Programmatic Display for Healthcare: Third-Party Exchange Privacy
Two healthcare systems run programmatic display campaigns to promote their cardiology services. Both target adults over 45 in their service area. Both use similar creative. Both measure conversions through their website.
The first buys through an open exchange. Its bid requests travel through a supply-side platform, pass through multiple exchanges, and are evaluated by dozens of demand-side platforms before a winner is selected. At each hop, data about the user, the page content, and the ad opportunity is shared with entities the healthcare system has never heard of and will never audit. When a user clicks the ad and visits the cardiology services page, a third-party tracking pixel fires, sending the visit data back through another chain of intermediaries.
The second buys through a private marketplace deal with curated health publishers, routes all conversion tracking through a server-side API, and ensures no patient-level data enters the bid stream.
Both campaigns reach the same audience. One creates a compliance exposure that extends across dozens of unknown third parties. The other does not. The difference is architectural, and it is the difference that matters under HIPAA.
Open Exchange Bidding: Where Healthcare Data Enters the Wild
Programmatic advertising's core value proposition is efficiency: automated auction-based buying across millions of publisher sites. For most industries, the complex chain of intermediaries is a feature, not a bug. For healthcare, it is the primary compliance risk.
Bid stream data is the hidden exposure. When a publisher page loads and triggers an ad auction, the bid request contains information about the user (IP address, device ID, cookie IDs, location data) and the page (URL, content category, contextual signals). If the publisher is a health content site, the bid request may include contextual signals indicating the page is about "diabetes management" or "cancer treatment." This bid request is broadcast to every demand-side platform connected to the exchange. The healthcare advertiser has no control over who receives this data or how they use it.
Conversion tracking adds a second layer. Standard programmatic conversion tracking uses third-party pixels placed on the advertiser's website. When a user who saw a programmatic ad later visits the healthcare system's cardiology page and books an appointment, the conversion pixel fires, sending data to the DSP and potentially to additional measurement partners. That data includes the URL (which carries health context), user identifiers, and the conversion event itself.
Data leakage is structural, not accidental. Open exchange programmatic advertising was designed to share data across a network of participants. This is not a misconfiguration or a bug. It is the system working as intended. Every bid request, every impression log, every conversion event creates a data trail across entities that have no BAA with the healthcare organization and no obligation to protect PHI.
Private Marketplaces vs. Open Exchanges: A Compliance Comparison
The distinction between open exchange and private marketplace buying is where programmatic healthcare advertising either breaks down or becomes viable.
Open exchange (real-time bidding). Bid requests flow through SSPs to multiple exchanges and are available to any connected DSP. The advertiser selects targeting parameters but has limited visibility into the supply chain. Contextual and user data passes through numerous intermediaries. Conversion measurement typically relies on third-party cookies and pixels.
Private marketplace (PMP) deals. The advertiser or their agency negotiates directly with specific publishers or publisher groups through a deal ID. The bid request is restricted to invited buyers. The advertiser knows exactly which publishers will serve their ads. Fewer intermediaries see user and contextual data. This does not eliminate compliance concerns, but it significantly reduces the number of entities that handle data.
Programmatic guaranteed. The advertiser commits to a fixed volume at a fixed price with specific publishers. No auction occurs. The ad is served through programmatic pipes for efficiency, but the buying model is closer to a direct insertion order. This offers the most control over where ads appear and which entities handle data.
For healthcare, the progression from open exchange to PMP to programmatic guaranteed maps directly to decreasing compliance risk. Each step reduces the number of intermediaries handling data and increases the advertiser's ability to audit the supply chain.
The Mass General Brigham Precedent for Website Tracking
Mass General Brigham's $18.4M class action settlement (2024) is instructive for programmatic healthcare advertisers. Thirty-eight named providers, including Massachusetts General Hospital and Dana-Farber Cancer Institute, used cookies, tracking pixels, and web analytics tools on hospital websites. These tools collected visitor data and shared it with third parties without consent. Source
The connection to programmatic advertising is the tracking infrastructure on the healthcare website. When a programmatic campaign drives a user to a hospital website, the conversion measurement depends on scripts and pixels that identify the user and transmit behavioral data to third parties. Mass General Brigham's exposure came from standard marketing tools doing exactly this: collecting visitor data on health-specific pages and sharing it with entities outside the covered entity's BAA framework.
Kaiser Permanente's $47.5M class action settlement (2025) amplifies the point. Kaiser's websites, patient portals, and mobile apps used third-party tracking code that transmitted health information to Google, Microsoft, Meta, and X without member consent. The breach affected 13.4 million members across 9 states. Source The tracking code on Kaiser's public website is architecturally identical to the conversion pixels that programmatic DSPs require advertisers to install.
Building Compliant Programmatic Campaigns for Healthcare
Programmatic display can work for healthcare organizations. The architecture just needs to be different from the default setup that DSPs recommend.
Choose private marketplace or programmatic guaranteed deals. Restrict your buying to known publishers through deal IDs. Build a curated list of health content sites, local news publishers, and lifestyle sites in your service area. This limits the number of entities that see bid stream data and gives you the ability to audit each publisher's data practices.
Require your DSP to support server-side conversion measurement. Replace third-party conversion pixels with server-side postback URLs or conversion APIs. When a user converts on your website, the conversion event should flow from your server to the DSP, not from the user's browser through a pixel. This eliminates the client-side data exposure that drove the Mass General Brigham and Kaiser settlements.
Implement contextual targeting instead of behavioral targeting. Behavioral targeting in programmatic relies on user-level data: cookie profiles, device graphs, browsing history. Contextual targeting places ads based on the content of the page, not the identity of the user. For healthcare, contextual targeting on health content sites reaches relevant audiences without creating user-level health data profiles in the bid stream.
Verify your DSP's data handling practices. Your DSP is a critical link in the data chain. Evaluate their SOC 2 Type II certification (all five trust criteria, not just Security), their data retention policies, and their willingness to contractually limit how they use healthcare campaign data. A DSP that certifies only Security has met table stakes, not the bar healthcare requires.
Gate conversion data on consent. Before any conversion event flows to a DSP (even server-side), verify that the user has consented to marketing data sharing. Server-side consent gating ensures no data moves until consent status is confirmed. As state privacy laws proliferate and patient expectations around data control increase, consent-gated data flows are becoming the baseline for healthcare marketing compliance.
Audit your supply path regularly. Use supply path optimization (SPO) tools to understand exactly which SSPs, exchanges, and resellers are involved in your ad delivery. If an intermediary you cannot audit is handling bid stream data that includes health contextual signals, that is an uncontrolled data flow.
Measurement Without Exposure: What Compliant Attribution Looks Like
The biggest objection healthcare marketers raise about compliant programmatic campaigns is measurement loss. If you remove third-party cookies and client-side pixels, how do you know your campaigns are working?
Server-side conversion tracking preserves attribution. Conversion events sent from your server to the DSP's API still provide campaign-level, ad group-level, and creative-level performance data. You lose some user-level granularity, but you retain the metrics that actually drive campaign optimization: conversion volume, cost per conversion, and conversion rate by placement.
First-party data strategies replace cookie-based targeting. Build first-party audiences through compliant consent-gated registration on your website. Use these audiences (with proper consent and hashed identifiers) for targeting through your DSP's customer match features, rather than relying on third-party cookie pools.
Incrementality testing replaces pixel-based attribution. Instead of tracking individual user paths from impression to conversion (which requires cross-site user identification), run geo-based or time-based incrementality tests to measure the true lift of your programmatic campaigns. This approach measures campaign impact without requiring user-level tracking.
A web scanner catches unauthorized tracking scripts. Even after removing third-party pixels, new scripts can appear. A DSP's tag management snippet might load additional tracking. A publisher's ad tag might inject cookies. A web scanner running continuously on your website detects any new third-party scripts, cookies, or tracking pixels the moment they appear, before they have time to accumulate months or years of unauthorized data collection.
FAQ
Can healthcare organizations use open exchange programmatic buying at all?
Open exchange buying exposes bid stream data to an uncontrollable number of intermediaries. For healthcare organizations running campaigns on health-specific landing pages, this creates PHI exposure risk that is difficult to mitigate. Private marketplace deals and programmatic guaranteed buys offer the same programmatic efficiency with significantly more control over data flows.
Do DSPs sign BAAs for healthcare advertisers?
Most major DSPs do not sign BAAs as standard practice. Some will negotiate healthcare-specific data handling terms as part of enterprise agreements. However, the more effective approach is to ensure that no PHI reaches the DSP in the first place by using server-side conversion tracking that strips health context before transmission.
How does contextual targeting compare to behavioral targeting for healthcare campaign performance?
Contextual targeting typically delivers lower click-through rates but comparable or better conversion rates for healthcare campaigns. Users reading an article about joint replacement who see an ad for an orthopedic practice are in a relevant mindset. Contextual targeting avoids the privacy concerns of behavioral targeting while reaching users at moments of genuine health interest.
What happens to bid stream data after an auction?
Bid stream data is retained by SSPs, exchanges, and DSPs according to their individual data retention policies, which vary widely. Some delete bid-level data within hours; others retain it for months for analytics and optimization. Healthcare advertisers have no control over this retention once data enters the open exchange.
Should healthcare organizations avoid programmatic advertising entirely?
No. Programmatic display remains an effective channel for healthcare awareness and patient acquisition when implemented correctly. The key is choosing private marketplace deals over open exchange, replacing client-side conversion tracking with server-side APIs, and using contextual targeting over behavioral targeting. The channel is viable; the default architecture is not.
Programmatic display advertising offers healthcare organizations broad reach and efficient buying. The compliance challenge is not the advertising itself but the data infrastructure that supports it. If your organization runs programmatic campaigns, Ours Privacy provides the server-side conversion tracking and consent-gated data flows that make programmatic healthcare advertising compliant.
Related reading:
Google Display Network for Healthcare: Targeting Patients Without Targeting Conditions
Connected TV Ads for Healthcare: Streaming Platform Compliance Guide
What Is Server-Side Tracking? A Guide for Healthcare Marketers
Client-Side vs. Server-Side Analytics: The Healthcare Decision
HIPAA-Compliant Tools
Continue Learning
Explore more HIPAA compliance resources for healthcare marketers.
Tool Compliance Reviews
Find out which marketing tools are HIPAA compliant and which ones put your organization at risk.
Server-Side TrackingServer-Side Tracking Guides
Replace risky client-side pixels with secure, compliant data collection that protects patient privacy.
Advertising Platform Guides
Step-by-step guides for running compliant healthcare campaigns on Google, Meta, TikTok, and more.
GlossaryHealthcare Marketing Glossary
Clear definitions for healthcare marketing, privacy, and compliance terms explained for marketing teams.