 USD per violation category/year. Criminal penalties: up to $250,000 and 10 years imprisonment for willful violations.

Maximum Fine: $2,134,831 per violation

Key Requirements

  • Valid HIPAA authorization required for PHI disclosure — cookie banners do not qualify
  • Business Associate Agreements required with vendors receiving PHI
  • Marketing pixels must be removed from authenticated pages
  • Administrative, physical, and technical safeguards required
  • Breach notification within 60 days for breaches affecting 500+ individuals

Notable Provisions

  • Kaiser Permanente $47.5M settlement for tracking pixels
  • OCR 2022 bulletin addresses cookies/pixels on healthcare sites
  • Cookie banners are NOT valid HIPAA authorization
  • Enforcement specifically targets browser-based tracking

Other North America Regulations

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
CCPA (California, United States)
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.
PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

Frequently Asked Questions

Do cookie banners satisfy HIPAA?

No. Cookie consent banners do NOT satisfy HIPAA authorization requirements for PHI disclosure. Valid HIPAA authorization has specific requirements that cookie banners cannot meet.

Can healthcare websites use Google Analytics?

OCR guidance indicates that marketing pixels on authenticated healthcare pages can constitute impermissible PHI disclosure. Many healthcare organizations have removed such trackers entirely.

What are the HIPAA tracking pixel penalties?

Kaiser Permanente settled for $47.5M, URMC for $2.85M, and MarinHealth for $3M — all related to tracking pixels on healthcare websites.

Does HIPAA apply to all healthcare websites?

HIPAA applies to covered entities (health plans, providers, clearinghouses) and their business associates. Not all health-related websites are HIPAA-covered.

Stay compliant with HIPAA

ConsentStack helps you implement sector-specific consent for the United States (Federal) automatically.