Google Display Network for Healthcare: Targeting Patients Without Targeting Conditions
Two healthcare marketing teams run display campaigns on the Google Display Network. One uses contextual targeting: ads appear on health and wellness websites based on page content. The other uses behavioral targeting: ads appear to users based on their browsing history, in-market signals, and website visit data from a remarketing pixel. Both campaigns look identical in the Google Ads dashboard. Both drive impressions, clicks, and conversions. But only one of them is defensible under HIPAA.
The difference between contextual and behavioral targeting on GDN is the difference between placing an ad in a health magazine and following a patient home after their doctor's appointment. One is advertising. The other is surveillance. Understanding where that line falls across GDN's targeting options is essential for any healthcare organization running display campaigns.
Contextual Targeting vs. Behavioral Targeting on GDN
Google Display Network offers targeting methods that fall into two broad categories. The compliance implications of each are fundamentally different.
Contextual targeting places your ad based on the content of the page where it appears. You select topics, keywords, or placements, and Google matches your ad to pages with relevant content. No user data is required. No tracking pixel needs to fire. The ad shows up because the page is about healthcare, not because the viewer has a health condition.
Behavioral targeting places your ad based on who the viewer is. This includes remarketing (showing ads to people who visited your website), in-market audiences (people Google identifies as actively researching healthcare services), custom intent audiences (people who have searched for specific health terms), and similar audiences (lookalike profiles based on your existing audiences). Each of these requires Google to build or receive a profile of the individual user's health interests.
For healthcare advertisers, this distinction is the compliance boundary. Contextual targeting does not require transmitting any patient data to Google. Behavioral targeting requires either (a) installing tracking pixels that send visitor data from your healthcare website to Google or (b) uploading audience data that connects individuals to health conditions.
Where Behavioral GDN Targeting Creates PHI
To understand the risk, trace what happens when a healthcare organization uses behavioral targeting on GDN.
Remarketing. You install the Google Ads remarketing tag on your website. A patient visits your cardiology department page. The tag fires, sending a cookie ID, page URL, and timestamp to Google. Google now knows that a specific browser visited a cardiology page on a healthcare website. When that person later visits a news site in the Display Network, Google shows them your cardiology ad. The remarketing list itself is an association between identifiable browsers and health services. That association lives on Google's servers, and Google does not sign a BAA for advertising products.
In-market audiences for health. Google builds in-market audiences by analyzing users' search and browsing behavior across its properties. When you target the "Health: Hospitals & Healthcare Facilities" in-market segment, you are reaching people Google has identified as actively researching healthcare. Your ad does not create the PHI; Google's profiling does. But your decision to target these audiences, combined with conversion tracking that connects ad interactions to form submissions, can create a data flow where health intent meets identifying information.
Custom intent and custom segments. These audiences let you target people who have recently searched for specific terms. If you create a custom segment targeting users who searched "knee replacement surgery near me," you are effectively asking Google to identify individuals by their health needs and show them your ad. The data flow is Google's, but your campaign configuration directed it.
Similar audiences (now Optimized Targeting). Google analyzes your existing conversion data or customer lists to find users with similar profiles. If your conversion data carries any health context, Google's expansion algorithm inherits that context.
The Contextual Alternative That Preserves Reach
Contextual targeting on GDN is not a compromise. For healthcare, it is often the superior strategy for both compliance and performance.
Topic targeting. Select broad topic categories like "Health" or "Fitness" to place ads on relevant content pages. Your orthopaedic practice's ad appears on pages about joint health, exercise, and wellness. No user profiling required.
Keyword contextual targeting. Provide Google with keywords, and your ad appears on Display Network pages that contain those keywords. This is content matching, not user matching. An ad for your women's health clinic appears on articles about women's health topics. The targeting signal is the page content, not the reader's identity.
Managed placements. Hand-select specific websites, apps, or YouTube channels where you want your ads to appear. This gives you full control over ad context without any behavioral data. A children's hospital might select parenting websites, local community news sites, and education-focused platforms.
Affinity audiences (with caution). Google's affinity audiences are interest-based rather than intent-based. "Health & Fitness Enthusiasts" is a broad lifestyle category, not a health condition identifier. These carry lower risk than in-market or custom intent audiences, but healthcare teams should still avoid narrow health-related affinity segments that could imply specific conditions.
The performance trade-off is smaller than most teams expect. Contextual targeting on GDN often delivers comparable or better engagement rates because the ad appears in a relevant content environment. A patient reading an article about managing back pain is a more receptive audience for a spine care ad than someone being retargeted while reading sports scores.
Conversion Tracking: Where Both Approaches Can Fail
Even with compliant targeting, your conversion tracking setup can create PHI exposure. This is where many healthcare teams make mistakes.
Standard GDN conversion tracking uses the same Google Ads tag (gtag.js) as search campaigns. When a patient clicks a display ad, lands on your site, and submits a form, the conversion tag fires in the browser and sends data to Google. If the conversion page URL contains health context (/services/neurology/appointment-confirmed), that context reaches Google alongside the user's click ID.
The solution is the same regardless of targeting method: server-side conversion tracking. Route conversion events through your own server, strip health context, verify consent, and send only sanitized data to Google's API. Your display campaigns get accurate conversion data. Google never receives the clinical context.
This architecture is especially important for GDN because display campaigns generate high impression volumes across thousands of placements. The more touchpoints your campaign creates, the more opportunities exist for data to flow in unexpected directions. Server-side tracking gives you a single, controlled pipeline for all conversion data.
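The server-side pipeline described above, as an added example that is not part of the original article or any vendor's code. It checks consent, strips health context and forwards only allow-listed fields; the field names, the NEUTRAL_ACTIONS mapping and the sample events are assumptions constructed for illustration, not a Google API payload.

```python
from urllib.parse import urlsplit

# Assumption: final URL segments that mark a conversion, mapped to labels
# that carry no service-line or condition information.
NEUTRAL_ACTIONS = {"appointment-confirmed": "lead_form_submit"}
# Allow-list: any field not named here (email, full URL, referrer) is dropped.
ALLOWED_FIELDS = ("gclid", "timestamp")

def sanitize_conversion(event):
    """Return a payload that is safe to forward, or None if nothing may be sent."""
    # Consent comes from the server-side consent record, not a browser flag.
    consent = event.get("consent") or {}
    if consent.get("advertising") is not True:
        return None
    if not event.get("gclid"):
        return None
    # Only the last path segment is inspected; "/services/neurology/..." and
    # the query string never leave this function.
    path = urlsplit(event.get("page_url", "")).path.rstrip("/")
    action = NEUTRAL_ACTIONS.get(path.rsplit("/", 1)[-1])
    if action is None:
        return None  # unknown page: fail closed rather than forward the URL
    payload = {k: event[k] for k in ALLOWED_FIELDS if k in event}
    payload["conversion_action"] = action
    return payload

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"gclid": "TEST-GCLID-123", "timestamp": "2024-05-01T14:03:00Z",
     "page_url": "https://clinic.example/services/neurology/appointment-confirmed?dept=neuro",
     "email": "patient@example.com", "consent": {"advertising": True}},
    {"gclid": "TEST-GCLID-456", "timestamp": "2024-05-01T14:09:00Z",
     "page_url": "https://clinic.example/services/cardiology/appointment-confirmed",
     "consent": {"advertising": False}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(sanitize_conversion(ev))
```

The sanitizer fails closed: an event with no consent record, no click ID or an unmapped page produces no outbound payload at all.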
Enforcement Cases That Started with Display and Pixel Data
Advocate Aurora Health ($12.25M class action, 2024). Advocate Aurora installed Meta Pixel and Google Analytics on its website, app, and patient portal to "better understand patient needs." The tools exposed data of approximately 3 million patients to Meta and Google without consent, from 2017 to 2022. The data included page visits to condition-specific sections of the website, exactly the kind of data that feeds display remarketing audiences.
Novant Health ($6.66M class action, 2024). Novant Health deployed Meta Pixel on websites and its MyChart patient portal, collecting and sharing PHI of approximately 1.3 million individuals with Facebook. The pixel data could be used for ad targeting, including display and remarketing campaigns.
Both cases involved standard tracking pixels operating as designed. The pixels collected browsing data from healthcare websites and sent it to ad platforms. That data became the foundation for behavioral targeting and remarketing. The enforcement was not about how the data was used for targeting; it was about the fact that health-contextual browsing data reached third-party platforms at all.
Building a Compliant GDN Campaign From Scratch
1. Choose contextual targeting exclusively for health-related campaigns. Use topic targeting, keyword contextual targeting, or managed placements. Avoid remarketing, in-market health audiences, and custom intent segments built on health search terms.
2. Implement server-side conversion tracking. Do not rely on client-side Google tags for conversion measurement. Route all conversion events through your server-side infrastructure, strip health context, and send sanitized conversion data to Google's API.
3. Audit your landing pages. Every landing page in your GDN campaign should be free of client-side tracking scripts that send data to third parties without your control. A web scanner can continuously monitor landing pages for new scripts introduced by marketing team members, agencies, or CMS updates.
4. Use consent-gated data flows. Before any conversion data reaches Google, verify that the user has provided consent for advertising data use. This verification must happen server-side, not through a JavaScript consent banner alone. Consent management is where healthcare compliance is heading across federal and state regulation, and building it into your architecture now prevents retroactive compliance projects later.
5. Monitor placement reports. GDN can place your ads on millions of websites. Regularly review your placement reports to ensure your ads are not appearing on sites that create brand safety issues or associate your organization with inappropriate content. Exclude placements proactively.
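A minimal version of the landing-page audit in step 3, as an added example that is not part of the original article or any scanner product. It lists every script, iframe and image that a page loads from a host outside a first-party allow-list; the domain clinic.example, the tag ID and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ThirdPartyAudit(HTMLParser):
    """Collect external hosts referenced by script, iframe and img tags."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe", "img"):
            return
        src = dict(attrs).get("src") or ""
        host = urlsplit(src).hostname  # None for relative URLs and inline scripts
        if host and not self._is_first_party(host):
            self.findings.append((tag, host))

    def _is_first_party(self, host):
        # Match the registered domain itself or any subdomain of it.
        return any(host == d or host.endswith("." + d) for d in self.first_party)

def audit_page(html, first_party):
    """Return a sorted, de-duplicated list of (tag, third-party host) pairs."""
    parser = ThirdPartyAudit(first_party)
    parser.feed(html)
    return sorted(set(parser.findings))

# Constructed landing page: one first-party script, two third-party tags,
# one first-party image served from a subdomain.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=AW-0000000000"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
</head><body><img src="https://cdn.clinic.example/logo.png"></body></html>
"""

if __name__ == "__main__":
    for tag, host in audit_page(SAMPLE_HTML, {"clinic.example"}):
        print(f"third-party {tag}: {host}")
```

A static parse only sees tags present in the served HTML; scripts injected at runtime by a tag manager require a check of the rendered page's network requests.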
FAQ
Can I use Google Display Network remarketing for healthcare?
Google's own policies restrict remarketing based on health conditions. Beyond Google's policy, HIPAA creates additional requirements. Installing Google's remarketing pixel on pages with health context (service line pages, appointment pages, condition-specific content) means you are sending health-contextual browsing data to Google's servers for every visitor. Since Google does not sign a BAA for advertising products, this data transmission lacks the contractual framework HIPAA requires. Contextual targeting achieves similar reach without requiring any user-level tracking data.
What is the difference between topic targeting and in-market audience targeting?
Topic targeting places your ad on pages about specific topics, regardless of who is viewing them. In-market audience targeting shows your ad to specific users Google has identified as interested in a topic, regardless of what page they are currently viewing. The first is content-based; the second is person-based. For healthcare, topic targeting is the compliant choice because it does not require Google to build or use a profile of the viewer's health interests.
Do contextual display campaigns perform worse than behavioral campaigns?
Not necessarily. Studies consistently show that contextual targeting performs comparably to behavioral targeting for many advertisers, and in some cases outperforms it. For healthcare specifically, contextual ads benefit from appearing in a relevant content environment where the reader is already thinking about health topics. This contextual relevance often drives higher engagement than retargeting ads that follow users across unrelated websites.
How do I measure GDN campaign effectiveness without remarketing pixels?
Server-side conversion tracking provides accurate conversion data without client-side pixels. You can measure impressions, clicks, and conversions through Google Ads reporting. For view-through conversion measurement, server-side approaches can capture the initial ad impression ID and reconcile it with conversions on your server, without requiring a tracking pixel on your healthcare website.
Should I exclude health-related placements from my GDN campaigns?
This depends on your campaign objective. If you are running a general brand campaign, you may want to exclude sensitive health content categories to avoid brand safety issues. If you are running a service line campaign using contextual targeting, health-related placements are exactly where you want your ads to appear. The key is that your targeting method (contextual) and your tracking method (server-side) are both compliant, regardless of where the ad appears.
The Google Display Network remains a valuable channel for healthcare brand awareness and patient acquisition. The path to compliance is not about limiting your reach. It is about choosing targeting methods that do not require patient data and tracking methods that do not transmit it.
Ours Privacy provides the server-side infrastructure and continuous monitoring that healthcare organizations need to run GDN campaigns with confidence.