Penrod Blog

How Legal Teams Enforce HIPAA Compliant Digital Ads

What your marketing team needs to know

Written by Matt Fiel

Marketing teams focus on optimizing digital ad campaigns across Google Ads, Meta, and other platforms to reach the widest audience possible and increase click-through rates (CTRs) and conversions. Aggressive optimization directly conflicts with the legal team's mission to ensure compliance and minimize risk. The least risky option is to shut off digital advertising completely. However, this is untenable from a business perspective – the opportunity cost of shutting down advertising is too great. Additionally, with the proper guidance from the legal team, there are ways to ensure the marketing team can leverage the most powerful ad platforms while making the risk negligible.

Here are the high-level considerations you must enforce with the marketing team when they run digital ads.

Thinking Man

Make sure your marketing team complies with the Ad Platform’s internal policies

Apart from government regulations like HIPAA, the first barrier to risk are the guidelines of your ad platforms. Most digital ad platforms have internal policies specifically written for healthcare-based advertising. Restrictions are particularly stringent when it comes to pharmaceutical companies, but each platform has its own policies that must be adhered to.

Google Ads
Google Ads has various content, search terms, location, and sub-industry restrictions. While your marketing team should already be following these, the legal team should run regular audits to ensure compliance.

Read Google Ads healthcare marketer policy

Facebook and Meta Ads
Meta’s policies are slightly less specific than Google’s, but they focus on ensuring that ads don’t make misleading claims or generate negative self-perceptions among users.

Read Meta Ads healthcare marketing policy

Make sure your marketing team isn’t relying on third-party non-BAA vendors to redact identifiers or PHI.

Some ad platforms claim that they remove certain identifiers before they are stored. As a result, marketers may believe that a HIPAA violation isn’t occurring. However, according to Health and Human Services (HHS), this is not permissible.

The HHS specifies that it is  “insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information.”

Make sure your marketing team has BAAs in place with vendors who offer them.

Business associate agreements (BAAs) are a blanket of protection from violation. Make sure your marketing team has them in place with those who offer them. Just remember that the majority of ad platforms do not offer them, so those require different compliance solutions.

Commonly Offers BAAs:

  • CRMs
  • Marketing Automation Tools
  • Paid Websites Analytics Platforms
  • Consent Management Platforms

Usually Doesn’t Offer BAAs:

  • Content Management Systems
  • Ad Platforms (Google Ads, Meta, Facebook, X, LinkedIn, and Pinterest)

BAAs must indicate what a vendor is permitted to do and what it is required to do with the data it receives. Additionally, the vendor must agree to disclose security issues, breaches, and more.

Additionally, your marketing team can use a customer data platform as an intermediary between your digital properties and non-compliant digital ads platforms to redact PHI or de-identify users.

Make sure your marketing team knows a privacy policy or consent isn’t enough.

Some marketers think that third-party trackers are OK as long as they inform visitors of their use in the privacy policy or consent pop-up. This isn’t the case. According to Health and Human Services guidance, they do “not permit disclosures of PHI to a tracking technology vendor based solely on a regulated entity informing individuals in its privacy policy, notice, or terms and conditions of use that it plans to make such disclosures. Regulated entities must ensure that all tracking technology vendors have signed a BAA”

Make sure your marketing team isn’t mixing protected health information with user identifiers.

The recent AHA ruling in Texas confirmed that user identifiers more specific than IP addresses can be interpreted as user identifiers from a HIPAA perspective. Most ad platforms collect a variety of digital information about a user. Ensure your marketing team isn’t pairing any of the following with PHI:

  • Click IDs
  • Device IDs
  • User Names
  • Email Addresses
  • IP Addresses

Make sure your marketing team isn’t using non-BAA trackers on authenticated healthcare portals

The OCR ruling was surprising because it called into question trackers on unauthenticated pages. However, using these third-party trackers on authenticated pages, like myChart or other healthcare portals, remains a huge red flag. Ensure your marketing team hasn’t mistakenly or intentionally added trackers for Google Ads, Google Analytics, Meta Ads, or others on any healthcare portals users log in to. If your marketing uses a third-party tracker on a page like this, they must have a signed BAA with that vendor.

Conclusion

Ensuring HIPAA-compliant digital advertising is not just about avoiding violations; it’s about maintaining trust and integrity in your healthcare brand. As the legal team, your job is to mitigate risk by ensuring the marketing team isn’t using ad platforms in a manner that violates HIPAA.

By enforcing the right policies, you can make sure your marketing team uses powerful ad platforms while minimizing risk.

About The Author


Matt Fiel

EVP of Marketing

With over 15 years of experience in marketing strategy, web development, and creative design, I lead the marketing team at Penrod, a boutique Salesforce partner focused on the healthcare and life sciences industry. As a Salesforce Certified Pardot Consultant, I have deep knowledge and skills in leveraging the platform to optimize marketing automation, lead generation, and customer engagement.

Ready to get compliant?

Get a free HIPAA compliance action plan for your digital ads.

Schedule a 30-minute consultation.

 

Related Resources

07/01/20

Is Salesforce Health Cloud the Right Fit for Your Organization?

At Penrod, we often have health care clients ask if Salesforce Health Cloud is the right fit for them. From satellite clinics to larger healthcare systems and specialty…

# Blog # Health Cloud # Health Providers
Read More

07/31/24

5 Dreamforce 24′ Sessions We’re Excited About

Whether you're joining in-person or virtually, here are the sessions we're particularly interested in.

# Blog # Health Providers # Labs # Medical Device # News
Read More

07/22/24

How Legal Teams Enforce HIPAA Compliant Digital Ads

Learn what the ruling in the AHA lawsuit means for healthcare companies, what could still change, and what you need to do next.

# Blog # Health Providers # Labs # Medical Device # Pharma
Read More

07/09/24

What the AHA Lawsuit Means for Healthcare and Tracking Tech

The US District Court for the Northern District of Texas Fort Worth Division has written the next chapter on how providers across the United States will interpret the…

# Blog # Health Providers # Labs # Medical Device # Pharma
Read More

07/09/24

Google Ads and HIPAA Compliance

Learn how to navigate the choppy waters of regulatory compliance in this comprehensive guide on Meta Ads and HIPAA.

# Blog # Health Providers # Labs # Medical Device # Pharma
Read More

06/25/24

Meta Ads and HIPAA Compliance

Learn how to navigate the choppy waters of regulatory compliance in this comprehensive guide on Meta Ads and HIPAA.

# Blog # Health Providers
Read More

06/25/24

A Complete Guide to the OCR Ruling

What HIPAA-regulated agencies need to know about online tracking technologies on their mobile applications and websites.

# Blog # Health Providers
Read More