HIPAA Conversion Tracking: Meta CAPI, Google Offline Conversions, and PHI

First: this is not legal advice

This article is an educational risk framework for marketers, operators, and implementation teams. HIPAA analysis is fact-specific. If you are a covered entity, business associate, digital health company, agency, or vendor handling health-related conversion data, involve privacy counsel before sending data to Meta, Google, analytics tools, data warehouses, or server-side tag managers.

What HIPAA actually protects

HIPAA does not treat every word about health as PHI in every possible setting. The core test is context.

Under 45 CFR 160.103, health information relates to health, care, or payment for care. Individually identifiable health information adds an identifier or a reasonable basis to identify the person. PHI, or protected health information, is individually identifiable health information held or transmitted by a covered entity or business associate, with specific exclusions.

That is the core Meta CAPI HIPAA and Google Ads HIPAA issue: the ad API is not the problem by itself. The problem is sending protected health information, or data that reveals health care intent, into a destination that is built for advertising measurement and optimization.

In plain English:

• email = jane@example.com is an identifier.
• /oncology-second-opinion/booking-confirmed is health-care context.
• jane@example.com + oncology booking + IP address + timestamp can become a PHI problem for a regulated healthcare entity.

That is why the same technical field can be harmless in one account and risky in another. A Lead event on a generic B2B SaaS demo page is not the same as a Lead event on a treatment, prescription, fertility, addiction, oncology, weight-loss, or mental-health appointment flow.

HHS has been explicit about tracking technologies

HHS OCR says tracking technologies can collect information such as email address, appointment dates, IP address, geographic location, device IDs, and unique identifying codes. It also says tracking on authenticated pages such as patient portals or telehealth platforms generally has access to PHI.

HHS also gives the practical example that if a covered clinic's website lets a person make an appointment and a third-party tracking technology automatically transmits appointment information and the person's IP address, the tracking vendor may be a business associate and a BAA may be required.

There is nuance. In June 2024, a federal court vacated part of HHS's guidance about an IP address plus a visit to an unauthenticated public health-condition page being enough by itself. But that does not make appointment forms, symptom checkers, login pages, patient portals, mobile health apps, or health questionnaire data safe for ad platforms.

Why Meta CAPI can receive PHI-like data if you are not careful

Meta CAPI is usually implemented to send server events such as Lead, CompleteRegistration, Schedule, InitiateCheckout, or Purchase. A typical event can include:

• event_name
• event_time
• event_id
• event_source_url
• action_source
• user_data
• custom_data
• client_ip_address
• client_user_agent
• hashed email, phone, name, city, state, zip, country, or external ID
• browser identifiers such as fbp and click identifiers such as fbc

None of those fields is automatically bad. The risk comes from the combination.

Examples that can cross the line:

• event_source_url = /anxiety-treatment/book-now
• custom_data.content_name = GLP-1 consultation
• event_name = Purchase for a prescription, device, therapy, fertility, or medical service
• external_id that maps directly to a patient record
• user_data containing email, phone, IP, browser ID, and location on a health-specific conversion

Hashing helps match identities. It does not erase the meaning of the event. If the event itself says the person requested addiction treatment, booked a therapy consult, purchased a medical device, or submitted symptoms, hashing the email does not turn the payload into safe marketing data.

Why Google Ads offline conversions and enhanced conversions raise similar issues

Google Ads offline conversion imports are used to send downstream outcomes back to Google Ads. Enhanced conversions for leads can supplement imports with user-provided data such as email address, phone number, name, home address, and GCLID. Google requires normalization and SHA-256 hashing for certain customer fields when uploaded through the API.

That can be useful for ordinary lead generation. It is risky for health conversions.

Google's customer data policies say enhanced conversions, enhanced conversions for leads, and store sales uploads may not include conversion information related to sensitive categories. Google specifically lists health or medical information, including purchases of medical services, prescription drugs, or medical devices.

So there are two separate filters:

• HIPAA and health privacy law may restrict the disclosure.
• Google policy may independently prohibit the measurement use, even if a marketer thinks the data was collected first-party.

That matters because a successful API upload does not equal compliance. An accepted payload can still be unlawful, policy-violating, or unsafe.

Where to draw the practical PHI line

Use this simple framework before you send anything to Meta CAPI, Google Ads API, enhanced conversions, Customer Match, custom conversions, analytics destinations, or a server-side tag manager.

Usually safer: attribution context

These fields are often useful for first-party attribution and do not describe care by themselves:

• UTM source, medium, campaign, term, and content
• landing page ID if it does not reveal a condition or service line
• gclid, gbraid, wbraid, fbclid, msclkid
• first-touch and last-touch source
• generic conversion timestamp
• generic lead stage such as lead_submitted
• consent state and form source

Even here, keep retention, access, and consent disciplined. "Usually safer" does not mean "ignore privacy."

Review carefully: context that can reveal health intent

These fields can become sensitive when combined with identifiers:

• full page URL
• page title
• form name
• appointment type
• provider specialty
• service line
• product name
• condition-specific campaign name
• CRM lifecycle stage
• zip code plus dates
• referral source from a condition page

Example: utm_campaign=brand_search is different from utm_campaign=ketamine_depression_consult.

Do not send to ad platforms as conversion data

Keep these in HIPAA-governed systems, not ad-platform optimization pipelines:

• diagnosis
• symptoms
• medication or prescription details
• lab results
• procedure names
• medical record number
• health plan beneficiary number
• insurance ID
• patient portal behavior
• appointment date tied to a patient
• free-text health questionnaire answers
• condition-specific purchase details
• reproductive, mental-health, substance-use, fertility, sexual-health, or chronic-condition facts tied to an identifier

If the field would make a reasonable person say, "Now I know something about this person's health or care," do not send it to Meta or Google for ad measurement.

Sources checked:

• 45 CFR 160.103 definitions
• HHS OCR: Use of Online Tracking Technologies
• HHS: HIPAA De-identification Guidance
• HHS: HIPAA Marketing Guidance
• HHS: Business Associates
• Meta Conversions API server event parameters
• Meta Conversions API customer information parameters
• Meta Business Tools Terms
• Google Ads API: Manage Offline Conversions
• Google Ads Customer Data Policies
• Google Ads enhanced conversions for web
• FTC: GoodRx health data enforcement
• FTC: BetterHelp health data order
• FTC: Health Breach Notification Rule guidance