Pixel Tracking, Healthcare Advertising, And HIPAA

And what Ours Privacy does here

Looking to hire the best talent in healthcare? Check out the OOP Talent Collective - where vetted candidates are looking for their next gig. Learn more here or check it out yourself.

Hire from the Out-Of-Pocket talent collective

How To Contract With Payors

This course teaches you the essentials of contracting with payors, including strategy, presentations, negotiations, and deal closure. By the end, you'll have a personalized playbook to navigate future contracting endeavors confidently.
Learn more
Next Cohort:
9/22 - 10/2

Featured Jobs

Finance Associate - Spark Advisors

  • Spark Advisors helps seniors enroll in Medicare and understand their benefits by monitoring coverage, figuring out the right benefits, and dealing with insurance issues. They're hiring a finance associate.

Data Engineer - firsthand

  • firsthand is building technology and services to dramatically change the lives of those with serious mental illness who have fallen through the gaps in the safety net. They are hiring a data engineer to build first of its kind infrastructure to empower their peer-led care team.

Data Scientist - J2 Health

  • J2 Health brings together best in class data and purpose built software to enable healthcare organizations to optimize provider network performance. They're hiring a data scientist.

Looking for a job in health tech? Check out the other awesome healthcare jobs on the job board + give your preferences to get alerted to new postings.

Check Out The Job Board

TL;DR 

Today we go through how pixel tracking and direct-to-consumer marketing work for healthcare companies. There are a lot of recent changes around how healthcare data is handled in these situations and what triggers something to become a HIPAA violation.

Ours Privacy is a company that makes it easier for companies to use online marketing platforms in a HIPAA-compliant way. We’ll talk about how their product works, some of the trends they’re riding, and some of the things that are risks for the company.  

This is a sponsored post - you can read more about my rules/thoughts on sponsored posts here. If you’re interested in having a sponsored post done, let us know here.

Company Name - Ours Privacy

Ours Privacy is a company that enables consumer marketing for healthcare companies that need to adhere to HIPAA. They sound like they were named by someone with a tenuous grasp of how English grammatical rules work.

They used to be a therapy company called Ours, which provided a couples counseling marketplace. They built their HIPAA-compliant marketing tool for internal use but then other companies asked if they could share it. They realized the real relationship to fix? It was between ad platforms and healthcare companies.

So they pivoted. And they decided to rebrand as Ours PRIVACY. 

What’s the Pain Point Being Solved? How Pixel Tracking Works

Have you ever gotten an Instagram ad so good and targeted, you’re scared because it requires staring at the reflection of your soul? How could they know you were depressed after looking at Instagram reels for 4 hours???

It’s worth explaining how pixel tracking works because it’s how these targeted ads work. At a high level:

  1. Someone on the marketing team at Mental Health Startup creates an ad campaign on Facebook, Google, Tiktok, etc.
  2. They give some parameters around who they want to target and characteristics about them. You could also upload emails or IP addresses that you might have collected on the Mental Health Startup site. Those identifiers would get connected to a specific person’s Facebook account, and ads would be displayed to them.
  3. They also install a small pixel (a snippet of code) from the advertising platform across different pages on your website. This small pixel will send data back to Facebook/Google on things you’re doing on the site (which pages you’re visiting, did you buy something, etc.). Each of the actions they’re tracking is called an “event”.
  4. As the pixel collects data and sends back information to the advertising platform on these events, it will inform which campaigns are doing well (e.g. did the person actually checkout when they clicked through this ad?). This will then let you spend more ad dollars on the ones that are working well. 

However, there’s an issue in healthcare! What if I go to a web page that’s specifically for a hair loss drug and check out? Or if I go to a page specifically meant for people with alopecia? If that pixel sends back data to Facebook/Google that I was on those pages, then they’ll know the conditions I have. If you are a covered entity and HIPAA applies to you, you often can’t send that kind of patient data back to these sites.

This has been a bit of a gray area for a long time - maybe people are just browsing the site, can we really infer their condition from that? Or maybe they checked out and never used the service. 

However, in the last few years the government has created more clarity on the rules here and sued several companies that have been breaching them. 

  • Hospitals that had the pixel tracking enabled on MyChart login pages and appointment scheduling pages, sending data back about what the appointment is for.
  • Some companies were using answers on the patient intake form and including those in emails uploaded to Facebook to target patients (e.g. if a patient answered yes to “Have you been in counseling or therapy before?”, an ad would target them suggesting they return). 
  • Events track what a customer does, so ideally you’d name them something opaque like Event1, so the platform only sees “Event 1 = True”. But companies were naming their events things like “Drug Name = Lipitor”. So if you sent back a tracked patient’s email together with the drug name…well it doesn’t take a genius.

Healthcare companies heavily rely on marketing to engage patients and get new ones. But in order for them to work, you need data to personalize the campaigns and make sure they’re relevant. Can you do that in a way that’s HIPAA compliant? 

What does Ours Privacy do? What pain point do they solve?

Ours Privacy is a Customer Data Platform (CDP), a term created in the jargon mines of Moria. A customer data platform collects a bunch of data about a person and how they’ve interacted with marketing/products from many many sources. This could be data from how customers use your product, to data about Facebook campaigns, Google Analytics data, etc. 

It stitches them all together, connects them to a customer ID of some kind, and then can use data from the different sources to improve marketing across channels.

You can select from multiple sources to send data into Ours Privacy, then configure the destinations it’s sent to

The quirk with Ours Privacy is the HIPAA compliant piece. They will sign a Business Associates Agreement with you so that you can send patient data to them and it’s not a HIPAA breach. They’re also SOC 2 Type II compliant, which the compliance nerds will care about.

First you need to understand what third party pixels / tracking is on your site. They have a web scanner tool that highlights places you might be potentially accidentally sending sensitive data to non-BAA-signing third parties.

Then you set up sources and destinations of data. A source of data might be your website (via Google Tag Manager) where page views, email drops and interactions happen, or a form provider / customer relationship management tool like Hubspot that collects information from leads and customers. A destination of data might be an ad platform like Facebook or Google Ads, or an analytics platform like GA4 or Mixpanel.

Finally you set up events within that platform, including modifying or scrubbing data. The customer has full control over what gets sent to destinations. For example, you might obfuscate an event like “Nikhil Krishnan looked at the Minoxidil page lmao” to “BlueApple” so that destinations do not receive health information. Or you might remove IP addresses and email so that destinations do not receive identifying information.

You can share hashed or redacted data to protect sensitive information

Through this you get enough data to understand if a campaign was successful which allows Facebook/Google to improve the ads that are served. But it doesn’t reveal the actual data that might suggest your health condition to their platform.

What Is The Business Model And Who Is The End User?

Ours Privacy charges a SaaS fee, with different tiers based on usage. They work across different parts of healthcare specialty-wise, and have a few different customer types.

  • Digital Health Companies: Telehealth, digital pharmacies, and health apps that say things like “CAC:LTV” to normal people that don’t care what that means. 
  • Hospitals and Health Systems: Large providers navigating strict compliance rules and complex configurations who have no idea if people are even using their website.
  • Dental or Management Service Organizations: Large management organizations that provide non-clinical services to practices (admin, marketing, business support). Very PE-core.
  • Medical Products Companies: Teams that are marketing regulated health products and devices and hedge all their marketing copy in question form. Do you have diabetes?
  • Wellness Brands: Direct-to-Consumer and enterprise products & services that are healthcare-adjacent and privacy-focused (e.g. genetics testing).
  • Med Spas: Clinics offering cosmetic treatments like injectables, laser services and skincare. The things we go through to be dewy.

Job Openings

Ours Privacy is currently hiring for an Account Executive, Customer Support Specialist and Technical Success Engineer roles. I love technically succeeding.

You can learn more and apply here.

Out-Of-Pocket Take

I did say in my 2025 predictions that healthcare marketing was going to become more of a shitshow in 2025. Ours Privacy read that and was like “what if we staked our entire future on this guy’s rambling?” Just kidding, I had nothing to do with this.

A few things I like about the company

Privacy trends - There are several privacy headwinds currently happening. HHS is putting out continuously updated guidance on what they consider to be a HIPAA breach and the FTC is actively enforcing this with lawsuits. Individual states are putting out their own privacy laws, like California’s Consumer Privacy Act (which now includes the right to limit how sensitive information is used). 

As this landscape becomes more complex, having a tool to manage this becomes more useful. Ours Privacy is trying to add more to their compliance suite to be a one-stop shop for all of them (e.g. they recently launched an integrated “consent management” product to manage cookies, which is more about consumer privacy than healthcare).

Simple set up - Ours Privacy has a software development kit, data/health information scrubbing tools, and identity stitching to connect all of your data sources together. This lets you keep your existing tracking setups, pass them through the Ours Privacy engine, and send data back to the different destinations without needing to overhaul a lot of your existing systems. They said implementation timelines are typically days to weeks, depending on your team resources and how complex the setups are. Sometimes it’s even hours, privacy.

The basic map of things to make your set up

Platform flexibility - One thing we talked a bit about is what happens if people start shifting to new platforms. What if everyone just searches for everything on ChatGPT in the future? It seems to be happening for healthcare searches anyway.

Ours Privacy is trying to build their system so that when new advertising platforms pop up, it’s easy to add it to their platform. For example you can use them for Snapchat, Tiktok, and even Quora lmao. There’s no healthcare product that can save a person still on Quora.

As with any company, here are some of the issues I could see a company like Ours Privacy facing as they grow.

Regulation and platform risk - Ours Privacy basically exists because of regulation around data privacy. You think their customers would do this out of the goodness of their heart? But just as regulation can giveth, it can taketh away. If there is a rollback on these privacy regulations or reduced enforcement, then this market largely vanishes. But since you’re seeing an increasing number of state level privacy laws, we’re probably trending to more regulations.

The other potential issue is the ad platforms themselves like Meta/Google deciding that they don’t even want the de-identified versions of these data streams, or don’t want any healthcare companies advertising at all. They decide the liability just isn’t worthwhile and proactively ban healthcare companies from advertising. Starting September, Meta is putting further restrictions on sharing health-related data with them to target ads. But what if one day they just don’t want health ads at all?

Competition - Competition here comes in three different forms.

The first is the ad platforms themselves. Why doesn’t Meta set up a HIPAA compliant version of their ad manager and sign a BAA with advertisers? They could make a lot of money if they offered this as a service to healthcare companies directly.

The general answer seems to be that the increased level of liability + totally changing their architecture to support this is not worth the effort to them. In fact, Meta seems to be going in the totally opposite direction and removing the ability to target by healthcare condition.

The second vector of competition is generalist customer data platforms. These companies can do some of the things that Ours Privacy does like create custom events, prevent health information from being shared, etc. But this typically requires much more custom implementation and engineering time from their customers, whereas healthcare-specific platforms do things like data scrubbing and preventing identifiable data from flowing out of the box.

The last vector is other healthcare customer data platforms. This is a very new space - basically all of the rules around HIPAA compliance and marketing were figured out in the last 2 years. As you can imagine, that’s making this area very cut throat. Ours Privacy is trying to differentiate by adding more and more compliance tools marketers need in one place (e.g. cookie management). But this is definitely a first mover space right now.

Single Point Of Failure Risk - A general issue with using customer data platforms is that all of the data needs to flow through their system before it goes to the right destination. While this is what enables the easy setup, it also presents a single point of failure risk. If Ours Privacy goes down, then the data pipes to all of your different marketing channels go down with it. Though they can repopulate the old events when they’re back up. 

Or if you want to switch to a different platform, you’ll have to rebuild the data pipelines since you’ll no longer have access to their tools/scrubbing. That’s the general tradeoff you make for ease of implementation! If you get big enough to worry about problems like that, you’re in a good place.

Conclusion And Parting Thoughts On Marketing

The reality is that we need targeted marketing in healthcare. Engaging patients is really f***ing hard, and even with hyper targeted marketing companies struggle to get patients excited. You’re competing with gambling apps, fast food, and form fitting linen shirts for a low price. If you’re a healthcare company you need all the data you can get to get people’s attention. 

While regular companies typically don’t have a ton of consumer data privacy laws they need to deal with, healthcare companies have to contend with HIPAA. This makes it more difficult to stitch together a story about a customer to give them the right ad for them. This usually means suboptimal and non-targeted healthcare ads are the ones delivered. Hence why I, a relatively healthy 33 year old, can do a singalong of the side effects in the Skyrizi ads despite not having any autoimmune condition. 

If we actually care about patient engagement, then we need to be able to target people based on the types of healthcare services they might need to activate them. This means getting data about patients in a way that’s privacy preserving, which is what Ours Privacy is aiming to do.

It’s a brave new world of healthcare marketing, but I’m just hoping the ads finally get a little better without Facebook knowing I have ##### [hashed and redacted by Ours Privacy].

Thinkboi out,

Nikhil aka. “Hashed tags” aka. “Wait do…THOSE sites have pixels”

Twitter: @nikillinit

IG: @outofpockethealth

Other posts: outofpocket.health/posts


If you’re enjoying the newsletter, do me a solid and shoot this over to a friend or healthcare slack channel and tell them to sign up. The line between unemployment and founder of a startup is traction and whether your parents believe you have a job.

Interlude - Our 3 Events + LLMs in healthcare

See All Courses →

We have 3 events this fall.

They’re all sold out (hackathon invites are going out this week). We have room for a handful of sponsors for each of them.

Interlude - Courses!!!

See All Courses →

We have many courses currently enrolling. As always, hit us up for group deals or custom stuff or just to talk cause we’re all lonely on this big blue planet.

Let's Keep In Touch
