The Targeting Problem in Payer Marketing (And How to Fix It Without Violating HIPAA)
Say your organization is launching a new Medicare Advantage plan in a new service area. You've been tracking the timeline for months, but now it's crunch time. Your job is to generate demand, hit enrollment targets, and make sure every dollar of your campaign spend is pulling its weight.
Budgets are tight. Timelines are tighter. Expectations? Still sky-high.
In most industries, this would be straightforward: run campaigns that reach people who are actually likely to enroll. People turning 65. People recently eligible for Medicaid. People who've engaged with your site or called your call center but haven't converted yet.
That kind of targeting is table stakes in other industries. In healthcare, it feels out of reach.
HIPAA, and an increasingly aggressive patchwork of state laws, make it incredibly difficult for payer marketers to collect, use, and share data for advertising purposes. Especially when it comes to platforms like Google and Meta.
Freshpaint's recent research found that just over 49% of healthcare marketers have stopped targeting altogether because of HIPAA. That means nearly half of healthcare organizations are running blind – launching campaigns and hoping they reach the right audience by chance.
But the organizations that do find a way to target their campaigns are seeing the payoff. Audience targeting typically delivers a 20–50% lift in conversion rates, with some healthcare marketers reporting up to 2x higher click-through rates.
That gap, between what you want to do and what you can do, is where most payer marketers get stuck. You know the audience you want to reach. You just don't have a compliant way to reach them.
To understand why, it helps to get specific about what audience targeting actually means, and what's standing in the way.

What is audience targeting?
Audience targeting is the practice of using data to identify, segment, and deliver personalized messages to specific groups of people based on their behaviors, demographics, or characteristics. It helps marketers reach the most relevant audiences for each campaign instead of broadcasting a one-size-fits-all message to everyone.
Here are a few common forms of targeting:
- Audience segmentation: Creating groups based on geography, eligibility, engagement, or claims history. For example, you might segment by Medicare-eligible individuals in a specific ZIP code who've visited your website during AEP.
- Lookalike targeting: Sharing an audience segment with a platform like Meta or Google Ads, which uses its own data to find similar users who match your audience profile.
- Exclusions: Removing people from a campaign to reduce waste – such as excluding current members from an acquisition campaign, or removing prospects who have already completed enrollment.
- Retargeting: Reaching people who previously interacted with your website or content, like those who started, but didn't finish, an enrollment application.
In most industries, these are baseline tactics. For payer marketers, they're incredibly hard to do without crossing compliance lines.
Why is audience targeting so difficult for healthcare marketers?
Effective audience targeting depends on data. To run a campaign aimed at, say, people in your region who haven't seen a primary care provider in the last year and recently visited your website, you need access to behavioral and demographic signals.
But in healthcare, HIPAA classifies much of that data as protected health information (PHI). Which means it can't be shared with third-party platforms like Google or Meta unless they’re willing to sign a Business Associate Agreement (BAA). And unfortunately, most major ad platforms won't sign a BAA.
Without a BAA in place, healthcare marketers are blocked from using member data to build or activate audiences, whether it's through client-side pixels or server-side integrations.

But the risk goes far beyond HIPAA. The broader regulatory and legal environment around patient data has grown more aggressive, and more expensive.
The FTC has stepped in alongside HHS, signaling that regulators are taking a broader view of what constitutes a privacy violation. In 2023, the FTC fined BetterHelp and GoodRx for sharing sensitive health information with advertisers, citing deceptive practices under longstanding consumer protection laws.
Meanwhile, class action lawsuits have surged. Plaintiff attorneys are using older laws, like wiretapping laws, the Electronic Communications Privacy Act, and the Stored Communications Act, to go after healthcare organizations that use tracking technologies like the Meta Pixel. In Vita v. Blue Cross & Blue Shield of Mass., Inc., for example, the organization was accused of embedding tracking code on its member website and patient portal, which allegedly allowed third parties like Google and Facebook to intercept private health information without patient consent.
State-level enforcement is also ramping up. In early 2025, Washington became the first state to take action under its new My Health My Data Act, filing a lawsuit against Amazon for allegedly mishandling health-related data.
And marketers can't count on ad platforms for cover. In January 2025, Meta implemented new restrictions on healthcare data within its ad platform, shifting liability back to healthcare organizations. If you misuse data, even unintentionally, it's your organization that's on the hook.
How is this impacting healthcare marketers today?
Healthcare marketers who aren't able to perform audience targeting see significantly higher acquisition costs across their campaigns. Heartland Dental, for example, saw an 8x increase in CAC after removing pixels from their website and stopping audience targeting. When marketers can't focus campaigns on the most relevant users, they’re forced to rely on broad, untargeted campaigns that waste spend on irrelevant audiences.
To make matters worse, campaigns that are performing poorly can't be optimized. Retargeting and exclusion tactics can violate HIPAA, and incomplete measurement makes it difficult to understand which campaigns are working and which aren't.
On a recent webinar, DJ Willard, Senior Director of Strategic Marketing at Priority Health, described how, after removing pixels and pausing audience targeting, his team had no way of knowing if their marketing was effective.
“We moved swiftly in response to what we were seeing in the changing regulatory environment. Without an understanding of how our media campaigns were performing, we were flying blind.”
In the long run, inefficient campaigns and stagnant performance have residual effects for marketing teams. Departments across the organization begin to see marketing as a cost center as opposed to a revenue driver, with recent research showing that healthcare marketing budgets shrank from 9.6% of total revenue in 2023 to 7.2% in 2024.
A better way: Privacy-safe targeting that actually works
To deliver results and regain internal trust, marketing needs to get back to targeting the right audience with the right message without putting PHI at risk.
That's why Freshpaint is building Audiences, a new segmentation solution that gives healthcare marketers a way to build and activate privacy-safe audiences across platforms like Meta, Google Ads, and StackAdapt.

With Audiences, you can:
- Build high-performing segments based on real member behavior without sharing PHI
- Use compliant retargeting, lookalike, and exclusion tactics that pass legal review
- Upload and activate your own data to create tailored, privacy-respectful audience lists
If you're ready to see how it works, register for our upcoming webinar. We'll walk through a live demo and show you how to get started.
