For marketing, a JavaScript tag is a growth lever. Something that’ll allow your business to target the right people, run personalized campaigns, and onboard more customers with less spend. For your security team, though, it’s a different story.
The third-party scripts and tags on your pages can be a shadow PHI disclosure pipeline that quietly avoids detection, sidesteps your server-side controls, and transmits sensitive member data to third parties without triggering a single alert.
OCR calls that risk out loud. Clearing that if a tracker captures identifiers and context that can together reveal PHI, or payment data, then that’s a violation, unless there’s a valid HIPAA and BAA basis. Then in 2024, the grip tightened.Â
Authorities have been regularly scrutinizing tracking technologies, and whether you, as a business, have identified and mitigated the risk associated with such scripts that run on the client-side, talk to end points beyond your own servers, and update and change behaviour at their own cadence.
State laws like Washington’s My Health My Data Act (MHMDA) go further, imposing GDPR‑style opt‑in consent, a private right of action, and strict rules on sharing consumer health data via pixels, cookies, tags, and SDKs.Â
That’s the compliance reality health insurance portals are navigating right now. Federal floor, state ceiling, and a client-side attack surface most teams haven’t fully mapped.
What you’ll learn:
- Why the third-party scripts on your member portal may constitute a HIPAA violation, and how state laws like Washington’s MHMDA raise the stakes further.
- Where health insurance portals are most exposed. The specific page types, tracking technologies, and governance gaps regulators are focused on.
- What a defensible client-side compliance architecture actually looks like and why continuous monitoring is now part of that story.
The sensitivity of insurance portal data
Health insurance portals are where the fragments of a patient’s life are finally assembled into a coherent, high-value, highly sensitive dossier. It’s claims history, provider relationships, prescriptions, benefits, payments, all of it, in one place, accessible through a browser.
What raises the stakes is the fact that the instrumentation on this page is usually optimized for customer experience. The better it gets, the less the users churn.
But doing that requires insights. Which pages have drop-off? Where members get confused. What’s driving support calls? Those are legitimate questions, and the tools that answer them are mostly built for marketing environments, not PHI-bearing ones.
So, to those tools, a claims summary page looks identical to a product landing page. Every time a member logs in, they’re interacting with their full claims history, dates of service, procedure codes, diagnosis codes, and explanation of benefits.
And with each click, these pages reveal increasingly sensitive information. What mental health coverage they carry, what conditions they have, and even their card data.
This is the mosaic problem. The value of this data to attackers, advertisers, and litigants doesn’t grow linearly with each new field exposed. Instead, it compounds.
And when tracking tags and pixels are left unconfigured on these pages, they collect and transmit whatever they can see. Sensitive member data flows to third-party servers where it can be used for ad targeting, profiling, and inferences that follow members well beyond their insurance portal.
Client-side risks specific to insurance portals
Your security programs can control the threats that stem from your codebase. But on the client’s side, it’s the code that runs at runtime that isn’t always the one you govern. Marketing trackers, tags, and other third-party scripts live outside your development cadence, and thus can update, change their behaviour, or call in more third-party scripts at runtime in the client’s browser.
Often, they can observe what the user sees and does. They capture full URLs, referrer headers, and interaction events as a matter of routine. On healthcare websites, those signals frequently carry health context.
That’s the risk that server hardening won’t solve. And the risk score is then directly tied to the context of the page and the kind of data it deals with.
Authentication and account-based logins reveal identity to trackers
Login, MFA, and profile flows bind names, email addresses, and plan IDs to device fingerprints and IP addresses, often with trackers present for fraud analytics or A/B testing.
Thus, they give rise to a meaningful chance that the user’s identity gets revealed when they start the session, enabling the rest of the data that flows through trackers further in the session to be tied to a specific identity.
Claims and EOB views can carry PHI
Claims lists and detail pages display diagnosis and procedure codes, dates, treating providers, and amounts paid. If trackers or analytics widgets can read DOM content and URL parameters, this information can be captured by third parties.
That is a textbook PHI leak, just happening in the browser with legitimate, but misconfigured tags capturing the data.Â
Benefit and coverage lookup reveals intent before filing a claim
Queries for behavioral health, infertility, HIV medications, or gender‑affirming care coverage reveal highly sensitive intent and deeply personal information, even before they make a decision to file a claim.
This can make users susceptible to targeted advertising and other kinds of quiet profiling that turns a benefits search into a data point someone else monetizes.
Provider search and scheduling compound it further
Search filters for oncology, addiction treatment, or reproductive health, combined with clickthroughs to specific providers, are precisely the surfacing activity OCR and FTC have called out in warning letters.
Prescription and prior authorization management:
Drug names, refill patterns, and formulary exceptions are the same data types that featured in the GoodRx and BetterHelp cases, where similar information was shared with tracking vendors without user knowledge.
Each page type is a distinct exposure surface. And most health insurance portals have tracking technologies running across all of them.
What HIPAA actually requires of your portal
For a health plan, the member portal is just another ePHI system; OCR has clarified at multiple instances that it doesn’t see any meaningful distinction. Yet, a majority of health plans approach this space as a UX security challenge.
They look at locking down logins, fortifying authentication with 2FA, preventing account lockout, and encrypting data as it flows through the device and their servers. They matter, but they don’t punch everywhere they need to.
OCR doesn’t see your portal as a user experience layer sitting on top of your claims system. It sees it as a HIPAA system of record. Any individually identifiable health information related to enrollment, eligibility, claims, or payment that passes through that portal is ePHI, regardless of whether it lives in your back-end database or briefly appears in a browser tab.
The moment a third-party script on that page can observe it, you have a potential disclosure event. And that disclosure happened on your watch.
What OCR actually said
In a 2022 bulletin, OCR clarified that when a covered entity deploys tracking technologies on its websites or apps, any identifiers tied to an individual’s health care or payment activity may constitute PHI and fall under the Privacy, Security, and Breach Notification Rules.
The 2024 revision softened the ragged edges, acknowledging that an IP address on a generic public page isn’t automatically PHI. But for authenticated pages, and for anything in the context of medical help-seeking behavior, OCR largely held its position.
In other words, OCR is focusing on the context of the page where data is collected from. The PHI status of any given data element can depend on the page it’s collected from, the user’s authentication state, the combination of identifiers involved, and the apparent purpose of the collection.
OCR is now looking at risks on the client-side
OCR’s guidance makes clear that investigations into tracking technology will assess whether entities have appropriately identified and mitigated risks to ePHI associated with client-side execution
That means your enterprise risk analysis needs to include trackers and the runtime reality of your page in your customers’ browsers. Your access controls need to account for what third-party scripts can reach, read, and collect. Your audit logging needs to capture what actually happens in the browser, like what they actually collected and what they couldn’t.
The BAA for vendors
OCR’s position on tracking vendors leaves no gray area. If a vendor receives PHI through your portal, they are a business associate. Period.
That means a compliant BAA is required; generic terms of service don’t substitute. And neither would thin de-identification claims.
The challenge is that most mainstream analytics, session replay, and advertising vendors won’t sign BAAs that cover their full feature set. And that puts health plans in an impossible position between what marketing wants and what compliance requires.
However, there’s a signal worth reading here. If a tag vendor won’t sign a BAA, they’re also telling you something about how they intend to use and combine that data downstream. The refusal isn’t just a legal inconvenience. It’s a disclosure about their business model.
OCR hasn’t yet announced a major enforcement action specifically against a health plan for pixel tracking. But the joint warning letters with the FTC and the parallel enforcement record in GoodRx and BetterHelp set forth an intent.
For insurance vendors, HIPAA is just the Floor. State laws are the ceiling
A plan that passes HIPAA audits can simultaneously be out of compliance with MHMDA, CPRA, and a growing stack of state health-data regimes based solely on how its portal instrumentation is configured.
That’s the situation health insurance CISOs are walking into right now. HIPAA built a floor. States have been building a ceiling above it ever since. And the gap between the two is exactly where your pixel configuration lives.
Washington’s MHMDA bite where HIPAA stops
HIPAA was built around covered entities, like health plans, providers, clearinghouses, and their business associates. And it continues to regulate what those entities do with PHI.
But a fitness app, a symptom checker, or a consumer health website? HIPAA doesn’t have jurisdiction over them, even if those collect deeply sensitive health-related data.
My Health My Data Act took shape out of sharp observations on HIPAA’s limitations.
Regulators watched health-related data flow through apps and websites that HIPAA never touched, and decided that “not a covered entity under HIPAA” wasn’t a good enough answer anymore.
For health insurance portals, that means authenticated portal sessions, benefit inquiries, provider searches, prescription activity, if any of that involves a Washington consumer and a third-party script is watching, MHMDA applies to it.
No revenue thresholds. No physical presence required in Washington. Your scope when you have Washington consumers.
California’s bifurcated session problem
The same authenticated portal session can produce data that is simultaneously PHI under HIPAA, exempt under CCPA’s carve-outs, and sensitive personal information under CPRA’s obligation tier, all at once, all from the same login event.
That’s because CPRA’s sensitive personal information category explicitly includes account log-in credentials, precise geolocation, and health information.
And since the HIPAA carve-outs in California law are scoped narrowly. They don’t cast a wider net. So while the claims record itself might be exempt, the behavioral trail around it, like the login, the location, the session replay of a member navigating to their mental health benefits, can still trigger CPRA obligations for California residents.
The jurisdictional challenge
Colorado, Virginia, and a growing number of states treat health data as sensitive data requiring opt-in consent and data-protection assessments before it can be used for profiling or targeted advertising.
These laws are built with GDPR-style extraterritoriality. Physical presence is irrelevant. If your portal serves residents of those states, you’re in scope.
The practical consequence is this. A plan headquartered in Illinois, offering coverage to members in Washington, California, and Colorado, is running MHMDA, CPRA, and Colorado’s health-data regime simultaneously alongside HIPAA, across the same portal session, right now.
Architecturally, that’s challenging. You can fully pass a HIPAA audit and still be a sitting duck under three different state health-data laws based solely on your pixel configuration.
Let’s compare these regimes head-to-head to see where they align, where they diverge, and where the gaps live.
| Framework | HIPAA (federal) | Washington MHMDA | CCPA/CPRA (California) | State Insurance Regulations |
| What It Covers | All ePHI created or transmitted through health plan portals, including enrollment, claims, and payment data. | Consumer health data for Washington residents, including health inferences drawn from online interactions. | Personal information of California residents. HIPAA PHI has a carve-out, but account logins, geolocation, and health inferences remain in scope as sensitive personal information. | Policyholder and claims data across systems supporting insurance operations |
| Consent Model | PHI may only be used for treatment, payment, or operations. Trackers receiving PHI need a BAA. Cookie banners don’t qualify. | Standalone health data notice required. Separate opt-in for collection and again for sharing. Geofencing near health facilities is banned. | Notice at collection required. Consumers can limit the use of sensitive personal information, including health data and precise location. | Written information security programs and risk assessments are increasingly required. |
| Breach Notification | Notice to affected individuals within 60 days of discovery | Notice to consumers and potentially the AG when health data is involved | Notice without unreasonable delay after discovery. CPPA has enhanced enforcement authority under CPRA. | Most states mirror general breach notification timelines with additional reporting to insurance commissioners |
| Private Right of Action | No. OCR and state AGs enforce. | Yes. Members can sue directly under Washington’s Consumer Protection Act. | Yes. For certain breach types involving specific data categories. | Typically no direct private right. Insurance commissioners and AGs enforce. |
| Tracking Guidance | OCR’s 2022 and 2024 bulletins make client-side tracking an active enforcement priority | Legislative intent explicitly targets app and website tracking practices outside HIPAA’s reach. | No tracker-specific bulletin but CPRA’s sensitive personal information framework and AG enforcement squarely reach third-party tracking in portal contexts | Tracker-specific rules are limited today, but vendor management and web security questions are becoming standard in cybersecurity oversight |
What a defensible portal architecture actually looks like
A defensible architecture is one you can explain, evidence, and tie directly to your HIPAA and state-law risk analyses. Not one that simply seems secure on the server side.
A useful starting point is a single question. If you had to whiteboard your client-side data flows in front of OCR tomorrow, what all could you draw anything beyond a single box labeled portal? Could you name the scripts? Could you identify the endpoints these scripts connect to? Their update cadences? Their business justification?
OCR’s 2024 update confirms that tracking investigations will scrutinize whether entities identified and mitigated ePHI risks and implemented Security Rule safeguards.
For that, you need to govern the runtime on the client side
Defensible means client-side scripts are inventory-driven rather than ad hoc. They all go there after following a review process and get monitored continuously for their behaviour.
You need minimal and only vetted third-party code on your PHI rendering pages. Any trackers operating on those pages are either covered by BAAs or explicitly configured to avoid PHI contact entirely.
Marketing and authenticated member contexts should be strictly separated.
Implement them on different subdomains so no cross-page trackers bleed between them. Then, enforce policies with tight CSPs and regulated allow-listing.
Feature flags give you the ability to enable or disable third-party tags by page class, so a new marketing campaign can’t accidentally inherit access to claims views.
To further be sure, you can have any permissible outbound call go through auditable transformations that strip or tokenize identifiers first.
Maintain a current, complete inventory of scripts
Regulators expect to see which scripts run where, what they collect, and how that maps to your contracts. A server-centric CMDB doesn’t answer that question.
A defensible client-side inventory enumerates, for each portal surface, every script, tag, SDK, and iframe in play. Its source domain. The data elements it can access. The network endpoints it calls, including downstream redirects. And it cross-references each vendor to BAAs, DPAs, and data-protection assessments, making explicit whether that tool is permitted on authenticated, PHI-rendering pages or restricted to anonymous marketing content only.
The real challenge is keeping it current
The challenge is about keeping that inventory current. Your marketing team can ship a new script to production in an hour. Vendors can update their scripts at their own cadence. The scripts and dependencies your vendors depend on can change, and so can their behaviour.
But you can only manually update your inventory once a quarter. That’s the gap. Static assessments are fundamentally mismatched to the change velocity of your runtime environment.
Defensible governance means continuous or high-frequency client-side scanning. Change detection for scripts and outbound calls. And a documented process that routes violations into security and privacy triage immediately, not into a backlog.
How HealthData Shield AI protects insurance portals
The governance model of health plans built around HIPAA was never designed to see inside a browser session. And for decades, it worked because the client side wasn’t a compliance surface, nor was it a big risk. It is now.
Every authenticated portal interaction, like a member checking their EOB, searching for an in-network provider, reviewing a prescription history, generates a behavioral record that third-party scripts can observe, collect, and transmit before your server logs register anything unusual.
And governing that has been increasingly challenging for security teams.
HealthData Shield AI closes that specific gap. It monitors the runtime environment, documenting all the scripts, their behaviour, and flagging anomalies.
It sees what your server logs miss.
HealthData Shield AI deploys synthetic users that simulate real member behavior, navigating claims pages, triggering prescription lookups, and stepping through benefit flows.
That means it catches chainloaded scripts, third-party dependencies injected by other vendors, and outbound calls that never touch your server infrastructure. The visibility starts where your existing controls stop.
It surfaces the BAA gaps you don’t know you have
The platform automatically identifies which data processors are receiving PHI-class data in the browser and flags where BAAs or DPAs are missing. For compliance teams managing dozens of marketing and analytics vendors across an authenticated portal environment, that’s the difference between knowing your exposure and guessing at it.
It produces the evidence regulators actually ask for
When OCR or a state AG investigates, they ask for timestamped script inventories, data-flow documentation, BAA records, and remediation timelines. HealthData Shield AI’s continuous logging and exportable reporting is architected to produce exactly that package, so when the investigation opens, you’re presenting a compliance record, not reconstructing one from memory.
The bottom line
The regulatory bar has moved, enforcement is active, and the evidentiary standard is now higher than compliance programs were designed to meet. The question isn’t whether something is happening in your portal that you haven’t accounted for. It’s whether you can see it clearly enough, reliably monitor it, catch it when it drifts, and answer for it.
That’s what HealthData Shield AI lets you do.Â
Schedule a demo to assess your portal against HIPAA and state requirements and see what HealthData Shield AI surfaces.
