The 30 days that follow a tracker finding are some of the most important in your HIPAA program. What you do (and what you write down) determines whether OCR treats this as a manageable incident or as evidence that your practice doesn't take HIPAA seriously.

Here's the playbook in order.

Day 1–2: Document, don't delete

Resist the urge to log into Tag Manager and pull everything. Two reasons.

First, you need to know what was actually firing. A snapshot of the current configuration is evidence. If you remove things first, you can't reconstruct the scope of the disclosure.

Second, breach notification (if it applies) requires you to characterize what data was disclosed. You can't do that from memory. Take screenshots of the trackers, the pages they fired on, the Tag Manager configuration (including the container's version history), and any privacy policy claims that contradict what was actually happening. Save the network traces from your scan; a HAR export from the browser's developer tools is better evidence than a screenshot because it preserves the full request URLs and payloads the pixel actually sent to the vendor.

Write a timeline. When was the tracker installed? Who installed it? When did you discover it? Who else knows? This document is what your attorney will work from and what OCR will eventually ask to see.

Day 3–5: Get an attorney

Specifically, a healthcare privacy attorney. Not your general business attorney unless they happen to do this work. The decisions over the next two weeks have significant legal consequences and you want someone who's worked HIPAA cases before.

The attorney's first call is whether this triggers the Breach Notification Rule (45 CFR §§164.400–414). Under the definition of breach at §164.402, an impermissible disclosure of PHI is presumed to be a breach unless you can demonstrate a low probability that the PHI was compromised, using a four-factor risk assessment: the nature and extent of the PHI involved, the unauthorized party who received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Tracking-pixel cases vary: some are clearly breaches, some are arguable, some aren't. The attorney's written analysis goes in your file either way. If you conclude it is not a breach, that risk assessment is the document OCR will ask for.

If it is a breach, the 60-day clock starts on the day you discovered it, not on the day the trackers first fired. Be careful with "discovered": under §164.404(a)(2) a breach is treated as discovered on the first day it is known to any workforce member or agent of the practice, or would have been known with reasonable diligence, which can be earlier than the day the finding reached you. And 60 days is the outer limit; the rule requires notice "without unreasonable delay." That gives you at most eight weeks to investigate, prepare notices, and file with HHS. Don't burn that time arguing internally about whether to act.

Day 5–10: Scope the disclosure

Work with the attorney and your IT/web team to figure out exactly what data was disclosed.

The questions to answer:

  • Which pages had the tracker installed?
  • Were any of those pages clinical-context (condition, find-a-doctor, scheduling)?
  • Were any inside the patient portal or behind a login?
  • How long was the tracker live?
  • How many unique visitors hit those pages during that time?
  • What data did the tracker actually transmit to the third party?
  • Did any of that data reach a vendor without a BAA?

For most practices, the answers will require web logs, Tag Manager history, and possibly outside forensics. Budget for a forensic firm if the scope is large or unclear.
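The scoping questions above come down to two pieces of evidence: the pixel requests captured in your network trace (what was sent, to whom) and your web server logs (who loaded the affected pages while the tracker was live). The script below is an added example, not code from the original article: it parses captured pixel request URLs to list the fields each one carried and whether the reported page was clinical-context, then counts unique visitors to tracked pages inside the live window from combined-format access logs. The request URLs, log lines, date window, and clinical-path patterns are all constructed for illustration; the `dl`, `ev`, `cd[...]` and `ud[...]` parameter names follow the Meta pixel's public query format, but the IDs and values are made up.

```python
"""Scope a tracking-pixel disclosure from captured requests and access logs.

Added example, not from the original article. Inputs below are constructed.
"""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

# Paths the article calls "clinical-context". Assumption: adjust to your own site map.
CLINICAL_PATH_PATTERNS = [r"^/conditions/", r"^/find-a-doctor", r"^/schedule", r"^/portal/"]

# Constructed pixel requests, in the shape they appear in a saved HAR / network trace.
CAPTURED_REQUESTS = [
    "https://www.facebook.com/tr?id=1234567890&ev=PageView"
    "&dl=https%3A%2F%2Fclinic.example%2Fconditions%2Fhiv-care&cd%5Bcontent_name%5D=HIV%20Care",
    "https://www.facebook.com/tr?id=1234567890&ev=Schedule"
    "&dl=https%3A%2F%2Fclinic.example%2Fschedule%3Fprovider%3Ddr-lee&ud%5Bem%5D=9f86d081884c7d65",
    "https://www.google-analytics.com/g/collect?v=2&tid=G-ABCDEFG"
    "&dl=https%3A%2F%2Fclinic.example%2Fabout",
]

# Constructed access-log lines in Apache/Nginx combined format (IPs from documentation ranges).
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2024:14:05:33 +0000] "GET /conditions/hiv-care HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11)"
203.0.113.7 - - [12/Mar/2024:14:06:10 +0000] "GET /schedule?provider=dr-lee HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11)"
198.51.100.22 - - [13/Mar/2024:09:12:01 +0000] "GET /about HTTP/1.1" 200 1800 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.23 - - [14/Mar/2024:17:40:44 +0000] "GET /find-a-doctor/oncology HTTP/1.1" 200 3001 "-" "Mozilla/5.0 (iPhone)"
192.0.2.9 - - [02/Apr/2024:11:00:00 +0000] "GET /conditions/diabetes HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (Windows)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_clinical(path: str) -> bool:
    return any(re.search(p, path) for p in CLINICAL_PATH_PATTERNS)


def transmitted_fields(request_url: str) -> dict:
    """Describe one captured pixel request: vendor, the page it reported, and the fields it carried."""
    parts = urlsplit(request_url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    page = params.get("dl", "")  # Meta and GA both send the page URL in "dl"
    return {
        "vendor": parts.hostname,
        "event": params.get("ev", params.get("en", "PageView")),  # "ev" (Meta) / "en" (GA4)
        "page": page,
        "clinical": is_clinical(urlsplit(page).path),
        "fields": sorted(params),
        # Meta "advanced matching" fields (ud[em], ud[ph], ...) carry hashed patient identifiers.
        "user_data": sorted(k for k in params if k.startswith("ud[")),
    }


def scope_from_logs(log_text: str, window_start: datetime, window_end: datetime,
                    tracked_prefixes=("/",)) -> dict:
    """Count visitors who loaded tracked pages while the tracker was live.

    A visitor is approximated as (client IP, User-Agent): this over-counts behind NAT
    and under-counts shared devices, so say so in the scope memo. IP addresses are
    themselves HIPAA identifiers, so keep this analysis on the same controlled systems
    as the logs.
    """
    visitors, clinical_visitors, pages, clinical_pages = set(), set(), set(), set()
    hits = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; in real work, count and report these too
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        if not (window_start <= ts <= window_end):
            continue
        if not any(path.startswith(p) for p in tracked_prefixes):
            continue
        if not m["status"].startswith("2"):
            continue  # only successfully rendered pages could have fired the pixel
        hits += 1
        visitor = (m["ip"], m["ua"])
        visitors.add(visitor)
        pages.add(path)
        if is_clinical(path):
            clinical_visitors.add(visitor)
            clinical_pages.add(path)
    return {
        "hits": hits,
        "unique_visitors": len(visitors),
        "unique_visitors_clinical": len(clinical_visitors),
        "pages": sorted(pages),
        "clinical_pages": sorted(clinical_pages),
    }


def example_scope() -> dict:
    """Run the log analysis over the constructed window (tracker live 1–20 March 2024, assumed)."""
    start = datetime(2024, 3, 1, tzinfo=timezone.utc)
    end = datetime(2024, 3, 20, 23, 59, 59, tzinfo=timezone.utc)
    return scope_from_logs(ACCESS_LOG, start, end)


if __name__ == "__main__":
    for url in CAPTURED_REQUESTS:
        print(transmitted_fields(url))
    print(example_scope())
```

The request parser is what tells you whether the answer to "what did the tracker transmit" is just a page URL (bad enough when the path names a condition) or also hashed identifiers such as an email address via `ud[em]`; the log pass is what turns "how long was it live" into a visitor count you can put in a notification decision.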

Day 10–15: Notify and remove

Once the attorney has cleared the move, remove the trackers. Document the removal — date, time, who did it, screenshots of before and after.

If breach notification is required, the next steps follow the standard timeline. Notify affected individuals without unreasonable delay and no later than 60 days after discovery (§164.404). For breaches affecting 500 or more individuals, notify HHS at the same time (§164.408) and, where 500 or more residents of a single state or jurisdiction are affected, notify prominent media outlets serving that area (§164.406). Breaches affecting fewer than 500 individuals go in your breach log and are submitted to HHS within 60 days after the end of the calendar year in which they were discovered. Notify state attorneys general where state law requires.

Don't notify the third-party vendors (Meta, Google, etc.) without the attorney's specific guidance. Those notifications can affect later claims and counterclaims.

Day 15–20: Audit how it happened

The thing OCR cares about most isn't the tracker itself. It's the absence of governance that allowed it to happen. The corrective action plans in pixel settlements (Advocate Aurora, MarinHealth, others) all require:

  • Written policies on what tracking technologies are allowed
  • A change-management process for adding new scripts
  • Regular audits of the website for unauthorized scripts
  • Training for marketing and IT staff
  • A defined approval chain (privacy officer + legal) for any new tracker

Write the policies now. Don't wait for OCR to require them. Practices that show up to an investigation with already-adopted policies fare better.

Day 20–30: Document remediation

Put everything in a single file: timeline, scope analysis, attorney memo, breach notification (if applicable), removal steps, new governance policies, training records, audit schedule.

This file is your evidence that the issue was discovered, contained, and remediated within 30 days. The 30-day window is not arbitrary: 45 CFR §160.404 sets a lower penalty tier for violations due to willful neglect that are corrected within 30 days of when you knew or should have known of them, and a higher tier for willful neglect that is not corrected. If it gets that far, you want to be in the corrected tier. The statutory per-violation minimum for the uncorrected tier is five times that of the corrected tier, and the annual cap OCR applies under its enforcement discretion is higher as well.

After day 30

Schedule a follow-up audit at 90 days. Tracker problems often recur because someone reinstalls the same pixel for the same reason. Without ongoing monitoring, you're doing the same cleanup again next year.

Most practices learn from the first incident that they need ongoing monitoring of their public-facing surfaces. That's the part of HIPAA that didn't exist when the rules were written but matters now. The hook in the Security Rule is the information system activity review specification, §164.308(a)(1)(ii)(D), which requires regular review of records of system activity; most auditors now read that to include external scanning of public web surfaces for scripts and third-party requests that were never approved.
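A minimal version of that external scan, which also serves the Day 1–2 snapshot and the "regular audits of the website for unauthorized scripts" item in the governance list, is an added example and not code from the original article: it inventories the tracker loaders present in a page's HTML (script sources, inline loader snippets, image and iframe pixels), compares the vendors found against an approved list, and diffs a later scan against the post-remediation baseline to catch a reinstalled pixel at the 90-day check. The HTML pages, the vendor signatures, the approved-vendor list, and the hypothetical BAA-covered host `analytics.clinic.example` are all constructed for illustration. A static pass like this catches the loaders themselves; scripts that a tag manager injects at runtime only show up in a headless-browser capture of network requests, so use both.

```python
"""Inventory tracker loaders in page HTML and diff scans against a baseline.

Added example, not from the original article. Pages and signatures are constructed.
"""
import re
from html.parser import HTMLParser

# Loader signatures for common vendors. Assumption: extend with what you actually find.
SIGNATURES = {
    "Meta Pixel": [r"connect\.facebook\.net/.*/fbevents\.js", r"facebook\.com/tr\b",
                   r"\bfbq\(\s*['\"]init['\"]"],
    "Google Tag Manager": [r"googletagmanager\.com/gtm\.js", r"\bGTM-[A-Z0-9]+\b"],
    "Google Analytics": [r"googletagmanager\.com/gtag/js", r"google-analytics\.com",
                         r"\bgtag\(\s*['\"]config['\"]"],
    "TikTok Pixel": [r"analytics\.tiktok\.com"],
    "LinkedIn Insight": [r"snap\.licdn\.com"],
    "Clinic Analytics (BAA)": [r"analytics\.clinic\.example"],  # hypothetical BAA-covered vendor
}

# Vendors with a signed BAA or a documented no-PHI configuration (assumption for the example).
APPROVED = {"Clinic Analytics (BAA)"}


class TrackerParser(HTMLParser):
    """Collect (vendor, where, evidence) for every signature hit in script/img/iframe content."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script, self._script_buf = True, []
            if a.get("src"):
                self._match("script src", a["src"])
        elif tag in ("img", "iframe") and a.get("src"):
            self._match(f"{tag} src", a["src"])  # catches <noscript> image pixels too

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._match("inline script", "".join(self._script_buf))
            self._in_script = False

    def _match(self, where, text):
        for vendor, patterns in SIGNATURES.items():
            for p in patterns:
                m = re.search(p, text)
                if m:
                    self.findings.append((vendor, where, m.group(0)))
                    break  # one finding per vendor per location is enough evidence


def inventory(html: str) -> dict:
    """Return {vendor: [(where, evidence), ...]} for every tracker loader found in the page."""
    p = TrackerParser()
    p.feed(html)
    p.close()
    out = {}
    for vendor, where, evidence in p.findings:
        out.setdefault(vendor, []).append((where, evidence))
    return out


def unapproved(inv: dict, approved=APPROVED) -> list:
    """Vendors present on the page that are not on the approved list."""
    return sorted(v for v in inv if v not in approved)


def reintroduced(baseline: dict, current: dict) -> list:
    """Vendors present now that were absent from the post-remediation baseline (the 90-day check)."""
    return sorted(set(current) - set(baseline))


# Constructed pages: what a condition page looked like at discovery, after removal, and 90 days on.
PAGE_AT_DISCOVERY = """<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var f=d.getElementsByTagName(s)[0],j=d.createElement(s);
j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-ABC123');</script>
<script src="https://analytics.clinic.example/collect.js"></script>
<script>fbq('init', '1234567890'); fbq('track', 'PageView');</script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
<h1>HIV Care</h1></body></html>"""

PAGE_AFTER_REMOVAL = """<html><head>
<script src="https://analytics.clinic.example/collect.js"></script>
</head><body><h1>HIV Care</h1></body></html>"""

PAGE_AT_90_DAYS = """<html><head>
<script src="https://analytics.clinic.example/collect.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body><h1>HIV Care</h1></body></html>"""


if __name__ == "__main__":
    found = inventory(PAGE_AT_DISCOVERY)
    print("at discovery:", found)
    print("unapproved:", unapproved(found))
    baseline = inventory(PAGE_AFTER_REMOVAL)
    print("reintroduced at 90 days:", reintroduced(baseline, inventory(PAGE_AT_90_DAYS)))
```

Run it against a saved copy of each page in your site map on a schedule, keep the inventory output with the rest of the incident file, and treat any non-empty `reintroduced` result as a change-management failure to investigate rather than a pixel to quietly delete.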