HIPAA-compliant advertising for cosmetic surgery clinics.
Federal law, not a marketing preference. Elytra Partners was architected from day one to keep protected health information off advertising platforms.
Your pixel is sending patient data to Meta. Right now. Automatically.
A standard Meta Pixel installed on a cosmetic surgery website fires on every page view. It captures the URL the visitor landed on, the URL parameters in the address bar, the visitor’s IP address, their cookie identifiers, and, when a form is submitted, the contents of unhashed form fields if they are present in the DOM at submission time.
On a /rhinoplasty page, the URL itself communicates a medical inquiry. Combined with the IP address Meta already has indexed against a real human identity, the transmission becomes individually identifiable health information, PHI under 45 C.F.R. § 160.103. The clinic is the covered entity. The clinic bears the liability. The platform does not.
The HHS Office for Civil Rights issued formal guidance in December 2022 and revised it in March 2024 stating exactly this: tracking technologies on regulated webpages that transmit identifiable user activity to third parties constitute a disclosure of PHI requiring HIPAA compliance.[6][7] Settlements followed.
PHI is broader than medical records. Much broader.
Protected health information, as defined under HIPAA, is any individually identifiable information that relates to a person’s past, present, or future physical or mental health, the provision of healthcare to them, or payment for that healthcare.[7] It does not require the existence of a medical record. It does not require a diagnosis. It does not require that a treatment relationship has begun.
An IP address combined with the inference that the visitor is researching a specific cosmetic procedure is PHI. A name and email submitted through a consultation form is PHI. The procedure interest itself is PHI. Transmission to a third party without a Business Associate Agreement is a disclosure, whether or not a breach occurs, whether or not anyone is harmed, whether or not the transmission was intentional. Intent is not part of the test.
IP address + the inference that the visitor is researching a specific medical procedure is, under HHS/OCR guidance, individually identifiable health information.
An identifier (name/email) combined with the act of requesting a clinical consultation creates a covered relationship under HIPAA from the moment of submission.
Procedure interest is health information. Transmitted alongside any identifier, or even an IP, it is PHI.
Properly aggregated and de-identified counts (no per-row data, no identifiers, k-anonymity respected) are outside HIPAA's scope and safe to share with advertising platforms or vendors.
Any pixel that fires on a procedure-specific page captures the URL, and the URL itself is then a PHI payload, regardless of which platform receives it.
Until the visitor takes a clinically identifying action (viewing a procedure-specific page, submitting a form, accessing a portal), the visit alone is not PHI.
Five components. Each one closes a specific transmission path.
Compliance is not a single switch. It is an architecture: five components that together prevent any identifiable patient data from reaching Meta, Google, or any other advertising endpoint while preserving full campaign measurement.
A private server (sGTM) sitting between the clinic's website and every advertising platform.
All tracking data routes through infrastructure you control before any of it reaches Meta, Google, TikTok, or any other endpoint.
At the server layer, PHI can be identified, redacted, or blocked entirely before it leaves the clinic's perimeter. Browser-side pixels cannot do this; they ship raw data to the platform first and ask questions later.
Hosted on the clinic's own cloud subdomain (e.g. metrics.clinic.com) so cookies remain first-party and survive Safari ITP and iOS privacy restrictions.
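The redaction step that server layer performs, as an added example written here (not Elytra's sGTM container code): an incoming browser event is reduced to the event name, a coarse page bucket, campaign attribution parameters and an hour-granularity timestamp before anything is forwarded. The event names, query keys, generic paths and the `/procedure` bucket are assumptions for illustration.

```javascript
// Added example, not Elytra's sGTM code: the redaction a server-side tag layer
// applies to a browser event before anything is forwarded to an ad platform.
// Field names and the allow-lists are assumptions for illustration.

const ALLOWED_EVENTS = new Set(['page_view', 'consultation_booked']);
const ALLOWED_QUERY_KEYS = new Set(['utm_source', 'utm_medium', 'utm_campaign']);
// Pages that carry no procedure interest on their own (assumed site layout).
const GENERIC_PATHS = new Set(['/', '/about', '/contact', '/thank-you']);
// Last-resort check: if a direct identifier survives redaction, block the event.
const IDENTIFIER_PATTERNS = [/[^\s@]+@[^\s@]+\.[^\s@]+/, /\+?\d[\d\s().-]{8,}\d/];

// Collapse a procedure-specific path such as /rhinoplasty into a coarse bucket.
// Forwarding the procedure name would re-transmit the health inference itself,
// so only "generic page" vs "procedure page" survives.
function generalizePath(path) {
  const clean = path.replace(/\/+$/, '') || '/';
  return GENERIC_PATHS.has(clean) ? clean : '/procedure';
}

// Keep campaign-attribution parameters only; names, emails, procedure
// interest, click IDs and anything unrecognised are dropped.
function filterQuery(search) {
  const out = {};
  for (const [key, value] of new URLSearchParams(search)) {
    if (ALLOWED_QUERY_KEYS.has(key)) out[key] = value;
  }
  return out;
}

function containsIdentifier(strings) {
  return strings.some((s) => IDENTIFIER_PATTERNS.some((re) => re.test(s)));
}

// Returns the event to forward to the platform, or null when it must be blocked.
// raw.page_location is the absolute page URL the browser reported.
function scrubEvent(raw) {
  if (!ALLOWED_EVENTS.has(raw.event_name)) return null;
  const url = new URL(raw.page_location);
  const forwarded = {
    event_name: raw.event_name,
    page_path: generalizePath(url.pathname),
    campaign: filterQuery(url.search),
    // Hour granularity so the timestamp cannot act as a quasi-identifier.
    event_time: Math.floor(raw.event_time / 3600) * 3600,
    // Deliberately absent: ip, user_agent, cookies, user_data, form fields.
  };
  const strings = [forwarded.page_path, ...Object.values(forwarded.campaign)];
  return containsIdentifier(strings) ? null : forwarded;
}
```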
We sign a BAA. Meta and Google do not. That asymmetry is the entire point.
A Business Associate Agreement is a federally-required contract between a HIPAA-covered entity and any vendor that creates, receives, maintains, or transmits PHI on the covered entity’s behalf. Without a BAA, that vendor relationship is not lawful under HIPAA.[7]
Elytra Partners signs a BAA with every clinic partner before any patient-adjacent data, analytics access, or CRM integration changes hands. The BAA is part of the standard engagement, not an add-on, not a premium tier, not optional.
Meta and Google’s public position, restated in their own documentation, is that they do not sign BAAs and do not want PHI on their advertising platforms.[8] That is precisely why the architecture in section 04 exists: PHI never reaches them. The compliance work happens at our infrastructure layer, where a BAA does apply, before any outbound transmission occurs.
Eight checks. Five business days. One written remediation roadmap.
The pixel audit is how every engagement begins. The deliverable is a written report (specific tags, specific URLs, specific exposure paths, and a prioritized fix list) that the practice owns regardless of whether the engagement continues beyond the audit.
HIPAA is the legal layer. Platform policy is the operational one.
Meta’s policies for cosmetic surgery and weight-loss advertising change frequently and without notice. The most common violations: before/after imagery in ad creative, body-shaming language, prohibited procedure categories (BBL, labiaplasty), and branded pharmaceutical terms without certification. A single policy flag can pause a campaign mid-month and, in repeat cases, suspend the entire ad account.
We maintain at least two compliant creative variants in active rotation on every campaign so a single flag does not kill the week. We monitor Meta and Google policy updates weekly and adjust client campaigns ahead of enforcement, not after. Each procedure category sits at a different risk tier; the campaign is built accordingly.
- Injectables (Botox, Dysport)
- Dermal fillers
- Laser resurfacing
- Chemical peels
- Microneedling
- CoolSculpting
- Hydrafacial
Standard compliant rotation. Creative reviewed against the current Meta health-and-wellness clause and the FTC's endorsement guides. Conversion campaigns run on consultation-booked events, not raw lead forms.
Compliance is a state you maintain, not a project you complete.
- Monthly: Pixel verification
Confirm sGTM is functioning, no browser-side PHI transmission has crept back in via a new vendor or plugin, and CAPI events are firing with the expected EMQ.
- Weekly: Platform policy monitoring
Track Meta and Google healthcare-advertising policy changes. Pre-emptively update creative and targeting before enforcement triggers.
- Per change: Website change review
Any update to forms, tracking, page structure, or the consent management platform triggers a compliance recheck before the change goes live.
- Annual: Full re-audit
The complete eight-point audit from section 06, repeated every twelve months and included in the engagement at no additional cost.
- Ad hoc: Client communication
Proactive outreach when a policy change requires creative, targeting, or landing-page adjustments, in plain language, with a specific recommended action.
- Quarterly: Vendor stack review
New tools the practice has added (chat widgets, booking platforms, review tools, CRMs) are evaluated for independent PHI transmission before they affect the compliance posture.
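The monthly pixel verification and the quarterly vendor stack review both come down to the same question: is anything leaving the browser for a third party that did not pass through the server container? The following is an added example (not Elytra's audit tooling) that runs that check over a captured list of outbound tracking requests and flags identifiers, procedure interest, and direct third-party beacons. The collector subdomain, the procedure paths and the sample capture are constructed for illustration.

```javascript
// Added example, not Elytra's audit tooling: the "no browser-side PHI
// transmission has crept back in" check, run over captured outbound tracking
// requests. Host names, paths and the sample capture are constructed.

const FIRST_PARTY_COLLECTOR = 'metrics.clinic.example'; // assumed sGTM subdomain
const PROCEDURE_PATHS = ['/rhinoplasty', '/facelift', '/liposuction']; // assumed
const IDENTIFIER_RE = /[^\s@&=]+@[^\s@&=]+\.[^\s@&=]+|\+?\d[\d\s().-]{8,}\d/;

// Every string reachable from a request: its path, each query value, and any
// URL nested inside a value (pixels send the page URL as the `dl` parameter).
function extractStrings(url) {
  const out = [url.pathname];
  for (const value of url.searchParams.values()) {
    out.push(value);
    try { out.push(...extractStrings(new URL(value))); } catch (e) { /* not a URL */ }
  }
  return out;
}

// Returns a list of findings for one request; empty means nothing to report.
function auditRequest(rawUrl) {
  const url = new URL(rawUrl);
  if (url.hostname === FIRST_PARTY_COLLECTOR) return []; // redacted server-side
  const strings = extractStrings(url);
  const findings = [];
  if (strings.some((s) => IDENTIFIER_RE.test(s))) {
    findings.push({ host: url.hostname, issue: 'identifier_in_request' });
  }
  if (strings.some((s) => PROCEDURE_PATHS.some((p) => s.startsWith(p)))) {
    findings.push({ host: url.hostname, issue: 'procedure_interest_in_request' });
  }
  // Any other third-party beacon still bypasses the server layer and needs review.
  if (findings.length === 0) {
    findings.push({ host: url.hostname, issue: 'third_party_direct_from_browser' });
  }
  return findings;
}

function auditRequests(rawUrls) {
  return rawUrls.flatMap(auditRequest);
}

// Constructed sample capture, as exported from a browser's network panel.
const SAMPLE_REQUESTS = [
  'https://metrics.clinic.example/g/collect?en=page_view&dl=https%3A%2F%2Fclinic.example%2Frhinoplasty',
  'https://www.facebook.com/tr/?id=000&ev=PageView&dl=https%3A%2F%2Fclinic.example%2Frhinoplasty',
  'https://www.google-analytics.com/g/collect?v=2&dl=https%3A%2F%2Fclinic.example%2Fthank-you%3Femail%3Djane%40example.com',
  'https://chat.vendor.example/beacon?page=%2Fabout',
];
```

Running `auditRequests(SAMPLE_REQUESTS)` on the constructed capture reports the direct Meta hit carrying procedure interest, the GA hit carrying an email address, and the chat widget beacon, while the first-party collector request passes.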
You don’t trade performance for compliance. You get both.
Campaigns run with the same effectiveness as a non-compliant setup and, in most accounts we have migrated, with measurably better signal quality. Server-side CAPI typically lifts Meta's Event Match Quality from the 4–6 range a browser pixel produces to the 8–10 range, which directly improves bidding accuracy.
Patient data never touches Meta or Google in a form that could be identified or reused. The practice’s patients do not appear in lookalike audiences built from medical inquiries. Their identities do not become advertising primitives.
The practice is insulated from the class of enforcement actions and class actions that have cost peer healthcare organizations between $1.5M and $7.8M each since 2023.
If a regulator or plaintiff ever examines the practice’s advertising setup, the architecture is documented, defensible, and pre-prepared for audit.
The questions you should be asking your current agency.
01
Our current agency says we're already compliant, how do we know?
Ask three specific questions. One: is server-side Google Tag Manager installed and running on a clinic-controlled subdomain? Two: what is the current Event Match Quality score in your Meta Events Manager? A CAPI-driven setup typically scores 8–10; a browser-pixel setup scores 4–6. Three: what happens to form-field data on the confirmation page? Does the URL contain the patient's name, email, or procedure interest? If the agency cannot answer those three questions with specifics, the setup is not compliant in the sense that matters for HIPAA.
02
Can't we just use Meta's built-in privacy tools?
Meta provides some controls (the Limited Data Use flag, restricted data processing, the Health & Wellness category opt-out), and they reduce exposure. They do not eliminate PHI transmission at the level a healthcare advertiser needs, and Meta does not sign a Business Associate Agreement. Meta's own documentation states that advertisers are responsible for not transmitting health data via the pixel. Server-side architecture is the only setup that prevents PHI from reaching Meta in the first place.
03
We've been running ads for years without any issues, does this really matter?
Enforcement accelerated sharply after the December 2022 OCR bulletin on tracking technologies and HHS's 2024 update. The fact that no enforcement action has hit your practice yet is a function of investigative bandwidth, not evidence of compliance. The FTC and OCR have limited resources; the plaintiffs' bar handling class actions does not. The wave of pixel litigation that started with Advocate Aurora in 2022 is still expanding into 2026.
04
What if we're not running Meta ads, does this still apply?
Yes. Google Tag, Google Analytics 4, Microsoft Clarity, TikTok Pixel, LinkedIn Insight Tag, Pinterest Tag, and most chat and booking widgets transmit user data to third parties on roughly the same legal footing. The architecture we install applies to whichever platforms the practice uses; the underlying mechanism (PHI exiting the browser to an advertising endpoint) is the same.
05
Is this a one-time fix or ongoing?
Ongoing. Website updates, platform policy changes, new tags added by other vendors, iOS and browser privacy updates, and the practice's own marketing experiments all create opportunities for compliance gaps to reopen. Monthly pixel verification and an annual full audit are how the architecture stays intact over time.
06
Do we need a lawyer involved?
We are not lawyers and nothing on this page is legal advice. The compliance architecture we implement addresses the technical mechanism of PHI transmission via advertising tracking. For legal review of the practice's overall HIPAA compliance program, BAA portfolio, risk analysis, and breach-notification procedures, a healthcare attorney should be involved. We refer clients to healthcare-law specialists who work with medical practices when that scope is needed.
07
Will the compliant setup hurt our ad performance?
No, and in most clinic accounts we have migrated, it improves it. Server-side CAPI lifts Event Match Quality, which directly improves Meta's bidding accuracy. The data Meta needs for optimization (the fact that a conversion happened, attributed to a campaign) is unchanged; what changes is that the patient's raw PHI no longer travels with it.
A note on scope. Honest about what this is, and what it isn’t.
Elytra Partners is a digital advertising agency. It is not a HIPAA compliance consultancy and it is not a law firm. The compliance architecture described on this page addresses the technical mechanism of PHI transmission through advertising tracking; it is not a full HIPAA compliance program.
A complete HIPAA program also includes workforce training, physical-safeguard policies, breach-notification procedures, a documented risk analysis, and an executed BAA portfolio across every vendor that touches PHI. Those are the work of a dedicated healthcare compliance officer or a healthcare-law specialist. We refer clients to specialists for anything outside the advertising-and-analytics scope.
The BAA we sign covers our specific role as the practice’s advertising partner. It does not cover the practice’s broader HIPAA obligations to its patients, its employees, its EHR vendor, or any other third party.
A HIPAA Pixel Audit. Five business days.
A written report that maps exactly what is leaking from the practice's current setup, where it's going, and what it takes to fix. Specific tags, specific URLs, specific remediation steps. The practice owns the report regardless of what happens next.
No obligation beyond the audit itself
To request one, email support@clinicads.com with the practice URL.
- [1] Novant Health pixel-disclosure class settlement, U.S. District Court for the Middle District of North Carolina (final approval 2024). $6.6M; 1.36M patients notified. See HHS OCR "Use of Online Tracking Technologies by HIPAA Covered Entities" bulletin (Dec 2022, updated Mar 2024) for the underlying regulatory frame.
- [2] FTC v. Cerebral, Inc., Proposed Stipulated Order (Apr 2024). $7.0M monetary judgment, permanent restrictions on use of consumer health data for advertising. FTC press release: "FTC Action Leads to Ban on Cerebral's Use or Disclosure of Sensitive Consumer Data for Most Advertising Purposes."
- [3] FTC v. BetterHelp, Inc., Final Order (Jul 2023). $7.8M in consumer refunds; first FTC enforcement to require consumer redress for unauthorized health-data disclosure to advertising platforms.
- [4] FTC v. GoodRx Holdings, Inc., No. 3:23-cv-00460 (N.D. Cal. Feb 2023). First enforcement action under the FTC Health Breach Notification Rule. $1.5M civil penalty; permanent ban on disclosing user health information for advertising.
- [5] The Markup, "Facebook Is Receiving Sensitive Medical Information from Hospital Websites" (Jun 2022). Subsequent breach notifications and class filings: Advocate Aurora (3.0M patients), Community Health Network, WakeMed, Novant, and others through 2024–2026. See also HHS OCR enforcement priorities released May 2024 reaffirming online tracking as a focus area.
- [6] HHS Office for Civil Rights, "Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates," bulletin originally issued Dec 1, 2022; revised Mar 18, 2024. Defines transmission of authenticated-user activity and certain unauthenticated-user activity on regulated webpages as a disclosure of PHI requiring HIPAA compliance.
- [7] 45 C.F.R. § 160.103, definitions of "individually identifiable health information" and "protected health information." 45 C.F.R. § 164.502, uses and disclosures of PHI.
- [8] Meta Business Help Center, "Sending Customer Information from Your Website," Meta's own guidance prohibiting the transmission of health-related data via the pixel and placing responsibility for compliance on the advertiser.
This page is informational. It is not legal advice. For legal review of a HIPAA compliance program, consult a healthcare attorney. Last updated: May 2026.
See also our broader compliance overview covering Meta ad policy, patient content releases, and substantiation of campaign claims.