Why OCR issued it
Two things came together in 2022. First, The Markup and STAT published an investigation that found Meta Pixel on 33 of the top 100 U.S. hospital websites and inside the patient portals at 7 of them. Second, the Dobbs decision put a spotlight on health-data privacy generally, especially around reproductive health.
OCR responded with the December 2022 bulletin. It was the first formal federal statement that web tracking on healthcare sites could violate HIPAA. Up until then, most hospital marketing teams treated tracking pixels as routine — the same way every retail site treated them.
What the bulletin actually says
The bulletin makes three main claims.
First, that an IP address combined with a healthcare context counts as PHI when collected by a covered entity or business associate. The reasoning: ad platforms can match IPs to identified users, so the recipient sees the data as identifying even if the hospital can't.
Second, that this applies on both authenticated pages (logged-in patient portals) and unauthenticated public pages where the visitor's intent suggests a healthcare interest — like browsing a specific condition page, looking up a doctor, or starting an appointment booking.
Third, that disclosing PHI to a third-party tracker without a Business Associate Agreement and without patient authorization violates HIPAA, regardless of whether the data is anonymized, aggregated, or otherwise transformed.
Why the bulletin was controversial
The American Hospital Association and other industry groups objected to two things in particular.
The first was the breadth. The original bulletin covered any unauthenticated page where a visitor might have a healthcare reason for being there. That swept in a lot of educational content. A page about diabetes visited by a researcher, a journalist, or a curious teenager would all be covered the same way, even though none of those visitors were patients.
The second was the practical impossibility of compliance. To comply, hospitals would have to either remove all tracking, get BAAs from companies like Meta and Google (neither of which signs them for advertising data), or get individual authorization from every visitor — which isn't workable for an unauthenticated page where the hospital doesn't know who the visitor is.
What the March 2024 revision changed
The revised bulletin tried to address some of the breadth concern. OCR clarified that for unauthenticated pages, the analysis depends on whether the visitor's purpose is "related to the individual's past, present, or future health or healthcare or payment for care."
That's narrower than the original but still broad. OCR's examples of pages that would be covered included specific symptom searches, condition pages where the URL or content implied personal interest, and any flow that led to scheduling or contact. Whether generic informational content was covered was left less clear.
What *AHA v. Becerra* did
The American Hospital Association filed suit in November 2023 in the Northern District of Texas. The court ruled in June 2024 that OCR had overstepped on one specific point: the agency couldn't treat an IP address as PHI on an unauthenticated page when it couldn't establish that the visitor's intent was specifically about the visitor's own health.
The judge vacated that portion of the bulletin. He left the rest intact.
What's still covered after the ruling:
- Anything on authenticated pages (patient portals, logged-in MyChart, logged-in mobile apps)
- Pages with explicit clinical context where intent is clear (scheduling flows, find-a-doctor with criteria, condition-specific provider pages)
- Identified PHI by other means (URLs containing email, member ID, MRN, etc.)
What's not covered after the ruling:
- Generic educational pages about a topic where the visitor could be anyone
- Public marketing pages without clinical specificity
- Pages where the visitor's intent is ambiguous
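As an added illustration, not part of the original article, here is a scoping check that applies the post-ruling criteria above to a crawled page inventory and flags every third-party tracker on an in-scope page that has no BAA. The Page fields, the sample inventory, the identifier patterns and the empty BAA set are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Page:
    """One crawled page plus the third-party tracker hosts seen in its outbound requests (constructed)."""
    url: str
    authenticated: bool
    page_type: str      # constructed label: portal, scheduling, find_a_doctor, condition_provider, education, marketing
    trackers: tuple     # e.g. ("connect.facebook.net",)


# Page types where visitor intent is explicit per the post-ruling framework.
CLINICAL_CONTEXT_TYPES = {"scheduling", "find_a_doctor", "condition_provider"}
# Trackers with a signed BAA; empty because the ad platforms do not sign them for advertising data.
TRACKERS_WITH_BAA = set()

# Direct identifiers leaking through the URL itself (email, raw or percent-encoded, or an ID parameter).
EMAIL_RE = re.compile(r"[\w.+-]+(?:@|%40)[\w-]+\.\w+")
IDENT_PARAM_RE = re.compile(r"[?&](?:mrn|member_?id|patient_?id|email)=", re.I)


def identifier_in_url(url):
    return bool(EMAIL_RE.search(url) or IDENT_PARAM_RE.search(url))


def scope_page(page):
    """Return (in_scope, reason); the reason string is the written analysis to keep on file."""
    if page.authenticated:
        return True, "authenticated page: PHI regardless of content"
    if identifier_in_url(page.url):
        return True, "URL carries a direct identifier (email / MRN / member ID)"
    if page.page_type in CLINICAL_CONTEXT_TYPES:
        return True, f"explicit clinical context ({page.page_type}): intent is clear"
    return False, f"{page.page_type} page, visitor intent ambiguous: out of scope after the ruling"


def audit(pages):
    """One finding per (in-scope page, tracker without BAA) pair."""
    findings = []
    for p in pages:
        in_scope, reason = scope_page(p)
        if not in_scope:
            continue
        for t in p.trackers:
            if t not in TRACKERS_WITH_BAA:
                findings.append({"url": p.url, "tracker": t, "reason": reason})
    return findings


# Constructed sample inventory for a hypothetical hospital site.
SAMPLE_INVENTORY = [
    Page("https://hospital.example/mychart/visits", True, "portal", ("connect.facebook.net",)),
    Page("https://hospital.example/schedule?dept=oncology", False, "scheduling",
         ("connect.facebook.net", "www.googletagmanager.com")),
    Page("https://hospital.example/conditions/diabetes", False, "education", ("connect.facebook.net",)),
    Page("https://hospital.example/reset?email=jane%40example.org", False, "marketing",
         ("www.googletagmanager.com",)),
]
```

Running audit(SAMPLE_INVENTORY) yields four findings: one for the portal page, two for the scheduling page, one for the marketing page whose URL leaks an email; the diabetes education page produces none.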
Why the bulletin still matters even after the ruling
Three reasons.
First, it remains the controlling federal guidance for authenticated pages and clinical-context pages. That's where most of the litigation has actually been — Advocate Aurora, MarinHealth, Novant, and the rest were patient-portal cases.
Second, even where OCR's specific position has been narrowed, the bulletin established the legal framework that plaintiffs' lawyers use in class actions. The state-law claims (wiretap, invasion of privacy, common-law negligence) borrow HIPAA's standard of care. Narrowing OCR's position didn't extinguish the class actions.
Third, OCR has continued to enforce on tracking issues since the ruling. The Risk Analysis Initiative (12 enforcement actions through 2025) cites tracking-related findings as evidence that practices haven't done a real risk assessment.
What to do with all of this
Treat authenticated pages and clinical-context pages as in-scope. Treat ambiguous-intent marketing pages as defensible if you've actually thought about them. Document your reasoning either way — the absence of a written analysis is what turns a borderline finding into a willful-neglect penalty tier.