
4 min read

Healthcare ads and HIPAA compliance: The ultimate guide



HIPAA, the Health Insurance Portability and Accountability Act of 1996, regulates healthcare in the U.S., from health insurance to patients and their protected health information (PHI). The HIPAA-regulated industry is vast, and covered entities (CEs) and their business associates (BAs) must function and flourish under HIPAA’s rules concerning PHI use and disclosure. This includes all marketing, such as healthcare ads. This ultimate guide explores online healthcare ads and what CEs should understand about this advertising method. At the end, it makes the case that HIPAA compliant email marketing is a simpler and more secure marketing method for CEs.


HIPAA compliance and marketing

The HIPAA Privacy Rule regulates how CEs can employ PHI for marketing and advertising, giving “individuals important controls over whether and how their [PHI] is used and disclosed.” In general, a CE must have a patient’s authorization (i.e., written consent) before marketing to them. Keep in mind that there is a distinction between the types of communication that HIPAA considers marketing and the situations in which this authorization is necessary.


RELATED: HIPAA Definition of Marketing Explained


HIPAA regulations are not intended to restrict a CE’s ability to communicate. Rather, they should encourage a CE to pause and assess whether patient authorization is required before marketing. It is also worth noting that HIPAA’s definition of marketing covers interaction between a CE and a patient as well as between a CE and a potential patient. Since online ads can be seen by anyone, CEs must ensure HIPAA compliance before ads go live, especially on social media platforms.


HIPAA compliance and healthcare ads

Social media usage has grown exponentially over the years. It is only natural for businesses to use such platforms to connect with and attract customers. This includes healthcare organizations interested in finding new patients and/or partners.


RELATED: Social Media & HIPAA Compliance: The Ultimate Guide


Generally, there are two methods of online advertising: straightforward, simple ads to attract clicks, or targeted ads that use user behavior to entice. Pay-per-click (PPC) advertisements (largely based on keyword searches) are mostly allowed under HIPAA. Whether or not an ad is compliant depends on the specificity of the included information. Conversely, retargeting (or remarketing, using cookies to bring your ad to users who visited your website) is not HIPAA compliant; such ads announce to others accessing the same computer/portable device what website was visited recently. Unsanctioned PHI disclosure is possible via both types of ads, although organizations have more control over the former. Given this potential breach of confidentiality, CEs must sign a business associate agreement (BAA) with the advertising company. The Privacy Rule allows CEs to disclose PHI to a BA if they receive assurance that the information is protected through a signed BAA. If the advertising company is willing to sign a BAA, the CE must then analyze the company’s policies against HIPAA’s requirements. Then the CE must figure out how to advertise without violating the act or decide to focus on an alternative marketing method. Given the above, let’s see how the most popular advertisement platforms measure up.


Google Ads

Google Ads is a Google advertising product that started in 2000. Currently, Google Ads is the biggest provider of search engine advertising on the market. It was the first-ever self-serve online advertising platform and uses both PPC and retargeting ads.


RELATED: Google & HIPAA Compliance: The Ultimate Guide


Google Ads puts restrictions on what covered entities can include in a healthcare ad. For example, although Google Ads offers retargeting, it does not allow healthcare organizations to use it. Also, CEs are unable to get a signed BAA from Google for using its advertising program. Therefore, Google Ads is not HIPAA compliant.


Microsoft Ads

Microsoft Ads (known as Bing Ads until 2019) are visible on all Bing, Yahoo, and AOL platforms, as well as on MSN search. Advertisers can target and focus their ads to increase clicks. Microsoft addresses HIPAA on a compliance web page, though the discussion does not mention advertising specifically. On another web page, the company lists healthcare products that cannot appear in advertisements but doesn’t mention any other restrictions. Microsoft offers a BAA to CEs for Microsoft 365 and some cloud services. However, there is no mention of Microsoft Ads in the BAA. Microsoft Ads also uses PPC and retargeting. Microsoft Ads is not HIPAA compliant.


Facebook Ads

Created by Facebook in 2007, Facebook Ads was introduced to connect users with companies through targeted advertising. It also uses PPC (what Facebook calls "costs-per-clicks") and retargeting. Facebook Ads generated close to $84.2 billion in revenue in 2020.

Facebook does not offer a BAA for any of its products. Furthermore, Facebook relies on retargeting and collecting user data for its advertising program with no regard for HIPAA. Facebook Ads is not HIPAA compliant.


RELATED: Is Facebook Pixel HIPAA Compliant?


LinkedIn Ads

LinkedIn is one of the largest social networks in the world. The first advertisements on LinkedIn ran in 2005. LinkedIn Ads appear in the LinkedIn feed or through its messenger, using PPC (or cost-per-impression) and retargeting. LinkedIn will not sign a BAA for any of its components. Furthermore, LinkedIn Ads does not have a firm policy on healthcare advertisements and relies on both targeting and retargeting for marketing campaigns. LinkedIn Ads is not HIPAA compliant.


RELATED: Is LinkedIn HIPAA compliant?



None of Google Ads, Microsoft Ads, Facebook Ads, or LinkedIn Ads is HIPAA compliant. Healthcare providers could still use these platforms for marketing if they steer clear of sharing anything that could be PHI. However, rather than gamble on a potential breach in the future, CEs can instead choose to focus on a solution that removes the stress and worry.


Choose HIPAA compliant email for more security

Rather than putting a lot of effort into creating online ads, CEs should turn toward HIPAA compliant email for more security and ease. An email communication program can help grow a CE’s patient base while ensuring the organization does not share information accidentally or intentionally. Using an email marketing solution can even get a CE more social media followers. By writing an effective healthcare email newsletter and linking to your social media platforms within the email, people can easily follow you to receive and share general information.


RELATED: Social Media and Email Marketing for Healthcare: A Virtuous Circle


Paubox Marketing provides CEs with all they need to advertise their organization. Paubox will not only sign a BAA but will also work tirelessly to keep you, your patients, and your potential patients safe. Our solution allows recipients to view marketing emails like regular emails, but with strong encryption and email security at all times. There are no extra steps for the sender or the receiver, and no worry about leaked PHI. Compared to the standard marketing tools, Paubox Marketing is the best option for maintaining HIPAA compliance. Rather than hassle with healthcare ads, use HIPAA compliant email marketing not only to create personalized marketing campaigns but also to maintain PHI security.

Try Paubox Marketing for free and make your email marketing HIPAA compliant today.
