How to Retarget Website Visitors Without Violating HIPAA

Retargeting is one of the most effective tools in digital advertising — but for medical practices, it comes with serious HIPAA implications. Here is how to use it correctly.

May 3, 2025 · by Doctor Rebrand

What Is Retargeting?

Retargeting is a form of digital advertising that allows you to show ads to people who have already visited your website. If someone visits your practice's page about a specific treatment and then later browses another website or scrolls through social media, retargeting allows you to display an ad to that same person — reminding them of your practice and encouraging them to return.

For most industries, retargeting is a straightforward and highly effective strategy. A person who has already shown interest in what you offer is far more likely to convert than a cold audience. The economics are compelling.

For medical practices, however, retargeting carries a layer of complexity that most advertising guides do not address. Done incorrectly, it creates a HIPAA violation before a single ad is ever shown.

Why Healthcare Retargeting Is Different

Retargeting works by placing a small piece of code, called a pixel, on your website. When a visitor arrives, the pixel loads the advertising platform's script and sends a request back to the platform that includes the full page URL, the referrer and a cookie or device identifier. That request adds the visitor to an audience list held by the platform. Google and Meta both operate this way.

Here is the problem: the page that visitor landed on may reveal something about their health. If someone visits a page about diabetes management, thyroid treatment, or mental health services, the fact that they visited that page is itself health information. When that information is connected to an identifiable person — even through an anonymous-seeming device identifier — it meets the definition of Protected Health Information under HIPAA.

That information is now sitting in Google's or Meta's systems, neither of which signs a Business Associate Agreement for their advertising products. The moment the pixel fired and the data was transmitted, a disclosure occurred — one that HIPAA does not permit without patient authorization.

What the HHS Guidance Says

The bulletin from the U.S. Department of Health and Human Services, first issued in December 2022 and updated in March 2024, addressed this directly. It stated that tracking technologies placed on webpages where individuals seek information about specific health conditions or providers can result in impermissible disclosures of PHI to tracking technology vendors.

This applies specifically to condition-specific pages, appointment scheduling pages, and any page where the act of visiting reveals something about a person's health status or intent. A general homepage carries lower risk. A page at /services/hormone-replacement-therapy does not.

Does This Mean Retargeting Is Off the Table?

No. It means retargeting requires a more deliberate approach than simply installing a pixel and turning on an audience campaign. There are compliant ways to use retargeting in healthcare — they just require intentional setup.

Restrict pixel placement to non-sensitive pages. The most direct solution is to limit where your retargeting pixels fire. A pixel on your homepage, your about page, or your general contact page carries significantly less risk than one placed on condition-specific service pages. You can configure Google Tag Manager triggers so that pixels fire only on an explicit allowlist of approved page paths and nowhere else. Build the rule as an allowlist rather than a list of excluded pages: with an exclusion list, every new service page fires the pixel by default until someone remembers to add it, which is exactly how the misconfigurations described later in this article happen.
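The decision a well-built trigger should make, written out as an added example that is not Doctor Rebrand's code or any platform's own configuration. It compares a default-deny allowlist against the common exclusion-list setup, normalises the path so letter case and trailing slashes cannot slip a page through, and refuses approved pages that carry unexpected query parameters, since the pixel transmits the full URL. The hostname, approved paths, parameter names and sample page views are constructed assumptions for a fictional practice site.

```javascript
// Added example, not Doctor Rebrand's code: a default-deny rule for whether a
// retargeting pixel may fire on a given page view. It mirrors what a Google
// Tag Manager "fire only on approved pages" trigger should enforce. The
// hostname, paths and sample page views are constructed assumptions.

// Pages on which a pixel may fire. Anything not listed is blocked.
const APPROVED_PATHS = new Set(["/", "/about", "/contact", "/locations"]);

// Query parameters that ad platforms append to landing-page URLs and that
// carry no health information. Any other parameter disqualifies the page,
// because the pixel transmits the full URL, query string included.
const BENIGN_QUERY_PARAMS = /^(utm_[a-z]+|gclid|fbclid)$/;

// Normalise the path so case, trailing slashes and repeated slashes cannot
// slip a sensitive page past the allowlist.
function normalizePath(pathname) {
  let path = pathname.toLowerCase().replace(/\/{2,}/g, "/");
  if (path.length > 1 && path.endsWith("/")) path = path.slice(0, -1);
  return path;
}

// Default-deny decision: approved path AND only benign query parameters.
function mayFirePixel(url) {
  const u = new URL(url);
  if (!APPROVED_PATHS.has(normalizePath(u.pathname))) return false;
  for (const name of u.searchParams.keys()) {
    if (!BENIGN_QUERY_PARAMS.test(name.toLowerCase())) return false;
  }
  return true;
}

// The weaker, common setup for comparison: fire everywhere except a
// hand-maintained blocklist. A service page nobody added to the list fires.
const BLOCKED_PATHS = new Set(["/services/diabetes-management"]);
function mayFirePixelDenylist(url) {
  return !BLOCKED_PATHS.has(normalizePath(new URL(url).pathname));
}

// Evaluate a batch of page views under both policies.
function evaluate(urls) {
  return urls.map((url) => ({
    url,
    allowlist: mayFirePixel(url),
    denylist: mayFirePixelDenylist(url),
  }));
}

// Constructed sample page views for a fictional practice site.
const SAMPLE_VIEWS = [
  "https://practice.example/",
  "https://practice.example/about/?utm_source=google&gclid=abc123",
  "https://practice.example/?condition=diabetes",
  "https://practice.example/services/hormone-replacement-therapy",
  "https://practice.example/Services/Thyroid-Treatment#symptoms",
  "https://practice.example/services/diabetes-management",
];

for (const r of evaluate(SAMPLE_VIEWS)) {
  const denyNote = r.denylist ? "fire" : "block";
  console.log(`${r.allowlist ? "FIRE " : "BLOCK"} (exclusion list would ${denyNote})  ${r.url}`);
}
```

Run with Node; the thyroid page, which nobody put on the exclusion list, fires under the exclusion-list policy and is blocked under the allowlist, and the homepage visit with a condition parameter is blocked even though the path is approved. In GTM the equivalent is a trigger whose Page Path condition matches only the approved paths, applied to every Google and Meta tag; the same rule has to cover any tag that loads the platform script, because once the script is loaded it reports the page on its own.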

Use server-side, field-controlled event transmission instead of a browser pixel that sends everything it sees. Google's Enhanced Conversions and Meta's Conversions API move the data transfer from the visitor's browser to your own server, which lets you decide exactly which fields leave your systems and hash identifiers before they do, while preserving enough signal to optimize campaigns. They are not aggregated or anonymous, though: both send individual-level conversion events, typically keyed by a hashed email address or phone number, so the same PHI analysis applies to whatever you choose to send. Their value is control over the payload, not exemption from it.

Route data through a HIPAA-compliant intermediary. Platforms like Freshpaint act as a privacy layer between your website and advertising platforms. They intercept data before it is transmitted, strip out or hash identifying information, and only pass along what is permissible. Because the intermediary sees the raw data, it must sign a BAA with you; the point of the arrangement is that the BAA-covered party is the one doing the filtering. Hashing by itself is not de-identification, so what matters is which events and fields the intermediary is configured to let through. Done this way, you can maintain retargeting and conversion tracking functionality without exposing PHI directly to platforms that will not sign a BAA.

Use contextual targeting instead of behavioral targeting. Contextual advertising places your ads based on the content of the page being viewed — not on the past behavior of the viewer. A physician specializing in cardiology can advertise on pages about heart health without needing to track anyone. This approach entirely sidesteps the PHI problem and is often more effective for reaching patients in active research mode.

What About Patient Lists?

Some practices consider uploading patient email lists to Google or Meta to create custom audiences for retargeting. This is a separate issue and carries its own significant risks.

Uploading a patient list to an advertising platform constitutes a disclosure of PHI to a third party. Without a BAA in place, and neither Google nor Meta signs BAAs for advertising products, this is not permissible under HIPAA regardless of how the list is used afterward. Hashing the email addresses first does not change this: the platforms require a deterministic hash precisely so they can match it against the same hash of their own users' addresses, so a hashed patient list is identifiable by design and is not de-identified data under HIPAA.

Patient lists should not be uploaded to advertising platforms. If you want to re-engage existing patients, email is the appropriate channel — provided your email platform has a BAA and is configured correctly.

Conversion Tracking vs. Retargeting

These two functions are often conflated because they use similar technology, but they serve different purposes and carry different risk profiles.

Conversion tracking measures whether someone who saw your ad took a desired action — such as submitting a contact form or calling your office. Retargeting serves ads to people who previously visited your site. Both involve pixels, but conversion tracking is about measuring outcomes while retargeting is about re-engaging individuals.

Both require careful configuration in a healthcare context, but retargeting carries higher inherent risk because it involves building audience profiles based on health-related page visits. Conversion tracking can often be configured in a more privacy-safe way without abandoning it entirely.

How Doctor Rebrand Handles This

We do not advise practices to abandon paid advertising or retargeting. We advise them to use it correctly. That means evaluating which pages carry PHI risk, configuring pixel placement accordingly, selecting the right intermediary tools where needed, and making sure the advertising strategy does not depend on data that should never have been collected in the first place.

Every practice we work with that runs paid advertising gets a tracking audit as part of our onboarding process. In most cases, we find pixels firing on pages they should not be on — not because anyone made a reckless decision, but because default configurations are not built with healthcare compliance in mind.

The Bottom Line

Retargeting is a legitimate and valuable tool for patient acquisition. The goal is not to avoid it — the goal is to use it in a way that does not create legal exposure for your practice.

The configuration decisions that determine compliance are not visible to patients, and they are not something most website developers or general marketing agencies think about. In healthcare marketing, the setup matters as much as the strategy. Getting it right from the beginning is far less costly than addressing a breach after the fact.
