Healthcare marketers have been very positively impacted by advances in technology over the past several years, allowing them to gather more accurate and real-time inputs to create and distribute content most likely to resonate with their audiences and compel them to action. One example: website traffic analysis tools like Google Analytics, SEMRush, Ahrefs, and a host of others.
The use of these analytics tools has been considered just a natural part of the digital marketing process. While healthcare marketers have long been aware of HIPAA and have taken active steps to comply with its rules, many didn’t realize the implications these tools have for data privacy.
Until recently.
HIPAA, which was introduced in the 1990s, offered no guidance on digital advertising. After all, there wasn’t much, if any, of that going on back then. That’s all changed, of course. A series of class action suits against major hospital systems and Meta (formerly Facebook) brought these practices to the forefront, prompting HHS to update its HIPAA guidance.
The lawsuits were based on these hospital systems using web trackers like the Facebook pixel and Google Analytics on their healthcare websites. By default, these sites transmitted context about the visitor’s journey, together with identifiers like IP address and device ID, to the tracking vendor.
Because the ad platforms themselves were not willing to provide any legal framework (such as a BAA) to protect this data, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights and the Federal Trade Commission (FTC) determined that the privacy and security risks associated with these tracking technologies, and their potential for the unauthorized disclosure of protected health information (PHI), were a problem.
That guidance was updated in September 2023, causing quite a stir among healthcare marketing pros.
These tools work through cookies and pixels that record the user’s path: where users came from, where they entered a website, which pages they looked at, and so on.
The problem, particularly for healthcare, at least for now, is that capturing an identifier like an IP address alongside the type of healthcare information being viewed could make consumers’ protected information accessible outside their healthcare organization, to other organizations that have not signed the Business Associate Agreements (BAAs) required by the HIPAA Privacy Rule.
"Health systems found themselves in a challenging situation," remarked Chris Boyer, an expert in digital healthcare. "Before, they were grappling with how to effectively use website analytics to enhance online patient experiences. Tools like Google Analytics offer free insights into user behavior and can be integrated with existing digital marketing tools. However, the directive from HHS/FTC forced them to 'de-Google', pushing healthcare marketers towards more expensive platforms, which might not align with their specific needs for tracking and analysis."
Freshpaint recently introduced a Healthcare Privacy Platform to address this problem in a privacy-first way that ensures HIPAA compliance and addresses HHS and FTC concerns.
When data is collected by organizations like Facebook, Google, and others, it effectively enters a “black box” with no control or transparency over what is collected. Unlike other basic web technologies, trackers are opaque by design. Determining how each tracker uses the collected data is difficult, time-consuming, and subject to change.
Freshpaint’s solution replaces these hard-to-control trackers with a tracker from Freshpaint, allowing healthcare organizations to control the data collected and ensure that, when it is shared with tools like Facebook, it doesn’t include PHI. And Freshpaint signs a BAA with its healthcare clients in accordance with the HIPAA Privacy Rule.
Ray Mina, Vice President of Marketing at Freshpaint, explains that Freshpaint’s software was initially developed a few years ago for innovative healthcare organizations who wanted to address concerns around PHI being shared with third-party tools that weren’t HIPAA-compliant. The software was designed to capture data about visitors or patients and use that data to create a better experience. In working with early healthcare customers, though, Freshpaint realized the need for a tool that could control the data collected and ensure that when shared with other tools like Facebook, it would not include PHI.
“We give healthcare providers an interface and the ability to control that data,” Mina says. “This ensures that PHI, which is a combination of an identifier and health information, is never shared with third-party tools that aren’t HIPAA-compliant.” That, he says, allows healthcare marketers to “continue to run high-performance consumer marketing on the biggest channels in the world, but in a privacy-first way that meets current regulations.” It’s a “Healthcare Privacy Platform” that sits in the middle, he says, designed to manage the flow of data.
Could healthcare organizations, with the aid of their IT departments, build their own interfaces? Technically, yes. Practically, probably not, for two reasons: building one is time-consuming and likely to tax an already overtaxed department, and keeping the software current with an ever-changing regulatory landscape would be a daunting task even for the most sophisticated healthcare IT operations.
Partnering with a third-party vendor offers a viable, cost-effective, and safe alternative.
When selecting a technology partner, an absolute must-have is a provider that is willing to sign a BAA. That’s table stakes, Mina says. Beyond this, it’s important to ensure that:
The vendor can collect data from your website in a manner that will ensure compliance.
The tool provided is usable by marketing and compliance teams—designed in a way that even non-technical staff can use and manage it effectively.
The vendor can ensure that its tools do not inadvertently pass data on to downstream tools, and makes it easy to filter sensitive fields like IP and email addresses out of the data being sent.
The vendor offers an opt-in approach to data sharing. For example, IP addresses should never be shared with non-HIPAA-compliant tools like Facebook unless someone has deliberately chosen to share them.
The tool is future-proof—not a point solution for a single issue, but durable and comprehensive to ensure the ability to adapt as regulations change.
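The "sits in the middle" design described earlier, and the filtering and opt-in requirements in the checklist above, come down to one decision per outgoing field: may this field go to this destination? The following is an added illustration, not Freshpaint's code or any vendor's API, of a first-party event gateway that applies a per-destination allowlist, treats identifiers as off by default for tools that have not signed a BAA, and refuses to forward an identifier together with health context even when someone has opted in. The destination names, field names, the sensitive-path patterns and the sample event are all constructed for the example.

```javascript
// Added example (not Freshpaint's code): a first-party event gateway that
// decides, per destination, which fields of a web event may be forwarded.
// Destination names, field names, path patterns and the sample event are
// constructed for illustration.

// Fields that identify a person: direct identifiers plus ad-platform cookies.
const IDENTIFIER_FIELDS = new Set([
  'ip', 'email', 'phone', 'deviceId', 'userAgent', 'fbp', 'fbc', 'gaClientId',
]);

// Constructed heuristic: paths that reveal a condition, a specialty, or
// care-seeking intent. A real deployment would derive this from the site map.
const SENSITIVE_PATH_PATTERNS = [
  /^\/conditions\//i, /^\/oncology\//i, /^\/find-a-doctor\//i,
  /^\/appointments?\//i, /^\/patient-portal\//i,
];

// Per-destination policy (hypothetical names). Only fields in `allow` ever
// leave the gateway; identifiers additionally need a BAA or an explicit opt-in.
const DESTINATIONS = {
  facebook_ads: {
    baa: false,
    allow: new Set(['event', 'timestamp', 'campaign', 'pageCategory']),
  },
  baa_warehouse: {
    baa: true,
    allow: new Set(['event', 'timestamp', 'campaign', 'pageCategory',
      'pagePath', 'ip', 'email', 'deviceId']),
  },
};

function isSensitivePath(path) {
  return SENSITIVE_PATH_PATTERNS.some((re) => re.test(path || ''));
}

// Build the payload for one destination. Returns { payload, dropped }, where
// `dropped` records each removed field and the reason, for an audit trail.
function filterForDestination(event, policy, optIn = []) {
  const payload = {};
  const dropped = [];
  const optedIn = new Set(optIn);
  const healthContext = isSensitivePath(event.pagePath);

  for (const [field, value] of Object.entries(event)) {
    if (value === undefined || value === null || value === '') continue;

    if (!policy.allow.has(field) && !optedIn.has(field)) {
      dropped.push({ field, reason: 'not-in-allowlist' });
      continue;
    }
    if (IDENTIFIER_FIELDS.has(field) && !policy.baa) {
      if (!optedIn.has(field)) {
        dropped.push({ field, reason: 'identifier-requires-opt-in' });
        continue;
      }
      // Identifier + health information is PHI, so an opted-in identifier
      // still never travels alongside a health-revealing page view.
      if (healthContext) {
        dropped.push({ field, reason: 'identifier-plus-health-context' });
        continue;
      }
    }
    payload[field] = value;
  }
  return { payload, dropped };
}

// Route one event to every configured destination; optIns maps a
// destination name to the identifier fields a human has chosen to share.
function routeEvent(event, optIns = {}, destinations = DESTINATIONS) {
  const result = {};
  for (const [name, policy] of Object.entries(destinations)) {
    result[name] = filterForDestination(event, policy, optIns[name] || []);
  }
  return result;
}

// Constructed sample: a page view on an oncology page with full identifiers.
const SAMPLE_EVENT = {
  event: 'page_view', timestamp: 1700000000, campaign: 'spring-screening',
  pageCategory: 'services', pagePath: '/oncology/chemotherapy',
  ip: '203.0.113.7', email: 'pat@example.org', deviceId: 'd-4f2a',
  userAgent: 'Mozilla/5.0',
};

console.log(JSON.stringify(routeEvent(SAMPLE_EVENT), null, 2));
```

With the sample event, the non-BAA destination receives only the event name, timestamp, campaign and coarse page category; the BAA-covered destination receives the identifiers and the full path. Opting the IP address in for the ad platform forwards it on a non-sensitive page but not on the oncology page, which is the "identifier plus health information" combination the text calls PHI. The `dropped` list is the part compliance teams will ask for: it shows, per field, why something did not leave the building.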
In addition, it’s important for healthcare marketing leaders to:
Build relationships with other key stakeholders, like legal and compliance teams. There should be ongoing discussions and collaboration between these groups.
Review current practices. What kind of information are you currently gathering about users of your apps or visitors to your website?
Be transparent. Make sure that you are continually—and clearly—informing both your patients and non-patient consumers about how you are tracking and using their information.
Communicate broadly. It’s not just patients and the consumer audience that needs to understand your tracking technology practices and how you are ensuring compliance, transparency, and the protection of PHI—your employees should also understand and be prepared to respond to questions they might receive from patients and others.
Finally, while compliance of any kind generally comes with an aura of negativity and the tendency to view the process as a hindrance, try to view compliance as an opportunity for improvement. After all, especially in the healthcare arena, you’re doing this for patients.