Auditing Your Marketing Plan For HIPAA Compliance

With the recent changes with CCPA, CPRA and HIPAA, as well as recent lawsuit settlements in headlines and new states updating their data privacy regulations, many marketers (and privacy champions) have been spinning their wheels trying to understand how to stay compliant. What does this mean for our website? What does it mean for how we evaluate marketing performance? What does it mean for our visitors and their experience?

Indeed, balancing what your customers need, what your C-Suite needs and what your state governance requires can be challenging. And no agency understands that better than Hedy & Hopp.

In this post, we share our successful approach to compliance that has helped our clients make a few necessary changes that builds trust with their customers – without losing the ability to derive actionable insights that grow their business in a privacy-forward world.

These changes may seem daunting (and even a bit terrifying) at first, but remember that dealing with change is what marketers are designed to do. We constantly need to adjust based on the information received and this challenge is no different. Marketers can either embrace this new world as an opportunity to improve trust with their audience, or keep doing the same thing until they’re forced to make a change (which is inevitable). 

At Hedy & Hopp, we prefer the former, and want to share with you how we’ve helped our clients make sense of the changes and set themselves up for success in the long-term. 

1. Conduct a thorough audit of your marketing & communication tactics, softwares and tools
2. Determine which state laws apply today, and in the next 12 months
3. Determine which tactics, tools and softwares are the highest priority based on what data is being shared, stored or provided (and how)
4. Determine which high priority items must be kept and which can go 
5. Remove/Replace and modify what’s left

Want more details on these steps? Please keep reading!

Got a case of “TLDR”? Please get in touch – we’d love to help!

Conduct an audit of all tactics, tools and softwares

Like most evaluation efforts when a massive change happens, we start with an audit. Document all of the channels you use, plan to use, are investigating using or/and have used in the last 12 months (to account for changes with seasonality). 

Supplement this list by using third party tools like Wappalyzer to identify any pixels, code, plugins, etc., that may be on your website.

PRO TIP:

It is important not to skip this part. We cannot tell you how many clients have told us that they removed a software but we still saw live tags in GTM or hard-coded on their website There are also many plugins that our clients didn’t even know existed that we were able to identify (and actually remove if needed) through using these tools.

Understand the core requirements of applicable state laws

At least in the initial stage, it’s important for marketers to know what applies to them. Covered entities are always beholden to HIPAA, but health-adjacent companies and non-covered entities also need to be aware of the FTC and state laws, where applicable. Most states require companies to reach a number of annual visitors or/and meet a specific revenue goal in that state before they are required to comply, but it does vary. IAPP is a great resource for keeping up with those details. 

First, conduct a monthly traffic report for the last 12 months, and separate out by state. 

• Add Europe to confirm if GDPR needs to be included

Under the state(s) that are relevant to your company, review the following:

• Are companies who follow HIPAA excluded from compliance? If so, and you are a covered entity, then the state’s laws likely do not apply
• How does the state describe “sensitive information”? This can include marital status, sexual orientation and other non-health-specific (but very personal) information. 
• Is consent required from users before any data can be collected (i.e., before any tags are fired)? If so, how is “consent” defined?

Determine Priority Concerns

You will probably find a lot of softwares that can be excluded from further investigation, like Javascript libraries, fonts and some plugins. But there will be a host of others that, either by nature of the platform or based on your implementation, will cause some issue with privacy – specifically with the “selling” (or sharing) of personal information. 

Below is a guide for the kinds of platforms we have seen make the priority list:

• Analytics tools (i.e., Google Analytics, Mixpanel, Piwik Pro)
• Advertising platforms (i.e., Meta, Google Ads)
• User Experience tools (i.e., Optimizely, Medallia, Lucky Orange, Crazy Egg)
• Website Servers, Hosts, CDNs (i.e., Kinsta, WP Engine, Cloudflare) 
• Customer Relationship Managers/CRM (i.e., Hubspot, Salesforce)  
• Video Embeds (i,e. Wistia, YouTube)
• Product Review platforms (i.e., Yotpo)
• Data Visualization tools (i.e., Marketing Cloud Intelligence (Datorama), Looker Studio)

If this list freaks you out, we see you. It looks like EVERYTHING is a priority! So we broke it down even further to prioritize based on the intent of how the platform is using that data, which makes the list looks a bit more manageable: 

Priority 1: Data shared with additional third parties or/and includes sensitive information

• Analytics tools
• Advertising platforms
• Video Platforms or Embeds 
• Product Review platforms

Priority 2: Data necessary to perform function

• User Experience tools 
• Website Servers & Hosts) 
• Customer Relationship Managers/CRM
• Data Visualization tools 

Ok, that probably still makes your heart race, but what’s important to keep in mind is that the biggest concern for these platforms is based on the information being shared and how. Tools like your Website CMS by nature need to collect IP addresses, so while your company is sharing that “personal” information with a third party, it might not be a big risk for your company since that access is required to work. 

Why do we say that? Although an IP address is still considered PII, it’s not nearly as personal (i.e., 1-to-1) as a diagnosis, a name, or an email address. This is why it’s essential to work with your legal team to determine what platforms are riskier than others based on the agreements in place.

Determine Your Must-Haves

As a marketer, your first instinct may be to say that all of these softwares, tools and platforms are necessary. And that might be the case. In our experience, however, there are usually software or tactics that are duplicative or have a more compliant alternative. Think critically about what your marketing is doing for you and embrace the opportunity for refinement that you now have.  

Here are some questions to ask yourself while evaluating the priority tools:

• Has this tool provided me with information that helped me improve a marketing tactic or initiative? 
• Has this tool impacted my bottom line? Is it a tool that has generated leads or improved customer experience? What data do I have to prove it?

If you said “no” to either of these questions, definitely consider removing those tools and tactics and you’ll be on your way to a cleaner, more compliant marketing plan and website. If you responded yes to any of these questions, then the next step is an important one – so keep reading! 

PRO TIP:

Consider if any of the tools are duplicative. If you can consolidate tools to limit the number of third party tags and tools on your website, we would always recommend doing so.

Remove/Replace/Modify and Evaluate

This is the big one – the future of your marketing activation and evaluation. This last part will take some time and collaboration from your organization and marketing partners. The main question here is how you can modify the implementation or replace the tool to improve compliance. Some tools may offer anonymization, for example, which would be worth exploring. 

Each marketer will implement various tools in various ways (too many variables for this post!). Here are a few best practices that helped us get our clients up to par (without losing their minds). 

• Get Business Associate Agreements (BAA) in place for the platforms that have access to your customer’s PHI. Not all of them will sign one (we’re looking at you, Google and Meta), but those that will sign one should be looked into.
• Consider moving to server-side analytics
  • Pixels are helpful and make optimization really easy and automated. But they are also a primary culprit in why advertising and analytics platforms can be risky. Moving to server-side analytics or incorporating a Customer Data Platform (CDP) might be the way to go if you have the proper IT infrastructure and resources in place. 
  • Moving to server-side doesn’t automatically absolve your website of data privacy concerns, but it could be the first step in a privacy-forward approach to data collection and storage.
• Remove pixels and rely more on manual UTMs and short links. It might seem like a step back for senior marketers, but ensuring that Meta, Google, Microsoft and other advertising platforms have no access to user data is a critical component to compliance, especially for platforms that don’t have the option of a BAA or updated terms.
• Take an extra step in updating tag configurations and settings for tools and platforms that offer such settings, to anonymize or remove specific PII from website visitors
  • Be sure to confirm what they mean by anonymization, and that they don’t really mean pseudonymization. Also, be sure to confirm that data is anonymized before it’s shared and that the third party in no way has access to the actual data). 
• Make sure consent banners and your website’s Privacy Policy have been updated to account for what website data is shared and how (and what privacy regulations you need to follow).

PRO TIP:

If you’ve not done so already, this is the time to make absolutely sure your legal team is aware and involved in these discussions. With the number of nuances with HIPAA privacy, it’s critical that your company’s legal team has the opportunity to engage and provide input on updates, specifically on privacy policies and  the company’s overall data privacy approach.

Activate and Evaluate

Once these changes are in place, consider the next 30-60 days as a trial period. Are you missing any data for evaluation? Any new questions arising with the data you can see? It’s a good reminder that any change that you make will take some adjusting, but that doesn’t mean insights can no longer be found.

PRO TIP:

Don’t forget to update your data visualization dashboards to account for any new placements, accounts or configurations!

Need more support for your specific marketing plans?

We’d love to help. Contact us today to see how we can get you and your team data privacy compliant!

Contact Us

The original version of this page was published at:  https://hedyandhopp.com/blog/auditing-your-marketing-for-hipaa-compliance/