Frank Olivo

Frank Olivo is the founder of Sagapixel. He writes on a number of topics related to digital marketing, but focuses mostly on SEO.

Run HIPAA-Compliant Facebook Ads Without Tanking Performance


If you’re running Facebook ads for a healthcare organization, there’s a good chance that you’re violating HIPAA and you don’t even know it.

For years, many doctors and healthcare administrators have operated under the misconception that high-level tracking data—like an IP address or a website visit—doesn’t constitute Protected Health Information (PHI).

They are wrong.

The regulatory landscape shifted dramatically with the December 2022 HHS/OCR Bulletin.

This guidance explicitly clarified that when a “regulated entity” (like a hospital or clinic) uses tracking technologies like the Meta Pixel, the information collected is often PHI if it connects an individual to the entity’s services.

Essentially, if a user’s IP address is captured while they are browsing a page about a specific condition, the government now views that as a disclosure of their intent to seek care for that condition.

The consequences aren’t just theoretical; we’ve seen massive settlements, such as the $6.6 million paid by Novant Health and $12.25 million by Advocate Aurora Health, specifically over the use of tracking pixels.

In this article, I’m going to share some tips for taking the first steps towards running Meta ads that are HIPAA compliant without making your performance completely tank.

Step 1: The Non-Negotiable Rule

Step number one: there is one non-negotiable rule.

Meta can never receive PHI.

Do not upload your patient lists to Meta’s back end or into Facebook Ads Manager.

Step 2: Remove the Meta Pixel from Sensitive Pages

For step two, remove the Meta Pixel from sensitive pages.

Because the Meta Pixel automatically sends page views, URLs, and metadata about those pages back to Facebook, Meta could, if it wanted to, tie a specific user back to seeking information about, and potentially having, a specific condition.

So just to use a very sensitive topic, let’s say you run an STD clinic and you have a URL for chlamydia treatment in Chicago.

When Mary Smith visits that page because she’s interested in scheduling an appointment, sending that URL back to Meta constitutes a HIPAA violation.

So if you do decide to ignore my advice and install the Meta Pixel on your website, don’t fire it on your appointment pages, your patient portals, your intake or medical forms, any care-related thank-you pages, or frankly, any condition- or treatment-specific pages.

Which means: don’t install it in the header or the footer.

And if you do, default to not firing it, and explicitly define the pages it is allowed to fire on.
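The “default to not firing it” rule from this step, written out as an added example (this is not Sagapixel’s code or Meta’s pixel snippet): the pixel is loaded only when the current path is on an explicit allowlist, so appointment, portal, form and condition-specific pages never load it at all. `PIXEL_ID` is a placeholder, the allowlisted paths are constructed for a hypothetical clinic site, and `installPixel` (which would run Meta’s base snippet) and `fbq` are injected callbacks so the gate can be exercised outside a browser.

```javascript
// Added example, not code from the original article or from Meta.
// Loads the Meta Pixel only on an explicit allowlist of paths; every other
// page, including anything condition- or appointment-specific, gets nothing.

const PIXEL_ID = "REPLACE_WITH_PIXEL_ID"; // placeholder, not a real pixel ID

// Default deny: only these exact paths may fire the pixel. Note that "/blog"
// is allowed but individual posts under "/blog/..." are not, since a post
// about a specific condition would reveal what the visitor was reading.
const PIXEL_ALLOWED_PATHS = ["/", "/about", "/contact", "/locations", "/blog"];

function normalizePath(href) {
  // Compare the path only; query string and fragment never influence the
  // decision (and are never sent anywhere by this gate).
  const u = new URL(href, "https://site.example");
  return u.pathname.replace(/\/+$/, "") || "/";
}

function isPixelAllowed(href, allowlist = PIXEL_ALLOWED_PATHS) {
  return allowlist.includes(normalizePath(href));
}

// Returns true if the pixel was installed and a PageView sent, false if the
// page was outside the allowlist and nothing at all was loaded.
function firePixelIfAllowed(href, { installPixel, fbq }, allowlist = PIXEL_ALLOWED_PATHS) {
  if (!isPixelAllowed(href, allowlist)) return false;
  installPixel(); // caller supplies Meta's base snippet (defines fbq, loads fbevents.js)
  // Disable automatic configuration so the pixel does not auto-detect button
  // clicks or collect extra page metadata beyond what is sent explicitly.
  fbq("set", "autoConfig", false, PIXEL_ID);
  fbq("init", PIXEL_ID);
  fbq("track", "PageView");
  return true;
}

// Browser usage (hypothetical): replace the unconditional init/track calls in
// the base snippet with
//   firePixelIfAllowed(location.href, {
//     installPixel: () => { /* Meta base snippet here */ },
//     fbq: (...args) => window.fbq(...args),
//   });
```

Because the decision is made before anything from Meta is loaded, a page outside the allowlist produces no request to Facebook at all, which is the property Step 2 is after; a pixel installed site-wide and merely told not to fire events would still load the script on every page.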

Step 3: Stop Sending Sensitive Information Through Events and URLs

Step three: stop sending sensitive information through your events and your URLs.

Even with the pixel removed from sensitive pages, PHI can still leak through event names, like “start therapy intake,” and through URLs or parameters that include words related to conditions, provider names, or appointment types.

Strip all query parameters and use generic names like “lead” or “contact,” and don’t pass any page titles back to Meta either.

Step 4: Use Server-Side Tracking with a HIPAA-Compliant Intermediary

Step four: use server-side tracking with a HIPAA-compliant intermediary.

Meta will not sign a BAA.

Google Ads won’t sign a BAA.

But Google Cloud will.

Which means instead of sending data straight from your website over to Meta, you can send it through Google Cloud and clean it.

You can control what Meta receives.

Anything resembling PHI can be filtered or erased entirely.

Free text fields can be blocked, and accidental leaks are going to be far less likely.

Using Intermediary Tools for Data Governance

When it comes to server-side tracking, many organizations are now turning to specialized intermediary tools or Customer Data Platforms (CDPs) that are built specifically for healthcare.

Platforms like Freshpaint or Snowflake act as a “governance layer” between your website and your advertising platforms.

Because these vendors will sign a Business Associate Agreement (BAA), they can legally receive your raw data.

They then allow you to “scrub” that data—removing IP addresses, specific URLs, or form details—before passing a generic, anonymized conversion signal to Meta.

This allows you to maintain your marketing feedback loop without ever letting PHI leave a HIPAA-compliant environment.

Step 5: Configure Your Conversions API (CAPI)

All right, step five.

This is the big part.

You’re going to configure your Conversions API without compromising PHI.

Mind you, Meta won’t be able to optimize delivery toward people on the platform who look like the people who have visited your website, but at least it will know which ads and which creative are actually driving outcomes from your campaign.

Start with a strict whitelist: only send the bare minimum that Meta needs.

Send fields like lead event times.

Again, don’t send any information about a diagnosis or treatment, appointment IDs, inpatient information, or page titles or URLs that have conditions in them.

Next, create a denial list of pages that should never be sent back to Meta: appointment or booking URLs, patient portals, and condition-specific paths.

Query parameters are not getting sent back, which means the event source URL is not getting sent back either.

This is actually the most common PHI leak point.

Next, use generic event semantics.

“Contact,” like I said earlier, is fine.

Not fine: “scheduled appointment,” “consult requests,” or “intake started.”

These events tell Meta that this visitor booked an appointment.

Next, do not send free text fields: message fields, symptoms, or reasons for visit.

None of this should get sent back to Meta.

Visibility and Maintenance

Finally, you’re going to need visibility.

Log outbound CAPI payloads securely.

Review samples regularly, and retest all of this every time you change the website, add new forms, launch a new campaign, or touch anything in Tag Manager.

And at the end of the day, Meta should only receive high-level non-identifiable conversion data.

So, sending information back about generic leads is okay.

Non-medical page views are also okay.

Aggregated campaign performance is okay.
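The Step 5 rules (strict field whitelist, page denial list, no query parameters or event source URL, generic event semantics, no free text) and the logging asked for under “Visibility and Maintenance,” combined into one server-side scrubber as an added example. This is not Sagapixel’s code and not a Freshpaint, Snowflake or Meta API; it models the intermediary that sits between the website and the Conversions API. The denied path prefixes, the event-name mapping, the field allowlists and the three sample events are all constructed for a hypothetical clinic site; `event_name`, `event_time`, `event_id`, `action_source`, `event_source_url` and `user_data` are Conversions API field names.

```javascript
// Added example, not code from the original article or from any vendor.
// A server-side scrubber applying Step 5's allowlist / denylist rules and
// returning a loggable decision record for every inbound event.

// Denial list: events originating on these paths never reach Meta.
const DENIED_PATH_PREFIXES = [
  "/appointments", "/book", "/portal", "/intake", "/forms",
  "/conditions", "/treatments", "/thank-you",
];

// Generic event semantics. Site-specific names are rewritten to "Lead" or
// "Contact"; anything not listed is dropped rather than forwarded.
const EVENT_NAME_MAP = {
  Lead: "Lead",
  Contact: "Contact",
  PageView: "PageView",
  ContactFormSubmitted: "Contact",
  NewsletterSignup: "Lead",
};

// Top-level fields that may be forwarded. event_source_url is deliberately
// absent: page URLs and their query strings are the most common leak point.
const ALLOWED_EVENT_FIELDS = ["event_name", "event_time", "event_id", "action_source"];

// user_data keys that may be forwarded (constructed policy): IP address,
// hashed email/phone and browser cookies are all dropped.
const ALLOWED_USER_DATA = ["client_user_agent"];

function pathOf(url) {
  try {
    // Only the path is used, and only to apply the denial list; the query
    // string and fragment are discarded here and never forwarded.
    return new URL(url).pathname.replace(/\/+$/, "") || "/";
  } catch (e) {
    return null; // missing or unparseable URL
  }
}

function isDeniedPath(path) {
  return DENIED_PATH_PREFIXES.some((p) => path === p || path.startsWith(p + "/"));
}

function pick(obj, keys) {
  const out = {};
  for (const k of keys) if (obj && obj[k] !== undefined) out[k] = obj[k];
  return out;
}

// Returns { decision, reason, payload }; payload is null when dropped.
function scrubEvent(raw) {
  const path = pathOf(raw.event_source_url || "");
  if (path === null) return { decision: "drop", reason: "unparseable event_source_url", payload: null };
  if (isDeniedPath(path)) return { decision: "drop", reason: "denied path " + path, payload: null };
  const genericName = EVENT_NAME_MAP[raw.event_name];
  if (!genericName) return { decision: "drop", reason: "unmapped event " + raw.event_name, payload: null };
  const payload = pick(raw, ALLOWED_EVENT_FIELDS);
  payload.event_name = genericName;
  payload.user_data = pick(raw.user_data, ALLOWED_USER_DATA);
  // custom_data (message fields, symptoms, reason for visit) is never copied.
  return { decision: "send", reason: "allowlisted", payload };
}

// Scrubs a batch; `outbound` is what would go to Meta, `audit` is the
// per-event decision record to log and review (no URLs or free text in it).
function scrubBatch(events) {
  const audit = events.map((e) => ({ event_id: e.event_id, ...scrubEvent(e) }));
  return {
    outbound: audit.filter((a) => a.decision === "send").map((a) => a.payload),
    audit: audit.map(({ event_id, decision, reason }) => ({ event_id, decision, reason })),
  };
}

// Constructed sample events, as a site might emit them before scrubbing.
const SAMPLE_EVENTS = [
  { event_name: "ContactFormSubmitted", event_time: 1700000000, event_id: "evt-1", action_source: "website",
    event_source_url: "https://clinic.example/contact?utm_source=fb&condition=chlamydia",
    user_data: { client_ip_address: "203.0.113.5", client_user_agent: "Mozilla/5.0", em: "hashed-email" },
    custom_data: { message: "free text typed by the visitor" } },
  { event_name: "Lead", event_time: 1700000100, event_id: "evt-2", action_source: "website",
    event_source_url: "https://clinic.example/appointments/book?provider=smith",
    user_data: { client_ip_address: "203.0.113.6" } },
  { event_name: "IntakeStarted", event_time: 1700000200, event_id: "evt-3", action_source: "website",
    event_source_url: "https://clinic.example/blog/office-hours",
    user_data: { client_user_agent: "Mozilla/5.0" } },
];
```

Of the three constructed events, only the first survives: it is renamed to the generic “Contact,” loses its URL, query string, IP address, hashed email and free-text message, and keeps just the event time, ID, action source and user agent. The booking-page event is dropped by the denial list, and the intake event is dropped because its name was never mapped to a generic one. The audit record is what you log and sample during the regular reviews, and it is what you rerun against a fresh capture after every site or Tag Manager change.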

Audiences and Targeting Precautions

But I would also add that you should avoid any sort of retargeting, any sort of condition-based audiences, and any sort of lookalikes built from sensitive seed audiences.

I’d even add that on-platform targeting, such as building an audience of people who watched a specific Instagram Reel you posted and delivering further ads to them, is not a HIPAA violation, but if you are a high-profile target, in many cases you are painting a bullseye on your back.

Even though that isn’t a violation, you could end up with lawyers digging around looking for something else you may have gotten wrong.

Something silly, like a YouTube video embedded in a blog post, that would have flown under the radar had it not been for targeting you did on the platform that wasn’t a HIPAA violation to begin with.

The Strategy Shift

So now that your tracking is going to be a lot more limited, your strategy matters more.

You can’t rely on the AI to do all your work for you.

That means you’re going to have to lean into broader audience targeting.

You’re going to have to lean into messaging and creative that calls out the people you want the platform to put you in front of, and you’ll probably have to adjust your attribution expectations.

You’re going to generate a lot of leads and drive a lot of revenue that you won’t necessarily be able to tie back to your Meta ads campaigns.

Welcome to the modern age of digital marketing.
