Elevare Viewpoints
July 10, 2025

“So... Can We Still Use Meta Pixel?” Health Marketing After GoodRx, BetterHelp & the AHA (Partial) Victory

Scene: A Monday morning strategy call...

The CMO of a national telehealth network is excited. “We finally have a campaign people love—targeted content based on condition pages users visited. Can we scale it?”

Her privacy officer winces. “Well... it depends. Did the user log in? Submit anything? Or just browse?”

“No login. It’s our main web page. They just submit a form requesting more information,” the CMO replies. “All we have is an email address.”

“Okay. Then maybe. But we’re still in that weird limbo thanks to OCR’s pixel guidance... even after the AHA lawsuit.”

And just like that, the campaign’s on hold again.

Quick Legal Recap on HIPAA and 3rd Party Tracking: The AHA sort of won—but OCR’s warning still looms

In 2022, HHS’s Office for Civil Rights dropped a bombshell: using tracking tech on health websites—even for anonymous users—might violate HIPAA. Their logic? If a user visits a page about diabetes, and that visit is connected to an IP address, boom: you’ve created Protected Health Information (PHI).

Hospitals pushed back hard. The American Hospital Association (AHA) sued. And in summer 2024, a federal judge agreed. But that’s not the whole story.

The court struck down OCR’s claim that basic tracking on public, unauthenticated pages automatically created PHI. The court referred to the concept as the “proscribed combination” and struck it down because there is no reasonable method for connecting an IP address (which is not readily tied to an individual without other information) to that individual’s intent to seek healthcare services.

Importantly, this limited ruling didn’t kill the rest of the amended guidance document signaling the scrutiny of information sharing with 3rd party tracking technology vendors. Anything involving logged-in users, forms, or identifiable data tied to health or healthcare? Covered entities (and their Business Associates) are still subject to HIPAA and all that entails (e.g., obtaining valid authorization from users before sharing data for marketing/advertising purposes).

Bottom line: Healthcare providers got some breathing room, but the broader shift toward tightening digital health privacy online still stands.

Why Marketers Should Pay Attention (Even If You’re Not “HIPAA-Covered”)

Two landmark FTC cases from the last 3 years—GoodRx and BetterHelp—show us what happens when marketing moves fast and compliance moves... never.

  • GoodRx claimed it wouldn’t share user data. Then quietly sent people’s prescription info to Meta and Google. A 20-year Order and $1.5M fine.
  • BetterHelp promised therapy clients their data was safe. Then fed emails and intake answers to ad platforms. A 20-year Order and $7.8M in refunds.

Neither company was technically a HIPAA-covered entity. But the FTC now actively enforces where OCR lacks authority, and the agency specifically indicated it will prioritize scrutiny of healthcare companies.

A New Reality for Health Marketers: Every Funnel Click Has a Legal Trigger

Let’s rewind to our CMO’s campaign.

Stage 1: The user browses a page about cardiac rehab

No login, no form. Pre-AHA ruling? OCR might’ve said this alone = PHI.
Post-ruling? You’re probably safe—unless tracking tools can connect the person’s identity to the person’s intent to obtain healthcare. The court in Becerra said that if the determination of intent requires “clairvoyance” it doesn’t count. Ah, Texas judges. But I digress.

Stage 2: They submit a form for a consult

Now they’ve given a name, email, and care need. This is PHI. If the national telehealth network is a Covered Entity (and otherwise subject to HIPAA), HIPAA applies. Even sharing an IP address with the CRM or email tool needs a BAA (Business Associate Agreement).

Stage 3: Your team uploads the user’s email to Meta 

Subject to HIPAA? Then unless you have a Business Associate Agreement with Meta (spoiler: they won’t provide one) or an explicit, written HIPAA authorization from each person, that’s a violation. This is exactly what GoodRx and BetterHelp did—and why they were punished by the FTC.

The Underlying Problem: Marketing and Legal Are Speaking Different Languages

In the GoodRx case, internal documents showed no one was really in charge of privacy. Marketers just... did things. Shared data. Installed pixels. Built lookalike audiences. There was no privacy program—until the FTC forced one.

BetterHelp? Same deal. The marketers probably thought “this is normal.” But their privacy policy said otherwise. That’s what made it deceptive under the FTC Act.

What both cases reveal is this: lack of coordination between marketing and legal is no longer just inefficient. It’s a threat to the business.

The Risk Isn’t Just Fines. It’s Trust.

These aren’t abstract regulatory threats. Sharing someone’s mental health intake with an ad platform can lead to:

  • Stigma
  • Discrimination
  • Emotional distress
  • Loss of trust

In healthcare, trust is your brand. And no amount of click-through rate (CTR) optimization can buy that back once it’s lost.

How Smart Orgs Are Navigating This New World

Let’s go back to our CMO.

This time, she pulls legal in before launching the campaign. Together, they:

  • Map the data flows: Where does user info go? What tools collect it?
  • Limit tracking to public pages only—with no forms or identifiers.
  • Use contextual ad targeting (e.g., “ads about joint pain on health blogs”), not behavioral retargeting.
  • Create a clear opt-in moment: “Would you like to receive follow-up content based on what you just read?”

And maybe—just maybe—they choose a CRM vendor that signs a BAA and keeps everything in-house, avoiding the lengthy and complex HIPAA authorization that all marketers despise.

The Takeaway: Compliance Isn’t the Enemy of Growth

In fact, it can be your superpower.

Patients and consumers increasingly care how you treat their data. If your marketing honors that trust—and makes privacy a visible part of your value—you stand out.

What winning healthcare marketers are doing now:

  • Swapping pixels for personas: Marketing by health interest groups, not individual tracking.
  • Using content, not cookies: Building engagement through blogs, webinars, and tools that don’t require identifying data.
  • Using new de-identification tools: To de-identify any data before it can travel to 3rd party analytics providers. 
  • Training marketing + legal together: So teams speak the same language—and avoid last-minute scrambles.
  • Auditing tools and partners: If they won’t sign a BAA or follow FTC privacy rules, they’re off the list.
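The two lists above (limit tracking to public pages with no forms or identifiers, add an opt-in moment, and de-identify data before it reaches a 3rd party analytics provider) can be enforced in the site's own tag layer rather than left to policy. The following is an added example written for this post, not code from Elevare, Meta, or any pixel vendor: a small gate that refuses to fire a third-party pixel on authenticated pages, pages with a form, or URLs that carry an identifier in the query string, and only fires after an opt-in; and a scrubber that strips identifier fields and query strings from any event before it leaves the site. The field names (`isAuthenticated`, `hasForm`, `optedIn`, `dataLayer`), the URLs and the identifier key list are all constructed assumptions for the example; that key list is a starting point for your own schema, not HIPAA's Safe Harbor identifier list.

```javascript
// Added example, not code from the Elevare post or from any pixel vendor.
// Models the post's rules as a tracking gate plus an outbound-event scrubber.
// Field names, URLs and the identifier key list below are constructed
// assumptions for this example.

// Keys treated as identifiers when scrubbing events or inspecting URLs.
// Constructed list; extend it to match your own data layer.
const IDENTIFIER_KEYS = new Set([
  'email', 'name', 'first_name', 'last_name', 'phone', 'ip', 'ip_address',
  'user_id', 'patient_id', 'mrn', 'dob', 'address',
]);

// True if any query parameter of the URL uses an identifier key
// (for example a confirmation page linked as /thanks?email=...).
function urlCarriesIdentifier(url) {
  for (const key of new URL(url).searchParams.keys()) {
    if (IDENTIFIER_KEYS.has(key.toLowerCase())) return true;
  }
  return false;
}

// Drop the query string and fragment so a URL can be reported without
// leaking form contents or tokens appended to it.
function stripQuery(url) {
  const cut = url.search(/[?#]/);
  return cut === -1 ? url : url.slice(0, cut);
}

// Recursively remove identifier keys from an event payload and strip
// query strings from any field whose name ends in "url".
function scrubEvent(event) {
  const clean = {};
  for (const [key, value] of Object.entries(event)) {
    if (IDENTIFIER_KEYS.has(key.toLowerCase())) continue;
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      clean[key] = scrubEvent(value);
    } else if (typeof value === 'string' && key.toLowerCase().endsWith('url')) {
      clean[key] = stripQuery(value);
    } else {
      clean[key] = value;
    }
  }
  return clean;
}

// Decide whether a third-party pixel may load for this page view.
// ctx: { url, isAuthenticated, hasForm, optedIn, topic, dataLayer }
function decidePixel(ctx) {
  if (ctx.isAuthenticated) return { load: false, reason: 'authenticated' };
  if (ctx.hasForm) return { load: false, reason: 'form-on-page' };
  if (urlCarriesIdentifier(ctx.url)) return { load: false, reason: 'identifier-in-url' };
  if (!ctx.optedIn) return { load: false, reason: 'no-opt-in' };
  return { load: true, reason: 'public-page-opt-in' };
}

// Build the event that would be handed to the pixel, or null when the gate
// refuses. Only contextual data (page topic, stripped URL) survives scrubbing.
function buildOutboundEvent(ctx) {
  if (!decidePixel(ctx).load) return null;
  return scrubEvent({ page_url: ctx.url, topic: ctx.topic, ...(ctx.dataLayer || {}) });
}

// Constructed scenarios mirroring the post's funnel stages.
const SCENARIOS = {
  browse: {
    url: 'https://clinic.example/conditions/cardiac-rehab',
    isAuthenticated: false, hasForm: false, optedIn: true,
    topic: 'cardiac-rehab', dataLayer: { ip: '203.0.113.7' },
  },
  consultForm: {
    url: 'https://clinic.example/request-consult',
    isAuthenticated: false, hasForm: true, optedIn: true, topic: 'consult',
  },
  thanksPage: {
    url: 'https://clinic.example/thanks?email=pat%40example.com',
    isAuthenticated: false, hasForm: false, optedIn: true, topic: 'consult',
  },
};

for (const [name, ctx] of Object.entries(SCENARIOS)) {
  console.log(name, decidePixel(ctx), buildOutboundEvent(ctx));
}
```

In the browse scenario the pixel fires with only the page path and topic; the IP in the data layer never leaves. The consult form and the thank-you page (whose URL carries the submitted email) are refused outright, which is the Stage 2 and Stage 3 situation from the funnel walk-through. Dropping `optedIn` to false on the browse page is refused as well, so the opt-in moment is enforced in code rather than remembered by the campaign team.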

Final Word: Respecting Boundaries Isn’t Playing Small—It’s Playing Smart

Regulators are drawing new lines in the digital sand, and expanding protections for consumers across the country. But that doesn’t mean healthcare marketing needs to retreat. It just means we have to get sharper, more creative, and more transparent.

The smartest orgs aren’t asking, “What can we get away with?”
They’re asking, “How do we earn trust at every touchpoint?”

And they’re growing because of it.

Need help building a compliant funnel or vetting your ad strategy?

Let’s talk. Elevare helps digital health orgs scale without stepping into regulatory quicksand.

Like our insights? Subscribe to our newsletter for more strategic advice.