HIPAA-compliant marketing & advertising: How to run compliant campaigns in healthcare


Written by Karolina Lubowicka, Małgorzata Poddębniak

Published February 17, 2026

Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney.

Healthcare organizations process a vast amount of sensitive information related to people’s health that must be handled with proper care. In the US, the rules for using this kind of data across different contexts, including marketing, are set by HIPAA.

Unfortunately, many companies remain unaware of the law’s provisions and the potential consequences of breaching its rules. The recent scandal surrounding the use of Facebook pixels within the patient portals of renowned medical institutions is a sad testament to that. However, this doesn’t mean that you can’t do any type of digital marketing or advertising under HIPAA.

In this article, we explain which marketing practices are unlawful under HIPAA and why. We also present some practical ways to make your retargeting campaigns HIPAA-compliant, as well as privacy-friendly alternatives to effective marketing.

Can you run marketing campaigns under HIPAA?

Yes, but with strict limitations. Healthcare organizations can run HIPAA-compliant marketing campaigns by:

Marketing activities for treatment coordination, care management, and prescription refills generally don’t require authorization. However, promotional communications about products or services typically do.

Healthcare providers continue to misuse patient data

Since 2023, healthcare organizations have paid over $100 million in HIPAA fines related to tracking technology violations. The lawsuit filed against UCSF Medical Center and Dignity Health Medical Foundation exemplifies this trend. According to the lawsuit, the healthcare providers collected sensitive health information from patient portals and used it for retargeting ads on Facebook, transmitting the data to Facebook without patient consent.

Healthcare data breaches, although alarming, are neither new nor rare. As of July 2023, healthcare organizations reported 330 breaches of sensitive health information affecting 41.4 million individuals to the HHS Office for Civil Rights, compared to 52 million affected in all of 2022. Many breaches involve the inadvertent disclosure of private health data through tracking technologies, known as pixels, utilized by social media companies. In 2022, The Markup found that 33 of the top 100 US hospitals used Facebook pixels on their websites.

New guidance on using tracking technologies

Many healthcare companies remain unaware of HIPAA provisions. The December 2022 HHS bulletin clarified how existing HIPAA rules apply to tracking technologies, broadening the scope of what qualifies as PHI and sparking widespread compliance concerns.

Earlier in 2023, numerous healthcare organizations submitted breach reports, acknowledging that they had violated the guidance issued by HHS in December. Telehealth provider Cerebral filed a data breach notification with HHS, admitting to having disclosed PII to other parties without sufficient HIPAA-protective measures. 

In July 2023, the FTC and HHS sent a joint letter to approximately 130 hospital systems and telehealth providers, alerting them to the risks of tracking technologies on websites and apps that can impermissibly disclose consumers’ sensitive personal health data to third parties.

The AHA lawsuit against the HHS bulletin

The American Hospital Association (AHA) filed a lawsuit against HHS OCR in November 2023, challenging its guidance on the use of online tracking technologies. This lawsuit, joined by several hospital associations and health systems, aimed to block the enforcement of OCR’s December 2022 bulletin. In June 2024, a judge ruled in favor of the AHA, declaring that the OCR had exceeded its authority under HIPAA. 

It is crucial to understand the narrow scope of this ruling. The court specifically addressed the use of IP addresses and website visit data from unauthenticated web pages. However, the ruling does not invalidate other parts of the bulletin, particularly those relating to authenticated pages or the use of other types of data. 

Healthcare organizations continue to have HIPAA obligations and should still:

  • Document all data processing activities
  • Avoid tracking pixels on authenticated pages
  • Choose vendors willing to sign BAAs

What happens if you don’t comply with HIPAA

The unauthorized use of protected health data for marketing and advertising may have some serious consequences. HIPAA breaches lead to the harshest and most direct penalties, including fines ranging from $141 per violation to $1,806,757 annually, depending on the level of negligence. In 2024 alone, OCR closed 22 enforcement actions with settlements or civil monetary penalties. Criminal sanctions can include up to 10 years in prison for cases involving intent to sell, transfer, or use PHI for commercial advantage or malicious harm.


Marketing and HIPAA: The problem goes beyond Facebook

Under HIPAA, marketing is “communication about a product or service that encourages purchase or use.” Example: promotional emails about new medical devices. Written patient authorization is generally required before using PHI for such purposes.

It’s worth noting that communications related to treatment, case management, care coordination, or recommendations for alternative therapies are not considered marketing and don’t require patient authorization. 

Examples include:

  • Prescription refill reminders.
  • Information about health-related services included in a health plan.
  • Communications aimed at improving patient care without promoting specific products.

To assess whether your marketing use case requires patient authorization, read the guide on marketing by the US Department of Health and Human Services (HHS).

What is PHI

PHI includes any individually identifiable health information, which can be interpreted broadly. This means that even seemingly innocuous data, such as IP addresses or contact information, could be considered PHI if linked to health-related information. 

HIPAA’s definition of PHI lists 18 types of data, including names, addresses, and medical records, as well as user IDs and IP addresses, which are often used to recognize visitors across channels. Even data collected from marketing pages and used in retargeting campaigns may constitute PHI. Also, data that doesn’t include health information may become PHI when combined with user data from social networks.

Learn how PHI and PII distinctions impact your compliance strategy in our detailed PHI vs. PII guide.

Signing a BAA

By signing a business associate agreement (BAA) with a marketing or advertising vendor, a HIPAA-covered entity can securely share PHI with them. Popular advertising platforms (Facebook, Google, LinkedIn Ads) don’t sign BAAs. The same issue applies to other tools used by marketers as well. Most analytics platforms (including Google Analytics 4 and Adobe Analytics) don’t offer BAAs and prohibit the use of PHI data in their products. These platforms cannot be configured in a HIPAA-compliant manner without extensive de-identification.

For a comprehensive guide to selecting a HIPAA-compliant analytics platform, see our in-depth vendor selection guide.

How to run compliant ad campaigns under HIPAA

Using retargeting in healthcare is possible if you take some precautions.

Here are some tips for HIPAA-compliant advertising:

  • Remove marketing pixels from your password-protected apps and websites, such as patient portals. Consider limiting their use to your homepage. Some subpages of your website, such as blog posts about a specific disease or treatment, may still contain health information and can pass it to advertising platforms. 
  • Strip your data of any traces of PHI before you push it to ad networks. Ensure that you remove any unique identifiers and sensitive data that could be used to identify an individual. Follow the privacy guidelines of your chosen ad platform.
  • Create remarketing campaigns based on simple and broad targeting, for example, website visits. This way, instead of targeting individuals, you create broad remarketing campaigns that don’t involve PHI.
  • Consider using a safe tag management system for better control over the information you send to the ad platforms. This way, you will control where and when pixels are allowed to run.
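As an added illustration (not code from Piwik PRO or the post's authors), here is a minimal tag-manager style gate in JavaScript that applies the first, second and fourth tips above: it refuses to fire an ad pixel on authenticated or non-allowlisted pages and strips identifier fields from the event before it leaves the browser. The path allowlist, the event field names and the function names are assumptions made for this example.

```javascript
// Added example, not Piwik PRO code. Function and field names are hypothetical.

// Assumption: only these unauthenticated, non-condition-specific paths may load ad pixels.
// Condition or treatment pages (e.g. /conditions/dermatitis) are deliberately absent.
const PIXEL_ALLOWED_PATHS = ["/", "/about", "/locations", "/contact"];

// Event fields treated as direct identifiers (names, emails, IP addresses and record
// numbers are among HIPAA's 18 identifiers). The key names are assumed for this example.
const IDENTIFIER_KEYS = ["email", "name", "user_id", "patient_id", "ip", "phone", "mrn"];
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const IPV4_RE = /\b\d{1,3}(\.\d{1,3}){3}\b/;

// Decide whether a pixel may fire on this page: never on authenticated pages,
// only on allowlisted paths, and never when the URL carries a query string
// (search terms, appointment ids or portal tokens often travel there).
function pixelGate({ path, authenticated, query }) {
  if (authenticated) return { allowed: false, reason: "authenticated page" };
  if (query) return { allowed: false, reason: "query string present" };
  if (!PIXEL_ALLOWED_PATHS.includes(path)) return { allowed: false, reason: "path not allowlisted" };
  return { allowed: true, reason: "ok" };
}

// Drop identifier fields and any string value that looks like an email or IPv4
// address. Returns a new object so the first-party analytics copy stays intact.
function scrubPayload(payload) {
  const out = {};
  for (const [key, value] of Object.entries(payload)) {
    if (IDENTIFIER_KEYS.includes(key.toLowerCase())) continue;
    if (typeof value === "string" && (EMAIL_RE.test(value) || IPV4_RE.test(value))) continue;
    out[key] = value;
  }
  return out;
}

// Returns the scrubbed event to hand to the pixel, or null when it must not fire.
function prepareAdEvent(pageContext, payload) {
  const gate = pixelGate(pageContext);
  if (!gate.allowed) return null;
  return scrubPayload(payload);
}

// A broad "site_visit" audience (tip 3) needs nothing beyond the event name.
// The page context and payload below are constructed sample input.
const sample = prepareAdEvent(
  { path: "/", authenticated: false, query: "" },
  { event: "site_visit", email: "jane@example.com", note: "from 203.0.113.5" }
);
```

Run against the sample input, `sample` comes back as `{ event: "site_visit" }`; the same call on a portal page or a treatment subpage returns `null`, so no pixel request is made at all.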

Real-world HIPAA marketing scenarios

The compliance of your retargeting ads depends on your practice’s specialization. Consider these real-world scenarios:

Scenario 1: General health insurance (Low risk)

  • Setup: Health insurance provider creating a remarketing campaign for users who visited the website
  • Targeting: Website visitors
  • Ad content: General insurance benefits
  • PHI involved: No unique identifiers, no health condition data
  • Compliance assessment: ✅ Likely compliant if properly de-identified

Scenario 2: Fertility clinic (High risk)

  • Setup: Fertility clinic retargeting based on page visits
  • Targeting: Users who visited specific treatment pages
  • Ad content: Fertility services
  • PHI involved: Website visit reveals potential infertility issues
  • Compliance assessment: ⚠️ High risk – visiting the fertility clinic site discloses sensitive health information

Scenario 3: Dermatology clinic (Medium risk)

  • Setup: Dermatological clinic remarketing campaign
  • Targeting: Website visitors who searched for dermatitis treatment
  • Ad content Option A: “Get dermatitis treatment at [Clinic]” → ❌ Violates privacy
  • Ad content Option B: “Expert dermatology care at [Clinic]” → ✅ Likely compliant (general messaging)
  • Compliance assessment: Depends on ad specificity

Critical principle: The more specialized your practice area and the more specific your ad messaging, the higher your HIPAA risk.

Consider implementing search engine advertising (SEA) or contextual targeting using keywords instead of PHI. You can also integrate ad platform data with HIPAA-compliant analytics, such as Piwik PRO, to evaluate performance without exposing data to Google or Facebook.

How to run compliant marketing campaigns under HIPAA

HIPAA-covered entities can engage in compliant marketing by following these strategies:

Content marketing

  • Create educational content that does not require PHI, such as blog posts on health topics, videos about common medical conditions, and infographics on preventive care.
  • Focus on general health information rather than specific patient cases.

Social media engagement

  • Use social media to share general health tips and wellness advice, avoiding discussions of specific patient cases.
  • Implement disclaimers to clarify that direct medical advice is not provided on social platforms.
  • Educate staff on HIPAA-compliant social media practices.

Email marketing

  • Obtain proper consent for marketing emails and use secure, HIPAA-compliant email platforms.
  • Focus on general health information and practice updates rather than personalized health data.

Onsite retargeting and personalization

  • Reengage patients directly on your website or inside your app and serve them special offers, discounts, or recommendations. 
  • Get upsell and cross-sell opportunities that may not require patient authorization.

Despite your best efforts, marketing campaigns run on popular advertising platforms always pose some compliance risks. For greater peace of mind, consider investing in a safe first-party data ecosystem to use the potential of PHI in a way that fully respects HIPAA.

The benefits of a first-party data marketing strategy include:

  • Better compliance – Direct data collection provides full control and transparency, helping you comply with data protection laws such as HIPAA. 
  • Higher data accuracy – Data comes directly from patients, not aggregated sources, making it more relevant to your business.
  • Patient trust – Transparency about data use builds stronger relationships.
  • Enhanced personalization – Granular user data lets you personalize patient experiences and better resonate with them. It also lets you create detailed segments of users based on demographics or health plan details.
  • Increased customer engagement – Direct relationships with visitors and previous patients create opportunities for optimizing customer experiences.

Customer data platforms (CDPs) and HIPAA compliance

You can use a customer data platform (CDP) to establish and manage a first-party data strategy. 

A HIPAA-compliant CDP, like Piwik PRO Data Activation, unifies data from analytics, email, CRM, consent managers, and offline sources into unified patient records. It centralizes consent management and ensures compliance across all connected systems.

One of the key features of a CDP is data activation, which allows you to target users with relevant content or recommendations, such as:

  • Create tailored treatment or medication plans and share them with patients via secure portals or apps.
  • Show real-time on-site banners to encourage users to learn more about your services.
  • Send emails reminding users to complete their booking for a test or a doctor’s visit.
  • Provide recommendations for higher treatment plans for frequent users.

How to find a HIPAA-compliant marketing vendor

A HIPAA-compliant MarTech vendor must sign a BAA, obligating both parties to protect PHI and comply with HIPAA’s guidelines. This means ensuring compliance with the proper standards for data encryption, private hosting, data minimization, and other safety measures required by the act.

Look for additional security features in your chosen marketing tools, such as:

  • User authentication: Unique login credentials with two-factor authentication (2FA).
  • Access controls: Role-based access limiting PHI exposure.
  • Audit logs: Track data access patterns to detect breaches.
  • End-to-end encryption: For all PHI creation, storage, and transmission.
  • Encrypted backups: Offsite storage with recovery capabilities.

Piwik PRO offers a BAA tailored to your needs, HIPAA-compliant US data centers, encrypted backups, audit logs, and complete data control. 

Learn more about Piwik PRO and HIPAA-compliant analytics.

If the vendor you choose won’t sign a BAA with you, you need to de-identify all data that can be considered PHI before sharing it with the vendor. At the same time, de-identified data lacks valuable information that would make your marketing campaigns more effective.

On-premises hosting often eliminates BAA requirements since vendors don’t access your infrastructure. However, this requires significant IT resources that not every company has. For a middle-ground solution, explore other secure, less resource-intensive options, such as a private cloud.

Marketing and HIPAA: A summary

Using popular ad platforms or non-compliant marketing platforms in healthcare puts organizations at risk of data breaches and regulatory non-compliance. Consider these alternatives: 

  • On-site personalization instead of third-party retargeting
  • First-party data strategies for better compliance, accuracy, and patient trust
  • HIPAA-compliant platforms with BAA support (analytics, CDPs, email tools) 
  • Educational content marketing that doesn’t require PHI 

Frequently Asked Questions about HIPAA marketing

Can I use Google Analytics for healthcare marketing?

Google Analytics 4 does not sign BAAs and explicitly states in its terms that it should not be used in ways that expose Google to PHI. Healthcare organizations must either implement extensive de-identification or switch to HIPAA-compliant alternatives.

Do I need patient authorization for email newsletters about general health topics?

No, if the content is educational and doesn’t promote specific products/services for purchase, it typically doesn’t qualify as “marketing” under HIPAA and doesn’t require authorization.

What’s the difference between de-identified data and anonymized data under HIPAA?

De-identified data has all 18 HIPAA identifiers removed and meets Safe Harbor standards. Anonymized data cannot be re-identified. Both can be used without authorization, but de-identification has specific HIPAA requirements.

Can I retarget patients who visited my appointment booking page?

Yes, but only with broad, non-specific targeting that doesn’t reveal health information. For example, you can target “website visitors” with general clinic promotions, but not “users who visited fertility treatment pages” with fertility-specific ads.