Penrod Blog

Meta Ads and HIPAA Compliance

Navigating the Choppy Waters of Compliance

While there are many ways to market healthcare services online, Meta Ads is theoretically the most powerful of them. The ads leverage Meta's immense reach and precise targeting to push promotional messages to the right audience at the right time.

Then again, using Meta Ads in healthcare is controversial. Meta Ads are not HIPAA compliant out of the box; they become compliant only when you tailor how you use them to HIPAA's strict requirements.

An Overview of the Platforms Meta Controls

When you use Meta Ads, you can target millions of users across Meta's platforms: over 2.9 billion monthly active users on Facebook and 2.4 billion monthly active users on Instagram.

Run with the right strategy, Meta Ads improve your brand's visibility to the online community, which can attract millions of prospects.

Reasons to Use Meta Ads With Caution: Fines and Violations That Have Occurred

Although Meta Ads is a powerful marketing platform, running a successful campaign in the healthcare industry is not easy. You have to be careful about what goes into the ads, lest you attract severe penalties that can amount to millions of dollars.

For instance, in 2023, BetterHelp, a mental health organization, disclosed sensitive patient information to Facebook and Snapchat. As a result, the FTC penalized BetterHelp around $7.8 million.

Meta’s Policy Restrictions on Healthcare Advertising

Just like any content posted on Meta platforms (Facebook and Instagram), healthcare ads must meet Meta's community standards. Meta instituted these restrictions to reduce the spread of misinformation and protect user privacy.

Broadly, there are two significant restrictions on health ads. First, Meta allows medical companies to promote their products, but the ads must not make misleading claims or generate negative self-perceptions among users.

Second, health companies selling prescription drugs need written permission from Facebook before running their ads. This requirement is meant to ensure that the advertisements comply with Meta's policies and with other applicable rules, including HIPAA.

Meta Ads and Regulatory Restrictions: Why are Meta Ads Not HIPAA Compliant?

Even with Meta's rules on medical ads, the promotions still fall short in other regulatory respects. For instance, Meta Pixel collects sensitive data such as form submissions and page titles alongside user identifiers.

Meta uses insights from the tracking code to identify users accurately, which conflicts with HIPAA's rules. Other notable shortcomings of Meta Ads when it comes to HIPAA compliance include the following:

1. Meta Ads Have User Identifiers

Ad clicks from Meta platforms, like Facebook and Instagram, have user identifiers embedded within them. These identifiers include IP addresses, cookies, device information, and a unique user ID.

Since these identifiers can reveal detailed information about the user who clicked on the ad, you can be penalized under HIPAA. The law requires health organizations to secure patient data and keep it confidential.

2. Meta Uses Information from Your Site to Create Lookalike Audiences

Meta's pixel code collects sensitive information from your site, including user form submissions, medical visits, and health service usage, which is against HIPAA. Meta then uses this PHI to identify and target new users who could be interested in the services you offer.

3. Meta Doesn’t Sign a BAA

HIPAA requires third parties that access PHI to sign a Business Associate Agreement (BAA). However, Meta does not sign BAAs. This means Meta makes no commitment to protect PHI collected through advertising activities.

Ways to Use Meta Ads in a Compliant Way

Despite the restrictions from HIPAA and Meta, your healthcare organization cannot afford to stay away from Meta Ads, because the ads help you target and reach a large audience with precision. At the same time, since you cannot afford to breach HIPAA's regulations, here are the top ways to use Meta Ads in a compliant way.

1. Use a Server-Side Conversion Solution

When using Meta Ads, use a server-side conversion solution. The solution, ideally a customer data platform (CDP), isolates and stores sensitive PHI on your own servers and forwards only the remaining data to Meta. This isolation keeps the sensitive information on a server you control.

2. Sign a BAA When Working With an Intermediary

At times, you might need a third party like Salesforce Data Cloud to help you run Meta Ads. If these intermediaries get access to PHI, make sure they sign a Business Associate Agreement before you begin working together.

The BAA ensures that the intermediary adheres to HIPAA’s privacy and security standards when handling your marketing data.

3. Do Not Pair PHI with Identifiers During Conversion Events

During conversion events, limit the data sent to Meta to the email address only. By all means, avoid pairing even this basic contact information with Protected Health Information, so that nothing leaving your server ties an identifiable person to a health condition or service.

4. Don’t Create Lookalike Audiences from PHI

When creating lookalike audiences, do not seed them with Protected Health Information. Instead, use broad targeting criteria such as age ranges, geographic location, and general interests to build the audiences without going against HIPAA.

5. Avoid Retargeting Ads that Rely on PHI Visitor Behavior

Arguably, retargeting is a crucial part of a successful Meta Ads campaign. The strategy lets you reach users who have previously interacted with your website but never took the desired action.

Although powerful, retargeting in healthcare is problematic because it relies on visitor behavior that constitutes PHI, such as the health pages a person viewed. This is why Penrod generally does not recommend retargeting for healthcare services.

Let Penrod Help You Get the Most From Meta Ads

Running Meta Ads in the healthcare sector is a complex task. You have to market within both HIPAA's and Meta's restrictions. Otherwise, you risk non-compliance, which can result in a loss of reputation and hefty monetary penalties.

At Penrod, we help clients navigate the complexities of Meta Ads and HIPAA. We will help you create and optimize ad campaigns that reach target audiences without disclosing sensitive patient health information. Fill out the form below to get a free OCR compliance consultation.

Ready to get compliant?

Get a free OCR compliance action plan.

Schedule a 30-minute consultation and get compliant.