Is Google Ads HIPAA-Compliant?

As a healthcare marketing agency, we get a lot of questions about whether or not certain tools are HIPAA-compliant. That’s why we at Hedy & Hopp decided to create a blog series that dives into common marketing tools and software to determine whether or not they pose a HIPAA concern.

What Is Google Ads?

Google Ads is a pay-per-click (PPC) advertising platform that allows businesses to display their ads on Google’s search engine results pages (SERP) and other Google properties, such as YouTube and Gmail. When someone searches for a keyword that is relevant to your business, your ad may appear at the top of the search engine results page. You only pay when someone clicks on your ad, so you can control your advertising budget. Google Ads offers a variety of ad formats, including text ads, display ads, video ads, and shopping ads. You can also target your ads to specific demographics, interests, and even locations.

Healthcare marketers can use Google Ads to reach the following audiences:

  • Patients who are searching for information about specific health conditions. These patients are likely to be in the early stages of their research, so they are open to learning about new products and services.
  • Doctors and other healthcare professionals who are looking for new products or services. These professionals are often looking for ways to improve the care they provide to their patients, so they are a valuable target audience for healthcare marketers.
  • Patients who are considering making a purchase or making an appointment. These patients are already in the decision-making process, so they are a key audience to market to.

Pro Tip:

Google has specific advertising policies that apply to some healthcare products and services, including pharmaceuticals, speculative and experimental medicine, clinical trial recruitment, health insurance, and addiction services. In order to advertise pharmaceutical products or addiction services, a LegitScript certification is required. In order to advertise health insurance, a G2 certification is required.

What Data Does Google Ads Collect?

Google Ads collects a variety of data about its users, including:

  • Device information: This includes your device’s IP address, operating system, and browser type.
  • Search history: This includes the keywords you’ve searched for and the websites you’ve visited.
  • Ad interactions: This includes whether you’ve clicked on an ad, how long you’ve viewed an ad, and whether you’ve taken any other action after seeing an ad.
  • Location data: This includes your approximate location based on your IP address.
  • Session data: This includes your web browsing history.

Additionally, Google Ads can collect personal information, including names, email addresses, phone numbers, and location data when using Enhanced Conversions and Customer Audience Data Imports.

Is Google Ads HIPAA-Compliant?

According to the updated guidance from the Department of Health and Human Services, there isn’t a clear yes/no answer. However, knowing that Google Ads will not sign a Business Associate Agreement (BAA), we think using Google Ads, specifically when using conversion tags, does pose a risk.

Furthermore, some tactics available in Google Ads, though not unique to that platform, are never HIPAA-compliant, such as remarketing and lookalike audiences. It is also important to consider other tools that have access to your Google Ads data, including optimization and data visualization software.

Risk Mitigation

As with anything HIPAA-related, compliance tends to lie on a spectrum that depends on your risk tolerance and on the steps you take to mitigate as much risk as possible. Some risks can be mitigated in Google Ads by taking advantage of options to enhance data privacy. These options include using server-side tagging; never using audience imports, remarketing audiences, or enhanced measurement; and not tagging pages that could potentially pass PII/PHI in URL parameters.

Pro Tip:

It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Not sure how to get started?

Hedy & Hopp has already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. Give us a call – we’d love to help!



About the Author

The Hedy & Hopp digital production team is the glue that keeps all activation work running. From auditing websites and tagging, to content strategy and CRM implementation, our digital production unicorns ensure the tiniest detail is reviewed and accurate before it gets to our clients. Their determination in finding solutions for any challenge makes this team marketing happy.
