Google Performance Max for Healthcare: Campaign Structure That Protects PHI
Performance Max campaigns let Google's AI decide where your ads appear, who sees them, and how your budget is allocated across Search, Display, YouTube, Gmail, Maps, and Discovery. For most advertisers, this automation is the selling point. For healthcare advertisers, it is the compliance risk.
Standard Google Ads campaigns give you manual control over targeting, placements, and conversion tracking. You can choose contextual targeting over behavioral targeting. You can exclude sensitive audience segments. You can control which landing pages serve which campaigns. Performance Max removes most of those controls and replaces them with machine learning that optimizes for conversions using whatever data and targeting methods Google's algorithm determines are most effective.
The question is not whether Performance Max can drive results for healthcare. It can. The question is whether the automation surrenders too much control over data flows for an industry where a misrouted data point can become an eight-figure settlement.
What PMax Controls vs. What Manual Campaigns Control
Understanding what you give up with Performance Max is the starting point for evaluating its compliance implications.
| Control | Manual Campaigns | Performance Max |
|---|---|---|
| Search keyword targeting | Full control (exact, phrase, broad) | Google selects search terms automatically |
| Display placements | Managed placements or contextual | Google selects placements automatically |
| YouTube targeting | Topic, placement, keyword | Google selects automatically |
| Audience signals | You select; they are applied | You provide "signals"; Google decides weight |
| Creative combinations | You build specific ads | Google mixes and matches asset groups |
| Conversion optimization | You choose conversion actions | Google optimizes across all eligible actions |
| Search term reporting | Full reporting | Limited reporting |
For compliance, the critical losses are: you cannot guarantee PMax will not use behavioral targeting on the Display Network, you cannot confirm which search terms triggered your ads (limiting your ability to exclude health-condition terms), and you cannot control which conversion actions PMax prioritizes if you have multiple actions configured.
The Two Approaches: PMax vs. Manual Campaign Architecture
Approach 1: Performance Max with compliance guardrails. You set up PMax with audience signals, asset groups organized by service line, and conversion tracking. You layer on exclusions and restrictions to limit where and how Google uses your data. This approach delivers Google's automation benefits but requires constant monitoring to ensure the algorithm is not creating data flows that cross compliance boundaries.
Approach 2: Manual campaigns with full control. You build separate Search, Display, and YouTube campaigns with manual targeting, explicit placement selections, and campaign-specific conversion tracking. This approach requires more management time but gives you complete visibility into where your ads appear, who sees them, and what data reaches Google.
For healthcare organizations, the trade-off is between operational efficiency and compliance control. Most compliance teams, when presented with both options, choose the approach that lets them document exactly what data goes where. That is the manual approach.
However, some healthcare organizations use PMax successfully by implementing the guardrails described below. The right choice depends on your organization's risk tolerance, your compliance team's capacity to monitor PMax behavior, and whether you have server-side tracking infrastructure in place.
Making PMax Work: Healthcare-Specific Configuration
If your organization decides to use Performance Max, these configurations reduce compliance risk.
Organize asset groups by compliance tier, not service line. Instead of creating asset groups named "Cardiology" and "Oncology," create groups based on content sensitivity: "General Services" for broad healthcare topics and "Specialty Services" for condition-specific content. The asset group is the unit within which Google mixes headlines, descriptions, images, and landing pages, and it is also where audience signals are attached. Separating by sensitivity keeps condition-specific creative from being combined with your general creative and audience signals, and gives you a single place to apply tighter URL exclusions and review for the sensitive tier.
Use audience signals, not audience exclusions, to steer targeting. PMax does not support traditional audience exclusions the way manual campaigns do. Instead, provide audience signals that guide the algorithm toward appropriate audiences. Provide signals based on demographics, general interest categories, and location rather than health-specific audiences. Be aware that signals are suggestions, not restrictions. Google may disregard them if its algorithm finds better conversion opportunities elsewhere.
Limit conversion actions. If you have multiple conversion actions in your account (appointment requests for different specialties, phone calls, form submissions), PMax will optimize across all of them unless you restrict which actions the campaign can use. Create a single, generic conversion action for PMax ("Lead Submission") rather than specialty-specific actions ("Psychiatry Appointment," "Dermatology Consultation"). This prevents Google from associating conversion data with specific health services.
Use URL expansion controls. With final URL expansion on (the default), PMax can send traffic to any page on your website that it determines will convert well, substituting its own landing page for the one in your asset group. If your site includes patient portal login pages, condition-specific resource pages, or pages that imply health conditions, PMax may drive traffic to them. Either turn final URL expansion off, or keep it on and add URL exclusion rules covering every sensitive page. Review the landing page report regularly to confirm PMax is not discovering and using pages you did not intend.
Monitor placement reports. PMax provides limited but available placement reporting. Review where your ads appeared across Display, YouTube, and Discovery. Exclude any placements that create brand safety concerns or that might indicate Google's algorithm is targeting health-condition-specific content in ways you did not authorize.
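The landing page and placement reviews above are only useful if they are done the same way every time. The script below is an added example, not code from this page or from Ours Privacy, of the check a compliance team would run against an exported landing page report: it flags pages that were served even though a URL exclusion rule should have blocked them (a rule that is missing from the campaign, mistyped, or added after the traffic ran), and separately flags sensitive-looking pages that no rule covers yet. The report columns, the exclusion rule shapes, the sensitive-term list and the sample rows are all assumptions for the example.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# URL exclusion rules as you would enter them under final URL expansion.
# Rule shapes and values are assumed for this example.
EXCLUSION_RULES = [
    ("contains", "/portal/"),
    ("contains", "/conditions/"),
    ("regex", r"^/services/(oncology|psychiatry|addiction)(/|$)"),
]

# Path fragments that mark a page as health-contextual even when no rule covers it.
# Keep this broad: a false positive costs a minute of review, a miss is a disclosure.
SENSITIVE_TERMS = (
    "cardiology", "oncology", "psychiatry", "addiction", "reproductive",
    "hiv", "conditions", "portal", "mychart", "login",
)


def normalize_path(url: str) -> str:
    """Lower-cased path only; query strings (gclid, utm_*) do not affect the match."""
    path = urlsplit(url).path.lower()
    return path or "/"


def rule_matches(rule, path: str) -> bool:
    kind, pattern = rule
    if kind == "contains":
        return pattern.lower() in path
    if kind == "regex":
        return re.search(pattern, path) is not None
    raise ValueError(f"unknown rule kind: {kind}")


def sensitive_terms_in(path: str):
    return [term for term in SENSITIVE_TERMS if term in path]


def audit_landing_pages(report_csv: str, rules=EXCLUSION_RULES) -> dict:
    """Split a landing page report into the two findings that matter:
    pages served although a rule should have excluded them, and
    sensitive-looking pages that no rule covers yet."""
    served_despite_rule, sensitive_without_rule = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        url = row["Landing page"]
        path = normalize_path(url)
        clicks = int(row["Clicks"])
        matched = [rule for rule in rules if rule_matches(rule, path)]
        if matched:
            served_despite_rule.append((url, clicks, matched[0]))
            continue
        terms = sensitive_terms_in(path)
        if terms:
            sensitive_without_rule.append((url, clicks, terms))
    return {
        "served_despite_rule": served_despite_rule,
        "sensitive_without_rule": sensitive_without_rule,
    }


# Constructed sample in the shape of an exported landing page report (not real data).
SAMPLE_REPORT = """Landing page,Clicks,Conversions
https://example-health.org/,412,18
https://example-health.org/locations/downtown,97,4
https://example-health.org/services/cardiology/consult?gclid=abc123&utm_campaign=pmax,55,6
https://example-health.org/portal/login,23,0
https://example-health.org/conditions/hiv-testing,9,1
https://example-health.org/services/oncology/second-opinion,14,2
"""

if __name__ == "__main__":
    findings = audit_landing_pages(SAMPLE_REPORT)
    for url, clicks, rule in findings["served_despite_rule"]:
        print(f"EXCLUSION FAILED  {clicks:4d} clicks  {url}  (rule: {rule})")
    for url, clicks, terms in findings["sensitive_without_rule"]:
        print(f"NO RULE YET       {clicks:4d} clicks  {url}  (terms: {terms})")
```

Run it against each month's export. Any row in the first list means the campaign configuration and your documented exclusion list have drifted apart and the gap needs to be closed and recorded; any row in the second list is a page PMax discovered on its own that needs either a new rule or a decision that it is genuinely non-sensitive.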
Conversion Tracking: The Hidden PMax Risk
The biggest compliance risk in Performance Max is not the targeting automation. It is the conversion tracking.
PMax is heavily dependent on conversion data to optimize. The more conversion data it receives, the better it performs. This creates pressure to send as much conversion data to Google as possible, including data that carries health context.
Standard PMax conversion tracking flow: A patient clicks a PMax ad, lands on your cardiology page, and submits a consultation request. The Google Ads tag fires in the browser, sending the conversion event, the page URL (which contains "cardiology"), the click ID, and any enhanced conversion data to Google. PMax uses this to find more users like this one and show them similar ads.
The problem: Google now knows that a specific user converted on a cardiology page. PMax's optimization algorithm uses this health-contextual conversion data to build its targeting model. The algorithm may then target other users it identifies as similar to cardiology converters, effectively creating a health-condition-based audience without your explicit direction.
The compliant approach: Route all conversion data through server-side tracking infrastructure. Strip health context before the conversion reaches Google. Send a generic "Lead Form" conversion to Google rather than "Cardiology Lead." PMax still receives the conversion signal it needs to optimize, but the signal carries no health context.
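What "strip health context before the conversion reaches Google" looks like in code is an allowlist, not a cleanup. The endpoint below is an added example, not code from this page or from Ours Privacy: it receives the event a browser-side tag would otherwise have sent, keeps only the fields Google needs to attribute and optimise (click ID, time, value, currency), forces the single generic conversion action name, and then runs a denylist over the outgoing payload as a backstop, refusing to forward if a health term survives. Everything else in the event (page URL, page title, the specialty-specific action name, form data) never leaves the server. The event field names, the term list, the click ID format check and the sample event are assumptions for the example; the call that actually posts the payload to the Google Ads API is out of scope and not shown.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# The single generic conversion action PMax is allowed to see.
GENERIC_CONVERSION_ACTION = "Lead Submission"

# Allowlist: only these event fields are ever copied into the outgoing payload.
# page_url, page_title, referrer, form fields and the specialty-specific action
# name are not on it and therefore never leave the server.
FORWARDED_FIELDS = ("conversion_time", "conversion_value", "currency")

# Denylist backstop, applied to the outgoing payload after allowlisting.
# Assumed list; extend it with your own service lines.
HEALTH_TERMS = (
    "cardiology", "oncology", "psychiatry", "dermatology", "hiv",
    "addiction", "reproductive", "behavioral", "portal",
)

# Click IDs are opaque tokens; reject anything that does not look like one so a
# tampered client cannot smuggle free text through the click-ID field.
CLICK_ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{10,200}$")


def extract_click_id(event: dict):
    """Use an explicit gclid if present, else the one in the landing URL query."""
    gclid = event.get("gclid")
    if not gclid and event.get("page_url"):
        query = parse_qs(urlsplit(event["page_url"]).query)
        gclid = query.get("gclid", [None])[0]
    if gclid and CLICK_ID_PATTERN.match(gclid):
        return gclid
    return None


def find_health_context(payload: dict):
    """Return (field, term) pairs for every string value carrying a health term."""
    hits = []
    for field, value in payload.items():
        if isinstance(value, str):
            lowered = value.lower()
            hits.extend((field, term) for term in HEALTH_TERMS if term in lowered)
    return hits


def sanitize_conversion(event: dict):
    """Reduce a client-side conversion event to the minimum Google needs:
    generic action name, click ID, time, value, currency.
    Returns None when there is no valid click ID (nothing to attribute) and
    raises if health context survives the allowlist."""
    gclid = extract_click_id(event)
    if gclid is None:
        return None
    payload = {"conversion_action": GENERIC_CONVERSION_ACTION, "gclid": gclid}
    for field in FORWARDED_FIELDS:
        if field in event:
            payload[field] = event[field]
    leaks = find_health_context(payload)
    if leaks:
        raise ValueError(f"refusing to forward; health context in payload: {leaks}")
    return payload


# Constructed sample of what a browser-side tag would have sent (not real data).
SAMPLE_CLIENT_EVENT = {
    "conversion_action": "Cardiology Consultation Request",
    "page_url": "https://example-health.org/services/cardiology/consult"
                "?gclid=Cj0KCQiA_example_click_id_123&utm_campaign=pmax_specialty",
    "page_title": "Request a Cardiology Consultation",
    "conversion_time": "2025-03-04T15:22:10Z",
    "conversion_value": 0.0,
    "currency": "USD",
    "email": "patient@example.com",
}

if __name__ == "__main__":
    print(json.dumps(sanitize_conversion(SAMPLE_CLIENT_EVENT), indent=2))
```

The allowlist does the real work; the denylist only catches mistakes such as someone later adding a free-text field to FORWARDED_FIELDS. Failing closed on a denylist hit is deliberate: a dropped conversion costs a little optimisation signal, a forwarded one is a disclosure you cannot take back.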
Enforcement Context: When Automation Meets Health Data
Sutter Health ($21.5M class action, 2025). Sutter Health implemented Google Analytics, the Meta Pixel, and other advertising tracking tools on its MyHealthOnline patient portal. The tools tracked and disclosed private patient data to Google and Facebook without authorization. Source
Sutter's case is relevant to PMax because Performance Max campaigns rely on the same Google tracking infrastructure that generated Sutter's exposure. When PMax optimization uses conversion data from health-specific pages, it inherits the same data flow risk that led to Sutter's $21.5M settlement.
Kaiser Permanente ($47.5M class action, 2025). From 2017 to 2024, Kaiser's websites, patient portals, and mobile apps used third-party tracking code that transmitted health information to Google, Microsoft, Meta, and X without member consent. The breach affected 13.4 million members across 9 states. Source
Kaiser's case illustrates the scale of exposure when tracking technologies operate without compliance controls across multiple Google properties. PMax, which distributes ads and tracking across Search, Display, YouTube, Gmail, and Maps simultaneously, creates a similar multi-property data surface.
When to Choose Manual Campaigns Over PMax
Choose manual campaigns when:
Your compliance team requires full documentation of targeting methods, placements, and conversion data flows
You advertise sensitive health services (mental health, addiction treatment, reproductive health, HIV care)
You cannot implement server-side conversion tracking that strips health context before data reaches Google
Your organization has experienced a tracking-related compliance incident and needs demonstrable control improvements
Your legal team requires the ability to prove that no health-condition-based targeting was used
Consider PMax with guardrails when:
You have server-side conversion tracking in place that strips health context
Your services are general enough that conversion data does not carry sensitive health signals
Your compliance team can commit to monthly monitoring of PMax placement reports, search term reports, and conversion action usage
You have URL exclusion rules covering all sensitive pages on your site
You accept that PMax's targeting decisions cannot be fully audited
FAQ
Can I run Performance Max for a hospital without violating HIPAA?
You can, but it requires significant infrastructure. Server-side conversion tracking that strips health context before data reaches Google is essential. URL exclusions preventing PMax from sending traffic to sensitive pages are necessary. Generic conversion action naming that does not reference medical services is required. Without these guardrails, PMax's automated optimization creates data flows that are difficult to audit and potentially impossible to make compliant.
Does Performance Max use remarketing automatically?
Yes. PMax can serve remarketing ads to users who previously visited your website, provided a Google Ads remarketing tag or GA4 audience is available. For healthcare, this means PMax may retarget users who visited condition-specific pages. If your remarketing audiences include users who visited health-contextual pages, PMax will use them for targeting. Leaving website visitor audiences out of the campaign's audience signals, and removing client-side remarketing tags from health-specific pages so those visitors never enter a list in the first place, mitigates this.
Why is PMax search term reporting limited, and why does it matter for healthcare?
Google provides limited search term visibility for PMax campaigns, showing only a subset of the terms that triggered your ads. For healthcare, this matters because you cannot confirm whether PMax is showing ads for sensitive health search terms. A patient searching "HIV testing near me" might see your ad, and you would have no way to know. With manual search campaigns, you control the keywords and can review every search term. This visibility gap is a significant compliance concern for sensitive specialties.
How do I prevent PMax from advertising sensitive service lines?
Create separate PMax campaigns for general and sensitive services. For sensitive services, consider using manual campaigns instead. If you use PMax, exclude URLs for sensitive service pages, use broad asset group themes that do not reference specific conditions, and provide audience signals that steer away from health-condition-based targeting. Monitor landing page reports to catch any cases where PMax discovered and served sensitive pages.
Should I use PMax or standard Search campaigns for patient acquisition?
For most healthcare organizations, standard Search campaigns offer a better compliance profile for patient acquisition. You control the keywords, the ad copy, the landing pages, and the conversion tracking with full visibility. PMax is better suited for brand awareness and general reach campaigns where the compliance requirements around targeting specificity are lower. The ideal approach for many healthcare organizations is a combination: manual Search campaigns for service line acquisition, and PMax (with guardrails) for broader awareness, if your infrastructure supports it.
Performance Max is a powerful campaign type that delivers results through automation. For healthcare, that automation requires a compliance infrastructure that most organizations do not have out of the box. The choice between PMax and manual campaigns is ultimately a choice about how much control your organization needs over patient data flows.
Ours Privacy provides the server-side tracking, consent management, and continuous monitoring that make compliant advertising possible across every Google Ads campaign type.
Related reading:
Google Ads for Healthcare: The Complete Setup Guide
Google Ads Enhanced Conversions for Healthcare
Google Display Network for Healthcare
Server-Side Google Ads Tracking for Healthcare