The High-Stakes Game of Healthcare Data Targeting

A fertility clinic targeting people who filed IVF claims in the past two months. A medical tourism practice reaching Americans browsing plastic surgery options abroad. These are the audience segments that Salubrum, a healthcare data platform, says it can build from a data lake of more than 300 million patient identities.

The promise is seductive: precision targeting in a vertical where most campaigns spray and pray. The risk is equally stark: healthcare marketing operates under the strictest privacy rules in advertising, and the regulatory ground is shifting faster than most compliance teams can map.

The Architecture of "Compliant" Healthcare Targeting

Salubrum's model sits on top of existing healthcare data infrastructure. According to CEO Osama Usmani, the company partners with data aggregators to access licensed, deidentified data, including recent medical claims. Salubrum doesn't receive individual medical records, Usmani emphasized. Instead, it analyzes aggregate patterns to determine which patient "cohorts" respond best to specific messaging.

The commercial logic is sound. Healthcare providers often sell niche services that most people don't need. Alex Campbell, a plastic surgeon at Premium Care Plastic Surgery and a Salubrum client, described the challenge: his Colombia-based practice targets Canadians and Americans "sophisticated and proactive enough to look for options abroad." Traditional digital channels struggle to find these needles in the haystack.

But the compliance architecture deserves scrutiny. The entire model rests on a single assumption: that data deidentified upstream by the aggregator, and accessed through commercial licensing deals whose compliance is vouched for by the aggregator's own framework, remains outside HIPAA's direct scope. That is true as far as it goes, since data deidentified under the Privacy Rule is no longer protected health information. The question is whether it stays deidentified once it is sliced into targeting segments.

The Deidentification Bet

HHS guidance on deidentification under the HIPAA Privacy Rule offers two pathways: Expert Determination and Safe Harbor. Safe Harbor requires removing 18 specific identifiers (names, geographic units smaller than a state other than the first three ZIP digits, most dates, and so on) and having no actual knowledge that the remaining information could identify an individual. Expert Determination requires a person with appropriate statistical and scientific expertise to document that the risk of reidentification, alone or in combination with other reasonably available information, is "very small."

The market for deidentified health data is substantial. Industry analysts estimate the global market at $9 billion in 2026, growing at 9.5% annually through 2033. Claims data represents a significant slice of that market, with pharmaceutical companies, research institutions, and increasingly, healthcare marketers as buyers.

Here's where the math gets uncomfortable. Deidentification is not a permanent state. It's a risk assessment at a point in time. As privacy attorneys have noted, the combination of multiple deidentified datasets, cross-referenced with publicly available information, can enable reidentification. The more precise the targeting, the smaller the cohort, the higher the reidentification risk.

A segment of "people who filed fertility claims in the past two months with IVF coverage" is not a broad population health cohort. It's a narrow slice of individuals in a specific, sensitive life circumstance. The compliance question isn't whether the data was deidentified at the point of aggregation. It's whether the downstream use, combined with other signals, creates reidentification risk that would concern a regulator.

The Regulatory Pressure Building

The regulatory environment is not static. Major HIPAA Security Rule changes are expected to take effect in mid-2026, with most provisions requiring implementation within 180 days. If finalized as proposed, the revisions would eliminate the distinction between "required" and "addressable" implementation specifications in favor of mandatory standards.

Meanwhile, the FTC has expanded its enforcement footprint in healthcare privacy, particularly around digital health companies and consumer health data. The agency's position is clear: even if you're not a HIPAA-covered entity, deceptive or unfair practices around health data can trigger FTC Act liability.

Privacy protection becomes the new competitive moat in healthcare marketing.

State laws add another layer. Twenty states now have comprehensive privacy laws, with consumer health data classified as "sensitive" in all of them. Washington, Connecticut, and Nevada have standalone consumer health data laws that apply regardless of HIPAA status. Maryland's law, effective October 2025, bans unnecessary data sales and limits processing of sensitive information, including health data.

For a platform like Salubrum, operating across state lines with clients targeting consumers in multiple jurisdictions, the compliance surface area is substantial.

The CFO Question

The commercial case for precision healthcare targeting is real. Customer acquisition cost (CAC) in healthcare marketing is notoriously high, and waste is endemic. If a platform can reduce waste by 40% while maintaining conversion rates, the unit economics improve dramatically.

But the CFO question isn't just about CAC efficiency. It's about tail risk. What's the exposure if a regulator determines that the targeting methodology creates reidentification risk? What's the liability if a state attorney general decides that targeting people based on inferred fertility treatment status violates consumer health data laws?

The average cost of a healthcare data breach hit $7.42 million in 2025. That's before regulatory fines, which under HIPAA are capped by statute at $1.5 million per calendar year for violations of an identical provision (the inflation-adjusted caps are higher). FTC consent orders typically run for 20 years, with compliance reporting and independent assessments throughout.

The math here isn't about whether precision targeting works. It's about whether the compliance architecture supporting that targeting can withstand regulatory scrutiny as enforcement priorities shift.

What a Pilot Should Test

For healthcare marketers evaluating platforms like Salubrum, the diligence checklist should include:

  • Data provenance documentation: Can the vendor provide written attestation of the deidentification methodology used by upstream data aggregators? Is it Expert Determination or Safe Harbor? Who certified it, and when?
  • Cohort size minimums: What's the minimum audience size the platform will build? Smaller cohorts mean higher reidentification risk. A platform that will build a segment of 500 people based on recent claims activity is making a different compliance bet than one with a 10,000-person floor.
  • State law mapping: Does the vendor's compliance framework account for state consumer health data laws, or only HIPAA? If your campaigns target consumers in Washington, Connecticut, or Maryland, HIPAA compliance alone is insufficient.

The opportunity in healthcare marketing is real. The data exists, the targeting technology works, and the commercial incentive is strong. But the compliance architecture matters as much as the campaign performance. A 30% improvement in CAC efficiency doesn't help if it comes with a regulatory enforcement action that costs eight figures and 20 years of consent decree monitoring.

Model the tail risk before you model the lift.