Meta’s New Data Restrictions for Healthcare: What We Know So Far
For healthcare marketers, change isn’t just inevitable—it’s relentless. Just when you’ve figured out a strategy to adapt to the latest shift, HHS, lawsuits, or Meta step in to rewrite the rules.
The most recent example of this comes from Meta. Meta is introducing new data-sharing restrictions for regulated industries, including healthcare, starting in 2025. These changes could significantly impact how businesses use tools like Meta’s Pixel, their CAPI (Conversions API), and their App Events API to optimize campaigns.
Unfortunately, Meta has been extremely vague in what these restrictions mean for healthcare organizations. To help, we’ve been working closely with Meta insiders and leading healthcare brands to navigate these changes and to continue effectively using Facebook.
In this article, we’ll break down why this is happening, what we know so far, and our interpretation of it.
One caveat before we dive in: Meta hasn’t officially confirmed anything you’ll read here. These are our learnings from talking with dozens of healthcare organizations and Meta insiders over the past few weeks. We’re still working to get official confirmation on all of it.
Why Is Meta Making These Changes?
Meta’s new data-sharing restrictions are less about innovation and more about self-preservation. Here’s what’s driving the shift:
- Lawsuits: Meta has been named in several lawsuits over its data collection practices in healthcare, particularly for mishandling sensitive health information. These challenges have put the social media giant under intense scrutiny, prompting the need to reduce liability.
- Regulatory Complexity: With a growing number of state-level privacy laws, Meta faces the challenge of complying with a patchwork of regulations. Rather than addressing each state’s requirements individually, Meta is adopting universal compliance measures to simplify its approach.
- Public Sentiment: Increasing awareness and concern around data privacy, especially in healthcare, have further pressured Meta to act. High-profile breaches and growing distrust in how companies handle sensitive data have made it clear that protecting user privacy is no longer optional—it’s essential for maintaining trust and credibility.
These drivers make it clear: Meta’s focus isn’t on eliminating healthcare advertising but on minimizing its own risk in an increasingly complex and privacy-conscious landscape.
What Do We Know About These Changes (So Far)?
First, Meta is grouping healthcare organizations into a broad category like "Health & Wellness." From there, you’ll get further grouped into a subcategory such as “Provider” or “Patient Portal.”
They make this determination based on the source of the data you share with Meta. So if you’re sharing data from your website, your app, or an authorized (logged in) patient portal, that’s what determines the categorization.
The "Patient Portal" categorization is expected to face the most stringent restrictions. Meta defines this category as organizations that share data originating from an authorized (logged-in) patient portal. Essentially, if users create a profile to access services and any data related to that profile — such as preferences or activity — is shared with Meta, your organization may be classified as a Patient Portal. This classification increases the likelihood of facing full restrictions on lower-funnel events and data sharing capabilities.
But restrictions are not limited to patient portals. The content on your website, app, or patient portal also seems to play a role in categorization. Condition-specific websites, like a website dedicated solely to anxiety, could be heavily restricted, while general healthcare websites, like the website of your local healthcare system, might be less restricted.
Your go-to-market approach could influence Meta’s categorization too. For example, if your healthcare company includes an “e-commerce” component, such as selling products online, you may be more likely to face restrictions, especially if you're sharing data back to Meta from a post-purchase state.
But regardless of your categorization, it seems likely that both Providers and Patient Portals are subject to data restrictions. These restrictions will mostly affect standard lower-funnel events like “Schedule” or “Find Location,” and could impact data shared through Meta’s Pixel, Conversions API (CAPI), or App Events API. As a result, healthcare marketers may face limitations in how effectively they can optimize their campaigns.
What Types of Events Are Being Restricted?
Sounds pretty serious so far, right? Fortunately, there’s hope.
First, you’ll be able to appeal your categorization every 30 days if you have a strong reason for doing so. This means that if you’ve made changes to your data source or adjusted how your ad strategy operates, you’ll have the option to appeal. The appeal process itself is unclear, but appeals will be possible.
Second, notice our wording above: “standard lower-funnel events.” The use of the word “standard” is intentional because custom events will still remain available to many healthcare organizations, with a few caveats:
- Custom events must be registered. According to the documentation Meta shared on this, custom events will automatically be blocked until you, as the advertiser, review and confirm them. In other words, the responsibility is on the advertiser to approve custom events.
- Custom events cannot mirror a standard event. So, you can’t just create a custom event that is exactly the same as a standard “Find Location” event.
- Custom events will not be available to organizations faced with full restrictions.
The final point about custom events is crucial: Meta is shifting the compliance burden onto advertisers. Meta said this to one large healthcare organization: “While Meta’s systems are designed to help ensure prohibited information is not shared via these custom events, you are responsible for the data you share and your compliance with our terms.”
In simpler terms, Meta is providing the tools but putting the onus on advertisers to ensure the data they send is compliant. This means advertisers must take extra precautions when using custom events, ensuring no sensitive information (like PHI) is shared.
And while it’s not clear which standard events are restricted, we know that these standard events will not be restricted:
- Donate
- Search
- View Content
- Page View
- App Install
Lastly, if an event is restricted, your ads won’t be shut off overnight. You’ll receive notifications from Meta about which ad sets are affected, and delivery & effectiveness will decline over time. Now, it’s worth pointing out that “over time” is ambiguous, and data moves quickly on Meta, so a restriction could have an impact on your ad metrics very quickly.
How Leading Healthcare Brands Are Staying Ahead of Meta’s Restrictions
From our conversations over the past few weeks, it’s clear there is a lot of ambiguity about these changes and who is affected. We know that not all healthcare organizations are equally affected: even two companies that seem very similar are being impacted differently.
Some leading healthcare brands have shared that Meta has indicated they’re not impacted by the restrictions due to their adoption of privacy-first strategies. These organizations are successfully navigating the changes by taking the following steps:
- Remove Meta’s Pixel: Remove Meta’s Pixel from your site and replace it with a BAA-supported tracker like Freshpaint to ensure compliance (if you're one of our customers, you're already covered).
- Block PHI from being shared with Meta: Remember, Meta is putting the onus on the advertiser to comply with their terms. Using tools like Freshpaint that prevent sensitive health information from being shared with Meta will be crucial.
- Use neutral custom event names: This may be the most important step in all of this. Since, as we mentioned earlier, custom events are still okay, renaming conversion events to remove specific intent (e.g., replacing “appointment_booked” with a generic label like “event_T4B9”) is a crucial step.
If you've already heard from Meta and they're indicating that your data sharing is likely to be restricted, here's what you should do today:
- Create custom events that limit data sharing: Ensure your custom events only reference the FBCLID (Facebook Click Identifier) as the signal for conversions and avoid sending any additional context to Meta.
- Use extra caution in custom event naming: Be deliberate about event names to ensure they don't imply sensitive intent (e.g., avoid names like "appointment_booked" or "screening_requested").
- Plan for conversion optimization without patient portal data: If restrictions persist, develop a strategy to optimize campaign performance without relying on "Patient Portal" data, such as using landing page views as a signal.
- Appeal your categorization: If you believe your website has been incorrectly categorized as a "Patient Portal," submit an appeal. Meta allows for appeals every 30 days.
- Follow privacy-first best practices to stay ahead: This appears to be a "CYA" move for Meta, meaning advertisers who follow privacy-first best practices should be okay. However, since Meta hasn’t provided definitive guidance, it’s crucial to monitor enforcement closely.
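The two lists above (neutral event names, FBCLID-only custom events, blocking extra context) can be enforced as a default-deny filter in front of whatever sends your conversions. This is an added example, not Freshpaint's or Meta's code; the label map, the `event_K2M7` label, the FBCLID character set and the output payload shape are assumptions made for illustration.

```javascript
// Added example: default-deny minimization of outbound conversion events.
// The label map and payload shape are assumptions, not Meta's API schema.

// Internal event name -> opaque outbound label. "event_T4B9" is the article's
// example; "event_K2M7" is constructed for illustration.
const NEUTRAL_LABELS = new Map([
  ["appointment_booked", "event_T4B9"],
  ["screening_requested", "event_K2M7"],
]);

// Outbound labels must be opaque: fixed prefix plus four uppercase alphanumerics.
const OPAQUE_LABEL = /^event_[A-Z0-9]{4}$/;
// Assumed charset for click identifiers; anything else is dropped as malformed.
const FBCLID_FORMAT = /^[A-Za-z0-9_-]{1,512}$/;

function extractFbclid(landingUrl) {
  let parsed;
  try {
    parsed = new URL(landingUrl);
  } catch {
    return null; // unparseable URL -> no identifier
  }
  const value = parsed.searchParams.get("fbclid");
  return value && FBCLID_FORMAT.test(value) ? value : null;
}

function minimizeEvent(internalEvent) {
  const label = NEUTRAL_LABELS.get(internalEvent.name);
  if (!label || !OPAQUE_LABEL.test(label)) return null; // unmapped -> blocked
  const fbclid = extractFbclid(internalEvent.landingUrl);
  if (!fbclid) return null; // no click identifier -> nothing to attribute
  // Build a fresh object so page path, referrer and properties cannot leak.
  return { event_name: label, fbclid };
}

// Constructed sample events (not real traffic).
const SAMPLE_EVENTS = [
  { name: "appointment_booked",
    landingUrl: "https://clinic.example/anxiety/book?fbclid=AbC123_x-Y&dx=gad",
    properties: { provider: "Dr. Example", condition: "anxiety" } },
  { name: "portal_message_sent",
    landingUrl: "https://clinic.example/portal?fbclid=AbC123_x-Y" },
  { name: "screening_requested", landingUrl: "https://clinic.example/screen" },
];

const outbound = SAMPLE_EVENTS.map(minimizeEvent).filter(Boolean);
console.log(JSON.stringify(outbound));
```

Only the first sample event leaves the filter, and it carries nothing but the opaque label and the click identifier; the condition-specific URL path, the `dx` parameter and the event properties never reach the outbound object.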
By taking these proactive steps, some advertisers are maintaining the ability to optimize campaigns effectively, even under Meta’s evolving guidelines. It remains to be seen exactly how this will play out when the restrictions are fully implemented next month.
Navigating the Path Forward
Meta’s new data-sharing restrictions signal yet another shift in the ever-changing landscape of healthcare marketing. While these changes introduce uncertainty, they also present an opportunity for healthcare marketers to double down on privacy-first strategies that not only ensure compliance but also sustain campaign performance.