Podcast #109

Decoding the HHS Bulletin: Navigating HIPAA Compliance in Healthcare Marketing with Ray Mina of Freshpaint

Discover how to navigate HIPAA compliance in digital marketing with our latest podcast featuring expert insights from Cardinal’s Chief Strategy Officer, Rich Briddock, and Freshpaint’s VP of Marketing, Ray Mina. Learn about leveraging HIPAA-compliant MarTech, the impact of the recent HHS bulletin update on healthcare marketing, and strategic opportunities for using first-party data while maintaining privacy. Stay ahead in healthcare marketing without risking HIPAA violations.

Episode Highlights:

Ray Mina: Whether you use Freshpaint or not, HHS is giving you the clue to remove pixels and put in a tool that safely collects the data through a BAA-supported platform and gives you ability to govern the flow of that data so that you can choose to not send PHI to Google Ads or Google Analytics. You have to break apart those pieces and make sure that these platforms don’t get both components. This is a huge unlock for healthcare because people have been like, “What are we supposed to do? The lawsuit literally says, ‘We’re not able to do our jobs without these tracking technologies.’”

Like, “Keep doing what you’re doing. Just don’t use the native trackers.”

Episode Overview

In this episode of Ignite, our hosts dive into the intricacies of the recent update to the HHS Bulletin, a game-changer for healthcare marketers. Join Rich Briddock and our special guest, Ray Mina from Freshpaint, as they dissect the implications of the latest HIPAA compliance regulations dropped in March.

The conversation kicks off with a flashback to December 2022, when the OCR/HHS issued a groundbreaking bulletin that shook the marketing landscape in the healthcare sector. Ray takes us through the backstory, highlighting how the bulletin redefined the rules regarding web trackers on unauthenticated pages, sending ripples across the industry.

Rich and Ray explore the fallout of the initial bulletin, revealing the seismic shift in marketers’ approach to data tracking and privacy compliance. From class-action lawsuits to the evolving role of ad platforms, they dissect the evolving landscape shaped by regulatory changes and legal challenges.

But the discussion doesn’t stop there. Ray walks through the recent updates to the HHS Bulletin, which bring much-needed clarity on key issues like consent management and the use of IP addresses in tracking.

In the midst of legal complexities and regulatory shifts, Ray offers actionable insights and strategic opportunities for marketers to navigate the compliance maze effectively. From leveraging HIPAA-compliant MarTech to mitigating risks and optimizing marketing strategies, this episode equips listeners with the knowledge and tools to stay ahead in an ever-changing landscape.

Announcer: Welcome to the Ignite Podcast, the only healthcare marketing podcast that digs into the digital strategies and tactics that help you accelerate growth. Each week, Cardinal’s experts explore innovative ways to build your digital presence and attract more patients. Buckle up for another episode of Ignite.

Rich Briddock: Hello, everybody, and welcome back to the Ignite Podcast by Cardinal Digital Marketing. We have an old-old friend of the podcast joining us today, Ray Mina from Freshpaint. We are going to talk about the latest update to the HHS Bulletin that dropped on March 18, a little bit more on HIPAA compliance and how that impacts marketers in the health care space. Ray, first of all, we feel like we’ve been talking about this for months, years at this point, actual years at this point. Give us a little bit of the backstory. Essentially, OCR/HHS dropped a bombshell on marketers at the end of 2022. What happened there, what did that mean, and how has that impacted us up until this point?

Ray Mina: Yes. By the way, you said we’ve been talking about this for a while. I just had a birthday. When you said old-old, it really hit close to home. I can’t believe this is December, 2022, when you and I first started talking. Before that, everyone in health care was pretty concerned about what are they doing on patient portals, on authenticated pages, where you have a whole bunch of patient information. You’ll probably agree, pretty much everyone I’ve talked to, nobody was putting web trackers into that kind of environment because they know it was a risk.

In 2022, what HHS called out was, “Hey, by the way, that website that every single health care organization has, those unauthenticated pages, those landing pages, those could also be a risk of sharing PHI. Therefore, web trackers that don’t sign business associate agreements, the legal framework that protects you sharing data, you can’t do that anymore.” That could be highly problematic. That was something that nobody had been thinking of, and nobody was operating in that context.

Rich: Obviously, like you mentioned, almost every page on every health care site is either an authenticated page that sits behind a login or a patient portal, but more likely is an unauthenticated page that talks about the provision of health care services. This is what HHS specifically came out and said, “Hey, even if it’s unauthenticated but it’s talking about the provision of health care services, you can’t have these pixels that marketers frankly have become so reliant on.” It’s almost like, I don’t want to say that the people have forgotten how to market, but the algorithm has started to play such a large role in the performance marketing equation.

That was a seismic shift when we were told, “Hey, you don’t get to play with this anymore. It’s not for you. You can’t use it in a compliant way.” Once that happened, what were health systems doing? What was the initial reaction to that bulletin? Just quickly, before we get onto the next thing, give us the 30-second view of the fallout that then happened. Then, obviously, talk a little bit about how you guys, I don’t want to give you too much kudos, but have essentially been driving the way and leading the main solution with the health care privacy platform piece.

Ray: It depends. There were organizations that were sued and caught up in class action lawsuits, and they were literally removing everything. To your point, removing that data feedback loop, and basically making all their tools ineffective. There were organizations that wanted to put their brand in front of this privacy issue that recognized that trust goes beyond the four walls of the clinic or the hospital. Even today, 70% of organizations haven’t done anything. They haven’t actually taken action. It was a mix. There are lots of people getting in front of it, but there’s still a whole bunch of organizations that still today haven’t really changed fundamentally what they’re doing.

Rich: Now, there has been this first update to the HHS Bulletin. It’s not like there was December ’22, and then there was March ’24. There have been these punctuation points in between of either the FTC weighing in on the scenario or lawsuits that have happened, whether it be hospital associations filing suit saying that this is not allowing us to essentially do our jobs effectively at driving new patient acquisition and hampering us. It’s not been this just like, you’ve been here and then all of a sudden, now, the guidelines have changed. Things have evolved since ’22.

I think one of the areas that I found interesting working with you has been around embedded video players, embedded maps. It’s not just pixels. It’s any kind of solution that won’t sign a BAA that may be getting that health context from a HIPAA covered entity’s website.

Ray: Yes, there’s been a lot of maturity in the discussion around this, because I think you’re right here, Rich. It’s like the ship has sailed. This is about consumer privacy. Look, even Google, who has the most vested interest in collecting data is killing third-party cookies. It’s inevitable. They haven’t totally cracked exactly what they’re going to do, but that’s inevitable. I think that’s what people are starting to realize now, is, “Wait a second, there’s a lot of stuff that we’ve been doing on our website that is potentially sharing protected health information with these destinations that don’t have a legal framework in place and frankly, will never put it in place.”

That combination of PHI is like, “Who is it?” “It’s Rich.” “What kind of treatment is Rich pursuing or has he pursued in the past?” That’s just generally a no-no, and that starts to impact tools like embedded videos. You’ve got context about health information in those videos, and it’s sharing an IP address, which is a HIPAA identifier with YouTube. You’ve got embedded maps. If you just embed a Google map on your website, it looks like an image. When I visit that website, it knows the location of that clinic. If it’s a specific enough treatment, like oncology center, it’s capturing my IP address. That’s how it connects to Google Maps over the internet.

That’s also PHI in the eyes of Google, and you do not have a BAA with Google Maps. It goes way beyond just direct response, like Google Search, Ads, and Analytics. You and I have talked about, there’s a growing list of demand-side platforms that you can run full-funnel marketing strategies in programmatic advertising at the top of the funnel. You’re not going to be able to measure that stuff without view-through conversions. In order to measure view-through conversions, you’re going to need a bunch of context about that visitor and their journey. None of those platforms sign BAAs.

It’s a pretty growing list of use cases and a pretty big full-funnel advertising stack that is impacted by this guidance.

Rich: Let’s talk a little bit about HHS Bulletin 2, the long-awaited sequel.

Ray: Yes, V2?

Rich: V2, yes. I think a lot of health care marketers were sitting here thinking, “Oh, man, I hope they just renege on V1,” but that was not the case. I think it’s interesting that, what are we now, almost 18 months later, and essentially they haven’t really changed the position massively. There’s been the five major updates, which we’re about to get into, but what’s clear from the updated guidance is they’re not going to renege on this. They’re going to help to provide more clarity around what is a compliant solution and how marketers can take a path forward.

My perception, and I’d love to obviously get your thoughts on this, is the accountability and the onus has very much been put on the HIPAA-covered entity and the marketing teams and the compliance teams of those HIPAA-covered entities by HHS saying, “Yes, we understand that you’ve got to do these things, we understand the world that you operate in, but there is this sort of middle ground, which is to leverage HIPAA-compliant MarTech to essentially achieve some of the things that you were doing before without falling foul of HIPAA compliance.” Just give us the brief. What were the five major updates that this bulletin covered off on?

Ray: Yes, let’s get into that because it removes some of the ambiguity. Before I get into that, I want to call out one thing, that we’re not going to spend a ton of time on today, because this is up to you to talk to your legal and compliance team. There’s a section at the end that wasn’t in the original guidance on enforcement. They go to great length to describe what enforcement means. In that enforcement, it’s no longer just about assessing the risk. They actually have a callout for mitigating the risk. The framing that I took from that is like, “Oh, they’re actually signaling to the market that they expect you to do something about this, and that was a new thing.”

Let’s talk about where there’s a lot of points of confusion over the last year and a half that we’ve been talking to people about. I think the most straightforward one, when we’re talking to people about Freshpaint, they bring up consent management. “Do you have a consent management feature? Do you integrate with consent management tools?” We do integrate, but consent management does not help with HIPAA. HHS was really clear in this update. They said that consent managers do not replace written HIPAA authorization. Next time you go to the doctor’s office and you fill out that written form and sign your life away, that’s written HIPAA authorization.

That cute little allow cookies button on a website of a health care organization, that doesn’t count. There was confusion around if that would be helpful. It’s not related to HIPAA, which doesn’t mean consent management tools don’t help with consumer privacy in other areas. If you’re doing it to satisfy HHS guidance, yes, it’s a waste of time for you, according to the regulators.

Rich: We had clients who were coming to us saying, “Well, I’ll just put it in my privacy policy that I use these tracking technologies.” It’s like, “No, can’t bury it in your privacy policy.” Now, it’s, “Yes, even if they consent, that’s not enough.”

Ray: Not enough.

Rich: That doesn’t meet the threshold, yes.

Ray: It might be a good idea to have a privacy policy and look out for people, but it’s not going to meet these HIPAA regulations that you’re trying to cover. The other one, Rich, that came up a lot, because when we first connected, the whole market was migrating over to GA4. In GA4’s terms of service, they said that even though they may be collecting IP address, that they’re not storing it. That gave everyone the opening that, “Oh, then GA4 must be okay to use because they’re not storing this IP address.” HHS spelled this out and said that the sharing of IP address with a tool where there’s not a BAA is all it takes. It doesn’t matter what they do with the data.

If they delete it, if they don’t store it for a period of time, you just can’t share it if you don’t have a BAA in place. That removes the notion of GA4 not storing an IP is okay. It’s not okay because they got it in the first place.

Rich: Then, not confusingly, but just to avoid any confusion, there was another update around IP as well, which was to say that IP addresses by themselves on unauthenticated pages are not considered PHI. Help me square that circle, Ray. For those of us who are not quite as technologically gifted as you are, my friend-

Ray: [laughs] Nice try.

Rich: -how can it be a problem if GA4 is receiving an IP address, but then at the same time, HHS is saying, “Well, IP addresses by themselves are not PHI”?

Ray: Yes, let’s connect–

Rich: It feels a little contradictory.

Ray: It does. That’s where we have to go back to what is the intent here. Let’s separate the two because I think what caused all the confusion in the original guidance around IP address, because people have been walking around thinking IP address is PHI, is that HHS had two carve outs. They talked about authenticated pages. You’re a patient in a portal. There’s a boatload of health context about you. They talked about unauthenticated pages, which are website visits, not a logged-in state. You don’t necessarily have my history in that context.

What they said was on authenticated pages, IP address alone could be enough to constitute PHI because of all the associated data along with it. On anonymous website visits, on unauthenticated pages, they said you need two things. You need an identifier like IP address, there’s others like email and device ID, and you need context about my health journey. “Am I looking for a doctor?” That’s PHI on an unauthenticated page. You need both. GA4 is clearly getting all of the potential health context because you’re capturing all the page visits. You’re capturing conversions, like where did this person go?

Then, if you combine that with an IP address, you have the identifier plus health context. Now, that’s why you can’t share an IP address with Google Analytics, because you know that they’re always going to have page URLs and form fills and things like that.

Rich: Not to get too technical, but where this potentially helps to clarify some stuff is more around the offline conversion passback if we want to send an IP address to an advertising platform to try and match and add exposure. You were mentioning view-through before, and that exposure to that person on their patient journey, but what it essentially still means is you can’t have any kind of pixel-based technology that could collect IP address and also get the health context on any page that talks about the provision of health care services. You can still use them on your careers’ page, but that’s about it, folks. It can’t be used anywhere else around that is a patient-centric page.

Ray: The good news about what you just brought up though, and I want to say it again, because it’s a big unlock for advertising and health care, which is IP address alone is not PHI. It has to be in combination with your previous health care or seeking new health care. The unlock here is that ad platforms, they do require HIPAA identifiers to work, ad click ID, email for view-through conversions. As opposed to third-party cookies, you could use IP address. You can make those things work without any health context. The ad platform doesn’t need to know anything about that visitor’s journey through your website at all. They don’t need to know any page visits.

In this context, you could make ad platforms work. All those sophisticated bidding algorithms that help us really juice our results, you can make those work now because HHS has literally said, “If you just send an IP address, if you just send an ad click ID, if you just send a HIPAA identifier and just no other health context, that’s not PHI.” You are no longer running afoul of the regulator. This was a very slippery slope for lawyers as they were trying to read this stuff and interpret it. I think this callout really helps unlock a lot of the things that we need to do in health care, which is reach our consumers.

Rich: It’s probably showing to some extent that HHS and OCR are listening in particular to some of these health systems and their concerns and health platforms, and obviously don’t want them to go out of business or not be able to reach the right patients, et cetera. It feels very much like they’re trying to strike that right balance between people doing a business function of marketing, whilst also ultimately protecting that patient privacy.

Ray: Yes, we don’t need to get into the lawsuit against the government right now that everybody’s anticipating the outcome of, but this is proof that HHS’s intent isn’t to remove the ability to use these channels and reach these consumers. They’re just trying to help health care organizations strike the balance of how do you deliver those results, but do it in a way that protects the privacy. That’s not a bad thing directionally that we should be aiming for in health care.

Rich: Now, we come on to the most exciting update for you, Ray.

Ray: [chuckles] Not for me, for health care.

Rich: Yes, for health care, which is, and I hate to use the label CDP because I know you guys are a health care privacy platform. The clarification is that CDPs that have a BAA in place with the HIPAA-covered entity and will essentially ensure that data is protected, that the PHI that’s being collected is protected under that BAA, are acceptable to use as an alternative to those tracking solutions that we were using before. If I install Freshpaint on my website and Freshpaint is collecting all the events, someone schedules an online appointment, someone submits a form submission, et cetera, et cetera. I don’t want to describe your platform better than you can.

Obviously, you can do it much better than I can. Then, essentially, we’re bifurcating the personal identifiable information and the health information, and then only sending one or the other to those downstream platforms. HHS is saying, “Yes, that’s great. That’s fine. This is a compliant path forward that will allow you to do those things that you were doing before.”

Ray: I swear we didn’t spend any lobbying dollars in Washington to get HHS to put this into– I honestly, in all my career marketing, I’ve never seen a regulator build a marketing funnel for a brand, but here we go. I think the big takeaway is for folks in health care. We have a whole bunch of customers. We have some joint customers using Freshpaint and your services. They made a choice to use a platform like Freshpaint to replace native pixels and shift from this world of third-party data, where you just ship everything away to a world of first-party data, where you collect it safely, then choose how to best use that data to improve results.

It’s a huge validation for all those legal and compliance teams within those organizations, that they made the right call. Now, they’re way ahead of the curve. If you just step away from product for a second and you just look at a framework of doing this, the main takeaway is there’s validation of a way to do this. There’s not really an excuse to continue to just use these native pixels that are freely sharing data.

Whether you use Freshpaint or not, HHS is giving you the clue: remove those pixels and put in a tool that safely collects the data through a BAA-supported platform, and then gives you the ability to govern the flow of that data so that you can choose to not send PHI to Google Ads or Google Analytics. You have to break apart those pieces and make sure that these platforms don’t get both components. This is a huge unlock for health care because people have been like, “What are we supposed to do? The lawsuit literally says, ‘We’re not able to do our jobs without these tracking technologies.’” It’s a BS lawsuit now because HHS has given a way to go do that.

Like, “Keep doing what you’re doing. Just don’t use the native trackers.”

Rich: Obviously, that could be one significant reason why HHS has done that, which is to mitigate the potential impacts of that lawsuit. Without asking a contentious question, do you feel like this could also be opening the door to more vociferous enforcement? That, in conjunction with the clause that you were mentioning earlier around the burden around mitigation now, is this HHS saying, “Okay, guys, we’ve had the last 15 months to react to this, figure it out. Yes, there’s been some high-profile cases”? In reality, it’s really been class action attorneys on their own volition who have been going after these systems.

Is HHS potentially now sounding the alarm and saying, “We’ve given you a path forward. Now, we are going to start to get serious around enforcement”?

Ray: I have two thoughts here. I think you’re onto something in that enforcement section that’s in the guidance when they call out that you need to mitigate this. That did come across to me. I can’t read their minds, I wasn’t in the room, and they won’t talk to me.

Rich: Even though you were lobbying them?

Ray: Even though I was lobbying with all my packs of bubblegum, my big lobbying dollars. We have no money to lobby regulators, that’s for sure. That’s for the bigger boys and gals. I think that enforcement section was a little bit of a signal of what their expectations are. My second thought is, does it even matter? Because like you just called it out, lawyers are activated, class action lawsuits. I’m even seeing really small clinics and systems that I never thought the lawyers would go after. They’re going after them. We know, we have a couple of customers who are caught up in multiple class action lawsuits.

One of which I know is involved with five at the cost of about $3 million a pop. Even if no damages are assessed, even if a regulator never does anything, they’re spending $15 million to defend themselves. What if they could use that money to promote access to health care or promote better outcomes? There’s probably a lot more they could do with those dollars. I think that doesn’t really matter anymore. The class action lawsuits are coming. I think HHS is probably more interested in having health care mitigate this and prevent these PR nightmares than in actually punishing people with fines and damages.

That enforcement section does raise the question for me if they’re sending a signal.

Rich: It’s interesting too. As you mentioned, some of the costs to defend these class action lawsuits exceed some of the major fines and penalties that we’ve seen handed down by the FTC. The FTC and OCR and HHS are certainly not the only threat. Actually, they don’t even seem to be the largest threat, although, obviously, you should be aware of the fact that that is a potential threat. Just to wrap this up then, it feels like there’s definitely been some clarification, but not much has changed from the recommended path forward, which is get the right MarTech in place to continue doing what you were doing previously in a HIPAA compliant way.

What do you think, just as a final sign off, were the motivations then around this clarification, what do you think HHS was trying to achieve with this clarification, and what is the key takeaway that marketers should be deriving from this as they move forward?

Ray: Yes, I think the charitable take here is what you said, that HHS– I know this because I’ve talked to organizations that talk to HHS, that their teams have talked to the regulators. I’m guessing they took a lot of that feedback of where these points are confusing. Like, “The way you wrote this, we don’t understand that.” It’s not perfect by the way. There’s probably even further clarification they can make to shore this up. Where they clarified the points, those were the areas that people had the most questions. We’ve been involved with like 500 of these conversations, so we’ve heard about them. We literally scratched our head for three months around consent management.

Like, “Should we build this right away? How is this helping with HIPAA?” Because we didn’t get it. I think their intention here is really to listen to the health care organizations and continue to advance the conversation to try to improve people’s ability to take action. I think that’s the call to action. “Okay, we spelled it out for you a little bit more clearly. It’s not true that you can’t move forward. Here’s some ways that you can interpret this more accurately. Here’s some solutions that you can leverage. We are expecting that you’re going to mitigate it.”

I would say that if you’re in the 70% of people that haven’t taken action yet, it’s probably a great time to start having a serious conversation with your legal, compliance, and IT teams. At least do an audit of your website. At least understand what tools you have that are putting you at risk. At least talk internally about, are you willing to spend $15 million this year to defend yourself? If you are, and some could choose that because this is risk mitigation, fine. If you’re not, you should be aware that that’s a potential thing you’ll be faced with.

Rich: You should weigh the fact that the implementation of these MarTech solutions cost a tiny-tiny fraction of that amount. Even if the lawsuit was six figures instead of seven, it’s still a tiny-tiny outlay compared to that. Ultimately, this is what’s going to set you up for success and allow you to get back to doing what you were doing so well before, which is connecting with patients, driving them to high-quality care-

Ray: That’s right.

Rich: -getting people healthy, which is the purpose of these organizations.

Ray: The way to think about this differently is if you do get sued or you do get fined by a regulator, there’s an actual cost that you can measure. It’s going to be way-way more than investing in software. Number two, the PR disaster behind it is immeasurable. I don’t know how you assess that, but it’s going to be pretty costly to you. Your health care brand trust is paramount, and trust is declining for health care brands. Be careful there. Then step back a second and say, “Wait a second, I’m a marketing leader. It’s super hard for me to get approval to do anything and buy any new tooling. What are all the strategic plays?”

Like, “You guys are pros at building these full-funnel marketing strategies for health care. I know a bunch of marketing leaders want to do that.” You’re going to need some better tooling to feed that stuff. You’re going to need to harvest first-party data and be able to get it to the right tool in a meaningful way to actually make that work. Think about it as a strategic opportunity. You can get the budget approval by telling legal you’re going to save them potentially $5 million a year on lawsuits.

It’s going to deliver those long-term strategic results that you haven’t been able to get in the past because you couldn’t get the tooling approved from a budget standpoint, and you couldn’t get it through legal and compliance review. I think it’s an actual strategic opportunity for marketers.

Rich: Sounds like a killer cost saving exercise.

Ray: Right.

Rich: [laughs] All right, Ray, well, this has been awesome. By the way, if anybody from OCR is listening, HHS is listening, please add a TL;DR section to your [unintelligible 00:25:58].

Ray: [laughs]

Rich: It’s just a lot of words in there. Some of them are very long, have many syllables in them. For us, more simple folks, it’s hard to keep up. Thanks again, Ray, for your insight.

Ray: Always.

Rich: It’s a pleasure to have you back on the podcast as always, and we will chat soon, I’m sure, about all this compliance. Maybe the next bulletin will be out in the next 13 months, and we can reconnect again.

Ray: We’ll be back. Hopefully, before then, we can get back to doing marketing.

Rich: Exactly. All right, thanks, Ray. Appreciate you.

Ray: Thanks for having us, Rich.

Announcer: Thanks for listening to this episode of Ignite. Interested in keeping up with the latest trends in healthcare marketing? Subscribe to our podcast and leave a rating and review. For more healthcare marketing tips, visit our blog at cardinaldigitalmarketing.com.
