Refresher on HIPAA: Could You Be Violating It Without Knowing?


HIPAA is not a “set it and forget it” rulebook. It’s a living framework that evolves as technology changes, as patient expectations shift, and as regulators redefine what qualifies as protected health information (PHI). Even if you haven’t touched your privacy policies in years, you might still be violating HIPAA today—without realizing it. 

Let’s look at a few ways that could happen. 

1. Pixels and Trackers 

The government recently cracked down on the use of tracking pixels from companies like Meta (Facebook) and Google embedded in healthcare websites and patient portals. Why? Because when a patient books an appointment or fills out a form, that interaction—and sometimes even the page they land on—can get shared with third parties. 

That’s not just creepy. It’s a HIPAA violation if it happens without a signed authorization. 

The HHS Office for Civil Rights issued guidance saying this behavior is a problem even if the patient doesn’t enter a name or birthdate. The fact that they were browsing a specific provider’s website could reveal something about their health. And if that info is being sent to third parties without permission? That’s a problem. 

So if your web team or marketing company added tracking tools “just to see how patients engage with the site,” it’s time for a compliance review. 

Recently, the Office for Civil Rights at the Department of Health and Human Services reversed course on these pixel trackers. Why? It lost in court and chose not to appeal.

So, if pixel trackers are OK with HIPAA, the coast is clear, right? 

Nope. 

There are also state privacy laws, and attorneys have been filing individual and class action suits alleging breach of privacy. There have been eye-popping settlements. One was for $18.5 million.
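As an added illustration of where such a compliance review starts (example code written for this article, not part of the original post or any product), here is a small Python scanner that flags script, image and iframe sources pointing at known tracker hosts, plus inline pixel bootstrap snippets. The tracker host list, the inline call names and the sample booking page are constructed assumptions, not a complete catalogue.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts loaded by common pixels/tag managers (an illustrative assumption; extend from your own vendor inventory).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel script",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
}
# Inline bootstrap calls that load a pixel even when no tracker host appears in a src.
INLINE_CALLS = {"fbq(": "Meta Pixel bootstrap", "gtag(": "Google tag bootstrap"}

class TrackerAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (where, what, vendor) tuples
        self._script_buf = None  # list while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag in ("script", "img", "iframe") else None
        if tag == "script":
            self._script_buf = []
        if src:
            host = urlparse(src).netloc.lower()  # also handles //host/path sources
            if host in TRACKER_HOSTS:
                self.findings.append((tag, host, TRACKER_HOSTS[host]))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body, self._script_buf = "".join(self._script_buf), None
            for call, vendor in INLINE_CALLS.items():
                if call in body:
                    self.findings.append(("inline", call + ")", vendor))

def audit_html(html):
    """Return (where, what, vendor) findings for one page; an empty list means none found."""
    parser = TrackerAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a booking page carrying a gtag snippet and a Meta image beacon.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>function gtag(){dataLayer.push(arguments);} gtag('config','G-PLACEHOLDER');</script>
<script src="/assets/app.js"></script></head><body><h1>Book an appointment</h1>
<img src="https://www.facebook.com/tr?id=000&amp;ev=PageView&amp;noscript=1" width="1"/></body></html>"""
```

Run it over each page of the site (or the portal's templates) and treat every finding as a vendor that needs either removal or a business associate agreement.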

2. Using AI or Chatbots 

Let’s say you added a chatbot to your website or used AI to respond to common patient questions. Even if the tool is “just helping patients schedule” or “providing education,” there’s a risk it collects or transmits protected health information. Most off-the-shelf AI and chatbot tools aren’t HIPAA-compliant. Unless you’ve vetted the vendor and executed a business associate agreement (BAA), you could be exposing patient data and not even know it. 

3. Sending Photos Without a Signed Release 

We’ve seen it before: a provider snaps a photo of a great aesthetic result—no face shown, no name attached—and posts it to social media thinking, “This is fine.” But HIPAA doesn’t just protect names and faces. Context matters. If someone can reasonably identify the patient from the image, the background, a timestamp, or details in the caption, you’re at risk. You’d be surprised how often patients claim they were “outed” on social media by a physician’s photos: freckling patterns, tattoos, unique undergarments, scars, and more.

Get a signed photo release (authorization) before you post. Every time. If a patient later asks you to take the photo down, just do it. Don’t argue that you have a signed authorization. A HIPAA-compliant authorization must give patients the power to revoke it whenever they want. They merely need to notify you in a way that is likely to be received, such as writing to your office.

4. Responding to Online Reviews 

Many doctors respond to online reviews without realizing they’ve just confirmed someone was a patient. They assume the patient “outed themselves,” so they can respond and correct the record. Right? No, wrong. Even if the review is harsh, HIPAA still applies. There is no HIPAA exception allowing a response to a patient who posted a nasty review. The safest replies avoid confirming any relationship or treatment. Keep it generic, broad, kind, and compliant, or you could turn one negative review into a HIPAA audit. By the way, such HIPAA-compliant responses can be done. (We can assist…

So, what’s new in HIPAA and state privacy laws?

A lot—and it’s mostly about the unexpected places patient data can leak. Whether it’s a pixel in your code, an AI bot on your site, or a well-meaning review reply, small mistakes can have big consequences.

Stay vigilant. Audit your tools. Train your team. And when in doubt, ask for help. 

What do you think? 


Jeffrey Segal, MD, JD
Chief Executive Officer & Founder

Jeffrey Segal, MD, JD is a board-certified neurosurgeon and lawyer. In the process of conceiving, funding, developing, and growing Medical Justice, Dr. Segal has established himself as one of the country's leading authorities on medical malpractice issues, counterclaims, and internet-based assaults on reputation.
