HIPAA applies to healthcare professionals and providers, not ad tech companies. And race and citizenship are not personal health-related data.

It might be a HIPAA violation, depending on the details of the data being shared. Several other healthcare websites have gotten in trouble over the same thing: https://techcrunch.com/2023/04/17/pixel-tracking-hipaa-start...

It is if it connects an individual to an explicit health outcome or category.

HIPAA as a law is intended to ease transfer of medical information, not restrict it.