AUTHOR: Ben Mansouri
AUTHOR BIO: Ben Mansouri is the founder and president of Zevi Digital (zevidigital.com), a Los Angeles marketing agency exclusively serving medical and dental practices. He is a designated HIPAA Officer and the author of two books on healthcare marketing: The Smart Clinic and Digital Marketing for Modern Dental Practices, both available on Amazon.
Most medical practices in California have a HIPAA problem with their marketing — and most of them have no idea.
It’s not intentional. The violations don’t happen because a doctor is careless or indifferent. They happen because the standard tools that every marketing agency uses — Google Analytics, Meta Pixel, Google Ads remarketing, standard contact forms — were not built with HIPAA in mind. They were built for e-commerce. And when you apply e-commerce marketing infrastructure to a medical practice, you create exposure.
The good news is that HIPAA-compliant marketing is achievable. It just requires understanding what compliance actually means in a marketing context — which is different from what most compliance officers or general marketing agencies will tell you.
Here is what California medical practices need to know.
The first thing to understand is that Protected Health Information (PHI) in marketing contexts is broader than most practitioners expect.
PHI is any individually identifiable health information. In a clinical setting, that means names, dates, diagnoses, and treatment records. In a marketing context, it gets more complicated.
When a patient fills out a contact form on your website asking about treatment for a specific condition, that submission contains PHI — even if you never see it as a medical record. When a patient clicks on a Facebook ad for your weight loss program and Facebook’s pixel fires, recording that click against their profile, that action arguably creates PHI because it associates an individual with a health-related inquiry.
When Google Analytics tracks that a user visited your “Knee Replacement Consultation” page, spent four minutes reading it, and then submitted a contact form — and that data is stored on Google’s servers without a Business Associate Agreement — you have a potential HIPAA violation.
None of these scenarios involve a malicious actor. All of them involve standard marketing tools used correctly for non-medical businesses. The problem is that medical practices are not non-medical businesses.
Working with medical practices across Los Angeles and Southern California, the same violations appear repeatedly. These are the five most common:
1. Standard Google Analytics Without a BAA
Google Analytics collects user behavior data and stores it on Google’s servers. Google does not sign Business Associate Agreements for standard Google Analytics. This means any patient data flowing through your analytics is being stored by a third party without the legal protection HIPAA requires. The solution is either moving to a HIPAA-compliant analytics alternative or implementing server-side tracking that strips PHI before it leaves your server.
2. Meta Pixel on Clinical Pages
The Meta Pixel tracks user behavior and sends that data to Meta to optimize ad delivery and build audiences. When the pixel fires on a page about a specific medical condition or procedure — and that data is associated with a Facebook user profile — it creates a potential PHI disclosure to a third party without a BAA. Meta does not sign BAAs. This means any practice running Facebook ads with the standard pixel on clinical pages is operating in a gray zone at minimum and a clear violation at worst.
3. Remarketing Audiences Built From Clinical Page Visitors
Even if you never know who is in your remarketing audience, building an audience of “people who visited my vasectomy consultation page” and serving them ads across the internet creates a functional disclosure of health-related information. HIPAA-compliant remarketing requires either excluding clinical pages from audience building entirely or using only anonymized, aggregated signals.
4. Standard Contact Forms Without Encryption
Most off-the-shelf contact forms — including standard WordPress contact plugins — transmit form data without end-to-end encryption. A patient submitting a form asking about treatment for a sensitive condition may have that data transmitted insecurely and stored without proper protections. HIPAA requires that any electronic PHI be protected with appropriate technical safeguards.
5. No Business Associate Agreements With Marketing Vendors
If your marketing agency, analytics provider, CRM, or email platform handles any data that could constitute PHI, HIPAA requires a signed Business Associate Agreement before that relationship begins. Most marketing agencies — even those who work with medical clients — do not offer BAAs. This is not a technicality. It is a legal requirement, and the absence of a BAA creates liability for the practice, not just the vendor.
A properly built HIPAA-compliant marketing stack is not dramatically more expensive or less effective than a standard one. It requires different tools and different configuration, but it can deliver equivalent — and in some cases better — results.
Here is what the infrastructure looks like when built correctly:
Analytics: Replace standard Google Analytics with a HIPAA-compliant alternative such as Freshpaint, Piwik PRO, or a server-side Google Analytics implementation that strips PHI before data is sent. Alternatively, configure your analytics to exclude any pages where PHI might be submitted.
Conversion Tracking: Implement server-side conversion tracking for Google Ads and Meta Ads. This allows you to track conversions — form submissions, phone calls, appointment bookings — without sending raw user data to ad platforms. The conversion event fires on your server, which you control, rather than in the user’s browser, which you do not.
Contact Forms: Use HIPAA-compliant form providers that offer encryption, BAAs, and secure data storage. Several vendors in this space, including Heymarket and JotForm’s HIPAA plan, offer this capability.
Google Ads: Run search campaigns targeting procedure and specialty keywords — this is the highest-converting, lowest-risk channel for medical practices because it captures intent without requiring you to build behavioral audiences. Avoid broad audience targeting, interest-based targeting, or any audience segment that could imply health status.
Remarketing: Either avoid it entirely, or restrict it to visitors of non-clinical pages — your homepage, about page, or contact page — and never build audiences from procedure or condition-specific pages.
BAAs: Before engaging any vendor that will touch patient data, request and sign a Business Associate Agreement. If a vendor refuses or does not offer one, do not use them for anything that could involve PHI.
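The two technical controls above, the allow-list of non-clinical pages for remarketing and the server-side conversion event that carries no PHI, are easy to state and easy to get subtly wrong. The following JavaScript is an added example written for this page; it is not code from the article, from Zevi Digital, or from any ad platform's SDK. The page paths, form field names and the sample submission are constructed, and the PHI value patterns are illustrative starting points rather than a complete detector.

```javascript
// Added example, not code from the article or from Zevi Digital. It shows the two
// controls the article describes: allow-listing which pages may load tracking or
// feed remarketing audiences, and building a server-side conversion event that
// carries no PHI. Page paths and form fields below are constructed sample data.

// Non-clinical pages where a pixel or remarketing tag may run (assumed paths).
// Allow-list rather than deny-list: a procedure page added tomorrow is excluded
// by default instead of leaking until someone remembers to block it.
const NON_CLINICAL_PATHS = new Set(["/", "/about", "/contact", "/locations"]);

// Decide, for a given path, whether browser-side tags may run at all.
function trackingPolicy(pathname) {
  // Normalise: strip query string, fragment and trailing slash
  const path = pathname.split(/[?#]/)[0].replace(/\/+$/, "") || "/";
  const allowed = NON_CLINICAL_PATHS.has(path);
  return {
    path,
    loadPixel: allowed,
    addToRemarketing: allowed,
    reason: allowed ? "non-clinical page on allow-list" : "not on allow-list; treated as clinical",
  };
}

// Server side: the only submission fields a conversion event may carry to an ad
// platform. Campaign attribution parameters describe the ad, not the patient;
// everything else (name, email, phone, message, the clinical page path) is dropped.
const ALLOWED_EVENT_FIELDS = new Set(["utm_source", "utm_medium", "utm_campaign"]);

// Fields the server sets itself; they are never copied from the submission.
const FIXED_EVENT_FIELDS = new Set(["event_name", "event_time", "event_id"]);

// Build the server-side event from a raw form submission.
function buildConversionEvent(submission, { now = new Date(), eventId = makeEventId() } = {}) {
  const event = {
    event_name: "lead",                 // generic name, never the procedure or condition
    event_time: Math.floor(now.getTime() / 1000),
    event_id: eventId,                  // lets the platform de-duplicate without identifying anyone
  };
  const dropped = [];
  for (const [key, value] of Object.entries(submission)) {
    if (ALLOWED_EVENT_FIELDS.has(key)) {
      event[key] = String(value);
    } else {
      dropped.push(key);                // stays only in the practice's own encrypted store
    }
  }
  assertNoPhi(event);
  return { event, dropped };
}

// Last check before the event leaves the server: every copied field must be on
// the allow-list, and no copied value may look like an e-mail address or a
// phone number (constructed patterns; adjust per practice).
function assertNoPhi(event) {
  for (const [key, value] of Object.entries(event)) {
    if (FIXED_EVENT_FIELDS.has(key)) continue;
    if (!ALLOWED_EVENT_FIELDS.has(key)) {
      throw new Error(`conversion event carries non-allow-listed field: ${key}`);
    }
    const text = String(value);
    if (/@/.test(text) || /\d{3}[-.\s]?\d{3}[-.\s]?\d{4}/.test(text)) {
      throw new Error(`conversion event value looks like contact data in field: ${key}`);
    }
  }
}

function makeEventId() {
  // Random opaque id; no patient attribute goes into it
  return Date.now().toString(36) + "-" + Math.random().toString(36).slice(2, 10);
}

// Constructed sample submission: what a form backend typically receives.
const SAMPLE_SUBMISSION = {
  name: "Sample Patient",
  email: "sample@example.com",
  phone: "310-555-0100",
  message: "Interested in a consultation for my knee.",
  page: "/knee-replacement-consultation",
  utm_source: "google",
  utm_medium: "cpc",
  utm_campaign: "ortho-search",
};

// Usage (Node): node phi_safe_tracking.js
if (typeof require !== "undefined" && require.main === module) {
  console.log(trackingPolicy("/knee-replacement-consultation/?gclid=abc"));
  console.log(buildConversionEvent(SAMPLE_SUBMISSION));
}
```

The design choice worth noting is that both controls are allow-lists: a page is clinical unless it is explicitly listed as non-clinical, and a field is PHI unless it is explicitly listed as campaign attribution. A deny-list would fail open every time a new procedure page or a new form field is added. The `assertNoPhi` check is a backstop, not the control; it catches a misconfigured allow-list, but the allow-list itself is what keeps the clinical page path and the free-text message off the wire.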
California practices face an additional layer of compliance beyond federal HIPAA requirements. The California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA) both impose obligations on how medical practices handle patient data.
CMIA specifically prohibits the disclosure of medical information without patient authorization and applies to any business that creates, maintains, preserves, stores, or transmits medical information as part of its activities. Marketing data that captures health-related user behavior may fall under CMIA even in cases where federal HIPAA does not clearly apply.
California practices should treat HIPAA compliance as a floor, not a ceiling, and review their marketing data practices against CMIA and CCPA requirements as well.
If you are a California medical practice and you are not certain your marketing is HIPAA-compliant, the practical starting point is an audit. Before changing anything, understand what you currently have:
— What analytics platform are you using, and does your vendor have a BAA with you?
— Is the Meta Pixel or any third-party tracking pixel firing on clinical pages?
— Are you building remarketing audiences from condition or procedure pages?
— Do you have signed BAAs with every vendor who touches your website, CRM, or patient inquiry data?
— Are your contact forms encrypted and stored securely?
The answers to these five questions will tell you where your exposure is. From there, the fixes are systematic — not dramatic.
HIPAA-compliant marketing is not a reason to avoid digital marketing. Practices that get the infrastructure right can run aggressive, effective patient acquisition campaigns across Google, AI search, and social platforms without the compliance exposure that makes most medical marketers nervous.
The practices that figure this out first will have a significant advantage in patient acquisition over the next several years — both because they can market more boldly and because AI search systems are beginning to favor entities with established, credible digital presences.
Getting the compliance foundation right is Step 1. Everything else follows from there.
Ben Mansouri is the founder and president of Zevi Digital (zevidigital.com), a Los Angeles marketing agency exclusively serving medical and dental practices. He serves as Zevi Digital’s designated HIPAA Officer and personally oversees HIPAA compliance for all client campaigns, content, and data handling. He is the author of two books on healthcare marketing — The Smart Clinic and Digital Marketing for Modern Dental Practices — both available on Amazon. Ben is a member of Forbes Agency Council.
Top3doctors.com Copyright © 2026