How To Make Facebook Ads HIPAA Compliant and Still Get Conversion Tracking
Facebook Ads is presenting a huge challenge for healthcare providers.
Meta isn’t HIPAA-compliant. They don't sign BAAs, and the Meta Pixel acts like a giant personal user data vacuum sending PHI to Meta servers. Healthcare providers that have been using Facebook tracking are being sued by patients and have been hit with growing fines.
If you followed the Facebook (or other general) documentation to set up your ads and conversion tracking using the Meta Pixel, remove the Pixel now. We're past the inflection point for this issue now–there is enough evidence and support out there that if you continue to use Facebook's standard setup, you stand the chance of getting sued by users/patients and fined by the government.
But this doesn't mean wrecking your entire growth program. Suppose you want to continue to have ad click attribution or use a conversion-optimized bidding strategy in Facebook. In that case, you need better control over what you send to Facebook to stay HIPAA-compliant.
Let's look at how this problem arises, a few example scenarios that can get you into trouble, and how you can better control your data for HIPAA compliance and better conversion tracking.
The Meta problem
One of Facebook's strongest value propositions is its ability to create campaigns that help advertisers maximize conversions. Advertisers can leverage Facebook's algorithm to optimize towards driving more clicks that are more likely to convert. Facebook is good at doing this, so good in fact that it helps drive a $100B annual ad business.
Let's think about how this would play out in a healthcare context. To maximize conversions, you send a successful action (say a new member sign-up) back to Facebook. Based on those new member sign-ups, Facebook will use its treasure trove of data to find more users to click on the ad that are more likely to convert.
But some fundamental things make this a no-go for healthcare providers concerned with HIPAA compliance:
- To maximize conversions, Facebook needs to know the identities of the users who clicked on the ad and converted (who became new members in the example above). Facebook uses all the data points they have about the people behind those initial successful conversions to build a larger audience of users with similar traits. It's all very "black box," and it's hard to know what intersection points Facebook uses from campaign to campaign. The key thing to understand here is that the user's personal identifier is required to make this feedback loop work. That by itself isn't so much of an issue. But when combined with the next set of data, healthcare providers are at risk.
- When a Facebook user clicks an ad and lands on a healthcare provider's website, the Meta Pixel loads and captures as much data as possible. Most importantly, this can include URL names of pages visited, and actions taken – all of which could be potential examples of health information. If the Meta Pixel can see that a visitor navigated to a page on diabetes treatment, is that considered health information? Yes, it certainly is.
These problems come down to the fact that you can't control the information sent to Facebook using the Pixel. The Pixel thinks it's at a smorgasbord, eating all the personal user data it can (we wrote more about how tracking technology actually works here).
And if you're a healthcare provider, the two types of data that make up PHI you're concerned about Facebook having access to are:
- Personal Identifiers. This is any data that can reveal the actual identity of an individual. Facebook doesn't consider things like an IP address as PII, but HIPAA does, along with 17 other identifiers. The Meta Pixel captures IP addresses, device IDs, and even identifiers entered on form and submission pages.
- Health Information. This is the medical information about the user. Something as simple as visiting a find a doctor page or viewing a treatment page with a URL containing fibrolamellar carcinoma would be considered health information. The Meta Pixel captures the page names and actions across the site.
Any ad clicks originating from Facebook means Meta has the user's identity. And since the Pixel is capturing pages that user visits that potentially contain health information, sharing that data back to Facebook are a HIPAA violation. The most important thing to understand here is that PHI = Personal Identifiers AND Health Information. The violation happens when you share that combined dataset with a non-compliant destination like Facebook.
And if you're sitting there saying, "Well, I don't even use health information in Facebook campaigns," it doesn't matter. What matters is that the Facebook Pixel you loaded collects that data, and Meta is certainly using it.
In case you're thinking of a wait-and-see approach, none of this is speculation. An investigation by The Markup found that PHI was being sent to Facebook servers by multiple major healthcare providers. That set off a series of events that has led to class action lawsuits, updates in the HIPAA guidelines, and ultimately FTC fines as high as $7.8M.
There is a way forward, though. You can continue to use Facebook ads in a healthcare setting WITH maximize conversions as a bidding strategy. To do so, you need to:
- Cut off Facebook’s all you can eat approach to data by removing the Pixel
- Block all health information from being shared with Facebook
Let’s see how you do that.
How to make Facebook Ads HIPAA-compliant
By using the Pixel, your users’ data is going from website -> Facebook directly. We need to remove the Pixel and use a platform like Freshpaint as a layer of data governance to severely limit the data that is sent to Facebook.
This website -> Freshpaint -> Facebook path means you can take advantage of Freshpaint’s HIPAA compliance:
- BAA For Full Protection. Freshpaint signs a BAA and is purpose-built to collect, store, and manage sensitive data across your tech stack (Facebook does not sign BAAs).
- Safe by Default. Freshpaint’s default state is to never send ANY data to non-compliant tools (Facebook’s snippet sends all data by default vs. Freshpaint sends no data by default).
- Server-Side Implementation. Freshpaint is only implemented server-side to give you control over your data (Facebook’s Pixel is installed client-side on a provider’s website, giving facebook the ability to intercept identifiers, health information, and whatever data it wants).
- Forced Allowlists. By default, no data is sent to Facebook Ads. Instead, you choose the data and events you want to continue to send, eliminating the risk of accidentally sending PHI.
So what is the minimum dataset needed in order to use Facebook’s maximize conversions performance goal?
Ad Click Attribution
Facebook has an ad click ID that attributes that a user clicked on a specific ad. Capturing that data point in Freshpaint and sending it back to Facebook helps you understand how to attribute visits. Which campaigns did they come from?
Since you’re trying to maximize conversions, you have a desired business goal. Earlier in this article, we discussed “new member sign-ups” as an example. Freshpaint can capture that successful conversion and share it back to Facebook. Since that conversion action also contains the ad click ID, Facebook can now attribute the original Facebook ad clicks with the business goal. Facebook knows that an ad click resulted in your business goal.
Maximizing New Conversions
That last piece revolves around “how do I find more users likely to click and convert?” This performance model relies on Facebook knowing who clicked and converted. Send Facebook a certain number of weekly conversions (many say 50, although I’ve seen this perform on much less), and Facebook will use its data to find the best possible audience. We’ve determined that an email or IP address is the best identifier.
If this part gives you pause and you’re asking, “isn’t sharing email or IP address with Facebook a HIPAA violation,” let me remind you what PHI is in the first place. Earlier, we talked about Personal Identifier AND Health Information = PHI. Facebook needs identifiers to make the maximize conversion part of their product work. Facebook does NOT need any health information.
By removing the Pixel and using Freshpaint instead, advertisers can limit the data shared with Facebook to only the three things below.
Freshpaint’s approach allows you to continue leveraging your conversion tracking with Facebook Ads in a HIPAA-compliant way.
How to use Freshpaint to make Facebook Ads HIPAA-compliant
Here’s how you can set that up in Freshpaint. We’re going to need our Pixel ID from our events manager dashboard:
We’ll also need to generate an access token in the same dashboard:
We’ll add these to our Freshpaint Facebook Conversions API integration.
You then set the conversion events to share with Facebook. In HIPAA-mode, no data is sent by default. You must instead add the Facebook data you want to send to an enforced allowlist. For each event (the conversion action) we recommend sending the fbclid to handle the click attribution and the user email or IP address to handle the maximize conversions performance goal.
Finally, you need to add a Transformation to map your event to the standard Purchase or Lead event in Facebook. Facebook conversion tracking is set up to track a bunch of standard events, but you can map any event to this field and add a specific revenue amount if needed. Just be sure in naming conversion events that you don't share any health information with Facebook in the event name.
When you create your campaign in Facebook, you’ll want to choose “maximize number of conversions” as your performance goal and choose the event you’re mapping to like “lead” for the new member sign up example.
That’s it. Conversion tracking is ready to go!
You still need to be careful about how you use this information. Having Freshpaint in the loop doesn’t mitigate your role in making sure you are using patients, users, or visitors’ data responsibly. What it does do is make it so you can use this data in conversion tracking to improve your Facebook Ads.
If you want to learn more, we wrote a free guide to making your ad platforms and Google Analytics HIPAA-compliant.