The healthcare marketing data ecosystem has never had more vendors in it, and the quality differences between them have never been harder to assess from the outside. Intent data companies, healthcare audience platforms, clean room providers, and specialty data aggregators all make similar claims about signal quality, privacy compliance, and activation capabilities. The pitch decks reference the same metrics. The compliance language sounds familiar.
What separates a reliable data partner from one that will cause problems — in campaign performance, in regulatory exposure, or in a future privacy audit — usually isn't visible in standard vendor evaluation processes. It surfaces in the specifics: how data was collected, what de-identification process was applied, how match rates are calculated, and what happens to audience data after the campaign ends.
These are the six questions that surface those specifics.
1. What Is the Original Source of Your Health Signal Data?
This is the foundational question, and the answer determines almost everything else about the vendor's data. There are meaningfully different categories of health signal data in the market:
- Open-web behavioral data: signals collected from browsing behavior across health information sites, assembled via standard tracking mechanisms, associated with device identifiers. No underlying health records involved. This is typically the most privacy-conserving source category.
- De-identified claims or prescription data: datasets derived from insurance claims or pharmacy transaction records that have undergone a de-identification process before being licensed for advertising purposes. The source data originated as individually identifiable health information; its privacy posture depends entirely on how the de-identification was conducted.
- Consumer data overlays with health inferences: demographic and lifestyle data from consumer marketing databases with health-related behavioral inferences appended. Source quality and compliance posture vary widely.
- Survey or panel-based self-reported health data: individuals who have opted into a research or survey panel and reported health condition status. Consent-based by design, but representativeness and freshness are variables.
A vendor who can't answer this question specifically, or who describes their data simply as "proprietary health signals" without further detail, is providing insufficient transparency for a healthcare context. The data source drives the risk profile; you need to know it.
2. How Was De-identification Conducted, and Who Did It?
If a vendor's data originates from sources that included protected health information at some point in the data supply chain — claims data, pharmacy data, clinical records — the de-identification process applied to that data is the core compliance mechanism. How it was conducted matters.
The relevant frameworks describe two acceptable de-identification methods for health information: expert determination, which requires a qualified professional to certify that the risk of re-identification is very small; and the safe harbor method, which specifies 18 categories of identifiers to be removed. A vendor working with data that originated as health records should be able to specify which method was used and who performed the expert determination if applicable.
The answer "we're compliant with applicable privacy requirements" is not the same as being able to describe the de-identification process specifically. The former is a statement of self-assessment; the latter is documentable. Reputable vendors in this space can provide — or at minimum describe — their de-identification methodology. Vendors who deflect this question with compliance assurances rather than process details are raising a flag worth noting.
3. How Do You Calculate Match Rates, and What Does "Addressable" Mean?
Match rate — the percentage of a scored audience that can be successfully activated in a given programmatic environment — is one of the most manipulable metrics in healthcare data vendor pitches. A vendor can legitimately report a high match rate while defining "match" in ways that are quite generous: matching at household level rather than device level, counting partial matches, or reporting match rates in a favorable channel while not disclosing match rates in the channels you intend to use.
The right questions here: What is the match rate for the specific DSP or activation platform you're planning to use? Is the match at cookie, device, or household level? How frequently is the audience segment refreshed — weekly, monthly, or less often? An audience built from signals that are 60 days old has different predictive value than one refreshed weekly for conditions with short decision windows.
We're not saying high match rates are automatically suspect — genuinely strong data infrastructure can produce high match rates honestly. The issue is whether the vendor can explain how the rate is calculated, for what channel, and with what refresh cadence. Specifics separate informed vendors from ones who are quoting the most favorable number from their marketing deck.
4. What Downstream Use Restrictions Apply to Your Data?
Healthcare audience data often comes with downstream use restrictions built into the data licensing agreement — and those restrictions can meaningfully limit how you can use the audience in practice. Some data vendors restrict use to specific channels; others prohibit certain ad formats; some forbid using the audience for lookalike modeling; and some have restrictions on what can be said in an ad served to an audience built from their data (particularly for sensitive health condition categories).
Ask for the specific permitted use cases in writing, before the campaign is designed. Discovering mid-campaign that a data segment can't be activated in CTV, or that the license prohibits the retargeting use case you planned, creates delays and possibly budget waste. A vendor who resists putting permitted uses in writing — or who assures you verbally that "everything is fine" without documentation — is not operating with the transparency appropriate for this data category.
5. How Is Audience Data Handled After the Campaign Ends?
Data hygiene after campaign completion is an area that receives insufficient attention in vendor evaluation. When a campaign ends, what happens to the audience segment you built, the match keys that connect your audience to the DSP, and any engagement data collected during the campaign? Is it purged on a defined timeline? Retained indefinitely for vendor use? Available to other clients for their own targeting?
These questions matter for two reasons: direct privacy compliance, and the integrity of your campaign audiences over time. Health intent data decays — a segment built for a condition query audience is less valuable (and potentially misleading) if it's six months old and the underlying signals are stale. But more importantly, health-related behavioral audience data should not persist longer than its operational purpose requires. Vendors with clear, documented data deletion and retention policies are operating with the right posture; vendors who can't answer what happens to audience data post-campaign should be pressed for specifics.
6. Can You Provide Evidence of Your Privacy Practices Beyond Your Own Claims?
Self-attestation is the weakest form of compliance evidence. A vendor who says "we're HIPAA-compliant" or "we follow all applicable privacy regulations" without being able to point to external verification is providing an assertion, not substantiation. External evidence can take several forms: independent audits of data handling practices; contractual privacy addenda that create legally enforceable obligations; participation in industry accountability frameworks; or documented incident response history that demonstrates how the vendor has handled past compliance situations.
The goal of this question isn't to catch vendors out — most reputable healthcare data vendors have done meaningful work on privacy compliance. The goal is to understand what the vendor's accountability structure actually looks like, because the claim "we take privacy seriously" isn't the same as having audited processes, contractual protections, and a documented track record. Vendors who welcome this question and can answer it specifically are likely operating with the rigor the healthcare context requires. Vendors who respond with marketing language should be evaluated accordingly.
Choosing a healthcare marketing data partner is not primarily a price decision. The cost of a data-related compliance issue, a media vendor investigation, or a reputational incident connected to health data misuse is substantially higher than any difference in CPM between a rigorously compliant and a shortcuts-taking data vendor. The questions above exist to surface that difference before it becomes a problem — and to build vendor relationships that will hold up as the regulatory and consumer expectations around health data in advertising continue to evolve.