HIPAA Isn't the Only Law That Matters Anymore
The Rules Have Changed
HIPAA used to be the whole game. Now it's just one rule in a much bigger playbook.
For years, healthcare marketers built their audience strategies around HIPAA — assuming that if HIPAA didn't apply, they were in the clear.
But that's no longer true.
As of 2025, 21 states have passed their own privacy laws, many of which go far beyond HIPAA. These laws bring new definitions, new restrictions, and new risks — especially when it comes to health data used for advertising.
And many don't just regulate actual health conditions — they regulate inferences.
That means the old playbook is out of date.
What These New Laws Actually Say
State privacy laws have introduced new categories of regulated data — and they're rewriting the rules for healthcare marketers.
Two terms matter most:
- Sensitive Personal Data (found in most state laws, including those of Texas, Virginia and Colorado)
- Consumer Health Data (Washington and Nevada)
Both go well beyond HIPAA.
HIPAA regulates data from specific sources. But — for advertising — these new laws regulate how data is built and why you're using it.
For example:
- If you infer or predict a health condition, that is considered sensitive in some states.
- If your purpose is to target someone based on their health — that may trigger restrictions.
This is a major shift.
Even anonymized data used for media targeting can fall under these rules.
In other words, the way a consumer is identified matters much less than how data is built and how it's used.
If you're a hospital marketer or head of media at a health agency, this affects you.
When advertising, you may not be touching HIPAA data. But if you're using lookalikes, models, or predictive audiences, you're likely in sensitive territory.
In this new environment, audience strategy = compliance strategy.
What This Means for You
If you're in healthcare marketing — on the brand, agency, or platform side — it's time to ask some hard questions:
- Do we know how our audiences are built?
- Are vendors using inferences — like lookalikes, propensity models, or predictive audiences?
- Are we using individual-level data to reach people with specific health conditions?
- Would our audience data hold up under legal or regulatory scrutiny?
- Have we gotten answers from our vendors about their audience creation methods?
If you don't have clear and confident answers, you're not alone.
But you are at risk.
What to Do Next
1. Re-examine your assumptions.
HIPAA-only compliance frameworks are outdated. You need a strategy that reflects 21 sets of rules — and counting.
2. Ask for transparency.
Push vendors to disclose how segments are built. If they can't explain it clearly, that's a red flag.
3. Prioritize simplicity.
In a fragmented legal environment, simple, defensible approaches are the safest bet.
We're Building for This New Era
At Blueprint, we're rebuilding audience targeting from the ground up — with transparency, compliance, and performance in mind.
We don't infer. We don't predict. And we don't pretend HIPAA is all that matters.