Healthcare marketers must strike a balance between effective marketing strategies and strict privacy rules. Here's our list of HIPAA-compliant marketing technologies healthcare marketers can use to get their jobs done while still ensuring compliance.
Marketing in healthcare isn’t as straightforward as in other industries. After all, HIPAA compliance is front and center, and it has undergone several significant changes in the last two years. Now more than ever, healthcare marketers need to walk a fine line between doing what’s needed in terms of marketing and adhering to highly important privacy rules. Since the release of an HHS bulletin in December of 2022 and FTC complaints against prominent providers, that line has become even finer.
The good news? Effective marketing in a HIPAA-governed world is still doable with the right tools and strategies in place. We’ve put together a list of marketing technologies that can be used in a HIPAA-compliant manner, as well as recommendations on how to build an optimal technology foundation to maximize the effectiveness of your advertising strategy and investment.
In December 2022, the Department of Health and Human Services released a Bulletin to clarify details on what is considered healthcare information and how it is shared. The big pullout quote? According to the HHS bulletin:
“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”
What is considered a tracking technology? According to the Bulletin, tracking technology refers to a script or code on a website or mobile app used to gather information about users as they interact with it; examples include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. (A full list can be found at the end of this section.)
Following this bulletin, the FTC has accelerated enforcement of the HIPAA Privacy, Security, and Breach Notification Rules. First up, the FTC alleged that GoodRx violated the Health Breach Notification Rule (HBNR) by failing to notify the FTC that it had shared the PHR identifiable health information of millions of users with third-party advertisers and others without the users’ authorization. Since then, other healthcare organizations have faced complaints and lawsuits.
First, don’t be scared by recent rulings. Not all data tracking is bad, and not all data tracking will incur a HIPAA violation. It is, however, important to have a thorough understanding of the HHS guidance.
The long and short of it is this: HIPAA violations occur when you combine personal identifying information (i.e., Name, IP Address, Phone Number, Email, Device ID, etc.) with protected health information.
What is “health information” exactly? Well, it comes in two forms: explicit and implied.
What’s an example of ‘explicit’ health information? Think about when a potential patient submits a website form requesting healthcare services. That would be ‘explicit.’ So-called “implied” health information might involve another user simply visiting a specific condition page. It’s “implied” that they are seeking healthcare, but they haven’t taken action and, therefore, haven’t generated “explicit” health information.
It’s at the confluence of those two types of healthcare information—explicit and implied—that your healthcare marketing efforts could possibly result in a HIPAA violation.
Let’s walk through an example. A user visits your website, providing you with an IP address or device ID. While on your site, that user visits a specific page (say, for oncology treatment). If you use that page visit to infer that the user has that healthcare condition and then market to them accordingly (using their device ID), that would constitute a HIPAA violation under these new guidelines.
In summary, analytics platforms like Google Analytics, HubSpot, etc., are designed to capture a myriad of data. No single data point is a problem when viewed in a silo. But when those data points are viewed together in the platform, it is possible to tie personal identifying information to implied health information.
According to the HHS, PHI is “individually identifiable health information,” including demographic data, that relates to:
Just because a technology isn’t HIPAA compliant doesn’t mean it’s off-limits to you as a healthcare marketer.
Remember, not every marketing tool captures PHI. To ensure that your solution is not capturing PHI, it’s important to understand what PHI is in the eyes of the HHS (as described above).
When implementing new technologies, ensure you fully understand how the tech will be used, what information is being captured, and where (and how) it’s being stored and sent. Train your marketing and operational team to understand data management best practices.
For example, you never want anyone on your team uploading customer lists to an ad platform like Facebook or Google, or to an email marketing platform, that hasn’t signed a BAA!
You will need to be especially vigilant with staff who come to you from other industries, such as retail or CPG. Remember, they’ve been using marketing tech and customer data differently and may need special training to ensure they understand how different the stakes are in healthcare.
An important piece of this new puzzle for healthcare marketers is the BAA or Business Associate Agreement. A business associate agreement defines a legal relationship between HIPAA-covered entities, such as doctors and practices, and business associates (i.e., tech tools, software, etc.) that can potentially access PHI during the course of their work for a HIPAA-covered entity. This type of agreement is designed to ensure complete protection of a patient’s PHI.
How do they make technology and apps HIPAA compliant? Well, a BAA alone doesn’t make a technology HIPAA compliant—it’s one component of a broader compliance strategy. Technology providers must also implement technical, administrative, and physical safeguards, including but not limited to data encryption, access controls, and audit controls.
It’s important to know that getting a BAA in place is not always easy, either. Some marketing technologies and ad platforms will not sign them (e.g., Facebook and Google Ads). Moreover, even if they are willing to sign, they may insist on their own agreement, rejecting your organization’s BAA. This often becomes a contentious issue for compliance teams, and a compromise can be elusive.
As we delve into potential marketing tools, it is crucial to remember that a BAA is not a one-size-fits-all remedy, and a potential tool might not be a solution for your organization.
What do you do when a marketing technology vendor won’t sign a BAA? You can consider implementing a CDP or Customer Data Platform.
Implementing a CDP lets you keep your current technology stack, avoiding expensive switching costs.
CDPs safeguard patient health information and ensure the anonymity of your website users through various mechanisms. Firstly, CDPs employ robust data encryption techniques to secure patient information during transmission and storage. This encryption ensures that the data remains protected even if it is intercepted or accessed by unauthorized individuals. Secondly, CDPs often implement strict access controls, limiting data access to authorized personnel who require it for legitimate purposes. This prevents unauthorized individuals from viewing or manipulating patient health information.
Additionally, CDPs use techniques like data anonymization or de-identification to remove personally identifiable information from the datasets. By anonymizing the data, CDPs help ensure that patient health information is stripped of identifying details, making it nearly impossible to link the data back to specific individuals. These measures collectively safeguard patient privacy, protect health information, and allow marketers to use other technologies in a HIPAA-compliant manner. With identifying information removed, marketers, for example, can pass information between data sources like Google Analytics and Google Ads.
When considering a Customer Data Platform (CDP), there are several established options available. Rudderstack and Tealium are two notable platforms that have proven effective across various industries.
On the other hand, Freshpaint is uniquely dedicated to healthcare, operating as a healthcare privacy platform. It specializes in bridging the gap between patient privacy and digital marketing, ensuring that sensitive data is never shared with tools lacking HIPAA compliance. This focus makes Freshpaint an ideal choice for healthcare-specific digital marketing needs.
Call tracking and analytics is a vital technology in the healthcare marketing toolkit. It provides insights into where your leads are coming from, what they want, and if they ultimately book an appointment. The most innovative of today’s call-tracking solutions leverage AI to track and analyze phone calls and identify crucial data points, including patient sentiment, conversion barriers, lead quality, and more. With this data in hand, marketers can then identify which campaigns, keywords, and resources are generating calls and form fills, enabling them to allocate spend and optimize strategy more effectively.
While there are a number of options out there, we here at Cardinal see our clients use these call-tracking solutions:
Other options to consider? Check out Invoca and CallRail.
To learn more about call tracking and Liine, check out the podcast episode, Unleashing the Power of Call Analytics in Healthcare with Charlie Winn, Chief Revenue Officer at Liine.
Analytics tools in marketing can provide marketers with easy ways to access and analyze metrics that, in turn, provide insight into which marketing efforts are working and which are not.
The go-to analytics solution for many marketing teams has long been Google Analytics. While a hugely popular and effective tool, it is not inherently HIPAA-compliant. Google places the onus directly on marketers, stating that users should not pass any data to Google “that Google could recognize as personally identifiable information (PII)” or that could be considered PHI.
Here’s why it’s so difficult for Google Analytics to remain compliant: Say a man in the Cincinnati area is looking for mental health treatment for a particular condition. After googling “treatment for [condition] Cincinnati,” that potential patient clicks on a link to your site on the results page. Google Analytics’ tracking tool will collect your page URL along with the IP address of the potential patient. These two pieces of information put together violate HIPAA regulations because a connection has been made between a piece of PII (the patient’s IP address) and your URL—potentially identifying the patient’s condition.
While a Customer Data Platform (CDP) can solve the problem—more on that below—you can also use other analytics tools.
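To make the rule behind the oncology-page example and the Google Analytics example above concrete (an identifier plus a condition-page visit or form submission is PHI, and a CDP strips the identifying side before forwarding), here is an added illustration; it is not code from the article or from any CDP vendor. It assumes constructed field names, path prefixes and sample events, and reduces the HHS guidance to that single rule.

```python
import secrets
from urllib.parse import urlsplit

# Constructed for this example: site paths that imply a health condition
# (the article's "implied" health information).
CONDITION_PREFIXES = ("/conditions/", "/treatment/")
# Fields that identify a person (the article's PII list). Never forwarded to a
# vendor that has not signed a BAA.
DIRECT_IDENTIFIERS = frozenset({"ip", "device_id", "email", "phone", "name", "client_id"})
# Free-text form fields a visitor may type health details into.
FREE_TEXT_FIELDS = frozenset({"message", "reason_for_visit", "comments"})


def implies_condition(url):
    """True if the page path alone suggests a specific health condition."""
    return urlsplit(url).path.lower().startswith(CONDITION_PREFIXES)


def is_phi_exposure(event):
    """The article's rule: an identifier combined with explicit health
    information (a form submission) or implied health information (a
    condition-page visit) is PHI and must not reach a non-BAA vendor."""
    has_identifier = any(event.get(field) for field in DIRECT_IDENTIFIERS)
    explicit = event.get("type") == "form_submit"
    implied = implies_condition(event.get("url", ""))
    return has_identifier and (explicit or implied)


def deidentify_event(event):
    """Return a copy of the event that is safe to forward to a non-BAA
    analytics or ads vendor, or None when the event must stay inside
    BAA-covered systems. Identifiers and free text are dropped, a
    condition page is generalised to its section (query string included,
    since it may carry identifiers), and the copy is tagged with a random
    token that is not derived from any identifier and so cannot be joined
    back to a person."""
    if event.get("type") == "form_submit":
        return None  # explicit health information: BAA-covered tools only
    safe = {key: value for key, value in event.items()
            if key not in DIRECT_IDENTIFIERS and key not in FREE_TEXT_FIELDS}
    url = event.get("url", "")
    if implies_condition(url):
        parts = urlsplit(url)
        section = "/" + parts.path.strip("/").split("/")[0] + "/"
        safe["url"] = parts._replace(path=section, query="", fragment="").geturl()
    safe["event_token"] = secrets.token_hex(8)
    return safe


# Constructed sample events (not real visitor data; 203.0.113.0/24 is a
# documentation range and .test is a reserved TLD).
CONDITION_VISIT = {
    "type": "pageview",
    "url": "https://example-clinic.test/conditions/oncology-treatment?utm_source=ads",
    "ip": "203.0.113.7", "device_id": "dev-4f2a", "timestamp": "2024-01-05T10:00:00Z",
}
HOMEPAGE_VISIT = {"type": "pageview", "url": "https://example-clinic.test/",
                  "ip": "203.0.113.7", "device_id": "dev-4f2a"}
CONTACT_FORM = {"type": "form_submit", "url": "https://example-clinic.test/contact",
                "email": "jane@example.test", "reason_for_visit": "chemo consult"}

if __name__ == "__main__":
    for name, ev in [("condition visit", CONDITION_VISIT), ("homepage", HOMEPAGE_VISIT),
                     ("contact form", CONTACT_FORM)]:
        print(name, "exposes PHI as-is:", is_phi_exposure(ev), "->", deidentify_event(ev))
```

The homepage visit passes through with only its identifiers removed, while the condition visit also loses its specific page, and the form submission is held back entirely.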
When it comes to analytics solutions, we turn to the following, all of which will sign a BAA and offer a solid alternative to Google Analytics 4:
Websites remain an essential first point of contact for patients, serving as the foundation of most patient acquisition strategies. For many, research into a condition and/or care starts online, and websites can serve as a way to continue research, evaluate providers, and, of course, schedule initial appointments. On the provider side, websites can include important tools for communicating directly with potential patients, including chatbots, forms, and live chat.
Now more than ever, however, healthcare marketers need to ensure that they are using secure and HIPAA-compliant tools with their websites.
Chances are, if your site is doing its job, it will be “handling” PHI at some point. Whether patients are filling in forms, engaging in live chats, or just viewing condition web pages, there’s the opportunity to transmit PHI. For this reason, whatever CMS you use must be HIPAA-compliant or offer integrations and plugins to meet security and privacy requirements.
Here are our recommendations, along with some details on how they address compliance:
WordPress: Making a WordPress site HIPAA-compliant is possible with the right tools and data management strategies. It involves implementing security controls and protocols that meet the requirements defined by the US Department of Health & Human Services (HHS). The HIPAA Journal recommends that you:
Joomla: Like WordPress, Joomla has a two-factor authentication plug-in available that can be used to protect HIPAA-controlled data and keep it secure.
Drupal: Things get a bit more complicated with Drupal, as it’s a platform that requires more sophisticated developers and customization. It can get the job done and achieve HIPAA compliance with add-ons.
Patients today want to take action on websites, and one of the main ways they do that is by filling in forms to book appointments. Often, healthcare groups will use these forms to collect PHI, raising the stakes when it comes to compliance. An open text field in a form asking “why are you contacting us” allows a user to enter PHI and exposes you to risk.
As a precaution, we recommend limiting the information you’re collecting.
FormDr: Built for multi-location practices and offers the ability to direct form submissions to appropriate intake locations or providers.
Formstack: Offers mobile-friendly, HIPAA-compliant forms that include data encryption, user-level permissions, audit logging, and security maintenance.
Logiforms: HIPAA and PCI-certified form solutions include SSL, RSA encryption, and two-factor authentication.
MedForward: Submissions are encrypted in transit and at rest and are served over a protected SSL certificate.
Gravity Forms: Gravity Forms is not compliant in its free form. You will need to use the HIPAA FORMS plugin to ensure that you are HIPAA-compliant.
JotForm: HIPAA-compliant forms are only available with JotForm’s Gold plan.
FormAssembly: HIPAA-compliant forms are only available with Enterprise and Government plans.
Patients have questions, and they want them answered as soon as possible. That’s where chatbots and live chat come in, providing healthcare groups and marketers with a way to engage patients when they want help.
What are the best options when it comes to these site tools? One chatbot solution is Smartbot360; it’s built specifically for healthcare.
If you want live chat grouped with a chatbot solution, here are several options to consider:
LiveChat: HIPAA compliance is only available with an Enterprise account.
Freshworks: HIPAA compliance is only available with the standalone version of Freshchat.
TeamSupport: HIPAA compliance is only available through an add-on.
Today’s patients want the option of scheduling online; for that reason, many healthcare groups and their marketers turn to online schedulers, which allow patients to initiate the process themselves online. Looking for information is one thing; scheduling an appointment is another, and it can often capture PHI.
When it comes to online schedulers, check out these options:
Why is NexHealth our top choice?
NexHealth passes data back to Google Ads so you can track campaign performance and train the algorithm on the leads that converted into booked appointments. So not only are you giving patients a seamless booking experience, you’re gaining valuable insights to improve your campaign performance (all in a HIPAA-compliant manner).
Patient no-shows and dropouts are always a concern in healthcare. SMS marketing and communication tools give practices and marketers an easy way to maintain contact with patients and remind patients of upcoming or follow-up appointments.
Here are the SMS solutions we recommend:
As patients research, they often look into a practice’s reputation online. Reputation management tools can help you stay on top of your online reputation by automating review solicitation, compiling reviews in one place, and allowing you to respond when not-so-great reviews come in.
We like:
Ideally, patients and practices have ongoing, long-term relationships. One of the most effective ways to manage patient relationships in the long term is to leverage marketing automation and email marketing tools. You can use these solutions to keep patients up to speed on new services, push out promotions, and engage patients between appointments.
The marketing automation and email marketing tools that we love are:
HubSpot, a widely used marketing automation software platform, is not HIPAA compliant due to its terms of service, which explicitly prohibit users from collecting, storing, and transmitting sensitive health information. Despite this limitation, healthcare marketers can still use HubSpot by implementing effective data management strategies and third-party tools to prevent the platform from being exposed to PHI.
CRMs or customer relationship management solutions serve as a database of patient actions and choices, giving you the information you need to improve patient outcomes and increase patient satisfaction.
We recommend the following CRMs to our clients in the healthcare space:
Zapier is an online automation tool that connects different applications to automate tasks without coding. Healthcare organizations often use Zapier for transmitting form submission data, email campaigns, data aggregation, and CRM updates, thereby streamlining their marketing workflows and improving efficiency.
However, Zapier is not HIPAA compliant because it does not adhere to the security and privacy standards required for PHI. Without these safeguards, using Zapier to process or transmit PHI poses a risk of non-compliance.
So, what’s a viable alternative? Keragon is a HIPAA-compliant automation platform created exclusively for healthcare, with more than 100 integrations with EHRs, HIPAA-compliant CRMs, and AI medical tools. This makes Keragon an ideal choice for healthcare organizations looking to automate their processes while strictly adhering to HIPAA standards.
Now that you know which technology is HIPAA compliant, it’s time to assemble the right tools in a way that aligns with your business needs. Integrating the proper technology will help you develop more intelligent advertising that reaches the right patients and drives more booked appointments.
Let’s explore the 5 elements of a data-enabled advertising platform that will protect patients’ privacy:
For effective advertising, you must capture quality signals (site engagement, form submissions, calls, and actual booked appointments) and transfer those signals back to advertising platforms to inform algorithms. HIPAA-compliant solutions that can capture those quality signals include:
Capturing quality data is just the beginning; it’s equally vital to ensure that this data is transmitted back to your advertising platforms in a fully HIPAA-compliant way. It’s possible to pass anonymized conversion actions to advertising platforms manually, but Customer Data Platforms (CDPs) automate this process. CDP options include Tealium, Rudderstack, and Freshpaint, a healthcare privacy platform designed exclusively for healthcare needs.
For a comprehensive view of marketing performance, you need a holistic reporting system that can track all patient activity and normalize it across data points, locations, channels, brands, etc. This can be a tedious, manual process. ETL tools, like Funnel.io, automate the extraction, transformation, and loading (ETL) of data from various sources into a central data warehouse.
For efficient dashboard and report creation, it’s essential to have a dataset that is not only easy to query but also flexible and rapid, allowing for swift iteration of versions tailored to the needs of various stakeholders. ETL tools can direct data to platforms like:
Having end-to-end measurement enhances your understanding of the patient journey from initial engagement to actual healthcare outcomes and ROI. That means you need an integration with your EHR or PMS, which is something a CDP can help facilitate.
Never fear, healthcare marketers; there is a way forward. With the right HIPAA-compliant marketing technologies in place, you can still do your job while protecting the reputation of your providers and ensuring that you are in line with regulations.
About the Author
Some say Alex Membrillo was born to be CEO of Cardinal Digital Marketing. Others say the Flock chose him. Together with his team of high-flyers, Alex has led Cardinal to exponential growth thanks to an innovative approach to digital marketing. Team awards proudly include A Best Place to Work designation and the Inc. 5000 list of fastest-growing privately-held US companies.
A Digital Marketer of the Year by the Technology Association of Georgia (TAG), Alex also contributes to the Forbes Agency Council, with placements in national publications including Entrepreneur, Search Engine Journal, Physicians Practice, and The Wall Street Journal. He’s served as an expert speaker for the American Marketing Association, HCIC, SMASH Senior Care Marketing & Sales Summit, and SHSMD (among others).
The original version of this page was published at: https://www.cardinaldigitalmarketing.com/healthcare-resources/blog/hipaa-compliant-martech/