Quick answer

A 2024 Texas federal court vacated one narrow element of OCR’s tracking pixel guidance. It did not clear the risk for appointment booking pages, patient portals, or intake forms. Meta does not sign Business Associate Agreements. If your Houston dermatology website uses Meta Pixel or Google Analytics on any page where patients schedule appointments or describe their skin conditions, the exposure is real and the court ruling does not change it.

If someone told you a 2024 court ruling made tracking pixels legal on healthcare websites, they gave you part of the story. The ruling was real. So was its narrow scope. Most Houston dermatology practices that use online appointment booking have not gotten a clear explanation of what changed and what did not.

What the 2024 Court Ruling Actually Said

In June 2024, a federal judge in Texas issued a ruling in American Hospital Association v. Becerra that vacated a specific element of OCR’s tracking technology guidance. That element was called the “Proscribed Combination”: the theory that an individual’s IP address combined with a visit to an unauthenticated public webpage about a health condition constitutes protected health information under HIPAA.

The court found that OCR exceeded its authority in establishing that rule. HHS filed a notice of appeal in August 2024, then withdrew it ten days later. The ruling stands, and HHS confirmed it will not pursue further appeals.

For a dermatology practice in Houston, this means tracking tools on general public pages (your homepage, provider bios, and services overview) carry a lower federal HIPAA risk than OCR’s original guidance suggested. A potential patient browsing your psoriasis treatment page without logging in is not automatically triggering a HIPAA violation under the vacated rule.

That is where the good news ends.

What the Ruling Did Not Touch

The court was explicit that its ruling addressed only the Proscribed Combination on unauthenticated public pages. Every other element of OCR’s guidance remained in force. The requirement that covered entities must have a signed Business Associate Agreement with any vendor that receives PHI was not disturbed. The requirement that tracking on authenticated pages still triggers HIPAA was not disturbed.

For a dermatology practice, the pages that matter are not the homepage. They are the appointment request form. The contact form asking what the patient wants to be seen for. The patient portal login page. Any online intake flow where the patient describes their skin condition before the first visit. Tracking code running on any of those pages is outside the protection the 2024 ruling provides.

OCR also stated in its March 2024 updated guidance that it is prioritizing compliance with the HIPAA Security Rule in all investigations involving online tracking technologies. That enforcement prioritization statement was not affected by the court’s ruling.

Why Does Dermatology Face Specific Exposure?

Dermatology is not a low-sensitivity specialty for tracking purposes. Practices treat conditions patients consider private: psoriasis, eczema, rosacea, skin cancer, acne scarring, and conditions with visible stigma. A patient scheduling a skin cancer screening or a consultation for a chronic skin condition has health information at stake from the moment they interact with your booking page.

Most Houston dermatology practices use online appointment booking, either through their own website or a third-party platform. Many use Google Tag Manager, which can load a dozen different tracking scripts without the practice owner ever seeing them. A practice that installed Google Analytics in 2019 may have no idea that Google Tag Manager is also running Meta Pixel and three other scripts that nobody intentionally added.

A 2024 analysis found that 33% of healthcare websites still use Meta Pixel tracking code despite the compliance risks. A separate 2024 study found tracking pixels were present on 98% of hospital websites, with the majority sending data to Google and many running on authenticated pages. Specialty practices in Houston follow the same marketing patterns and carry the same exposure. The same pattern shows up in mental health, as covered in Texas mental health practices and the tracking code gap.

The BAA Gap the Court Ruling Did Not Fix

Regardless of what the 2024 ruling says about unauthenticated pages, the core compliance problem for most practices has always been the Business Associate Agreement gap.

Meta does not sign BAAs. This is confirmed and not expected to change. If Meta Pixel is on any page where a patient takes a health-related action, you are transmitting patient data to a vendor with no HIPAA agreement in place. That is an impermissible disclosure whether or not the specific IP address in question meets the vacated definition of PHI.

Google Analytics does not offer a standard BAA. Google offers a data processing addendum for some products, but that addendum does not function as a BAA for HIPAA purposes. Practices that believe the Google DPA covers their HIPAA obligations on appointment pages should have that assumption reviewed. The same disconnect explains why an IT provider BAA does not equal HIPAA compliance, and why a missing tracking-vendor BAA shows up in OCR letters.

The Class Action Risk Is Separate from OCR

Even where OCR enforcement is uncertain, class action exposure from tracking pixels is independent and growing.

Kaiser Permanente agreed to pay up to $47.5 million to settle a class action lawsuit alleging that tracking pixels on authenticated pages transmitted confidential patient information to Google Analytics, Meta Pixel, Microsoft, and Twitter without patient consent. The case involved 13.4 million current and former members and data transmissions spanning seven years.

In 2025, Blue Shield of California disclosed that a Google Analytics pixel had leaked 4.7 million patients’ health data to Google Ads for nearly three years. The tracking code had been running on authenticated pages without the organization’s awareness.

Plaintiff attorneys pursue tracking pixel claims under wiretapping statutes, state consumer protection laws, and common law privacy theories. None of those theories were affected by the June 2024 OCR ruling. Texas has its own wiretapping statute that applies independently of federal HIPAA guidance. A dermatology practice in Houston or Katy with an online booking form is not exempt from these theories based on the size of the practice or the size of the patient panel.

What to Check on Your Website Right Now

If you run a dermatology practice in Houston and use any form of online appointment booking, here is the check to run.

Open your appointment scheduling page in a browser. Right-click and select Inspect, then open the Network tab. Reload the page. Look at which external domains are receiving requests. You are looking specifically for facebook.com, facebook.net, google-analytics.com, doubleclick.net, googletagmanager.com, or any other domain that is not your own practice domain or your booking platform’s domain.

If you see requests going to Meta or Google on an appointment page and do not have a signed BAA with those vendors on file, that is the gap to address. The answer is not always to remove analytics entirely. HIPAA-compliant analytics tools exist that do not transmit identifiable data to third parties. The answer is to know what is running and whether your agreements cover it.

Check your patient portal login page and any intake form patients complete before their first visit. These are the pages where the combination of identifiable information and health condition is most direct, and the pages plaintiff attorneys examine first.
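The Network tab check above can be partly scripted. The following is an added example, not code from the original article or from any vendor: it classifies the hosts a page has loaded resources from into first party, known tracking vendors (the domains named in this article), and other third parties. The practice and booking domains (`example-derm.test`, `example-scheduler.test`) and the sample URL list are constructed placeholders; in a real browser console you would pass `performance.getEntriesByType("resource").map(e => e.name)` instead.

```javascript
// Tracking-vendor domains named in the article. Matching is by suffix so that
// hosts such as connect.facebook.net or www.google-analytics.com are caught.
const TRACKING_DOMAINS = [
  "facebook.com",
  "facebook.net",
  "google-analytics.com",
  "doubleclick.net",
  "googletagmanager.com",
];

// True when host is the domain itself or a subdomain of it
// ("notfacebook.net" must not match "facebook.net").
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Constructed sample of resource URLs, in the shape the browser's Resource
// Timing API reports them. None of these were captured from a real site.
const SAMPLE_RESOURCE_URLS = [
  "https://www.example-derm.test/css/site.css",
  "https://booking.example-scheduler.test/widget.js",
  "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX",
  "https://connect.facebook.net/en_US/fbevents.js",
  "https://www.google-analytics.com/g/collect?v=2",
  "https://fonts.example-cdn.test/font.woff2",
  "data:image/png;base64,iVBORw0KGgo=", // no host; skipped
];

// Sort each resource host into one of three buckets. ownDomains is the list of
// domains the practice controls or has a BAA-covered platform agreement for.
function auditResourceHosts(urls, ownDomains) {
  const firstParty = new Set();
  const knownTrackers = new Set();
  const otherThirdParty = new Set();

  for (const raw of urls) {
    let host;
    try {
      host = new URL(raw).hostname;
    } catch {
      continue; // malformed entry; nothing to classify
    }
    if (!host) continue; // data: and blob: URLs have no host

    if (ownDomains.some((d) => hostMatches(host, d))) {
      firstParty.add(host);
    } else if (TRACKING_DOMAINS.some((d) => hostMatches(host, d))) {
      knownTrackers.add(host);
    } else {
      otherThirdParty.add(host);
    }
  }

  return {
    firstParty: [...firstParty].sort(),
    knownTrackers: [...knownTrackers].sort(),
    otherThirdParty: [...otherThirdParty].sort(),
  };
}

// Human-readable summary for the console. Known trackers are the hosts that
// need either a signed BAA on file or removal from appointment/intake pages;
// "other third party" hosts need to be identified before they can be cleared.
function formatReport(report) {
  const lines = [];
  lines.push("First-party hosts: " + (report.firstParty.join(", ") || "(none)"));
  lines.push("Known tracking vendors: " + (report.knownTrackers.join(", ") || "(none)"));
  lines.push("Other third-party hosts (identify these): " + (report.otherThirdParty.join(", ") || "(none)"));
  return lines.join("\n");
}

// Stand-alone run over the constructed sample. In a browser console on the
// appointment page, replace SAMPLE_RESOURCE_URLS with
// performance.getEntriesByType("resource").map((e) => e.name)
const REPORT = auditResourceHosts(SAMPLE_RESOURCE_URLS, [
  "example-derm.test",
  "example-scheduler.test",
]);
console.log(formatReport(REPORT));
```

Two caveats when running this against a live page. Resource Timing only reports what has loaded so far, and Google Tag Manager injects further scripts after the page is idle and often only after the visitor interacts with the form, so run it again after filling in and submitting a test appointment request. It also does not replace the Network tab: the tab shows request bodies, which is how you confirm whether a form field such as the reason for the visit is actually being sent to a listed host.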

The Practical Picture for Houston Dermatology Practices

The 2024 court ruling gave healthcare organizations some relief on general public pages. It did not close the compliance gap on authenticated pages, it did not create BAA coverage where none existed, and it did not stop class action attorneys from pursuing pixel claims under state law.

For a Houston dermatology practice with online booking, the right question is not whether tracking pixels are theoretically permitted on your homepage. It is what is running on your appointment pages, who is receiving that data, and whether you have the agreements in place to support it.

Most practices that I work with in the Houston area have not done this check. The marketing team or the web developer installed the tools years ago, and no one has reviewed what they are transmitting since. That review is the starting point, and it is one most practices can complete in an afternoon with the right guidance. For a structured second look at what is running on your site, the $750 Privacy Exposure Review delivers your top compliance gaps in a one-page memo within 48 hours.

Last reviewed: May 15, 2026
