Paid acquisition · HIPAA

HIPAA-compliant paid acquisition:
what’s actually allowed in 2026.

By Vince Schwellenbach · 15-minute read

Most healthcare practices running paid ads in 2026 are running them illegally. Not intentionally: the configurations are usually inherited from an agency that set them up in 2018, back when the rules were softer and enforcement was rarer. But the rules changed, the platforms changed, and enforcement against covered entities has accelerated substantially since 2022.

What follows is a mechanical guide to what’s actually compliant in 2026, the configurations that work, the four common setups that violate HIPAA, and the specific platform policies that have changed recently enough to catch good agencies by surprise. This is the framework we run for every AdsPRO client and the audit pattern we walk prospects through before we recommend paid at all.

The short version, for skimmers.

PHI, Protected Health Information, cannot be shared with an ad platform. Not as an audience, not as a conversion event, not embedded in a URL, not as a pixel parameter. Full stop. The entire compliant-paid design is built around this constraint.[1]

PHI is broader than most practice owners think. It is not just “the patient’s chart.” It is any information that, combined with identifiers, indicates a relationship with a healthcare provider, which means the fact that someone visited your condition page, completed your intake form, or clicked a booking link is itself PHI-adjacent if you pair it with their IP address, email, or a pixel ID.[2]

Compliant paid works by moving the conversion signal server-side. The ad platforms receive that a conversion happened; they do not receive which condition, which procedure, or which patient. This is the entire architectural shift of the last three years, and it is not optional anymore.

Fig. 1 · The HIPAA-compliant paid funnel. Three layers, left to right: Ad platform (Google · Meta · LinkedIn: demo + geo, intent keywords, lookalike seeds); Conversion layer (site + server: server-side CAPI, hashed identifiers, non-PHI events only); Practice CRM (EHR-adjacent: booking / lead form, PHI stays here). The figure also labels “PHI-tagged list” and “Condition-as-param”; dashed red lines mark common compliance violations we see in audits.

What counts as PHI in the ad context.

HIPAA’s definition of PHI is notoriously broad: any information, held by a covered entity, that identifies an individual and relates to their past, present, or future physical or mental health, healthcare provision, or payment for healthcare.[3] The ambiguity is in what counts as “identifying.”

The Office for Civil Rights (OCR), which enforces HIPAA, clarified in December 2022, and reaffirmed with expanded guidance in March 2024, that the use of online tracking technologies by covered entities is regulated even when the individual has not logged in, because an IP address combined with a visit to a condition-specific page can identify a patient-provider relationship.[4] That guidance has been litigated, partially struck down, partially upheld, and the net effect is that the compliance posture a conservative healthcare agency takes in 2026 is:

  • Assume any combination of (identifier) + (clinical signal) is PHI, regardless of whether HIPAA technically applies.
  • Never upload patient lists to ad platforms. Not hashed, not encrypted, not ‘anonymized.’
  • Never fire pixel events that encode condition, procedure, or specialty.
  • Keep all PHI inside the CRM/EHR perimeter; the ad platform never sees it, ever.

The four configurations that almost always violate HIPAA.

In every audit we run for a new client, we check for these four setups. Three out of four paid accounts we inherit have at least one of them running. The agencies that set them up did so in good faith, under the older interpretation. Good faith does not help in an OCR audit.

Violation 1 · Condition-specific audience targeting

Uploading a list of known diabetes patients to Meta to build a lookalike. The identifier (email/phone) combined with the implicit PHI (“this person has diabetes”) is a HIPAA disclosure.

OCR settlement precedent, multiple cases 2023-2025.

Violation 2 · Conversion events naming the condition

Firing a Meta pixel event named ‘diabetes_consult_booked’ with the patient’s hashed email. Meta receives both the identifier and the condition.

HHS-OCR Bulletin, Dec 2022 (revised 2024).

Violation 3 · Client-side pixels on clinical pages

A Meta or Google pixel on a symptom-quiz page, intake form, or portal. The URL itself may be PHI-adjacent; any form-field capture is almost certainly PHI.

OCR guidance on tracking technologies, 2022; reaffirmed 2024.

Violation 4 · Retargeting lists built from EHR-adjacent sources

Exporting a list of ‘no-show patients’ or ‘overdue follow-ups’ from the practice CRM, then uploading it to an ad platform.

Multiple settlement precedents; patient-provider relationship disclosure.

The compliant architecture.

A compliant paid funnel for a healthcare practice has three properties. First, targeting is built from non-clinical signals: demographics, geography, interests, job titles, and platform-native intent keywords. These are legal. A plastic-surgery practice targeting “women, 30-55, within 25 miles of Miami, interested in wellness” is fine. The same practice uploading a list of prior cosmetic-consult patients is not.

Second, the conversion signal is server-side. When a patient books an appointment or submits an inquiry, the event that fires to Google or Meta is generic: “Lead,” “Conversion,” “FormSubmit.” It does not encode the condition they were looking at, the procedure they were interested in, or the form field they filled out. The server deduplicates, hashes any identifiers the platform needs (which are limited to what’s necessary for conversion attribution), and strips everything else.[5]

Third, the site (particularly any clinical, condition, procedure, or intake page) has no third-party pixels of any kind. Analytics, yes, but server-side only (Vercel Analytics, GA4 via server-side GTM, Plausible with proxy). Meta pixel, no. TikTok pixel, no. Microsoft UET tag on clinical pages, no. The tracking technologies guidance from OCR is explicit: client-side pixels on pages that imply a patient-provider relationship are a violation even without login.[4]

LegitScripts and the healthcare-advertiser policy layer.

On top of HIPAA itself, ad platforms impose their own healthcare-advertiser policies. Google Ads has required LegitScripts certification for certain healthcare categories since 2019; the certification categories expanded in 2023 to include compounded medications, online pharmacies, and several telehealth verticals.[6] Practices that prescribe GLP-1s via telehealth, compound pharmacies, and certain weight-loss programs now need LegitScripts certification to run Google Ads at all.

Meta doesn’t require LegitScripts but has its own healthcare advertising policy, restricting targeting options, blocking certain condition-specific audience signals, and requiring that ad creative not imply individualized medical claims.[7] Meta’s policy has tightened steadily: in 2023, they removed several health-interest categories from audience targeting; in 2024, they added automated content-detection that blocks ads implying “before and after” outcomes for medical procedures absent disclaimers.

Microsoft Ads (the second-largest paid search channel, worth running for most healthcare practices) has similar restrictions and enforcement that has become substantially more aggressive since 2024.[8] TikTok has specific healthcare policies that are the most restrictive of the major platforms and are a primary reason we rarely recommend TikTok for most healthcare verticals.

What this means practically.

For a healthcare practice running paid in 2026, the honest checklist is: do you have a HIPAA-compliant Conversions API implementation? Are your pixels absent from clinical and intake pages? Is any audience upload you’ve ever done actually non-PHI, or does it include condition-inferable signals? If you’re running Google Ads in a LegitScripts-required vertical, are you certified? If not, the account is one enforcement pass away from suspension.

Most practices can’t answer those questions confidently. Most agencies can’t answer them on behalf of their clients. The configurations that were industry-standard in 2019 are industry-violations in 2026, and the knowledge gap between what agencies are selling and what the regulations actually require has widened, not narrowed. We still see major national agencies running condition-specific audience uploads as part of their standard onboarding. We don’t know what to tell their clients except that they should leave.

A final word on pass-through spend.

One ancillary point. Almost every healthcare agency marks up ad spend, billing the client the platform invoice plus a percentage, or simply wrapping spend into a retainer. This is not a HIPAA issue, but it is a conflict-of-interest issue. When an agency profits from the client spending more, it has a structural incentive to recommend spending more, not spending smarter. We do not mark up spend. Clients pay the platforms directly. Our invoice is the management fee only. This is not virtue-signaling; it’s how an audit-friendly operation runs.

References.

  1. 45 CFR § 164.502(a). Uses and disclosures of protected health information: general rules. eCFR.
  2. 45 CFR § 160.103. Definitions (Protected Health Information). eCFR.
  3. U.S. Department of Health & Human Services, Office for Civil Rights. Summary of the HIPAA Privacy Rule. HHS.gov.
  4. HHS-OCR Bulletin. Use of Online Tracking Technologies by HIPAA-Covered Entities and Business Associates (updated March 2024). HHS.gov.
  5. Meta. Conversions API Overview and Best Practices for Healthcare. Meta for Developers.
  6. Google Ads Healthcare and Medicines Policy (LegitScripts certification). Google Ads Help.
  7. Meta Advertising Policies. Personal Health and Appearance. Meta Business Help Center.
  8. Microsoft Advertising Policies. Healthcare. about.ads.microsoft.com.

Nothing in this article is legal advice. If you are uncertain about your practice’s compliance posture, consult healthcare counsel before making changes. The patterns described here reflect Macbach’s operating standard across its active client book; your specific obligations may differ.

Vince Schwellenbach
Founder · Macbach · Tampa Bay · Healthcare-exclusive since 2007