Facebook Conversion Tracking

HIPAA Compliance Risk: High

Category: Trackers

Use Case: Measuring ad performance, tracking conversions (e.g., form submissions, button clicks), and optimizing Facebook ad campaigns


Why it matters:


Facebook Conversion Tracking is often used alongside the Facebook Pixel to measure specific user actions taken after viewing or clicking on a Facebook ad, such as submitting a form, booking an appointment, or visiting a particular page. On healthcare websites, these tracked actions may directly indicate a person’s intent to seek care or learn about a specific condition, turning routine behavioral data into Protected Health Information (PHI).


This tracking sends data to Meta (Facebook), which does not offer a Business Associate Agreement (BAA) for these tools. As a result, using Facebook Conversion Tracking on pages that may involve PHI, whether intentionally or unintentionally, could represent an impermissible disclosure under HIPAA.


What HHS says:


According to HHS guidance, third-party trackers that collect information tied to an individual’s health-related activity may be considered to be handling PHI, even on unauthenticated pages, if the data connects a person to a health condition, treatment, or provider.


While a June 2024 court ruling vacated the portion of that guidance which treated IP address and public health webpage visits as automatically subject to HIPAA, HHS continues to enforce HIPAA protections in cases where tools like Facebook Conversion Tracking could identify or infer someone’s interest in care.


Because Meta does not provide a BAA and does not structure this tool for HIPAA compliance, its use on healthcare-related websites remains a high-risk practice.


Recommendation:


If your site uses Facebook Conversion Tracking to measure outcomes like form submissions, appointment clicks, or health service interactions, we recommend removing it immediately from all pages that may relate to care, treatment, or health conditions.


Meta does not offer a Business Associate Agreement for this tool, and relying on disclaimers or privacy policies does not satisfy HIPAA requirements. If conversion tracking is essential, consider exploring privacy-focused platforms that support HIPAA compliance and will sign a BAA, but only after proper configuration and vetting.



Using Facebook Conversion Tracking? Let’s protect your patients and your practice.
