Posted By Freshpaint on 11/01/2023

Introducing Freshpaint’s Healthcare Privacy Platform: Unlocking HIPAA-Compliant Performance Marketing

Introducing Freshpaint’s Healthcare Privacy Platform: Unlocking HIPAA-Compliant Performance Marketing

Today, we’re launching the Freshpaint Healthcare Privacy Platform. It’s the only technology in the industry that’s designed to help healthcare marketers balance performance marketing and HIPAA compliance.

What makes that balance so difficult? 

Privacy and performance marketing don’t always go hand-in-hand. 

Performance marketing relies on data feedback loops – data from user actions needs to be sent to analytics tools and ad platforms for further analysis. That feedback loop gives marketers the ability to optimize their performance and the best ROI across their marketing channels. 

The problem, however, is the web trackers that power those feedback loops often default to sharing sensitive data, like protected health information (PHI). 

And that’s only the surface-level problem with those feedback loops. If we double-click on the issues, we see four specific problems that healthcare organizations run into when trying to balance performance with compliance.

Problem 1: Protected health information (PHI) is inadvertently shared with non-compliant marketing tools

PHI is often inadvertently shared with the tools healthcare marketers rely on, and marketers often don’t know this is happening because the tracking tools don’t disclose what data they collect from website visitors. It’s not easy to figure out what data each tracking tool is collecting without a deep technical understanding of how web trackers function.

Regardless of the fact that marketers don’t know what data the tracking tools are collecting, it’s still happening, which means they're in violation of HIPAA guidance.

This is the exact situation that led to several class action lawsuits against WakeMed, Advocate Aurora, and other large healthcare providers. Those lawsuits were a result of those organizations unknowingly sharing PHI with Facebook through the Meta Pixel. 

And it’s not just Facebook’s web trackers that are the problem. There are dozens, possibly even hundreds, of other commonly used web trackers that collect PHI without marketers realizing it.

Problem 2: Marketers have no control over the data that is passed to third-party tools

Even if a marketer is aware of the data a web tracking tool collects, they’re rarely able to turn on or off any aspects of that data collection. 

Let’s use Google Analytics as one example: it’s used by over 4 million organizations across all industries, including a whole host of healthcare providers. It is, without a doubt, the most widely-used analytics tool. 

But, Google Analytics collects PHI through user location data and information about the pages users visit. Marketers have no control over that. If they want to use Google Analytics, they can’t pick and choose which data Google Analytics collects. It just gobbles up everything. 

As healthcare marketers have begun to realize this, they’ve started looking for ways to control the data that Google Analytics collects. Unfortunately, that’s just not possible unless they want to spend time concocting hundreds of engineering-intensive solutions. Most healthcare organizations don’t have the resources for that type of project.

Problem 3: Marketers have no transparency into the data that is passed to third-party tools

When marketers are trying to figure out if the web trackers they use are risky for HIPAA compliance, they often look at two things:

  1. The user dashboard of the tool to see what data exists there
  2. The tool’s documentation to find explanations of what data is collected

The problem is that neither location provides a clear explanation of what data is collected by a given web tracker. User dashboards rarely show the full picture of what data is being collected, and documentation is often confusing or simply fails to explain what data the web tracker collects. 

Google Analytics is an offender here. In their documentation, Google claims they don’t log or store IP addresses in Google Analytics 4. At first glance, it seems like GA4 is safe for HIPAA compliance. But their phrasing raises a lot of questions:

  • If Google is not logging or storing IP addresses, is Google still collecting them?
  • Why doesn’t Google mention that they’re not collecting IP addresses either?
  • Does that mean they are collecting IP addresses?
  • If they are collecting IP addresses, are they extracting data and then discarding it? 
  • If they’re extracting and discarding that data, is it still a HIPAA violation?

Google won’t answer those questions. They make it confusing on purpose because they don’t want end users to really know how they collect data for their products.

It’s not just Google either. Very few web trackers explain exactly what they collect and what they do with that data.

This lack of transparency isn’t a problem for Google, Facebook, or other common web trackers because they’re not covered by HIPAA. However, it is a problem for healthcare providers that are covered entities. 

Problem 4: Web trackers are added to websites without much thought or knowledge of the tracker 

Web trackers are extremely useful tools. Because they’re so useful, everyone from marketing agencies to in-house marketers to IT teams often add web trackers to websites without giving too much thought to the functionality of those tools.

A common scenario that illustrates this happens when healthcare organizations hire web development agencies to build new websites. The web development agencies may implement a web tracker to understand user behavior on the websites they build. The agency may mention the web tracker in passing, or they might just use it in the background without mentioning it because that’s a standard operating procedure for them. Regardless, the web tracker is on the healthcare organization’s new website collecting data.

Time passes, the agency’s project is done, employees leave the healthcare organization, and everyone forgets about that web trackers. But they’re still sitting there, collecting data, just waiting for someone to realize the HIPAA violation.

You can replace the agency in this scenario with any number of employees, making it a common scenario for companies in all industries, including healthcare organizations.

How Freshpaint’s Healthcare Privacy Platform creates the balance

The problems we’ve touched on are not unique to healthcare organizations. 

Any company that’s worried about data privacy (which, realistically, should be all of us), runs into these issues. Yet few industries have data regulations as strict as HIPAA.

That’s why we developed the first-ever Healthcare Privacy Platform; Healthcare organizations need the power to combat the four problems above. If we can solve those problems for healthcare providers, those organizations can unlock the same great marketing tactics that other industries use, while still maintaining HIPAA compliance. 

Solution 1: Freshpaint’s industry-best integrations

Freshpaint’s Healthcare Privacy Platform integrates with the most widely-used ads, analytics, and embedded video tools. 

With industry-leading integrations, healthcare marketers can choose which data is shared with the platforms that are most important to them like Facebook, Google, and Youtube. 

Each integration is purpose-built to support each specific use case, totally out of the box. Take, for example, analytics: Freshpaint’s Google Analytics integration supports de-identification by default. This functionality ensures that PHI doesn't end up in unauthorized tools.

These integrations allow healthcare marketers to use their preferred, well-loved marketing tools without risking HIPAA violations.

Solution 2: Freshpaint’s Allow List

Freshpaint’s Allow List functionality allows healthcare marketers to control the flow of data through an easy-to-use visual interface. Marketers can choose which events they send to a given destination without needing to rely on engineers to manually filter each event.

Since marketers in healthcare rarely have engineering teams at the ready, Freshpaint’s Allow List is an absolute game changer.

This approach of showing every event and then giving marketers the ability to opt in (or out) flips the script from how data is traditionally shared with end destinations. Traditional data routing tools, like Customer Data Platforms, take an “always on” approach to data sharing – meaning that ALL data is shared with end destinations.

Our Healthcare Privacy Platform takes the reverse approach by going “always off” until marketers choose to share a specific data point through their Allow List dashboards. This prevents data from inadvertently being shared with end destinations to help ensure HIPAA compliance. 

Solution 3: Freshpaint’s Event Verification

Earlier in this article, we talked about how web tracking tools aren’t transparent when it comes to the data they’re collecting. Freshpaint’s Event Verification gives healthcare organizations the power to see exactly what information is being sent to third-party tracking tools.

Event erification shows a before/after of the data Freshpaint collects and sends. Users see exactly what information Freshpaint collects, exactly what is sent to the end destination, and in what format it is sent. 

For example, if Freshpaint, which is a BAA-protected platform, receives the IP address of your website visitors, but you don’t want to share that information with Google Analytics, you can use Event Verification to see definitive proof that Google Analytics has not received an IP address.

Event Verification can also prove that sensitive data, like Device ID, is cryptographically hashed before it is sent to any end destination. This gives healthcare organizations peace of mind (and proof) that PHI is not shared with any unauthorized end destinations.

Read more: Event Verification: Providing More Transparency Into Your Data 

Solution 4: Freshpaint’s Web Tracker Monitoring

Freshpaint’s Web Tracker Monitoring gives marketers complete visibility into the third-party web trackers that may be running on their websites without their knowledge. Having this information at their fingertips means that companies can swiftly identify and address any potential privacy risks, ensuring patient data remains protected at all times.

It doesn’t matter if an agency or employee installed the web tracker, or even when it was installed. With Web Tracker Monitoring, we catch it, flag it, and equip healthcare organizations with the knowledge to do something about it.

Ready to unlock high-performance healthcare marketing?

Unlocking high-performance healthcare marketing requires a privacy-first approach. Being a privacy-first healthcare marketer is all about understanding the technology you use for marketing and having the ability to do something about it. 

Freshpaint’s Healthcare Privacy Platform gives healthcare organizations the transparency they need to understand their tools and the governance abilities they need to prevent PHI from being shared with those tools.

Ready to see it in action? Request a demo here.


Freshpaint helps healthcare providers keep their first-party customer data HIPAA-compliant by default. We replace the tracking technology used by Google, Facebook, and others to enable you to use t... Read more


More by Freshpaint

Ask a Healthcare Lawyer: HIPAA Compliance for Healthcare Marketers


Privacy First: Healthcare Privacy Platforms vs Generic CDPs


HHS Approves Tools Like Freshpaint In Latest Guidance Update


Head Off Compliance Risks in an Era of Heightened PHI Concern