Back to Blog
privacymarketingcompliancetrackingftc

Marketing Pixels and HIPAA Risk: The $9M Pixel Mistake

GoodRx and BetterHelp paid ~$9M for marketing pixels HIPAA risk. Here's how I architected a telehealth funnel so tracking never leaks treatment data.

By Mike Hodgen

Short on time? Read the simplified version

The Growth Playbook That Gets Health Brands Fined

Every DTC operator runs the same playbook. Pixel everything. Drop a Meta pixel, a TikTok pixel, and Google tags on every page. Build remarketing audiences off everyone who hits a product page. Upload your customer list to build lookalikes. Retarget the hot prospects who bounced from checkout. I've done all of it for my own fashion brand, and it works.

That exact move is what got GoodRx and BetterHelp fined a combined roughly $9 million by the FTC.

Here's the tension nobody tells you about when you move into health: the standard growth playbook and health compliance are in direct conflict. The marketing pixels HIPAA risk isn't a footnote. It's the single biggest enforcement surface in the entire build. The same instinct that makes you money in unregulated DTC is the thing that triggers a federal settlement the moment you start selling treatment.

I learned this firsthand when I architected a longevity and telehealth brand. The marketing pixel was the first thing I flagged as a critical risk, before the database, before the intake flow, before any of the clinical pieces. Because the way pixels work is fundamentally incompatible with the way HIPAA thinks about disclosure.

Most operators install tracking by reflex through a tag manager and never audit where it fires. That's the gap. You don't intend to leak patient data. The pixel does it for you, silently, on every page load.

In this article I'm going to show you exactly what leaked in the GoodRx and BetterHelp cases, why hashed emails don't save you, and the architecture I used to measure marketing performance without sending a single patient's treatment context to an ad network. This is the stuff I wish someone had handed me before I started.

What Actually Leaked: The GoodRx and BetterHelp Cases

These are public FTC cases, so I can name them.

GoodRx shared user health data with Meta, Google, and other third parties through advertising pixels and SDKs. That included information about the medications people looked up and the conditions implied by those lookups. The FTC's first enforcement action under its Health Breach Notification Rule landed on them in 2023.

BetterHelp shared consumers' email addresses and the answers from their mental health intake questionnaires with Facebook and other advertisers, despite explicitly promising users their health data would stay private. The settlement included $7.8 million in consumer refunds.

The mechanism, not the headline

Forget the headlines for a second and look at the plumbing. When a pixel fires on a page, it doesn't just count a visit. It sends the page URL, the page title, and event metadata to the ad network, alongside an identifier that ties back to a real person.

Diagram showing how a marketing pixel sends page URL, title, and a user identifier from a treatment page to an ad network, leaking patient health context. How a pixel leaks treatment context to ad networks

So when that page reveals a condition or a treatment, like a URL that reads /treatments/anxiety-therapy or a page titled "Your Semaglutide Results," that context travels to Meta or Google bundled with an ID. That's the leak. It's not a hack. It's the product working as designed.

Why hashed isn't safe

Operators hear "hashed email" and assume they're covered. They aren't.

The violation isn't whether the email is readable. The violation is the act of uploading a list of patients to an ad platform in the first place. When you push a custom audience of your patients to Meta, the disclosure is the membership in that list. You are telling Meta "these specific people are my patients." Hashing the email obscures the address, not the fact that the person is on a patient list.

The disclosure is the membership, not the readability. That distinction is what trips up almost every team I talk to.

Why Your Tracking Setup Might Be a Compliance Time Bomb

Let me answer the question you're actually asking: is my tracking a time bomb? If you're running paid acquisition in health and you installed pixels the normal way, probably yes.

The pages that betray you

Walk through the surfaces that leak. Any URL with a human-readable treatment slug. Condition-specific landing pages. Intake quiz result pages. Patient dashboards. Order confirmation pages that name the medication.

A standard Meta, TikTok, or Google pixel sitting on any of those sends treatment context to an ad network on every load. You don't have to do anything wrong manually. The reflex install does the damage.

I've audited funnels where the operator swore they weren't tracking anything sensitive, and within ten minutes I found a pixel firing on the post-checkout page that named the exact prescription in the URL. They had no idea. The tag manager fired it globally and nobody scoped it.

The BAA problem with GA4

Then there's Google Analytics 4. This one catches people who think they did their homework.

Google will not sign a Business Associate Agreement covering GA4. Full stop. That means running GA4 on any patient-facing surface is non-compliant by design. There is no configuration that fixes it, because the vendor refuses to take on the legal liability of handling protected health information.

If you've got GA4 on your patient dashboard, you have a problem that no cookie banner solves.

The deeper fix is architectural. You want to shrink your HIPAA surface area so that the number of pages touching protected health information is as small as possible, and so the vendors that do touch it will actually sign a BAA. Most operators have never mapped which of their pages are regulated and which aren't. That map is where the audit starts.

The Hard Ban: No Tracking on Any Page That Reveals Treatment

Here's the load-bearing rule I built the whole telehealth funnel around.

The rule

A hard, absolute ban on Meta, TikTok, and Google remarketing pixels on any URL that reveals treatment. No GA4 on patient surfaces, period. No exceptions, no "but we really need the data," no tag manager overrides.

This isn't a guideline I hoped people would follow. It's enforced in code. The patient-facing app simply does not load those scripts. A privacy policy is a document; this is a wall.

The URL design that backs it up

The rule pairs with a deliberate URL design. No human-readable treatment slug appears anywhere in a patient-facing URL. Generic paths, opaque IDs. So even if something leaked, the URL itself reveals nothing about the person or their condition.

Comparison matrix contrasting marketing surfaces and treatment surfaces across URL design, pixels, analytics, and risk, separated by a code-enforced wall. Marketing surfaces vs treatment surfaces, opposite rules

This is the exact opposite of the SEO-friendly slug instinct every DTC operator has trained into their bones. On marketing pages, I want rich descriptive slugs because they help rankings and they reveal nothing about an individual. On patient surfaces, I want opaque paths because the slug is a liability.

That's the core split. Marketing surfaces and treatment surfaces are two different worlds with opposite rules. Marketing pages get pixels, rich slugs, and full tracking, because nothing on them identifies a specific patient or their treatment. Treatment surfaces get opaque URLs, no ad pixels, and BAA-covered analytics only.

The reason these surfaces also need different consent models is its own subject, because marketing consent and treatment consent are not the same thing. Agreeing to be retargeted is not the same as agreeing to clinical data handling, and treating them as one bucket is how teams accidentally collapse the wall they just built.

How You Still Measure Marketing Without Leaking Data

The second question every operator asks: if I kill the pixels, how do I measure anything? Fair. You're spending real money on acquisition and you need to know what works.

Server-side conversion tracking with stripped identifiers

The answer is server-side conversion tracking with stripped identifiers. Instead of the browser pixel firing on a sensitive page and dumping context to the ad network, your server sends a conversion event with only what's necessary. No treatment context. No condition. No patient-identifying payload.

Diagram comparing browser pixel tracking that leaks patient context to server-side conversion tracking that strips identifiers before sending only a signup event to the ad network. Browser pixel vs server-side conversion tracking

You can still tell Meta "an ad drove a signup" without telling Meta what the person signed up for. The conversion fires from your backend, you control exactly what's in the payload, and the sensitive context never crosses the boundary. That's compliant conversion tracking that still feeds your campaign optimization.

The conversion event answers "did this ad produce a customer." It does not answer "what is this customer being treated for." That second question is none of the ad network's business, and now it literally can't get the answer.

What you give up and why it's worth it

I'll be honest about the tradeoffs, because they're real.

Your remarketing gets weaker. You can't build granular custom audiences off patient lists, because uploading those lists is the violation we already covered. Your attribution gets less precise. Cross-device attribution gets fuzzier, and you lean harder on first-party data and cohort analysis instead of the platform's pixel-stitched view.

That's the honest picture. You give up some attribution precision. In exchange, you don't get a federal settlement and a headline with your company name in it.

That's not a close call. The downside of the convenient version is the GoodRx and BetterHelp FTC settlement, plus refunds, plus a consent decree that follows you for twenty years. Fuzzier attribution is a rounding error against that. You adapt your measurement, you build a stronger first-party data muscle, and you sleep fine.

Why This Pattern Repeats Beyond Health

This isn't really a health problem. It's a sensitive-data problem, and health is just where the FTC has been most aggressive.

The instinct to instrument everything is correct in unregulated DTC. On my fashion brand, I pixel everything and I should. Nothing on a product page reveals something sensitive about an individual. The instinct becomes dangerous the moment a page reveals financial status, legal trouble, or a medical condition tied to a real person.

A page that reveals someone is behind on debt, going through a divorce, applying for a hardship program, or being treated for a condition carries the same risk profile as a telehealth page. The category changes. The mechanism is identical.

And the fix is always the same pattern. Separate marketing surfaces from sensitive surfaces. Strip identifiers at the boundary so context never crosses into a third party. Never upload sensitive-list audiences to ad platforms.

I've now applied this exact split across finance, legal, and health builds, because the pattern repeats across every regulated industry. Once you've solved it once, you recognize it everywhere.

The most important thing to understand: this is an architecture decision, not a policy memo. A privacy policy doesn't stop a pixel from firing. Code stops a pixel from firing. If your compliance lives in a PDF and not in your deployment, you don't have compliance. You have intentions.

Audit Your Funnel Before the FTC Does

You don't need me to start. Here's a self-audit you can run this week.

Vertical four-step funnel self-audit checklist covering listing pixels, identifying sensitive pages, checking uploaded patient lists, and confirming BAA coverage. Four-step funnel self-audit

First, list every pixel and tag firing across your domains. Open your tag manager and actually read what's configured, then verify in the browser network tab what fires on each page type. The gap between what you think fires and what actually fires is usually where the problem lives.

Second, identify which pages reveal anything sensitive about an individual. Treatment slugs, condition pages, quiz results, dashboards, confirmation pages.

Third, check whether you've ever uploaded a customer or patient list to an ad platform for custom audiences or lookalikes. If you have, in a regulated category, that's a disclosure.

Fourth, confirm whether your analytics vendor will sign a BAA. If it's GA4 on a patient surface, you already know the answer.

Most teams that run this discover at least one leak. Usually more.

I architected an entire telehealth funnel around this constraint from day one, which is a very different exercise from retrofitting it later. If you want the full picture of building it clean from the start, here's how I went about standing up a regulated telehealth brand.

If you're running paid acquisition in a regulated space and you're not certain your tracking is clean, that uncertainty is the problem. The pixel doesn't care whether you meant to leak. It just fires.

Thinking about AI for your business?

If this resonated, let's have a conversation. I do free 30-minute discovery calls where we look at your operations and identify where AI could actually move the needle.

Book a Discovery Call

Get AI insights for business leaders

Practical AI strategy from someone who built the systems — not just studied them. No spam, no fluff.

Ready to automate your growth?

Book a free 30-minute strategy call with Hodgen.AI.

Book a Strategy Call