Your website may be violating federal law. Right now.
Meta Pixels and Google trackers on healthcare websites have generated $100M+ in federal settlements. We find the violations before the government does, and before a plaintiff attorney does.
Free audit. Confidential. Results delivered in 48 hours.
$100M+ in pixel-tracking settlements, 2023–25 (Feroot Security, 2025)
22 OCR enforcement actions in 2024, a record (HHS OCR Year-End Report)
$73K maximum fine per violation, per day (45 CFR §160.404, 2025 inflation-adjusted rates; §160.406 counts each day of a continuing violation as a separate violation)
33% of healthcare sites have an active Meta Pixel (LOKKER Privacy Report, 2024)
✓ 45 CFR HIPAA Compliant Methodology · 🏛️ OCR / HHS Standards · ⚖️ HITECH Act · 🌐 All 50 States · 🔒 100% Confidential · 📋 Attorney-Reviewable Reports
Explore or take action
📋 Schedule Free Consultation: we audit your site and walk through every finding, no charge
⚠️ View All Violations: 24 HIPAA website violations ranked by severity
⚖️ Real Settlement Cases: $100M+ in verified, public-record fines
🔍 How Our Process Works: from audit to fully protected, what to expect
💬 Common Questions: Is this real? Who enforces it? What happens next?
Our standards
✓ HIPAA Privacy Rule, 45 CFR Part 164: all audits conducted against current federal standards
✓ HITECH Act compliance framework, including OCR's December 2022 tracking technology bulletin (updated March 2024)
✓ OCR civil monetary penalty tiers (2025 rates): fine exposure calculated using current inflation-adjusted rates
✓ State Attorney General standards: Texas, California, New York and all active AG jurisdictions
✓ FTC Act §5 (unfair and deceptive practices) and the FTC Health Breach Notification Rule (16 CFR Part 318), including data handling standards
“I ran the Blacklight scanner myself after receiving their email — every violation they described was confirmed. Facebook pixel on my booking page. Session recorder active. The consultation took 20 minutes and I had a complete picture of my exposure.”
Dr. Sarah M., Med Spa Owner, Scottsdale AZ · ★★★★★
“My attorney reviewed the audit report and said if we'd been hit with a class action, we'd have settled for six figures minimum. Worth every penny — and they showed us how to keep running our Google Ads without the violation.”
Dr. Robert C., Chiropractic Practice, Denver CO · ★★★★★
24 Documented Violations
Every HIPAA Violation We Find on Healthcare Websites
Ranked by fine severity. Most practices have 3 or more of these active. Each is tied to the CFR provision it implicates and, where one exists, its documented enforcement history.
⚠ HIPAA penalties accrue daily from when the violation began, not from discovery: 45 CFR §160.406 treats each day of a continuing violation as a separate violation, subject to the annual cap for that provision. A pixel active for 12 months means 12 months of accrued daily exposure across every violation found.
Critical Severity: up to $73,011 per violation, per day
01
Meta / Facebook Pixel on Booking or Treatment Pages
Pixel fires when patients browse treatments or submit booking forms — transmitting treatment selection and identity to Meta. No BAA exists for standard Meta products. Confirmed in $18.5M Aspen Dental settlement.
45 CFR §164.502 — Impermissible PHI Disclosure to Third Party
$73,011
Per violation, per day · $18.5M confirmed settlement · Class action risk
02
Google Analytics Remarketing on Patient-Facing Pages
Google builds patient profiles from treatment page visits and follows them with targeted ads across the internet. Standard Google Analytics and Ads products provide no HIPAA Business Associate Agreement.
45 CFR §164.502(a) — Third Party PHI Disclosure Without Authorization
$73,011
Per violation, per day · Confirmed in multiple class action settlements
03
Session Recorders Capturing Patient Interactions (Hotjar, Microsoft Clarity)
Records mouse movement, clicks, scrolling and form interaction and streams the session to third-party servers in real time with no HIPAA protection. Both tools mask typed input by default, but masking is a setting that site owners loosen, and it never covers what the recording already shows: the treatment page URL, the options a patient selects and the on-page text that names a condition. Where masking is off, names, health concerns and contact details are captured as typed.
45 CFR §164.502(a) — Unauthorized PHI Transmission to Third Party
$73,011
Per violation, per day · Every form interaction recorded and transmitted
04
TikTok Pixel on Patient-Facing Pages
TikTok's tracking pixel sends patient treatment interests and behavioral data to ByteDance servers. No HIPAA BAA available for standard TikTok advertising products. Rapidly growing enforcement exposure.
45 CFR §164.502 — Impermissible Disclosure to Third Party
$73,011
Per violation, per day · FTC active enforcement · Class actions building
05
Snapchat Pixel on Healthcare Pages
Snapchat's tracking pixel transmits patient browsing behavior on treatment pages. No HIPAA BAA provided by Snap Inc. for standard advertising products. Confirmed in BetterHelp $7.8M FTC settlement.
45 CFR §164.502 — Impermissible Third Party PHI Disclosure
$73,011
Per violation, per day · Confirmed FTC enforcement history
06
Microsoft Clarity or Bing Ads Tracking on Patient Pages
Microsoft Clarity records user sessions and heatmaps; Bing Ads UET tag tracks patient conversions. Microsoft does not provide HIPAA BAAs for these standard advertising and analytics tools.
45 CFR §164.502(a) — Third Party Disclosure Without BAA
$73,011
Per violation, per day · Often installed alongside Google/Meta — multiplies exposure
07
Contact or Intake Forms Routing to Unencrypted Email
Forms collecting patient names, health concerns, insurance information or appointment requests that submit directly to an ordinary mailbox. Consumer Gmail and Outlook.com accounts cannot be placed under a BAA at all; Google Workspace and Microsoft 365 business plans can be, but only if the BAA is actually executed and the account is configured to the vendor's HIPAA guidance, which the typical small-practice setup never does. A mailto: form action is the worst case: the message is composed on the patient's device and sent by whatever mail client happens to be installed.
Per violation, per day · Every form submission is an unprotected PHI disclosure
08
LinkedIn Insight Tag on Healthcare Pages
LinkedIn's tracking pixel captures patient professional profiles when they visit treatment pages. LinkedIn does not provide HIPAA BAAs for Insight Tag installations on healthcare websites.
45 CFR §164.502 — Impermissible PHI Disclosure
$73,011
Per violation, per day · Commonly overlooked — installed by B2B marketing agencies
High Severity: up to $73,011 per violation
09
Chat Widgets Without BAA (Zoho, Tidio, Intercom, Drift, Podium)
Every patient message, name, phone number and health inquiry is transmitted to a third-party chat platform with no Business Associate Agreement. Standard plans from most chat providers do not include a BAA; where one is available it is typically tied to a higher tier and must be executed before the widget goes live.
45 CFR §164.308(b) — Business Associate Provisions
$73,011
Per violation · Every patient conversation is an unprotected disclosure
10
Online Booking Tools Without BAA (Calendly, Acuity, SimplyBook)
Standard scheduling tools collect patient names, contact details and appointment information with no HIPAA protection. Free and standard plans generally do not include a Business Associate Agreement; where a vendor offers one at all it is usually limited to higher tiers and must be signed before the tool handles a single booking.
45 CFR §164.308(b) — Business Associate Provisions
$73,011
Per violation · Every appointment booking is an exposed PHI transaction
11
SMS Marketing Tools Without BAA (Klaviyo, Twilio, EZTexting)
Standard SMS platforms receiving patient phone numbers, appointment confirmations, and treatment-related messages without HIPAA Business Associate Agreements in place.
45 CFR §164.308(b) — Business Associate Provisions
$73,011
Per violation · Every text message containing PHI is a separate disclosure
12
CRM / Email Marketing Without BAA (Mailchimp, HubSpot, ActiveCampaign)
Marketing CRM platforms receiving patient contact details, appointment history and treatment information without a HIPAA BAA. Most marketing platforms do not sign a BAA on standard plans; where one is available it is limited to specific tiers and must be executed before any patient data enters the list.
45 CFR §164.308(b) — Business Associate Provisions
$73,011
Per violation · Patient data in your email list = ongoing unprotected disclosure
13
AI Chatbot or Virtual Assistant Without BAA
AI chatbots embedded on healthcare websites frequently transmit patient conversations — including health questions, symptoms, and personal details — to third-party AI servers with no HIPAA data protection agreement.
45 CFR §164.308(b) — Business Associate Provisions
$73,011
Per violation · Growing rapidly as practices adopt AI chat tools
14
No HTTPS / Expired or Broken TLS Certificate
A site served over plain HTTP transmits everything, form submissions and portal logins included, in cleartext. An expired or mismatched certificate does not switch encryption off, but it makes browsers interrupt the connection and trains patients and staff to click through warnings, which is exactly the behaviour an interception attack relies on. Interception of unencrypted PHI is a breach of unsecured PHI and triggers notification. Every HTTP URL should redirect to HTTPS, and the site should send a Strict-Transport-Security header so the downgrade cannot be forced.
45 CFR §164.312(e)(1) — Transmission Security
$73,011
Per violation · Automatic breach risk for every patient interaction on the site
15
Patient Portal on Unsecured or Unprotected Page
Patient login portals without multi-factor authentication, valid TLS or adequate access controls. The current Security Rule does not yet mandate MFA (OCR's proposed Security Rule update, published January 2025, would), but its absence is weighed in the risk analysis OCR demands, and exposed patient portals are among the highest-priority OCR investigation triggers.
45 CFR §164.312(a)(1) and (d) — Access Control; Person or Entity Authentication
$73,011
Per violation · OCR actively investigates exposed patient portals
16
YouTube / Vimeo Video Embeds with Tracking Enabled
Video embeds using default settings let YouTube and Vimeo track patient viewing behaviour on treatment pages, including which medical procedures patients research, and link it to the viewer's Google or Vimeo account when they are signed in.
45 CFR §164.502 — Third Party PHI Disclosure
$73,011
Per violation · Frequently overlooked · Fixed by embedding from youtube-nocookie.com (privacy-enhanced mode) and adding dnt=1 to Vimeo player URLs
17
Pinterest Tag on Healthcare Pages
Pinterest's conversion tag tracks patient interactions with treatment content and transmits behavioral health data to Pinterest's servers. No HIPAA BAA available for standard Pinterest advertising products.
45 CFR §164.502 — Impermissible PHI Disclosure
$73,011
Per violation · Common on med spa and aesthetic practice sites
Medium Severity: up to $300,000+
18
Missing Notice of Privacy Practices (NPP)
Federally required document explaining how patient information is collected, used, stored and shared, including through digital tools. A missing or outdated NPP is a routine finding in OCR investigations, and OCR's dedicated Right of Access initiative (patients' access to their own records under 45 CFR §164.524), with 46+ enforcement actions, shows how readily the agency pursues Privacy Rule paperwork failures at small practices.
45 CFR §164.520 — Notice of Privacy Practices Requirements
$300K+
NPP failures are usually resolved as part of a broader settlement; Right of Access actions on their own have ranged from a few thousand dollars to the low six figures
19
Outdated Privacy Policy (Pre-2022 OCR Guidance)
Privacy policies that predate OCR's December 2022 tracking technology bulletin (updated March 2024) typically fail to disclose how digital marketing tools handle patient data, creating deceptive-practices exposure on top of HIPAA liability. One caveat a practitioner should know: in June 2024 a federal district court (American Hospital Association v. Becerra, N.D. Tex.) vacated the bulletin's position that an IP address combined with a visit to an unauthenticated page about a health condition is, by itself, PHI. The bulletin's treatment of authenticated pages, booking flows and any context where the visitor's identity is known stands, and FTC, state AG and class-action exposure is unaffected.
Multiplies exposure on all other violations found · FTC deceptive practices risk
20
Patient Testimonials Containing Protected Health Information
"John D. lost 40lbs after his diabetes treatment" — testimonials referencing patient names, conditions, or treatment outcomes without explicit HIPAA authorization constitute unauthorized PHI disclosure, even with general consent.
45 CFR §164.502 — Unauthorized PHI Disclosure
$73,011
Per violation · Requires written HIPAA authorization — general photo release insufficient
21
Before/After Photos Without HIPAA Authorization
Medical before/after photos published without explicit HIPAA authorization — distinct from a standard model release. Particularly common on med spa, plastic surgery, and dermatology websites.
45 CFR §164.508 — Uses and Disclosures for Which Authorization Is Required
$73,011
Per photo · General "I agree" checkbox is insufficient — requires specific HIPAA authorization form
22
No Cookie Consent Banner (CCPA Overlap)
Practices serving California patients without a cookie consent and opt-out mechanism face CCPA liability stacking on top of HIPAA violations, and the California AG actively enforces it. Note the scope: CCPA exempts PHI already governed by HIPAA (Cal. Civ. Code §1798.145(c)), so this exposure attaches to the non-PHI data the same tools collect, such as general site analytics and advertising cookies. Other states with similar laws: Virginia, Colorado, Connecticut.
CCPA §1798.100 + 45 CFR §164.502
$7,500
Per intentional CCPA violation · Stacks on top of HIPAA fines · State AG enforcement
23
Staff Email Addresses Exposed in Plain Text
Publicly displayed staff emails enable targeted phishing attacks — the leading cause of healthcare data breaches. Once a staff inbox is compromised, the resulting breach triggers mandatory HIPAA breach notification and potential OCR investigation.
45 CFR §164.308(a)(5) — Security Awareness and Training
Breach risk
Average healthcare breach cost: $9.77M (IBM Cost of a Data Breach Report 2024) · Individual notification without unreasonable delay and no later than 60 days after discovery (45 CFR §164.404)
24
Outdated CMS or Unpatched WordPress Plugins
Outdated website platforms and plugins introduce known security vulnerabilities that can be exploited to access patient data. Under HIPAA, failure to maintain technical safeguards and conduct regular risk assessments is independently enforceable.
45 CFR §164.308(a)(1) — Security Management Process / Risk Analysis
$73,011
Per violation · OCR's current enforcement initiative targets risk analysis failures specifically
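Most of the checks in this list are mechanical, and a practitioner will want to see how they are scripted. The scanner below is an added example written for this page; it is not Patient Protection Group's tool, nor the Blacklight scanner mentioned above. It parses served HTML for the loader hosts and inline snippets of the trackers named in the list, flags YouTube and Vimeo embeds that are not in privacy mode, mailto: and plaintext-HTTP form targets, and a page not served over HTTPS, and maps each hit to the violation numbers used above. The signature table, the violation mapping and SAMPLE_PAGE are this editor's assumptions, and the sample page is constructed for illustration.

```python
# Static tracker audit over served HTML. Added example for this page: the signature
# hosts, the violation mapping and SAMPLE_PAGE are this editor's assumptions.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loader hosts of the trackers named in the list, keyed to its violation numbers.
SCRIPT_HOSTS = {
    "connect.facebook.net": (1, "Meta Pixel"),
    "googletagmanager.com": (2, "Google tag / Tag Manager"),
    "google-analytics.com": (2, "Google Analytics"),
    "static.hotjar.com": (3, "Hotjar session recorder"),
    "clarity.ms": (3, "Microsoft Clarity session recorder"),
    "analytics.tiktok.com": (4, "TikTok Pixel"),
    "sc-static.net": (5, "Snap Pixel"),
    "bat.bing.com": (6, "Bing Ads UET tag"),
    "snap.licdn.com": (8, "LinkedIn Insight Tag"),
    "code.tidio.co": (9, "Tidio chat widget"),
    "widget.intercom.io": (9, "Intercom chat widget"),
    "s.pinimg.com": (17, "Pinterest Tag"),
}
_Q = "['\"]"  # either quote character, for the inline patterns below
# Inline loader snippets: tag managers inject these rather than a visible <script src>.
INLINE_MARKERS = [
    (rf"\bfbq\s*\(\s*{_Q}init{_Q}", (1, "Meta Pixel (inline fbq init)")),
    (rf"\bgtag\s*\(\s*{_Q}config{_Q}", (2, "Google tag (inline gtag config)")),
    (r"\b_hjSettings\b", (3, "Hotjar (inline loader)")),
    (r"\bclarity\s*\(", (3, "Microsoft Clarity (inline loader)")),
    (r"\bttq\.load\s*\(", (4, "TikTok Pixel (inline loader)")),
    (rf"\bsnaptr\s*\(\s*{_Q}init{_Q}", (5, "Snap Pixel (inline loader)")),
    (r"\b_linkedin_partner_id\b", (8, "LinkedIn Insight Tag (inline loader)")),
    (rf"\bpintrk\s*\(\s*{_Q}load{_Q}", (17, "Pinterest Tag (inline loader)")),
]


class _Collector(HTMLParser):
    """Collects external script URLs, inline script text, iframe URLs and form actions."""

    def __init__(self):
        super().__init__()
        self.scripts, self.inline, self.iframes, self.forms = [], [], [], []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.scripts.append(a["src"])
            else:
                self._in_inline_script = True
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "form":
            self.forms.append(a.get("action") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)


def _host(url):
    return (urlparse(url).hostname or "").lower()  # handles //host/path too


def scan_html(html, page_url):
    """Return findings for one served page, sorted by violation number."""
    c = _Collector()
    c.feed(html)
    found = {}

    def add(no, label, evidence):
        found.setdefault((no, label), evidence)  # keep the first evidence per finding

    if urlparse(page_url).scheme.lower() != "https":
        add(14, "page served over plaintext HTTP", page_url)
    for src in c.scripts:
        h = _host(src)
        for needle, (no, label) in SCRIPT_HOSTS.items():
            if h == needle or h.endswith("." + needle):
                add(no, label, src)
    inline_js = "\n".join(c.inline)
    for pattern, (no, label) in INLINE_MARKERS:
        m = re.search(pattern, inline_js)
        if m:
            add(no, label, m.group(0))
    for src in c.iframes:
        u = urlparse(src)
        h = (u.hostname or "").lower()
        if (h == "youtube.com" or h.endswith(".youtube.com")) and "/embed/" in u.path:
            add(16, "YouTube embed not using youtube-nocookie.com privacy-enhanced mode", src)
        if h == "player.vimeo.com" and "dnt=1" not in u.query:
            add(16, "Vimeo embed without dnt=1 (Do Not Track) parameter", src)
    for action in c.forms:
        if action.lower().startswith("mailto:"):
            add(7, "form submits to a mailbox via mailto: (unencrypted email)", action)
        elif action.lower().startswith("http://"):
            add(14, "form posts over plaintext HTTP", action)
    return [{"violation": no, "finding": label, "evidence": ev}
            for (no, label), ev in sorted(found.items())]


# Constructed sample of a treatment/booking page; not a real site.
SAMPLE_PAGE = """<!doctype html><html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE1"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}
gtag('config','G-EXAMPLE1');</script>
<script>!function(f,b,e,v,n,t,s){/* pixel loader */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init','000000000000000');fbq('track','PageView');</script>
<script>(function(h,o,t,j,a,r){h._hjSettings={hjid:0,hjsv:6};})(window,document,
'https://static.hotjar.com/c/hotjar-','.js?sv=');</script>
</head><body>
<h1>Book your treatment</h1>
<iframe src="https://www.youtube.com/embed/EXAMPLE"></iframe>
<iframe src="https://www.youtube-nocookie.com/embed/EXAMPLE"></iframe>
<form action="mailto:frontdesk@example.com" method="post"><input name="condition"></form>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, "https://clinic.example/book"):
        print(f"#{f['violation']:02d} {f['finding']}: {f['evidence']}")
```

A static pass over the HTML the server returns catches trackers hard-coded in the template, but a tag manager loads most of them at runtime, so the same signatures should also be run against the requests a headless browser makes while it renders the page.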
Found violations on your site? Our free consultation walks you through exactly what we found, what it means, and how to fix it — with no obligation to hire us.
Verified Public Record
These Practices Paid. Same Violations.
Every settlement below is publicly documented and verifiable. Every practice had the same tracking pixels and unprotected forms we find every day nationwide.
Key fact: Plaintiff attorneys run the same automated scanners we use — against thousands of healthcare websites simultaneously. A single patient retargeted on Facebook for a treatment they researched on your site can initiate a class action on behalf of every patient who visited those pages.
$18.5M · 2024 · Aspen Dental Management: Meta Pixel and Google tracking active across the entire patient appointment booking funnel, 1.6M+ patients affected (Pixel on Booking Funnel)
$12.25M · 2024 · Advocate Aurora Health: Meta Pixel transmitting data on 3 million patients across treatment service pages and patient portals (Pixel on Treatment Pages)
$7.8M · 2023 · BetterHelp: sharing patient mental health data via tracking pixels with Meta and Snapchat, FTC enforcement action (PHI to Meta + Snapchat)
$6.6M · 2023 · Novant Health: tracking pixels transmitting protected health information to Facebook without a BAA or patient authorization (No BAA in Place)
$6M · 2025 · HealthPartners: tracking pixel violations exposing patient health data across multiple patient-facing web properties (Multi-Page Pixel Exposure)
$3M · 2025 · MarinHealth: Meta Pixel active continuously on the patient-facing website from 2019 through 2025, six years of accrued exposure (6 Years of Active Violation)
$2.85M · 2025 · University of Rochester Medical Center: pixel tracking active on patient appointment booking pages and the authenticated patient portal (Booking + Portal Exposure)
$2M · 2023 · Froedtert Health: class action settlement over Meta Pixel tracking patient behaviour across healthcare website properties (Class Action, Meta Pixel)
$300K · 2023 · NewYork-Presbyterian Hospital: New York AG enforcement action, Meta Pixel on website pages without a BAA in place (State AG Action, NY)
$25M · 2024 · GoodRx: class action settlement over sharing prescription drug data via tracking pixels with Meta, Google and Criteo, following the FTC's 2023 action, the first brought under the Health Breach Notification Rule, which carried a $1.5M civil penalty (FTC + Class Action, Prescription Data)
Listed cases total roughly $84M; documented pixel-tracking settlements industry-wide exceed $100M (Feroot Security, 2025), all verified public record.
Your practice's exposure depends on how long violations have been active, your patient volume, and how many distinct violations we find. We calculate this in your free consultation — specifically for your site.
How It Works
From Exposed to Protected in Days.
We don't sell over email. Every practice is different. Our consultation is a conversation — not a sales pitch.
1. You Submit Your Website: fill out the consultation form with your website URL and practice type. No backend access required. Takes 2 minutes. (2 minutes · No commitment)
2. We Run the Full Audit: 24-point HIPAA scan covering tracking pixels, booking tools, chat widgets, form security, privacy notices, TLS and session recorders. Professional PDF report delivered within 48 hours. (48 hours · Free · No charge)
3. We Walk Through the Findings: a 20-minute call explaining every violation, exactly which pages, which tools, which regulation, and your specific exposure calculated for your practice size and patient volume. Plain language. No jargon. (20 minutes · No obligation)
4. You Choose What Happens Next: act on our findings yourself, bring in another firm, or ask us to handle it. We provide a flat quote based on your specific violations. We only get paid if you choose to work with us. (No pressure · Flat rate · Your call)
Important: You don't have to stop running ads. We configure a HIPAA-compliant tracking layer, a privacy intermediary that strips protected health information before it reaches Google or Facebook. You keep your ads, your conversion data and your marketing results. The violation disappears.
Common Questions
Questions We Answer Every Day
Is this real?
Real, documented, and ongoing. Over $100 million in settlements have been paid by healthcare practices for website tracking violations between 2023 and 2025. Every case we reference is public record. OCR confirmed 22 enforcement actions in 2024 — a record high. Plaintiff attorneys run automated scanners on healthcare websites nationwide right now.
Can I just turn off my ads?
Turning off ads does not remove the pixel. The pixel is code in your site's header — it fires 24/7 regardless. Most practices don't want to lose ad tracking entirely. We configure a HIPAA-compliant tracking intermediary that strips PHI before it reaches Google or Facebook. You keep your ads, keep conversion data, eliminate the violation.
Didn't my web developer or marketing agency handle this?
Web developers build websites. Marketing agencies run campaigns. Neither is trained in HIPAA website compliance. The violations we find are about data flows between your site and third-party tools — a legal question most agencies have never considered. We find violations on sites built by firms charging $30,000+ for development.
How are the fines calculated?
Fines accrue daily from when the violation began, not from discovery: under 45 CFR §160.406 each day of a continuing violation counts as a separate violation. Four culpability tiers, $145 to $73,011 per violation at 2025 rates. Annual caps limit federal exposure per calendar year for each provision violated (OCR's 2019 Notice of Enforcement Discretion applies lower caps to the lower tiers), but multiple distinct violations mean multiple annual caps. State AG fines and class action damages are assessed entirely separately and often exceed federal penalties.
Who enforces this?
Three simultaneous tracks. OCR (HHS) — federal civil enforcement. State Attorneys General — Texas, California, New York particularly active. Private plaintiff attorneys — class actions on behalf of affected patients. This is where the largest settlements originate. Small practices are preferred targets because they settle quickly without prolonged litigation.
Why is the audit free?
Every healthcare practice deserves to know their real exposure — regardless of whether they hire us. Our consultation gives you a complete picture: every violation, what it means legally, what protection costs. Take our findings and act on them however you choose. We only get paid if you want us to do the work.
What does remediation involve?
Depending on violations: removing or replacing tracking pixels with HIPAA-compliant alternatives, executing BAAs with third-party vendors, updating privacy notices, reconfiguring booking and chat tools, setting up compliant ad tracking. Most remediations complete in 5–10 business days.
Will I lose my ad conversion tracking?
No. We use a HIPAA-compliant server-side tracking layer — tools like Freshpaint or custom server-side GTM — that intercepts data, strips PHI, and then forwards clean, compliant conversion signals to Google and Meta. Your ad performance stays intact. The legal exposure disappears.
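What such an intermediary actually has to do is concrete enough to show in code. The relay below is an added example for this page, not Freshpaint's product or a server-side GTM configuration: the browser posts conversion events to the practice's own endpoint instead of to Meta, and only the sanitized result is forwarded. It rejects event names outside a generic taxonomy (a name like "Botox Purchase" is itself a disclosure), reduces the page URL to its origin, drops every direct identifier and every Meta Conversions API match key (hashed values included, since a hash of an email is derived from the individual and so is not de-identified under 45 CFR §164.514(c)), and keeps only value and currency from custom data. The taxonomy, field names and RAW_EVENT are this editor's assumptions, and the event is constructed for illustration.

```python
# Server-side conversion relay that strips PHI before forwarding. Added example for
# this page; the event taxonomy, RAW_EVENT and field names are this editor's assumptions.
import re
from urllib.parse import urlsplit

# Generic event taxonomy: a forwarded name must never encode a condition or treatment.
ALLOWED_EVENTS = {"page_view", "appointment_requested", "contact_form_submitted", "call_clicked"}
# Direct identifiers plus the Meta Conversions API user_data match keys. Hashed or not,
# they identify the visitor, so none of them leave the practice's server by default.
IDENTIFIER_KEYS = {
    "email", "phone", "name", "first_name", "last_name", "dob", "address", "ip",
    "em", "ph", "fn", "ln", "ge", "db", "ct", "st", "zp", "country", "external_id",
    "client_ip_address", "client_user_agent", "fbc", "fbp", "fbclid", "gclid",
    "subscription_id", "lead_id",
}
ALLOWED_CUSTOM = {"value", "currency"}  # content_name / content_category can name a treatment
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
_PHONE = re.compile(r"(?:\+?\d[\s().-]*){10,}")  # 10+ digits with common separators


def find_identifiers(obj, path="$"):
    """Paths of identifier keys, or of string values that look like an email or phone."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}"
            if str(k).lower() in IDENTIFIER_KEYS:
                hits.append(p)
            else:
                hits.extend(find_identifiers(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_identifiers(v, f"{path}[{i}]"))
    elif isinstance(obj, str) and (_EMAIL.search(obj) or _PHONE.search(obj)):
        hits.append(path)
    return hits


def _origin(url):
    """scheme://host only: the path and query carried the treatment page and fbclid."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""


def sanitize_event(raw, forward_click_id=False):
    """Return the forwardable event, or None when it must be dropped entirely."""
    name = str(raw.get("event_name", "")).strip().lower()
    if name not in ALLOWED_EVENTS:
        return None  # an unknown name may itself name a treatment: drop, never rename
    custom = raw.get("custom_data") or {}
    clean = {
        "event_name": name,
        "event_time": int(raw.get("event_time", 0)),
        "action_source": "website",
        "event_source_url": _origin(str(raw.get("event_source_url", ""))),
        "custom_data": {k: v for k, v in custom.items() if k in ALLOWED_CUSTOM},
    }
    if forward_click_id:  # policy decision, not a default: see the note below
        fbc = (raw.get("user_data") or {}).get("fbc")
        if fbc:
            clean["user_data"] = {"fbc": fbc}
    return clean


# Constructed browser-side event as posted to the practice's own endpoint; not real data.
RAW_EVENT = {
    "event_name": "appointment_requested",
    "event_time": 1700000000,
    "event_source_url": "https://clinic.example/treatments/botox?fbclid=IwAR0example",
    "user_data": {
        "em": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",  # hashed email, still an identifier
        "ph": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
        "client_ip_address": "203.0.113.7",
        "client_user_agent": "Mozilla/5.0",
        "fbc": "fb.1.1700000000.IwAR0example",
    },
    "custom_data": {
        "content_name": "Botox consultation",
        "value": 0,
        "currency": "USD",
        "notes": "call me at 555-867-5309 or jane@example.com",
    },
}

if __name__ == "__main__":
    print("identifiers in raw event:", find_identifiers(RAW_EVENT))
    print("forwarded:", sanitize_event(RAW_EVENT))
    print("rejected:", sanitize_event({"event_name": "Botox Purchase", "event_time": 1}))
```

The forward_click_id switch is where the real decision sits. A fully stripped event tells Meta only that some visitor to clinic.example requested an appointment, and the Conversions API expects at least one user_data match key to attribute a conversion to an ad click, so measurement degrades. A click identifier restores attribution but is a persistent identifier of the visitor, which is exactly what the 2022 bulletin treats as PHI when combined with a health-related interaction. Which keys, if any, to forward is a question for counsel, not a tag-manager default.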
Free · Confidential · No Obligation
Find Out Where Your Practice Stands.
We audit your website and walk through every finding. No charge. No sales pressure. Results in 48 hours.
✓ Free Audit Included · 🔒 100% Confidential · ⏱ 48 Hour Delivery · 📋 Attorney-Grade Report · 🌐 All 50 States
No charge. No obligation. Your information is never shared with any third party.
By submitting you agree to be contacted by Patient Protection Group regarding your compliance audit. Your information is held in strict confidence and never shared with third parties.