Episode Highlights:
Ray Mina: “Basically if you have the Facebook Pixel or Google Analytics tracking technology running on a healthcare website, that tracking technology by default is grabbing a bunch of identifiers like IP address and device ID. And then they’re also grabbing page visit information, so like URLs and titles. So if I suffer from diabetes, and I go to a healthcare website and I go to a diabetes treatment page or some blog articles specifically about diabetes that tracking Pixel already has personal identifiers.
The combination of the two, sending it to a destination that is not HIPAA compliant like Facebook ads, Google Analytics, that’s all it takes. And so many healthcare marketing teams, they didn’t even know.”
Episode Overview
On this episode of the Ignite Podcast, Ray Mina, Head of Marketing at Freshpaint, and Cardinal’s SVP of Strategy and Analytics, Rich Briddock, delve into the complexities of adhering to HIPAA compliance in the age of digital marketing. The two discuss the role and potential pitfalls of customer data platforms, the shift to server-side data handling, and Freshpaint’s solution to these challenges. The conversation also expands to how industry giants like Facebook and Google balance performance with privacy and how Freshpaint integrates into healthcare tracking infrastructure. Offering practical ways for businesses to continue their marketing efforts without compromising privacy, this episode is essential for marketing teams in the healthcare industry aiming to keep up with digital trends while adhering to HIPAA regulations.
Announcer: Welcome to the Ignite podcast, the only healthcare marketing podcast that digs into the digital strategies and tactics that help you accelerate growth. Each week, Cardinal’s experts explore innovative ways to build your digital presence and attract more patients. Buckle up for another episode of Ignite.
Rich: Hello everybody and welcome back to another episode of the Ignite Podcast. Very excited today to be talking about CDPs and HIPAA compliancy with a friend of the show, Ray Mina from Freshpaint. Ray, if you wouldn’t mind, just maybe give us a quick sort of introduction, a little bit about your background and what you do at Freshpaint, and then we’ll get into the meat and bones of the podcast.
Ray: Yeah. Thanks, Rich. Thanks for having me on. Yeah, I’m a serial Head of Marketing at early-stage start-ups, and I’m doing the same thing at Freshpaint. And what’s really interesting is that in my entire career, I’ve spent a lot of time using tools like Facebook and Google Ads and Google Analytics to help get an early-stage startup off the ground. And that has a lot of context for what healthcare marketers are facing with some of these new HIPAA regulations we’ll talk about today.
Rich: Yeah, absolutely. So I guess the obvious place to start, right, not even thinking about HIPAA yet and compliance and all the changes with HHS, just a really obvious place to start for some of our clients who may have never heard of the acronym CDP or not know what a customer data platform is, right? Like, just give us a little bit of background in terms of what is a CDP and, yeah, how does that fit into the other technology that our clients might be using for their marketing needs?
Ray: Yeah, it’s a great question. And you know, I think you and I will do our best today to, like, stay simple. We might have to bring up an acronym, but we’ll do a really good job of making sure we keep it in simple language, because acronyms drive me crazy. Let’s just start with, like, why do these things even exist?

You’re a marketing team. You probably are going to have a CRM, you’re going to have some marketing automation software. You’re definitely going to use something like Google Analytics for web analytics. I think everyone I talk to in healthcare is using that. You’re running some ads, so you’ve got pixels and things like that. You’ve suddenly got all these different tools that you want to connect to your website, or if you have some kind of product facing consumers. And those people, those visitors, those customers, those users, they’re doing a bunch of stuff, they’re doing behavior, and you want to track that behavior.

Well, for every single tool you hook up, you’ve got to get engineers to get in and start coding things, and you’ve got to connect that tool directly. It becomes a ton of work, right? And the promise of customer data platforms is that you use one snippet of code and then you can basically send that data to hundreds of different destinations. And the advantage here is that in one centralized platform, you’ve now made it easier to capture the behavioral data from the site or your product and then get it to all those tools we just talked about.

And for us marketers, we are the lowest person on the priority list for getting engineering resources. Like, I’ve been in this role many, many times where I have to go to a founder who’s the engineer and ask for more data, and you’re always waiting in line. So sometimes you’re waiting in line for two or three sprint cycles, sometimes you’re waiting in line for quarters at a time. And this is really the opposite of moving fast and being agile, which is marketing. We’re trying to run experiments, we’re trying to prop up new things, we’re trying to launch things. Customer data platforms help marketing teams move faster and get the data they need to those tools that, you know, they want to utilize to run their business.
Rich: Right. And the other thing that customer data platforms do, or at least that Freshpaint does, which we’re going to talk about here and which is really pertinent to our healthcare clients, is that they add a data governance layer, right? Because they essentially allow you to control, they sort of act as a gatekeeper, where it allows you to control what data you decide to then send to those end destinations and what data you decide to keep locally or not do anything with. Is that correct?
Ray: Well, this is the interesting kind of split in the road, because let’s call it a generic customer data platform. What I just said before was a generic customer data platform, right? This is like all of the customer data platforms up until now: the promise is they make it easy to get the whole payload to any tool you want, right? And if you’re working at a high-growth startup, or you’re working at Uber or Lyft, you don’t have these compliance concerns that someone in healthcare and some other industries would have.

And so that’s all you want. You just want, hey, I’ve got all this behavioral data, I just want to pop it over to my CRM so I can utilize all that. But now what we’re finding out is that that paradigm is highly problematic for regulated industries, because suddenly you’re concerned that you can’t send the whole payload to certain tools. And I know we’ll get into this a little bit, but unlike generic CDPs that make it easy to get everything to every tool, Freshpaint has this extra layer for those regulated industries that gives people more control around what data goes to which tool. And this is the really big shift away from generic CDPs. And I know we’ll talk about healthcare today, but we think this privacy thing is going to become an even bigger thing outside of healthcare down the road.
Rich: Yeah, and that’s a really important point you make, right? Because some people might be thinking, well, you know, I already have a customer data platform, and there’s a few out there. But what they might not realize is that a lot of these customer data platforms will only sign BAAs and be sort of HIPAA compliant once you’re at a certain tier in terms of their price point, their tier offerings. And even then, even if they sign a BAA with you, that doesn’t necessarily mean that you’re in compliance, right? Because you may still be sending information via your customer data platform to the endpoint, data that you should not be sending, that is in breach of HIPAA compliancy. So I think, and I know we’re going to get into the detail here, but I think the short takeaway is: just because you have a customer data platform does not necessarily mean that you are HIPAA compliant. There’s a lot more to it than that, and a lot of details that need to be uncovered and discovered before you are good to go.
Ray: You nailed it, Rich, right? And thanks for teeing it up in this way, because, you know, first you ask what even is a customer data platform. And our answer is it’s a way to make it very easy to get this rich behavioral data to other tools. So yes, table stakes is, and I think almost all of the different companies out there will sign a BAA. Now that’s table stakes because you’re going to be collecting a bunch of rich behavioral data in the customer data platform, so you have to have a BAA with that company. But remember, that’s just where it starts, because the purpose of the customer data platform is to share data with other tools. And that becomes the more complex part of this conversation.
Rich: Yeah. OK. So let’s get into it a little bit, right? Because I know we’ve sort of touched on this before in some of our other podcasts. But obviously, I will admit to our listeners that it was you and the Freshpaint team that did a lot of education for me initially on some of the HHS changes and FTC, and this is becoming more and more pertinent, even though now we’re seeing more and more of the effects downstream of these changes that were made in December. So talk to me a little bit about what is the backdrop that marketers like us, digital marketers and, you know, even traditional marketers, are facing in terms of the HIPAA compliancy landscape. And then how has Freshpaint built a solution, or modified its solution, to provide a way forward for marketers that doesn’t involve them essentially having to get rid of all of the advanced tracking capabilities that they have become so accustomed to?
Ray: Yeah, I mean, let’s start with the current context. I think between the two of us, we’ve probably talked to hundreds of marketing teams at healthcare providers in America. And almost all of those providers are using some combination of Google Analytics and a number of ad tools to help measure and reach their consumers, right? It’s consumer marketing. You’re trying to reach future patients, and in consumer marketing, what are the greatest channels in the history of marketing? Google Ads and Facebook Ads, like, they are some of the best targeting tools ever created in the history of the world. And then Google Analytics is a free analytics tool that measures the performance, like what does the journey look like once we bring them in and how successfully are we acquiring them. So that was the state of affairs in December: every healthcare provider is using these tools, and then the government organization HHS that kind of regulates HIPAA put out an update. I think it was based off of a bunch of class action lawsuits against Facebook and other, you know, hospital systems where there were data privacy breaches. So I feel like HHS probably felt like they had to create some kind of updated guidance, and they basically said these tools, the tracking tools that connect to Google Analytics, the pixels that connect to Facebook Ads and Google Ads, are soaking up the right data set that means it equals PHI, right? PHI, or is it another acronym? It just means, like, you know, health information about me as an individual. And that’s something that HHS says you can’t do. And those pixels and tracking tools are, out of the box, doing that.
Rich: And Ray, give the example, because I think, yeah, I was kind of blown away by the example that you provided to me about how these pixels are gathering PHI. It’s as simple as the page of the website that we visit, right? Like, if that page has content on it that is around a specific condition, that’s all it takes for it to be deemed that we’re gathering PHI on these people. It’s not anything more than that. It’s really just a page view on a website, right?
Ray: Yeah, that’s right. Like, basically if you have the Facebook Pixel or Google Analytics tracking technology running on a healthcare website, that tracking technology by default is grabbing a bunch of identifiers like IP address and device ID. And then they’re also grabbing page visit information, so like URLs and titles. So if I suffer from diabetes, and I go to a healthcare website and I go to a diabetes treatment page or some blog articles specifically about diabetes, that tracking pixel already has personal identifiers, like HIPAA calls these things identifiers. The combination of the two, sending it to a destination that is not HIPAA compliant like Facebook Ads, Google Analytics, that’s all it takes. And so many healthcare marketing teams, they didn’t even know. It wasn’t like they were intentionally sending data. They weren’t uploading lists to Facebook. They were just running these standard pixels on their site, and they didn’t even know. They were confused about why their legal and compliance team was coming to them telling them that they’re potentially leaking PHI. They’re like, what do you mean? So it’s something that’s affecting every single healthcare provider that has a website and is using any of these tools. They’re being impacted by this.
Rich: Yeah, I think that’s the key, right? It’s not, oh, you were taking sensitive patient data and downloading it in an insecure environment and uploading it into Facebook and building all kinds of look-alike audiences off that for monetization. Yes, some of those things have certainly been happening in some of the high-profile cases. I mean, obviously, that was one of the things that BetterHelp got in trouble for. But that is not the end of the story, right? It doesn’t have to be as egregious as that for you to be, you know, in breach of some of these compliancy laws, and that’s why this is such a hot topic right now.
Ray: You nailed it, Rich. Like, I’ve personally been on calls with over 100 major hospitals in the US with both marketing and legal and compliance teams. And what you just described is exactly the scenario. None of them are uploading lists. They’re very careful about all of that stuff, and they’ve been very intentional about protecting privacy. But they thought that just using the standard pixels and tracking tools was not causing any problems. Now they’re suddenly stepping back saying, my gosh, we have to adjust everything here.
Rich: And the landscape is very complicated out there, right? And I think, without tooting our own horns, we’re pretty steeped in this and we are pretty heavily involved in it. But even for us, you know, especially for me on the agency side, every time I reach out to a technology provider, I get an answer that basically conflicts with another answer that I’ve heard, right? So I’ll talk to somebody and they’re like, well, you know, the way our pixel is set up, we really don’t think that we’re in breach of compliance. Or Google themselves will be like, hey, no, these things aren’t PII, or this isn’t PHI. So Google itself does not agree with what HHS is deeming to be PHI, right? And then, you know, you’ll talk to other people who will say completely different things, like, oh yeah, well, actually you can use it for this kind of measurement, that’s not what HHS meant, or we’re inferring this when they said that thing, right? So you get all kinds of different guidance wherever you go, which makes it incredibly complex to cut through that noise and really understand how to protect yourself. So why don’t we now talk a little bit about what you guys are doing to create that data-sharing environment that should be compliant in almost all circumstances. Give us a little bit about what you guys do.
Ray: Yeah, I love that you said that too, because we work very closely with compliance officers and general counsel at a lot of these hospitals and healthcare providers. And it’s not our job to tell them how to interpret the law; that’s up to them. So it first starts with: you have to create a durable way, like, what’s a durable solution that will allow you to continue? And you’re on this side of things, Rich. Like, you’re helping healthcare providers reach consumers so that they can become aware of health services. That’s a good thing. There are health services out there that can improve quality of life. Where do we reach them? We’re reaching them in these channels like Google and Facebook. So it’s not necessarily a bad thing to be able to inform these consumers, but you need to be able to control the flow of data to those tools in a way that’s durable, meaning that a compliance team at one healthcare provider wants to only send a certain set of data, and a compliance team at another healthcare provider wants to send a different set of data. So they need to be able to have control of their own data. It has to be very flexible. And so that’s what we’ve done: we’ve created a way to continue to use these advertising tools and all different types of tools that may not be HIPAA compliant, and then be able to very easily, not through engineers but through marketing teams and compliance teams, control what data can go to which tool.

Now there are a couple things that are really important, because now we’ve moved away from generic customer data platforms and we’re talking about a customer data platform that puts privacy first. And there are a couple things you have to do to make that true. So yes, you have to have a BAA, but everyone’s going to do that, and that’s great. The next thing you have to do is you have to be able to remove all the other pixels. So you need to be able to remove the Facebook Pixel, Google Ads, the tracking tech. You remove all those pixels and you replace them with the Freshpaint pixel. Now that removes the ability for Facebook and Google and these other advertisers to scrape things from your website. They no longer have access to data unless it goes through Freshpaint first. So then the second piece is you can only connect to those tools via server-side connections. Server-side connection just means that Google now can only get data that Freshpaint shares with it directly; it cannot go back around to the website.
Rich: And so would a server-side connection also be known in marketing parlance as an offline conversion?
Ray: Not exactly. I mean, what we’re talking about is the difference between a pixel that sits on your website and has access to all of the data at once. It’s like a greedy little pig; it wants to take every single piece of data that it can get. Versus a server-side connection, which means it only has access to data through a server connection. It doesn’t have access to IP address and device ID and any information it can scrape from the site. It only has access to information that’s sent via Freshpaint. That’s kind of the first component, to be able to have this layer of data governance passed through before it gets to those tools.

And so the other part of this is a lot of those server-side connections that Google Analytics creates out of the box, they’re not very robust. Because you want to continue to use these tools in the way you were using them before, you don’t want to suddenly lose a bunch of data. You don’t want to lose, like, UTM parameters, or not know the difference between a new visitor and a return visitor. So we also had to build these more robust server-side connections that actually send all that data down. We’ve done that at Freshpaint specifically for this tooling.

And then the last piece, which is the really important part, right? We talked about generic CDPs that send everything. You need to be in a world where you send nothing to these ad destinations by default. When you connect to Facebook, for example, you don’t want any data going through. The reason this is important is it’s a better scenario to choose what data to send versus a world where you have to filter out stuff, right? We learned this the hard way, because filtering out stuff is where human errors come in. If for every event that you create, you have to go in and look at the metadata to make sure, let me just double check there’s no IP address here, let me just double check there’s no device ID here, you will eventually make mistakes and that stuff will eventually slip through.

We approach the world in a safe-by-default way, which means when you connect Freshpaint to Facebook Ads now, or Google Analytics, no data is going through. Therefore, compliance and marketing teams can choose, hey, we’re OK with sending this particular data set to this tool. We’re going to opt in to choose where that data goes. It’s not an opt-out scenario, and that’s very different from the way CDPs work. The major CDPs out there do have ways where engineers can get in there and spend a bunch of time working on filtering stuff out, but how do you guarantee that over the next two years you don’t miss a bunch of stuff doing that? This puts that power into the marketing and legal and compliance teams, where without engineering help they can go into an interface, they can choose what data is safe to send to Facebook or Google Analytics, and you can avoid any of those human errors that are inevitably going to come up in this kind of engineering paradigm.
Rich: Yeah, that’s great. So if healthcare companies are out there and they’re thinking, man, I need to get myself Freshpaint, I need to get this solution stood up, who internally in their business needs to be involved in making this decision? Who are the relevant stakeholders that you typically bring together in order to help these folks get this implemented, and who should they be trying to reach out to, to try and coordinate to get something like this understood and then potentially stood up?
Ray: It’s a great question. Yeah. The way that this normally works is the marketing team has an advertising component, someone who’s basically handling the ad budget, and there’s an analytics component, a team that’s building analytics. So that’s a great starting point. You know, we need to make sure everybody there is on the same page and understands how this would work. And then right after that, you definitely need to get legal and compliance involved, because there’s going to be a security review. We sign a BAA, there’s going to be a review of that. There’s an MSA, there’s a bunch of legal and compliance review that we’ll go through with every single provider.

And then once everything is approved and this is something they decide that they would move forward with, we have our own internal implementation team. We have a CS, customer success, team that will help with implementation. Usually on the healthcare provider side, there’s an IT component, there’s an IT team that would be involved. So once marketing and legal have kind of given their thumbs up, we very quickly after that set up a pre-implementation call to make sure that both of our teams are aligned on what would need to happen, you know? And then once we kick off, it’s usually about a two- to three-week process to get someone completely spun up on Freshpaint, with those teams working in coordination.
Rich: That sounds great. So I guess the last question from me is, what do you say to marketers who say, OK, sending events server-side sounds great, it’s compliant. But now that I don’t have my ad platform sucking up all this extra data that they’re using in their smart bidding algorithms and, you know, ways to target the best people in the auctions and the best audiences, how is my marketing going to perform versus the world that I have been used to, right, where all this information was flowing into Facebook, all this information was flowing into Google Ads? What is the performance implication going to be of moving towards this server-side approach?
Ray: Yeah, it’s a great question. I mean, because at the end of the day, what we’re trying to do for people is help them continue to drive those same CPAs that they were driving before they removed the pixel with Freshpaint, you know, so get the best of both worlds: safe from a HIPAA standpoint but effective from a lead acquisition standpoint. And so the good news is we’re able to manage the data in such a way that we have customers now who have CPAs at or below what their cost was before they removed the Facebook Pixel and replaced it with Freshpaint. So we can see all the way downstream, with customers who are actually spending real dollars in the wild, that this is an effective way to do both. If people want to learn more, I’m happy to go deeper into what exactly that data set looks like and how we handle it. But the outcome is exactly what people are looking for. It’s the best of both worlds.
Rich: And the alternative, of course, is you don’t have pixels or you’re not in compliance, neither of which are great alternatives. So even, you know, I think even if you’d said, well, there might be a slight performance hit, it would still be way better than the alternatives. But the fact that you guys have actually validated that Facebook and Google are able to perform at or around the same levels post-switch is fantastic news for digital marketers out there.
Ray: Yeah, like, the easy answer here from a privacy standpoint is just remove all the pixels. But we know what’s going to happen there. You will definitely have a very severe negative impact on that efficacy. And the good news is we’re doing consumer marketing, so you know there are going to be enough data points where you’re going to be able to feed that reinforcement loop to get those really good conversions. So yeah, this is, for people who want to continue to grow their business and utilize these tools, the best approach that we’ve seen out there. And you know, there are definitely point solutions that will solve for analytics by itself, but if you’re working in the ad ecosystem and you want to continue to use those tools, and you want to make the switch really quickly, this is the way to do it.
Rich: Well, Ray, this has been absolutely fascinating. I really appreciate your time today talking through, you know, CDPs, the benefits, the differentiation of Freshpaint, and how it fits into the healthcare tracking infrastructure. If you guys have questions about Freshpaint and want to talk to Ray and his team, we are more than happy to put you in touch with Ray. And I’m sure, Ray, you’ll be more than happy to field some questions from some of our listeners about how they can stay compliant and not lose the performance that they’re used to. And so, yeah, thanks again, Ray. We really appreciate it. I hope you guys enjoyed this episode of the Ignite Podcast, and we look forward to speaking to you again soon.
Ray: Thanks, Rich.
Announcer: Thanks for listening to this episode of Ignite. Interested in keeping up with the latest trends in healthcare marketing? Subscribe to our podcast and leave a rating and review. For more healthcare marketing tips, visit our [email protected].