HIPAA Marketing Compliance: The $9M Pixel Mistake (Simply Explained)
A plain-language guide to HIPAA marketing compliance. No jargon, no tech speak: just what it means for your business.
By Mike Hodgen
The Marketing Move That Works Everywhere Except Health
Here's how I grow my DTC fashion brand in San Diego. I track everything.
I put little pieces of code from Facebook and Google on every page. They watch what people do. What they click. What they add to cart. Then I show those people ads to bring them back.
This is normal. Every marketer on earth does it. And it makes money.
But if you run a health business, this exact move can cost you millions.
Two well-known health brands found this out the hard way. Together they paid around 9 million dollars. Not because they got hacked. Not because some criminal broke in.
They paid because of the standard tracking code that every marketer installs on day one.
The problem was simple. Their tracking code sat on pages that revealed what people were being treated for. And that code quietly sent that information to Facebook and Google.
Nobody at those companies meant to do it. They were good marketers running the playbook that works everywhere else. The tracking code doesn't know it's sitting on a sensitive page. It just sends what it always sends.
What That Little Tracking Code Actually Sends
Most people think tracking code just counts visitors. It does way more than that. And the "way more" is where the lawsuits live.
The first thing it sends is the full web address of the page someone is looking at.
For my fashion brand, that address might be "/products/linen-shirt." Harmless. Nobody cares that you looked at a shirt.
Now picture a health business. The address is "/treatment/anxiety-medication" or "/results/positive." That address alone tells a deeply private story about a real person.
And it never sends it anonymously. The code always attaches an identifier that ties the visit to a specific person: a cookie that follows the browser from visit to visit, the click ID that arrived with the ad, or a hashed email address picked up from a form. That's its whole job.
So you're not sending "someone looked at a page." You're sending "this exact person looked at a page about this exact condition."
It gets worse. The code can also grab what people type into forms. If your intake form asks about symptoms, that answer can go straight to the ad platform too.
Here's the wall you hit. Under HIPAA, an outside company can only receive health information if it first signs a business associate agreement, the contract that makes it legally responsible for protecting that data. Facebook won't sign one, and Google won't sign one for its ads and analytics tools. So even if you wanted that data to land somewhere legal, there's nowhere for it to go.
That's the whole trap. A sensitive page, plus a personal ID, plus a company that legally can't receive health data. You assemble all three by accident every time you paste tracking code into your site.
Two Rules That Wall It Off
The fix is boring. It's two rules. It won't win any awards, but it's the difference between marketing that grows your health brand and marketing that ends it.
Rule one: no tracking on any page that reveals someone's health.
This is a hard line, not a suggestion. Treatment pages, intake forms, results pages, the patient portal. None of them get tracking code. Ever.
The test I use is simple. Would you be comfortable if this page's address and form answers showed up in Facebook's logs next to a real name? If the answer is no, no tracking.
Here's the part most teams get wrong. They load tracking across the whole site, then put up one cookie banner, and assume that covers them. It doesn't.
Someone clicking "accept cookies" has not given you permission to send their medical condition to Facebook. That's the trap dressed up as compliance.
The way I build it, tracking is off by default. A page has to be specifically cleared as safe before it gets any tracking at all. The code literally cannot load on a sensitive page, no matter what button the visitor clicked.
And you lose almost nothing. The pages where tracking actually drives smart ad spending are the early ones anyway. Your homepage. Your blog. Your pricing page. You keep all of those.
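To make the trap and rule one concrete, here is an added example (my own illustration, not the article's code or any ad platform's actual pixel): a stripped-down model of what a pixel assembles on a page, beside a loader that is off by default and only runs on pages cleared in an allowlist. The page objects, the `_fbp` cookie name, the `/pricing` and `/blog/` allowlist entries and the sample form answers are all assumptions constructed for the example.

```javascript
// Added example, not code from the article: a stripped-down model of what an
// ad pixel collects on a page, next to a deny-by-default loader that will not
// run it anywhere except on pages explicitly cleared as safe. The page object,
// the cookie name and the allowlist contents are assumptions for illustration.

// What the pixel assembles on every page it runs on. A real pixel reads these
// from window.location, document.cookie, the click id in the query string and
// the form fields on the page; here they come from a plain object so the
// example runs outside a browser.
function buildPixelPayload(page) {
  return {
    // Full address, query string included. On "/treatment/anxiety-medication"
    // the path alone is the diagnosis.
    url: page.path + (page.query ? "?" + page.query : ""),
    // A persistent first-party cookie and the click id that came with the ad.
    // Either one ties this hit to a specific person.
    browserId: (page.cookies && page.cookies._fbp) || null,
    clickId: page.clickId || null,
    // Form fields scraped for ad-platform "matching". On an intake form this
    // is the symptom answer, not just an email address.
    formFields: Object.fromEntries(
      Object.entries(page.formFields || {}).filter(([, v]) => v !== "")
    ),
  };
}

// Rule one as code: the allowlist of pages cleared for tracking. Everything
// not listed is off. Assumed contents for this example.
const CLEARED = {
  exact: new Set(["/", "/pricing", "/blog"]),
  prefixes: ["/blog/"],
};

function isCleared(path) {
  // Normalise case and trailing slashes so "/Pricing/" and "/pricing" agree.
  const p = path.toLowerCase().replace(/\/+$/, "") || "/";
  return CLEARED.exact.has(p) || CLEARED.prefixes.some((pre) => p.startsWith(pre));
}

// The loader decision. The allowlist is checked before consent, so a cookie
// banner can never switch tracking on for a treatment page.
function trackingDecision(page, consentGiven) {
  if (!isCleared(page.path)) {
    return { load: false, reason: "page not on allowlist" };
  }
  if (!consentGiven) {
    return { load: false, reason: "no consent" };
  }
  return { load: true, reason: "cleared page with consent", payload: buildPixelPayload(page) };
}

// Constructed sample pages, not real traffic.
const SAMPLE_PAGES = {
  pricing: { path: "/pricing", cookies: { _fbp: "fb.1.1700000000000.1234567890" }, clickId: "IwAR0example" },
  treatment: { path: "/treatment/anxiety-medication", cookies: { _fbp: "fb.1.1700000000000.1234567890" } },
  intake: {
    path: "/intake",
    cookies: { _fbp: "fb.1.1700000000000.1234567890" },
    formFields: { email: "pat@example.com", symptoms: "panic attacks, insomnia", notes: "" },
  },
};

// For each sample page, what site-wide tracking would send (no gate) beside
// what the allowlisted loader does when the visitor clicked "accept".
function demoTracking() {
  const out = {};
  for (const [name, page] of Object.entries(SAMPLE_PAGES)) {
    out[name] = {
      withoutGate: buildPixelPayload(page),
      withGate: trackingDecision(page, true),
    };
  }
  return out;
}

console.log(JSON.stringify(demoTracking(), null, 2));
```

Two things to notice when it runs. The `withoutGate` payload for the intake page carries the symptom answer next to the cookie ID, which is exactly the combination the article warns about. And `withGate` for the treatment and intake pages is `load: false` even though consent was `true`, because consent is never consulted for a page that is not on the list. The example sends the query string on cleared pages because real pixels do; a `?q=` search term is one more place a condition can hide, so review what your cleared pages put in their URLs too.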
Rule two: keep your marketing data and your health data in two separate places.
Most companies put everything in one spot. One record per person, with their marketing preferences and their treatment details all sitting together.
It feels efficient. It's a loaded gun.
When marketing data and health data live together, it's frighteningly easy to grab the health data by accident. Someone runs a report to "build a list of active customers," and because the treatment details are right there, they come along for the ride. Nobody meant to do it. The setup made it inevitable.
So I keep two separate vaults. One holds marketing stuff: email, name, whether they opted in. The other holds the sensitive health stuff. Different locks, different keys.
Information flows in one direction only. The health side can tell the marketing side "yes, this person is a customer." It never tells it what they're being treated for. And the marketing side can never reach into the health vault at all.
This matters even more with AI. If you give an AI assistant access to both vaults, it will eventually leak something. Not maybe. Eventually. You give it a vague instruction, it grabs the most relevant thing it can find, and on a combined record the most relevant thing is the medical detail.
So I lock the AI to the marketing vault only. If it can't read the sensitive data, it can't leak it.
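Here is rule two and the AI lock-down as an added example (my own illustration, not the article's code): the same customer records held in one combined store versus split into a marketing vault and a health vault, the "list of active customers" report run against each, and an audit that calls every tool the assistant is given and flags any whose output carries a health field. The record fields, the ids, the tool names and the `HEALTH_FIELDS` list are assumptions constructed for the example.

```javascript
// Added example, not code from the article: combined store versus split
// vaults, the same report run against each, and a check that every tool the
// assistant can call stays on the marketing side. Record fields, ids and tool
// names are assumptions for illustration.

// Constructed sample data, not real people.
const PEOPLE = [
  { id: "u1", name: "A. Rivera", email: "a@example.com", optIn: true,  active: true,  treatment: "anxiety medication" },
  { id: "u2", name: "B. Chen",   email: "b@example.com", optIn: false, active: true,  treatment: "sleep medication" },
  { id: "u3", name: "C. Okafor", email: "c@example.com", optIn: true,  active: false, treatment: "blood pressure medication" },
];

// Field names that must never appear on the marketing side (assumed list).
const HEALTH_FIELDS = ["treatment", "diagnosis", "symptoms"];

// The "one spot" design: marketing preferences and treatment details on the
// same record. The report only wanted names and emails, but it copies whole
// records, so the treatment comes along for the ride.
function activeCustomersCombined(records) {
  return records.filter((r) => r.active && r.optIn).map((r) => ({ ...r }));
}

// The split design. Treatment details live in a private field, and the only
// question the health side will answer is "is this id an active customer?".
class HealthVault {
  #records;
  constructor(records) {
    this.#records = new Map(
      records.map((r) => [r.id, { active: r.active, treatment: r.treatment }])
    );
  }
  isActiveCustomer(id) {
    const r = this.#records.get(id);
    return Boolean(r && r.active);
  }
}

// Marketing vault: only the fields marketing is allowed to hold.
class MarketingVault {
  constructor(records) {
    this.records = records.map(({ id, name, email, optIn }) => ({ id, name, email, optIn }));
  }
  optedIn() {
    return this.records.filter((r) => r.optIn);
  }
  find(id) {
    return this.records.find((r) => r.id === id) || null;
  }
}

// Same report, split design: health is asked per id and answers yes or no.
function activeCustomersSplit(marketing, health) {
  return marketing.optedIn().filter((r) => health.isActiveCustomer(r.id));
}

// The tool surface handed to the AI assistant. It receives the marketing vault
// and nothing else, so there is no handle to HealthVault for it to misuse.
function assistantTools(marketing) {
  return {
    listOptedIn: () => marketing.optedIn(),
    lookupCustomer: (id) => marketing.find(id),
  };
}

// Audit: call every tool and return the names of any whose output carries a
// health field. Run it in CI so a new tool cannot quietly widen the surface.
function leakingTools(tools, sampleId) {
  const hasHealthField = (v) =>
    Array.isArray(v) ? v.some(hasHealthField)
    : v && typeof v === "object"
      ? Object.keys(v).some((k) => HEALTH_FIELDS.includes(k)) || Object.values(v).some(hasHealthField)
      : false;
  return Object.entries(tools)
    .filter(([, fn]) => hasHealthField(fn(sampleId)))
    .map(([name]) => name);
}

function demoVaults() {
  const health = new HealthVault(PEOPLE);
  const marketing = new MarketingVault(PEOPLE);
  return {
    combinedReport: activeCustomersCombined(PEOPLE),
    splitReport: activeCustomersSplit(marketing, health),
    leakingTools: leakingTools(assistantTools(marketing), "u2"),
  };
}

console.log(JSON.stringify(demoVaults(), null, 2));
```

The combined report returns a record with `treatment` on it even though nobody asked for it; the split report returns the same person with only id, name and email, because the health side was only ever asked a yes-or-no question. The audit is the part worth keeping: if someone later adds a tool that returns raw combined records, `leakingTools` names it.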
Marketing Still Works Inside These Walls
The question I always get: doesn't this kill growth? It doesn't.
You keep tracking on your early-stage pages, which is where most ad spending gets optimized anyway. You keep building audiences of people similar to your best customers. You keep email marketing to everyone who opted in.
What you give up is the ability to show someone an ad because they looked at a specific treatment. That was the illegal part. That was the exact thing that cost two brands 9 million dollars.
So reframe it. Those brands weren't winning because of that data. They were one audit away from a catastrophe. The data felt like an edge. It was a time bomb.
In my experience, the marketing you lose is tiny and measurable. The disaster you avoid is enormous and all-or-nothing. You either get the letter or you don't. That's not a hard trade.
And the best part is none of this is a six-month project. The two rules are decisions you make at the start, when you're building the thing. Splitting the vaults, turning tracking off by default, locking down your AI. It's how you build it right the first time, not a painful cleanup later.
I've built this into telehealth brands from day one, which is exactly why it was fast instead of brutal. And it's not just health. I use the same shape in financial advisory, HR, labor compliance. Keep the sensitive data thin, wall it off from the tools that legally can't touch it, and lock your AI to the safe side.
If you run marketing in health, telehealth, or wellness, this is the first thing I'd check. Not your brand. Not your funnel. Your tracking code and your data separation. Because the cheapest version of this fix is the one you do before a lawyer forces it on you.