While HIPAA does not explicitly reference cookies, it applies to any digital technology that collects, stores, or transmits Protected Health Information (PHI). If your website uses cookies, trackers, or pixels to gather data that could identify a patient or their health information, this may fall under HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted in 1996 to protect individuals' health information. It establishes national standards for safeguarding Protected Health Information (PHI) and applies to covered entities and their business associates. HIPAA is enforced by the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR). Organizations covered by HIPAA must ensure the confidentiality, integrity, and availability of all PHI they create, receive, maintain, or transmit and implement physical, administrative, and technical safeguards to protect PHI. Non-compliance can lead to significant legal, financial, and reputational consequences.
To check your HIPAA compliance, follow these principles:
Data minimization: limit data sharing to the minimum necessary.
Risk assessments and training: conduct a HIPAA risk assessment and employee training.
Secure data handling: have policies in place for the secure handling and sharing of PHI, and ensure proper encryption, access controls, and audit trails.
Control third-party relationships: sign Business Associate Agreements (BAAs) with all third-party service providers handling PHI.
If any of these areas are lacking, your organization may be out of compliance and at risk.
HIPAA applies to:
Covered entities, which include:
Healthcare providers (hospitals, clinics, doctors, dentists, etc.)
Health plans (insurers, HMOs)
Healthcare clearinghouses
Business Associates, which are service providers handling PHI on behalf of covered entities (e.g., billing services, cloud providers, analytics platforms).
Any organization working with PHI must evaluate its HIPAA obligations.
HIPAA gives individuals the right to:
Access their health records.
Correct inaccurate health information.
Receive an accounting of disclosures.
Limit the use or sharing of their health data.
Request a copy (port/download) of their data in electronic format.
Complain to HHS if they believe their rights have been violated.
Consent is required for the use of technologies and tools such as cookies unless the use falls under operations permitted by the law. HIPAA-covered entities must ensure that any third-party service collecting data through cookies is HIPAA-compliant and governed by a Business Associate Agreement (BAA).
Cookies may become a HIPAA concern when they collect or transmit individually identifiable health information — for example:
Tracking a user’s interaction with a patient portal.
Monitoring behavior on healthcare websites where users input PHI.
Using ad trackers that gather data from pages related to diagnoses, treatments, or insurance.
HIPAA requires that explicit consent and BAAs are in place when cookies are used in these contexts. De-identified cookies used for purely functional purposes (and not linked to PHI) may not fall under HIPAA—but caution is essential.
HIPAA violations can result in:
Civil penalties ranging from 100 to 50,000 USD per violation, up to 1.5 million USD per year for identical violations.
Criminal penalties including fines and imprisonment for knowingly or willfully violating HIPAA.
Corrective action plans, audits, and mandatory reporting.
Reputational damage and loss of trust from patients and partners.
HIPAA compliance focuses on working with PHI, and any organization working with PHI must evaluate its HIPAA obligations. While cookies and consent make up a small fraction of this due diligence, HIPAA and data privacy/cookie consent best practices should be followed, including:
Audit: conduct a data audit to identify all cookies and trackers on your website.
Categorize: categorize cookies (e.g., necessary, preference, analytics, marketing).
Implement consent management: ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs.
Check third parties: review third-party data-sharing practices.
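The audit, categorize and consent-management steps above can be checked with a small piece of code. The following is an added example, not CookieHub's code or any product's API: it classifies the cookies a site sets against a registry built during the audit, flags anything unreviewed, and keeps a per-category consent record with withdrawal and an append-only consent log that gates whether a non-necessary cookie may be persisted. The cookie names, categories and Set-Cookie headers are constructed for illustration and run under Node without a browser.

```javascript
// Added example (not CookieHub's code). Cookie names, categories and the
// sample Set-Cookie headers are constructed for illustration.

// Cookie registry produced by the data audit: cookie name -> category.
const COOKIE_REGISTRY = {
  session_id: "necessary",
  csrf_token: "necessary",
  ui_theme: "preference",
  _analytics_id: "analytics",
  _ad_click: "marketing",
};

const CATEGORIES = ["necessary", "preference", "analytics", "marketing"];

// Extract the cookie name from a Set-Cookie header value.
function cookieNameFromSetCookie(header) {
  const firstPair = header.split(";")[0];
  const eq = firstPair.indexOf("=");
  return (eq === -1 ? firstPair : firstPair.slice(0, eq)).trim();
}

// Audit step: classify every cookie the site sets. Anything missing from the
// registry lands in "unknown" so it is reviewed before the site goes live.
function auditSetCookieHeaders(headers, registry = COOKIE_REGISTRY) {
  const report = { unknown: [] };
  for (const c of CATEGORIES) report[c] = [];
  for (const h of headers) {
    const name = cookieNameFromSetCookie(h);
    const category = registry[name];
    if (category) report[category].push(name);
    else report.unknown.push(name);
  }
  return report;
}

// Consent record: granular per-category choices, withdrawal at any time, and
// an append-only log of every change (the "consent logs" the page asks for).
class ConsentRecord {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.granted = new Set(["necessary"]); // necessary cookies need no consent
    this.log = [];
  }
  grant(categories) {
    for (const c of categories) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category ${c}`);
      this.granted.add(c);
    }
    this.log.push({ at: this.now(), action: "grant", categories: [...categories] });
  }
  withdraw(categories) {
    for (const c of categories) if (c !== "necessary") this.granted.delete(c);
    this.log.push({ at: this.now(), action: "withdraw", categories: [...categories] });
  }
  isAllowed(category) {
    return this.granted.has(category);
  }
  // Gate: may this cookie be set under the current consent state?
  // Unregistered cookies are refused, which is what forces the audit to be kept current.
  mayPersist(cookieName, registry = COOKIE_REGISTRY) {
    const category = registry[cookieName];
    return category !== undefined && this.isAllowed(category);
  }
}

// Constructed sample response headers for the audit run.
const SAMPLE_SET_COOKIE = [
  "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
  "ui_theme=dark; Path=/; Max-Age=31536000",
  "_analytics_id=xyz; Domain=.example.test; Path=/",
  "_ad_click=1; Path=/",
  "_unreviewed_vendor=42; Path=/",
];

// Run the audit, grant analytics consent, then withdraw it, and report the gate
// decision before and after withdrawal together with the log length.
function demo() {
  const report = auditSetCookieHeaders(SAMPLE_SET_COOKIE);
  const consent = new ConsentRecord(() => "2025-01-01T00:00:00Z");
  consent.grant(["analytics"]);
  const allowedBefore = consent.mayPersist("_analytics_id");
  consent.withdraw(["analytics"]);
  const allowedAfter = consent.mayPersist("_analytics_id");
  return { report, allowedBefore, allowedAfter, logLength: consent.log.length };
}

console.log(JSON.stringify(demo(), null, 2));
```

The gate in `mayPersist` refuses any cookie that is not in the registry, so a tracker added by a third-party script after the audit is blocked rather than silently allowed; that is the property a consent implementation needs if BAAs and consent records are to stay accurate.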
While not explicitly related to cookies and consent management, organizations subject to HIPAA would do well to invest in a consent management platform to ensure HIPAA compliance by capturing user authorizations, managing cookie and third-party tracking settings, and logging consent in line with PHI protection standards.
HIPAA governs the privacy and security of protected health information handled by healthcare organizations and their business associates across the US.
Under HIPAA, personal data is called Protected Health Information (PHI), and includes any health-related information that can identify an individual (e.g., name, diagnosis, medical records, insurance details).
Sensitive data under HIPAA includes PHI that could be used to identify an individual, such as genetic data, biometric records, diagnoses, prescriptions, or test results.
The US Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) are responsible for enforcing HIPAA.
Employers (in their role as employers), educational institutions, and non-healthcare entities not handling PHI are generally exempt from HIPAA. However, if they handle PHI, even indirectly, they may fall under its jurisdiction.
Visit the U.S. Department of Health and Human Services HIPAA website for official rules, compliance guides, and enforcement updates.
©2018-2025 CookieHub ehf.