The tools you rely on for effective digital advertising could disappear tomorrow. That’s not hyperbole, or a scare tactic. It’s already happening to healthcare providers right now. As trust in payers erodes and scrutiny around privacy intensifies, it’s only a matter of time before legislative and regulatory attention turns to payers.
With privacy laws like HIPAA tightening and the risk of non-compliance growing, healthcare organizations face mounting pressure to adapt. Yet, alarmingly, a recent Becker’s survey on the 2025 State of Payer Marketing revealed that only 24% of payer marketers are aware of the privacy risks associated with advertising tools.
This knowledge gap can lead to costly repercussions, as demonstrated by recent fines for HIPAA violations. One notable case involves BetterHelp, a healthcare organization fined $7.8 million by the FTC for improperly sharing sensitive user data with third parties like Facebook and Google for advertising purposes. The company was also prohibited from using consumer health data for targeted advertising. As a result, BetterHelp has shifted its ad spend to channels like podcasts and influencer marketing, which don’t rely on user data for targeting. That’s why you hear their ads on so many podcasts lately.
Understanding PHI: Why Healthcare Marketing Needs Extra Care
To address these risks, it’s essential to understand what constitutes Protected Health Information (PHI) and how it intersects with marketing. PHI includes any data that:
- Relates to an individual’s physical or mental health, healthcare received, or payment for that care.
- Contains personal identifiers, such as names, addresses, or Social Security Numbers, which can link the information to a specific individual.
In digital advertising, PHI is often collected by web tracking tools used by many healthcare payers. Those web tracking tools expose payers to significant risks.
How Web Trackers Put PHI at Risk
Web trackers—cookies, pixels, or snippets—are integral to digital advertising. They provide insights into ad performance, allowing marketers to optimize campaigns for better ROI. Ad platforms also use these tools to identify users who take positive actions on a marketer’s site, refining their targeting to drive similar actions from other users.
However, these trackers often collect personal identifiers, such as:
- Visitor location
- Device IDs
- Information submitted via forms
When combined with health-related data, these identifiers create PHI. For instance, tools like Google Ads tracking pixels gather health-related information and personal identifiers from website visitors. Sharing that data with non-HIPAA-compliant destinations puts any company at risk of violating HIPAA.
The Kaiser Foundation Health Plan was recently required to disclose a data breach because of this exact situation. They were using web trackers from Microsoft and Google, which inadvertently shared patient information with the ad platforms.
Steps for Payers to Protect PHI in Advertising
Many healthcare organizations attempt to mitigate these risks by seeking Business Associate Agreements (BAAs) with advertising platforms. Unfortunately, major platforms like Google and Meta refuse to sign BAAs, as doing so would limit their data collection practices.
Another approach is to remove ad trackers entirely. While this prevents PHI exposure, it disrupts the flow of critical data to advertising platforms, leading to:
- Increased Cost Per Lead (CPL): Without accurate data, ad platforms can’t effectively optimize campaigns, leading to inefficient spend and CPL increases of up to 8x, a trend we’ve observed across multiple healthcare organizations.
- Inefficient Marketing Spend: Inaccurate data undermines strategy effectiveness, wasting resources.
- Reduced Visibility: Limited insights hinder informed decision-making.
For example, Allergy Partners experienced a surge in CPL from $12 to $300 after removing ad trackers, highlighting the high cost of this approach.
The Third Option: Privacy-First Marketing
Fortunately, there’s a third option: implementing privacy-first marketing through solutions like Freshpaint. This approach involves replacing third-party tracking tools with a BAA-protected platform that provides complete control over data sharing and complies with HIPAA requirements.
In March 2024, the Office for Civil Rights highlighted this solution, recommending that healthcare organizations replace non-compliant tracking technologies with platforms capable of de-identifying PHI before sharing it with downstream tools. Freshpaint’s Healthcare Privacy Platform, for example, operates under a BAA and ensures that only de-identified data is shared with advertising platforms, eliminating the risk of PHI exposure.
Take Action Today
Healthcare payers cannot afford to ignore the privacy risks associated with digital advertising. To protect member PHI while maintaining marketing effectiveness, organizations should:
- Audit existing web trackers to identify potential risks.
- Transition to privacy-first solutions like Freshpaint that sign BAAs and ensure compliance.
- Educate internal teams about PHI and its implications for digital marketing.
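The tracker mechanics described above (third-party scripts and pixels collecting form input alongside a page whose URL already reveals a health condition) and the "audit existing web trackers" step can both be made concrete with a small scan. The following is an added example, not Freshpaint's code and not part of the original post. It assumes a short watch-list of ad-platform tracker hosts and a list of health-related URL terms, both constructed here for illustration and meant to be extended from your own vendor inventory; the sample HTML and its tag IDs are likewise constructed placeholders.

```python
"""Audit a page's HTML for third-party ad trackers that could receive PHI.

Added example: flags ad-platform script/pixel loads and rates the risk higher
when the page path itself reveals a health condition or the page carries a
form collecting personal identifiers (either turns the tracker's data into PHI).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed watch-list of common ad-platform tracker hosts (illustrative, not
# exhaustive; extend it from your own tag/vendor inventory).
AD_TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager / gtag",
    "www.googleadservices.com": "Google Ads conversion",
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel image beacon",
    "bat.bing.com": "Microsoft Advertising UET",
}

# Constructed list: a URL path containing these terms tells the tracker what
# condition or care the visitor is seeking, so any identifier sent with it is PHI.
HEALTH_PATH_TERMS = ("oncology", "diabetes", "hiv", "mental-health",
                     "pregnancy", "appointment")

# Form field names treated as personal identifiers (constructed list).
IDENTIFIER_FIELDS = {"name", "email", "phone", "zip", "dob", "member_id"}


class TrackerScanner(HTMLParser):
    """Collects third-party tracker loads and form input names from one page."""

    def __init__(self):
        super().__init__()
        self.third_party = []   # (tag, host, vendor)
        self.form_fields = []   # input names found on the page

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(a["src"]).netloc.lower()
            if host in AD_TRACKER_HOSTS:
                self.third_party.append((tag, host, AD_TRACKER_HOSTS[host]))
        elif tag == "input" and a.get("name"):
            self.form_fields.append(a["name"].lower())


def audit_page(path, html):
    """Return a findings dict for one page: trackers found and their risk level."""
    scanner = TrackerScanner()
    scanner.feed(html)
    health_context = any(term in path.lower() for term in HEALTH_PATH_TERMS)
    identifier_fields = sorted(f for f in scanner.form_fields if f in IDENTIFIER_FIELDS)
    # A tracker alone still collects location/device IDs (medium); once the page
    # reveals a health context or collects identifiers, the combination is PHI (high).
    risk = "high" if (health_context or identifier_fields) else "medium"
    return {
        "path": path,
        "health_context": health_context,
        "identifier_fields": identifier_fields,
        "trackers": [
            {"tag": tag, "host": host, "vendor": vendor, "risk": risk}
            for tag, host, vendor in scanner.third_party
        ],
    }


# Constructed sample page: an appointment form on an oncology path that also
# loads Google and Meta tags (IDs are placeholders).
SAMPLE_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=AW-000000000"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<h1>Request an oncology appointment</h1>
<form action="/submit"><input name="name"><input name="email"><input name="dob"></form>
<noscript><img src="https://www.facebook.com/tr?id=000000000&ev=PageView"/></noscript>
</body></html>
"""

if __name__ == "__main__":
    report = audit_page("/find-care/oncology/appointment", SAMPLE_HTML)
    for t in report["trackers"]:
        print(f"{report['path']}: {t['vendor']} ({t['host']}) risk={t['risk']}")
```

Run it against exported HTML from a site crawl, one page at a time, and sort the output by risk; pages that come back "high" are the ones where the tracker's own collection (location, device ID, form submissions) is paired with a health signal, which is exactly the combination the text identifies as PHI.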
Want to see how privacy-first marketing can transform your approach? Schedule a demo of Freshpaint’s Healthcare Privacy Platform and receive a free web tracker report to uncover the hidden risks on your website.