
A Guide To Creating HIPAA Compliant Programmatic Campaigns [Updated 2023]

Jul 5, 2022

Running programmatic campaigns for healthcare can require some creativity due to limitations related to HIPAA regulations.

If you’re like many other agencies, you may be struggling with how to navigate HIPAA compliance while also delivering results for your clients.

Our Programmatic Team at Conduit has managed hundreds of campaigns spanning more than one hundred HIPAA-sensitive clients in verticals ranging from CBD to limb prosthetics across multiple DSPs. Today, we’re going to share with you some of their insights for maintaining compliance while striving to reach the right audience.

Let’s dive in.

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act, was signed into law by President Clinton in 1996. Over the decades since, it has evolved to also protect digital patient information in the medical industry.

This law has several layers to what it does for U.S. citizens. Originally it was created so workers could carry their insurance and healthcare rights forward between jobs. Today, the law has expanded to include many more nuances and intricacies.

According to the HIPAA Journal, “the Act has since expanded into an act of legislation that also governs health insurance fraud and tax provisions for medical savings accounts and ensures acceptance of workers with pre-existing conditions into occupational healthcare insurance schemes.

Primarily, however, HIPAA concerns the privacy and security of patient health information.

In a lot of ways the implementation of HIPAA regulated a lot of aspects in the medical industry to make the entire health care system more regulated and easily accessible for not only health care providers but also for people to access their own medical records and who else has access to their protected health data.”

But how does HIPAA affect digital marketing and how are they related?

According to the U.S. Department of Health & Human Services, “The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”

Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.”

This definition of marketing has certain exceptions, as discussed below.

Examples of “marketing” communications requiring prior authorization are:

  • A communication from the hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.

  • A communication from a health insurer promoting a home and casualty insurance product offered by the same company.”

For marketers, understanding HIPAA and the strict regulations involved in executing these strategies are two key factors in running a successful medical campaign.

Due to the continuous evolution of what HIPAA encompasses, marketers should remain updated on these topics to keep pace with the changing requirements and restraints that affect the medical industry. Failure to do so could prevent a campaign from launching, resulting in wasted time and effort.

As a baseline, marketers should remain current on what is and what is not HIPAA-compliant. This will ensure that you can run your campaign without many complications.

There are over 70,000 health-related searches on Google every minute, which equates to over 1 billion every single day, according to Google Health Vice President David Feinberg, MD, via The Telegraph.

So when it comes to programmatic advertising, serving the right ad to the right user at the right time could be a lifesaver for consumers.

So how can marketers leverage this information in an efficient and ethical way for their clients?

HIPAA mandates that marketers cannot use first-party data like cookie-based data, CRM data, and website analytics to link individuals to medical conditions.

Various forms of retargeting also violate HIPAA regulations by linking users to their conditions.

Healthcare marketers have been slower to adopt programmatic than other forms of digital advertising, mainly because of uncertainty about how to implement it without violating HIPAA. Violating HIPAA, however, can definitely be prevented.

How Programmatic Advertising is Bridging The Gap

Through programmatic campaigns, online publishers are permitted to collect data related to a consumer’s interests in specific conditions or symptoms by consumption of related content.

Using that data, publishers can create segments of users interested in certain conditions and make those anonymous audiences available to pharma companies through programmatic pipelines. This targeting can also be extended across devices.

Once a publisher zeroes in on a user’s interest and links that user to an email address, the user’s identity, now no longer anonymous, can also be extended to a mobile device.

For example, if a drug manufacturer wants to target people who have diabetes, a publisher can create a segment of site visitors who have shown interest in this topic by reading related content like testing blood sugar. The publisher can then make that segment available to advertisers through a programmatic pipeline for purposes of targeting via display or video advertising.

When it comes to achieving clients’ overall goals at a tactical level, there are a few tactics in the programmatic space that you can use while still being HIPAA compliant.

Programmatic Tactics

Contextual Targeting

Contextual Targeting is a go-to tactic among several different verticals across multiple programmatic campaigns, but what does it do specifically?

Contextual Targeting monitors a user’s web behavior, like pages visited, blogs engaged with, and searched keywords and phrases. Ads are then served that align with that content. There are a few ways that contextual targeting can be leveraged to maintain HIPAA compliance:

  • Whitelists – targeting contextually relevant domains and serving ads exclusively to that inventory

  • Topic Targeting – pre-set audiences grouped together by topic of interest based on web behavior

  • Custom Browsing Segments – audiences created based on keywords and phrases completely custom-built and highly specific to your advertiser

For instance, say your client is interested in targeting users who have arthritis. Contextual targeting could be implemented through whitelisting websites like or leveraging a custom browsing segment of keywords that people with arthritis engage with like “joint pain relief,” “arthritis remedies,” etc.

Geo-Fencing

Geo-fencing technology allows programmatic marketers to draw a virtual fence around a specific brick-and-mortar location. The client’s ads can then be retargeted to users after they visit that physical location in person.

Depending on the type of medical care your client provides, geo-fencing may not be a HIPAA-compliant solution. Locations that provide specialized treatment for conditions deemed medically sensitive may be subject to heavier restrictions, because a user’s privacy rights protect them from being retargeted with unwanted ads after leaving the geo-fenced location.

For this reason, there are set restrictions on which locations marketers are allowed to geo-fence in campaigns that must comply with HIPAA. These restrictions vary based on the medical sensitivity of the advertiser, the creatives and ad messaging in use, and the type of location being geo-fenced. Here are a few scenarios that illustrate the variance:

  • Scenario 1: Your client is a cancer center looking to target users who have pancreatic cancer with ads that speak directly to this audience. They also want to geo-fence other cancer centers in an effort to reach people who would be looking for a second opinion. Because the advertiser is highly medically sensitive, the ads are very specific to the audience, and the location attempting to be geo-fenced is sensitive – geo-fencing would not be allowed.

  • Scenario 2: Your client is a fertility specialist trying to drive awareness of their services among couples who may be struggling with infertility. They’re interested in geo-fencing OBGYN offices within the area with creatives that speak directly to their target audience. In this case, geo-fencing is allowed, but the fence must use a 1-mile radius around the OBGYN offices.

  • Scenario 3: Your client is an allergy drug company looking to geo-fence local pharmacies and parks in the area in an effort to boost sales. Geo-Fencing would be allowed without any restrictions as neither the advertiser nor the locations being fenced are considered medically sensitive.

HIPAA protects the privacy of protected health information (PHI) in the hands of a healthcare provider, health plan, or clearinghouse. PHI is information that relates to an individual’s past, present, or future healthcare, services, or payment for care. Geo-fencing does not touch any of that information if the restrictions on medically sensitive locations are navigated appropriately.

You might be wondering what happens if your advertising campaigns fail to adhere to HIPAA guidelines and your platform fails as a safety net. Here’s an example. According to the HIPAA Guide, NPR covered an instance in which Copley Advertising set up geofences around reproductive health centers and methadone clinics.

The campaign served ads with headlines like “pregnancy help” and “you are not alone,” targeted at women who physically visited these locations.

The clients Copley Advertising was serving with this campaign included adoption agencies and Christian pregnancy counseling organizations. Massachusetts Attorney General Maura Healey pursued a case against the agency for violating the state’s consumer protection laws. As a result, Copley was forbidden from using geo-fencing technology within the state or at healthcare facilities where it could infer a person’s medical status.

This ties back to not following the creative messaging guidelines when geo-fencing sensitive locations. Though this is just one example of what could happen, advertisers should keep in mind that the repercussions of HIPAA non-compliance can extend beyond the platform.

Site Retargeting

Site retargeting, or remarketing, is one of the most impactful strategies that can be deployed. It is also, however, one of the trickiest tactics to use in medically sensitive programmatic campaigns. Because this tactic serves ads to users who have visited an advertiser’s website, it poses a direct risk of violating a user’s privacy.

Let’s use an example. A woman has just left a routine checkup where she learned she is showing possible signs of dementia and was referred to a specialist. In the interim, she goes home and searches “early onset dementia” on Google, and a blog post on this topic from a local neurologist’s website is suggested.

She clicks, reads it, leaves the website, and leaves her computer.

Then her husband sits down to find a lasagna recipe on and he’s served a display ad from the Neurologist’s office with messaging that mentions dementia care. Here, the neurologist has disclosed protected health information about a medical condition to an unauthorized third party.

Because there is no control over, and no way of knowing, who is using a given device or shared IP when a retargeting strategy is implemented in a medically sensitive vertical, this instance illustrates why retargeting in the traditional sense is not allowed.

With that said, there are some instances where retargeting medically sensitive audiences may be allowed. This is typically when the advertiser does not exclusively or primarily offer sensitive services. Limitations will vary by platform but it remains imperative to adhere to all compliance standards and restrictions.

The common denominator among all platforms, however, is the creative messaging and landing page. The ads being used in the campaign cannot imply any knowledge that a user has a specific medical condition. As long as these ads are generic and users are being sent to a nonspecific page, your campaign will remain HIPAA compliant.

For example, a dermatology office may have a section of its website about skin cancer, but it is promoting general dermatology services. Site retargeting is permitted in this case, but the ads must remain generic and drive to a page that does not mention skin cancer information or treatment, such as the home page or contact page.

Site retargeting can be a very powerful tactic to utilize in a campaign, as mentioned. This tactic targets individuals who are already familiar with your brand so it’s an efficient avenue for reaching relevant users.

When it comes to deciding which pages you want to retarget people from, use the pages of your site that are both conversion-oriented and compliant.

Creative Messaging

As addressed earlier, creative and overall messaging is a significant component of whether or not your campaign maintains HIPAA compliance.

Consider what you want users to take away from your ads while still keeping the approach generalized. A useful rule of thumb: if the ad, its messaging, or the accompanying landing page indicates a specific condition, it will not be permitted.

The narrower the targeting, the more generalized the messaging will need to be. For highly targeted tactics, such as search keyword targeting, geo-fencing, and retargeting, it’s best to err on the side of caution and keep these creatives generic so your campaigns remain HIPAA compliant.

Creative messaging can become more specific when casting a wider net through more broad-based tactics like pre-curated audiences and contextual targeting, such as whitelisting.

While pre-curated audiences can get very specific, this tactic is still generally considered broader than geo-fencing and site retargeting. These audience segments are made up of users identified as having particular interests, intents, and demographic criteria. This data is gathered from a variety of sources, ranging from Census data and credit bureau data to users’ web behavior. The segments are compiled with HIPAA regulations in mind, so they are free to use for medically sensitive campaigns.

An example of using pre-curated audiences might be a fertility clinic looking to attract new patients. They may target newlyweds or females aged 25 through 35.

Keeping creatives generic doesn’t mean advertisers are unable to get their message across to the right consumers. Programmatic digital marketing is, at its core, top-of-the-funnel branding.

These campaigns are not meant to generate leads, but rather to reach relevant users in the identified geo-target and increase awareness of the products or services advertisers want to market.

In the medical industry, it’s important to be transparent with potential clients by informing them which tactics can be executed successfully, and how, while remaining both compliant and relevant to the end goal.

It is then the digital marketing expert’s role to provide the client with alternative ways to achieve their goals, making the most of the tactics available in a HIPAA-compliant manner, creatives and messaging included.

Final Thoughts & Key Takeaways

Knowing how to navigate HIPAA and a user’s overall privacy rights can become a frustrating and confusing roadblock when executing programmatic marketing campaigns of this nature.

One of the biggest takeaways is understanding that HIPAA and privacy rights are constantly evolving and what is allowed today may not be allowed in the upcoming year, or even the upcoming months.

Digital marketers need to stay informed and up to date on new HIPAA regulations and privacy laws.

As mentioned, there are ways to successfully execute and run a medically sensitive programmatic campaign without violating a user’s privacy. While some tactics are fair game, others may come with restrictions.

Generally, contextual targeting is allowed without any restrictions. The gray area lies with Custom Browsing Segments, or search keywords.

Sensitive keywords will not be permitted to run regardless of how general the ads or advertiser is. This includes keywords that are highly indicative of a medical condition, such as “cancer” or “dementia.”

Keywords that are not attributed to a medically sensitive treatment or condition, like “sprained ankle” or “urgent care,” are eligible to run. For optimal results, consider adjusting the keyword retargeting recency to shorter windows than the standard 30 days.

Whitelisting allows digital marketers to target specific ad-servable sites that users would be likely to visit based on the nature of the campaign. Since there is no retargeting or exact search pattern associated with this tactic, it is a foolproof way to target users without violating HIPAA.

Geo-fencing is also a great way to reach potential consumers; however, this tactic has to be used carefully in medically sensitive programmatic campaigns to ensure you are not intruding on a user’s private information.

If the targeting is aimed primarily at the patients of medically sensitive locations, geo-fencing will generally not be allowed without the use of a 1-mile radius. Geo-fencing medically sensitive locations is permissible if the advertiser is not medically sensitive, such as a college looking to increase enrollment in its nursing program.

If you have a client that runs a medically sensitive campaign, it may be best to think of alternative locations to geo-fence outside of medical offices.

For example, if an advertiser runs a weight loss clinic, it may be more effective to geo-fence gyms or nutritional stores. This helps to keep the targeting highly relevant while avoiding any potential legal liabilities.

Site retargeting is another tactic that will probably be one of the more difficult to execute successfully without violating HIPAA, but it can be done! It is imperative that the ads used to retarget a user are generic and not specific to a treatment or condition.

So long as the campaign retargets people with generic ads and sends them to a non-specific page, one that would not imply they have a specific condition or need a specific treatment, the campaign remains HIPAA compliant.

Site retargeting and geo-fencing are the two tactics digital marketers should be hyper-conscious of, as they are the most targeted yet pose the biggest risk of violating a user’s privacy if not done properly.

Using these tactics in a HIPAA-compliant way takes away much of the targeted aspect that usually draws advertisers to them.

Pre-curated audiences allow marketers to reach relevant users based on interests, intents, or demographics, using data that has already been collected in a HIPAA-compliant manner. This provides flexibility and creativity in deciding how best to reach the ideal demographic.

It’s a great way to reach users and speak more freely about the particular product or service being advertised without infringing on their privacy.

All in all, the most important aspect of medically sensitive campaigns comes down to the creative elements and messaging.

Campaign creatives, and subsequently the landing page, can make or break campaigns in terms of being HIPAA compliant or not.

If clients are keen on using highly targeted tactics such as geo-fencing, site retargeting, or search keywords, they must also understand the caveats and restrictions that come with them, including on creative messaging. When done right, these tactics are highly effective and provide great value to any campaign.

If the creative is generic and does not imply that a user has a specific condition or needs a certain treatment, the campaign is permitted to run these tactics.

If a client is set on advertising a specific medically sensitive product or service, say, promoting a new type of radiation treatment to potential patients, this would come with restrictions on the campaign, such as being unable to run certain tactics.

This campaign would not be able to geo-fence other cancer facilities unless a 1-mile radius was implemented as the ad is targeting users based on the assumption they have cancer and need radiation.

Remember, the more targeted a tactic, the broader the messaging. Save the specific creative for the broader tactics such as Whitelisting, Contextual, and Pre-Curated Audiences. When it comes to the more targeted tactics like Geo-Fencing and Site Retargeting, keep the creative messaging generic!

This will ensure that your medically sensitive campaign remains HIPAA compliant.

Medically sensitive programmatic campaigns can be a tough aspect of digital marketing to navigate, for not only marketers but also advertisers!

But as long as digital marketers are aware of what is and is not HIPAA compliant, they can find digital solutions for any type of medically sensitive campaign that deliver ads to the right consumers.

Launch HIPAA Compliant Programmatic Campaigns for Your Clients

At Conduit Digital, we partner exclusively with successful and established digital marketing agencies to provide elite performance, reporting, and communication infrastructure for their clients’ campaigns. All of our programmatic products are directly managed in-house by our own team of U.S.-based certified Programmatic Analysts.

To learn more about how you can start saying “yes” to better opportunities for your agency in the medical industry with programmatic advertising, or any of our other products, schedule a 20-minute call with us.