Facebook Pixel
HIPAA Compliance Risk: High
Category: Trackers
Use Case: Behavioral advertising, user tracking, and conversion measurement
Why it matters:
Facebook Pixel is a tracking technology that collects data about a visitor's interactions with your website and sends it to Meta (Facebook). This includes information such as page views, button clicks, form submissions, and even specific URLs visited. If this data can be linked to an individual’s health condition, treatment, or appointment, it may be considered Protected Health Information (PHI) under HIPAA.
What HHS says:
According to the U.S. Department of Health and Human Services (HHS) guidance on online tracking technologies, the use of third-party trackers like Facebook Pixel on healthcare websites, even on unauthenticated pages, can result in the impermissible disclosure of PHI. This includes information gathered when a user searches for specific symptoms, schedules an appointment, or reads about health conditions. Sharing this data with Meta without a valid Business Associate Agreement (BAA) and without patient authorization is a HIPAA violation.
Recommendation:
Since Meta (Facebook) does not offer a Business Associate Agreement (a requirement under HIPAA when handling protected health information), we recommend removing Facebook Pixel from any page where health-related information may be collected or inferred. Some providers choose to use HIPAA-compliant analytics solutions that act as intermediaries or bridges to third-party tools and whose vendors are willing to sign a Business Associate Agreement. These platforms can help control what data is shared, but proper configuration and internal review are essential to ensure compliance.
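As an added example (not code from this page, Meta, or HHS), the Python audit below scans crawled HTML for the Pixel's standard embed forms (the fbevents.js loader, fbq() calls, and the noscript image beacon) and flags pages whose URL or body carries health-related context, which is the inventory a provider needs before deciding where to remove the Pixel. The sample pages, the Pixel ID and the keyword list are constructed for illustration.

```python
"""Audit HTML for Facebook Pixel embeds and flag pages with health context.
Added example, not Meta's or HHS's code; sample pages and terms are constructed."""
import re
from dataclasses import dataclass

# The three standard embed forms: the fbevents.js loader, fbq() calls, and
# the <noscript> image beacon that fires even with JavaScript disabled.
PIXEL_PATTERNS = {
    "loader": re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js", re.I),
    "fbq_init": re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]"),
    "fbq_track": re.compile(r"fbq\(\s*['\"]track(?:Custom)?['\"]\s*,\s*['\"]([\w ]+)['\"]"),
    "img_beacon": re.compile(r"facebook\.com/tr\?", re.I),
}
# Illustrative list only; a real review uses the site's own page taxonomy.
HEALTH_TERMS = ("appointment", "symptom", "diagnosis", "treatment", "condition", "oncology")

@dataclass
class Finding:
    url: str
    pixel_ids: list       # Pixel IDs passed to fbq('init', ...)
    events: list          # event names passed to fbq('track'/'trackCustom', ...)
    signals: list         # which embed forms were seen on the page
    health_context: bool  # URL or body mentions a health term -> PHI exposure risk

def audit_page(url, html):
    """Return a Finding if the page embeds the Pixel, else None."""
    signals = [name for name, pat in PIXEL_PATTERNS.items() if pat.search(html)]
    if not signals:
        return None
    pixel_ids = sorted(set(PIXEL_PATTERNS["fbq_init"].findall(html)))
    events = PIXEL_PATTERNS["fbq_track"].findall(html)
    # The page URL itself is sent to Meta, so a health term in the path counts too.
    haystack = (url + " " + html).lower()
    return Finding(url, pixel_ids, events, signals, any(t in haystack for t in HEALTH_TERMS))

def audit_site(pages):
    """pages: {url: html}. Returns a Finding for every page that loads the Pixel."""
    return [f for f in (audit_page(u, h) for u, h in pages.items()) if f]

SAMPLE_PAGES = {  # constructed snippets standing in for crawled pages; the Pixel ID is a placeholder
    "https://clinic.example/oncology/schedule-appointment":
        "<script src='https://connect.facebook.net/en_US/fbevents.js'></script>"
        "<script>fbq('init', '1234567890');fbq('track', 'PageView');"
        "fbq('trackCustom', 'ScheduleAppointment');</script>"
        "<noscript><img src='https://www.facebook.com/tr?id=1234567890&ev=PageView'/></noscript>",
    "https://clinic.example/about-us": "<h1>About our clinic</h1><p>Founded in 1990.</p>",
    "https://clinic.example/careers": "<script>fbq('init', '1234567890');fbq('track', 'PageView');</script>",
}
```

Running `audit_site(SAMPLE_PAGES)` reports the appointment page with all four embed forms, a custom event name and health context, and the careers page with the Pixel but no health context; the about page produces no finding.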
Not sure if Facebook Pixel puts you at risk? Let’s walk through it together.