March 9, 2026
The privacy landscape for health-related advertising has never been more complex or more consequential. A growing patchwork of state laws, evolving federal enforcement, and heightened consumer expectations are reshaping how the health advertising industry approaches data. For marketers, this can make it harder to determine when certain information may be considered “sensitive” and what that means in practice. Understanding these changes and how to navigate them confidently is becoming an essential part of running effective, compliant campaigns.
That's why the Network Advertising Initiative's (NAI) newly released Factor Analysis for Health-Related Sensitive Personal Information is such an important development, and why DeepIntent embraces it as a practical framework for the industry. Our goal is to make this evolving area of privacy easier to understand—so our partners can move forward with confidence, knowing we’re continuously doing the work behind the scenes to ensure responsible, compliant advertising.
What Is the NAI?
The NAI is the leading self-regulatory organization for the digital advertising industry in the United States. It develops and enforces high standards for responsible data collection and use in digital advertising. As a self-regulatory body, it helps translate complex state and federal laws (like HIPAA and the CCPA) into practical guidance, giving marketers clearer guardrails for how to engage audiences responsibly while maintaining trust.
The NAI Self-Regulatory Framework binds member companies to heightened safeguards for sensitive personal information, including health-related data. Building on that framework, the newly released Factor Analysis provides structured guidance for determining when personal information may qualify as Health-Related Sensitive Personal Information (HSPI).
This is important because the regulatory fragmentation in the US has produced a set of unintended consequences that the NAI identified directly in its new guidance. Some companies are over-classifying all health-adjacent data as sensitive, imposing burdensome restrictions even where no meaningful privacy risk exists,while others are under-classifying, inadvertently leaving gaps. And some are withdrawing from certain use cases or jurisdictions altogether, reducing consumer access to beneficial health information.
The Five Factor Framework
Rather than relying on a single rigid definition, the new framework encourages organizations to evaluate data holistically. By doing so, companies can conduct a structured, documented analysis that supports responsible health advertising while aligning with evolving legal and self-regulatory standards. The five factors are as follows.
Factor 1: The source of the PI being processed
Factor 2: The contents of the PI being processed
Factor 3: The intended use of the PI
Factor 4: Whether consumers have a heightened expectation of privacy
Factor 5: The risk of consumer harm
You can read more about the NAI’s HSPI Factor Analysis here.
How the DeepIntent Approach Fits Within the Framework
Our approach to healthcare advertising is inherently aligned with the NAI’s five-factor framework, because privacy and compliance are embedded into our operating model and products. We evaluate data sources carefully, prioritizing environments and partners that are appropriate for regulated healthcare marketing. We assess the nature of the data itself, avoiding the use of directly identifiable condition-level signals where heightened safeguards would apply, and we distinguish clearly between contextual relevance, demographic modeling, and impermissible individual-level health inference. Intended use, which the NAI emphasized as often being the decisive factor, is a core control point in DeepIntent’s governance process.
By focusing on aggregated insights, maintaining strict HIPAA de-identification compliance, and implementing strict data governance controls, DeepIntent aligns with the NAI’s guidance on minimizing HSPI risk while still enabling relevant, responsible healthcare advertising.
To illustrate how this framework works in practice, the NAI’s Factor Analysis document walks through several hypothetical scenarios that apply the five-factor test to common advertising use cases. One example, Hypothetical #3, is particularly relevant to our approach at DeepIntent. The scenario describes a pharmaceutical company working with an ad tech partner to target a diabetes medication by analyzing de-identified insurance claims data to understand the demographic characteristics most common among existing drug purchasers. The NAI walks through all five factors and concludes that this approach does not involve the use of HSPI. The de-identified insurance claims data is not personal information at all, and the demographic data used to build the targetable audience is health-neutral on its face. DeepIntent relies on a population-level correlation to improve relevance without making any individual-level health inferences.
The result is a targeting approach that is more relevant for consumers, more effective for pharmaceutical brands, and built on a privacy architecture supported by the NAI's framework.
