
Is Meta HIPAA-Compliant?

As a healthcare marketing agency, we get a lot of questions about whether or not certain tools are HIPAA-compliant. That’s why we at Hedy & Hopp decided to create a blog series that looks at common marketing tools and software one at a time to determine whether or not they pose a HIPAA concern.

Is Meta (Facebook, Instagram & WhatsApp) Advertising HIPAA-Compliant?

What Is Meta?

Meta, the parent company of Facebook, Instagram, and WhatsApp, is a leading force in social media. Its platforms are used by billions of people around the world, making them a valuable tool for marketing in nearly all industries, including healthcare.

While Meta offers several services for businesses including business pages, groups, and other options to expand organic reach, this article will focus on the advertising side of Meta.

Meta’s advertising platforms offer a variety of features that make them well-suited for marketing, including:

  • Targeted advertising: Meta’s advertising platform allows businesses to target their ads to specific demographics, interests, and behaviors. This ensures that businesses reach the right people with their marketing messages.
  • Engaging content: Meta’s platforms are designed to be engaging, with features like video, images, and live streaming. This makes them a great way to connect with customers and build relationships.
  • Data-driven insights: Meta provides businesses with data-driven insights that can help them track the performance of their marketing campaigns and optimize their strategies.

As a result of these factors, Meta’s platforms are a popular choice for marketing in a wide range of industries, including healthcare. Healthcare businesses can use Meta’s platforms to reach a large audience, or a more refined, targeted audience.

This type of advertising, outbound marketing, is often used in conjunction with search ads, a form of inbound marketing on Bing or Google, whose compliance we have covered in previous posts.


Pro Tip:

Meta does have specific guidelines for advertising in healthcare. Most notably, companies promoting pharmaceuticals and addiction services must be verified through LegitScript in order to advertise on Meta’s platforms.

What Data Does Meta Collect?

Of all of the platforms you may be using, it’s possible that Meta is the one collecting the most information about your users. This is largely because the people who see your ads are already registered users of Meta’s platforms, meaning that Meta has an extensive profile on each of them even before they see your ad. The data Meta collects includes:

  • Information about users from their profiles: everything the user has added or posted, their activity on social media platforms, their friends, likes, groups, and browsing history on sites that have a Meta Pixel installed.
  • Device information: This includes your device’s IP address, operating system, and browser type.
  • Ad interactions: This includes whether you’ve clicked on an ad, how long you’ve viewed an ad, and whether you’ve taken any other action after seeing an ad.
  • Location data: This includes your approximate location based on your IP address.

More data can be collected if you have a Meta Pixel installed on the site your ads drive traffic to. The pixel links events and conversions on your website to specific ads, and to specific user profiles. Some of that data can also be passed along in the click-through URL itself, which means it ends up shared with your analytics platform, such as Google Analytics.

Is Meta Advertising HIPAA-Compliant?

After the updated guidance from the Department of Health and Human Services was released, two notable companies faced scrutiny from the FTC, both of which were using Facebook marketing tactics. BetterHelp and GoodRx both settled for large sums after these allegations surfaced. The scariest part? They were using Facebook and Instagram ads in very common use cases. And while compliance isn’t really a black & white concept, from our perspective, Meta is a very risky platform that should be among the first platforms marketers evaluate.

There are also some tactics available in Meta Advertising that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing and lookalike audiences. It is also important to consider other tools that have access to your Meta data, including optimization and data visualization software.

Risk Mitigation

Some risks can be mitigated in Meta ads by taking advantage of options to enhance data privacy. These options include never using remarketing audiences and forgoing the Meta Pixel. This could disrupt how you’re currently evaluating marketing effectiveness, so if Meta is a platform you must keep to grow your business, there are ways to still leverage this channel with limited data-sharing risk.
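The two mechanisms described above, the Meta Pixel linking on-site events to user profiles and the click-through URL carrying ad data into analytics, are the two things a marketing and compliance team can actually check for. The following script is an added example, not code from Hedy & Hopp or from Meta. It assumes only two publicly documented facts: the Meta Pixel base snippet loads `fbevents.js` from `connect.facebook.net` and calls `fbq('init', '<pixel id>')` (with a `facebook.com/tr?id=...` image fallback), and Meta appends an `fbclid` click identifier to ad click-through URLs. The HTML, the pixel id and the landing URL are constructed placeholders. The first function audits a page for a pixel install and the events it reports; the second strips the click identifier before a URL is forwarded to an analytics platform, so the ad click cannot be joined to what the visitor does on a patient-facing site.

```python
"""Added example (not from the original post): defender-side checks for the
Meta Pixel and for click identifiers in landing-page URLs."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Markers of the Meta Pixel base snippet (publicly documented install code).
PIXEL_SCRIPT_HOST = "connect.facebook.net"
PIXEL_INIT_RE = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")
PIXEL_TRACK_RE = re.compile(r"""fbq\(\s*['"]track(?:Custom)?['"]\s*,\s*['"]([^'"]+)['"]""")
PIXEL_NOSCRIPT_RE = re.compile(r"""facebook\.com/tr\?[^"']*\bid=(\d+)""")

# Query parameters that identify a specific ad click; fbclid is Meta's.
CLICK_ID_PARAMS = frozenset({"fbclid"})

# Constructed sample landing page: a typical pixel install plus a form that
# fires a "Lead" event on submit. The pixel id is a placeholder, not a real one.
SAMPLE_HTML_WITH_PIXEL = """<html><head>
<script>
!function(f,b,e,v,n,t,s){/* pixel loader, abbreviated */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body>
<form onsubmit="fbq('track', 'Lead');"><input name="phone"></form>
</body></html>"""


def audit_page_for_meta_pixel(html: str) -> dict:
    """Report whether the Meta Pixel is installed on a page, which pixel ids it
    initialises, and which events it reports back to Meta."""
    ids = []
    for match in list(PIXEL_INIT_RE.finditer(html)) + list(PIXEL_NOSCRIPT_RE.finditer(html)):
        if match.group(1) not in ids:
            ids.append(match.group(1))
    events = []
    for match in PIXEL_TRACK_RE.finditer(html):
        if match.group(1) not in events:
            events.append(match.group(1))
    present = PIXEL_SCRIPT_HOST in html or bool(ids)
    return {"pixel_present": present, "pixel_ids": ids, "tracked_events": events}


def strip_click_identifiers(url: str, extra_params=()) -> str:
    """Return the URL with fbclid (and any caller-supplied parameter names)
    removed, keeping every other query parameter in its original order."""
    parts = urlsplit(url)
    drop = CLICK_ID_PARAMS | {p.lower() for p in extra_params}
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in drop]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    report = audit_page_for_meta_pixel(SAMPLE_HTML_WITH_PIXEL)
    print("pixel present:", report["pixel_present"])
    print("pixel ids:", report["pixel_ids"])
    print("events sent to Meta:", report["tracked_events"])
    # Constructed click-through URL with Meta's click id attached.
    landing = "https://clinic.example/appointments?fbclid=IwAR0abc123&svc=cardiology"
    print("forward to analytics as:", strip_click_identifiers(landing))
```

Run the audit over the rendered HTML of every page your ads land on, not just the homepage; a pixel firing a `Lead` or similar event on an appointment or intake form is exactly the on-site conversion data the post warns about being tied to a user profile.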

As with anything HIPAA-related, compliance tends to lie on a spectrum determined by your risk tolerance and by the steps you take to mitigate as much risk as possible.

Pro Tip:

It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Not sure how to get started?

Hedy & Hopp has already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. Give us a call – we’d love to help!



About the Author

Paid search, paid display, paid social, paid sponsorships - you name it, Hedy & Hopp’s paid media team is ready to take it on. Driven by maximizing your budget and your cost per acquisition, this team’s marketing happy is finding new and exciting ways to deliver your message to engage the right people. They work closely with our analytics team to understand how your marketing campaigns are performing and find new ways to make them even better.
