Question 1

Are tracking pixels on a dermatology website really a HIPAA violation?

Accepted Answer

Yes, when the pixel transmits identifying information about an authenticated user or a user interacting with PHI-related pages. The HHS OCR Bulletin on Use of Online Tracking Technologies, originally issued December 1, 2022 and updated in March 2024 after court challenge, holds that Meta Pixel, Google Analytics, and similar trackers placed on protected pages (patient portals, appointment pages, condition-specific pages) without a BAA constitute an impermissible disclosure of PHI. Multiple OCR enforcement actions and class action lawsuits have followed. The first 11 months of 2024 saw over $35 million in tracking-pixel settlements across healthcare entities.

Question 2

How do clinical photography rules work for dermatology?

Accepted Answer

Clinical photographs taken for diagnosis, treatment planning, or documentation are PHI under HIPAA when they identify the patient. Storage, transmission, and disclosure require the same safeguards as any other PHI: encryption at rest and in transit, role-based access, BAA with any cloud storage vendor, and patient authorization for any use outside treatment, payment, or healthcare operations. Photos used in marketing or for before/after galleries require separate written authorization under 45 CFR 164.508. Practice management software used for image storage must support BAA coverage.

Question 3

What HIPAA enforcement should small dermatology practices be tracking?

Accepted Answer

Three enforcement patterns. First, OCR's Risk Analysis Initiative launched fall 2024: by April 2026 OCR had completed 13 Risk Analysis investigations and 19 ransomware-related breach investigations. Every settlement cited a missing or inadequate Risk Analysis under 45 CFR 164.308(a)(1)(ii)(A). Second, OCR's Right of Access Initiative: 54 enforcement actions by December 2025, multiple dental and small specialty practices fined $25,000 to $250,000 for delayed records access. Third, tracking-pixel enforcement: OCR and the FTC have both pursued enforcement against healthcare entities running unauthenticated trackers on PHI-related pages.

Question 4

Does a cash-pay cosmetic dermatology practice still need HIPAA compliance?

Accepted Answer

Often yes. A practice is a HIPAA covered entity under 45 CFR 160.103 if it transmits any health information electronically in connection with a covered transaction. Most cosmetic practices still verify insurance eligibility for some patients, submit electronic claims for medically necessary procedures (Mohs, biopsy, treatment of pre-cancers), or use a practice management system that does so on their behalf. Even pure cash-pay aesthetic practices may be covered entities if they handle any health information about patients in connection with patient services. The safer assumption is that HIPAA applies and to confirm scope through a Risk Analysis rather than assume it does not apply.

Question 5

What are the specific HIPAA risks dermatology practices face that other specialties do not?

Accepted Answer

Four distinct risk patterns. First, clinical photography is central to dermatology and creates high volumes of image-PHI requiring secure storage and structured access. Second, before/after marketing is part of the business model, requiring 45 CFR 164.508 patient authorization for any pre-marketing use. Third, condition-specific tracking pixels (acne, psoriasis, skin cancer) on the public website have been the focus of multiple OCR actions and class action lawsuits. Fourth, the overlap with aesthetic and med spa services creates BAA scope confusion: an injectable booking system may not be HIPAA-regulated while the dermatology EHR is, and many practices use the same system for both.

HIPAA Compliance for
Dermatology Practices.

Imaging, Marketing, and Trackers.
Three Places Most Risk Analyses Miss.

Tracking Pixels Have Cost Healthcare Entities $35M+ in 2024

Clinical Photography Generates High-Volume Image PHI

Aesthetic and Medical Systems Often Share Infrastructure

The Patient Volume Is High and the Encounters Are Brief

Your Dermatology Practice Has
More HIPAA Surface Than Most.

HIPAA Compliance forDermatology Practices.

Imaging, Marketing, and Trackers.Three Places Most Risk Analyses Miss.