Google Ads Audience Targeting for Healthcare: What's Safe and What's Not
Two healthcare advertisers set up Google Ads campaigns on the same day. Both target patients in the same metro area. Both run search campaigns for the same medical specialty. One uses Customer Match to upload a patient email list. The other uses in-market audience segments. One has just created a HIPAA violation. The other has not.
The difference between a compliant Google Ads campaign and a liability is not the campaign budget, the ad creative, or the bidding strategy. It is the audience targeting method. Google offers more than a dozen audience targeting options, and for healthcare advertisers, each one carries a different compliance profile. Some are safe to use without modification. Some require server-side infrastructure to use compliantly. And some should never be used by a healthcare organization under any circumstances.
Approach 1: Google's Built-In Audience Segments (Generally Safe with Caveats)
Google builds audience segments based on users' browsing behavior, search history, app usage, and demographic signals. Healthcare advertisers can use several of these segment types without creating HIPAA exposure, because the segments are built and maintained by Google, not by the advertiser.
Affinity Audiences
What they are: Broad interest-based audiences like "Health & Fitness Enthusiasts" or "Beauty & Wellness." Google builds these from long-term browsing patterns.
Compliance profile: Lower risk. You are targeting a Google-defined segment, not uploading patient data. The targeting does not create PHI because you have no patient relationship with the people in the segment, and Google is not receiving health data from you. The audience definition is broad enough that individual health conditions are not implied.
Best for: Top-of-funnel awareness campaigns for health systems, wellness programs, and preventive care services.
In-Market Audiences
What they are: Users actively researching or comparing products and services in a category. Google infers purchase intent from recent search and browsing behavior. Healthcare-relevant in-market segments include "Medical Facilities & Services," "Health Insurance," and others.
Compliance profile: Moderate risk. In-market audiences are closer to health intent than affinity audiences. When you target "people actively searching for orthopedic surgeons," you are reaching individuals with a current health need. However, since Google defines and manages the audience, and you are not providing patient data to Google, the HIPAA risk sits with Google's data practices rather than yours. The risk increases if you combine in-market audiences with narrow geographic targeting (which could identify individuals in small populations).
Best for: Mid-funnel campaigns for specialty practices and elective procedures where you want to reach people actively evaluating options.
Demographic Targeting
What it is: Age, gender, household income, parental status. Standard demographic filters applied to campaign targeting.
Compliance profile: Low risk. Demographic targeting does not involve health data and does not create PHI. Combining demographics with health-related ad content does not change the compliance profile because the demographic data comes from Google's systems, not from your patient records.
Best for: Refining any healthcare campaign to reach the most relevant age groups or household income brackets for your services.
Approach 2: Advertiser-Provided Audience Data (High Risk)
These targeting methods involve the advertiser providing data to Google. For healthcare organizations, this is where HIPAA exposure becomes significant.
Customer Match
What it is: You upload a list of email addresses, phone numbers, or mailing addresses to Google Ads. Google matches those identifiers against its user base and targets ads to the matched users.
Compliance profile: High risk for healthcare. When a healthcare organization uploads a patient email list to Google for advertising purposes, it is sharing PHI with Google. The email addresses are individually identifiable, and the fact that they came from a healthcare organization's patient records creates a health context. Google does not sign BAAs for Google Ads customers. This means the data sits on Google's platform without HIPAA-mandated protections.
The comparison: Customer Match is the same data-sharing pattern that triggered the GoodRx enforcement. GoodRx shared health-related identifiers with advertising platforms for targeting purposes. The mechanism was pixels rather than list uploads, but the principle is identical: sending identifiable health data to an advertising platform without BAA coverage.
GoodRx ($1.5M FTC + $25M class action, 2023). GoodRx configured tracking pixels that shared prescription drug names, health conditions, and personal identifiers with Facebook, Google, and other ad platforms for targeted advertising without consent.
Can it ever be used compliantly? Potentially, if the list contains people with no health relationship to your organization (e.g., a list of general community event attendees with no health context), but in practice, most lists that a healthcare organization would want to target carry health implications. The safest approach is to avoid Customer Match entirely for healthcare advertising.
Remarketing Lists (Website Visitors)
What it is: Google builds an audience of people who visited specific pages on your website, using the Google tag (gtag.js) or Google Tag Manager. You can then target these visitors with ads across Google's network.
Compliance profile: High risk for healthcare. When Google builds a remarketing list from visitors to your cardiology services page, Google now has a list of identifiable users associated with cardiac care interest. This is PHI. Google's healthcare advertising policies already restrict remarketing based on health conditions, but the restriction is based on policy, not architecture. If the Google tag is installed on health-specific pages, Google receives the data regardless of whether you activate remarketing campaigns against it.
The compliant alternative: Remove client-side Google tracking from health-specific pages. Use server-side tracking that sends conversion events to Google without page-level health context. If you need to reach past website visitors, build server-side audience segments in your HIPAA-compliant CDP and use privacy-preserving activation methods.
Similar Audiences (Discontinued) and Lookalike Segments
What they were: Google's Similar Audiences feature, which created lookalike audiences from your remarketing lists, was discontinued in 2023. Google now uses audience expansion and optimized targeting to find similar users automatically.
Compliance profile: The discontinuation of explicit Similar Audiences does not eliminate the risk. Google's optimized targeting still uses signals from your conversion data and audience lists to find new users. If the seed data contains health-associated identifiers, the expanded targeting carries forward that association.
Approach 3: Contextual and Keyword Targeting (Safest for Healthcare)
Contextual targeting places your ads based on the content someone is viewing rather than who they are. For healthcare advertisers, this approach avoids PHI entirely.
Custom Intent Audiences (Keyword-Based)
What they are: You provide keywords, and Google targets users who have recently searched for those terms or visited websites related to those terms. You define the intent signals; Google finds the users.
Compliance profile: Lower risk. You are providing keywords to Google, not patient data. Google identifies users based on its own data. The compliance risk is minimal because the targeting input (keywords) contains no individually identifiable health information. However, healthcare organizations should be aware that Google matches users to these keywords using its own tracking infrastructure.
Best for: Reaching users actively searching for specific treatments, conditions, or healthcare services without uploading any patient data to Google.
Placement Targeting
What it is: You choose specific websites, YouTube channels, or apps where your ads appear. The targeting is based on where the ad shows, not who sees it.
Compliance profile: Low risk. Placement targeting involves no patient data exchange. You select content environments relevant to your audience (health information websites, medical news sites, condition-specific YouTube channels), and Google places your ads there. No PHI is created or transmitted.
Best for: Display and video campaigns where you want to control the content environment and reach health-interested audiences without any data exchange.
Topic Targeting
What it is: You select topic categories (e.g., "Health > Health Conditions > Diabetes"), and Google shows your ads on pages classified under those topics.
Compliance profile: Low risk. Similar to placement targeting, topic targeting is content-based rather than user-based. No patient data is shared with Google. The ad appears based on page content, not user health status.
Where Conversion Tracking Creates Audience Data You Did Not Intend
Even if your audience targeting is compliant, your conversion tracking can create non-compliant audience data without your knowledge.
When you install the Google tag on your healthcare website for conversion tracking, Google collects data about every visitor, not just those who convert. This data feeds into Google's audience systems. Visitors to your "knee replacement" page are tagged with a health interest signal in Google's systems. This happens automatically when the Google tag fires, regardless of your audience targeting settings.
Advocate Aurora Health ($12.25M class action, 2024). Advocate Aurora installed Meta Pixel and Google Analytics on its website, including its patient portal, to "better understand patient needs." The tools exposed data of approximately 3 million patients to Meta and Google without consent from 2017 to 2022.
The fix is architectural, not configurational. Remove client-side Google tracking from health-specific pages. Implement server-side conversion tracking that sends conversion signals to Google without page-level health context. This ensures that your conversion tracking does not inadvertently build health-related audience profiles in Google's systems.
Building the Compliant Audience Strategy
The compliant audience strategy for healthcare advertisers on Google Ads combines safe targeting methods with server-side infrastructure.
Use Google's built-in segments for reach. Affinity, in-market, and demographic audiences are managed by Google and do not require you to share patient data. Use them for awareness and consideration campaigns.
Use keyword and contextual targeting for intent. Custom intent audiences, placement targeting, and topic targeting let you reach health-interested users based on their current behavior without creating PHI.
Replace client-side tracking with server-side infrastructure. Remove the Google tag from health-specific pages. Use a HIPAA-compliant CDP for server-side conversion tracking and audience building. This ensures that Google receives optimization signals without receiving health-contextual data about individual users.
Gate all data flows on consent. A consent management platform should verify consent server-side before any data is sent to Google. This is increasingly important as state privacy laws expand and patient expectations around data handling evolve. Consent and privacy infrastructure is where healthcare advertising compliance is heading, and the organizations that build it now will be positioned for what comes next.
Monitor your tracking surface continuously. A web scanner should crawl your site to verify that no client-side Google tracking scripts appear on health-specific pages. Marketing teams, agencies, and Google Tag Manager updates can all introduce tracking that bypasses your server-side architecture.
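The scanner described above, as an added example (not the vendor's product): it parses fetched pages with the standard library only, flags any gtag.js or Google Tag Manager loader or inline gtag('config', ...) call, and reports only those findings that sit on health-specific paths. The path prefixes, the hostnames treated as Google loaders, and the sample pages are assumptions constructed for the example; a live deployment would fetch each crawled page and pass its HTML to the same functions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRACKING_HOSTS = ("googletagmanager.com", "google-analytics.com")  # client-side Google loaders
HEALTH_PREFIXES = ("/services/", "/conditions/", "/patient-portal")  # assumed site config
GTAG_CONFIG = re.compile(r"gtag\(\s*['\"]config['\"]\s*,\s*['\"]([A-Z]+-[A-Z0-9]+)")


class _ScriptFinder(HTMLParser):
    # Collects <script src> URLs and inline <script> bodies from one page.
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            if src := dict(attrs).get("src"):
                self.srcs.append(src)

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_google_tags(html: str) -> list[str]:
    """Return one evidence string per client-side Google tag found in the page."""
    finder = _ScriptFinder()
    finder.feed(html)
    hits = [s for s in finder.srcs if any(h in s for h in TRACKING_HOSTS)]
    for body in finder.inline:  # inline gtag('config', 'AW-…' / 'G-…') calls
        if m := GTAG_CONFIG.search(body):
            hits.append("inline gtag config " + m.group(1))
    return hits


def scan(pages: dict[str, str]) -> list[tuple[str, str]]:
    """pages maps URL -> HTML; returns (url, evidence) for health pages carrying a tag."""
    return [(url, ev) for url, html in pages.items()
            if urlparse(url).path.startswith(HEALTH_PREFIXES)
            for ev in find_google_tags(html)]


# Constructed sample pages (not a real site); "AW-000000" is a placeholder ID.
SAMPLE_PAGES = {
    "https://clinic.example/services/cardiology":
        '<script async src="https://www.googletagmanager.com/gtag/js?id=AW-000000"></script>'
        "<script>function gtag(){dataLayer.push(arguments);}gtag('config','AW-000000');</script>",
    "https://clinic.example/about": '<script src="https://www.googletagmanager.com/gtag/js?id=AW-000000"></script>',  # not a health page
    "https://clinic.example/conditions/diabetes": '<script src="/static/app.js"></script><p>Diabetes</p>',  # no Google tag
}
```

Run `scan(SAMPLE_PAGES)` on a schedule against the crawled site and alert on any non-empty result; the about page is deliberately ignored because only health-specific paths are in scope.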
FAQ
Can I use Google's health-related in-market audiences for hospital advertising?
Yes, with caveats. Google's in-market audiences like "Medical Facilities & Services" are built from Google's own data, not yours. Using them does not create PHI because you are not sharing patient information with Google. However, combining very narrow in-market segments with tight geographic targeting could theoretically identify individuals in small populations. Use these segments for broad geographic areas and combine them with compliant server-side conversion tracking.
Is uploading a patient email list to Google Customer Match a HIPAA violation?
Uploading a patient email list to Google for Customer Match creates significant HIPAA risk. The email addresses are individually identifiable, and their association with a healthcare organization implies a health relationship. Google does not sign BAAs for Google Ads customers. The safest approach is to avoid Customer Match with any list that contains individuals who have a patient or health-related relationship with your organization.
What about Google's Enhanced Conversions, which require sending user data to Google?
Enhanced Conversions send hashed user data (email, phone number, address) from conversion events to Google for improved matching. For healthcare advertisers, compliance depends on how the data is sent. Server-side Enhanced Conversions, sent through the Google Ads API with consent verification, can be implemented compliantly if the data is hashed and the health context is stripped. Client-side Enhanced Conversions, which send data from the browser, carry the same PHI risks as standard conversion tracking.
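The server-side pattern this answer and the "Replace client-side tracking" and "Gate all data flows on consent" steps above describe, as an added example rather than the page's or any vendor's code: the conversion is refused unless consent is recorded, identifiers are normalized and SHA-256 hashed, and every page-level or clinical field is stripped before anything is handed to the ad platform. The allowlist, the health-context field names, the US-number assumption for ten-digit phones, and the sample event are assumptions for this example; the identifier normalization follows Google's published rules for hashed identifiers as I understand them (trim, lowercase, Gmail dot removal), and `hashed_email`, `hashed_phone_number`, `ad_user_data` and `ad_personalization` are used as names only, with no API client involved.

```python
import hashlib
import re

# Event fields allowed to reach the ad platform (assumed allowlist, not a Google schema).
ALLOWED_FIELDS = {"conversion_action", "conversion_time", "order_id", "value", "currency"}
# Fields carrying page-level or clinical context; they must never leave the server.
HEALTH_CONTEXT = {"page_path", "page_title", "service_line", "condition", "provider"}
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


class ConsentRequired(Exception):
    """Visitor has not granted ad_user_data / ad_personalization consent."""


def normalize_email(email: str) -> str:
    """Trim, lowercase, and strip dots from the local part of Gmail addresses."""
    local, _, domain = email.strip().lower().partition("@")
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def normalize_phone(phone: str) -> str:
    """E.164 digits with a leading '+'; 10-digit input is assumed to be a US number."""
    digits = re.sub(r"\D", "", phone)
    return "+" + ("1" + digits if len(digits) == 10 else digits)


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_conversion(event: dict, consent: dict) -> tuple[dict, list[str]]:
    """Return (payload, dropped): consent-gated, hashed identifiers, no health context."""
    if not (consent.get("ad_user_data") and consent.get("ad_personalization")):
        raise ConsentRequired("ad_user_data and ad_personalization consent not recorded")
    payload = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    ids = {}
    if event.get("email"):
        ids["hashed_email"] = sha256_hex(normalize_email(event["email"]))
    if event.get("phone"):
        ids["hashed_phone_number"] = sha256_hex(normalize_phone(event["phone"]))
    payload["user_identifiers"] = ids
    dropped = sorted(k for k in event if k in HEALTH_CONTEXT)  # audit what was stripped
    return payload, dropped


# Constructed sample: an appointment form captured server-side on a cardiology page.
SAMPLE_EVENT = {
    "conversion_action": "customers/PLACEHOLDER/conversionActions/PLACEHOLDER",
    "email": " Jane.Doe@Gmail.com ",
    "phone": "(555) 010-1234",
    "page_path": "/services/cardiology/appointment",
    "condition": "atrial fibrillation",
}
```

The `dropped` list is meant for your own audit log, never for the outbound request; if it is ever empty on a health-specific page, the capture point is probably not recording the context you expect to strip.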
How does Google's restricted category policy for healthcare affect audience targeting?
Google restricts personalized advertising for sensitive health categories. This means you cannot use remarketing or Customer Match to target users based on health conditions. However, this policy is a platform restriction, not a compliance guarantee. Google may still receive health-contextual data through its tracking tags even if it does not allow you to activate remarketing campaigns against that data. Server-side tracking ensures Google does not receive the health-contextual data in the first place.
Can I use Google Analytics 4 audience segments for Google Ads targeting?
GA4 can export audience segments to Google Ads for targeting. If GA4 is installed client-side on health-specific pages, the audiences it builds contain health-interest signals. Exporting these audiences to Google Ads for targeting is sharing health-contextual data with an advertising platform. The compliant approach is to use server-side GA4 implementation (via server-side tagging or a HIPAA-compliant CDP) and carefully evaluate any audience exports to ensure they do not contain health-specific signals.
Google Ads audience targeting for healthcare is not about avoiding Google Ads. It is about understanding which targeting methods create PHI and which do not. The compliant path uses Google's built-in audience segments for reach, contextual targeting for intent, and server-side infrastructure for conversion tracking and audience building. If your healthcare organization is running Google Ads campaigns, Ours Privacy provides the server-side tracking, consent management, and continuous monitoring that keeps your audience strategy compliant.
Related reading:
Google Ads for Healthcare: The Complete HIPAA Compliance Setup Guide
Google Ads Enhanced Conversions for Healthcare: Server-Side Setup Without PHI Leakage
Google Ads Consent Mode v2: What Healthcare Advertisers Need to Know
Google Display Network for Healthcare: Targeting Patients Without Targeting Conditions