Compliance
5
min read

Protecting Your Practice: What Aesthetic and Wellness Providers Need to Know About Website Tracking and Patient Privacy

If your practice uses digital advertising on Facebook, Instagram, Google, LinkedIn, or TikTok, there is a good chance your website contains tracking code that is actively sharing information about your patients with those platforms. Not intentionally. It was almost certainly installed by a marketing agency as standard setup for your ad campaigns.

That tracking code has been generating lawsuits across the aesthetic and healthcare industry for the past several years.

Since 2023, healthcare and health-adjacent organizations in the United States have paid more than $100 million in settlements tied to website tracking technologies. Class action lawsuits have been filed against national aesthetic chains, dental groups, hospital systems, telehealth providers, and clinics of all sizes.

The practices being sued are not bad actors. Most of them had no idea what their tracking tools were actually doing.

What is a Tracking Pixel?

A tracking pixel is a snippet of JavaScript code that advertising platforms provide to businesses for free. You paste the code onto your website, and it allows you to measure which ads are driving visits and bookings, retarget people who visited your site with follow-up ads, and build audiences of new potential patients.

These are legitimate marketing tools. The problem is what else they do. When a pixel fires on a webpage, it sends data back to the ad platform. On a standard retail website, that data is fairly routine. On a medical or health-related website, the data can include:

  • The specific treatment page the visitor viewed, such as injectables, laser, or body contouring
  • What the person typed into a booking or consultation form, including their name, contact information, and reason for their visit
  • Their preferred provider or location
  • Their appointment date and time
  • Their unique social media account ID, which allows the platform to connect all of that information directly to a named, identifiable person

When that information is linked to a person's identity, it can become protected health information under federal and state law. Once it reaches a server at Meta, Google, or LinkedIn, it has been disclosed without the patient's knowledge or consent.

The Legal Landscape

Does HIPAA Apply to Your Practice?

Not every aesthetic, wellness, or med spa practice is a HIPAA covered entity. HIPAA applies to providers that transmit health information electronically in connection with certain standard transactions, such as insurance billing. Practices that operate on a cash-pay model and do not bill insurance may not meet the technical definition of a covered entity.

That said, if your practice employs a Medical Director, performs procedures that are ordered or supervised by a licensed physician, or handles any form of electronic health records, you should confirm your status with an attorney. Many practices assume they are not covered by HIPAA when they are, and others assume they are covered when the question is more nuanced.

Even for practices that are not HIPAA covered entities, the legal exposure from tracking pixels does not disappear. State privacy laws, not HIPAA, are driving most of the lawsuits in this space.

State Privacy Laws

State wiretapping and privacy statutes allow private lawsuits from individual patients, and plaintiffs' attorneys have been filing them across the country. The key statutes include:

  1. California Invasion of Privacy Act (CIPA): California's wiretap law prohibits unauthorized interception of electronic communications. It applies to any business serving California residents, even if the practice is located outside California.
  2. California Confidentiality of Medical Information Act (CMIA): Protects individually identifiable medical information held by providers and businesses that handle health information, even outside the formal HIPAA framework.
  3. Electronic Communications Privacy Act (ECPA): A federal wiretap law that allows private lawsuits for unauthorized interception of electronic communications.
    State consumer protection laws: Most states allow unfair and deceptive trade practice claims when a business's privacy policy does not accurately describe how patient data is actually being handled.

The key point: where your patients come from matters as much as where your practice is located. If patients visit your website from California, California law may apply regardless of your state.

What the Lawsuits Teach Us

The litigation wave of the past few years has produced patterns that every aesthetic practice should understand.

The dollar amounts are significant. Individual settlements have ranged from $875,000 for a single regional facility to $6.66 million for a health system to $12.25 million for a large hospital network. A national aesthetic chain settled for $3.5 million. A major dental group settled for $18.7 million. In July 2024, the tracking pixel's primary provider paid $1.4 billion to a single state to settle a government enforcement action.

Patients do not need to prove they were harmed. Courts have allowed class members to participate in settlements without showing any concrete injury from the data sharing. The unauthorized disclosure itself is treated as the harm. This lowers the barrier for plaintiffs to join lawsuits and increases class sizes.

Vague privacy policies are not a defense. Courts have found that generic statements like "we may share information with third-party partners to improve your experience" are not adequate disclosure of pixel tracking. When there is a gap between what your privacy policy says and what your tracking tools actually do, that gap becomes the basis for a misrepresentation claim on top of the privacy violation itself.

The booking form is the highest-risk area. Across the lawsuits that have proceeded and settled, the most significant evidence consistently involves tracking pixels that captured data from appointment booking forms, consultation intake forms, and patient portals. If your practice uses an online booking tool, that is the first place to examine.

Any third-party tracking tool carries risk, not just Meta. Lawsuits have also been filed over LinkedIn's Insight Tag, Google Analytics, TikTok Pixel, and other retargeting tools. If any third-party script on your website can receive a patient's identity alongside their health-related browsing behavior, the legal exposure is similar regardless of which platform the pixel belongs to.

The Core Issue: Your Privacy Policy Must Reflect Reality

Your privacy policy must accurately describe what your website actually does with patient data.
Most privacy policies in the aesthetic space were written years ago, copied from a template, or generated by a tool that did not know your specific marketing setup. They may reference tracking in general terms. They almost certainly do not list specific tools by name, describe what data each tool collects, or explain that appointment booking behavior may be transmitted to advertising platforms.

That gap between what your policy says and what your technology does is precisely what plaintiffs' attorneys look for. A 2025 court ruling found that privacy policy language can constitute a material misrepresentation under state unfair trade practices statutes when it does not accurately reflect actual data sharing practices. A privacy policy that is present but misleading is not just a gap. It is an additional legal exposure.

Your Terms and Conditions face the same scrutiny. If your terms reference data handling in ways that conflict with your privacy policy or your actual practices, that inconsistency creates further risk.

Your Action Checklist

These steps reflect the consistent recommendations of healthcare privacy attorneys and compliance experts across the industry. This is not legal advice. Every practice's situation is different, and the legal landscape varies by state.

  1. Conduct a full website tracking audit.
Identify every pixel, tag, script, and third-party integration on your website. This includes Meta Pixel, Google Analytics and Ads tags, LinkedIn Insight Tag, TikTok Pixel, Snapchat Pixel, Microsoft Clarity, Pinterest tags, and any session recording tools. Your web developer can produce this list, or a website privacy scanner can identify what is actively firing on each page.
  2. Remove pixels from booking and intake pages.
The safest immediate step is to remove all third-party tracking pixels from any page where patients enter personal information, including booking forms, consultation intake forms, contact forms, and any page behind a patient login. This addresses the highest-risk area while you complete a broader review.
  3. Confirm no pixels are present on authenticated pages.
If your practice uses a patient portal or any page that requires a login, remove all third-party tracking tools from those pages entirely.
  4. Consult a healthcare privacy attorney.
This is the most important step on this list. The legal landscape involves federal law, multiple state statutes, and a body of case law that varies depending on where your patients are located. A qualified attorney can assess your specific setup, clarify whether HIPAA applies to your practice, advise on state-specific requirements, and help you prioritize next steps. Do not rely solely on your marketing agency or web developer for legal guidance on these questions.
  5. Rewrite your privacy policy to be specific and accurate.
Work with your attorney to update your privacy policy so that it names every third-party tool you use that receives user data, describes what data each tool collects and how it is used, clearly states whether appointment and consultation page activity may be tracked, and explains users' rights to opt out or request deletion of their data. Write it in plain language that a patient can understand.
  6. Update your Terms and Conditions.
Ensure your Terms and Conditions are consistent with your revised privacy policy. Any reference to data handling or third-party tools should align precisely with what your privacy policy says.
  7. If HIPAA applies to your practice, update your Notice of Privacy Practices.
HIPAA covered entities are required to provide patients with a Notice of Privacy Practices describing how protected health information may be used. If you have added new booking software, a patient portal, or new marketing tools since your notice was last updated, a revision is required.
  8. Implement a Consent Management Platform.
A consent management platform presents users with a clear disclosure of what tracking tools are present on your site and obtains their consent before those tools fire. When properly configured, this allows you to continue using advertising pixels on most of your website while ensuring that tracking on sensitive pages only occurs after the patient has given informed consent. Many solutions are available at modest cost and integrate with most website platforms.
  9. Review vendor contracts for Business Associate Agreements, if applicable.
If your practice is a HIPAA covered entity, any vendor that handles protected health information on your behalf must have a signed Business Associate Agreement in place. Review your vendor contracts and request agreements from any vendor that does not already have one. If a vendor refuses, that tool should not be used on any page where patient data is present.
  10. Explore server-side tracking as a long-term alternative.
Standard pixel tracking sends data directly from the patient's browser to the advertising platform before you have any opportunity to filter it. Server-side tracking routes data through your own server first, allowing you to remove patient-identifying information before it reaches the platform. This can preserve advertising effectiveness while reducing legal exposure. Discuss this option with your web developer and marketing team.
    Build a regular review into your compliance calendar.
Website tracking setups change over time. Marketing agencies add new pixels. Booking software updates introduce new tags. New campaigns require new integrations. A quarterly review of your website's tracking setup ensures that new tools are evaluated before they go live.

The Bottom Line

Aesthetic and wellness practices rely on digital advertising, and digital advertising relies on tracking tools. That does not have to change. What needs to change is the assumption that installing a pixel is consequence-free.

The practices facing litigation are not, in most cases, practices that made deliberate decisions to misuse patient data. They are practices that installed standard marketing tools, trusted that their privacy policies were adequate, and never asked what those tools were actually doing with the information they collected.

Courts and regulators have made the standard clear: patients seeking aesthetic and medical treatments have a reasonable expectation that their browsing and booking activity will not be shared with advertising platforms without their knowledge. Meeting that expectation is achievable. It requires an accurate privacy policy, careful configuration of tracking tools, appropriate consent mechanisms, and the guidance of a qualified attorney who understands how these laws apply to your specific practice.

This blog is for educational and informational purposes only and does not constitute legal advice. Practices should consult a qualified attorney with expertise in healthcare privacy law and the statutes applicable in their state before making compliance decisions.

By Christina Malik | Chief Legal Officer at Arora Health

Christina Malik, JD is a healthcare attorney and operations executive with more than 20 years of experience supporting complex healthcare organizations across compliance, operations, and growth strategy. She is the founder of Cor Consulting Partners, where she works with medical spas, wellness companies, physician practices, digital health platforms, and private equity–backed healthcare organizations.

Christina has served as Chief Operating Officer and General Counsel for multi-site healthcare organizations and franchised medical spa systems, leading compliance programs and supporting multi-state expansion, physician agreements, and M&A initiatives. Her approach focuses on building scalable, compliant operating models that align regulatory requirements with real-world business decisions.

She holds a Juris Doctor with a healthcare law specialization, an MBA in organizational finance, and a Bachelor’s degree in business administration. Christina is a Certified Medical Practice Executive and a Fellow of the American College of Healthcare Executives.