Healthcare Advertising on Facebook (HIPAA + Meta Policies)

Pix-Vu Team | 4 min read

Quick Answer

Healthcare advertisers on Facebook must navigate HIPAA (which strictly prohibits sharing Protected Health Information without authorisation), the FTC Health Breach Notification Rule, state privacy laws and Meta's own health and wellness policies (which ban targeting based on health conditions, restrict personal attributes and prohibit before-and-after images). The biggest practical risk is the Meta Pixel inadvertently transmitting PHI to Meta — which has triggered hundreds of HIPAA settlements since 2022.

What the rule actually says

HIPAA (45 CFR Parts 160 and 164), enforced by the HHS Office for Civil Rights (OCR), prohibits covered entities and their business associates from disclosing PHI without authorisation or another permitted basis. The OCR's December 2022 bulletin (reaffirmed in 2024) made clear that sending PHI to Meta via the Pixel is an unlawful disclosure, regardless of whether the user is logged into Facebook.

Key rules:

  • Meta is not a HIPAA business associate and will not sign a Business Associate Agreement.
  • Any PHI transmitted to Meta is a HIPAA violation requiring breach notification under 45 CFR 164.404.
  • The FTC Health Breach Notification Rule applies to non-HIPAA health apps (the FTC fined GoodRx USD 1.5 million in 2023).
  • Meta's health and wellness policy bans targeting based on personal attributes inferring a health condition.
  • Meta prohibits before-and-after images suggesting unrealistic results.
  • State laws (Washington's My Health My Data Act 2023, Connecticut Data Privacy Act, Nevada SB 370) layer additional consent rules on top.

What is allowed and what is banned

Allowed: general healthcare branding ads, ads for services that do not reveal a condition (e.g. 'Find a primary care doctor near you'), educational content, and health and wellness ads that comply with Meta's policies.

Banned: firing the Pixel on any page that captures a condition, treatment or appointment type; targeting users based on inferred health conditions; before-and-after images; misleading health claims; and ads for prescription drugs without case-by-case Meta approval.

Step-by-step compliance setup

  1. Audit every page where the Pixel fires and disable it on any page that captures appointment, condition, medication or treatment data.
  2. Replace the Pixel with the Conversions API server-side, sending only de-identified, hashed events that contain no PHI.
  3. Apply Meta's Limited Data Use flag for all healthcare traffic.
  4. Use generic, condition-neutral landing pages for all Facebook ad clicks.
  5. Avoid any UTM parameters or URL fragments that reveal the user's condition.
  6. Apply for Meta's Restricted Categories review for any health, fitness or pharmaceutical product.
  7. Update your Notice of Privacy Practices to disclose any tracking technologies.
  8. Document a HIPAA risk analysis covering all marketing technologies.
  9. Train marketing and IT staff on the OCR bulletin and Meta's health ad policy.
  10. Document a breach response plan with the 60-day OCR notification rule.
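As an added illustration of steps 1 to 5 above (this is example code, not Pix-Vu's or Meta's own tooling), the Python below does two things: it audits constructed browser Pixel events for URLs, UTM parameters, fragments, event names and custom parameters that would reveal a condition, treatment or appointment type, and it builds a Conversions API event that carries only a hashed email matching key plus the Limited Data Use flag, refusing to build the event if the audit flags it. The term lists, the sample events, the `clinic.example` host and all helper names are assumptions; the payload field names (`user_data.em`, `data_processing_options`, `data_processing_options_country`, `data_processing_options_state`) follow Meta's Conversions API, and SHA-256 of the trimmed, lowercased email is the normalisation Meta requires for that field. The audit only inspects what the steps tell you to look at; it does not by itself make an event de-identified, which is why the condition-neutral gate runs before any event is assembled.

```python
import hashlib
import re
from urllib.parse import urlparse, parse_qs

# Constructed term lists for the audit. Assumption: a real deployment extends
# them with the site's own service lines, appointment types and medication names.
SENSITIVE_TERMS = {
    "condition": ("oncology", "cancer", "hiv", "diabetes", "depression", "fertility", "addiction"),
    "treatment": ("chemo", "chemotherapy", "surgery", "prescription", "medication", "dialysis"),
    "appointment": ("appointment", "schedule", "book", "visit", "telehealth"),
}

# Parameter keys whose name alone reveals a condition, treatment or visit type (assumed list).
SENSITIVE_KEYS = {"condition", "diagnosis", "treatment", "medication", "drug",
                  "appointment_type", "specialty", "provider"}

_CAMEL = re.compile(r"(?<=[a-z0-9])(?=[A-Z])")
_TOKEN = re.compile(r"[a-z0-9]+")


def _terms_in(text: str) -> list[tuple[str, str]]:
    """Return (category, term) pairs for whole-word matches in text.

    Whole-token matching avoids false positives such as 'hiv' inside 'archive';
    CamelCase event names are split first so 'ScheduleVisit' yields 'schedule', 'visit'.
    """
    tokens = set(_TOKEN.findall(_CAMEL.sub(" ", text).lower()))
    return [(cat, term) for cat, terms in SENSITIVE_TERMS.items()
            for term in terms if term in tokens]


def audit_url(url: str) -> list[str]:
    """Flag path segments, query keys/values (UTMs included) and fragments that reveal health data."""
    findings = []
    parsed = urlparse(url)
    findings += [f"path reveals {cat}: '{term}'" for cat, term in _terms_in(parsed.path)]
    for key, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if key.lower() in SENSITIVE_KEYS:
            findings.append(f"query key '{key}' reveals health data")
        for value in values:
            findings += [f"query '{key}={value}' reveals {cat}: '{term}'"
                         for cat, term in _terms_in(value)]
    findings += [f"fragment reveals {cat}: '{term}'" for cat, term in _terms_in(parsed.fragment)]
    return findings


def audit_event(event: dict) -> list[str]:
    """Audit one browser Pixel event (constructed shape: url, event_name, params)."""
    findings = audit_url(event["url"])
    findings += [f"event name reveals {cat}: '{term}'" for cat, term in _terms_in(event["event_name"])]
    for key, value in event.get("params", {}).items():
        if key.lower() in SENSITIVE_KEYS:
            findings.append(f"param key '{key}' reveals health data")
        findings += [f"param '{key}={value}' reveals {cat}: '{term}'" for cat, term in _terms_in(str(value))]
    return findings


def is_condition_neutral(event_name: str, source_url: str) -> bool:
    """True when neither the event name nor the landing URL reveals health data."""
    return not audit_url(source_url) and not _terms_in(event_name)


def hash_identifier(value: str) -> str:
    """SHA-256 of the trimmed, lowercased value: Meta's required normalisation for user_data fields."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def build_capi_event(event_name: str, event_time: int, email: str, source_url: str) -> dict:
    """Build one server-side Conversions API event gated by the audit (step 2) with LDU set (step 3).

    Raises ValueError rather than producing an event whose name or URL reveals health data.
    """
    if not is_condition_neutral(event_name, source_url):
        raise ValueError("; ".join(audit_url(source_url) + [f"event name: {t}" for _, t in _terms_in(event_name)]))
    return {
        "event_name": event_name,
        "event_time": event_time,
        "action_source": "website",
        "event_source_url": source_url,
        "user_data": {"em": [hash_identifier(email)]},
        # Limited Data Use flag; country/state 0 asks Meta to geolocate the user.
        "data_processing_options": ["LDU"],
        "data_processing_options_country": 0,
        "data_processing_options_state": 0,
    }


# Constructed sample Pixel events: one clean, two that leak condition/appointment data.
SAMPLE_PIXEL_EVENTS = [
    {"url": "https://clinic.example/find-a-doctor?utm_campaign=brand-awareness", "event_name": "PageView", "params": {}},
    {"url": "https://clinic.example/oncology/book?appointment_type=chemo#schedule", "event_name": "ScheduleVisit",
     "params": {"specialty": "oncology"}},
    {"url": "https://clinic.example/locations", "event_name": "Lead", "params": {"content_name": "depression screening"}},
]


def audit_all(events: list[dict]) -> dict[str, list[str]]:
    """Map each event URL to its findings; an empty list means the Pixel may keep firing there."""
    return {e["url"]: audit_event(e) for e in events}


if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_PIXEL_EVENTS).items():
        print(url, "->", "OK" if not findings else findings)
    print(build_capi_event("Lead", 1700000000, " Jane@Example.com ", "https://clinic.example/find-a-doctor"))
```

Run the audit against an export of every page path and Pixel event your tag manager fires (step 1); any URL with a non-empty finding list is a page where the Pixel must be disabled and the landing page made condition-neutral (step 4), and the same check gates what the server sends through the Conversions API.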

Frequently asked questions

Will Meta sign a BAA?
No. Meta is not a HIPAA business associate and will not sign a BAA. That makes any PHI transmission a HIPAA breach.

Can I retarget healthcare website visitors?
Only if the data sent to Meta does not constitute PHI — which means the URL, event name, and parameters cannot reveal a condition.

Is the Conversions API safer than the Pixel?
It can be, because it lets you control exactly what data is sent server-side. But you still must not send PHI.

What is the maximum HIPAA fine?
Up to USD 2.067 million per violation category per year (2025 inflation-adjusted), plus criminal penalties for wilful violations.

Does Washington's My Health My Data Act apply to Facebook?
Yes. It requires opt-in consent for processing consumer health data and covers the Meta Pixel on health-related pages.

Real fine examples

  • BetterHelp — USD 7.8 million (FTC, 2023) for sharing mental health data with Meta and other advertisers.
  • GoodRx — USD 1.5 million (FTC, 2023) for sharing prescription data with Meta.
  • Cerebral — USD 7 million (FTC, 2024) for sharing mental health data via Pixel.
  • Monument and Tempest — USD 2.5 million (FTC, 2024) for sharing alcohol-use disorder data.
  • Hospital chain (multi-defendant settlement) — USD 65 million (class action, 2024) over Meta Pixel PHI leak.

How Pix-Vu helps

Healthcare marketing teams use Pix-Vu to design and review Facebook creatives for hospitals, clinics, telehealth and pharma brands without ever firing the Pixel — keeping internal QA out of HIPAA scope and giving compliance teams clean documentation. https://pix-vu.com.
