As a healthcare organization, reaching out to the community is important. There are various ways to do this, from running traditional advertisements in newspapers, on the radio, and on billboards to paying for online ads. However, if you are running ads on Facebook or another online platform, you must take steps to ensure that you comply with HIPAA.
Unlike traditional advertisements such as billboards, ads on Facebook allow the company to collect data about the users who view them. This data, potentially including protected information, is then transmitted to Facebook. Turning off or restricting Facebook’s data-gathering tool (Meta Pixel) can help your organization avoid the risk of a HIPAA violation.
At Inclind, we are proud to have dedicated services specifically for healthcare websites. We have in-depth knowledge of the various requirements associated with healthcare organizations’ use of technology, which we put to work for our clients. Reach out today to learn more about our award-winning website design and development services.
What Is HIPAA?
HIPAA - or the Health Insurance Portability and Accountability Act - is a 1996 law that addressed many aspects of our healthcare system. In particular, HIPAA protects patients’ private medical information. If a healthcare organization is a “covered entity” under HIPAA, then it must take steps to maintain and protect what is known as protected health information (PHI).
Covered entities include health insurance companies, third parties that process PHI, and most healthcare providers (including doctors, therapists, and physical therapists). PHI includes a wide range of information, including your billing information, medical records, and even conversations that healthcare professionals have between themselves about your care.
Covered entities - like doctors’ offices - must take steps to ensure that PHI isn’t improperly used or disclosed. For example, a hospital system should put safeguards in place to ensure that employees can’t snoop into celebrities’ medical records or look at records if they have no reason to access them. Any covered entity should also have agreements in place with third parties to ensure that any PHI that they may access through contracted work is not used or disclosed improperly.
Healthcare organizations should take steps to protect PHI for obvious reasons: because privacy is important to patients. However, there are also significant consequences for HIPAA violations. Depending on the nature and scope of the violation, the penalty could include prison time and fines that range from $50,000 to $250,000.
Are Facebook Ads HIPAA Compliant?
Facebook ads - purchased through parent company Meta - are not HIPAA compliant, for the same reason that other types of web services (like Google Analytics) are not compliant. To understand why Facebook ads are not HIPAA compliant, it is important to understand how this service works.
Meta allows companies to run targeted ad campaigns. For example, you may run an ad campaign for your medical practice that is targeted to women of childbearing age living in a certain geographic area. The problem comes in when users click on or otherwise engage with these ads. At this point, Facebook can collect data that may be considered PHI about these users.
The Department of Health and Human Services (HHS) specifically prohibits covered entities from using tracking technologies that would result in the improper disclosure of PHI to the technology company. In this context, PHI can include a person’s IP address, geographic location, email address, and name. While Meta might not consider this information to be personally identifying, HIPAA certainly does - which means that there is a huge disconnect between what the law requires and what Meta scrapes when gathering data.
When a Facebook user clicks on an ad, a tool known as the Meta Pixel captures as much data about them as possible. This can include things like:
- Information about the user’s device, web browser, operating system, and web session
- Their IP address
- The URL from which they reached the site
- Their page views
- Any button clicks that they made
Meta Pixel can also gather information about what pages the user navigated to on a website - such as performing a search for heart disease treatment. The Meta Pixel may even capture information that a user inputs into the site, such as a name and email address entered onto a form.
The HIPAA violation occurs in this situation because PHI - combined with personally identifying information (PII), like IP address - is transmitted back to Facebook/Meta through the Meta Pixel. Facebook is not a covered entity, and will not sign agreements with healthcare providers about the use and disclosure of information. In other words, if you are a covered entity, it is YOUR responsibility to ensure that no PHI is captured by Meta when you run ads on its site.
Making Facebook Ads HIPAA Compliant
Fortunately, there is a way to make Facebook ads HIPAA compliant. Running ads on social media sites is an important tool for healthcare organizations, given that many people spend a lot of time on sites like Facebook and Instagram.
The best option for making Facebook ads HIPAA compliant is to turn off Meta Pixel. This will reduce the functionality of targeted ad campaigns - but it will also ensure that you don’t run afoul of HIPAA.
To disable the Pixel, you will need to go to your website’s administrative dashboard. Under tracking and analytics, click the toggle to disable Meta Pixel. When you do that, Facebook can no longer track user activity once users click through to your website.
Alternatively, you can limit the scope of Meta Pixel through Facebook’s ads manager. For example, you can set it up so that the Pixel only gathers information from specific ad campaigns - such as a page for a charity walk that a hospital is hosting. In this way, you are only giving Meta Pixel access to the parts of your website that will not violate HIPAA when it gathers data. Keep in mind that this approach should be undertaken carefully, as it requires some expertise to avoid HIPAA violations.
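One way to check the result of either approach above, as an added example that is not part of the original article: the script scans saved page HTML for the markers of the standard Meta Pixel base code and reports every page that carries them outside an allow-list. The allow-list, the page paths, and the sample HTML are constructed assumptions.

```python
import re
from fnmatch import fnmatch

# Markers of the standard Meta Pixel base code: the loader script,
# the fbq() call, and the <noscript> image beacon.
PIXEL_MARKERS = {
    "loader": re.compile(r"connect\.facebook\.net/[^\"'\s]*/fbevents\.js", re.I),
    "fbq_call": re.compile(r"\bfbq\s*\(", re.I),
    "noscript_beacon": re.compile(r"facebook\.com/tr\?", re.I),
}

# Assumption: the only paths where the organization permits the Pixel.
ALLOWED_PATHS = ("/events/charity-walk*",)

def find_pixel_markers(html):
    """Return the sorted names of the Pixel markers present in one page."""
    return sorted(name for name, rx in PIXEL_MARKERS.items() if rx.search(html))

def audit_pages(pages, allowed_paths=ALLOWED_PATHS):
    """pages maps URL path -> HTML. Return (path, markers) for each page
    that carries the Pixel but is not on the allow-list."""
    findings = []
    for path, html in sorted(pages.items()):
        markers = find_pixel_markers(html)
        allowed = any(fnmatch(path, pattern) for pattern in allowed_paths)
        if markers and not allowed:
            findings.append((path, markers))
    return findings

# Constructed sample pages; PIXEL_ID_PLACEHOLDER stands in for a real ID.
SAMPLE_PAGES = {
    "/events/charity-walk": (
        "<script src='https://connect.facebook.net/en_US/fbevents.js'></script>"
        "<script>fbq('init', 'PIXEL_ID_PLACEHOLDER'); fbq('track', 'PageView');</script>"
    ),
    "/conditions/heart-disease": (
        "<script>fbq('track', 'PageView');</script>"
        "<noscript><img height='1' width='1' "
        "src='https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView'/></noscript>"
    ),
    "/contact": "<form><input name='email'></form>",
}

if __name__ == "__main__":
    for path, markers in audit_pages(SAMPLE_PAGES):
        print(f"Pixel found outside allow-list: {path} ({', '.join(markers)})")
```

A static scan like this does not see a Pixel injected at runtime by a tag manager, so it complements rather than replaces a review of the network requests a browser makes on each page.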
Managing digital ad campaigns and tracking technology as a healthcare organization can be challenging. An experienced website design and development team can work with you to help you find the best ways to gain valuable insights about activity on your website and the success of ad campaigns without breaking federal law.
Improve Your Healthcare Website With Inclind
Having an online presence as a healthcare organization in 2023 is more or less required. Unfortunately, it is also a minefield as the standard tools used on websites can lead to an inadvertent HIPAA violation. Using other types of technology - like Facebook ads - can also be a HIPAA violation.
At Inclind, we work with healthcare organizations to make websites that are efficient, effective, accessible, and compliant. We understand the unique needs of healthcare entities, including the necessity of being secure and maintaining patient privacy. Our website design and development team will use their knowledge of the industry and technology tools to help you build a website that is functional and compliant. We can also help you make updates to your existing site to maintain compliance with our website support and maintenance services.
If you're interested in knowing more about our web design, development, and support services, we are always here to chat with you. You can fill out our online contact form or hit the live chat button to speak to one of our experts about your healthcare website.