
HIPAA Compliant Instagram Ads with Salesforce Data Cloud

See how healthcare companies can use Salesforce Data Cloud to make Instagram Ads HIPAA-compliant


Instagram Ads isn't HIPAA-compliant out of the box.

With approximately 2.4 billion active users, Instagram Ads offer a compelling opportunity for marketers. However, recent high-profile lawsuits have made healthcare organizations cautious, as the potential for reputational damage often outweighs even significant marketing benefits.

Similar to platforms like Facebook, Google Ads and Bing Ads, Instagram Ads present unique risks for healthcare companies. The primary concern lies in the way the Meta Pixel links user identifiers to protected health information (PHI) on landing pages.

Meta, the parent company of Instagram and Facebook, declines to enter into business associate agreements (BAAs) with healthcare organizations. Without these agreements, Meta is legally prohibited from collecting or storing PHI. Following the Health and Human Services (HHS) guidance on tracking technologies, healthcare entities face a tough decision: either mitigate risks by suspending Instagram Ad campaigns or continue, knowing they may be vulnerable to costly lawsuits.

Challenge

Preventing the Meta Pixel from sending protected health information to Instagram

Solution

Salesforce Data Cloud, a HIPAA-compliant customer data platform (CDP)

Results

HIPAA-compliant marketing on Instagram Ads, safeguarded PHI

Solving the Use Case

Healthcare organizations are prohibited from combining Protected Health Information (PHI) with conversion events because Instagram Ads does not enter into business associate agreements (BAAs). In the context of digital advertising, PHI encompasses a broad spectrum of data, including any information on a landing page that indicates a visitor's intent to seek treatment for a health condition.

PHI goes beyond the data users actively submit, such as form entries. It can also include landing page titles, URLs, content, and other visible elements. Instagram Ads employs the "Meta Pixel," the same code Facebook uses, to track visitor interactions on websites, enabling advertisers to monitor conversions and build remarketing audiences. This tool collects both user identifiers and content-related data to optimize ad performance.

The Meta Pixel identifies users with the following data points:

  • fn
    Represents the first name. Instagram requires this value to be hashed.
  • ln
    Represents the last name. Instagram requires this value to be hashed.
  • em
    Represents the email address. Instagram requires this value to be hashed.
  • ph
    Represents the phone number. Instagram requires this value to be hashed.
  • db
    Date of birth. Instagram requires this value to be hashed.
  • fb_login_id
    Issued when a user logs into the Instagram app.
  • fbc
    Represents the Instagram click ID and tracks user journeys after clicking on an ad.
  • client_ip_address
    IP address of the user's browser.

Instagram Ads identifies the content that drives conversions using the following parameters:

  • content_category
    Designates the category of the content.
  • content_type
    Designates the type of content.
  • content_name
    Designates the name of the content.
  • action_source
    Includes specific datapoints of where the conversion took place, such as email, website, chat, phone, or physical location.
  • referral_url
    Previous URL that led to the conversion page.
  • event_source_url
    URL of where the event took place.

Each Meta Pixel parameter enables Instagram Ads to identify which users converted on specific pages in response to particular advertisements. Retaining conversion data is essential for evaluating the effectiveness of ad campaigns. However, combining sensitive information with identifiable data poses a significant risk of violating HIPAA regulations.

To maintain HIPAA compliance while using Instagram Ads, organizations must ensure that conversion data is preserved without including any Protected Health Information (PHI). This requires fully redacting PHI from parameters such as action_source, event_source_url, and content_type before sharing data with Instagram Ads.

Here is a diagram of what we're trying to achieve:

[Diagram: HIPAA Compliant Instagram Ads]

Covered entities need an intermediary to bridge the compliance gap when using non-compliant platforms like Instagram Ads. Recent updates to the OCR Bulletin from the Department of Health and Human Services (HHS) recommend that marketers safeguard PHI by leveraging a secure Customer Data Platform (CDP). This approach ensures that PHI is appropriately protected while enabling marketing efforts to continue within regulatory guidelines. Salesforce Data Cloud, a leading Customer Data Platform (CDP) recognized in the Gartner Magic Quadrant, is equipped to enter into a Business Associate Agreement (BAA) with covered entities. This agreement provides the legal framework for managing healthcare data in compliance with HIPAA, allowing organizations to handle user identifiers collected via the Meta Pixel securely and responsibly.

The Platform

To achieve HIPAA compliance with Instagram Ads, we implement a secure server-side container for data processing, paired with a robust Customer Data Platform (CDP) such as Salesforce Data Cloud for safe and compliant data storage.

  • The CDP collects PHI and identifiers from web conversions.
  • A secure server-side container executes redaction scripts to remove PHI from page titles, content, user-provided data, and more, guaranteeing that sensitive data doesn't reach Instagram Ads.
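
The redaction step described above, written as an allowlist filter over the parameters this page lists. This is an added example, not code from this page or from Salesforce or Meta; the event shape, the names `redactEvent` and `redactUrl`, the sample values and the SHA-256 hex check on hashed identifiers are assumptions.

```javascript
'use strict';
// Constructed policy: the only fields allowed to leave the server-side container.
const HASHED_IDS = ['fn', 'ln', 'em', 'ph', 'db'];
const OPAQUE_IDS = ['fb_login_id', 'fbc', 'client_ip_address'];
const ALLOWED_SOURCES = ['email', 'website', 'chat', 'phone'];
const SHA256_HEX = /^[0-9a-f]{64}$/; // assumption: hashes are SHA-256 hex digests

// Keep scheme and host only; path, query and fragment can name a condition.
function redactUrl(raw) {
  try { return new URL(raw).origin + '/'; } catch (e) { return undefined; }
}

// Returns the payload that is safe to forward plus the list of removed fields.
// event_name is assumed to be a generic event name that carries no PHI.
function redactEvent(event) {
  const removed = [];
  const payload = { event_name: event.event_name, event_time: event.event_time, user_data: {} };
  for (const [key, value] of Object.entries(event.user_data || {})) {
    // An unhashed identifier (for example a raw phone number) is dropped, not forwarded.
    const ok = (HASHED_IDS.includes(key) && SHA256_HEX.test(value)) ||
               (OPAQUE_IDS.includes(key) && typeof value === 'string');
    if (ok) payload.user_data[key] = value; else removed.push('user_data.' + key);
  }
  for (const key of Object.keys(event)) {
    if (['event_name', 'event_time', 'user_data'].includes(key)) continue;
    if (key === 'action_source' && ALLOWED_SOURCES.includes(event[key])) {
      payload.action_source = event[key];
    } else if (key === 'event_source_url' || key === 'referral_url') {
      const safe = redactUrl(event[key]);
      if (safe) { payload[key] = safe; removed.push(key + ' path/query'); }
      else removed.push(key); // unparseable URL: send nothing
    } else {
      removed.push(key); // content_*, page titles, form fields: never forwarded
    }
  }
  return { payload, removed };
}

// Constructed sample event as it might reach the container.
const sample = {
  event_name: 'Lead', event_time: 1700000000, action_source: 'website',
  event_source_url: 'https://clinic.example/oncology/book?reason=biopsy',
  referral_url: 'https://clinic.example/conditions/melanoma',
  content_name: 'Melanoma screening', content_category: 'oncology', page_title: 'Book a biopsy',
  user_data: { em: 'a'.repeat(64), ph: '+15555550100', fbc: 'fb.1.1700000000.constructedClickId' },
};
console.log(JSON.stringify(redactEvent(sample), null, 2));
```

The `removed` list is meant for an audit log kept inside the compliant environment, so that a new field added to the site is noticed before anyone decides whether it may be forwarded.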

The platform architecture for Instagram Ads is structured like this:

[Diagram: HIPAA compliant Instagram Ads with a Customer Data Platform]

Our environment makes sure that user identifiers from the Meta Pixel are never linked to PHI, helping covered entities to launch effective marketing campaigns using Instagram Ads.

Redacted PHI

Retained Conversion Data

Compliant Retargeting
