⬡ CASE STUDY

Novant Health's $6.6M HIPAA settlement: the full breakdown

February 2024. The HHS Office for Civil Rights fined Novant Health $6.6 million for tracking pixels left firing on patient appointment pages. Here's exactly what happened and what every healthcare practice can copy so it never ends up in that same case file.

Get the 30-page deep-dive (bundle exclusive) →

What Novant did wrong

Novant Health, a 15-hospital system across NC/SC/VA, had Meta Pixel and Google Analytics installed on its public-facing website — including the /scheduling appointment page and /find-a-provider search.

When a visitor used those pages, identifying URL parameters (the appointment type, the provider's specialty, the visitor's IP, the visitor's Facebook account if logged in) were transmitted to Meta and Google. That data, combined with the page URL, qualified as PHI under §164.502.

OCR's three findings

  1. §164.502(a) — uses and disclosures of PHI. Sending PHI to a non-BAA third party = automatic violation.
  2. §164.504(e) — Business Associate Agreement requirements. Meta and Google would not sign a BAA, so they were ineligible to process this data.
  3. §164.530(c) — administrative safeguards. Novant had no documented review of which third-party services touched its patient-facing URLs.

The six things every practice should mirror

  1. Inventory every third-party script on every patient-facing URL. Most practices have 8-15 they don't know about.
  2. Remove all ad-network tags (Meta, Google, TikTok, LinkedIn, Snap) from /portal, /appointments, /telehealth, /billing.
  3. For non-ad analytics you actually need (Mixpanel, Amplitude, Heap), get a signed BAA. Most won't sign — switch to a HIPAA-compliant alternative (e.g., Matomo on-prem, Plausible self-hosted).
  4. Document the change — who decided what, when, with what justification. OCR cares about the paper trail almost as much as the technical state.
  5. Re-audit quarterly. Web vendors add new analytics every release.
  6. Train staff. The Novant breach happened because nobody knew the appointment page was sending data to Meta. A 15-min annual training would've caught it.
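As an added illustration of step 1 (this is not code from the case study or from Novant), a small Python audit that lists every off-site script, image and iframe source on a page, catches inline pixel bootstraps such as `fbq(` and `gtag(` that load nothing via `src`, and marks the finding when the page path is one of the patient-facing paths named above. The tracker host list, the page URL and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Patient-facing paths named in the case study; extend for your own site.
SENSITIVE_PATHS = ("/scheduling", "/find-a-provider", "/portal", "/appointments", "/telehealth", "/billing")
# Assumed ad-network/analytics hosts to flag (illustrative, not exhaustive).
TRACKER_HOSTS = {"connect.facebook.net", "www.facebook.com", "www.googletagmanager.com",
                 "www.google-analytics.com", "analytics.tiktok.com", "snap.licdn.com"}
# Inline bootstraps that fire a pixel even when no <script src> points off-site.
INLINE_SIGNS = re.compile(r"\b(fbq|gtag|ttq|snaptr|_linkedin_partner_id)\s*[(=]")
class ThirdPartyCollector(HTMLParser):
    """Collects off-site script/img/iframe sources plus inline tracker calls."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.in_script, self.hits = page_host, False, []
    def _add(self, kind, where):
        if (kind, where) not in self.hits:      # de-duplicate repeated calls
            self.hits.append((kind, where))
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        src = dict(attrs).get("src") if tag in ("script", "img", "iframe") else None
        host = urlparse(src).netloc if src else ""
        if host and host != self.page_host:     # same-origin assets are fine
            self._add(tag, host)

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        if self.in_script:                      # script bodies arrive here as raw text
            for m in INLINE_SIGNS.finditer(data):
                self._add("inline", m.group(1))

def audit(page_url, html):
    """Return findings for one page; 'sensitive' marks patient-facing paths."""
    p = urlparse(page_url)
    c = ThirdPartyCollector(p.netloc)
    c.feed(html)
    sensitive = any(p.path.startswith(s) for s in SENSITIVE_PATHS)
    return [{"page": p.path, "kind": k, "where": w, "sensitive": sensitive,
             "known_tracker": w in TRACKER_HOSTS} for k, w in c.hits]

# Constructed sample: an appointment page carrying a GA loader and a Meta Pixel.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>fbq('init', '000'); fbq('track', 'PageView');</script>
<script src="/static/app.js"></script>
</head><body><img src="https://www.facebook.com/tr?id=000&ev=PageView"></body></html>"""
```

Feed it the saved HTML of each patient-facing page in place of `SAMPLE_HTML`; a headless-browser snapshot of the rendered DOM will also surface tags injected by a tag manager that the static source alone does not show, which is the case step 5's quarterly re-audit is meant to catch.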

What this costs to do

Start at $29 →