
Google Ads for medical, dental & veterinary practices 2026

The compliance-first playbook for healthcare PPC in 2026: HIPAA (USA), MHRA (UK), MOH (GCC), ANVISA (Brazil), DPDP (India). Conversion tracking that preserves PHI, the keyword strategy that converts, and the budget tiers that work for clinics, dentists, and vets.

Maria, Fundamentals & Education Lead

Healthcare PPC in 2026 needs a different playbook than e-commerce or B2B SaaS. The combination of Google's Healthcare and Medicines policy, regional regulations (HIPAA in USA, MHRA in UK, MOH in GCC, ANVISA in Brazil, DPDP in India), and the high-stakes nature of medical decisions means compliance constraints shape every layer of the account: tracking, targeting, ad copy, landing pages, and audience strategy. Get it wrong and you face account suspensions, regulatory fines, and reputational damage.

This guide is for medical, dental, and veterinary practices running Google Ads — single-location and multi-location. The playbook covers the four regions where SteerAds operates: North America (HIPAA scope), Europe (MHRA + GDPR), Middle East (MOH GCC + PDPL), Brazil (ANVISA + LGPD), India (DPDP). We'll cover specifically what's allowed, what's tracked-but-not-PHI, what converts, and what the realistic CPLs look like.

Updated 2026-05-08 with current Google Healthcare policy guidance and post-Consent-Mode-v2 tracking architecture.

Why healthcare PPC needs a different playbook

Three structural differences from non-healthcare:

1. PHI cannot be passed to ad platforms. In HIPAA scope (US), passing protected health information (name + diagnosis, name + procedure, etc.) to Google through tracking pixels is a HIPAA violation. Google does not sign BAAs (Business Associate Agreements) for ad services, so the obligation to redact lies entirely with the advertiser. Equivalent constraints exist in Europe (GDPR special-category data), GCC (PDPL/MOH), Brazil (LGPD), and India (DPDP).

2. Many keywords are restricted or prohibited. Google's Healthcare policy prohibits targeting users based on inferred medical conditions, restricts certain symptom keywords (especially mental health, sexual health, addiction), and prohibits unsubstantiated medical claims in ad copy. Each region adds its own rules.

3. Audience signals are constrained. Customer Match works (with hashed identifiers), but in-market segments related to healthcare are limited. Lookalike modeling on patient lists is restricted. Cross-device tracking can break PHI redaction if not carefully architected.

The combined effect: healthcare practices that try to run Google Ads using e-commerce playbooks routinely get suspended. The compliance-first playbook below is what works in 2026.

Compliance constraints by region

For the compliance-tracking architecture in detail, see our multi-region privacy guide.

Conversion tracking without PHI leakage

Standard 2026 healthcare conversion tracking architecture:

Layer 1 — Server-side GTM (sGTM) — Mandatory for HIPAA scope. All conversion events flow through your sGTM container before being forwarded to Google Ads. The container is configured to: (a) redact any URL parameters containing PHI, (b) strip diagnostic/treatment data from event payloads, (c) hash email/phone before forwarding.

Layer 2 — Enhanced Conversions for Leads — Trim and lowercase the email/phone, hash it with SHA-256, and send it to Google Ads server-to-server. No name, no address, no clinical data. Improves attribution by 8-15% in a HIPAA-compliant manner.

Layer 3 — Offline conversion uploads via gclid — When a lead becomes a confirmed appointment, upload the gclid + conversion value (no clinical data) to Google Ads. Standard practice for B2B-style lead nurturing.

Layer 4 — Phone call tracking — Use Google's call extension or a HIPAA-compliant call tracking provider (CallRail's HIPAA tier, Invoca's HIPAA-compliant offering). Avoid call recording features unless a BAA is in place.
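A sketch of the Layer 1 redaction and Layer 2 hashing steps in plain Node.js, added here as an illustration; it is not SteerAds' or Google's code. The allowlists, the output field names (`email_sha256`, `phone_sha256`) and the sample event are assumptions constructed for the example.

```javascript
// Added example (constructed names and data); runs under Node.js.
const crypto = require('crypto');

// Assumption: only click IDs and UTM tags may leave the server; everything else is dropped.
const ALLOWED_PARAMS = new Set(['gclid', 'gbraid', 'wbraid', 'utm_source', 'utm_medium', 'utm_campaign']);
// Assumption: the only non-identifier event fields that get forwarded.
const ALLOWED_FIELDS = new Set(['event_name', 'value', 'currency']);

// Constructed sample event, as a booking-confirmation page might emit it.
const SAMPLE_EVENT = {
  event_name: 'generate_lead', value: 120, currency: 'USD',
  page_location: 'https://clinic.example/booking/confirm?gclid=abc123&procedure=root-canal&patient_name=Jane+Doe#step2',
  email: '  Jane.Doe@Example.com ', phone: '+1 (555) 010-0199', diagnosis: 'constructed-value',
};

function sha256Hex(text) {
  return crypto.createHash('sha256').update(text, 'utf8').digest('hex');
}

// Email: trim, lowercase, then hash.
function hashEmail(email) {
  return sha256Hex(email.trim().toLowerCase());
}

// Phone: strip spaces and punctuation, keep digits and the leading "+", then hash.
// Assumption: the number was captured with its country code.
function hashPhone(phone) {
  return sha256Hex(phone.replace(/[^\d+]/g, ''));
}

// Allowlist, not blocklist: an unknown parameter is treated as possible PHI.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const key of [...url.searchParams.keys()]) {
    if (!ALLOWED_PARAMS.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  url.hash = ''; // fragments can carry form state
  return url.toString();
}

// Build the outbound payload from scratch so unlisted fields never ride along.
function sanitizeEvent(event) {
  const out = {};
  for (const [key, value] of Object.entries(event)) {
    if (ALLOWED_FIELDS.has(key)) out[key] = value;
  }
  if (event.page_location) out.page_location = redactUrl(event.page_location);
  if (event.email) out.email_sha256 = hashEmail(event.email);
  if (event.phone) out.phone_sha256 = hashPhone(event.phone);
  return out;
}
```

The URL path is forwarded unchanged, so a booking flow that puts a procedure or condition in the path needs the same allowlist treatment before the event leaves the server.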

For the tracking foundation, see our server-side tracking guide.

Account structure for medical practices

Single-location practice (general):

  • Campaign 1: Branded (own practice name) — defensive
  • Campaign 2: Service Line A (e.g. general dentistry) — Search
  • Campaign 3: Service Line B (e.g. cosmetic dentistry) — Search, higher CPC
  • Campaign 4: Emergency / after-hours (separate ad scheduling)
  • Campaign 5: Local Services Ads (if eligible)

Multi-location practice:

  • One campaign per location × service-line matrix, or
  • One campaign per service line with location targeting and location feeds.
  • Use MCC structure for separate billing/reporting per location.

Specialty practice:

  • Tighter campaign segmentation by sub-specialty.
  • Often higher CPCs ($25-$95 for orthopedic surgery, neurology, cosmetic).
  • Branded protection becomes critical (competitors aggressively bid on specialty-practice brand names).

For multi-location complexity, see our franchise/multi-location guide.

Keyword & ad copy patterns that convert

Keyword patterns that work (compliant):

  • "[service] near me" — primary intent driver
  • "[service] [city]" — geographic intent
  • "[service] cost / price" — high-intent, qualifying
  • "best [specialty] in [city]" — branded comparison
  • "[provider name]" — branded protection

Keyword patterns to avoid (policy/compliance risk):

  • Diagnosis-based ("treatment for [condition]") — risk of policy flag
  • Symptom-based ("[symptom] doctor") — narrow margin of compliance
  • Drug-name based — restricted in most regions
  • Sensitive conditions (mental health, addiction, fertility) — separate policy

Ad copy patterns that convert:

  • License/credential visible (e.g. "Board-Certified Dentist", "DDS, MD")
  • Local trust signals ("Serving [city] since [year]")
  • Concrete service offer (free consultation, financing available, same-day appointments)
  • No claims of cure or guaranteed outcome
  • No patient testimonials in regions where prohibited (e.g. some US states for some specialties)

For RSA writing methodology, see our RSA writing method.

Landing page requirements (compliance + CRO)

Healthcare landing pages must be both compliant (no PHI capture in non-secure forms, no prohibited claims, accessibility) and conversion-optimized:

  • HIPAA-compliant form hosting in US scope (most major form builders offer HIPAA tiers — Jotform HIPAA, Formstack HIPAA, custom builds via HIPAA-compliant hosts).
  • Mobile-first, LCP under 2.5s, INP under 200ms.
  • H1 matching ad headline — message match drives QS.
  • Prominent phone number (click-to-call on mobile) — many medical conversions are still calls, not form fills.
  • Visible licensure/credentials — trust signal and compliance requirement in many regions.
  • Office hours and emergency contact — practical patient intent.
  • Insurance accepted (US) — qualifies the lead.
  • No diagnostic data capture in any form not under BAA.
  • Cookie banner — required by GDPR/PDPL/LGPD/DPDP; integrated with Consent Mode v2 in EU scope.
  • Accessibility (WCAG 2.1 AA) — increasingly enforced; reduces complaints/lawsuits.

For landing page methodology, see our landing pages guide.

Budget tiers and CPL benchmarks

GCC budgets: roughly USD-equivalent × 3.7 (in AED). India budgets: USD × 80 (in INR). Brazil: USD × 5 (in BRL).

Vertical-specific notes (dental, vet, primary care, specialty)

Dental. Highest CPC range and broadest service spectrum. Cosmetic dentistry (implants, veneers) commands 2-3× general CPC. Local Services Ads work very well in eligible US markets.

Veterinary. Lower CPCs ($2-$5 USA general); not in HIPAA scope (animals don't have PHI). Customer Match audiences highly effective. Emergency vet specialty has strong conversion economics.

Primary care / family medicine. High volume, lower CPC, often insurance-driven. Local Services Ads + standard Search dominate. Telehealth-specific keywords are a 2024+ growth area.

Specialty (orthopedic, dermatology, cardiology, etc.). High CPCs ($15-$95+ depending on specialty), longer consideration cycles, larger LTVs justify the spend. Compliance review burden is highest in mental health and addiction specialties.

Common compliance mistakes (and fines)

Mistake 1 — Sending PHI to Google in URL parameters. Booking confirmation pages with diagnostic codes in the URL are common HIPAA violations. Fines can reach $50,000 per violation under HIPAA, with annual caps of $1.5M+.

Mistake 2 — Using non-HIPAA-compliant form builders. Default Mailchimp, ActiveCampaign, etc. are not HIPAA-compliant on standard tiers. Use HIPAA-tier offerings or HIPAA-compliant builds.

Mistake 3 — Patient testimonials in restricted states/specialties. Some US states (e.g. Texas) restrict testimonial advertising for certain medical specialties. ASA in UK applies similar limits.

Mistake 4 — Performance Max for healthcare. Lack of placement transparency creates compliance risk; ads can land on inappropriate sites. Stick to Standard Search + Local Services Ads.

Mistake 5 — Recording calls without BAA. HIPAA-compliant call tracking requires a BAA with the provider. Default call recording in Google's call extensions is not BAA-covered.

Compliance cost reality:

HIPAA fines can scale to $1.5M annually for systematic violations. The cost of doing healthcare PPC compliance right (sGTM, HIPAA-tier forms, monthly compliance review) is typically $800-$2,500/month — far less than a single fine. Always invest in compliance before scaling spend.

Cite us:

This healthcare PPC playbook is updated quarterly by SteerAds. Last update: 2026-05-08. Compliance guidance is informational; consult your legal counsel for specific regulatory advice. All CPL benchmarks are 2025-2026 panel medians; expect ±25% variance by sub-specialty and metro area.

For complementary reading, see our CPC by industry & region matrix, our conversion tracking guide, and our multi-region privacy guide. To audit your healthcare account against compliance and performance benchmarks, run our free audit.

FAQ

Can healthcare practices run Google Ads in 2026?

Yes, but with strict compliance constraints. Google's Healthcare and Medicines policy plus regional regulations (HIPAA in USA, MHRA in UK, MOH in GCC, ANVISA in Brazil, DPDP in India) shape what you can target, what you can claim in ad copy, and how you can track conversions. Practices that follow the rules see strong results — typical CPL $40-$150 for general practice, $80-$280 for specialty. Practices that ignore compliance face account suspensions and regulatory fines.

Is HIPAA-compliant Google Ads tracking possible?

Yes, but it requires server-side tracking (sGTM) with explicit PHI redaction, hashed identifiers in Customer Match (avoiding PHI in raw form), and offline conversion uploads via gclid (not via PHI). Google does not sign BAAs (Business Associate Agreements), so PHI must never reach Google's servers in identifiable form. Standard 2026 setup: sGTM container with field-level redaction, Enhanced Conversions for Leads using hashed email/phone only, no diagnostic codes or treatment data in URL parameters.

What CPL should I expect for a dental practice?

Dental practice CPL benchmarks 2026: $40-$80 USA general dentistry, $80-$180 specialty (ortho, implants, cosmetic). $30-$60 Europe general; €60-€140 specialty. AED 120-AED 280 GCC general dental; AED 280-AED 650 specialty. ₹350-₹900 India general; ₹900-₹2,500 specialty. Conversion rate 6-12% on lead forms with phone-call option. Performance Max not recommended for healthcare (lack of placement transparency creates compliance risk).

Can veterinary clinics use Customer Match?

Yes, with the same hashing requirements as human healthcare. Veterinary practices can upload hashed pet-owner email/phone to Google Ads as Customer Match audiences. Vet practices have an advantage: no HIPAA scope (animals are not 'patients' under HIPAA), so the compliance bar is lower. Standard practices upload customer lists for retention campaigns and lookalike seeding. Effective for clinics with 1,000+ active customer records.

What's the best campaign type for medical practices?

Standard Search campaigns + Local Services Ads (where eligible). Performance Max is generally NOT recommended for medical practices because of: (1) opaque placements which can land ads on inappropriate sites; (2) limited control over creative shown, raising compliance review burden; (3) cross-device tracking that can break PHI redaction. Local Services Ads are excellent for primary-care, dental, and vet practices in eligible US/Canada markets — pay per lead, Google pre-screens advertisers.

Can I use medical condition keywords in ads?

Mostly no. Google's Healthcare policy prohibits targeting users based on inferred medical conditions and restricts certain symptom keywords. Generic condition-related terms ('back pain doctor') are usually allowed; sensitive conditions (HIV, mental health, fertility) face stricter rules. Best practice: target service-based keywords ('chiropractor near me', 'dental implants cost') rather than diagnosis-based keywords. Always test in non-production before scaling.

How long until Google Ads delivers leads for a clinic?

First leads typically arrive within 48-96 hours of campaign launch on a properly configured account. Smart Bidding learning takes 14-30 days; meaningful CPL stabilization takes 30-60 days. Local Services Ads typically deliver first leads in 24-72 hours after Google's vetting (background check, license verification) which can take 7-21 days at setup. Plan for a 60-day ramp before declaring performance verdicts.

What's the minimum budget for a medical practice on Google Ads?

Practical minimums for a single-location practice: $1,500-$3,000/month USA, €1,200-€2,500 Europe, AED 5,000-AED 10,000 GCC, ₹40,000-₹100,000 India. Below these, Smart Bidding starves and CPL volatility is high. Multi-location practices should plan $3,000-$8,000/month per location for properly geo-targeted campaigns. Specialty practices (oral surgery, orthopedics) may need $5,000-$15,000/month due to higher CPC.
