Facebook Domain Insights

HIPAA Compliance Risk: High

Category: Trackers

Use Case: Domain-level analytics and content performance tracking via Facebook for Business; verifies domain ownership and enables richer insights into how Facebook users interact with your website content


Why it matters:


Facebook Domain Insights is used to gain a deeper understanding of how Facebook users engage with content on your website. It requires domain verification through Facebook Business Manager and enables enhanced data sharing between your site and Facebook, including referral tracking, user behavior, and content attribution.


When installed on a healthcare-related website, Domain Insights can collect behavioral data about visitors who engage with sensitive health content, click to learn about treatment options, or navigate to scheduling pages. This data can constitute Protected Health Information (PHI) if it can reasonably be tied to an individual's interest in care.


Facebook does not offer a Business Associate Agreement (BAA) for Domain Insights or related marketing and analytics tools. As such, its use on HIPAA-covered websites presents a significant compliance risk.


What HHS says:


HHS guidance states that tracking technologies used on healthcare websites may impermissibly disclose PHI, even on public-facing pages, when they involve an individual's interaction with health-related content.


Although a June 2024 court decision vacated the portion of that guidance treating visits to public pages and IP addresses as inherently subject to HIPAA, HHS continues to enforce HIPAA protections in cases where tools collect behavior tied to a person’s interest in or relationship to care.


Since Domain Insights facilitates extended user tracking and attribution for Facebook campaigns without offering HIPAA-aligned safeguards, it should be considered high risk in regulated environments.


Recommendation:


If Facebook Domain Insights is active on your site and tracks engagement with health-related pages or forms, we recommend removing it immediately. It is not built to support HIPAA compliance, and Meta does not provide a Business Associate Agreement for this tool.


Before using any third-party analytics or attribution tools, conduct a full data flow audit and confirm whether any user interactions could signal a health condition, service inquiry, or care intent. Consider privacy-preserving alternatives that are designed with HIPAA compliance in mind and offer signed BAAs.



Using Facebook Domain Insights on a healthcare site? We’ll help you evaluate the risk and clean it up.