Skip to Main Content
Close
Ready to talk?
Give us a call at: 770-534-2515
is retargeting hipaa compliant

Can Healthcare Organizations Do Retargeting Ads?

What many people recognize as “the ads that follow you around the Internet,” retargeting is a type of advertising where you can show ads to people who previously visited your website or app. This type of advertising is a powerful tool to help close the deal with individuals who’ve already shown an interest in your services or products. 

As marketers, we love to have the most granular data available to help grow our businesses and show ROI, and as healthcare marketers, we share the same responsibilities as our counterparts in the clinical setting to safeguard the data of patients. We’re entering a new era of online privacy, where regulators and lawmakers are paying more attention to digital advertising practices. But advertising giants like Google and Facebook are about as transparent about their data collection practices as mud.  

Here at Full Media, we’re consistently investing resources to stay on top of the latest federal and state guidance and to research the technology and best practices to develop new ways to help our clients doing marketing and keep patient data safe. 

We don’t know all the answers, and we certainly aren’t qualified to give legal advice. But as a healthcare-specialized digital marketing agency, we wanted to share what we do know about retargeting and healthcare.

Advertiser policies on retargeting healthcare services

If you’re considering retargeting for healthcare, first consider whether the advertising platform will even allow it.

While it may be legal to advertise certain types of products and services, advertising platforms have the right to decide their own terms and services. They may ban or restrict certain types of advertising on their platform for sensitive topics, and healthcare is often one of those sensitive areas. 

Google Ads Healthcare Policies

Google’s healthcare in personalized advertising policy does not allow those advertising medical services and products used to treat physical or mental conditions or disabilities to use custom audiences. Custom audiences include:

  • Customer Match
  • Your data segments (retargeting audiences)
  • Similar segments
  • Custom segments

Meta Ads Healthcare Policies

Meta Ads allow healthcare advertisers to upload lists with customer data or use the Meta Pixel to collect user data from their website to build a retargeting list. There are some restrictions around healthcare advertising to consider, including:

  • Meta’s Personal Health & Appearance policy, which requires that ad content must not imply or attempt to generate negative self-perception in order to promote diet, weight loss, or other health-related products.
  • Meta’s Personal Attributes policy, which requires that ads must not contain content that asserts or implies personal attributes like disability, physical or mental health (including medical conditions).

Other ad networks

Each ad network may have its own policies and terms around the usage of retargeting and other personalized advertising. The fact remains, however, that the advertising network does not have the same burden of responsibility for safeguarding patient data as the healthcare provider does. HIPAA regulations apply to “covered entities,” which are organizations that submit healthcare claims to obtain payment.

It's important to use an abundance of caution when sharing personally identifiable data about patients or potential patients to third parties.

Retargeting that doesn't promote medical services

Advertisers may allow healthcare companies that are not promoting medical services and products to use retargeting. Some examples of these types of advertising might include:

  • B2B healthcare services, like executive medicine, occupational health, GPO and more
  • Medical education, residencies and fellowships
  • Medical careers / advertising to clinicians searching for jobs

Sometimes these types of organizations can run into issues with advertising platforms and need to appeal decisions if the policy review team has miscategorized their business. Health systems, hospitals and physician groups may also get disapproved for retargeting if they send these ads to the same website where they also market medical services and products. For example, if a health system is trying to use retargeting to promote careers, but their careers pages live within their main health system website, they may not be able to use retargeting. 

We recommend exercising caution anytime you’re trying to use retargeting advertising on a main health system, hospital or physician group domain, even if it’s not advertising geared towards patients. 

Retargeting audiences, if they aren’t set up appropriately, can scoop up vast amounts of user data and provide them to advertising platforms. It would be easy to unintentionally collect patient data. Especially for larger healthcare organizations, many of its employees are also its patients! While we may not intend to send them advertising related to medical conditions, healthcare providers are held to a different standard when it comes to protecting all potential or current patient data. 

Is retargeting HIPAA compliant?

The Office of Civil Rights’ latest guidance seems to indicate that the federal government is concerned anytime a healthcare organization allows a large technology company to access an individual’s identifying information alongside any information that may indicate their medical conditions. 

While many advertisers claim to collect and then de-identify or aggregate data, this is insufficient according to the OCR. The healthcare website cannot give them access to this data at all, regardless of what the advertising platform does with the data afterward.   

Google Retargeting Tag / Google Signals

Google offers businesses two methods to build an audience for retargeting: the Google retargeting tag and Google Signals. Again, the first thing to remember is that it’s against Google’s policy to use retargeting audiences to market healthcare services. The second thing to remember is that Google collects a lot of data out of the box that may violate the OCR’s new guidelines. 

Beyond IP address, Google Signals tracks a user who is logged in to Google in their device or their browser across their different sessions and devices. Presumably, this would mean that Google understands who this user is and can connect that to all kinds of data from your Google Analytics account. This is pretty sticky territory at that point. 

Our ultimate recommendation is that Google Ads retargeting is just too risky.

Meta Pixel

What makes the Meta Pixel so powerful is that it takes information from your website, like the pages an individual viewed or the actions they took, then connects it back to their individual social media account. Unlike Google, which often must guess who we are and what our interests are, we tell social media platforms who we are outright. 

If you use an analytics proxy such as server-side Google Tag Manager or a Customer Data Platform to run the Meta Pixel on your website, it will not send back the data that the Meta Pixel needs to identify and retarget to individual accounts. At most, it will send back a total count of conversions, associated with a campaign or creative. This will enable you to tell which campaigns, creative or targeting are working best within Meta’s platform, but it will not give you the powerful audience targeting non-healthcare businesses benefit from. 

There just doesn’t seem to be a path to do HIPAA-compliant Meta retargeting. 

HIPAA regulations are evolving.

With the OCR, the FTC and even state legislators wading into the murky waters of online data privacy, it’s created significant margin for interpretation. Google and Meta have yet to answer these questions directly by providing more transparency in their data collection and targeting practices. Moreover, these new regulations do not address every platform or scenario. 

So, what is a healthcare marketer to do? It’s time to develop a closer relationship with your organization’s legal counsel. Make sure you work with vendors who are educated about these issues. And finally, consider different advertising approaches to get in front of patients, while offloading your careers or educational marketing to a subdomain to be safe.
 

Talk with our experts

Ready to get started? Contact our team to discuss your marketing and analytics needs.