Posted on February 3, 2025

Meta’s New Data Restrictions for Healthcare: What We Know So Far

For healthcare marketers, change isn’t just inevitable—it’s relentless. Just when you’ve figured out a strategy to adapt to the latest shift, HHS, lawsuits, or Meta step in to rewrite the rules.

The most recent example of this comes from Meta. Meta is introducing new data-sharing restrictions for regulated industries, including healthcare, starting in 2025. These changes could significantly impact how businesses use tools like Meta’s Pixel, their CAPI (Conversions API), and their App Events API to optimize campaigns.

Unfortunately, Meta has been extremely vague about what these restrictions mean for healthcare organizations. To help, we’ve been working closely with Meta insiders and leading healthcare brands to navigate these changes and to continue effectively using Facebook.

This article breaks down why these changes are happening, what we know so far, and how you can adapt if your organization has been hit with a data restriction.

One caveat before we dive in: Meta hasn’t officially confirmed anything you’ll read here. These are our learnings from talking with dozens of healthcare organizations and Meta insiders over the past few weeks. We’re still working to get official confirmation on all of it. Sign up for our newsletter, the Freshpaint 5, to stay up to date on our latest learnings. 

Why Is Meta Making These Changes?

Meta’s new data-sharing restrictions are less about innovation and more about self-preservation. Here’s what’s driving the shift:

  • Lawsuits: Meta has been named in several lawsuits over its data collection practices in healthcare, particularly for mishandling sensitive health information. These challenges have put the social media giant under intense scrutiny, prompting the need to reduce liability.
  • Regulatory Complexity: With a growing number of state-level privacy laws, Meta faces the challenge of complying with a patchwork of regulations. Rather than addressing each state’s requirements individually, Meta is adopting universal compliance measures to simplify its approach.
  • Public Sentiment: Increasing awareness and concern around data privacy, especially in healthcare, have further pressured Meta to act. High-profile breaches and growing distrust in how companies handle sensitive data have made it clear that protecting user privacy is no longer optional—it’s essential for maintaining trust and credibility.

These drivers make it clear: Meta’s focus isn’t on eliminating healthcare advertising but on minimizing its own risk in an increasingly complex and privacy-conscious landscape.

What Do We Know About These Changes (So Far)?

Meta is categorizing healthcare organizations into broad groups, such as Health & Wellness, with subcategories like Provider or Patient Portal. Your category determines how heavy-handed the data restrictions will be for your organization.

It's worth noting that there is no software or tool that can change your classification. While you can appeal through Meta’s process, it is a basic and automated system that does not allow you to submit supporting evidence. To date, we have not heard of any organization successfully overturning their classification through an appeal.

Here's what else we know:

  • Patient Portal organizations are those that share data originating from an authenticated (logged-in) portal. They face the strictest restrictions.
  • Condition-specific websites (e.g., a website focused solely on anxiety treatment) are being more restricted than general healthcare system websites.
  • E-commerce healthcare businesses may face additional restrictions if they send post-purchase data back to Meta.
  • Bottom-of-funnel standard events like ‘Schedule’ or ‘Find Location’ may face stricter controls or be blocked entirely.

These restrictions will mostly affect standard lower-funnel events like “Schedule” or “Find Location,” and could impact data shared through Meta’s Pixel, Conversions API (CAPI), or App Events API. As a result, healthcare marketers may face limitations in how effectively they can optimize their campaigns.

What Types of Events Are Being Restricted?

As mentioned above, standard lower-funnel events are restricted for many healthcare organizations advertising on Meta's platforms.

But notice our wording above: “standard lower-funnel events.” The use of the word “standard” is intentional, because custom events still remain available to many healthcare organizations, with a few caveats:

  • Custom events must be registered. According to the documentation Meta shared on this, custom events will automatically be blocked until you, as the advertiser, review and confirm them. In other words, the responsibility is on the advertiser to approve custom events.
  • Custom events cannot mirror a standard event. So, you can’t just create a custom event that is exactly the same as a standard “Find Location” event.
  • Custom events will not be available to organizations faced with full restrictions.

The final point about custom events is crucial: Meta is shifting the compliance burden onto advertisers. Meta said this to one large healthcare organization: “While Meta’s systems are designed to help ensure prohibited information is not shared via these custom events, you are responsible for the data you share and your compliance with our terms.”

In simpler terms, Meta is providing the tools but putting the onus on advertisers to ensure the data they send is compliant. This means advertisers must take extra precautions when using custom events, ensuring no sensitive information (like PHI) is shared. 

And while it’s not clear which standard events are restricted, we know that these standard events will not be restricted:

  • Donate
  • Search
  • View Content
  • Page View
  • App Install

Lastly, if an event is restricted, your ads won’t be shut off overnight. You’ll receive notifications from Meta about which ad sets are affected, and delivery and effectiveness will decline over time. That said, “over time” is ambiguous, and data moves quickly on Meta, so a restriction could have an impact on your ad metrics very quickly.

How Leading Healthcare Brands Are Staying Ahead of Meta’s Restrictions

From our conversations over the past few weeks, it’s clear there is a lot of ambiguity about these changes and who is affected. We know that not all healthcare organizations are equally affected; even two companies that seem very similar are being impacted differently.

Some leading healthcare brands have shared that Meta has indicated they’re not impacted by the restrictions due to their adoption of privacy-first strategies. These organizations are successfully navigating the changes by taking these steps:

  • Remove Meta’s Pixel: Remove Meta’s Pixel from your site and replace it with a BAA-supported tracker like Freshpaint to ensure compliance (if you're one of our customers, you're already covered).
  • Block PHI from being shared with Meta: Remember, Meta is putting the onus on the advertiser to comply with their terms. Tools like Freshpaint that prevent sensitive health information from being shared with Meta will be crucial.
  • Use neutral custom event names: This may be the most important step of all. Since, as we mentioned earlier, custom events are still okay, renaming conversion events to remove specific intent (e.g., replacing “appointment_booked” with a generic label like “event_T4B9”) is a crucial step.

If you've already heard from Meta and they're indicating that your data sharing is likely to be restricted, here's what you should do today:

  • Create custom events that limit data sharing: Ensure your custom events only reference the FBCLID (Facebook Click Identifier) as the signal for conversions and avoid sending any additional context to Meta.
  • Use extra caution in custom event naming: Be deliberate about event names to ensure they don't imply sensitive intent (e.g., avoid names like "appointment_booked" or "screening_requested").
  • Plan for conversion optimization without patient portal data: If restrictions persist, develop a strategy to optimize campaign performance without relying on "Patient Portal" data, such as using landing page views as a signal.
  • Appeal your categorization: If you believe your website has been incorrectly categorized as a "Patient Portal," submit an appeal. Meta allows for appeals every 30 days.
  • Follow privacy-first best practices to stay ahead: This appears to be a "CYA" move for Meta, meaning advertisers who follow privacy-first best practices will be okay. However, since Meta hasn’t provided definitive guidance, it’s crucial to monitor enforcement closely.
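
One way to enforce the FBCLID-only and neutral-naming steps above on the server side, shown as an added example that is not Freshpaint's or Meta's code. The event map, the term lists, the FBCLID character check and the outgoing object shape are all assumptions for illustration, not Meta's API schema.

```javascript
// Default-deny minimizer for outbound ad-platform events (illustrative).
// Every name and value below is constructed for this example.

// Internal event name -> neutral custom event name.
const NEUTRAL_NAMES = new Map([
  ["appointment_booked", "event_T4B9"],
  ["screening_requested", "event_K2M7"],
]);

// Standard events a custom event must not mirror, and terms that imply intent.
const STANDARD_EVENTS = ["schedule", "findlocation"];
const SENSITIVE_TERMS = ["appointment", "screening", "schedule", "location"];

const normalize = (name) => name.toLowerCase().replace(/[^a-z0-9]/g, "");

function isNeutralName(name) {
  const n = normalize(name);
  return !STANDARD_EVENTS.includes(n) && !SENSITIVE_TERMS.some((t) => n.includes(t));
}

// Take only the click identifier from the landing URL; all other query
// parameters (utm_term, search text, ...) are ignored.
function extractFbclid(landingUrl) {
  const value = new URL(landingUrl).searchParams.get("fbclid");
  // Assumed character set; anything else is treated as malformed and dropped.
  return value && /^[A-Za-z0-9_-]+$/.test(value) ? value : null;
}

// Returns the minimized event, or null when nothing should be sent.
function minimizeEvent(internal) {
  const neutral = NEUTRAL_NAMES.get(internal.name);
  if (!neutral || !isNeutralName(neutral)) return null; // unmapped or revealing
  const fbclid = extractFbclid(internal.landingUrl);
  if (!fbclid) return null; // no click identifier, so no conversion signal
  // Build a fresh object so no property of the internal event leaks through.
  return { event_name: neutral, event_time: internal.timestamp, fbclid };
}

// Constructed sample: an internal event carrying context that must not leave.
const SAMPLE = {
  name: "appointment_booked",
  timestamp: 1738540800,
  landingUrl: "https://clinic.example/book?fbclid=AbC123_x-9&utm_term=anxiety",
  properties: { condition: "anxiety", email: "pat@example.com" },
};
console.log(minimizeEvent(SAMPLE));
```

Events without an entry in the map are dropped rather than forwarded under their internal name, so a newly added tracking call cannot reach the ad platform until someone assigns it a neutral name.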

By taking these proactive steps, some advertisers are maintaining the ability to optimize campaigns effectively, even under Meta’s evolving guidelines, but it still remains to be seen exactly how it will play out moving forward.

Navigating the Path Forward

Meta’s new data-sharing restrictions signal yet another shift in the ever-changing landscape of healthcare marketing. While these changes introduce uncertainty, they also present an opportunity for healthcare marketers to double down on privacy-first strategies that not only ensure compliance but also sustain campaign performance.

Still unsure how these changes impact you? Book a meeting with an expert to explore the best path forward and keep your marketing both compliant and effective. And sign up for the Freshpaint 5 to receive the latest insights on Meta’s restrictions and privacy-first marketing strategies straight to your inbox.

Mark Rogers
Director of Content Marketing