Google Ads for Healthcare: The Complete HIPAA Compliance Setup Guide
Every healthcare marketing team eventually faces the same question: how do we run Google Ads without creating the same tracking pixel liability that has generated $193M+ in enforcement actions since 2023? The answer is not to avoid Google Ads. It is to set up every layer of the platform, from account structure to conversion tracking to audience targeting, with compliance built into the architecture rather than bolted on afterward.
This guide walks through the complete setup, step by step. Each section explains what to configure, why the default setting creates risk, and what the compliant alternative looks like.
Step 1: Account Structure and Healthcare Verification
Google requires healthcare advertisers to complete a verification process before running ads in restricted categories. This is a platform policy requirement, not a HIPAA requirement, but it determines what ad formats and targeting options your account can access.
Healthcare and medicines advertiser verification. Depending on your country and the services you advertise, Google may require certification through LegitScript or its own verification form. In the United States, ads for prescription drugs require LegitScript certification. Ads for general healthcare services (hospitals, clinics, medical practices) face fewer restrictions but still fall under Google's personalized advertising policies for healthcare.
Personalized advertising restrictions. Google prohibits personalized advertising (remarketing, similar audiences, custom intent audiences) based on healthcare and medical conditions. This is Google's own policy, independent of HIPAA. You cannot create a Google Ads audience based on users who visited your "Depression Treatment" page, nor can you upload a customer list of patients who received a specific treatment.
These restrictions are baseline. HIPAA requirements go further. Google's restrictions prevent you from targeting based on health data within Google's platform. HIPAA prevents you from sending health data to Google in the first place.
Account-level settings to configure:
Disable auto-apply recommendations. Google's AI may suggest adding broad match keywords, audience expansion, or conversion action changes that conflict with your compliance requirements.
Review data sharing settings. Ensure Google Ads data is not linked to Google Analytics properties that have client-side tracking on healthcare pages.
Document your account structure. Compliance audits require evidence that your advertising configuration was intentional, not accidental.
Step 2: Campaign Architecture That Separates Health Context
The way you structure campaigns determines what data Google associates with your advertising activity.
Name campaigns, ad groups, and conversion actions without clinical language. Google stores all naming data and makes it available across reporting interfaces, Google support interactions, and API integrations. "Campaign: Bariatric Surgery Q2" tells Google exactly what medical service you are advertising. "Campaign: Service Line 3 Q2" does not.
Separate campaigns by compliance risk tier.
Tier 1 (general brand). Brand awareness campaigns, employer branding, community health events. These carry minimal PHI risk because the landing pages and keywords are not condition-specific.
Tier 2 (service line acquisition). Campaigns driving appointments or consultations for specific medical services. These carry moderate risk because the keywords and landing pages reference health conditions.
Tier 3 (sensitive categories). Mental health, addiction treatment, reproductive health, HIV/STI testing. These carry the highest risk due to the sensitive nature of the health data and additional regulatory requirements (42 CFR Part 2 for substance abuse, state laws for reproductive health).
Each tier should have distinct tracking configurations, landing page setups, and conversion measurement approaches.
Step 3: Landing Page Compliance
Your landing pages are where HIPAA risk concentrates. Every script running on a landing page can potentially capture and transmit visitor data to third parties.
Audit every script on conversion pages. Use your browser's developer tools or a web scanner to identify every JavaScript file, tracking pixel, cookie, and network request on your healthcare landing pages. Common offenders include:
Google Analytics tags (especially GA4 with enhanced measurement enabled)
Meta Pixel remnants from previous campaigns
Chat widgets that log visitor behavior
Form tools that send submission data to third-party servers
Heatmap or session recording scripts
Remove or replace client-side tracking. Any script that sends data from the patient's browser to a third-party server is a potential PHI vector when it runs on a page with health context. Replace client-side tags with server-side tracking architecture that routes data through your own infrastructure first.
Handle form submissions server-side. When a patient submits a "Request an Appointment for Orthopedic Surgery" form, that submission should go to your server. Your server then decides what information (if any) to forward to Google for conversion tracking, after verifying consent and stripping health context.
Step 4: Conversion Tracking Without PHI Transmission
This is the most critical step. Standard Google Ads conversion tracking uses a JavaScript tag (gtag.js or Google Tag Manager) that fires in the patient's browser when a conversion occurs. The tag sends the conversion event, along with page URL, click ID, and any enhanced conversion data, directly to Google.
Why the default is dangerous. When a conversion fires on yoursite.com/appointments/cardiology/thank-you, Google receives the page URL, which contains the medical specialty. Combined with the gclid (Google Click ID) that ties the conversion to a specific user who clicked your ad, Google now holds an association between an identifiable individual and a cardiology service.
The server-side alternative. Instead of firing a conversion tag in the browser:
The browser sends the conversion event to your server.
Your server verifies consent.
Your server strips health context from the event (replaces the specific page URL with a generic conversion identifier).
Your server sends the sanitized conversion to Google's Ads API.
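As an added illustration of the server-side flow described above (example code, not from this guide or from Ours Privacy), the Python function below performs the consent check, replaces the clinical page path with a generic conversion identifier, and fails closed on anything it cannot map. The consent store, the path-to-label mapping, the session id and the event shape are constructed placeholders; the output uses field names from the Google Ads API click-conversion upload but does not perform the upload itself.

```python
import re
from datetime import datetime, timezone

# Constructed mapping from landing-page paths to generic conversion labels.
# The clinical path is used only for this lookup and never leaves the server.
CONVERSION_MAP = {
    "/appointments/cardiology/thank-you": "lead_form_submission",
    "/appointments/orthopedics/thank-you": "lead_form_submission",
    "/contact/thank-you": "contact_form_submission",
}

# Constructed consent store keyed by a hypothetical first-party session id.
CONSENT_STORE = {"sess-1": True, "sess-2": False}

GCLID_RE = re.compile(r"^[A-Za-z0-9_-]{10,}$")


class ConversionRejected(Exception):
    """Raised when an event must not be forwarded to Google."""


def sanitize_conversion(event: dict) -> dict:
    """Turn a browser-posted event into the only record allowed to leave the server.

    event (constructed shape): {"session_id", "gclid", "page_path", "value"}.
    The result carries no page URL, referrer, form fields or free text.
    """
    # Verify consent before looking at anything else.
    if not CONSENT_STORE.get(event.get("session_id"), False):
        raise ConversionRejected("no advertising consent on record")
    gclid = event.get("gclid", "")
    if not GCLID_RE.match(gclid):
        raise ConversionRejected("missing or malformed gclid")
    # Replace the specific page with a generic conversion identifier.
    action = CONVERSION_MAP.get(event.get("page_path"))
    if action is None:
        # Unmapped page: fail closed rather than forward the raw path.
        raise ConversionRejected("page not mapped to a generic conversion action")
    # Build the sanitized record. In a real Google Ads API upload the
    # conversion_action field is a resource name resolved from this label.
    return {
        "gclid": gclid,
        "conversion_action": action,
        "conversion_value": float(event.get("value", 0)),
        "currency_code": "USD",
        "conversion_date_time": datetime.now(timezone.utc).strftime(
            "%Y-%m-%d %H:%M:%S+00:00"),
    }
```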
For detailed implementation steps, see our Enhanced Conversions guide.
Step 5: Audience Strategy Within Google's Restrictions
Google already restricts healthcare audience targeting, but the restrictions are not comprehensive enough for HIPAA compliance.
What Google restricts: Remarketing lists based on health condition pages. Custom intent audiences using health-related search terms. Customer match lists based on health status.
What HIPAA adds: Even within allowed targeting options, you must ensure that the audience signals you provide to Google do not constitute PHI. For example, uploading a customer list for Customer Match is only compliant if the list does not associate individuals with health conditions and the individuals have consented to advertising use of their data.
Safe audience strategies:
Contextual targeting. Target based on content topics rather than user behavior. Your ad appears next to health-related content, but you are not building an audience based on individuals' health interests.
Broad keyword targeting. Target general health terms ("find a doctor near me") rather than condition-specific terms that might be too narrow and effectively identify users by health status.
First-party audiences with consent. If you build audiences from your own data, ensure every individual in the audience has provided consent for advertising use, and the audience definition itself does not reference health conditions.
See our Google Ads audience targeting guide for a complete breakdown of what is permitted under both Google policy and HIPAA.
Step 6: Ongoing Monitoring and Compliance Maintenance
Setting up a compliant Google Ads configuration is the beginning, not the end. The tracking surface of your website changes constantly.
Marketing teams add scripts. A new campaign launches with a landing page, and someone installs a chat widget or a heatmap tool to optimize it. That tool is now capturing visitor behavior on a health-context page.
Plugins and CMS updates introduce tracking. WordPress plugins, HubSpot embeds, and CMS templates often include third-party scripts that fire on every page, including healthcare service pages.
Agency partners deploy tags. If your Google Ads account is managed by an agency, they may install tags through Google Tag Manager without understanding your compliance requirements.
Every enforcement case in the healthcare tracking space involved tracking that ran for years before anyone noticed. Advocate Aurora Health's Meta Pixel and Google Analytics exposure ran from 2017 to 2022, affecting 3 million patients, before the breach was identified.
A web scanner that continuously monitors your site detects every new script, cookie, and tracking pixel as it appears. It flags which scripts lack a BAA, which cookies come from third parties, and which tracking pixels are sending data to platforms without the appropriate agreements. This is the difference between discovering a compliance gap during a quarterly audit and discovering it through a class action lawsuit.
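The script audit in Step 3 and the continuous monitoring described here share one core task: list every host a landing page contacts and flag the ones that are neither first-party nor previously approved. The Python below is an added example (not the scanner this guide refers to, nor code from Ours Privacy) that does both over a constructed landing page; the first-party allowlist, the tracker list, the sample page and the hostnames in it are all assumptions for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: your own domains plus your server-side collection host.
FIRST_PARTY = {"www.example-health.org", "t.example-health.org"}

# Constructed tracker list for the example; in practice this comes from your
# inventory of vendors with and without a BAA.
KNOWN_TRACKERS = {"www.googletagmanager.com", "www.google-analytics.com",
                  "connect.facebook.net", "www.facebook.com", "static.hotjar.com"}

# Constructed landing page showing the kinds of offenders listed in Step 3.
SAMPLE_PAGE = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://www.example-health.org/js/app.js"></script>
<link rel="stylesheet" href="https://fonts.example-cdn.net/a.css">
</head><body>
<img src="https://www.facebook.com/tr?id=0&ev=PageView" height="1" width="1">
<iframe src="https://static.hotjar.com/widget.html"></iframe>
</body></html>"""


class _LoaderScanner(HTMLParser):
    """Collect the host of every external script, pixel image, iframe and link."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe", "link"):
            return
        a = dict(attrs)
        host = urlparse(a.get("src") or a.get("href") or "").netloc.lower()
        if host:
            self.hosts.add(host)


def scan_page(html: str) -> dict:
    """Audit: which third-party hosts receive a request when this page loads."""
    parser = _LoaderScanner()
    parser.feed(html)
    third_party = {h for h in parser.hosts if h not in FIRST_PARTY}
    return {"third_party": third_party,
            "known_trackers": third_party & KNOWN_TRACKERS}


def new_since_baseline(html: str, approved: set) -> set:
    """Monitoring: third-party hosts absent from the last approved scan."""
    return scan_page(html)["third_party"] - approved
```

Run the scan against each health-context page on every deploy and treat any non-empty result from new_since_baseline as a change that needs review before it ships.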
The Enforcement Context Healthcare Advertisers Cannot Ignore
GoodRx ($1.5M FTC + $25M class action, 2023). GoodRx configured Meta Pixel and Google tracking pixels that shared prescription drug names, health conditions, and personal identifiers with Facebook, Google, and other ad platforms. This was the first enforcement under the FTC Health Breach Notification Rule.
GoodRx's case is particularly relevant for Google Ads users because the Google tracking pixel was specifically named in the enforcement. The data that created liability was sent through standard, properly configured Google tracking tags. The tags did exactly what they were designed to do. The problem was that no compliance layer existed between the website and Google.
FAQ
Does Google sign a BAA for Google Ads?
No. Google does not sign Business Associate Agreements for its advertising products, including Google Ads, Google Analytics, and Google Tag Manager. This means healthcare organizations must ensure that no PHI reaches Google's advertising infrastructure. The compliance obligation falls entirely on your organization to prevent PHI transmission, which requires server-side architecture between your website and Google.
Can I use Google's auto-bidding strategies like Target CPA?
Yes, but with awareness of the data implications. Auto-bidding strategies use conversion data to optimize bids. If your conversion tracking sends clean, PHI-free data to Google (using the server-side approach described above), auto-bidding can operate safely. The key is ensuring the conversion signal Google receives contains no health context. A generic "Lead Form Submission" conversion with a dollar value works. A "Cardiology Appointment Request" conversion does not.
Is Google Ads remarketing allowed for healthcare?
Google's own policies restrict remarketing based on health conditions. Beyond Google's restrictions, HIPAA generally prohibits creating remarketing audiences from healthcare page visits because doing so associates individuals with health information and transmits that association to Google. Contextual targeting and broad keyword targeting are safer alternatives. If you use any form of remarketing, it must be based on non-health-related pages only (such as your homepage or careers page) and must not associate users with specific medical services.
What about Google Ads conversion tracking for phone calls?
Google's call tracking features (call extensions, call-only ads, website call conversions) involve Google recording or processing phone numbers and call metadata. If a patient calls a number associated with a specific medical service through a Google call extension, Google holds the association between a phone number and a health service. Server-side call tracking through your own phone system, with consent verification before any data reaches Google, is the compliant approach.
How often should I audit my Google Ads compliance setup?
At minimum, audit quarterly. Ideally, use continuous monitoring through a web scanner that flags new scripts, tags, and tracking changes as they happen. Beyond automated scanning, conduct manual reviews whenever campaigns change, landing pages are updated, conversion actions are modified, or new team members or agencies gain access to your Google Tag Manager or Google Ads accounts.
Google Ads remains one of the most effective patient acquisition channels for healthcare organizations. Running it compliantly is not about limiting what you can do. It is about building the right infrastructure so that performance data flows to Google without patient data flowing alongside it.
Ours Privacy provides the server-side tracking, consent management, and continuous monitoring that healthcare organizations need to run Google Ads at scale without compliance risk.
Related reading:
Google Ads Enhanced Conversions for Healthcare
Google Ads Audience Targeting for Healthcare
Server-Side Google Ads Tracking for Healthcare
Server-Side vs. Client-Side Tracking