Is Your Health Plan’s Digital Marketing Flying Blind?
The signals your Medicare acquisition campaigns depend on are evolving. Third-party data isn’t dead, but using it well has gotten a lot more complicated.
The rules of digital marketing for health plans changed faster in 2024 and 2025 than at any point in the past decade. Meta’s healthcare advertising restrictions, accelerating cookie deprecation, stricter HIPAA oversight of online tracking and the rise of AI-powered search have each forced health plan marketers to rethink how they find and convert prospective members. Together, they’ve made the old playbook increasingly unreliable.
If your Annual Enrollment Period or New to Medicare (NTM) acquisition campaigns feel less predictable lately, like conversions shifting without explanation, attribution looking off or cost-per-enrollment creeping up, you’re not imagining it. The infrastructure underneath your campaigns is eroding. For regional health plans, the pressure is sharper than it is for national carriers. Tighter budgets and leaner technology stacks make it harder to absorb platform changes on the fly.
The answer isn’t to abandon third-party data or declare it dead, but to stop relying on it passively and start using first-party data to make it dramatically more effective.
First, a Plain-Language Primer: First-Party vs. Third-Party Data
These terms get used constantly but are rarely explained. Here’s the distinction that matters most for health plan marketers:
First-party data is information you collect directly. A prospective member fills out a form on your plan website, downloads a Medicare guide, calls your enrollment line, registers for a community seminar or engages with your member portal. You own it. You know exactly where it came from. The person chose to share it with you.
Second-party data is someone else’s first-party data, shared with you through a partner relationship, like a publisher, data co-op or trusted broker partner.
Third-party data is aggregated data purchased from outside vendors: demographic segments, behavioral interest profiles and modeled lookalikes built from many sources. Identity resolution platforms like LiveRamp, TransUnion and Neustar have made this data significantly more sophisticated in recent years. The challenge for health plans isn’t that this data doesn’t work. It’s that using it well now requires more from your organization, like stricter compliance governance, stronger technology infrastructure and closer collaboration across internal teams.
The health plans pulling ahead aren’t abandoning third-party data. They’re combining it with first-party signals to build smarter, more precise and more defensible campaigns.
Why Your Campaign Results Are Becoming Less Reliable
The unreliability appearing in your campaigns has structural causes. Most of them are solvable, but they require investment.
Cookie deprecation is real and growing. Safari and Firefox have blocked third-party cookies for years. Google stepped back from full Chrome deprecation, but signal loss across programmatic environments is significant and accelerating. The practical effect: Third-party audience segments are thinner than they used to be, and attribution gaps are widening. The fix isn’t to stop using programmatic, but to rebuild the measurement foundation underneath it with server-side tracking, compliant analytics tools and proper data-layer configuration.
Platform restrictions hit health plans especially hard. Meta’s special ad category rules for health insurance (updated January 2025), Apple’s App Tracking Transparency, and walled-garden signal limitations mean the behavioral data your campaigns once used for targeting and attribution is now partial. A campaign that previously attributed 80% of its conversions may now show 50% or less, not because performance dropped, but because the measurement infrastructure broke. The solution is investing in compliant tracking tools — server-side event APIs and analytics tools that sign a Business Associate Agreement (BAA) — and making sure you’re sending the right signals back through the right channels.
HIPAA creates real constraints, but they’re more specific than you might think. This is where health plan marketers often overcorrect. HHS’s Office for Civil Rights issued guidance (2022, updated March 2024) warning that standard third-party tracking pixels on health plan websites could constitute an impermissible disclosure of Protected Health Information (PHI). That’s the live HIPAA exposure: how pixel-based tracking on your owned digital properties shares data with ad platforms. It is not, importantly, the same risk as purchasing an activated audience segment from an identity graph provider. When a health plan buys a modeled audience, selecting against parameters like “Medicare-eligible, 64–66”, the health plan never handles PHI. The data provider holds the underlying data. You just activate a segment. Those are meaningfully different compliance postures with different mitigation strategies.
The emerging regulatory risk for third-party audience activation is actually at the state level. Washington’s My Health My Data Act (2023) and similar laws in Nevada extend “consumer health data” protections to inferred health data, meaning audiences modeled from behavioral signals. Health plans targeting Washington residents using condition-modeled segments should consult legal counsel on exposure under those frameworks.
Separating your tracking environment from PHI and configuring your data layer correctly is the compliance work that matters most. First-party data — owned, consented and cleanly separated from clinical information — is what makes that architecture possible.
What HIPAA Allows — and What It Doesn’t
Not all data your organization touches is fair game for advertising. HIPAA draws a clear line between behavioral signals you can legitimately use and protected health information you cannot, no matter how accessible it may be within your organization.
Compliant for digital advertising use:
- Website navigation patterns and page visits (on non-clinical, unauthenticated pages)
- Email engagement data (opens, clicks — not content revealing health status)
- Form submissions and content downloads (guide downloads, webinar sign-ups and quote requests)
- Call center interaction records (enrollment inquiries, callback requests — no clinical data)
- Event attendance (community seminars, broker events and health fairs)
Off-limits under HIPAA — always:
- Diagnoses, treatment history or prescription records
- Claims data or health status information
- Any information that reveals why someone needs health insurance
- PHI — even if technically accessible within your organization
Errors occur when health plans inadvertently create exposure through pixel-based tracking or retargeting setups that aren’t architected with HIPAA in mind. Rebuilding to a first-party data model is an opportunity to get this right. This includes separating tracking environments, configuring your data layer properly and ensuring every vendor in your stack has signed appropriate agreements.
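One way to enforce that separation at the server-side collection point, as an added example (not code from Media Logic or any vendor named here): a default-deny filter that decides which events may be forwarded to an ad platform and strips everything except approved fields. The event names, field names, path prefixes and the `authenticated` flag are hypothetical, and which fields a plan may forward is an assumption to settle with its own compliance review.

```javascript
// Added example: allowlist filter applied server-side before any event
// is forwarded to an ad platform. Event names, field names and path
// prefixes are hypothetical; adapt them to your own site map.
const ALLOWED_EVENTS = new Set(["page_view", "guide_download", "quote_request"]);
const ALLOWED_FIELDS = ["event", "page_path", "campaign", "timestamp"];
// Assumed layout: authenticated or clinical areas live under these prefixes.
const BLOCKED_PREFIXES = ["/member", "/portal", "/claims", "/conditions"];
const deny = (reason) => ({ forward: false, reason });

// Reduce a URL to its path. Query strings and fragments are dropped
// because they can carry search terms, member IDs or form values.
function normalizePath(rawUrl) {
  const url = new URL(rawUrl, "https://plan.example");
  const path = decodeURIComponent(url.pathname).toLowerCase();
  return path.replace(/\/+$/, "") || "/";
}

// Default-deny: anything not explicitly allowed is dropped with a reason.
function filterEvent(raw) {
  if (!raw || !ALLOWED_EVENTS.has(raw.event)) return deny("event_not_allowlisted");
  // Fail closed: a missing flag is treated the same as a logged-in session.
  if (raw.authenticated !== false) return deny("authenticated_or_unknown_session");
  let path;
  try { path = normalizePath(String(raw.page_url)); }
  catch { return deny("unparseable_url"); }
  if (BLOCKED_PREFIXES.some((p) => path === p || path.startsWith(p + "/"))) {
    return deny("blocked_path");
  }
  // Copy only allowlisted fields; email, IP and anything else never leave.
  const source = { ...raw, page_path: path };
  const payload = {};
  for (const field of ALLOWED_FIELDS) {
    if (source[field] !== undefined) payload[field] = source[field];
  }
  return { forward: true, payload };
}

// Constructed sample events (not real traffic).
const SAMPLE_EVENTS = [
  { event: "guide_download", authenticated: false, campaign: "aep",
    page_url: "https://plan.example/Medicare/guide/?q=diabetes+coverage",
    email: "pat@example.com", ip: "203.0.113.7", timestamp: 1700000000 },
  { event: "page_view", authenticated: true, page_url: "/member/claims/123" },
  { event: "page_view", authenticated: false, page_url: "/conditions/diabetes" },
  { event: "rx_refill_click", authenticated: false, page_url: "/" },
];
for (const e of SAMPLE_EVENTS) console.log(JSON.stringify(filterEvent(e)));
```

Logging the deny reasons (without the dropped values) gives compliance and engineering a shared record of what the filter blocked and why.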
Why First-Party Data Outperforms — The Evidence
The business case for first-party data isn’t only about what you’re losing on the third-party side. First-party data makes all of your targeting better, including third-party.
Google + Boston Consulting Group found that brands using first-party data for key marketing functions achieved up to 2.9x revenue uplift and 1.5x improvement in cost savings compared to brands that did not. (Think with Google / BCG, “Responsible Marketing with First-Party Data,” 2020)
Forrester Consulting’s 2024 research found that using first-party behavioral data can improve customer acquisition costs by 83%, conversions by 73% and ROI by 72%.
First-party data is accurate (from real interactions, not modeled proxies), consented (reducing regulatory and reputational risk), durable (unaffected by platform policy changes) and owned (a proprietary asset that compounds in value over time). Critically, it also unlocks higher-quality third-party activation. When you bring your CRM into a platform like Resonate, you can generate better lookalike and modeled audiences than you’d get from an off-the-shelf segment, shaped by the behavioral signatures of your real members, not a generic demographic profile. However, when you activate or use first-party data from your chosen platform, or share it with a third party, that party must either sign a BAA, or you must anonymize the data and strip it of those sensitive identifiers.
Prioritizing Where to Focus: The Three-Tier Audience Framework
With limited budgets, regional health plans can’t activate every audience segment equally. The good news is that they don’t need to. The data consistently shows that a handful of high-intent audiences drive the vast majority of conversions.
Tier 1 — Highest intent, activate now: Prospects who have taken a direct action in the recent past — requested a quote, started and abandoned an enrollment form, downloaded a plan comparison guide or called your enrollment line within the last 30 days. These audiences convert at the highest rates. Your budget, messaging frequency and creative urgency should be concentrated here first.
Tier 2 — Engaged but not yet in-market: Prospects who have interacted with your content — attended a Medicare 101 webinar, visited your plan comparison pages or opened AEP emails — but haven’t taken a high-intent action yet. These are your best seed audiences for lookalike modeling. The investment you make nurturing Tier 2 prospects today compounds into broader, more accurate Tier 3 reach tomorrow.
Tier 3 — Modeled and expanded reach: Lookalike audiences built from your highest-performing Tier 1 and Tier 2 profiles — extended through specialized platforms, like Resonate, into cold prospecting reach. Plans that bring first-party CRM data into these platforms also gain access to richer behavioral intelligence: layering a tool onto your seed audience reveals psychographic and intent-based signals that inform targeting parameters for expansion beyond your existing list. The quality of your seed data directly determines the quality of your reach.
Healthcare-Compliant Solutions for When You’re Building From a Limited Starting Point
Not every regional health plan is starting from a position of data strength. If your organization has limited website traffic, a small email list, or a CRM that hasn’t been consistently maintained, healthcare-compliant platforms can bridge the gap while you build your owned capabilities.
Resonate builds audience segments from consented survey and behavioral data — psychographic and intent-based profiles that are universally compliant by the letter of the law, which become significantly more powerful when layered with your own first-party seed data. IQVIA uses large-scale, anonymized healthcare datasets with built-in privacy protections, opening condition-adjacent targeting use cases that would otherwise be off-limits. LiveRamp solves the scale and cross-channel reach problem, matching hashed identifiers to anonymized users across the open web with BAA-covered services for healthcare clients.
Use these platforms as bridges, not foundations. As your CRM grows, your email list expands and your website behavioral data accumulates, your dependence on external platforms should decrease. Your targeting precision, cost-efficiency and compliance confidence should increase in parallel.
A Note on Implementation: This Requires Internal Collaboration
One thing that often surprises health plan marketing teams is that building a first-party data strategy isn’t something the marketing department can execute alone. Getting the technology right — server-side tracking, compliant analytics tools and proper data-layer configuration — requires your IT and data engineering teams. Activating CRM data through external identity platforms requires sign-off from legal and compliance. Configuring healthcare-specific ad tools may require procurement and vendor review.
That’s not a reason to delay. It’s a reason to start internal conversations now. The plans that are pulling ahead on first-party data didn’t get there by accident. They got there by making it a cross-functional priority before AEP season forced the issue.
Measuring Performance When Platforms Limit What They’ll Show You
The measurement problem is just as significant as the targeting problem. Meta’s special ad category restrictions limit the conversion signals platforms report back. The answer isn’t to accept less visibility — it’s to build your own measurement infrastructure.
Triangulate across multiple signals rather than relying on platform-reported conversions alone — server-side conversion events (Meta CAPI, Google Enhanced Conversions), CRM progression velocity, email engagement post-exposure and spikes in branded search volume or inbound call activity. When multiple signals trend positive simultaneously, you have a defensible, multi-source case for campaign effectiveness, regardless of what platforms show you. Establish this measurement architecture before campaigns launch, not after.
The Window to Build an Advantage Is Open Right Now
If you’re a regional health plan navigating these changes, you’re likely at one of two places. You have first-party data assets that aren’t being fully activated, or you’re building that infrastructure from scratch. Either way, the competitive window is open right now, before the next round of platform restrictions narrows it further.
Third-party data isn’t going away. But using it well now requires something it didn’t before — a first-party foundation to build from, the right technology stack to activate it compliantly and the internal alignment to make it happen. Plans that build that foundation today will have a durable advantage in AEP 2026 and beyond. The ones still relying on passive, off-the-shelf audience data will keep wondering why the numbers don’t add up.
Ready to build your first-party data strategy? Download our Healthcare Marketer’s First-Party Data Starter Guide or schedule a consultation with the Media Logic health plan team.
Last Updated: March 2026 | This content reflects current HIPAA regulations, HHS guidance, and platform policies as of publication date. Always consult your legal and compliance teams before implementing new marketing strategies.