44% of Healthcare Payers Overlook Privacy Risks: A Guide to Protecting PHI in Digital Advertising
Healthcare payers face a tough choice: maintain effective marketing or protect member privacy. Privacy laws, including HIPAA, are tightening, and non-compliance risks are rising.
Despite these increased privacy risks, in a recent Becker’s survey of healthcare payers, 44% of respondents said they were unaware of the risks posed by digital advertising tools.
For healthcare payers, ignorance of these risks can be costly, as seen in recent HIPAA-related fines. Just ask Cerebral, a healthcare organization that, like all healthcare payers, is a covered entity. Cerebral was recently fined $7M for sharing PHI with third parties, including TikTok, Google, Snapchat, and Meta, via trackers on its website and app.
Understanding PHI: Why Healthcare Marketing Needs Extra Care
The first step in understanding why this happens is to explain what Protected Health Information is and what role it plays in marketing.
Protected Health Information, or PHI, is any information that:
- Relates to an individual’s past, present, or future physical or mental health, the healthcare they receive, or the payment for that care, and
- Includes personal identifiers, such as a name, address, date of birth, or Social Security Number, that can link the data to a specific person.
When it comes to marketing, both of those elements are often collected by web trackers that live on healthcare payers’ websites. Take Google Ads, for example. If you use it as an advertising platform, you likely have its tracking tool installed on your website. By default, it collects both health information and personal identifiers about the visitors to your website.
Tracking tools created by Google Ads are why HHS released its December 2022 guidance and why the FTC followed up with a privacy warning a few months later.
How Ad Trackers Put PHI at Risk
Marketers need to understand the performance of their ads for reporting and optimization. Ad platforms also need to know which users took positive actions on the marketer’s website so they can serve the ad to similar users, increasing the chances of more positive actions for the marketer. That, in turn, helps the marketer’s ad achieve a positive ROI.
Tracking tools—often called cookies, pixels, snippets, or similar terms—help marketers and ad platforms optimize performance. These tools are typically installed in a website’s code to monitor the actions of users who arrive from ad platforms. The trackers report information back to the marketer for performance optimization and also enable ad platforms to refine targeting.
While tracking tools gather various information, they frequently collect personal identifiers, including:
- Visitor location
- Device IDs
- Form fill information
Tracking tools also receive health information based on the pages that the website visitor is viewing. Health information, combined with one of those personal identifiers, is Protected Health Information (PHI), which means that if you’re using a tracking pixel, the ad platform is receiving PHI, and that can lead to a HIPAA violation.
This exact scenario led to The Kaiser Foundation Health Plan notifying millions of members that their PHI was shared with advertisers like Microsoft and Google.
Steps for Payers to Protect PHI in Advertising
At this point, many healthcare organizations try to get a Business Associate Agreement (BAA) with the advertising platform of their choice. But, none of the major ad platforms, like Google or Meta, will sign BAAs because doing so would imply they’re willing to limit their data collection, which would suggest to the market that they may be collecting more data than necessary—a core privacy concern.
The next solution healthcare payers often land on to protect PHI in advertising is to stop using ad trackers. But removing ad trackers disrupts the flow of critical data to advertising platforms, resulting in:
- Skyrocketing Cost Per Lead (CPL): Without accurate data, platforms struggle to optimize campaigns, causing CPL to surge.
- Inefficient Marketing Spend: Companies cannot verify data accuracy, leading to ineffective strategies and wasted resources.
- Reduced Visibility: Lack of insights hampers the ability to make informed decisions.
This is exactly what happened to Allergy Partners, which saw its CPL increase from $12 to $300 without ad trackers.
It seems like a no-win situation: use ad trackers and risk severe HIPAA violations and legal repercussions, or remove them entirely and watch your marketing spend spiral out of control.
There is a third option, however. Implement privacy-first marketing through a tool like Freshpaint.
The Third Option: Privacy-First Marketing
Privacy-first marketing involves moving from third-party data, where native ad pixels sit on your site and collect whatever they want, to first-party data, where a BAA-supported platform replaces all native trackers and gives healthcare payers complete control over what data can be shared with advertising tools.
The Office for Civil Rights called out a solution in its March 18, 2024, guidance that involves replacing web tracking technologies that won’t sign business associate agreements with tools like Freshpaint that sign BAAs and help govern the flow of data so PHI is never shared with downstream tools:
“If the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the regulated entity can choose to establish a BAA with another vendor, for example, a Customer Data Platform vendor, that will enter into a BAA with the regulated entity to de-identify online tracking information that includes PHI and then subsequently disclose only de-identified information to tracking technology vendors that are unwilling to enter into a BAA with a regulated entity.”
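To make the two ideas above concrete, the following is an added example (not Freshpaint’s code, nor anything from the OCR guidance): it models the article’s two-part PHI test (health signal from the page viewed, plus a personal identifier) and an allow-list gateway that releases only de-identified fields to a downstream ad platform. The field names, path prefixes and the sample event are constructed for illustration and assume a hypothetical payer website.

```javascript
// Added example: model of "health information + identifier = PHI" and of a
// first-party gateway that forwards only allow-listed, non-identifying fields.
// All field names, paths and sample data below are constructed, not from any vendor.

// Identifiers a native pixel typically captures (article: location, device IDs, form fills).
const IDENTIFIER_FIELDS = ["ip", "device_id", "email", "name", "dob", "zip", "form"];

// Health signal: the page being viewed. These prefixes are assumed, for this
// hypothetical site, to reveal a condition, treatment or claim context.
const HEALTH_PATH_PREFIXES = ["/conditions/", "/treatments/", "/claims/", "/prescriptions/"];

// Fields a downstream ad platform may receive: a coarse conversion name and value only.
const ALLOWED_DOWNSTREAM = ["event", "value", "currency"];

function hasHealthSignal(event) {
  const path = event.path || "";
  return HEALTH_PATH_PREFIXES.some((prefix) => path.startsWith(prefix));
}

function hasIdentifier(event) {
  return IDENTIFIER_FIELDS.some(
    (field) => event[field] !== undefined && event[field] !== null && event[field] !== ""
  );
}

// The article's definition: health information linked to a person is PHI.
function isPHI(event) {
  return hasHealthSignal(event) && hasIdentifier(event);
}

// Governed gateway: copy only allow-listed fields, drop the page path and every
// identifier, and attach a random first-party event id that is not derived from
// any cookie, device id or visitor attribute (placeholder id scheme).
function deidentify(event) {
  const out = {};
  for (const field of ALLOWED_DOWNSTREAM) {
    if (event[field] !== undefined) out[field] = event[field];
  }
  out.event_id = "evt_" + Math.random().toString(16).slice(2);
  return out;
}

// Constructed sample of what a native pixel would send from a plan-detail page.
const SAMPLE_PIXEL_EVENT = {
  path: "/conditions/type-2-diabetes/plan-options",
  ip: "203.0.113.7",
  device_id: "device-1234",
  form: { email: "member@example.com" },
  event: "quote_request",
  value: 1,
  currency: "USD",
};
```

Running `isPHI(SAMPLE_PIXEL_EVENT)` returns `true`, while `deidentify(SAMPLE_PIXEL_EVENT)` yields only the conversion name, value, currency and a first-party id, which no longer satisfies the PHI test.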
Want to protect member PHI without sacrificing ad performance? See a demo of Freshpaint’s Healthcare Privacy Platform and get a free web tracker report to see all the risky web trackers on your website.