Marketing in healthcare isn’t as straightforward as in other industries. HIPAA compliance is front and center, and the guidance around it has changed significantly in the last two years. Now more than ever, healthcare marketers need to walk a fine line between doing what’s needed in terms of marketing and adhering to strict privacy rules. Since the release of an HHS bulletin in December 2022 and FTC actions against prominent health companies, that line has become even finer.
Table of Contents
- What’s Changed and Where is the Risk?
- Using Non-HIPAA Compliant MarTech in a Compliant Manner
- Customer Data Platforms (CDPs)
- Call Tracking & Analytics Solutions
- Marketing Analytics & Data Visualization
- Secure & Compliant Website Technologies
- Website CMS (Content Management Systems)
- SMS Marketing Platforms
- Reputation Management Tools
- Marketing Automation & Email Marketing
- HIPAA-Compliant CRMs
- Software Integration Tools
- Putting it Together: HIPAA-compliant Advertising Ecosystem
The good news? Effective marketing in a HIPAA-governed world is still doable with the right tools and strategies in place. We’ve put together a list of marketing technologies that can be used in a HIPAA-compliant manner, as well as recommendations on how to build an optimal technology foundation to maximize the effectiveness of your advertising strategy and investment.
What’s Changed and Where is the Risk?
In December 2022, the Department of Health and Human Services released a Bulletin to clarify details on what is considered healthcare information and how it is shared. The big pullout quote? According to the HHS bulletin:
“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”
What is considered a tracking technology? According to the Bulletin, a tracking technology is a script or code on a website or mobile app that gathers information about users as they interact with the site or app. Common examples are cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts.
HIPAA itself is enforced by the HHS Office for Civil Rights, not the FTC. Separately, though, the FTC has stepped up enforcement of its own Health Breach Notification Rule (HBNR), which covers health apps and similar services that fall outside HIPAA. First up, the FTC alleged that GoodRx violated the HBNR by failing to notify consumers and others, as the rule requires, that it had shared the PHR identifiable health information of millions of users with third-party advertisers without users’ authorization. Since then, other healthcare organizations have faced complaints and lawsuits.
What This Really Means:
First, don’t be scared by recent enforcement actions. Not all data tracking is bad, and not all data tracking will incur a HIPAA violation. It is, however, important to have a thorough understanding of the HHS guidance.
The long and short of it is this: health information becomes PHI the moment it is tied to an identifier (name, IP address, phone number, email, device ID, etc.), and the violation occurs when that combination is disclosed to a tracking or advertising vendor that is not a business associate, or is otherwise used in a way the Privacy Rule does not permit.
What is “health information” exactly? Well, it comes in two forms: explicit and implied.
What’s an example of ‘explicit’ health information? Think about when a potential patient submits a website form requesting healthcare services. That would be ‘explicit.’ So-called “implied” health information might involve another user simply visiting a specific condition page. It’s “implied” that they are seeking healthcare, but they haven’t taken action and, therefore, haven’t generated “explicit” health information.
It’s at the confluence of those two types of healthcare information—explicit and implied—that your healthcare marketing efforts could possibly result in a HIPAA violation.
Let’s walk through an example. A user visits your website, and the tracking script on the page captures an identifier such as an IP address or device ID. While on your site, that user visits a specific page (say, for oncology treatment). If the identifier and that page URL are sent to an ad or analytics vendor that has not signed a BAA, and you then infer that the user has that condition and market to them by device ID, that is an impermissible disclosure of PHI under the HHS guidance.
In summary: analytics platforms like Google Analytics, HubSpot, etc., are designed to capture a myriad of data. No single field is a problem when viewed in a silo. But once the platform holds the identifier and the page view together, it can tie personal identifying information to implied health information.
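Before you can decide which vendors need a BAA, you need to know which vendors your pages actually load. The following is an added example, not code from the original article: a small static audit in Python that parses a page’s HTML and lists every script, tracking pixel and iframe served from a host other than your own, tagging those that match well-known tag managers, analytics and ad pixels. The sample HTML, the site hostname example-clinic.org and the short vendor table are constructed for illustration; a real audit would also record what a live browser loads, because tag managers inject further scripts at runtime.

```python
"""Inventory third-party tracking technologies in a page's HTML.

Added example (not from the original article). Static scan only: it
reports what the markup references, which is the minimum set of
vendors that would receive the page URL plus a visitor identifier.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative starter table of vendor hosts, not an exhaustive registry.
KNOWN_TRACKERS = {
    "googletagmanager.com": "Google Tag Manager",
    "google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
    "facebook.com/tr": "Meta Pixel (image beacon)",
    "hotjar.com": "Hotjar (session replay)",
    "doubleclick.net": "Google Ads",
}
# Globals that inline tag snippets install; their presence means a tag
# is configured even if the loader script is injected later at runtime.
INLINE_MARKERS = {
    "gtag(": "Google tag (inline config)",
    "fbq(": "Meta Pixel (inline config)",
    "hj(": "Hotjar (inline config)",
}


def _host(src):
    """Hostname of a src URL ('' for relative URLs, i.e. first party)."""
    return urlparse(src.strip()).netloc.lower().split(":")[0]


class TrackerScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._script_buf = None  # collects inline <script> bodies

    def _is_third_party(self, host):
        return bool(host) and host != self.site_host \
            and not host.endswith("." + self.site_host)

    def _note(self, kind, src):
        host = _host(src)
        vendor = next((v for k, v in KNOWN_TRACKERS.items() if k in src), None)
        self.findings.append({"kind": kind, "src": src, "host": host,
                              "third_party": self._is_third_party(host),
                              "vendor": vendor})

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._script_buf = []
            if a.get("src"):
                self._note("script", a["src"])
        elif tag in ("img", "iframe") and a.get("src"):
            tiny = a.get("width") == "1" and a.get("height") == "1"
            self._note("pixel" if tag == "img" and tiny else tag, a["src"])

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            code = "".join(self._script_buf)
            self._script_buf = None
            for marker, vendor in INLINE_MARKERS.items():
                if marker in code:
                    self.findings.append({"kind": "inline", "src": marker,
                                          "host": "", "third_party": False,
                                          "vendor": vendor})


def scan_page(html, site_host):
    """Return a list of findings for every external resource in `html`."""
    parser = TrackerScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def third_party_vendors(findings):
    """Sorted vendor names (or raw hosts) that would receive page data."""
    return sorted({f["vendor"] or f["host"] for f in findings if f["third_party"]})


# Constructed sample: a condition page with a tag manager, an inline
# gtag config, a first-party script, a Meta pixel and a first-party iframe.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-0000000"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-0000000');</script>
<script src="/static/app.js"></script>
</head><body>
<h1>Oncology treatment options</h1>
<img src="https://www.facebook.com/tr?id=000&ev=PageView&noscript=1" width="1" height="1"/>
<iframe src="https://booking.example-clinic.org/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    results = scan_page(SAMPLE_HTML, "example-clinic.org")
    for f in results:
        flag = "THIRD-PARTY" if f["third_party"] else "first-party"
        print(f"{flag:12} {f['kind']:7} {f['vendor'] or f['host'] or '(inline)'}  {f['src']}")
    print("vendors receiving page data:", third_party_vendors(results))
```

Run it over each condition and intake page before and after any tag change; anything reported as third-party that is not on your BAA list is a disclosure you have to justify or remove.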
What Exactly is PHI?
According to the HHS, PHI is “individually identifiable health information,” including demographic data, that relates to:
- the individual’s past, present, or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
- and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
18 PHI Identifiers (the HIPAA Safe Harbor de-identification list)
- Patient names
- Geographical elements
- Dates related to the health or identity of individuals
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric elements, including finger, retinal, and voiceprints
- Full-face photographs and comparable images
- Any other unique identifying number, characteristic, or code
Using Non-HIPAA Compliant MarTech in a Compliant Manner
Just because a technology isn’t HIPAA compliant doesn’t mean it’s off-limits to you as a healthcare marketer.
Remember, not every marketing tool captures PHI. To ensure that your solution is not capturing PHI, it’s important to understand what PHI is in the eyes of the HHS (as described above).
When implementing new technologies, ensure you fully understand how the tech will be used, what information is being captured, and where (and how) it’s being stored and sent. Train your marketing and operational team to understand data management best practices.
For example, you never want anyone on your team uploading patient lists to an ad platform like Facebook or Google, or to an email marketing platform, that hasn’t signed a BAA!
You will need to be especially vigilant with staff that comes to you from other industries, such as retail or CPG. Remember, they’ve been using marketing tech and customer data differently and may need special training to ensure they understand how different the stakes are in healthcare.
An important piece of this new puzzle for healthcare marketers is the BAA, or Business Associate Agreement. A BAA is a contract between a HIPAA-covered entity, such as a practice or health system, and a business associate (a vendor, including software and technology providers) that may create, receive, maintain, or transmit PHI while working on the covered entity’s behalf. It obligates the vendor to safeguard that PHI under the HIPAA rules and to report breaches.
So what makes a technology or app HIPAA compliant? A BAA alone doesn’t: it is one component of a broader compliance strategy. Technology providers must also implement the technical, administrative, and physical safeguards the Security Rule requires, including but not limited to data encryption, access controls, and audit controls.
It’s important to know that getting a BAA in place is not always easy, either. Some marketing technologies and ad platforms will not sign them (E.g., Facebook and Google Ads). Moreover, even if they are willing to sign, they may insist on their own agreement, rejecting your organization’s BAA. This often becomes a contentious issue for compliance teams, and reaching a compromise can become elusive.
As we delve into potential marketing tools, it is crucial to remember that a BAA is not a one-size-fits-all remedy, and a potential tool might not be a solution for your organization.
Customer Data Platforms (CDPs)
What do you do when a marketing technology vendor won’t sign a BAA? You can consider implementing a CDP, or Customer Data Platform.
Implementing a CDP lets you keep your current technology stack, avoiding expensive switching costs.
A CDP sits between your site and the rest of your stack: events are sent to the CDP first, and the CDP decides what, if anything, each downstream tool receives. Because the CDP holds the raw data, it has to be a business associate itself: it needs a signed BAA, encryption of patient data in transit and at rest, and access controls that limit identifiable records to personnel who need them.
The compliance value comes from what it does before forwarding. A CDP can strip or block identifiers (IP address, email, device ID, names typed into free-text fields) and generalize page URLs that reveal a condition, so that a tool without a BAA only ever receives de-identified events. With identifying information removed, marketers can, for example, pass conversion signals between data sources like Google Analytics and Google Ads. Note that “de-identified” has a specific meaning under HIPAA (the Safe Harbor list above, or an expert determination); dropping a few fields is not automatically enough, so review exactly what each destination receives.
When considering a Customer Data Platform (CDP), there are several established options available. Rudderstack and Tealium are two notable platforms that have proven effective across various industries.
On the other hand, Freshpaint is uniquely dedicated to healthcare, operating as a healthcare privacy platform. It specializes in bridging the gap between patient privacy and digital marketing, ensuring that sensitive data is never shared with tools lacking HIPAA compliance. This focus makes Freshpaint an ideal choice for healthcare-specific digital marketing needs.
Call Tracking & Analytics Solutions
Call tracking and analytics is a vital technology in the healthcare marketing toolkit. It provides insights into where your leads are coming from, what they want, and if they ultimately book an appointment. The most innovative of today’s call-tracking solutions leverage AI to track and analyze phone calls and identify crucial data points, including patient sentiment, conversion barriers, lead quality, and more. With this data in hand, marketers can then identify which campaigns, keywords, and resources are generating calls and form fills, enabling them to allocate spend and optimize strategy more effectively.
While there are a number of options out there, we here at Cardinal see our clients use these call-tracking solutions:
Marketing Analytics & Data Visualization
Analytics tools in marketing can provide marketers with easy ways to access and analyze metrics that, in turn, provide insight into which marketing efforts are working and which are not.
The go-to analytics solution for many marketing teams has long been Google Analytics. While a hugely popular and effective tool, it is not inherently HIPAA-compliant. Google places the onus directly on marketers, stating that users should not pass any data to Google “that Google could recognize as personally identifiable information (PII)” or that could be considered PHI.
Here’s why it’s so difficult to keep Google Analytics compliant: Say a man in the Cincinnati area is looking for mental health treatment for a particular condition. After googling “treatment for [condition] Cincinnati,” he clicks through to your site from the results page. The Google Analytics tag collects your page URL (which names the condition) along with identifiers for the visitor, such as the IP address and the client ID stored in the analytics cookie. Sent together to Google, which has not signed a BAA for Analytics, those pieces connect an identifier to a likely condition, which is the impermissible disclosure the HHS bulletin describes.
While a Customer Data Platform (CDP) can solve the problem, as described in the CDP section above, you can also use other analytics tools.
When it comes to analytics solutions, we turn to the following, all of which will sign a BAA and offer a solid alternative to Google Analytics 4:
Secure & Compliant Website Technologies
Websites remain an essential first point of contact for patients, serving as the foundation of most patient acquisition strategies. For many, research into a condition and/or care starts online, and websites can serve as a way to continue research, evaluate providers, and, of course, schedule initial appointments. On the provider side, websites can include important tools for communicating directly with potential patients, including chatbots, forms, and live chat.
Now more than ever, however, healthcare marketers need to ensure that they are using secure and HIPAA-compliant tools with their websites.
Website CMS (Content Management Systems)
Chances are, if your site is doing its job, it will be “handling” PHI at some point. Whether patients are filling in forms, engaging in live chats, or just viewing condition web pages, there’s the opportunity to transmit PHI. For this reason, whatever CMS you use must be HIPAA-compliant or offer integrations and plugins to meet security and privacy requirements.
Here are our recommendations, along with some details on how they address compliance:
WordPress: Making a WordPress site HIPAA-compliant is possible with the right tools and data management strategies. It involves implementing security controls and protocols that meet the requirements defined by the US Department of Health & Human Services (HHS). The HIPAA Journal recommends that you:
- Host the website on a HIPAA-compliant host or with a hosting company willing to sign a BAA.
- Ensure that any data uploaded to the website (via form) is through a HIPAA-covered plugin (see below).
- Store electronic PHI separately from WordPress and ensure data encryption during transit and at rest.
- Train all website users on privacy and security best practices.
- Implement two-factor authentication for all website administrators and users.
- Use a security plugin such as Wordfence to run routine malware and vulnerability scans and to log CMS user logins and access.
Joomla: Like WordPress, Joomla offers two-factor authentication for user accounts, which protects the administrator logins that can reach stored data. On its own that does not make the site compliant; the hosting, form, storage, and training steps above still apply.
Drupal: Things get a bit more complicated with Drupal, as it’s a platform that requires more sophisticated developers and customization. It can get the job done and achieve HIPAA compliance with add-ons.
Patients today want to take action on websites, and one of the main ways they do that is by filling in forms to book appointments. Often, healthcare groups will use these forms to collect PHI, raising the stakes when it comes to compliance. An open text field in a form asking “why are you contacting us” allows a user to enter PHI and exposes you to risk.
As a precaution, limit the information you collect on marketing forms to what you need to follow up, and make sure any field that can carry PHI lands only in systems covered by a BAA.
FormDr: Built for multi-location practices and offers the ability to direct form submissions to appropriate intake locations or providers.
Formstack: Offers mobile-friendly, HIPAA-compliant forms that include data encryption, user-level permissions, audit logging, and security maintenance.
Logiforms: Markets forms built to HIPAA and PCI requirements, with TLS (“SSL”), RSA encryption, and two-factor authentication. (Note that HHS does not certify products as “HIPAA compliant”; treat any such label as a vendor claim to back with a signed BAA and your own review.)
MedForward: Submissions are encrypted in transit and at rest and served over HTTPS (TLS).
Gravity Forms: Gravity Forms is not compliant on its own. You will need to add the HIPAA FORMS plugin to ensure that you are HIPAA-compliant.
JotForm: HIPAA-compliant forms are only available with JotForm’s Gold plan.
FormAssembly: HIPAA-compliant forms are only available with Enterprise and Government plans.
Chatbots + Live Chat
Patients have questions, and they want them answered as soon as possible. That’s where chatbots and live chat come in, providing healthcare groups and marketers with a way to engage patients when they want help.
What are the best options when it comes to these site tools? One chatbot solution is Smartbot360; it’s built specifically for healthcare.
If you want live chat grouped with a chatbot solution, here are several options to consider:
LiveChat: HIPAA compliance is only available with an Enterprise account.
Freshworks: HIPAA compliance is only available with the standalone version of Freshchat.
TeamSupport: HIPAA compliance is only available through an add-on.
Today’s patients want the option of scheduling online; for that reason, many healthcare groups and their marketers turn to online schedulers, which let patients initiate the process themselves. Looking up information is one thing; scheduling an appointment is another, and it routinely captures PHI (name, contact details, reason for visit), so the scheduler itself must be covered by a BAA.
When it comes to online schedulers, check out these options:
Why is NexHealth our top choice?
NexHealth passes data back to Google Ads so you can track campaign performance and train the algorithm on the leads that converted into booked appointments. So not only are you giving patients a seamless booking experience, you’re gaining valuable insights to improve your campaign performance (all in a HIPAA-compliant manner).
SMS Marketing Platforms
Patient no-shows and dropouts are always a concern in healthcare. SMS marketing and communication tools give practices and marketers an easy way to maintain contact with patients and remind patients of upcoming or follow-up appointments.
Here are the SMS solutions we recommend:
Reputation Management Tools
As patients research, they often look into a practice’s reputation online. Reputation management tools can help you stay on top of your online reputation by automating review solicitation, compiling reviews in one place, and allowing you to respond when not-so-great reviews come in.
Marketing Automation & Email Marketing
Ideally, patients and practices have ongoing, long-term relationships. One of the most effective ways to manage patient relationships in the long term is to leverage marketing automation and email marketing tools. You can use these solutions to keep patients up to speed on new services, push out promotions, and engage patients between appointments.
The marketing automation and email marketing tools that we love are:
HubSpot, a widely used marketing automation software platform, is not HIPAA compliant due to its terms of service, which explicitly prohibit users from collecting, storing, and transmitting sensitive health information. Despite this limitation, healthcare marketers can still use HubSpot by implementing effective data management strategies and third-party tools to prevent the platform from being exposed to PHI.
HIPAA-Compliant CRMs
CRMs, or customer relationship management solutions, serve as a database of patient actions and choices, giving you the information you need to improve patient outcomes and increase patient satisfaction.
We recommend the following CRMs to our clients in the healthcare space:
- Zoho CRM
- Enquire Solutions
- Salesforce – Requires security customizations and add-ons to become HIPAA compliant.
- Freshsales – Requires a signed BAA to become HIPAA compliant.
Software Integration Tools
Zapier is an online automation tool that connects different applications to automate tasks without coding. Healthcare organizations often use Zapier for transmitting form submission data, email campaigns, data aggregation, and CRM updates, thereby streamlining their marketing workflows and improving efficiency.
However, Zapier is not HIPAA compliant because it does not commit to the security and privacy safeguards required for PHI. Without those safeguards, using Zapier to process or transmit PHI (form submissions, CRM records, appointment data) poses a real risk of non-compliance.
So, what’s a viable alternative? Keragon is a HIPAA-compliant automation platform created exclusively for healthcare, with more than 100 integrations with EHRs, HIPAA-compliant CRMs, and AI medical tools. This makes Keragon a strong choice for healthcare organizations looking to automate their processes while strictly adhering to HIPAA standards.
Putting it Together: HIPAA-compliant Advertising Ecosystem
Now that you know which technology is HIPAA compliant, it’s time to assemble the right tools in a way that aligns with your business needs. Integrating the proper technology will help you develop more intelligent advertising that reaches the right patients and drives more booked appointments.
Let’s explore the five elements of a data-enabled advertising platform that protects patients’ privacy:
For effective advertising, you must capture quality signals (site engagement, form submissions, calls, and actual booked appointments) and transfer those signals back to advertising platforms to inform algorithms. HIPAA-compliant solutions that can capture those quality signals include:
- Patient Prism – AI-powered call tracker that can report on booked appointments.
- Liine – AI-powered call tracker that can report on booked appointments.
- Mixpanel – Product and marketing analytics platform (a GA4 alternative) that captures onsite activity.
- NexHealth – Online booking platform that captures booked-appointment data.
Capturing quality data is just the beginning; it’s equally vital to ensure that this data is transmitted back to your advertising platforms in a fully HIPAA-compliant way. It’s possible to pass de-identified conversion actions to advertising platforms manually, but Customer Data Platforms (CDPs) automate this process. CDP options include Tealium, Rudderstack, and Freshpaint, a healthcare privacy platform designed exclusively for healthcare needs.
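This forwarding step, the same filtering described in the CDP section above and the reason free-text form fields are risky, is where compliance is actually decided. As an added example (not code from the original article and not any CDP vendor’s implementation), the following Python shows the shape of a server-side filter placed in front of a destination that has not signed a BAA: it forwards only an allow-list of fields, drops the Safe Harbor identifiers and every free-text field, collapses condition page URLs to a neutral bucket, and fails closed when an allow-listed field still contains something that looks like an email, phone number or IP address. The field names, the condition path prefixes and the sample events are constructed assumptions.

```python
"""Server-side event filter in front of a non-BAA ad/analytics destination.

Added example (not from the original article). Everything that is not
explicitly allowed is dropped; anything allowed that still looks like an
identifier is rejected rather than forwarded.
"""
import json
import re
from urllib.parse import urlsplit

# Direct identifiers from the Safe Harbor list, never forwarded (assumed field names).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "ip", "device_id", "client_id",
                      "user_id", "dob", "mrn", "address"}
# The only fields a destination without a BAA may receive (assumed names).
ALLOWED_FIELDS = {"event", "timestamp", "source", "medium", "campaign", "value"}
# Path prefixes that reveal a condition, i.e. "implied" health information (assumed).
CONDITION_PREFIXES = ("/conditions/", "/treatments/", "/specialties/")

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
PHONE_RE = re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class PHILeak(ValueError):
    """Raised when an allow-listed field still carries an identifier."""


def looks_like_identifier(text):
    """Heuristic check for an email, phone number or IPv4 address in free text."""
    return bool(EMAIL_RE.search(text) or PHONE_RE.search(text) or IPV4_RE.search(text))


def generalize_page(url):
    """Reduce a page URL to a path; condition pages collapse to one bucket.
    The query string and fragment are always dropped (they can carry search terms)."""
    path = urlsplit(url).path or "/"
    for prefix in CONDITION_PREFIXES:
        if path.startswith(prefix):
            return "/clinical-content/"
    return path


def sanitize_event(event):
    """Return the subset of `event` that may leave the HIPAA boundary.

    Raises PHILeak (fail closed) if an allowed field contains an identifier.
    """
    out = {}
    for key, value in event.items():
        if key in DIRECT_IDENTIFIERS or key not in ALLOWED_FIELDS:
            continue  # drop identifiers and everything not on the allow-list
        if isinstance(value, str) and looks_like_identifier(value):
            raise PHILeak(f"field {key!r} carries an identifier: {value!r}")
        out[key] = value
    if "page" in event:
        out["page"] = generalize_page(str(event["page"]))
    return out


def forward_batch(events):
    """Split a batch into (safe_to_send, rejected) without ever sending."""
    sent, rejected = [], []
    for ev in events:
        try:
            sent.append(sanitize_event(ev))
        except PHILeak as exc:
            rejected.append((ev.get("event"), str(exc)))
    return sent, rejected


# Constructed sample events: a condition page view, a contact form with
# free text, and a call event whose campaign label leaked a phone number.
SAMPLE_EVENTS = [
    {"event": "page_view", "timestamp": "2024-05-01T14:03:00Z",
     "ip": "203.0.113.7", "client_id": "GA1.2.111.222",
     "page": "https://example-clinic.org/conditions/oncology?ref=search",
     "source": "google", "medium": "cpc", "campaign": "brand"},
    {"event": "form_submit", "timestamp": "2024-05-01T14:09:30Z",
     "email": "pat@example.com", "phone": "513-555-0100",
     "message": "Can you treat stage 2 lymphoma?",
     "page": "https://example-clinic.org/contact?utm_source=google",
     "campaign": "spring", "value": 1},
    {"event": "call", "timestamp": "2024-05-01T15:00:00Z",
     "campaign": "callback 513-555-0100",
     "page": "https://example-clinic.org/contact"},
]

if __name__ == "__main__":
    safe, bad = forward_batch(SAMPLE_EVENTS)
    print(json.dumps(safe, indent=2))
    for name, reason in bad:
        print("REJECTED", name, "->", reason)
```

The decision to raise rather than silently scrub an allow-listed field is deliberate: a phone number in a campaign label means someone upstream is putting identifiers where they do not belong, and that needs a human to fix the source, not a filter that hides it.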
For a comprehensive view of marketing performance, you need a holistic reporting system that can track all patient activity and normalize it across data points, locations, channels, brands, etc. This can be a tedious, manual process. ETL tools, like Funnel.io, automate the extraction, transformation, and loading (ETL) from various sources into a central data warehouse.
For efficient dashboard and report creation, it’s essential to have a dataset that is not only easy to query but also flexible and rapid, allowing for swift iteration of versions tailored to the needs of various stakeholders. ETL tools can direct data to platforms like:
Having end-to-end measurement enhances your understanding of the patient journey from initial engagement to actual healthcare outcomes and ROI. That means you need an integration with your EHR or PMS, which is something a CDP can help facilitate.
Never fear healthcare marketers; there is a way forward. With the right HIPAA-compliant marketing technologies in place, you can still do your job while protecting the reputation of your providers and ensuring that you are in line with regulations.