The Targeting Problem in Healthcare Marketing (And How to Fix It Without Violating HIPAA)
Say your organization is opening a new clinic in a new region. You've known it was coming for a while, and now it’s go time. Your job is to start generating demand ahead of the launch and ensure the schedule fills up fast.
But budgets are tight, timelines are tighter, and expectations haven't budged. You need to be efficient. In most industries, this would be a simple task: run a campaign targeting people who are actually likely to book. People who live nearby, who haven't had a primary care visit in the past year, and who've recently visited your website or logged into your patient portal.
That kind of targeting is table stakes in other industries. In healthcare, it feels out of reach.
HIPAA, and an increasingly aggressive patchwork of state laws, make it incredibly difficult for healthcare marketers to collect, use, and share data for advertising purposes, especially when it comes to platforms like Google and Meta.
Freshpaint's recent research found that just over 49% of healthcare marketers have stopped targeting altogether because of HIPAA. That means nearly half of healthcare organizations are running blind – launching campaigns and hoping they reach the right audience by chance.
But the organizations that do find a way to target their campaigns are seeing the payoff. Audience targeting typically delivers a 20–50% lift in conversion rates, with some healthcare marketers reporting up to 2x higher click-through rates.
That gap, between what you want to do and what you can do, is where most healthcare marketers get stuck. You know the audience you want to reach. You just don't have a compliant way to reach them.
To understand why, it helps to get specific about what audience targeting actually means, and what's standing in the way.

What is audience targeting?
Audience targeting is the practice of using data to identify, segment, and deliver personalized messages to specific groups of people based on their behaviors, demographics, or characteristics. It helps marketers reach the most relevant audiences for each campaign instead of broadcasting a one-size-fits-all message to everyone.
Here are a few common forms of targeting:
- Audience segmentation: Dividing users into specific groups based on shared traits. For example, creating a segment of people in Cincinnati for a campaign announcing a new clinic in the city.
- Lookalike targeting: Sharing an audience segment with a platform like Meta or Google Ads, which uses its own data to find similar users who match your audience profile.
- Exclusions: Removing certain users from a campaign to reduce waste. A healthcare marketer might exclude patients who already received their flu shot from a flu awareness campaign.
- Retargeting: Reaching people who previously interacted with your website or content, like those who visited an appointment booking page but didn't finish the process.
In most industries, these are baseline tactics. In healthcare, they're extremely difficult to implement.
Why is audience targeting so difficult for healthcare marketers?
Effective audience targeting depends on data. To run a campaign aimed at, say, people in your region who haven't seen a primary care provider in the last year and recently visited your website, you need access to behavioral and demographic signals.
But in healthcare, HIPAA classifies much of that data as protected health information (PHI), which means it can't be shared with third-party platforms like Google or Meta unless they're willing to sign a Business Associate Agreement (BAA). And unfortunately, most major ad platforms won't sign a BAA.
Without a BAA in place, healthcare marketers are blocked from using patient data to build or activate audiences, whether it's through client-side pixels or server-side integrations.

But the risk goes far beyond HIPAA. The broader regulatory and legal environment around patient data has grown more aggressive and more expensive.
The FTC has stepped in alongside HHS, signaling that regulators are taking a broader view of what constitutes a privacy violation. In 2023, the FTC fined BetterHelp and GoodRx for sharing sensitive health information with advertisers, citing deceptive practices under longstanding consumer protection laws.
Meanwhile, class action lawsuits have surged. Plaintiff attorneys are using older laws, like wiretapping laws, the Electronic Communications Privacy Act, and the Stored Communications Act, to go after healthcare organizations that use tracking technologies like the Meta Pixel. In Stewart v. Advocate Aurora Health, for example, the organization was accused of violating multiple privacy statutes and settled for $12.225 million.
State-level enforcement is also ramping up. In early 2025, Washington became the first state to take action under its new My Health My Data Act, filing a lawsuit against Amazon for allegedly mishandling health-related data.
And marketers can't count on ad platforms for cover. In January 2025, Meta implemented new restrictions on healthcare data within its ad platform, shifting liability back to healthcare organizations. If you misuse data, even unintentionally, it’s your organization that's on the hook.
How is this impacting healthcare marketers today?
Healthcare marketers who aren't able to perform audience targeting see significantly higher acquisition costs across their campaigns. Heartland Dental, for example, saw an 8x increase in CAC after removing pixels from their website and stopping audience targeting. When marketers can't focus campaigns on the most relevant users, they’re forced to rely on broad, untargeted campaigns that waste spend on irrelevant audiences.
To make matters worse, campaigns that are performing poorly can't be optimized. Retargeting and exclusion tactics can violate HIPAA, and incomplete measurement makes it difficult to understand which campaigns are working and which aren't.
On a recent webinar, DJ Willard, Senior Director of Strategic Marketing at Priority Health, described how, after removing pixels and pausing audience targeting, his team had no way of knowing if their marketing was effective.
“We moved swiftly in response to what we were seeing in the changing regulatory environment. Without an understanding of how our media campaigns were performing, we were flying blind.”
In the long run, inefficient campaigns and stagnant performance have residual effects for marketing teams. Departments across the organization begin to see marketing as a cost center as opposed to a revenue driver, with recent research showing that healthcare marketing budgets shrank from 9.6% of total revenue in 2023 to 7.2% in 2024.
A better way: Privacy-safe targeting that actually works
To deliver results and regain internal trust, marketing needs to get back to targeting the right audience with the right message without putting PHI at risk.
That’s why Freshpaint is building Audiences, a new segmentation solution that gives healthcare marketers a way to build and activate privacy-safe audiences across platforms like Meta, Google Ads, and StackAdapt.

With Audiences, you can:
- Build high-performing segments based on real patient behavior without sharing PHI
- Use compliant retargeting, lookalike, and exclusion tactics that pass legal review
- Upload and activate your own data to create tailored, privacy-respectful audience lists
If you're ready to see how it works, register for our upcoming webinar. We'll walk through a live demo and show you how to get started.
