Ashley Petrochenko: “What are your recommendations for healthcare groups who are trying to reach prospective patients? How do they go about building these audiences and targeting them on social media advertising? How can they reach them now without using customer list, without using remarketing?”
Rich Briddock: “If you want to engage effectively with prospective patients and you can’t use first party patient lists anymore, one way that you can do that is through what we call a full-funnel strategy. Essentially, what that means is you would utilize broad targeted video campaigns at the top of the funnel. Just to let them know about your business and drive some awareness. You might use 15-second to 30-second video clips to just explain the business to those consumers.”
Announcer: Welcome to the Ignite podcast, the only healthcare marketing podcast that digs into the digital strategies and tactics that help you accelerate growth. Each week, Cardinal’s experts explore innovative ways to build your digital presence and attract more patients. Buckle up for another episode of Ignite.
Ashley Petrochenko: Welcome to the Ignite Healthcare Marketing Podcast. We have a special episode for you today. My name is Ashley Petrochenko. I am head of Cardinal’s brand marketing team. I’m filling in for Alex today, and I’m joined by Cardinal’s SVP of Media Analytics, Rich Briddock. We’re here to discuss the recent FTC, BetterHelp, and GoodRx complaints, what that actually means, and how it impacts digital advertising in the healthcare industry. Rich is going to share a few recommendations, but I’ll help you remain compliant. Rich, welcome.
Rich Briddock: Hi, Ashley. How’s it going?
Ashley: Hi, Rich. It’s going great. I think there’s been a little bit of anxiety and concern in the healthcare and marketing world right now. People aren’t really sure what this means and they’re not sure if they’re violating HIPAA in sharing protected information. I first wanted to set the stage and dig into what happened with BetterHelp and GoodRx to have a baseline here.
Rich: I think it’s important to start there because this has been part of a trend that has been brewing for a while now. Essentially what happened in the most recent case, in the most high profile, the biggest settlement was BetterHelp recently, which was an $8 million settlement that was paid out because of an FTC ruling. The FTC found that BetterHelp was not compliant because essentially, they were utilizing patient data to build lookalike audiences, to find similar patients on social media advertising profiles.
They were also remarketing to lapsed patients, so people who had been getting treatment with BetterHelp and then had ceased treatment and they were using that patient data to then essentially try and reengage them and reactivate those patients. They were doing this across both social platforms, but also from across some display platforms. Essentially, what the FTC, I think really took umbrage with was the fact that BetterHelp had said explicitly on a number of occasions when you were signing up to become a BetterHelp patient, that they would not leverage your data for anything outside of the standard. Just communication between you and the doctor or you and the provider, et cetera, and that even the provider would not be given your real email address.
Then to find out that they’d actually been uploading all of these email addresses up into Facebook and into display platforms like Criteo, obviously that was completely misleading in terms of the claims that they’ve made when patients were signing up to become part of the BetterHelp Network.
Ashley: It wasn’t just what they were sharing, it was their privacy policies and the agreements that they were putting forth when people signed up with the apps?
Rich: Yes, exactly right and misleading patients on how their data would be leveraged by BetterHelp, essentially. I think there’s two parts to the issue with BetterHelp though. It was what they were doing, but then how they were representing what they would do with your data that was the issue. BetterHelp has claimed that this is standard advertising practice that everybody utilizes their own customer list, their own patient data to create lookalikes and sends this data into Facebook and whichever other platforms they utilize, build custom audiences and that remarketing is perfectly acceptable behavior in terms of, all advertisers do it, everybody does it in the digital world.
That was their defense, but they did agree to settle with the FTC and make the payment. Yes, it’s part of a large trend. Obviously, GoodRx was also a pretty high-profile case where they were doing the same thing using patient data to target people more effectively via social media then other clients or other companies like Cerebral just came out that they were also utilizing this practice as well. Unfortunately, I think what’s happened is as Facebook, and certainly, Facebook in light of the Cambridge Analytica piece has restricted the number of third-party audiences that are available for targeting.
Advertisers have relied more and more heavily on first-party audiences, which in this case is their existing patient base. So, you now have this situation where advertisers are spending millions off the back of this patient data they’re using primarily for the majority of their targeting.
Ashley: How can people still reach these audiences if they’re not allowed to use their first-party data and the demographic audiences are shrinking on these platforms, how can you still reach them on the platforms that they use most?
Rich: I think a couple of things to consider here is firstly, what is a HIPAA violation. Obviously, there’s been recent updates to what is deemed a HIPAA violation by HHS, but in a nutshell, it’s essentially where you’re combining personal identifiable information. That’s going to be things like name, IP address, phone number, email with health information on that user. That can be explicit health information they’ve given you, like I’m submitting a form that I’m interested in this service, or I have this condition, or it can be implied health information where a user goes and visits a specific condition page.
Maybe they are on a page about ADHD, and then it can be presumed that that user has ADHD because why else would they be on that page? It’s the confluence of those two things like knowing something that could identify that user, what potentially their condition could be, but then also sending that data to a non-HIPAA compliant destination. This is a big issue with Google ads, Facebook ads, or any social platform for that matter. Even Google Analytics is that there aren’t BAAs that you can put in place with these platforms. They’re essentially deemed to be a non-HIPAA compliant destination.
What a lot of these platforms have done historically is, they’re essentially sucking up all this data about users as they come to your website and start browsing around. In the case of something like Google Analytics, you’re permitted, even if it’s not actively going out and seeking out data that might be personally identifiable, you are permitted to send data to Google Analytics that would be personally identifiable, so there is nothing to stop you from sending an IP address as an example, into Google Analytics.
Essentially then what you could have in Google Analytics is the combination of some of these IP address where potentially you could identify who that person is or a device ID, which is even more specific to that person and the pages of the website that they visited. From that data, you can infer what their health condition might be. Those two things together will be considered a HIPAA violation. In order to get around that, essentially what you need to do to be completely safe is to use a third-party technology solution that sits in between your data and these platforms that you can have a BAA agreement with.
On our side, there’s a company that we’re looking into for our clients. It’s a customer data platform, CDP called Freshpaint. Freshpaint specializes in healthcare and specializes in data governance compliance layer whereby our clients have a BAA agreement with Freshpaint. Then essentially how Freshpaint works is it will house your patient data in a [unintelligible 00:08:04] and it will send only certain bits of information to the advertising platform or to the analytics platform to make sure that you are in compliance with HIPAA. In the case of Google Analytics, it can ensure that you send data on the browsing behavior, which is what you really need Google Analytics for. That’s the stuff like which pages did they go to, where you could infer, potentially what their health condition is.
It will ensure that you never send anything that is personally identifiable about that user. On the flip side of the advertising, you can send personally identifiable information back to Facebook or to these display platforms, so they know who you are. What this CDP can do is it can restrict which pages you went to and make sure that that data is not sent back into the app platforms. By essentially bifurcating those two groups of data that need to be combined to lead to a HIPAA infringement or a HIPAA violation, you’re protecting yourself whereby you can still utilize the same advertising practices that you did before which you’re limiting the types of data that these platforms can see so that they’re not putting the whole pitch together which would like I said, end up constituting a violation on HIPAA.
That’s one route that you can go down is the point of technology layer that will essentially protect you. Obviously, another route that you can go down is you can look at your advertising practices right now, you can review those, and you can say, which of these do we think might not be HIPAA compliant. Certainly, things like utilizing patient lists for lookalike audiences or retargeting on a lapsed patient list, as is the case that BetterHelp did. Those would definitely not be HIPAA compliant. If you were doing pixel-based retargeting against anonymized users where you are doing a general retargeting, where you’re not doing condition-based messaging like, “Hey, we think you’ve got this condition, so this is why we are the solution.” That may be deemed to be HIPAA compliant because you’re not leveraging any healthcare data on that user, to target them specifically for advertising purposes.
Again, I think you’re going to have to have a good compliance team here who can help you navigate these waters or an expert on HIPAA and advertising who can help you stay compliant. I would say the focus should be that if you are unsure, I would steer clear from it in the moment. If you feel like this is going to create a material disadvantage in terms of your advertising effectiveness, then at that point you should be looking for a technology solution that can help you remain compliant and keep the avenues that you were previously using open for reaching the right consumer.
Ashley: As a first step. If people are feeling concerned right now, take a pause, audit their existing landscape, see what they currently have running campaigns that may be questionable. Pause, take a look at everything to make sure that they’re not using any customer list, old customer list. Take a look at what pixel tracking they’re doing on their website. Maybe is there any tracking technologies that they are okay to keep in place or things that they want to just immediately eliminate?
Is that something maybe you can speak to a little bit there in terms of auditing, looking for things that might be a concern if they’re trying to just assess where they’re at?
Rich: That’s a really difficult question to answer. Because there’s so many pixels out there and trying to gain understanding of exactly what data points each pixel is collecting is very difficult to know because, unfortunately, we just don’t have insight into all the data that Google or Facebook as an example, are gathering in that session when that pixel fires. It’s hard to know exactly what data is being collected. I think that’s the benefit of a CDP solution like Freshpaint where you can actively opt into the data that you are sending to the pixel, which I think is the key piece of their solution.
By default, you’re not sending any data to that pixel, but then you can activate certain parameters that you are willing to send that will allow you to remain in compliance but also get some effectiveness out of the data that’s being sent to the ad platform so that you can leverage it as a channel. I would say, the main thing though in the first place that I would start in terms of vetting everything is, making sure that you are not uploading existing patient lists into any of these platforms and that you are not doing anything with that. You’re not building lookalike audiences and you are not remarketing based off that patient list. That would be the first place that I would go through everything.
Just making sure that that is not happening because we know from the judge notes that unless you have actively sought consent from your patient base to use their data in that way, we know that that’s a violation. That would be the first place that I would start. In terms of trying to understand data being used by the pixels. I think that’s going to be more difficult from the judgements that I’ve looked at, it doesn’t seem that the FTC is particularly taking umbrage with standard pixel data collection. That’s not to say that they won’t start to look at companies with advertising practices that are based just around data that’s gathered by the pixel.
I’m not saying that that’s not going to come along, but it seems more about the use of lists that really seems to be the issue right now. To be extra safe, yes, you’re going to want to look at that technology solution that helps you gauge what data goes back to the pixels. I think for now it’s more around what are you doing with your patient lists and that data and how are you sharing them without platforms.
Ashley: That makes sense. That’s the first thing that people are concerned about right now. Then if they really want to continue marketing to existing patients or past patients, they need to look at some kind of solution, CDP solution if they want to continue. I think probably, like you mentioned, involving their legal counsel and running things by with them and collaborating on what policy and disclaimers that they are having.
How they collect information and how they use it would probably be another good stuff in terms of doing their due diligence here.
What are your recommendations for healthcare groups who are trying to reach prospective patients? How do they go about building these audiences and targeting them on social display advertising? How can they reach them now without using customer list, without using remarketing?
Rich: If you want to engage effectively with prospective patients and you can’t use first party patient lists anymore. One way that you can do that right is through what we call a full-funnel strategy. Essentially, what that means is you would utilize broad targeted video campaigns at the top of the funnel. Just to let them know about your business, drive some awareness, and you might use 15-second to 30-second video clips to just explain the business to those consumers.
Build a little bit of brand rapport, convey your value, perhaps your USPs. Essentially, what’s going to happen is you can track what percentage of users view a certain percentage or more of that video, and then you can remarket to those video engages based on who has consumed that video content. Now, you don’t know anything about these people, they haven’t even been to your website yet. Chances are, but you know that they’re interested in your solution. You don’t have any personally identifiable information about these folks.
Ashley: They just liked your video enough to watch it for 15 seconds.
Rich: Just watch a video enough to watch it. That is a perfectly safe audience to retarget because you don’t know anything about them other than that they’re interested in your video. Then that way, once you retarget to them in the middle of the funnel, you can then drive into the website and then potentially again you have to think about this with your own compliance team. Once they’ve been to the website you could then remarket to them and to try and drive them back for a conversion for a lead. Or if you feel like that step is now essentially going to put you in a place where maybe you are not being compliant, you can essentially use the video, reengage your audience as your bottom-of-the-funnel conversion audience and essentially just try and drive those guys to the website to drive a conversion.
Essentially, you’ve got an audience that you know is compliant because all you’ve done is serve a video to them and they’ve consumed some of that video. Then you’re trying to drive them to the site to convert, which should have no issues in terms of remaining compliant. You can deploy that tactic both on social and through display. We use certain DSPs where you can run video campaigns. Then again, the exposure of that video and then you can market to people who have consumed a percentage.
I think that’s a completely valid tactic that you can utilize potentially while your compliance team is figuring out whether or not you can do other things in terms of sitewide remarketing and while you’re looking at potential technology solutions that could help you circumnavigate some of these compliance issues.
Ashley: Rich, that initial audience that you are building. That’s all based on demographic information that you know about your ideal patient that you’re trying to reach, location, age, gender, all of that. It’s where your starting audience is, then from there you’re just engaging the people who are most interested in pushing them down to a conversion on your site.
Rich: That’s exactly right.
Ashley: Great. That sounds like a great interim solution while trying to figure out how to go forward with different technologies to make sure that there’s no violation of HIPAA. Do you think it’s the people, non-healthcare marketers moving into the healthcare space that is leading to some of these issues? Because you mentioned like we use email lists for all of our advertising targeting. I buy a list from ZoomInfo and so I’m just thinking like these are common practices like you mentioned and the rest of the world, like rest of the digital marketing world, people get customer lists to market to them.
That’s best practice. Everyone knows to do that, that’s what you’re supposed to do. Then you move into the healthcare world and there’s growing scrutiny and concern of sharing protected information. Do you think that’s where some of these breaches and misunderstanding of how data is being used is happening?
Rich: I think a lot of it is stemming from the thought, especially in the behavioral health space. I think there’s a lot of advertisers in the game. Compared to five years ago, you’ve got so many advertisers, the market has become so fragmented. You’ve got companies spending millions on paid social and I just think it’s become more and more of a– you can’t ignore it anymore. If you read the BetterHelp complaint, one of the major things that the FTC called out is that the person who was in charge of the social campaigns was like an intern. They had an intern [unintelligible 00:19:13] [crosstalk].
Ashley: There’s no possibility of scrutiny of knowing what’s right or wrong. They’re just doing.
Rich: Yes, they had an intern who was running it, who had no compliance training, who was just doing whatever they wanted. This was the gripe, it’s the wild west out there. The people who are making the advertising decisions are not trained, are not HIPAA. To your point, they don’t know that these things are not what they should be doing. They have no concept of how would– I don’t think they are maliciously doing these things. They’re just not trained to know you can’t do that with patient data.
Ashley: If they’re untrained, they don’t know better. They’re following recommended practices that they read on other people’s blogs like, “Sure, I’ll do that.” They don’t really understand that it’s actually not okay in the healthcare world and that they’re going to be putting their company at risk. There needs to be a lot more training, both internally from a compliance standpoint, and it sounds like working with a partner that actually understands the nuances of healthcare and what you can and can’t share. To make sure that you’re not at risk.
Rich: Yes. I think if you’re a major advertiser and you’re spending, tens of thousands of dollars, especially if you’re doing that on social media. You should look into a technology solution, right? Because the chances are that is a vital part of your marketing mix. If your options are lose that or spend a bit of money to make it compliant, then I think the latter option is definitely the better option. Right?
Ashley: Yes, for sure. It’s definitely the way to go. Thank you for sharing these recommendations. If you have any questions, do not hesitate to reach out. We’re happy to help guide you through this process. Rich is always available to share a little bit of information here.
Rich: This is a constantly evolving situation. As and when we know more, I’m sure we’ll be doing follow-up podcasts where we discuss different solutions and different ways to stay compliant.
Ashley: Great. Thanks, Rich. Looking forward to sharing more information on this.
Announcer: Thanks for listening to this episode of Ignite. Interested in keeping up with the latest trends in healthcare marketing? Subscribe to our podcast and leave a rating and review.