HIPAA’s Impact On Programmatic Advertising

How can advertisers successfully execute medically sensitive programmatic campaigns without violating HIPAA? Medically sensitive campaigns can be a huge pain point for digital marketers, who can find themselves coming back to the same question: “How can I target a relevant audience of users without violating HIPAA while still achieving my client’s goals?” For those of you who may be unaware of what HIPAA is, we’ll go into some background.

HIPAA, the Health Insurance Portability and Accountability Act, is a law that was put in place back in 1996 by President Clinton. The law has several layers to what it does for U.S. citizens. Originally it was created so workers could carry forward insurance and healthcare rights between jobs, but the law has expanded into much more. According to the HIPAA Journal, “the Act has since expanded into an act of legislation that also governs health insurance fraud and tax provisions for medical savings accounts, and ensures acceptance of workers with pre-existing conditions into occupational healthcare insurance schemes. Primarily, however, HIPAA concerns the privacy and security of patient health information. In a lot of ways the implementation of HIPAA regulated a lot of aspects in the medical industry to make the entire health care system more regulated and easily accessible for not only health care providers but also for people to access their own medical records and who else has access to their protected health data.” According to HIPAA, the following information is considered protected:

  • Names (or parts of names)
  • Any Unique Identifying Characteristic
  • Geographical Identifiers
  • Dates Directly Related To An Individual
  • Phone Numbers
  • Fax Numbers
  • Email Addresses
  • Social Security Numbers
  • Medical Record Numbers
  • Health Insurance Beneficiary Numbers
  • Account Numbers
  • Certificate or License Numbers
  • Vehicle License Plate Numbers
  • Device Identifiers or Serial Numbers
  • Web URLs
  • IP Addresses
  • Fingerprints, Retinal or Voice Prints
  • Full Face or Comparable Photographic Images

But how does HIPAA affect digital marketing, and how are the two directly related? According to the U.S. Department of Health & Human Services:

“The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.” This definition of marketing has certain exceptions, as discussed below. Examples of “marketing” communications requiring prior authorization are:

  • A communication from the hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.
  • A communication from a health insurer promoting a home and casualty insurance product offered by the same company.”

How does HIPAA affect digital marketers and potential advertisers?

For marketers, understanding HIPAA and the strict regulations that go into executing these campaigns is a key factor in running a successful medical campaign. Since what counts as HIPAA compliant is evolving constantly, marketers need to stay aware of what is and is not permitted. Violating HIPAA and a user’s privacy rights can come at a high cost to digital marketing agencies, so it’s important that digital marketers themselves know where the line is.

According to SmartBug, 89% of consumers turn to search engines when they’re looking to answer questions about their healthcare. So when it comes to programmatic targeting, serving the right ad to the right user at the right time could be a life saver for consumers.

So how can marketers leverage this information in a productive way for their clients? HIPAA mandates that marketers cannot use first-party data like cookie-based data, CRM data, and website analytics to link individuals to medical conditions. Forms of retargeting that link users to their conditions also violate HIPAA regulations. According to eMarketer, health marketers are lagging inordinately in adopting programmatic compared with their peers in other industry categories. Indeed, programmatic penetration is 4X as high across other U.S. sectors, accounting for 19% of healthcare digital advertising budgets versus 80% elsewhere. Health-related marketers have been slow to adopt programmatic into their digital marketing strategy mainly due to uncertainty surrounding the correct way to implement programmatic without violating HIPAA; however, violating HIPAA can definitely be prevented.

Through programmatic campaigns, online publishers are permitted to collect data related to a consumer’s interest in specific conditions or symptoms based on their consumption of related content. Using that data, publishers can create segments of users interested in certain conditions and make those anonymous audiences available to pharma companies through programmatic pipelines. It’s even possible to extend that targeting across devices: once a publisher zeroes in on a user’s interest and links the user to an email address, that user’s identity, which was private until then, can also be extended to a mobile device. So, for example, if a drug manufacturer wants to target people who have diabetes, a publisher can create a segment of site visitors who have shown interest in this topic by reading related content like testing blood sugar. The publisher can then make that segment available to advertisers through a programmatic pipeline for targeting via display, video or mobile advertising. To show how programmatic digital marketers can achieve their clients’ overall goals on a tactical level, we will now go through some heavily utilized tactics in the programmatic space and how each can be implemented in a programmatic campaign while still complying with HIPAA regulations.

Breaking Down Programmatic Tactics

  • Search / Contextual Targeting

Search Retargeting is a go-to tactic across several verticals and many programmatic campaigns, but what does it do specifically?

  • Search Retargeting monitors a user’s web behavior and targets these users by segmenting them based on that behavior, like pages visited, searches performed, products purchased, and links clicked.
  • This tactic also allows us to implement contextual targeting. This type of targeting looks at the category or keywords of the page a consumer is currently viewing and then serves them ads that are highly relevant to that content.

When advertisers want to utilize the Search Retargeting aspect specifically, marketers are able to run certain keywords at a specific recency. Setting a recency on these keywords allows marketers either to target a user only in the instant they are performing a search, or to retarget that user for a selected amount of time: 5 minutes, 10 minutes, 15 minutes, 30 minutes, 1 hour, 1 week, 2 weeks, or even 1 month. Recency allows the campaign to stay extremely relevant at all times. For example, if an advertiser wants to run a campaign to promote the opening of a new urgent care facility and wants to target users who are searching for content like skin rash, sprained ankle, or cold symptoms, we know that these users have an immediate need: something happened to them and they are performing a search to see what next steps need to be taken. We wouldn’t want to target these users for a full 30 days, because if someone has a skin rash, cold, or sprained ankle, it’s highly likely that this user is not going to wait a month to get their ankle fixed. We want to target these users at a lower recency so the campaign can remain highly targeted by reaching users who are searching for an immediate need. For a scenario like this, we would ideally want to target these users for about a week, so we deliver the campaign’s ads and then continue targeting new users who are searching for these more immediate types of keywords. Users who were originally in the pool would be targeted for the amount of time the recency was set for, in this example 1 week, and would then be removed from the pool and only be served another ad if they performed another search from the campaign’s keyword list.
Search retargeting can be utilized in medically sensitive campaigns IF these keywords are set at an instant recency, meaning the user can only be served an ad at the exact time of their search and not afterwards while they are performing other searches. HIPAA regulations will be violated if these keywords are set to retarget users. The actual content of the creative plays a huge role in this as well, but we’ll get into that a little later on.

  • Geo-Fencing

Now diving into another heavily utilized programmatic tactic, geo-fencing. This technology allows programmatic marketers to draw a digital fence around a specific location and retarget users with ads after they have visited that geo-fenced location. There are specific regulations on where marketers are allowed to geo-fence within HIPAA-compliant campaigns, and the tactic again needs to be set to a specific recency. Geo-fencing can be a tricky tactic for programmatic campaigns in the medical industry: targeting users in the instant they are inside a geo-fenced location may not violate HIPAA, but tracking these users after they’ve left the geo-fenced location can invade their privacy rights by retargeting them with unwanted ads. Again, the recency of targeting these potential users plays a huge role in whether or not your campaign is HIPAA compliant.

The following is a quote from MedCity News about geo-fencing and HIPAA compliance, “Since geofencing ads are broadly targeted and do not rely upon personal information currently held by an entity, HIPAA probably does not get invoked. HIPAA protects the privacy of protected health information in the hands of a healthcare provider, health plan or clearinghouse. PHI is information that relates to the past, present or future healthcare, services or payment for an individual. As already discussed, geofencing does not need to touch any of that information. Instead, geofencing establishes a perimeter-based upon predetermined requirements that sits waiting for anyone to enter the particular area. The healthcare entity does not need to know anything about an individual. The healthcare entity only needs to know that a person goes to a certain location that triggers the geofenced action. Given the circumstances, HIPAA will not apply to the establishment of the fence. However, information collected as a result of an individual responding to the targeting from geofencing or information otherwise provided to the healthcare entity could result in a different analysis.”

According to the HIPAA Guide, “NPR mentioned a case where Copley Advertising set up geofences in reproductive health centers and methadone clinics. Ads like ‘Pregnancy Help’ and ‘You Are Not Alone’ were sent to women who visited the facilities. In that case the clients were adoption agencies and Christian pregnancy counseling services. Maura Healey, the Massachusetts’ attorney general, pursued a case against the advertising agency for violating state consumer protection laws. Copley was prohibited from using geofencing technology in the state of Massachusetts or in healthcare facilities to infer medical conditions or health status of people.”

This all really circles back to the actual creatives the digital marketing campaign is running. If you set the recency of your geo-fencing to target users only while they are inside the geo-fence, and your creatives are strictly branding material that does not try to sell users a specific product or implicate a specific condition or treatment, your campaign will remain HIPAA compliant. Where marketers can find themselves in trouble is when they retarget users after those users have left the fence; they are then tracking and serving unwanted ads to consumers, which violates their privacy rights. On the other side of this, if you geo-fence a medically sensitive location like a cancer center and target users only in the instant they are inside the geo-fence, but your creative and messaging imply that these users have a specific disease in order to promote alternate treatment opportunities, you are still violating the user’s privacy, because you are encouraging that user to get alternate treatment from your business.

  • Site Retargeting

Continuing on this tactical trend, we’ll discuss retargeting capabilities through programmatic campaigns while staying HIPAA compliant. Site Retargeting, or remarketing, is one of the most utilized tactics in the programmatic space, since it serves ads to users who have already engaged with your site and are familiar with your brand. Retargeting is one of those tactics that is harder to utilize within a medically sensitive programmatic campaign, since it retargets users who have been to a site, which exposes a user’s private information.

Let’s use an example. A woman is in pain, experiencing cramps and bloating. She searches for ovarian cyst on Google and your practice’s condition page comes up. She clicks, reads it, leaves the website and gets up from her computer. Then her husband sits down and he’s served up a Google Ad about getting her ovarian cyst pain diagnosed with a pelvic ultrasound from your medical practice.

What you’ve done is basically disclosed protected health information about a medical condition (one that necessitates an ultrasound) to an unauthorized third party. You have no control over, and no way of knowing, who is using a given browser when you add that cookie and retarget your ad. This is a clear violation of HIPAA and an invasion of a user’s privacy. In order to utilize retargeting while staying HIPAA compliant, you have to do it in a generic fashion. You can’t advertise a particular treatment or any specific condition. The safest way is to send the people who click on the ad to your home page or a nonspecific landing page. Again, it all seems to come back to the creative the campaign is utilizing. The ads used in the campaign cannot imply any knowledge that a user has a specific medical condition. As long as these ads are generic and users are sent to a nonspecific page, your campaign will remain HIPAA compliant. Site retargeting can be a very powerful tactic to utilize in a campaign; as mentioned, it targets users who are already familiar with your brand, so it’s a great way to reach relevant users. When it comes to deciding which pages you want to retarget people from, use the pages of your site that are conversion oriented.

  • Whitelisting

Whitelisting, or contextual targeting, is a tactic marketers use to create a list of ad-servable domains they want a specific campaign to serve on, and then serve the campaign’s ads to users within a specific geography whenever they visit a website on that campaign’s whitelist. This is a great tactic for medically sensitive campaigns to utilize, because there is no targeting of a specific user. The only targeted aspect of this tactic is the set of websites the marketer wants the campaign’s ads to be served on, which does not violate any HIPAA or privacy regulations. Contextual targeting can also play an influential role in a programmatic campaign, since it gives marketers the ability to reach users who are reading related content on a website without those users having searched for that term. This makes it a foolproof way to target potential consumers without violating their privacy, since you’re not targeting users through their exact internal search habits.

To give an example, if you’re executing a campaign for an OBGYN and the advertiser wants to use whitelisting as a tactic, you’re able to use sites like WebMD, Women’s Health, Women’s Day, and Everyday Health, and target users within your campaign’s geo-target with your campaign’s ads regardless of whether they performed a specific search or not. This is a great tactic to use in medically sensitive campaigns because you can stay relevant by using websites that potential users are likely to visit, without violating any HIPAA or privacy rights.

  • Creative & Messaging

As addressed in the tactical breakdown of this paper, creative and overall messaging is a huge part of whether your campaign is HIPAA compliant or not. It’s important to put thought into what you want users to take away from your ads while still maintaining a generic fashion, since the creative cannot imply that a user has a specific condition. As outlined in the tactical breakdown, keeping creatives generic has been the main differentiator in whether or not a campaign is invading users’ privacy rights. When it comes to more targeted tactics like search targeting, geo-fencing, and retargeting, it’s best to err on the side of caution and keep these creatives generic so your campaigns remain HIPAA compliant. When it comes to the broader tactics like geo-targeting and whitelisting, you’re able to get more creative and specific with the messaging of your creatives. We didn’t get into a specific breakdown of what geo-targeting is, but in simple terms, geo-targeting is a way to reach any and all users within a specific geography and target those users with ads. Nothing about this tactic is targeted other than the geography it covers, so we have room to be more specific here in the overall creative messaging. As we’ve mentioned with whitelisting, this tactic is a workaround for a lot of marketers in regards to HIPAA, because we’re not targeting a specific user; we’re just serving ads on relevant sites regardless of the user.

Keeping your creatives generic doesn’t mean you’re not able to get your message across to the right consumers. When it comes to programmatic specifically, programmatic digital marketing is top-of-funnel branding. These campaigns are not meant to be lead generating; they are meant to reach users in a certain geography and increase awareness for the products or services that advertisers want to market! In the medical industry, it’s important to be transparent with your potential clients, informing them about the types of capabilities you’re able to execute successfully while remaining compliant, while also making them aware of the capabilities they really wouldn’t be able to utilize based on their creative. It’s then our job as digital marketing experts to provide the client with alternate ways to achieve their goals, using tactics in a way that does not violate HIPAA, with overall recommendations on their targeting and messaging so they can use all tactics in a HIPAA compliant way.
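The rules from the tactical breakdown above (instant recency for condition keywords and geo-fences, generic creative for every targeted tactic, a nonspecific landing page for site retargeting, no user-level restrictions for whitelisting and geo-targeting) can be turned into a pre-flight check that a trafficker runs over line items before launch. The script below is an added example, not code from the original article or from any DSP: the `LineItem` schema, its field names, the recency labels, and the sample campaign are all assumptions constructed for illustration.

```python
"""Pre-flight review of programmatic line items against the HIPAA guidance
summarised in this article.  Added example; the schema and rule wording are
assumptions, not any DSP's real API."""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Tactic(Enum):
    SEARCH_RETARGETING = "search_retargeting"
    GEO_FENCING = "geo_fencing"
    SITE_RETARGETING = "site_retargeting"
    WHITELISTING = "whitelisting"
    GEO_TARGETING = "geo_targeting"


@dataclass
class LineItem:
    """One line item of a campaign (hypothetical schema)."""
    name: str
    tactic: Tactic
    recency: str = "instant"          # "instant", "5m", "1h", "1w", "30d"
    creative_generic: bool = True     # ads do not imply a condition or treatment
    landing_nonspecific: bool = True  # clicks go to the home page or a nonspecific page
    condition_keywords: bool = False  # search keywords name a condition or treatment
    sensitive_location: bool = False  # fence drawn around a clinic, cancer center, etc.


# (severity, message); severity is "violation" or "advisory"
Finding = Tuple[str, str]

_UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}


def recency_seconds(recency: str) -> int:
    """Convert a recency label such as "1w" into seconds; "instant" is 0."""
    if recency == "instant":
        return 0
    match = re.fullmatch(r"(\d+)([mhdw])", recency)
    if not match:
        raise ValueError(f"unrecognised recency label: {recency!r}")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2)]


def review(item: LineItem) -> List[Finding]:
    """Return the findings for one line item; an empty list means it passes."""
    findings: List[Finding] = []
    window = recency_seconds(item.recency)

    # Whitelisting and geo-targeting do no user-level targeting, so the
    # creative may be specific and no recency rule applies.
    if item.tactic in (Tactic.WHITELISTING, Tactic.GEO_TARGETING):
        return findings

    # Every targeted tactic hinges on generic creative.
    if not item.creative_generic:
        findings.append(("violation", "creative implies a condition or treatment"))

    if item.tactic == Tactic.SEARCH_RETARGETING:
        if item.condition_keywords and window > 0:
            findings.append(("violation", "condition/treatment keywords must run at instant recency"))
        elif not item.condition_keywords and window > 30 * 86400:
            findings.append(("advisory", "retargeting window exceeds the standard 30 days"))
    elif item.tactic == Tactic.GEO_FENCING:
        if window > 0:
            findings.append(("violation", "users are tracked after leaving the geo-fence"))
        if item.sensitive_location and not item.creative_generic:
            findings.append(("violation", "ad served at a medical location implies a diagnosis"))
    elif item.tactic == Tactic.SITE_RETARGETING:
        if not item.landing_nonspecific:
            findings.append(("violation", "landing page must be the home page or a nonspecific page"))
    return findings


def is_compliant(item: LineItem) -> bool:
    """True when the line item carries no violation (advisories are allowed)."""
    return not any(severity == "violation" for severity, _ in review(item))


def review_campaign(items: List[LineItem]) -> Dict[str, List[Finding]]:
    return {item.name: review(item) for item in items}


# Constructed sample campaign for a hypothetical cancer-center client:
# a weak geo-fence line item next to its corrected version, plus the other tactics.
SAMPLE_CAMPAIGN = [
    LineItem("fence-competitors-weak", Tactic.GEO_FENCING, recency="30d",
             creative_generic=False, sensitive_location=True),
    LineItem("fence-competitors-fixed", Tactic.GEO_FENCING, recency="instant",
             creative_generic=True, sensitive_location=True),
    LineItem("search-radiation", Tactic.SEARCH_RETARGETING, recency="1w",
             condition_keywords=True),
    LineItem("site-retarget", Tactic.SITE_RETARGETING, recency="30d",
             landing_nonspecific=False),
    LineItem("whitelist-health-sites", Tactic.WHITELISTING, creative_generic=False),
]

if __name__ == "__main__":
    for name, findings in review_campaign(SAMPLE_CAMPAIGN).items():
        print(("OK   " if not any(s == "violation" for s, _ in findings) else "FAIL ") + name)
        for severity, message in findings:
            print(f"      {severity}: {message}")
```

Running the script lists each line item with its findings; the weak geo-fence fails on three counts (specific creative, tracking after the fence, and a diagnosis implied at a medical location) while its instant-recency, generic-creative twin passes. The 30-day search-retargeting rule is reported as an advisory rather than a violation because the article presents it as a performance recommendation, not a compliance requirement.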

Final Thoughts & Takeaways

Knowing how to navigate HIPAA and a user’s overall privacy rights can be a very frustrating and confusing aspect of executing medically sensitive programmatic marketing campaigns. It’s important to understand that HIPAA and privacy rights are constantly evolving, and what is allowed today may not be allowed in the upcoming years. Digital marketers need to stay informed and up to date on new HIPAA regulations and privacy laws. As previously mentioned, there are a few workarounds that allow medically sensitive campaigns to target relevant users without violating a user’s privacy, but they can really only be done successfully through a few tactics.

Search/Contextual Targeting can be utilized, but carefully. The key takeaway for this tactic is that it is imperative to set your keyword recency to instant (if the keywords are related to a specific treatment or condition) to ensure that a user will not be retargeted with your campaign’s ads after performing a search; retargeting users based on their exact search habits is an invasion of their privacy rights! If your campaign is utilizing keywords that aren’t attributed to a specific treatment or condition (like a sprained ankle), you’re able to retarget these users, but for optimal results it’s best to keep this retargeting at a shorter recency than the standard 30 days.

Geo-Fencing, as outlined, is also a great way to reach potential consumers; however, this tactic has to be carefully utilized in medically sensitive programmatic campaigns to ensure you are not invading a user’s private information. A key factor in keeping your geo-fencing tactic HIPAA compliant is making sure your creative and messaging remain generic and that you are targeting users only while they are inside the geo-fence. Once a campaign tracks a user’s location after they’ve left the geo-fence, you are violating that user’s privacy and violating HIPAA! If you are targeting users in a geo-fence and serving them an ad that would indicate they have a specific condition or should receive a specific treatment, you are violating a user’s privacy! If you have a client that runs a medically sensitive campaign, it may be best to think of alternate geo-fencing locations other than specific medical offices. For example, if you have a client that runs a weight loss clinic and you want to err on the side of caution and not geo-fence other weight loss clinics, try geo-fencing gyms or nutrition stores; this will keep the targeting relevant while avoiding any run-ins with the law at all!

Site Retargeting is another tactic that will probably be one of the more difficult to execute successfully without violating HIPAA, but it can be done! It is imperative that the ads you retarget a user with are not specific to a treatment or condition. If you are retargeting people with generic ads and sending them to a non-specific page (not something that would infer they have a specific condition or need a specific treatment), you are staying HIPAA compliant. Site Retargeting and Geo-Fencing are probably the two tactics that digital marketers should steer clear of when it comes to medically sensitive campaigns, since these two are probably the easiest ways to violate a user’s privacy if not done properly. The way you are able to utilize these tactics while remaining HIPAA compliant takes away the more targeted aspect that usually draws advertisers to them.

Whitelisting and Geo-Targeting can be two of the most powerful tactics to utilize within a medically sensitive programmatic campaign, and they truly have no way of violating HIPAA or the Privacy Rule, since there is no real user targeting aspect to them. Whitelisting allows digital marketers to target specific ad-servable sites that users would be likely to visit based on the nature of the campaign. Since there is no retargeting or exact search pattern associated with this tactic, it is a foolproof way to target users without violating HIPAA. Geo-Targeting also allows marketers to serve ads to users in a certain geography without targeting a user based on search habits or locations they’ve visited. While neither of these tactics will violate HIPAA, they aren’t as targeted as some of the other programmatic tactics advertisers can utilize. They are a great way to reach an audience without invading their privacy, while being able to make your creative and messaging less generic, since these tactics aren’t aimed at a specific user based on their conditions or treatments.

But as outlined throughout this paper, the most important aspect of medically sensitive campaigns comes down to the creative and messaging. Campaign creative can make or break your campaigns in terms of being HIPAA compliant or not. If your client really wants to utilize the more targeted tactics like Search Retargeting, Geo-Fencing, and Site Retargeting, marketers need to be aware of the recency they are targeting these users for and the nature of their creative. If the creative is generic and does not implicate that a user has a specific condition or needs a certain treatment, you can get by using these tactics. If you have a client that is very set on serving a specific set of creatives, say promoting a new type of radiation to potential patients, inform that client of the limitations that creative would entail. They cannot geo-fence other cancer facilities even on an instant recency, because that ad assumes users in that geo-fence have cancer and need radiation. Save the specific creative for the broader tactics (Whitelisting & Geo-Targeting); when it comes to the more targeted tactics, keep the creative and messaging generic! This will ensure that your medically sensitive campaign remains HIPAA compliant.

Medically sensitive programmatic campaigns can be a tough aspect of digital marketing to navigate, for not only marketers but also advertisers! But as long as digital marketers are aware of what is and is not HIPAA compliant, they can find digital solutions for any type of medically sensitive campaign that will get ads to the right consumers.


Maddie Beyrouty, Lead Programmatic Analyst