Healthcare Marketing & HIPAA: What’s Changing?

Healthcare marketers, take note: The government is refining guidelines around what data you can and cannot use. Good news is you can still engage patients in effective, HIPAA-compliant marketing if you take the right steps.

The news is in—big changes are afoot in healthcare marketing. Recent FTC complaints against GoodRx and BetterHelp have caused the government to solidify its position on what information healthcare companies can use and share with marketing technology providers. What exactly does this mean for your healthcare marketing endeavors? Let’s take a look at exactly what information is protected and how healthcare groups can still advertise to healthcare consumers within these new parameters.

Review of Recent Regulatory and Legal Activity

In December of 2022, the Department of Health and Human Services released a Bulletin to clarify details on what is considered healthcare information and how it is shared. The big pullout quote? According to the HHS bulletin:

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

What is considered a tracking technology? According to the Bulletin, tracking technology refers to script or code on a website or mobile app used to gather information about users as they interact with it. Examples include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts.

What inspired the increasing scrutiny of how healthcare data is used? Let’s take a quick look at the FTC complaints.

GoodRx & BetterHelp FTC Complaints

Here’s essentially what happened: BetterHelp shared email addresses, IP addresses, and information users had entered into a health questionnaire with Facebook, Snapchat, Criteo, and Pinterest. And GoodRx? They used Facebook’s ad targeting platform to match specific users to their PHI and designed campaigns around that. Not only that, their privacy policies said they wouldn’t share or use that information. We’ll dive into exactly why that’s out of compliance in a minute. For now, suffice to say that both companies have been censured and fined, and the government is taking these violations very seriously. According to S. Levine, the Bureau of Consumer Protection Director at the FTC,    

“When a person struggling with mental health issues reaches out for help, they do so in a moment of vulnerability and with an expectation that professional counseling services will protect their privacy.”

In recent years, as Facebook moved to restrict access to third-party data, advertisers have relied more heavily on first-party data to build advertising audiences. In these cases, healthcare groups are using customer lists as a means to build advertising audiences. This behavior is a clear-cut example of a HIPAA violation. 

The situation, however, is more nuanced when we examine different ways data is collected online.

So, what is a HIPAA Violation?

First things first—don’t be scared by recent rulings. Not all data tracking is bad, and not all data tracking will incur a HIPAA violation. It is, however, important to have a thorough understanding of the HHS guidance.

The long and short of it is this: HIPAA violations occur when you combine personal identifying information (i.e., Name, IP Address, Phone Number, Email, Device ID, etc.) with protected health information.

What is “health information” exactly? Well, it comes in two forms: explicit and implied.

What’s an example of ‘explicit’ health information? Think about when a potential patient submits a website form requesting healthcare services. That would be ‘explicit.’ So-called “implied” health information might involve another user simply visiting a specific condition page. It’s “implied” that they are seeking healthcare, but they haven’t taken action and, therefore, haven’t generated “explicit” health information.

It’s at the confluence of those two types of healthcare information—explicit and implied—that your healthcare marketing efforts could possibly result in a HIPAA violation. 

Let’s walk through an example. A user visits your website, providing you with an IP address or device ID. If, while on your site, that user visits a specific page (say, for oncology treatment) and you use that visit to infer that the user has that healthcare condition, then market to them accordingly (using their device ID), that would constitute a HIPAA violation under these new guidelines.

In summary, what happens is that analytics platforms like Google Analytics, HubSpot, etc. are designed to capture a myriad of data. Not all data is bad when viewed in a silo. But when viewed together in the platform, it is possible to tie personal identifying information with implied health information.


Are ANY Marketing Technology Platforms Compliant with HIPAA?

Good question. The answer is that it depends, and many are not. How can you ensure that your technology platform is compliant? To be compliant, a platform must have business associate agreements (BAAs) in place. Who are the “business associates” with whom these agreements are made? According to HHS, a business associate is any individual or entity “that performs functions or activities on behalf of a covered entity that requires the business associate to access PHI.”

By entering into a BAA, a HIPAA-covered entity establishes a legally-binding relationship designed to protect personal health information.

The bad news? Most marketing platforms do not have BAAs in place, including heavy hitters such as Google Analytics, Facebook, Google Ads, HubSpot, etc.


Marketing Recommendations to Ensure HIPAA-Compliance

What to do? First, it’s vital to assess your marketing tech stack and patient acquisition strategy. From there, we have a few recommendations to ensure that you can meet regulatory standards and your business goals. Here are our recommendations:

  • Stop all campaigns that use customer data.
    • Do not use customer lists.
    • Do not create lookalike audiences based on customer lists.
  • Audit your marketing analytics and tracking technologies.
    • Ask: What tracking codes have you implemented on your website or landing pages?
    • Does data go to a platform that also stores PHI?
  • Audit your marketing technology stack.
    • Are all your marketing platforms and tools HIPAA-compliant? Which ones aren’t? How vital are they to your marketing outcomes?
    • N.B.: Most marketing technology platforms do not have BAAs in place and won’t sign them.
  • Evaluate your media campaign performance.
    • If you have been running retargeting campaigns, evaluate their performance.
    • Determine if they play a critical role in new patient acquisition or customer retention.
    • If they do, there are HIPAA-compliant solutions (read on).
  • Implement a Customer Data Platform (CDP).
    • If you do think they’re a vital component, you need to implement a third-party Customer Data Platform (CDP) solution.
    • This technology sits between your data and marketing platforms and can anonymize user information and site usage so that there is no combination of data sources that would allow someone to discover health data about a specific user.
    • Unlike other marketing platforms, many CDPs form a BAA with HIPAA-covered entities.
    • We are using Fresh Paint, which specializes in healthcare and this type of data governance. It houses your data in a walled garden and only sends specific information to the advertising or analytics platform.
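To make the CDP gate described above concrete, here is an added example (not code from the article, Fresh Paint, or any other vendor) that applies the article’s rule that a personal identifier combined with explicit or implied health information is PHI to analytics events and strips what must not reach a platform that has no BAA. All field names, path prefixes, event names and sample events are constructed.

```python
# Added example, not the article's or any vendor's code: a minimal CDP-style
# gate. Rule from the article: identifier + (explicit or implied) health
# information = PHI, which must not be forwarded to a platform without a BAA.
# Every field name, path prefix, event name and sample event is constructed.

# Identifiers the article lists (name, IP, phone, email, device ID).
IDENTIFIER_FIELDS = {"name", "ip", "phone", "email", "device_id"}
# A visit to a page under these prefixes implies a health condition.
IMPLIED_HEALTH_PATHS = ("/conditions/", "/treatments/")
# Event types that carry explicit health information (a service request).
EXPLICIT_HEALTH_EVENTS = {"form_submit", "appointment_request"}


def health_info_kind(event):
    """Classify one event dict as 'explicit', 'implied' or None."""
    if event.get("event") in EXPLICIT_HEALTH_EVENTS:
        return "explicit"
    if any(event.get("path", "").startswith(p) for p in IMPLIED_HEALTH_PATHS):
        return "implied"
    return None


def identifiers_present(event):
    """Sorted identifier fields that carry a value in this event."""
    return sorted(k for k in IDENTIFIER_FIELDS if event.get(k))


def is_phi_disclosure(event, destination_has_baa):
    """True if forwarding the event unchanged pairs an identifier with health info at a non-BAA vendor."""
    return (not destination_has_baa and bool(identifiers_present(event))
            and health_info_kind(event) is not None)


def sanitize_for_forwarding(event):
    """What may leave for a non-BAA platform: identifiers dropped, condition path
    and explicit event type replaced by generic buckets (counts survive, PHI does not)."""
    kind = health_info_kind(event)
    out = {k: v for k, v in event.items() if k not in IDENTIFIER_FIELDS}
    if kind is not None:
        out["path"] = "/health-content/"
    if kind == "explicit":
        out["event"] = "generic_conversion"
    return out


def audit(events, destination_has_baa=False):
    """(index, identifiers, kind) for every event the gate would block."""
    return [(i, identifiers_present(e), health_info_kind(e))
            for i, e in enumerate(events) if is_phi_disclosure(e, destination_has_baa)]


# Constructed samples: the article's oncology-page visit, a neutral page, a service request.
SAMPLE_EVENTS = [
    {"event": "page_view", "path": "/conditions/oncology", "device_id": "dev-123", "ip": "203.0.113.5"},
    {"event": "page_view", "path": "/about-us", "device_id": "dev-123"},
    {"event": "form_submit", "path": "/conditions/oncology/request", "email": "patient@example.com"},
]
```

Running `audit(SAMPLE_EVENTS)` flags the first and third events; `sanitize_for_forwarding` on either returns an event with no identifier and a generic path, which the same check then passes.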

Finally, these issues highlight the need to work with an agency that has healthcare experience. 

Outsourcing to contractors or working with agencies that don’t specialize in healthcare opens you up to risk. Ensure you’re vetting partners thoroughly and asking them how they approach advertising in the healthcare space.


Conclusion: HIPAA-Compliant Advertising Solution: Full-Funnel Strategy

The best choice you can make to ensure HIPAA compliance? Partnering with an experienced healthcare marketing agency. You’ll also want to leverage a CDP, as mentioned above, for full safety and compliance. 

If you can’t use a CDP, then implement a full-funnel advertising strategy that starts by building top-of-the-funnel (TOF) audiences using platform-available demographic targeting. Video campaigns powered with compelling creative are the first step in a full-funnel strategy. Engagers, or those who have watched more than 15 seconds, are subsequently shown a new ad campaign that builds on the offering, sharing more information, resources, etc., and pushes the user towards conversion. This approach doesn’t use PHI. 

In a world of increasing data restrictions, you need to build a differentiated healthcare brand. Hone your brand’s unique selling proposition and make sure to build an exemplary patient experience and reputation. Leveraging strong messaging and ad creative will allow you to stand out in crowded marketplaces and help you reach and engage your ideal patients—without compromising their data.  
