Healthcare marketers are in a bind like no other in the marketing profession. There’s a huge tension between what’s required of the role–educating your audience and generating leads–and what’s required of the industry–strict adherence to privacy rules.
Table of Contents
This means healthcare marketers are doing marketing in hard mode. The types of data and marketing methods available to your peers aren’t an option for your companies. HIPAA guidelines have to be taken seriously, as the myriad fines and lawsuits of the past few years have shown.
But marketing in a HIPAA world isn’t impossible. You have to be careful and professional, but by using the right techniques and the right tools, you can continue to use analytics (almost) as before and, though it is harder, continue to get high-quality leads for your business.
The False Dichotomy of HIPAA Regulations and Good Marketing
As a digital marketer, you’re programmed to leverage data. You want to use it to understand your audience, to build the best campaigns, and to continuously optimize every facet of your customer journey.
Turn that data off, and your entire funnel can collapse, along with any new patient signup or revenue targets you had.
That’s effectively what has to happen if you are relying on Google Analytics or Facebook data in your marketing. With the recent Health and Human Services “Use of Online Tracking Technologies” update to the HIPAA guidelines, it’s now clear that most website tracking falls foul of the HIPAA privacy rules.
This is because of the inherent way tracking technologies work. To be able to track people on your site, you have to be able to track identifiable information about them–their IP address, their email, a user id, or a device identifier.
But this information is specifically what the updated HIPAA guidelines prohibit. Why? Because, when combined with some health information, it becomes easy to associate a medical or health issue with a single individual–exactly what HIPAA is supposed to prevent
Let’s take an example–say you have a public website that gives information about conditions and allows users to connect with a medical professional. On that site, you use Google tags and Facebook pixels to capture information about the users visiting your websites. Both of these, by default (and concealed from analytics users), send the IP address of that user to Google/Facebook.
This is a straightforward HIPAA violation and will get you fined. Because, with that information, someone can say that “the person with IP address 250.171.49.205 has sought advice from an Obstetrician.”
This is individually identifiable health information. From HHS:
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”
You are permitted to disclose this data under specified conditions, and to tools equipped to protect this data. These tools must agree to a Business Associate Agreement (BAA) that outlines the safeguards in place for PHI. Neither Google nor Facebook sign BAAs. They don’t want this data.
If you can’t pass this information on to Google or Facebook, that means you can’t use any of their ad targeting technologies that usually rely on this data–no lookalike audiences, no remarketing, no campaigns optimized around conversions.
So, how can you navigate this?
Despite these challenges, it is possible for marketers to generate high-quality leads in a HIPAA-compliant manner. Compliance with HIPAA doesn’t eliminate marketing, it refines it. It necessitates thought about the information you track, share, and employ. It necessitates a privacy-first approach and a willingness to adapt. We identify three pillars for this:
- Optimize what you have. While access to data is restricted, you aren’t entirely cut off. How can you most effectively utilize the data you do have access to? And what data do ad platforms really need to be effective?
- Enhance your marketing skills. The limited data access requires you to harness your creativity more effectively. By acknowledging the significance of privacy in healthcare, and how critical it is to your audience, you’ll also start to understand your audience better.
- Focus on the benefits. Understand the inherent value of your product or service, and let that guide your marketing efforts.
Getting High-Quality Leads in a HIPAA-Compliant Environment
What does this “refined” marketing look like in a HIPAA world?
Control the Data Shared with Platforms like Google and Facebook
Despite Facebook and Google’s appetite for data to feed their advertising platforms, they can still function optimally with less. By controlling what information is sent to these platforms–ensuring identifiers and health information aren’t shared simultaneously–you can still utilize them effectively.
In order for ad platforms to leverage their powerful machine learning algorithms and serve marketers more high quality leads they require identifiers. Ad platforms need to know who is responding to those ads and successfully “converting.”
And once we know that those ad platforms need identifiers then we also know they can never receive health information. Remember how we shared that the two combined are PHI? But the native ad pixels try to capture as much information as they can about your website visitors. So how do we limit what Facebook and Google Ads receive?
HIPAA-compliant CDPs like Freshpaint serve as intermediaries, receiving raw data, then blocking or de-identifying data before forwarding it. Freshpaint empowers marketers by:
- Replacing native tracking pixels: Freshpaint replaces untrusted native tracking pixels with a safe tracking snippet backed by a BAA.
- Server-side only connections: Freshpaint offers robust server-side connections with ad platforms, so those ad tools have no access to visitor data without it going through Freshpaint first.
- Offering default protection: Freshpaint by default does not share any data to ad platforms. This allows you to govern the data and limit ad platforms to only the data they need to function like ad click ID, an identifier, and that a conversion happened.
Secure User Consent
When marketing to existing patients, ensure you have their explicit consent, acquired, for example, during their registration process. The information used should be relevant to their care. For instance, promoting pulmonary services to a patient with asthma is acceptable, provided you have their agreement. Importantly, how you market matters: a private email might be suitable, while ad overload on Facebook might not. Clear consent is crucial to keep patients content and to avoid FTC penalties.
Emphasize Brand Marketing
Personalization isn’t always necessary.
Instead, talking about your broader brand, services, and aims is still a legitimate channel of marketing. The primary aim should be to highlight the overarching value of your product or service. Although brand-centric campaigns may not yield immediate, measurable results like performance marketing channels, their long-term benefits are substantial.
Consider Nike’s global brand success: was it primarily through paid ads or brand cultivation? This reflects the core (and enjoyable part) of marketing–understanding your audience, delivering clear and engaging messages, fostering emotional connections, and implementing creative ideas.
Here are a few other channels:
- Educational Content Marketing: Content marketing (optimized for search) is a powerful way to attract and nurture leads. By providing valuable, educational content such as blog posts, e-books, webinars, and whitepapers, healthcare marketers can attract a targeted audience and build trust over time. This approach is entirely compatible with HIPAA regulations, as it does not require the use of PHI.
- Patient Testimonials and Reviews: Positive reviews and testimonials from existing patients can be a powerful way to attract new leads. While these must be handled carefully to ensure that PHI is not disclosed without consent, they can be an excellent way to build trust with potential leads.
- Social Media Engagement: Social media can be a valuable channel for healthcare marketers, as long as PHI is not disclosed. By sharing valuable content, engaging in discussions, and answering questions, healthcare providers can build their reputation and attract new leads.
- Partnerships and Sponsorships: Building relationships with other healthcare providers and organizations can also be an effective way to generate referrals and attract new Leads.
- Webinars and Online Events: Hosting informational webinars and online events about relevant health topics can attract a wide audience and generate high-quality leads.
The key to effective lead generation in a HIPAA-compliant environment is to provide value, build trust, and ensure that all marketing activities are conducted in a manner that respects privacy and adheres to all relevant regulations.
The Challenge of Marketing Within HIPAA Guidelines
Navigating the landscape of healthcare marketing amidst strict HIPAA regulations is undeniably complex, but it also presents an opportunity. It challenges you to innovate, to leverage your creativity, and to engage with your audience on a deeper level. It forces you to not just sell a service but to truly uphold the value it brings to those who need it.
In a HIPAA world, you have the chance to redefine marketing norms. By mastering this careful balance between lead generation and privacy compliance, you can not only safeguard your organization against legal complications, but also instill a greater sense of trust in your potential patients. The journey might be tough, but remember, the most rewarding endeavors often are.
