Demand Prism
Healthcare marketing safeguards

Data handling is defined for the actual engagement.

Demand Prism does not use a blanket “HIPAA compliant” claim. The appropriate safeguards, tools, access, agreements, and responsibilities depend on the information involved and the services being performed.

Working principles

Practical safeguards for patient acquisition work.

These principles describe Demand Prism's intended approach. Final requirements are documented for each engagement and should be reviewed by the practice's legal, privacy, security, or compliance advisors where appropriate.

01

Minimum necessary collection

Campaign forms and workflows should request only the information needed to respond to an inquiry, evaluate basic service fit, and arrange an appointment.

02

Advertising platform separation

Protected health information, clinical records, diagnosis details, treatment notes, insurance identifiers, and other sensitive patient data should not be uploaded or transmitted to advertising platforms.

03

Purpose-limited access

Demand Prism requests access only to the accounts and information required for the agreed marketing, measurement, optimization, and reconciliation activities.

04

Practice as source of truth

The healthcare practice remains responsible for patient records, clinical communication, scheduling, attendance records, and the accuracy of patient status.

05

Contractual safeguards

If Demand Prism's services require creating, receiving, maintaining, or transmitting protected health information on behalf of a covered entity, the need for a Business Associate Agreement and appropriate safeguards must be addressed before access is provided.

06

Tool and subprocessor review

Hosting, forms, communication tools, tracking, call systems, and other vendors should be evaluated against the information they receive and the practice's contractual and regulatory requirements.

07

Retention and deletion

Retention periods should be proportionate to the purpose, contractual recordkeeping, security, reconciliation, and applicable legal requirements. Access should be removed when it is no longer needed.

08

Incident communication

Suspected unauthorized access, disclosure, or security incidents involving engagement information should be escalated promptly according to the applicable agreement and response process.

Advertising considerations

Healthcare categories are subject to additional platform restrictions.

Campaign design must account for the current policies of each advertising platform, the selected specialty, the claims being made, and the jurisdiction involved.

01

Sensitive targeting

Google restricts personalized advertising involving sensitive health interests, including infertility and health conditions. Targeting strategy must respect those limitations.

02

Pixel and event data

Meta prohibits advertisers from sharing certain health and other prohibited information through Meta Business Tools. Event configuration must be reviewed accordingly.

03

Healthcare certifications

Certain healthcare products, pharmacies, telemedicine services, drugs, and jurisdictions may require platform certification or may be prohibited from advertising.

04

Patient-facing claims

The practice must approve service accuracy, clinical statements, eligibility information, outcome language, pricing, insurance information, and required disclosures.

Reference resources

Healthcare organizations and their advisors may wish to review current guidance from the U.S. Department of Health and Human Services on business associates, HHS guidance on online tracking technologies, Google Ads healthcare policies, and Meta's guidance regarding prohibited information.

This page describes an operating approach and does not constitute legal, privacy, security, or compliance advice. The final controls and agreements must reflect the actual services, systems, data, entities, and jurisdictions involved.

Contact

Questions about the data handling approach may be sent to info@demandprism.com.

Last updated: June 13, 2026