Is Facebook Pixel HIPAA compliant?

Facebook is the largest social media platform in the world with over 1.69 billion users. With so many daily users sharing both public and private information, Facebook has become an essential marketing channel for businesses worldwide thanks to Facebook Pixel. This leaves medical professionals curious: is Facebook Pixel HIPAA compliant? Facebook is an ideal platform for companies to spread their messages and increase brand awareness.  If you are using Facebook for marketing your healthcare company, particularly leveraging a Facebook Pixel, it is vital to know its HIPAA limitations to safeguard your business.

SEE ALSO: Social Media & HIPAA Compliance: The Ultimate Guide

About Facebook Pixel

According to Facebook , Facebook Pixel is “an analytics tool that allows you to measure the effectiveness of your advertising by understanding the actions people take on your website.”  A Facebook Pixel is a snippet of code that you embed into your website. This code communicates with Facebook and reports website visitors’ behavior. It also enables you to measure your Facebook ads since it can track conversions, like booking an appointment online. The question about Facebook Pixel and HIPAA compliancy lies in its retargeting ability since it uses Facebook user information to retarget ads.

Medical professionals using Facebook Pixel

Some medical professionals are using Facebook to run ad campaigns which use Facebook Pixel to track their campaign results. However, this is very risky. Facebook continually encounters serious security threats because of the plethora of profile information that the platform aggregates, like when the platform discovered a security issue directly affecting 50 million accounts in 2018 . A platform that is susceptible to such security threats poses a serious risk for covered entities which can be subject to HIPAA fines for security breaches.

Facebook and the business associate agreement

For a software to be deemed HIPAA compliant, a  business associate agreement , or BAA, is required by law. A BAA is a written contract between a  covered entity  and a business associate . Facebook does not offer a BAA. One communications agency reported that when they inquired with Facebook about its Pixel, they responded: “ Facebook is not HIPAA compliant nor do we have a BAA. ”

Facebook Pixel and HIPAA compliance

The lack of a BAA is a red flag for medical professionals. Unfortunately, that also includes Facebook ads and Facebook Pixel.

Conclusion: Facebook Pixel is not HIPAA compliant.

Facebook Pixel has revolutionized retargeting ads and has made them a useful digital marketing strategy.  However, it is not ideal for the medical industry. It’s unwise to retarget ads because of the possibility of exposing protected health information (PHI). The US Department of Health & Human Services (HHS) explained Facebook ads and its privacy limitations—and risks—in greater detail here . Facebook isn't alone. Many top web platforms are not HIPAA compliant like Instagram, Skype, Mailchimp, and Hubspot. Medical professionals should also avoid WhatsApp, a messaging app recently acquired by Facebook, because it is also not HIPAA compliant.

Other HIPAA-safe marketing options

Although Facebook and its retargeting ads are not a HIPAA compliant option for medical professionals, there are other effective marketing strategies available, like Paubox Marketing . Paubox Marketing is the best HIPAA compliant email marketing solution available.  The platform's military-grade encryption allows you to send HIPAA compliant email marketing directly to recipients’ inboxes — no plugins or portals required. 

You can store PHI on the platform and even include PHI in the emails you send.  That means medical professionals can finally take advantage of personalized email marketing. If you are a healthcare provider subject to HIPAA, you risk significant HIPAA fines by partnering with Facebook.  The only way to be HIPAA compliant is to use fully HIPAA-compliant marketing software.