Quick answer
The biggest privacy risks in a Katy healthcare practice’s marketing are usually invisible: the tracking pixels on your website, the way your team replies to online reviews, and the testimonials you publish without a signed authorization. OCR has treated website tracking tools like the Meta Pixel and Google Analytics as a source of impermissible PHI disclosures. A Dallas dental practice paid $10,000 for revealing patient details in a Yelp reply. The FTC fined GoodRx $1.5 million and BetterHelp $7.8 million for sharing health data with advertisers. Texas added its own privacy law on July 1, 2024. None of this requires a hacker.
If you run a healthcare practice in Katy or the greater Houston area, your marketing is probably exposing patient data in ways you have never been warned about. The risks are not in the obvious places. They are in the analytics code on your website, the friendly reply your front desk posts under a one-star review, and the glowing testimonial on your homepage. Here is what each one looks like, what it has cost other practices, and how to fix it.
Why your website’s tracking pixels are the biggest hidden risk
Most practice websites run third-party code to measure traffic and run ads. The Meta Pixel and Google Analytics are the two most common. They quietly send data about your visitors back to Facebook and Google. On a healthcare website, that data can include things that identify a person and reveal something about their health, like the fact that they booked an appointment with an oncology clinic or filled out an intake form for a specific condition.
In December 2022, OCR issued a bulletin warning that this kind of tracking can be an impermissible disclosure of protected health information when it sends PHI to a third party without a business associate agreement or a patient authorization. OCR updated that guidance on March 18, 2024. The bulletin named the Meta Pixel and Google Analytics specifically.
This is not theoretical enforcement talk. On July 20, 2023, the FTC and OCR sent joint warning letters to roughly 130 hospital systems and telehealth providers about exactly this risk. Two federal agencies, one letter, one message: know what your tracking code is sending.
Did the Texas court ruling make tracking pixels safe again?
Partly, and this is where a lot of practice owners get the wrong idea. The American Hospital Association, joined by the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, sued HHS over the tracking bulletin. On June 20, 2024, Judge Mark Pittman of the U.S. District Court for the Northern District of Texas in Fort Worth ruled that part of OCR’s guidance went beyond the agency’s authority and vacated it. OCR chose not to appeal.
That sounds like a clean win, but read what the court actually struck down. It vacated the narrow rule that said an IP address combined with a visit to an unauthenticated public webpage automatically counts as PHI. It did not bless tracking pixels across the board. Data collected on authenticated pages, like a logged-in patient portal, is still regulated. Actual identifiable health information shared with an advertiser is still a problem. And the ruling did nothing to the FTC’s separate authority, which brings us to the part that affects you even if you are not a hospital.
The FTC has gone after health data sharing directly. GoodRx paid a $1.5 million civil penalty in February 2023 for disclosing customers’ health information to Facebook, Google, and others. That was the first enforcement action under the FTC’s Health Breach Notification Rule. BetterHelp paid $7.8 million in 2023 for sharing mental health data with Facebook, Snapchat, and other platforms. Neither case relied on HIPAA. If you are a small practice that is not even sure HIPAA reaches your marketing pages, the FTC Act and the Health Breach Notification Rule still can.
Can you post patient photos, reviews, and testimonials?
Not without permission. Using protected health information to promote your practice is marketing under HIPAA, and marketing uses of PHI require a written authorization under 45 CFR 164.508(a)(3). A patient testimonial that names the person or reveals their condition is marketing. A before-and-after photo is marketing. A signed authorization that meets HIPAA’s requirements is what makes it allowed.
Replying to reviews is the trap that catches the most practices, because it feels like good customer service. In 2019, Elite Dental Associates in Dallas paid $10,000 to OCR after a patient complained that the practice had responded to her Yelp review by posting her last name along with her health condition, treatment plan, insurance, and the cost of her care. OCR found the practice had disclosed PHI in response to multiple reviews, had no policy governing social media disclosures, and lacked a compliant Notice of Privacy Practices. The settlement was reduced because of the practice’s small size, but the lesson was not.
The rule of thumb: when you respond to a review in public, you cannot confirm the person is a patient, and you cannot reference any detail of their care. Keep it generic, invite them to call the office, and handle everything specific offline.
What about Texas law beyond HIPAA?
Texas now has its own privacy statute. The Texas Data Privacy and Security Act, passed as House Bill 4, took effect on July 1, 2024. It requires consent before a business processes sensitive data, and sensitive data includes information about health. The Texas Attorney General has exclusive authority to enforce it.
The TDPSA exempts HIPAA covered entities and business associates for data they handle in their HIPAA-regulated capacity, so your PHI is not double-regulated. The gap is the marketing data that is not PHI. General website leads, a non-patient newsletter list, and contact-form submissions from people who are not yet patients can fall outside HIPAA and inside the TDPSA. A practice that assumes “we are HIPAA compliant, so Texas law does not touch us” has misread how the exemption works.
What it costs to get this wrong
The numbers run in two directions. On the HIPAA side, civil penalties in 2026 range from $145 per violation at the low end to $2,190,294 per violation per year at the top, based on the inflation-adjusted figures in Federal Register 2026-01688. Elite Dental’s $10,000 was a small-practice discount, not the ceiling. On the FTC side, GoodRx and BetterHelp show seven-figure exposure for health data sharing that started as ordinary marketing.
For a Katy practice, the realistic risk is not a $2 million headline. It is a patient complaint, an OCR inquiry, and a settlement plus a corrective action plan that eats months of your time over something you could have fixed in an afternoon.
What to do next
Start with an inventory of your marketing stack. List every place patient or visitor data flows: your website analytics, your ad pixels, your booking tool, your review platforms, your email lists, and your social accounts. For each one, ask whether it sends identifiable health information anywhere it should not, and whether you have an authorization or agreement covering it.
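As an added example, not part of the original article, here is a small Python script that performs the first step of that inventory on a single page's HTML: it flags the Meta Pixel and Google Analytics loaders named in the OCR bulletin and notes whether the same page carries a booking or intake form with health-related fields, which is the combination the tracking discussion above treats as the real exposure. The signature list, the field hints, the sample page and its placeholder IDs are constructed for illustration and are not the author's or any vendor's code.

```python
"""Inventory third-party trackers on one practice web page (added example)."""
import re
from html.parser import HTMLParser

# Constructed signature list: script hosts and inline calls that identify the two
# trackers the OCR bulletin named. Extend it for the other vendors in your stack.
TRACKER_SIGNATURES = {
    "Meta Pixel": [r"connect\.facebook\.net/[^\"']*fbevents\.js",
                   r"\bfbq\s*\(\s*['\"]init['\"]"],
    "Google Analytics": [r"googletagmanager\.com/gtag/js",
                         r"google-analytics\.com/analytics\.js",
                         r"\bgtag\s*\(\s*['\"]config['\"]\s*,\s*['\"](G|UA)-"],
}
# Field names that suggest a form collecting patient identity or health details.
HEALTH_FIELD_HINTS = ("appointment", "condition", "symptom", "insurance",
                      "dob", "date_of_birth", "diagnosis")

class _PageScanner(HTMLParser):
    """Collect external script URLs, inline script bodies and form field names."""
    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline, self.fields = [], [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag in ("input", "select", "textarea"):
            self.fields.append((a.get("name") or a.get("id") or "").lower())
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def inventory_page(html):
    """Return trackers found, health-related form fields, and a triage label."""
    p = _PageScanner()
    p.feed(html)
    haystack = "\n".join(p.script_srcs + p.inline)
    trackers = sorted(v for v, pats in TRACKER_SIGNATURES.items()
                      if any(re.search(r, haystack) for r in pats))
    fields = [f for f in p.fields if any(h in f for h in HEALTH_FIELD_HINTS)]
    # high: tracker loaded on a page that collects health details
    # review: tracker present; confirm what it sends and whether a BAA covers it
    risk = "high" if trackers and fields else "review" if trackers else "none"
    return {"trackers": trackers, "health_fields": fields, "risk": risk}

# Constructed sample booking page with both trackers and placeholder IDs.
SAMPLE_BOOKING_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>gtag('js', new Date()); gtag('config', 'G-XXXXXXX');</script>
<script>!function(f,b,e){}(window,'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
</head><body><form action="/book"><input name="patient_name">
<input name="insurance_id"><select name="condition"></select></form></body></html>"""

if __name__ == "__main__":
    print(inventory_page(SAMPLE_BOOKING_PAGE))
```

Run it against the saved HTML of each page in your inventory; a "high" result on a booking, portal or intake page is the case to resolve first, while "review" means you still need to confirm what the tag sends and whether an agreement covers it.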
This is the same gap-finding work that sits at the front of a real HIPAA Risk Analysis, and it pairs naturally with the website tracking issues we covered for Houston dermatology practices. If you want a fast, scoped read on where your marketing is exposed, the $750 Privacy Exposure Review is built for exactly this: 48 hours, your top three risks, no big commitment.
The patients trust you with their health. The least visible part of your marketing is where that trust is easiest to break without meaning to.
Last Updated: June 15, 2026