TikTok Conversion Tracking Pixel
HIPAA Compliance Risk:
High
Category:
Trackers
Use Case: Conversion tracking, retargeting, and audience creation for TikTok ad campaigns
Why it matters:
The TikTok Conversion Tracking Pixel collects data about users who interact with your website after viewing or clicking a TikTok ad, including actions such as form submissions, button clicks, and page views. On healthcare-related websites, these interactions may reveal a person's attempt to schedule care, research treatment options, or access condition-specific information; combined with identifying data such as the visitor's IP address, that activity can qualify as Protected Health Information (PHI) under HIPAA.
Data captured by the TikTok Pixel is sent to TikTok's servers, which process the information for ad performance measurement and targeting. TikTok does not offer a Business Associate Agreement (BAA) for this tool, so any PHI that reaches TikTok through it is an impermissible disclosure; there is no configuration of the pixel that makes its use on PHI-bearing pages HIPAA-compliant.
What HHS says:
According to HHS guidance, the use of tracking technologies by third parties may result in the impermissible disclosure of PHI if those technologies collect data about an individual's health-related activity, even when that activity takes place on public webpages.
A June 2024 federal court ruling vacated the portion of HHS's guidance that treated the combination of a visitor's IP address with a visit to an unauthenticated, health-related webpage as PHI on its own. HIPAA still applies, however, when a user's behavior (such as clicking a scheduling button or visiting a treatment page) can reasonably be linked to their health condition or care intent.
Since TikTok’s tracking tools provide no HIPAA-aligned data protections and do not sign BAAs, their use is a high-risk practice in healthcare.
Recommendation:
If you are using the TikTok Pixel for conversion tracking or retargeting, we recommend removing it from all pages related to healthcare services, symptoms, treatment options, or appointment scheduling. This includes both public-facing and form-interaction pages.
TikTok does not offer a Business Associate Agreement, and a cookie banner or website disclaimer is not a HIPAA authorization: asking visitors to accept cookies does not make the disclosure permissible. For healthcare advertising, consider privacy-centric platforms that are designed for HIPAA compliance and will sign a BAA.
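To verify that the pixel is actually gone from the pages listed above, the following audit script is an added example written for this entry; it is not code from this page or from TikTok. It assumes, from TikTok's public pixel snippet rather than from anything stated here, that the loader is served from analytics.tiktok.com and that the snippet creates a global `ttq` object whose `load`, `page`, `track` and `identify` methods send events. The URL path markers and the sample HTML pages are constructed for illustration.

```python
"""Audit HTML pages for the TikTok Pixel and flag healthcare-related URLs.

Added example, not code from the page or from TikTok. Assumptions are
marked inline; the sample pages at the bottom are constructed test input.
"""
import re
from html.parser import HTMLParser

# Assumption: TikTok serves the pixel loader from this host, and the snippet
# exposes a global `ttq` whose methods below are the event-sending calls.
TIKTOK_PIXEL_HOSTS = ("analytics.tiktok.com",)
TTQ_CALL = re.compile(r"\bttq\.(load|page|track|identify)\s*\(")

# Path fragments matching the page types the recommendation above calls out
# (services, symptoms, treatment options, appointment scheduling). Assumed list.
HEALTH_PATH_MARKERS = ("appointment", "schedule", "symptom", "treatment",
                       "condition", "service")


class _ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def find_tiktok_pixel(html):
    """Return {'loaders': [...], 'calls': [...]} describing pixel evidence in one page."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    loaders = [u for u in parser.external
               if any(h in u for h in TIKTOK_PIXEL_HOSTS)]
    calls = []
    for body in parser.inline:
        # The standard snippet embeds the loader URL as a string and then
        # calls ttq.load()/ttq.page(); detect both independently.
        if any(h in body for h in TIKTOK_PIXEL_HOSTS):
            loaders.append("inline loader")
        calls.extend("ttq." + m.group(1) for m in TTQ_CALL.finditer(body))
    return {"loaders": loaders, "calls": calls}


def is_health_related(path):
    """Heuristic: does the URL path look like a healthcare service page?"""
    p = path.lower()
    return any(marker in p for marker in HEALTH_PATH_MARKERS)


def audit(pages):
    """pages: {path: html}. Return (path, risk, evidence) for pages carrying the pixel."""
    findings = []
    for path, html in pages.items():
        evidence = find_tiktok_pixel(html)
        if not (evidence["loaders"] or evidence["calls"]):
            continue
        risk = "high" if is_health_related(path) else "review"
        findings.append((path, risk, evidence))
    return findings


# Constructed sample pages (not real site content). The inline snippet mirrors
# the shape of TikTok's public pixel bootstrap with a placeholder pixel ID.
PIXEL_SNIPPET = """<script>
!function (w, d, t) {
  w.TiktokAnalyticsObject = t; var ttq = w[t] = w[t] || [];
  ttq.methods = ["page", "track", "identify"];
  ttq.load = function (e) {
    var s = d.createElement("script"); s.async = true;
    s.src = "https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=" + e;
    d.head.appendChild(s);
  };
  ttq.load("PIXEL_ID_PLACEHOLDER");
  ttq.page();
}(window, document, "ttq");
</script>"""

SAMPLE_PAGES = {
    "/appointments/schedule": "<html><head>" + PIXEL_SNIPPET + "</head><body><form></form></body></html>",
    "/conditions/diabetes": '<html><head><script src="https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=PIXEL_ID_PLACEHOLDER"></script></head><body></body></html>',
    "/careers": "<html><head>" + PIXEL_SNIPPET + "</head><body></body></html>",
    "/about": "<html><head><script>console.log('no pixel here')</script></head><body></body></html>",
}

if __name__ == "__main__":
    for path, risk, evidence in audit(SAMPLE_PAGES):
        print(f"{risk:6} {path}: loaders={evidence['loaders']} calls={evidence['calls']}")
```

Run it against a crawl of your own site by replacing `SAMPLE_PAGES` with fetched HTML keyed by path; any "high" finding is a page the recommendation says should not carry the pixel, and a "review" finding is a page whose purpose you should confirm before leaving the pixel in place. The path heuristic is deliberately crude, since it only narrows the list for a human reviewer; the authoritative test is whether the page can reveal a visitor's care intent.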
Using the TikTok Pixel on your healthcare site? Let’s review the risks and protect your visitors.