HIPAA + digital marketing: 8 simple rules for clarity

A recent lawsuit seems to have confused marketers about HIPAA, digital marketing, and what’s allowed when it comes to retargeting.

In that lawsuit, the hospital had installed a Facebook pixel inside its patient portal in order to retarget patients. The portal is a private area, only accessible after logging in.

That isn’t allowed: behind a login, the pixel can tie the browsing activity to an identifiable individual, so it discloses that person’s protected health information. If it isn’t obvious why, here’s the specific explanation from HHS (I’ve highlighted the important sentences below):

“Regulated entities may have user-authenticated webpages, which require a user to log in before they are able to access the webpage, such as a patient or health plan beneficiary portal or a telehealth platform. Tracking technologies on a regulated entity’s user-authenticated webpages generally have access to PHI.

Such PHI may include, for example, an individual’s IP address, medical record number, home or email addresses, dates of appointments, or other identifying information that the individual may provide when interacting with the webpage. Tracking technologies within user-authenticated webpages may even have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal.

Therefore, a regulated entity must configure any user-authenticated webpages that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule.”

To do what they did compliantly, they’d have to use HIPAA compliant tracking software (the Facebook pixel isn’t HIPAA compliant).

According to the HIPAA Privacy Rule, they’d also need written authorization (like this example) from each patient before marketing to them.

But that doesn’t make all retargeting configurations a breach of HIPAA. If only HIPAA and digital marketing were that simple.

Since retargeting requires users to be somewhere you’d actually want to reach them, Google and Facebook tend to be the most popular options. Neither is HIPAA compliant for retargeting, which means their pixels can only go on pages that aren’t HIPAA protected.

If you use HIPAA compliant tracking instead of Google Analytics, you’ll be able to collect more data, but you’ll still need written authorization before you can retarget those people.

And you’ll still need a way to make sure they can’t be identified or have health information shared while retargeting them on Google and Facebook. At the time of writing this, I can’t think of a single way that’s possible.

I know this was a lot to digest right off the bat, so in an attempt to make it easier to wrap your head around, I’ve broken HIPAA and digital marketing down into eight rules that’ll help you get clearer on what’s possible if you’re running digital ad campaigns for clinics.


Before diving into the first rule, let me clarify that this isn’t legal advice, but rather a simple reference point to make life easier. This is meant as a quick pocket guide rather than an exhaustive ultimate guide to HIPAA.

Rule 1: retarget website visitors on standard business pages

Instead of patient portals, let’s look at the pages on your website that everyone can access if they have an internet connection.

This is where things get complex, because HIPAA covers some of those public pages but not all of them.

The ones you can retarget under normal circumstances with standard analytics tools like Google Analytics or the Facebook pixel are standard business pages: the homepage, the about-us page, or the locations page.

Here’s the clarification (highlights are my own):

“Regulated entities may also have unauthenticated webpages, which are webpages that do not require users to log in before they are able to access the webpage, such as a webpage with general information about the regulated entity like their location, services they provide, or their policies and procedures.

Tracking technologies on regulated entities’ unauthenticated webpages generally do not have access to individuals’ PHI; in this case, a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules.”

Things get murkier when we look at pages on our website that cover health information or specific services that could hint at a patient’s health condition.

That brings me to the next rule.

Rule 2: retarget website visitors on health-specific or booking pages

This is the least clear-cut rule for retargeting with typical digital marketing tools, and the one that causes the most head-scratching.

A visit to your service page doesn’t necessarily count as protected health information (PHI, which is what HIPAA protects), but I could see someone arguing for an exception in certain cases.

For example, a visit to a typical marketing landing page promoting a specific maternity exam or product does seem to fall under PHI.

HIPAA protects it because the visit suggests the user has a certain health condition (being pregnant), even if the user only looked at the page. That means you can’t track anything on it without HIPAA compliant tools. If you want to retarget based on that page, you’ll need written authorization first (which is impossible to get from a random website visitor; a GDPR-style cookie notice isn’t a HIPAA authorization).

The line isn’t clean: users browsing the website of a maternity-only clinic obviously have something in their life that relates to pregnancy, whereas that isn’t necessarily the case for visitors to a multi-specialty clinic. You’ll have to use your best judgment as I don’t know your specific situation.

HHS offers us the following example:

“Tracking technologies on a regulated entity’s unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances.

For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the regulated entity is disclosing PHI to the tracking technology vendor, and thus the HIPAA Rules apply.”

If you promote a registration/sign-up page (e.g. a “create an account” page) or a form for leaving contact details to book an appointment, the information entered there is PHI as well.

That holds even if it’s only contact information like a name and email address, because submitting it implies a future relationship between the clinic and that person.

Here’s the specific text from HHS and my highlights:

“[…] However, if the individual enters credential information on that login webpage or enters registration information (e.g., name, email address) on that registration page, such information is PHI. Therefore, if tracking technologies on a regulated entity’s patient portal login page or registration page collect an individual’s login information or registration information, that information is PHI and is protected by the HIPAA Rules.”
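Rules 1 and 2 boil down to a loading decision that a front-end developer has to make on every page: only load a non-BAA tracker (Facebook pixel, Google Analytics) on unauthenticated general-information pages, never behind a login or on condition-specific, doctor-search, booking, login or registration pages, and never hand the tracker a URL that carries a name or email in its query string. The following is an added example of that gate, not code from the original post or from HHS. The path lists, the “session=” cookie used as the logged-in marker, and the list of identifying query parameters are illustrative assumptions; which of your own pages belong in which list is the judgment call the post describes. Pages that are on neither list are denied by default.

```javascript
// Added example: gate third-party marketing pixels by page class (Rules 1 and 2).
// The path lists below are illustrative assumptions, not a legal classification.

// Unauthenticated general-information pages (Rule 1): location, services offered, policies.
const GENERAL_PAGES = ["/", "/about-us", "/locations", "/contact", "/careers"];

// Unauthenticated pages that HHS says "may have access to PHI" (Rule 2):
// condition-specific content, doctor search, booking, registration, login.
const PHI_PATH_PREFIXES = [
  "/conditions/", "/services/", "/find-a-doctor", "/book", "/register", "/login", "/portal",
];

// Query parameters that commonly carry identifiers into a tracker's page-URL field.
const IDENTIFYING_PARAMS = new Set(["email", "name", "phone", "mrn", "dob", "patient_id"]);

/**
 * Classify a page from its URL path and whether the visitor is logged in.
 * Returns "authenticated", "phi-adjacent", "general" or "unknown".
 */
function classifyPage(pathname, isAuthenticated) {
  if (isAuthenticated) return "authenticated";           // behind a login: always PHI
  const path = pathname.replace(/\/+$/, "") || "/";      // normalise a trailing slash
  const phiMatch = PHI_PATH_PREFIXES.some(
    (p) => path === p.replace(/\/$/, "") || path.startsWith(p)
  );
  if (phiMatch) return "phi-adjacent";
  if (GENERAL_PAGES.includes(path)) return "general";
  return "unknown";                                      // not on the allowlist: deny by default
}

/** Third-party (non-BAA) pixels may load only on general business pages. */
function mayLoadThirdPartyPixel(pathname, isAuthenticated) {
  return classifyPage(pathname, isAuthenticated) === "general";
}

/** Strip identifying query parameters and the fragment before a URL reaches any tracker. */
function scrubTrackingUrl(href) {
  const url = new URL(href);
  for (const key of [...url.searchParams.keys()]) {      // copy keys: we delete while iterating
    if (IDENTIFYING_PARAMS.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  url.hash = "";                                         // fragments can carry tokens too
  return url.toString();
}

/** The decision the page loader acts on: load the pixel, and with which URL. */
function trackingDecision(href, isAuthenticated) {
  const pageClass = classifyPage(new URL(href).pathname, isAuthenticated);
  return {
    pageClass,
    loadThirdPartyPixel: pageClass === "general",
    reportedUrl: pageClass === "general" ? scrubTrackingUrl(href) : null,
  };
}

// Browser wiring (a no-op outside a browser): inject the pixel only when allowed.
if (typeof document !== "undefined") {
  const loggedIn = document.cookie.includes("session=");   // assumed logged-in marker
  const decision = trackingDecision(window.location.href, loggedIn);
  if (decision.loadThirdPartyPixel) {
    const s = document.createElement("script");
    s.src = "https://connect.facebook.net/en_US/fbevents.js";  // Meta pixel loader script
    document.head.appendChild(s);
  }
}

if (typeof module !== "undefined") {
  module.exports = { classifyPage, mayLoadThirdPartyPixel, scrubTrackingUrl, trackingDecision };
}
```

The important design choice is the default: a page that is on neither list gets no pixel, so adding a new condition page without updating the classifier fails safe rather than leaking. The URL scrub is a second line of defence for pages that do get the pixel, since a share link or email campaign can put an address into the query string of an otherwise general page.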

Rule 3: retarget email newsletter subscribers 

Unless you have written authorization from your email subscribers to send them marketing material, this doesn’t fly with HIPAA.

Only with HIPAA compliant software might you be able to retarget email subscribers at all, and keep in mind that the retargeting platforms themselves, Facebook and Google, aren’t HIPAA compliant.

Rule 4: is retargeting leads who haven’t booked an appointment a HIPAA violation?

We’ve already looked at this one through one of the other rules, but I wanted to make a separate section to clarify as an easier reference point. 

Retargeting leads who have given you their contact information, but no health information and no completed booking, is not allowed without their written authorization.

They are protected under HIPAA as it’s assumed that they will have a future relationship with the clinic.

Here’s why (highlights are mine):

“All such IIHI [individually identifiable health information] collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. 

This is because, when a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care.”

HHS also explains that you’d need a signed business associate agreement (BAA) with the tracking vendor to do retargeting, which Google and Facebook aren’t willing to sign at the moment.

If a lead calls from an ad or from Google My Business (now Google Business Profile), you’ll have to treat them like any other existing patient.

If affiliate partners offer you leads, they’ll need a signed agreement and all those leads count as existing patients as well.

Rule 5: cold lead generation campaigns

Healthcare lead generation campaigns are a popular way to drive patient acquisition. Let’s see how HIPAA and digital marketing works here.

Imagine targeting a cold audience using keywords like “pediatric doctor near me”, interest-targeting, or demographics on social media.


As soon as they reach the landing page, you’re best off tracking them only with HIPAA compliant tools, to be on the safe side.

When it comes to the content of the ad itself, you’ll have to avoid reviews and case studies of patients unless you have written authorization.

Most digital ad platforms also have their own policies against ads that assert or imply knowledge of a user’s health condition, so you can’t run an ad that asks “do you have breast cancer?” in any case.

Rule 6: can you use Facebook lookalike audiences?

Whether you can use lookalike audiences depends.

A Facebook lookalike audience needs a seed audience, and you can build that seed from visitors to the generic pages on your website (homepage, locations page, etc.).

For seed audiences based on pages that tend to be seen as capturing personal health information, like booking pages, you’ll need to use HIPAA compliant tracking software to protect the data from Facebook.

Rule 7: can you create a funnel leading to joining an email newsletter?

If you’ve ever received spam emails that didn’t hit your spam folder, you know how annoying it can be. The annoyance goes up a notch if you find that they don’t stop and there’s no way to get rid of it.

HIPAA affects digital marketing here too. Marketing emails to patients count as marketing communications, meaning you’ll need written authorization, along with an easy way to opt out, before you can email them.

It’s impossible to get written authorization from random fly-by website visitors; a GDPR-style cookie notice isn’t a HIPAA authorization.

You could get written authorization from existing patients and then create a funnel, but I don’t see the point from a marketing perspective (it would be easier to just email them if you have written authorization already).

What HIPAA counts as a marketing communication is complex. It separates marketing from the communications a provider needs to send about a patient’s care, and then carves out a few exceptions.

For example:

“This exception to the marketing definition permits communications by a covered entity about its own products or services. For example, under this exception, it is not “marketing” when:

A hospital uses its patient list to announce the arrival of a new specialty group (e.g., orthopedic) or the acquisition of new equipment (e.g., x-ray machine or magnetic resonance image machine) through a general mailing or publication.”

Rule 8: patient case studies and reviews in your content

Whether for your ads or website, if you’re considering using patient reviews or case studies in your marketing material, you’ll need written authorization for that too.

To sum up:

  • The two big items in HIPAA and digital marketing are protecting protected health information with compliant tools and getting written authorization before sending marketing material to existing patients and leads
  • Retargeting campaigns on Facebook and Google are not allowed in most cases, as neither platform is HIPAA compliant

By Aske
