Guide to United States - HIPAA Healthcare Overlay Cookie Consent Compliance
Complete technical implementation guide for United States (federal - healthcare sector) privacy regulations. Learn about consent requirements, banner elements, record keeping, and technical specifications.
Summary
This guide provides comprehensive technical implementation requirements for United States - HIPAA Healthcare Overlay. Healthcare providers and covered entities must not share Protected Health Information via tracking technologies without patient authorization.
This jurisdiction requires an opt-in consent model (prior consent), meaning websites must obtain explicit user consent before placing non-essential cookies or similar tracking technologies. Users must actively accept cookies through clear consent mechanisms.
Additional requirements for this jurisdiction include: providing consent banners and privacy information in all required languages, and special protections and consent mechanisms for children's personal data.
Website owners and operators subject to these regulations must implement compliant cookie consent banners, maintain proper consent records, and ensure their tracking technologies respect user privacy choices. This guide outlines all technical requirements needed to achieve compliance.
Key Requirements Overview
Technical Requirements
Required Banner Elements
First Layer (Cookie Banner)
- HIPAA Authorization Notice
- Reject All Button Or Link
- Privacy Policy Link
- Patient Rights Notice
Second Layer (Preferences Modal)
- Detailed PHI Sharing Disclosure
- Business Associate Information
- Patient Authorization Form Link
Implementation Guidance
CRITICAL: Disable all third-party analytics and advertising cookies on authenticated patient portals and on pages containing health information unless they are covered by a valid patient authorization. Use server-side analytics only, or ensure Business Associate Agreements are in place with the vendor. Do not use identifiers (IP address, cookies) that could link a visitor to PHI without authorization. HHS 2022 guidance treats an IP address combined with a health-related page URL as PHI.
Special Protections
Children's Privacy
Parental authorization required for minors; extra safeguards for adolescent health information.
Sensitive Data
Protected Health Information (PHI) cannot be shared via third-party trackers without explicit patient authorization or Business Associate Agreement. De-identification must meet HIPAA Safe Harbor or Expert Determination standards.
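As an added illustration (example code, not CookieChimp's or the page's own), the following encodes the decision rule from the Implementation Guidance and Sensitive Data passages above: a non-essential third-party tracker loads only after opt-in consent for its disclosed purpose, and on authenticated or health-information pages only when a signed patient authorization or a BAA covers the vendor. The record fields mirror the list under Record Keeping Requirements; function names, field names and sample values are assumptions.

```javascript
// Added example, not CookieChimp code: consent gate for third-party trackers on a
// HIPAA-covered site. Rules: opt-in consent for every non-essential cookie; on
// authenticated patient portals or pages with health information, no third-party
// analytics/advertising unless a signed patient authorization or a BAA covers it.

// Build one consent record carrying the five fields this guide requires.
// Field and parameter names are assumptions, not a CookieChimp schema.
function buildConsentRecord({ accepted, authorizationSigned, purposes, policyVersion, baaCovered }) {
  return {
    timestampISO: new Date().toISOString(),          // Timestamp ISO
    patientAuthorizationSigned: Boolean(authorizationSigned), // Patient Authorization Signed
    trackingPurposesDisclosed: [...purposes],        // Tracking Purposes Disclosed
    policyVersion,                                   // Policy Version
    baaCovered: Boolean(baaCovered),                 // BAA Covered
    consentGiven: Boolean(accepted),                 // opt-in: false until the user accepts
  };
}

// Decide whether a tracker script may load on the current page.
// page:    { authenticated: bool, containsHealthInfo: bool }
// tracker: { essential: bool, purpose: string }   e.g. purpose 'analytics'
// record:  a consent record from buildConsentRecord, or null if none exists yet
function mayLoadTracker(page, tracker, record) {
  if (tracker.essential) return true;                  // strictly necessary: no consent needed
  if (!record || !record.consentGiven) return false;   // opt-in model: no consent, no cookie
  if (!record.trackingPurposesDisclosed.includes(tracker.purpose)) return false; // purpose never disclosed
  const phiContext = page.authenticated || page.containsHealthInfo;
  if (phiContext) {
    // The vendor could receive PHI (IP + health page URL): require a signed
    // patient authorization or a Business Associate Agreement.
    return record.patientAuthorizationSigned || record.baaCovered;
  }
  return true;                                         // public, non-health page with opt-in consent
}

// Constructed sample: user accepted analytics, no authorization, no BAA.
const sampleRecord = buildConsentRecord({
  accepted: true, authorizationSigned: false,
  purposes: ['analytics'], policyVersion: 'privacy-policy-v3', baaCovered: false,
});
const analytics = { essential: false, purpose: 'analytics' };
// Public marketing page: allowed. Logged-in patient portal: blocked.
mayLoadTracker({ authenticated: false, containsHealthInfo: false }, analytics, sampleRecord); // true
mayLoadTracker({ authenticated: true, containsHealthInfo: true }, analytics, sampleRecord);   // false
```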
Record Keeping Requirements
Required Consent Record Fields
For each consent action, you must maintain records containing:
- Timestamp (ISO format)
- Patient Authorization Signed
- Tracking Purposes Disclosed
- Policy Version
- BAA Covered
CookieChimp handles all of this automatically. Our platform maintains comprehensive consent records including all required fields, timestamps, consent strings, IP addresses, user agents, and more. Records are securely stored and easily exportable for compliance audits. Learn more about our consent management
Legal References & Resources
Official legal documents and regulatory guidance for this jurisdiction: