Retargeting Patients Visiting a Medical Spa Website

Common question: Is it legal to retarget clients and patients visiting our medical spa website?

Retargeting potential clients or patients who visit a medical spa website, or the website of any medical or dental practice, is generally not legal under US law without explicit patient authorization, primarily because of the Health Insurance Portability and Accountability Act (HIPAA). Major advertising platforms such as Google and Meta also have policies that prohibit this type of advertising for healthcare services.

Legal and Platform Policy Restrictions

  • HIPAA Compliance: Medical spas are considered healthcare providers and are subject to HIPAA. Patient data collected on a website, even an IP address or the specific pages visited (e.g., a page about a specific condition or treatment), can be considered Protected Health Information (PHI) if it can be tied back to an individual. Using this information for marketing purposes (retargeting) without a patient’s specific, written consent is a violation of the HIPAA Privacy Rule.
  • Advertising Platform Policies: Google and Meta (Facebook/Instagram) have strict policies against using website visitor data to retarget individuals with ads for sensitive health topics, medical conditions, or treatments. These platforms typically do not sign Business Associate Agreements (BAAs), which are required under HIPAA for third parties handling PHI, making any exchange of patient data non-compliant.
  • State Laws: Other privacy laws like the California Consumer Privacy Act (CCPA) also have specific regulations regarding consumer data, though HIPAA-covered information often has different stipulations. State medical boards may also have specific rules on medical advertising. 

These resources clarify the legal risks and advertising policy violations associated with retargeting website visitors for healthcare services:

Due to the risk of severe financial penalties (fines can reach millions) and the high scrutiny from regulators (like the FTC and OCR), many expert healthcare marketers recommend either avoiding retargeting entirely on major ad platforms or using only privacy-safe technologies that remove all PHI before disclosure.

Are Google and its tools (PPC ads, remarketing tags, Tag Manager, Google Analytics) HIPAA compliant?

No, using standard Google tools for retargeting clients or patients of a medical spa is not recommended because it’s not HIPAA compliant. HIPAA-covered entities cannot use services that track or share Protected Health Information (PHI), and Google’s retargeting tools involve sharing data that could identify patients, making them a violation of the law. You can, however, use compliant advertising strategies like broadly targeting demographics or using HIPAA-compliant advertising platforms, as long as you do not use PHI. 

Why standard retargeting is not compliant

  • PHI exposure: Retargeting ads use pixels and cookies that can track and log user data, including device IDs, IP addresses, or click IDs, which can be considered PHI.
  • Google’s policies: Google does not sign Business Associate Agreements (BAAs) with healthcare providers, and its policies prohibit using PHI for retargeting.
  • Sensitive data: Even with a BAA, retargeting sensitive health-related pages on your website would require explicit written consent from the user, which is difficult to obtain and manage in the retargeting context.
  • Enforcement: The U.S. Department of Health and Human Services (HHS) has issued guidance that data from non-authenticated (public) pages of a website can still be PHI, and that tracking technologies may not be used where the data they disclose is PHI.

Compliant alternatives

  • HIPAA-compliant marketing platforms: Use platforms that sign BAAs and are built to be HIPAA compliant.
  • Broad targeting: Instead of retargeting specific users, use broad demographic targeting to reach potential patients based on factors like age, location, and general interests, but not health conditions.
  • Content-based targeting: Target users based on the general category of content they viewed (e.g., “gut health” or “hormone balancing”) rather than specific patient data.
  • Exclusion lists: Remove your existing patients from remarketing lists to prevent them from seeing retargeting ads.
  • Opt-out options: Ensure users have a clear and easy way to opt out of retargeting and personalized ads through your website’s privacy policy and ad settings. 

Is it legal to retarget clients and patients visiting our medical spa website using Meta tools, apps, and platform in general?

No, it is not legal to retarget clients or patients using Meta tools because it violates HIPAA regulations and Meta’s own policies. The Meta Pixel and similar tools are not HIPAA compliant because they do not sign a Business Associate Agreement (BAA), which is required for handling protected health information (PHI). Sharing data from a medical spa website can be considered PHI, and Meta’s recent restrictions explicitly prohibit using website activity for ad targeting in the healthcare sector. 

Why retargeting is not allowed

  • HIPAA non-compliance: The Meta Pixel and other tracking tools are not HIPAA compliant, as they can collect and transmit PHI without the necessary Business Associate Agreement in place.
  • Inadvertent PHI disclosure: If a patient visits a page about a specific condition or service on your website, this information could be shared with Meta. Displaying targeted ads for that service on their social media could inadvertently reveal their health concerns to others.
  • Meta’s restrictions: Meta has specific restrictions for healthcare advertisers that prevent the use of website activity for retargeting and custom audiences. This includes prohibiting tracking on pages that handle health-related information and creating lookalike audiences from health data.
  • Risk of lawsuits: Numerous lawsuits have been filed against healthcare providers for using tracking pixels on their websites, highlighting the significant legal and regulatory risk. 

Compliant alternatives for marketing

  • Use broad, non-health-related targeting: Focus on general interests rather than health conditions. For example, target users interested in “wellness” or “beauty” instead of targeting people who visited a page about a specific procedure.
  • Run general awareness campaigns: Use Meta’s tools for broad campaigns to increase brand awareness instead of retargeting.
  • Focus on top-of-funnel metrics: Run campaigns optimized for top-of-funnel events like traffic or brand awareness, as Meta restricts optimization for mid- or lower-funnel events like form submissions in healthcare.
  • Ensure the public part of your website is compliant: If you have a patient portal or section requiring a login, use tracking only on the publicly accessible pages and ensure no third-party trackers are used in private sections. 
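As an added, defender-side check for the last point above (and the earlier advice to keep trackers off pages that handle health information), here is a small Python audit that parses page HTML and reports any Meta Pixel or Google tag found on pages marked as sensitive. This is example code, not from the original page and not a PatientGain tool; the vendor host patterns are the vendors' public script endpoints, and the sample pages and IDs are constructed placeholders.

```python
# Added example (not from the original page): offline audit that flags Meta
# Pixel / Google tags in page HTML so a practice can check that no third-party
# tracker loads on pages handling health information. Host patterns are the
# vendors' public script CDNs; sample pages and IDs below are placeholders.
import re
from html.parser import HTMLParser
TRACKER_SIGNATURES = [  # (label, regex) matched against script src or inline body
    ("Meta Pixel", re.compile(r"connect\.facebook\.net|\bfbq\s*\(")),
    ("Google Tag / gtag.js", re.compile(r"googletagmanager\.com|\bgtag\s*\(")),
    ("Google Analytics", re.compile(r"google-analytics\.com|\bga\s*\(")),
    ("Google Ads remarketing", re.compile(r"googleadservices\.com|doubleclick\.net")),
]

class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""
    def __init__(self):
        super().__init__()
        self.sources, self._in_script, self._buf = [], False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)
    def handle_data(self, data):
        if self._in_script:  # inline script body arrives here as raw text
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self.sources.append("".join(self._buf))
            self._buf = []

def find_trackers(html):
    """Return sorted labels of known trackers found in the page's scripts."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return sorted({lbl for s in p.sources for lbl, rx in TRACKER_SIGNATURES if rx.search(s)})

def audit_pages(pages):
    """pages: {url: (is_sensitive, html)} -> {url: [trackers]} for sensitive pages only."""
    found = {url: find_trackers(html) for url, (sens, html) in pages.items() if sens}
    return {url: hits for url, hits in found.items() if hits}

SAMPLE_PAGES = {  # constructed sample HTML, not real site content
    "/": (False, '<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>'),
    "/treatments/acne": (True, '<script>fbq("init", "PLACEHOLDER_PIXEL_ID");</script>'),
    "/portal/login": (True, "<form><input name='user'></form>"),
}
```

Run `audit_pages` over the HTML of every URL in your sitemap, marking portal, condition and treatment pages as sensitive; any non-empty result is a page where a tag must be removed before launch.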

Contact PatientGain to see if our solutions can still help you.