Why Healthcare Websites Face Higher Cookie Consent Stakes
A visitor browsing a page about diabetes management or scheduling an appointment through a patient portal is generating data that regulators treat differently from someone shopping for shoes. When a tracking pixel fires on a healthcare page, the information it collects - an IP address, a page URL containing a condition name, or a session identifier tied to a logged-in patient - may qualify as protected health information (PHI) under HIPAA or special category data under GDPR Article 9.
The consequences of getting this wrong are not theoretical. The U.S. Department of Health and Human Services (HHS) issued a bulletin in December 2022 (updated March 2024) warning that online tracking technologies on healthcare websites can violate HIPAA. The FTC has brought enforcement actions against companies like GoodRx and BetterHelp for sharing health data through tracking pixels without proper authorisation.
Healthcare organisations must treat cookie consent as a clinical-grade compliance requirement, not an afterthought.
HIPAA and Cookies: No Direct Rule, but Real PHI Risk
HIPAA does not mention cookies or tracking pixels by name. The statute predates modern web tracking by decades. Yet the HIPAA Privacy Rule restricts any disclosure of PHI, regardless of the technology used to transmit it.
The HHS Office for Civil Rights (OCR) clarified this in its tracking technologies bulletin. When an analytics cookie or marketing pixel on an authenticated page (such as a patient portal) transmits data to a third party, that data may include PHI. The OCR bulletin stated that IP addresses combined with a visit to a health-related webpage can constitute PHI if the website is operated by a HIPAA covered entity.
A federal court later narrowed this position. In 2024, the American Hospital Association (AHA) successfully challenged the guidance, and the court vacated the bulletin to the extent it treated a visitor's IP address on unauthenticated public pages as PHI. Tracking on authenticated pages - patient portals, appointment systems, prescription refill pages - remains firmly within HIPAA's scope.
Business Associate Agreements for Tracking Vendors
Any third-party vendor receiving PHI must sign a Business Associate Agreement (BAA). Google, Meta, and most advertising platforms do not sign BAAs. This means firing a _ga cookie or Meta Pixel on authenticated healthcare pages without proper safeguards can create an impermissible PHI disclosure, even if the patient clicks "accept" on a cookie banner.
Cookie consent banners do not satisfy HIPAA authorisation requirements. HIPAA authorisation is a specific legal document with prescribed elements; a website pop-up does not meet that standard.
The FTC Health Breach Notification Rule
Organisations not covered by HIPAA - health apps, wellness platforms, telehealth startups without a covered entity relationship - still face the FTC's Health Breach Notification Rule (HBNR). The FTC updated this rule in June 2024 to explicitly cover the sharing of health data through tracking technologies like cookies and pixels.
Under the updated HBNR, if a health app or website shares identifiable health information with an advertising vendor through a tracking pixel without the user's explicit authorisation, that disclosure qualifies as a "breach" requiring notification. The FTC brought enforcement actions against GoodRx (USD 1.5 million penalty) and BetterHelp (USD 7.8 million) for exactly this pattern.
The practical effect: healthcare-adjacent websites must audit every third-party script and cookie to determine whether it transmits health-related information to vendors.
GDPR Article 9: Health Data as Special Category
Under the GDPR, health data is classified as special category data under Article 9. Processing special category data is prohibited unless one of ten specific exceptions applies. For cookie-based tracking on healthcare websites, the relevant exception is explicit consent - not merely the standard GDPR consent, but a higher bar requiring clear, affirmative, and specific agreement.
This has direct implications for cookie consent mechanisms. A generic "accept all cookies" button is insufficient when those cookies process health data. The consent request must specifically identify that health data will be processed and explain the purposes. Pre-ticked boxes, bundled consent, and implied consent all fail to meet the explicit consent standard.
What Counts as Health Data in a Cookie Context?
The definition is broader than many organisations assume. Data that reveals information about a person's health status qualifies, even if the data itself is not a medical record. Examples include:
- Page URLs containing condition names (e.g., /appointments/oncology)
- Search queries on a hospital website (e.g., "heart failure symptoms")
- Session data from a patient portal linked to a diagnosis
- Appointment booking data transmitted via tracking pixels
The UK GDPR applies the same special category classification, with the ICO providing similar guidance on health data processing requirements.
Regulatory Comparison: HIPAA vs GDPR vs FTC HBNR
| Requirement | HIPAA | GDPR | FTC Health Breach Rule |
|---|---|---|---|
| Scope | Covered entities and business associates | Any organisation processing EU residents' data | Non-HIPAA health apps and websites |
| Cookie-specific rule | No (but PHI disclosure rules apply) | Yes (ePrivacy Directive Article 5(3) plus GDPR Article 9) | No (but tracking pixel sharing = breach) |
| Consent standard for health data | HIPAA authorisation (written, specific elements) | Explicit consent under Article 9(2)(a) | Affirmative express consent |
| Cookie banner sufficient? | No | Only if it meets explicit consent requirements | Only if it meets affirmative express consent |
| BAA/DPA required for vendors? | Yes (BAA) | Yes (DPA under Article 28) | No BAA, but unauthorised sharing = breach |
| Maximum penalty | USD 2.1 million per violation category per year | EUR 20 million or 4% global turnover | FTC enforcement (varies, multi-million USD settlements) |
Practical Steps for Healthcare Cookie Compliance
Compliance requires a layered approach that goes beyond installing a cookie banner. Healthcare organisations should follow a structured process.
Step 1: Audit Every Cookie and Tracking Script
Run a full cookie audit across all subdomains, including patient portals, appointment systems, and telehealth platforms. Document every cookie, its purpose, its duration, and which third parties receive data. Pay particular attention to cookies like _fbp, _ga, _gcl_au, and any session replay tools like Hotjar.
Step 2: Classify Pages by Risk Level
Not every page on a healthcare website carries the same risk. A general "About Us" page is different from a symptom checker or patient portal login. Create a page classification:
- High risk: Authenticated patient pages, appointment booking, prescription refill, telehealth sessions
- Medium risk: Condition-specific information pages, department pages, provider directories
- Low risk: General corporate pages, careers, press releases
On high-risk pages, consider blocking all non-essential cookies entirely rather than relying on consent.
Step 3: Implement Consent with Granular Controls
Your cookie banner must offer opt-in consent with clear category explanations. For pages processing health data under GDPR, the consent mechanism must meet the explicit consent threshold. This means separate, specific consent for health data processing - not bundled with general analytics consent.
Step 4: Block Scripts Before Consent
Every tracking script must be blocked until valid consent is recorded. Use conditional script loading to prevent pixels from firing before consent. On HIPAA-regulated pages, consider whether any third-party tracking is permissible at all without a signed BAA.
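The four steps above, tied together as an added example (not code from the original article or from any vendor named in it): a cookie audit over a cookie string, page classification by path, and a consent gate that decides per tracker category what may load. The path prefixes, the cookie names beyond those the article lists, the vendor-to-category mapping, the script URLs and the shape of the consent object are all assumptions for illustration.

```javascript
// Added example, not code from the original article. Ties the four steps
// together as a consent gate: audit cookies, classify the page by path, then
// decide per tracker category what may load. Path prefixes, cookie names other
// than those named in the article, and the consent object shape are assumptions.

// Step 1: lookup table of tracker cookies (constructed; vendor names illustrative).
const KNOWN_TRACKERS = {
  _ga: { vendor: "Google Analytics", category: "analytics" },
  _gid: { vendor: "Google Analytics", category: "analytics" },
  _gcl_au: { vendor: "Google Ads", category: "marketing" },
  _fbp: { vendor: "Meta Pixel", category: "marketing" },
  _hjSessionUser: { vendor: "Hotjar", category: "session-replay" },
};

// Parse a document.cookie / Cookie header string and report every known tracker.
// Matches exact names and suffixed variants such as _ga_<stream> or _hjSessionUser_<site>.
function auditCookies(cookieString) {
  const findings = [];
  for (const part of cookieString.split(";")) {
    const name = part.trim().split("=")[0];
    if (!name) continue;
    const key = Object.keys(KNOWN_TRACKERS).find(
      (k) => name === k || name.startsWith(k + "_")
    );
    if (key) findings.push({ name, ...KNOWN_TRACKERS[key] });
  }
  return findings;
}

// Step 2: page risk by path prefix (prefixes are an assumed site layout).
const HIGH_RISK_PREFIXES = ["/portal/", "/appointments/", "/refill/", "/telehealth/"];
const MEDIUM_RISK_PREFIXES = ["/conditions/", "/departments/", "/providers/"];

function classifyPage(pathname) {
  const p = pathname.toLowerCase();
  if (HIGH_RISK_PREFIXES.some((x) => p.startsWith(x))) return "high";
  if (MEDIUM_RISK_PREFIXES.some((x) => p.startsWith(x))) return "medium";
  return "low";
}

// Steps 3-4: why a script of this category must stay blocked, or null if it may load.
// `consent` holds recorded opt-in choices, e.g. { analytics: true, healthData: false };
// `healthData` is the separate, explicit consent the article requires for health data.
function blockReason(category, risk, consent) {
  if (category === "essential") return null;
  if (risk === "high") return "high-risk page: non-essential scripts blocked regardless of consent";
  if (!consent[category]) return `no opt-in consent recorded for '${category}'`;
  if (risk === "medium" && !consent.healthData) return "no explicit consent for health-data processing";
  return null;
}

// Build the load/block plan for one page. Nothing loads until this runs with a
// recorded consent object, which is what "block scripts before consent" means.
function planScripts(pathname, consent, scripts) {
  const risk = classifyPage(pathname);
  const plan = { risk, load: [], blocked: [] };
  for (const s of scripts) {
    const reason = blockReason(s.category, risk, consent);
    if (reason) plan.blocked.push({ src: s.src, category: s.category, reason });
    else plan.load.push(s.src);
  }
  return plan;
}

// Browser side: inject only the scripts the plan allows. Inert outside a browser.
function applyPlan(plan) {
  if (typeof document === "undefined") return 0;
  for (const src of plan.load) {
    const el = document.createElement("script");
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
  }
  return plan.load.length;
}

// Constructed sample inputs (script paths are placeholders, not real vendor URLs).
const SAMPLE_SCRIPTS = [
  { src: "/js/session.js", category: "essential" },
  { src: "/vendor/analytics.js", category: "analytics" },
  { src: "/vendor/pixel.js", category: "marketing" },
  { src: "/vendor/replay.js", category: "session-replay" },
];
const SAMPLE_COOKIES = "PHPSESSID=abc123; _ga=GA1.2.111; _fbp=fb.1.222; _hjSessionUser_9999=x";

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditCookies(SAMPLE_COOKIES));
  console.log(planScripts("/appointments/oncology", { analytics: true, marketing: true, healthData: true }, SAMPLE_SCRIPTS));
  console.log(planScripts("/conditions/diabetes", { analytics: true, healthData: false }, SAMPLE_SCRIPTS));
}
```

The design point is that the page classification is evaluated before any consent flag is consulted: on a high-risk page a full set of opt-ins still yields only the essential script, and on a medium-risk page category consent alone is not enough without the separate health-data consent. Running the same gate on every subdomain, including the patient portal, is what keeps a shared tag container from leaking PHI to vendors without a BAA.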
Common Mistakes Healthcare Websites Make
The most frequent error is treating the marketing website and patient portal as separate compliance domains while using the same Google Analytics property and Google Tag Manager container across both. This can cause PHI to flow into analytics platforms that have no BAA in place.
Another common mistake is assuming that "anonymised" or "de-identified" data is safe to share. The OCR bulletin specifically noted that a tracking vendor's promise to remove PHI after receiving it does not retroactively make the initial disclosure permissible.
Session replay tools present a particular danger. If a session replay captures a patient entering symptoms, medication names, or appointment details, that recording may contain PHI - and the session replay vendor almost certainly has no BAA.
Frequently Asked Questions
Do healthcare websites need a cookie banner?
Yes. Any website that sets non-essential cookies needs a consent mechanism under the ePrivacy Directive and GDPR. Healthcare websites face additional requirements because health-related browsing data may qualify as special category data, requiring explicit consent rather than standard consent.
Does HIPAA require cookie consent?
HIPAA does not have a cookie consent rule. It restricts the disclosure of PHI, which can include data transmitted by tracking cookies on authenticated pages. A cookie banner does not satisfy HIPAA authorisation requirements, so covered entities must evaluate whether tracking technologies on their sites create impermissible PHI disclosures.
Can I use Google Analytics on a healthcare website?
On public-facing pages that do not process health data, Google Analytics can be used with proper cookie consent. On authenticated patient pages or pages where URLs reveal health conditions, using Google Analytics without a BAA risks HIPAA violations. Google does not sign BAAs for standard Analytics products.
What is the FTC Health Breach Notification Rule?
The FTC Health Breach Notification Rule applies to health apps and websites not covered by HIPAA. Updated in June 2024, it treats the sharing of identifiable health data through tracking pixels or cookies without user authorisation as a reportable breach. Penalties can reach multi-million dollar settlements.
Are appointment booking pages subject to HIPAA cookie rules?
If the appointment booking system is operated by or on behalf of a HIPAA covered entity, any tracking cookies that transmit appointment-related data to third parties without a BAA may violate HIPAA. The safest approach is to block non-essential cookies entirely on these pages.
Does GDPR treat health website browsing data as special category?
It can. If cookies or tracking pixels collect data that reveals a visitor's health status - such as browsing pages about specific conditions or treatments - that data may qualify as health data under GDPR Article 9. Processing requires explicit consent with specific information about the health data being collected.
Take Control of Your Cookie Compliance
Healthcare websites cannot afford to treat cookie consent as a tick-box exercise. Whether your organisation falls under HIPAA, GDPR, or the FTC Health Breach Notification Rule, the stakes for mishandling tracking technologies are higher than in most other sectors.
Kukie.io detects, categorises, and helps you manage every cookie on your site - including flagging third-party scripts that may transmit sensitive data. Start with a free cookie scan to see exactly what your healthcare website is sharing.