
The HIPAA tracking pixel that cost Novant Health $6.6M

If your healthcare practice has Meta Pixel, Google Analytics, or any other ad-network tracker on a patient-facing page, you're sitting on the same violation pattern OCR has now fined five organizations for since 2024.

This page walks you through a passive 5-minute browser audit you can do yourself — same checks Mozilla Observatory and Google Lighthouse run, no logins, no exploits.


Why "tracking pixel" is the most enforced HIPAA violation of 2024-2026

The 2022 HHS-OCR Bulletin on Tracking Technologies gave covered entities one job: stop sending Protected Health Information (PHI) to ad networks. The catch: most healthcare websites have Meta Pixel and Google Analytics installed by default, and most web vendors don't realize a patient appointment URL contains PHI.

Since 2024, OCR has settled with:

The 5-minute browser audit

  1. Open your patient portal login page in Chrome.
  2. Right-click → Inspect → Network tab.
  3. Refresh the page (Cmd-R / Ctrl-R).
  4. Filter the rows for these 10 domains:
connect.facebook.net
google-analytics.com
analytics.google.com
googletagmanager.com
analytics.tiktok.com
snap.licdn.com
doubleclick.net
hotjar.com
fullstory.com
clarity.ms

If any of those appear, you have the Novant pattern. Document them and remove them from patient-facing URLs by end of week.
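The same check run over a HAR file exported from the Network tab, as an added example that is not part of the original page: hostnames are matched by domain suffix rather than substring, and each hit is also checked for the audited page's URL in its query string. The function names, the `example.test` hosts and the sample HAR entries are constructed for illustration.

```javascript
// Tracker domains from step 4 of the audit above.
const TRACKER_DOMAINS = [
  "connect.facebook.net", "google-analytics.com", "analytics.google.com",
  "googletagmanager.com", "analytics.tiktok.com", "snap.licdn.com",
  "doubleclick.net", "hotjar.com", "fullstory.com", "clarity.ms",
];

// Match the exact host or any subdomain, never a bare substring:
// "static.hotjar.com" matches hotjar.com, "nothotjar.com" does not.
function matchTracker(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return TRACKER_DOMAINS.find((d) => h === d || h.endsWith("." + d)) || null;
}

// Walk a HAR export (log.entries[].request.url) and report every request
// that reached a listed tracker. sendsPageUrl is true when the request
// carries the audited page's host and path in a query parameter.
function auditHar(har, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const entry of har.log.entries) {
    let req;
    try { req = new URL(entry.request.url); } catch { continue; } // malformed URL
    const tracker = matchTracker(req.hostname);
    if (!tracker) continue;
    const sendsPageUrl = [...req.searchParams.values()].some(
      (v) => v.includes(page.host + page.pathname));
    findings.push({ tracker, host: req.hostname, sendsPageUrl });
  }
  return findings;
}

// Constructed sample input, not captured from a real site.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://portal.example.test/login" } },
  { request: { url: "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE" } },
  { request: { url: "https://www.google-analytics.com/collect?dl=https%3A%2F%2Fportal.example.test%2Flogin" } },
  { request: { url: "https://nothotjar.com.example.test/a.js" } },
  { request: { url: "https://cdn.example.test/app.js?ref=clarity.ms" } },
] } };

console.log(auditHar(SAMPLE_HAR, "https://portal.example.test/login"));
```

A finding with `sendsPageUrl: true` is the one to document first, since the page address itself left the site.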

What to do next

Real numbers from one of my recent scans: 8 of 10 small Georgia practices had at least one tracking pixel firing on their patient portal login page. Half had three or more. None of their staff knew.