HIPAA, marketing and advertising: How to run compliant campaigns in healthcare


Written by Karolina Lubowicka, Małgorzata Poddębniak

Published October 02, 2023


Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney.

Healthcare organizations deal with tons of sensitive information concerning people’s health. It needs to be handled with proper care. In the US, safe parameters for using this kind of data in different contexts, including marketing, are set by the Health Insurance Portability and Accountability Act (HIPAA).

Unfortunately, many companies are still unaware of the provisions of the law and the potential consequences of breaching its rules. The recent scandal around the use of Facebook pixels inside the patient portals of renowned medical institutions is sad proof of that.

In this article, we explain which marketing practices are unlawful under HIPAA and why. We also present some practical measures you could take to make your retargeting campaigns HIPAA-compliant.

Finally, we provide you with more privacy-friendly alternatives to retargeting that can help you do effective marketing and engagement campaigns without violating patients’ privacy.


Healthcare providers continue to misuse patient data

The recent lawsuit filed against the UCSF Medical Center and the Dignity Health Medical Foundation has caused a stir in the world of healthcare. According to the lawsuit, the healthcare providers collected sensitive health information from patient portals and used it for retargeting ads on Facebook, transmitting the data to Facebook without patient consent.

Healthcare data breaches, although alarming, are neither new nor rare. As of July 2023, healthcare organizations reported 330 breaches of sensitive health information affecting 41.4 million individuals to the HHS Office for Civil Rights, compared to 52 million affected in all of 2022. Many breaches involve cyberattacks and ransom demands, but some involve the inadvertent disclosure of private health data through tracking technologies, known as pixels, utilized by social media companies. Last year, The Markup found that 33 of the top 100 US hospitals used Facebook pixels on their websites. Seven of them used tracking codes on patients’ portals behind login walls.

New guidance on using tracking technologies

It’s clear that many healthcare companies remain unaware of HIPAA provisions and ways to comply with them. One factor behind the increased number of reported HIPAA breaches is HHS’s bulletin from December 2022, which provides strict guidance on the use of third-party cookies, pixels and other tracking technologies by healthcare companies. The bulletin expands the definition of protected health information (PHI). Notably, it indicates that even using tracking technologies on websites and mobile apps accessible without user login could put healthcare companies at risk of privacy violations.

Earlier this year, numerous healthcare organizations submitted breach reports, acknowledging they were in violation of the December guidance from HHS. Telehealth provider Cerebral filed a data breach notification with HHS, admitting to having disclosed PII to other parties without sufficient HIPAA-protective measures. In July 2023, the FTC and HHS sent a joint letter to approximately 130 hospital systems and telehealth providers to alert them to the risks of tracking technologies on sites and apps that can impermissibly disclose consumers’ sensitive personal health data to third parties.

In November 2023, the American Hospital Association (AHA) filed a lawsuit against HHS regarding its guidance on tracking technologies. The AHA challenged the OCR’s interpretation of HIPAA, especially its alleged overly broad conception of PHI. The AHA stated that by limiting tracking technologies on sites, essential website tools like analytics platforms will no longer appear on hospital websites.

The AHA’s lawsuit was supported by 17 state hospital associations and 30 hospitals and health systems. In response to the litigation, the HHS updated its guidance on March 18, 2024, with the AHA calling the modifications “cosmetic”. In June 2024, a judge ruled in favor of AHA, declaring that OCR had overstepped its authority when issuing the guidance. On August 29, the OCR decided not to appeal the district court’s decision.

The court ruling and HHS’ decision not to appeal it do not mean that the issue of protecting PHI in the context of analytical tools has been settled once and for all. The ruling was issued in a specific case, indicating that an IP address combined with visit data from an unauthenticated web page does not constitute PHI. However, the ruling does not vacate other parts of the guidance, like those relating to authenticated pages such as patient portals. While the court’s verdict may serve as a benchmark for later decisions on possible HIPAA violations, the complexity of PHI protection and the multiplicity of contexts involved would dictate special caution.

The fundamental issues surrounding the collection and use of PHI by healthcare organizations remain unchanged. What is allowed under HIPAA concerning the use of tracking technologies like analytics platforms continues to be subject to interpretation. While the definitions of PHI and ePHI are well-established, the widespread use and interoperability of modern IT systems make it alarmingly easy for PHI to inadvertently leak into your website or app. Therefore, it’s wiser to stay on the safe side rather than rely on a gray-area interpretation of PHI that maintains the status quo. 

To protect patient privacy and reduce the risk of hefty fines and loss of trust, organizations must remain vigilant about the data they collect and share with analytics vendors. Notably, the biggest web analytics providers, Adobe and Google, have not changed their guidelines relating to the use of their most popular products: Adobe Analytics and Google Analytics 4. Those products should not be used by healthcare providers. Instead, they should seek out alternative solutions that prioritize data privacy and security. Their focus will likely shift towards analytics platforms that explicitly support HIPAA compliance and provide appropriate safeguards for handling sensitive health information, such as signing a business associate agreement (BAA).

What happens if you don’t comply with HIPAA

The unauthorized use of protected health data for marketing and advertising may have some serious consequences. HIPAA breaches lead to the harshest and most direct penalties, including fines of up to $1,806,757, and in some cases even criminal sanctions.

Malpractice concerning healthcare data can also damage patients’ trust and affect their relationship with their healthcare provider. As a recent study shows, patients who worry about their electronic health records being compromised in a breach are three times more likely to withhold information from their physicians.


Marketing and HIPAA: The problem goes beyond Facebook

The use of Facebook tracking pixels on patient portals is a flashy example of mishandling confidential health information. But this is not the only marketing activity through which healthcare organizations may unknowingly violate patients’ privacy.

To give you a broader perspective, let’s discuss some important provisions of HIPAA:

  1. HIPAA’s definition of marketing concerns interaction between a covered entity and an individual, no matter their patient status. It means that health data about website visitors who came through ads should be protected the same way as data coming from your paying customers.
  2. According to the HHS bulletin on using tracking technology, what constitutes a disclosure of PHI may depend on the user’s intentions. This complicates the process of identifying PHI, as there is no clear way of determining the visitors’ underlying intention for visiting your pages. This broadens the scope of user information that you need to be careful about in your marketing activities. Additionally, some publishers, such as Facebook, serve ads on social platforms available after logging in. Even data that doesn’t include health information may become PHI when combined with user data from social networks. In this case, you must be especially careful about the information you share. Due diligence is then advised.
  3. Protected health information (PHI) that falls under HIPAA can be found on most user-authenticated pages and even pages accessible without login. Examples of the latter may include a hospital’s webpage listing its oncology services that a user visits to seek a second opinion on cancer treatment options, or pages that permit individuals to schedule appointments or use a symptom-checker tool without entering credentials. Marketing technologies could collect an individual’s email address and/or IP address when the individual visits such pages. Even data collected from marketing pages and used in retargeting campaigns may constitute PHI. HIPAA’s definition of protected health information lists 18 types of data, including names, addresses, and medical records, but also user IDs and IPs often used to recognize visitors across channels. Using this information for marketing, in most cases, requires the patient’s authorization (for example, a signature) and an advertising platform that allows PHI, and provides enough data protection.

Definitions of PHI and where it can be found are not the only complications in HIPAA-compliant marketing activities.

Popular advertising platforms, including Facebook, Google, and LinkedIn Ads, don’t give you the option to sign a business associate agreement (BAA), a special kind of contract with a third party having access to PHI that is required by HIPAA. This means you can’t share any data that can be considered PHI with them.

All these factors limit the ways you can do marketing in healthcare, especially when it comes to retargeting and other practices relying on user identifiers. That said, running retargeting campaigns is not impossible under HIPAA.

How to run compliant ad campaigns under HIPAA

You need to clean up any traces of PHI being sent to the publisher’s platform and keep a few important steps in mind.

Instead of targeting individuals, create broad remarketing campaigns that don’t involve PHI. To do so:

  • Remove marketing pixels from your password-protected apps and websites, such as patient portals. On top of that, consider limiting their use to your homepage. As explained above, some subpages of your website, such as blog posts about a specific disease or treatment, may still contain health information and pass it to the advertising platform.
  • Strip your data of any traces of PHI before you push it to the ad networks. Make sure to get rid of any unique identifiers and pieces of data that would allow an individual to be identified. Follow the privacy guidelines of your chosen ad platform.
  • Create remarketing campaigns based on simple and broad targeting, for example, website visits. That said, the compliance of your ads will depend on the type of healthcare business you’re in. We’ll address this later on.
  • Consider using a safe tag management system for better control over the information you send to the ad platforms. This way, you will control where and when the pixel is allowed to run.
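The four steps above amount to a gate in front of the marketing pixel: deny by default, never fire on authenticated surfaces, allowlist a few non-clinical paths, and strip identifiers before anything leaves the site. The following is an added example of such a gate in the style of a tag-manager custom rule; it is not Piwik PRO’s code or any ad platform’s SDK. The `isAuthenticated` flag, the allowlisted paths, and the blocked query keys are assumptions for the illustration.

```javascript
// Added example (hypothetical, not the page's or any vendor's code): a gate that
// decides whether a marketing pixel may fire on the current page and, if so,
// what minimal payload it may carry. Assumes the site exposes `isAuthenticated`
// for logged-in areas such as the patient portal.

// Paths where the pixel may run. Everything else (patient portal, condition
// pages, symptom checker, appointment booking) is denied by default.
const PIXEL_ALLOWED_PATHS = new Set(["/", "/about-us", "/careers"]);

// Query-string keys that carry direct identifiers or clinical context and
// must never reach an ad platform (assumed list; extend for your site).
const BLOCKED_QUERY_KEYS = new Set([
  "email", "e", "phone", "patient_id", "mrn", "user_id", "uid",
  "appt", "condition", "q",
]);

// Payload fields the pixel may send. Referrer is deliberately absent: it can
// reveal the previous, possibly clinical, page. Anything not listed is dropped.
const ALLOWED_PAYLOAD_FIELDS = new Set(["event", "page_path", "campaign"]);

function normalizePath(path) {
  // Collapse trailing slashes so "/about-us/" matches the allowlist.
  const trimmed = path.replace(/\/+$/, "");
  return trimmed === "" ? "/" : trimmed;
}

function scrubQuery(query) {
  // Remove every blocked key (all occurrences), keep campaign parameters.
  const params = new URLSearchParams(query || "");
  for (const key of [...params.keys()]) {
    if (BLOCKED_QUERY_KEYS.has(key.toLowerCase())) params.delete(key);
  }
  return params.toString();
}

/**
 * Decide whether the pixel may fire. Returns null to block the pixel, or the
 * minimal payload it is allowed to send.
 * @param {{ path: string, query: string, isAuthenticated: boolean,
 *           campaign?: string }} page
 */
function buildPixelPayload(page) {
  // Rule 1: never fire on authenticated surfaces (patient portals, apps).
  if (page.isAuthenticated) return null;

  // Rule 2: deny by default; fire only on allowlisted, non-clinical paths.
  const path = normalizePath(page.path);
  if (!PIXEL_ALLOWED_PATHS.has(path)) return null;

  // Rule 3: strip identifiers and clinical context from the URL query.
  const cleanedQuery = scrubQuery(page.query);

  // Rule 4: send only broad, non-identifying fields.
  const candidate = {
    event: "page_view",
    page_path: cleanedQuery ? `${path}?${cleanedQuery}` : path,
    campaign: page.campaign,
  };
  const payload = {};
  for (const [k, v] of Object.entries(candidate)) {
    if (ALLOWED_PAYLOAD_FIELDS.has(k) && v !== undefined) payload[k] = v;
  }
  return payload;
}
```

In a tag manager the same logic becomes the firing condition of the pixel tag, so the pixel is never loaded at all on blocked pages rather than loaded and then silenced.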

Taking care of all these things should help you create lawful retargeting campaigns. They will be less effective than traditional remarketing. But if you’re interested in promoting your brand through popular ad platforms, they will be better than nothing.

Also, remember that this configuration might still be non-compliant in the case of some healthcare providers.

Let’s consider three scenarios:

  1. You want to prepare a remarketing campaign for a health insurance provider. Hence, you create a general campaign that targets users who visited your website and presents them with non-personalized ads that promote your offer.

    In this case, you don’t rely on PHI and the message of your ad doesn’t contain information about the visitor’s condition or health issues. Given that you’ve gotten rid of all potential user identifiers, your advertisement is most probably HIPAA-compliant.
  2. You’re running a fertility clinic and plan to create a retargeting campaign based solely on page visits without using demographic data. Unfortunately, displaying ads related to sensitive issues, such as infertility, still might violate user privacy and bring compliance risks. By using data about a visit on a highly specialized website, you disclose information about a person’s potential health issues and share it with an ad platform.
  3. You’re in charge of digital marketing for a dermatological clinic. A person has visited your website in search of dermatitis treatment. Retargeting them with an ad promoting a treatment for the skin condition they looked up would violate the patient’s privacy. But an ad that promotes your clinic without mentioning any particular health issues should be a safe choice.

To sum things up: The compliance of your retargeting ads will depend on your area of specialization. The narrower and more sensitive the subject is, the greater the risk of disclosing protected health information to a publisher. Assess your case carefully before employing any remarketing campaign.

Pro tip

A different option is to capitalize on other types of advertising that don’t involve retargeting and PHI, for example, contextual targeting and simple ads based on keywords.

Search engine advertising (SEA), which largely relies on keyword searches, is mostly allowed under HIPAA. You can also consider contextual advertising on portals related to your specialty.

Whether an ad is compliant will depend on the type of information you include in it. Read the ad platforms’ policies for healthcare-related ads carefully to see what’s permitted.

Despite your best efforts, marketing campaigns run on popular advertising platforms always pose some compliance risks. These platforms weren’t built for such privacy-sensitive industries as healthcare.

For greater peace of mind, consider investing in a safe first-party data ecosystem to use the potential of PHI in a way that fully respects HIPAA.

The benefits of a first-party data marketing strategy include:

  • Better compliance – Operating on first-party data helps you comply with data protection laws such as HIPAA. First-party data stays in the hands of those who collect it, and that gives more control and transparency over what happens with the data.
  • Accuracy – First-party data is more accurate because you obtain it directly from your patients, unlike third-party data that is often aggregated from various data sets. Also, this data comes from your audience, making it more relevant to your business.
  • Trust – As you gather data first-hand from your customers and inform them about all processing purposes, you build trust and solid relationships with them.
  • Enhanced personalization and segmentation – First-party data enables targeting content recommendations and messages at a more granular level. Relying on PHI in a safe data ecosystem will allow you to create detailed segments of users based on characteristics such as demographics or subscribed health plans. This wouldn’t be possible or permitted with third-party data.
  • Increased customer engagement – The direct relationships built with site visitors and previous customers create many opportunities for customer experience optimization. As you gather data on customer engagement with the site and different digital assets, you gain key insights into what your site needs to do better.

You can use a customer data platform (CDP) to establish and manage a first-party data strategy. CDPs are not HIPAA-compliant by default, so to find the right platform you must evaluate its HIPAA compliance as you would for any other marketing tool – we will discuss this in more detail in the next chapter.

A HIPAA-compliant CDP can be beneficial because it lets organizations combine data from multiple touchpoints, including your analytics, email marketing software, customer management platforms, consent managers, offline sources and more. This helps companies connect siloed data to create unified patient records and opens up many possibilities for effective marketing activities to improve users’ digital experiences. CDPs can store consent centrally and use it to ensure compliance across all connected downstream systems.

A first-party data strategy lets you engage in many types of compliant marketing activities that you can use PHI for, such as:

  • Onsite retargeting and personalization – These help you reengage patients directly on your website or inside your app and serve them special offers, discounts, or recommendations. You get great upsell and cross-sell opportunities. Such activities may not require patient authorization.
  • Email campaigns – Email is another channel for promoting your offer and recommending new products to the existing customer base. If you’re using email for marketing communications, you will need to receive prior written authorization from the patient. Make sure patients can easily opt out of marketing emails.
  • Improving the performance of your ad campaigns – You can also consider integrating data from your ad platforms with a secure analytics platform, such as Piwik PRO Analytics Suite. This will allow you to evaluate the performance of your ads without sending this data back to Google or Facebook and adjust your campaigns accordingly.

All of these activities require trusted business partners ready to meet the requirements of HIPAA.

How to find a HIPAA-compliant marketing vendor

What makes a MarTech vendor the right partner for a HIPAA-covered organization? A willingness to sign a business associate agreement (BAA) is essential.

A BAA is a contract between a HIPAA-covered organization and its business associates. It obliges both sides of the contract to protect PHI and comply with the guidelines provided by HIPAA. This means ensuring the proper standards of data encryption, private hosting, data minimization options, and other safety measures demanded by the act.

HIPAA business associates automatically become subject to audits performed by the HHS and can be held accountable for any data breaches or improper handling of data. Because of that, not many companies want to sign this agreement.

Keep in mind that signing a BAA is not a universal solution – evaluate the marketing platform’s agreement, terms of service, and data management processes diligently.

There are also additional security features that you can look for in your chosen marketing tools, such as:

  • User authentication methods to ensure unique login credentials to access the platform for each authorized employee. For increased security, the platform should enable two-factor authentication (2FA).
  • Access controls limit access to sensitive data and should be set based on an employee’s job function. Not all employees should have full access to the platform – they should only be granted access to the data that they need to perform their job.
  • Audit logs help ensure that data is only accessed when it should be. Audit logs can be used to determine access patterns for each employee, enabling administrators to identify when an employee is accessing data excessively. This can help quickly detect breaches.
  • End-to-end encryption enabled when electronic PHI is created, stored, transmitted, or received using a software platform.
  • Storage of PHI on an encrypted offsite data backup server.
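The audit-log point above is only useful if someone actually reviews the logs. As an added example (not code from the page or from any vendor), the following reads constructed audit entries from a platform that stores PHI, counts the distinct patient records each employee opened per day, and flags anyone over the cap for their job function; the log format, field names, roles and caps are all assumptions for the illustration.

```javascript
// Added example (hypothetical): detecting excessive PHI record access from
// audit logs. The sample log below is constructed; the line format
// "<timestamp> key=value ..." is an assumption, not any vendor's export format.
const SAMPLE_AUDIT_LOG = `
2024-05-06T09:01:12Z user=ana role=care_coordinator action=view_record patient=P1001
2024-05-06T09:03:40Z user=ana role=care_coordinator action=view_record patient=P1002
2024-05-06T09:10:05Z user=ben role=marketing_analyst action=view_record patient=P1001
2024-05-06T09:11:30Z user=ben role=marketing_analyst action=view_record patient=P1003
2024-05-06T09:12:01Z user=ben role=marketing_analyst action=view_record patient=P1004
2024-05-06T09:12:44Z user=ben role=marketing_analyst action=view_record patient=P1004
2024-05-06T09:13:22Z user=ben role=marketing_analyst action=export_segment segment=S7
2024-05-07T10:00:00Z user=ben role=marketing_analyst action=view_record patient=P1005
2024-05-07T10:05:00Z user=cat role=contractor action=view_record patient=P1006
`;

// Assumed caps on distinct patient records per employee per day. A marketing
// analyst should work with aggregated segments, not individual records.
// Roles with no configured cap are treated as cap 0 (fail closed).
const DAILY_RECORD_CAP = { care_coordinator: 50, marketing_analyst: 2 };

function parseAuditLine(line) {
  const [timestamp, ...pairs] = line.trim().split(/\s+/);
  const entry = { timestamp, day: timestamp.slice(0, 10) };
  for (const pair of pairs) {
    const [key, value] = pair.split("=");
    entry[key] = value;
  }
  return entry;
}

function parseAuditLog(text) {
  return text.split("\n").filter((l) => l.trim() !== "").map(parseAuditLine);
}

// Returns one finding per (user, day) whose distinct record views exceed
// the cap for the user's role: { user, role, day, distinctRecords, cap }.
function findExcessiveAccess(entries, caps) {
  const perUserDay = new Map(); // "user|day" -> { user, role, day, patients }
  for (const e of entries) {
    if (e.action !== "view_record") continue; // only record-level reads count here
    const key = `${e.user}|${e.day}`;
    if (!perUserDay.has(key)) {
      perUserDay.set(key, { user: e.user, role: e.role, day: e.day, patients: new Set() });
    }
    perUserDay.get(key).patients.add(e.patient); // repeat views of one record count once
  }
  const findings = [];
  for (const { user, role, day, patients } of perUserDay.values()) {
    const cap = caps[role] ?? 0;
    if (patients.size > cap) {
      findings.push({ user, role, day, distinctRecords: patients.size, cap });
    }
  }
  return findings;
}
```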

If the vendor you choose won’t sign a BAA with you, you need to de-identify all data that can be considered PHI before sharing it with the vendor. Such data is stripped of all identifiers, so it is no longer viewed as PHI and falls outside the scope of HIPAA. At the same time, de-identified data lacks a lot of valuable information that would make your marketing campaigns more effective.

Are there any alternatives? Yes. You can find a MarTech platform that offers on-premises hosting. If the vendor doesn’t have access to your infrastructure, they won’t be considered your business associate, so you won’t have to sign a BAA with them. However, maintaining such infrastructure requires extensive resources and time, so not every company will be able to use this option. You can also look into other secure, less resource-heavy options developed over the years, such as private cloud.

You must apply these high standards to all platforms that interact with your patients’ PHI – CRMs, marketing automation tools, email marketing platforms, customer data platforms and analytics alike. Thanks to this, you will be able to collect granular data and use it to promote your services within the limits allowed by HIPAA.

Marketing and HIPAA: A summary

Using standard methods of retargeting in healthcare is not impossible, but it requires some serious precautions. It’s also less effective, since stripping user identifiers from your data removes the layer of personalization.

To steer clear of the potential risks involved in using popular ad platforms in a highly regulated sector such as healthcare, think of employing marketing strategies that don’t involve big tech products. A first-party data strategy can bring many benefits to your organization and help you build a trust-based relationship with your patients.

If you’d like to learn more about data activation under HIPAA, contact us. We’ll be happy to present some compliant use cases to you.
