Study Finds Widespread Use of Tracking and Analytics Tools on Healthcare Websites

A recent analysis of 59 websites operated by major U.S. hospitals and clinics found that most used marketing and analytics tools that could route website data to third parties, prompting renewed attention to website privacy and compliance practices.

Study Scope

The analysis was conducted jointly by Piwik PRO, a privacy-first web analytics platform provider, and Verified Data, an automated audit platform focused on analytics accuracy, data quality, and privacy compliance.

The findings were published in the healthcare website tracking report titled Are Healthcare Companies One Audit Away From a Compliance Crisis? The researchers scanned 59 websites operated by major U.S. hospitals and clinics to evaluate tracking technologies, consent systems, cookies, and related data compliance practices.

The study did not examine whether protected health information (PHI) was disclosed to third parties. It evaluated the presence and behavior of consent systems, cookies, tracking scripts, and advertising pixels.

Tracking Technologies Identified

The study found that 73% of the analyzed healthcare websites had active advertising trackers installed even though the Global Privacy Control opt-out signal was enabled.

The report states that the Global Privacy Control signal allows a browser to communicate a user’s preference to opt out of the sale or sharing of personal data with website operators.

The researchers also found that 69% of the scanned websites used marketing or advertising cookies. The report states that this pattern suggests data is routed to third-party platforms. It also states that the small difference between the percentage of websites using trackers and those using marketing cookies suggests that some tracking technologies operate without cookies.

The researchers identified 75 distinct tracking technologies across the 59 websites. The identified technologies included Google Analytics, Meta Pixel, Microsoft Advertising, and session replay technologies.

Compliance and Privacy Concerns

The healthcare organizations have received increased scrutiny regarding their use of website tracking and analytics tools after previous studies found that these technologies were routinely deployed on healthcare websites, including authenticated pages in some instances.

The tracking technologies collect and transmit information about website activity to third parties. The information may include PHI that the HIPAA Privacy Rule requires regulated entities to protect. The following organizations reported major HIPAA breaches to the HHS Office for Civil Rights related to website tracking tools: Kaiser Permanente, Advocate Aurora Health, Advocate Aurora Health, Advocate Aurora Health,  and Atrium Health as organizations that reported .

The report stated that patients have increasingly filed legal actions concerning the use of website tracking technologies by healthcare providers. Settlements resolving alleged healthcare privacy violations involving tracking and analytics technologies exceeded $100 million between 2023 and 2025. The reported technologies included Meta Pixel, Google Analytics, and Microsoft Advertising code.

Statements From the Study Authors

Magdalena Pawlitko, Head of Global Sales at Piwik PRO, stated that many healthcare organizations inherited their analytics configurations instead of selecting them directly. She stated that Google Analytics became widely adopted because it was free, established, and familiar to organizations. She also stated that website analytics platforms have expanded into broader behavioral advertising capabilities, increasing compliance risk in regulated sectors such as healthcare and requiring closer oversight of data collection tools and their configuration.

Brian Clifton, founder of Verified Data and a digital analytics and privacy expert, stated that healthcare organizations can meet patient expectations for privacy by implementing appropriate website configurations. He stated that organizations adopting compliant approaches can reduce legal exposure while strengthening the privacy of their digital services.

Recommendations

Healthcare organizations need to audit their existing website tracking configurations.

Advertising pixels must be removed from web pages that are adjacent to PHI.

Enforce opt-out signals through the tag management layer.

Replace non-compliant analytics platforms with purpose-built alternatives.

Implement compliant infrastructure for website analytics.

Make compliance an ongoing operational requirement instead of a one-time review.

Documenting compliance-related decisions must be required.

About Christine Garcia 1270 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA