Clinics get flagged because their pixel sends names, appointment URLs, and IPs straight to Meta. Healthcare Mode strips identity at the source, exports only events you’ve approved, and backs it with a signed BAA.
BUILT FOR DENTAL · MED SPA · CLINICS · WELLNESS
WHAT META RECEIVES
// a normal pixel
name: “María Fernández”
url: /citas/implante-dental?tel=…
referrer: google.com/search?q=dentista…
ip: 189.203.11.4 · ua: iPhone 15…
// with Atribu
event: “Schedule” ✓ on your allowlist
id: sha256(…) — hashed, never raw
url: clinica.mx — origin only
ip: — · ua: — · referrer: — · ldu: on
Exports stay locked until the legal gate is complete.
WHY CLINICS GET BLOCKED
01
The pixel overshares
Page URLs like /citas/implante-dental are health data. Sent raw, they violate HIPAA — and Meta’s own health-data rules.
02
So accounts get restricted
Meta’s filters detect health signals and block the events — or the whole ad account. Appeals take weeks; campaigns die in the meantime.
03
Turning it off isn’t an option
No conversion signals means Meta optimizes blind — CPAs climb and you can’t tell which ads bring in patients.
HOW HEALTHCARE MODE WORKS
Once Healthcare Mode is on, its rules can’t be weakened by any signal rule or team member — restrictions can only be added on top.
1
Track first-party, on your site
Atribu’s tracker captures visits and bookings on your domain. Patient identity stays in your Atribu workspace — never in a third-party pixel.
2
Scrub, then allowlist
Identity is hashed, URLs reduced to the origin, and only event types you’ve explicitly approved can ever be exported.
3
Legal gate before anything flows
DPA and HIPAA BAA are accepted in-product. Until then, every export is blocked — and every change is written to the change log.
ALWAYS ENFORCED — NOT OPTIONAL
NEVER LEAVES YOUR SITE
names, phones, emails — raw
client IP · user agent
referrer · page title
URL paths & query strings
fbclid / gclid identifiers
WHAT META RECEIVES
allowlisted event names only
hashed identifiers — sha256
origin-only URL — clinica.mx
LDU flags — always on
nothing, until DPA + BAA accepted
EVERY SKIPPED OR SENT EVENT IS LOGGED WITH ITS REASON — SHOW YOUR AUDITOR, NOT YOUR WORD
NO TRADE-OFF
Meta still receives clean, high-confidence “Schedule” and “Purchase” signals — hashed and allowlisted — so campaigns keep optimizing. And the AI media buyer works the account like any other: audits, briefings, approved changes.
Ian Cooper Clarke
Co-founder, Aristeia — growth for aesthetic clinics
@iancooperclarke · 115k
Aristeia runs done-for-you growth for aesthetic clinics and MedSpas across LATAM and Spain — and runs its client campaigns on Atribu.
Bring your compliance questions — we’ll walk through the privacy floor, the BAA, and your first campaign on the call.
Demos in English or Spanish · DPA & BAA available for review