With billions of users, Facebook Ads present an enticing opportunity for marketers. However, recent high-profile lawsuits have made healthcare companies wary of jeopardizing their reputations, even when significant marketing rewards are on the line.
Like Google Ads, Bing Ads, and other digital advertising platforms, Facebook Ads pose risks for healthcare organizations. The challenge arises from how the Meta Pixel associates user identifiers with protected health information (PHI) on landing pages.
Meta, the parent company of Facebook Ads, will not enter into business associate agreements (BAAs) with healthcare companies. Without a BAA, a covered entity cannot lawfully disclose PHI to Meta, so Meta may not receive or store it. In light of the HHS Office for Civil Rights (OCR) bulletin on tracking technologies, covered entities face a difficult choice: discontinue their Facebook Ads campaigns to eliminate the risk, or keep running them and expose themselves to substantial lawsuits.
Preventing the Meta Pixel from sending protected health information to Facebook
Salesforce Data Cloud, a HIPAA-compliant customer data platform (CDP)
HIPAA-compliant marketing on Facebook Ads, Safeguarded PHI
Healthcare companies are prohibited from combining Protected Health Information (PHI) with conversion events, because Meta will not sign a business associate agreement (BAA) for Facebook Ads. In digital advertising, PHI is broader than most marketers expect: it is any information about an individual's health, care, or payment for care that can be tied to that individual, which includes any element on a landing page that reveals a visitor's intent to address a health condition or ailment once it is paired with an identifier for that visitor.
PHI extends beyond just the data users provide in forms; it can also be reflected in landing page titles, URLs, content, and any visible information. Facebook Ads enables visitor tracking through the "Meta Pixel," a tool that captures customer interactions on your website. This allows you to monitor conversions and create remarketing audiences. To facilitate conversions, the Meta Pixel gathers both user identifiers and content identifiers.
The Meta Pixel identifies users with the following data points:
Facebook Ads identifies the content that drives conversions using the following parameters:
Together, these Meta Pixel parameters let Facebook Ads pinpoint who converted on which pages for specific advertisements. Retaining Facebook conversion data is crucial for assessing ad performance, but combining the content-describing fields with the user identifiers creates exactly the PHI disclosure HIPAA forbids. To keep Facebook Ads HIPAA compliant, the conversion event must be retained while any PHI is completely redacted from parameters such as event_source_url, content_type, and action_source before the event reaches Meta.
Here is a diagram of what we're trying to achieve:
Covered entities require an intermediary to bridge the gap between themselves and non-compliant platforms like Facebook Ads. The OCR Bulletin on tracking technologies makes the rule explicit: any vendor that receives PHI from a covered entity must be under a BAA, otherwise the data must be de-identified before it is disclosed. A customer data platform (CDP) that will sign a BAA fills that role. Salesforce Data Cloud, a leading CDP, is prepared to enter into a BAA with covered entities, so PHI and the user identifiers collected by the Meta Pixel can be joined and stored there under the agreement.
To make Facebook Ads HIPAA compliant, we implemented a secure server-side container that sits between the visitor's browser and Meta and processes every event before it is forwarded, alongside a Customer Data Platform (CDP) such as Salesforce Data Cloud for storing the full, unredacted data under the BAA.
The resulting platform architecture for addressing the HIPAA-compliant Facebook Ads use case is structured as follows:
With this setup, the user identifiers from the Meta Pixel are never sent to Meta together with PHI; the only place the two are joined is the BAA-covered CDP. That lets covered entities run effective marketing campaigns on Facebook Ads while still measuring conversions.