DDS Web Solutions

How to Run HIPAA-Compliant Facebook and Google Ads


Facebook and Google are powerful channels for acquiring new dental and medical patients. But if you are not careful with patient data, you can violate HIPAA and face serious penalties. Many healthcare providers unknowingly run non-compliant campaigns by using custom audiences built from patient lists, tracking pixels that reveal health information, or targeting based on health conditions. This guide explains exactly how to run ads on Facebook and Google while staying HIPAA-compliant.

HIPAA and Digital Advertising

HIPAA regulates the use of patient data. This includes patient information in your marketing. Specifically, you cannot use patient data to target ads, create lookalike audiences, or send data to ad platforms unless you have the proper safeguards in place.

The risk is real. If you upload a list of your patients to Facebook and create a lookalike audience (Facebook's feature to find people similar to your patients), you are exposing patient data to Facebook. If Facebook experiences a data breach, your patients' health information could be compromised. The HHS Office for Civil Rights (which enforces HIPAA) has issued guidance specifically warning healthcare providers against this practice.

You can still run very effective ads on Facebook and Google. You just need to do it safely. This means using generic audience targeting (interests, behaviors, demographics) instead of patient lists, and having careful controls around tracking pixels.

Pro tip

The safest approach: do NOT upload patient lists to any ad platform. Instead, target people based on interests (orthodontics, cosmetic dentistry, dental anxiety) and behaviors (people who have searched for these terms). This is just as effective but carries zero HIPAA risk.

What You Cannot Do

The following practices expose your practice to a HIPAA violation:

  • Upload patient lists to Facebook, Google, or any ad platform. Even if you "hash" or encrypt the data, you are transmitting patient information outside your control. Do not do it.
  • Create lookalike audiences from patient data. Facebook's "lookalike audience" feature is designed to find people similar to your best customers. But it requires uploading your customer list first. For healthcare, this is a violation.
  • Track patient behavior after they click your ads using unencrypted pixels. Facebook and Google pixels collect information about what users do on your website. If your patient booking confirmation page is tracked, Facebook knows a patient just booked. This is sensitive health data.
  • Retarget patients using unencrypted data. Once a patient is on your website, you can retarget them with ads. But the pixel must not reveal what they did or what health information they viewed.
  • Use patient testimonials or before-and-after photos without explicit written consent. This overlaps with both FTC advertising rules and HIPAA.

Safe Targeting Strategies

You can still run highly effective ads on Facebook and Google using audience targeting that does not involve patient data. Here is how:

Interest-based targeting: Target people interested in "dentistry," "cosmetic dentistry," "orthodontics," "dental anxiety," "teeth whitening," etc. Facebook and Google maintain lists of users based on pages they follow, searches they conduct, and content they engage with. This is not HIPAA-sensitive because you are not using patient data; you are using their general interests.

Behavioral targeting: Target people based on their online behavior, such as "people who searched for dental implants in the past 30 days" or "people who visited dental websites." Again, this is based on their behavior, not patient data.

Demographic targeting: Target by age, location, household income, education level. These are demographics, not health information.

Keyword targeting (Google Ads only): Show your ads when people search for keywords like "dentist near me," "teeth whitening," "dental implants," "pediatric dentist," etc. This is transparent and safe because the user has explicitly searched for these terms.

These strategies are more effective than you might think. A person searching for "orthodontist near me" is actively looking for your service right now. Interest and behavioral targeting can reach millions of people in your local area with affordable CPCs (cost per click).

Facebook Compliance Rules

Custom Audiences: Facebook offers a feature called "Custom Audiences" that lets you upload customer lists. Do not use this feature with patient data. Even though Facebook hashes the list before matching it, you are still transmitting patient information to a third party, which may violate HIPAA.

Lookalike Audiences: Facebook's "Lookalike Audience" feature finds users similar to your customers. Creating a lookalike from a patient list is a violation. Stick to interest-based and behavioral targeting.

Pixel Tracking: Facebook pixels collect data about user behavior on your website. This is generally compliant, but be careful about which pages you track. Do not track patient login pages, appointment confirmation pages, or pages that reveal health information. If a visitor books an appointment through your form, do not configure the pixel to send that confirmation event back to Facebook. Use aggregate conversion reporting that does not send specific health data back to Facebook.

Ad Copy and Targeting: Avoid targeting based on health conditions. Do not say "For people with dental anxiety" or "Orthodontic patients." Use neutral language like "For people interested in dental care" or "For people looking for an orthodontist."

Google Ads Compliance Rules

Customer Match (Google's equivalent to Facebook Custom Audiences): Google offers a feature called "Customer Match" that lets you upload customer email lists to target ads. Do not use this feature with patient data. Same risk as Facebook.

Remarketing Tags: Google uses remarketing tags (similar to Facebook pixels) to track users who have visited your site and show them ads later. This is compliant as long as you do not track sensitive health data. Use Google's "Event Snippets" to track general conversion events, not specific health information.

Search Keyword Targeting: Google Ads lets you bid on specific keywords. "Dentist near me," "teeth whitening cost," "emergency dental care," "orthodontics for adults" are all safe keywords. They show your ads to active searchers. Google automatically blocks many health-related keywords to prevent abuse, but you can still target general dental/medical practice keywords.

Location-Based Targeting: Target Google Ads to people in specific locations (cities, ZIP codes, even within a certain distance of your practice address). This is HIPAA-safe and incredibly effective for local practices.

Conversion Tracking and Pixels

You want to know if your ads are driving appointments. But you need to track conversions carefully to stay compliant.

Safe conversion events: "Form submission," "Call button click," "Add to cart" (for product sales), "Lead captured." These events show that someone took action, without revealing what the action was or what health information they viewed.

Unsafe conversion events: "Appointment confirmed for dental implant," "Patient viewed orthodontics page," "User searched for root canal treatment." These events reveal health information.

Best practice: Use aggregate conversion reporting. Instead of sending individual conversion data back to Facebook or Google (which reveals specifics), use their aggregate event measurement tools. Facebook's "Aggregated Event Measurement" and Google's "Event Snippets" allow you to track that a conversion happened without sending the details. This protects patient privacy while still giving you enough data to optimize your campaigns.
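The following JavaScript is an added example, not code from the original article, Facebook or Google. It shows one way to put the pixel rules above (and the Pixel Tracking and Remarketing Tags points earlier) into practice: a small guard that sits between your website and the pixel libraries so that only generic, allowlisted conversion events reach the platform, no event fires at all on sensitive pages, and every parameter not on a short allowlist is dropped before the call is made. The event names, path patterns and parameter allowlist are assumptions chosen for illustration; `fbq("track", ...)` and `gtag("event", ...)` are the platforms' standard call shapes.

```javascript
// Added example: a guard between the site and the ad pixels so only generic,
// allowlisted conversion events (with no health details) are sent.
// Event names, path patterns and the parameter list are assumptions chosen
// for this example, not a Facebook or Google specification.

// Generic events that say "someone took an action" without saying what it was.
const ALLOWED_EVENTS = new Set(["Lead", "Contact", "SubmitForm", "ClickToCall"]);

// Parameters that are safe to forward. Everything else (form fields, free
// text, page titles) is dropped before the event leaves the browser.
const ALLOWED_PARAMS = new Set(["value", "currency"]);

// Pages where firing a pixel at all would reveal that a visitor is a patient
// or what they are being seen for. Constructed patterns for this example.
const SENSITIVE_PATHS = [
  /^\/patient-portal(\/|$)/i,
  /^\/login(\/|$)/i,
  /\/appointment-confirm/i,
  /\/treatments\//i, // e.g. /treatments/dental-implants names a service or condition
];

function isSensitivePath(pathname) {
  return SENSITIVE_PATHS.some((re) => re.test(pathname));
}

// Decide what, if anything, may be sent. Returns { send: false, reason } or
// { send: true, event, params } with the params already scrubbed.
function filterConversion(eventName, params, pathname) {
  if (isSensitivePath(pathname)) {
    return { send: false, reason: "sensitive page" };
  }
  if (!ALLOWED_EVENTS.has(eventName)) {
    return { send: false, reason: "event not in allowlist" };
  }
  const scrubbed = {};
  for (const [key, value] of Object.entries(params || {})) {
    if (ALLOWED_PARAMS.has(key)) scrubbed[key] = value;
  }
  return { send: true, event: eventName, params: scrubbed };
}

// Wrapper the site calls instead of fbq()/gtag() directly. `senders` are the
// platform calls, injected so the logic can be exercised outside a browser.
function trackConversion(eventName, params, pathname, senders) {
  const decision = filterConversion(eventName, params, pathname);
  if (decision.send) {
    for (const send of senders) send(decision.event, decision.params);
  }
  return decision;
}

// Browser wiring: forwards only to pixel libraries that are actually loaded.
function defaultSenders() {
  const out = [];
  if (typeof window !== "undefined") {
    if (typeof window.fbq === "function") {
      out.push((ev, p) => window.fbq("track", ev, p));
    }
    if (typeof window.gtag === "function") {
      out.push((ev, p) => window.gtag("event", ev, p));
    }
  }
  return out;
}

// Typical call from a contact form's submit handler (pathname from the page):
// trackConversion("Lead", { value: 1, currency: "USD" }, location.pathname, defaultSenders());
```

Wire the form and call-button handlers to `trackConversion` rather than to `fbq`/`gtag` directly, and keep the path patterns and allowlists in one place so they can be captured as part of the documentation described in the next section. The decision object is also a convenient thing to log locally (never to the platform) when you need to show an auditor which events were suppressed and why.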

Documentation and Audit Trail

If your practice is ever audited by HHS or has a data breach, you need documentation showing that your advertising practices were HIPAA-compliant. Keep records of:

  • Ad targeting decisions: Document why you chose certain audience segments. Keep a list of keywords you bid on, interests you target, and geographic areas you serve.
  • Pixel and conversion tracking configuration: Take screenshots of your pixel setup, showing what events you track and how data is sent back to the platform.
  • Audience exclusions: Document any audiences you explicitly exclude (you might exclude existing patients so you are not paying to re-target them).
  • Business associate agreements: If you use any ad agency or marketing partner to manage your Facebook or Google Ads, you need a Business Associate Agreement with them.

HIPAA-compliant Facebook and Google Ads are absolutely possible and highly effective for patient acquisition. The key is: never upload patient lists to any ad platform, use interest and behavioral targeting instead, implement careful conversion tracking that does not reveal health information, and document your decisions. Most practices report strong ROI from paid advertising campaigns while staying fully compliant with HIPAA and FTC regulations.

Frequently Asked Questions

How long does this typically take to implement?

For most practices, 2 to 6 weeks depending on current setup and resources available.

What if my practice is small?

These strategies work for all practice sizes. Start with the highest-priority item and build from there.

Do I need professional help?

Some tasks require professional expertise. Start with what you can do, and hire specialists for technical items.

What is the ROI?

Most practices see ROI within 3 to 6 months if done correctly. Patient acquisition cost drops and patient retention improves.

How do I measure if this is working?

Track metrics relevant to each strategy. Use Google Analytics, your PMS, and call tracking to measure impact.

What if I do not have budget for this?

Many of these strategies are free or low-cost. Start with free tools and tactics, then invest in paid solutions as revenue allows.

How often do I need to update this?

Most strategies require quarterly reviews. Some, like reviews and content, benefit from ongoing attention.
