## The Situation
A healthcare SaaS company was running Google Ads and Meta campaigns but had never audited whether their tracking was HIPAA-compliant. An internal review flagged that Protected Health Information (PHI) might be reaching ad platforms through form submissions and page URLs containing patient identifiers.
Marketing was told to pause all paid campaigns until the issue was resolved. The CMO needed to prove the stack was safe before the compliance team would clear them to resume spending.
## What We Found
- Consent Mode v2 was implemented but not gating tags correctly — health-related page URLs were being sent to Google Ads as referrer data
- Meta Pixel was firing on pages with PHI in query parameters
- No server-side filtering layer existed — all data flowed directly from browser to ad platform
- GA4 was collecting user-provided data fields that included email addresses from form fills without hashing
## What We Did
- Migrated all tracking to server-side GTM with a filtering layer that strips PHI before data reaches any ad platform
- Implemented proper Consent Mode v2 gating with a CMP that blocks all tags until explicit consent
- Set up Meta CAPI through sGTM with hashed-only user data parameters
- Created an audit document mapping every data flow from browser to destination
## Before & After
| Metric | Before | After |
|---|---|---|
| PHI exposure risk | High — unfiltered data to 3 ad platforms | None — server-side filtering + consent gating |
| Paid campaign status | Paused — compliance hold | Active — cleared by legal |
| Attribution coverage | 45% of conversions tracked | 87% of conversions tracked |
| Time to compliance clearance | Blocked indefinitely | 18 days from engagement start |
## Outcome
The compliance team cleared the marketing team to resume paid spend 18 days after the engagement started. Attribution coverage actually improved because server-side tracking captured conversions that browser-side tracking had been missing due to ad blockers and consent rejection.