Like many industries, healthcare has been undergoing significant change and is under immense pressure. Patients expect personalized healthcare experiences, but are increasingly aware of their privacy rights and demand that their data is safe and not misused. Healthcare providers have been seeking ways to connect, scale, and leverage customer data more effectively to meet consumers’ demands.
The healthcare industry has been slow to embrace digital transformations. Patient data is extremely sensitive, and privacy regulations compel the industry to scrutinize any new marketing or sales strategy. At the same time, regulations like HIPAA require providers to comply with strict standards when managing protected health information (PHI).
Customer data platforms (CDPs) offer a unique opportunity to unify patient data from disparate sources and act on it to improve communication with patients. CDPs allow companies to activate their data to provide integrated experiences across all channels, including appointments, account management, and telehealth.
In this blog post, we will examine how CDPs and data activation can help healthcare organizations integrate and activate their data while remaining privacy-compliant.
What are customer data platforms (CDPs)
CDPs help integrate and manage information about your future and existing patients from multiple sources and points of contact. In healthcare, these can include electronic health records (EHRs), patient portals, mobile applications, social media, and call center interactions.
A CDP offers a unified view of your patients and allows you to use the gathered data to automate processes leading to improved patient acquisition, engagement and retention.
You can use the data to:
- Send timely reminders or follow-ups to patients based on their recent activity.
- Share relevant health information or recommendations matched to patient interests or needs.
- Re-engage patients who started but didn’t finish online forms or bookings.
- Group patients for targeted health campaigns or outreach.
- Notify care teams when patients show signs of needing urgent attention.
Benefits of using a CDP in healthcare
Using a customer data platform (CDP) by HIPAA-covered entities offers several benefits, particularly enhancing patient experiences while ensuring compliance with regulations.
Here are some key advantages of CDPs:
- Data unification: CDPs help unify patient data from various sources, creating a comprehensive view of each patient. Single customer views (SCVs) enhance the ability to provide personalized care and experiences.
- Data silo elimination: By integrating data across different systems, CDPs eliminate data silos, ensuring that all relevant information is accessible and usable for healthcare providers.
- Real-time data management: CDPs often support real-time data management, providing call centers and telehealth agents with up-to-date patient information. With timely insights and responses to patient interactions, call center agents can immediately focus on finding solutions to their issues.
- Integration: CDPs enable seamless integration between various systems and data sources, which improves operational efficiency and provides access to integrated data in one platform.
- Data activation: Healthcare organizations can transform data into actionable insights, improving patient care and decision-making by identifying care gaps, predicting risks, and personalizing treatment plans.
- Enhanced segmentation and targeting: CDPs offer better segmentation and audience targeting by connecting patient data, allowing healthcare providers to tailor services and communications to individual patient needs.
- Improved marketing effectiveness: Use a CDP to unlock healthcare marketing insights to maximize the effectiveness of your campaigns and create personalized experiences.
Customer data platform (CDP) and HIPAA compliance
HIPAA-compliant CDPs provide technical and physical safeguards to protect the PHI they store and process. Such vendors can help them protect patient data with enhanced security features like encryption, safe data storage, access controls, data management, incident response and others.
When looking for a HIPAA-compliant CDP, focus on evaluating the following key areas:
Data security and encryption
Ensure that all patient data is encrypted and hashed immediately upon collection. This includes using protocols like SSL or TLS for data transmission. CDPs also provide identity resolution and data masking to protect patient data.
Compliant hosting
Keep all customer data on a HIPAA-ready public or private cloud with secure backup storage. Private cloud is more optimal due to granular control over the infrastructure and security features.
Minimum necessary principle
HIPAA restricts the scope of collected and disclosed data to what is strictly needed. A CDP should allow granular role-based access controls and data segmentation.
Data retention and deletion
CDPs can automate the implementation of clear policies for retaining and safely disposing of PHI when it is no longer needed.
Auditing and monitoring
Maintain detailed audit logs of data access and modifications for compliance purposes. This will allow you to track who accessed PHI and when, reducing the risk of unauthorized data exposure.
Consent management platforms (CMP)
Many CDPs offer seamless integrations with CMPs. These tools are designed to streamline obtaining, managing, and tracking patient authorization to guarantee all data exchanges contain relevant consents.
Business associate agreement (BAA)
Signing a business associate agreement (BAA) with the CDP vendor allows you to process PHI in a HIPAA-compliant manner. It helps ensure joint compliance and liability for the provided services and establishes clear responsibilities concerning PHI protection.
Patient authorization and HIPAA compliance
Under the HIPAA Privacy Rule, collecting valid patient consent involves specific requirements to ensure the security of protected health information (PHI).
A covered entity must obtain patient authorization before using or disclosing PHI, except for specific exceptions like treatment, payment, and healthcare operations (TPO).
TPO includes, among others:
- Appointment reminders
- Preventive actions
- Individualized recommendations
- Scheduling optimizations
- Telemedicine prompts
- Medication adherence messages
- Basic health campaigns
Another exception to authorization is verbal consent, which is allowed in limited cases, such as hospital directories or notifying family members. Still, disclosures must be minimal, such as name, condition, or location.
If the organization wants to use PHI for purely commercial or marketing purposes unrelated to care, HIPAA requires formal written authorization from patients before their data is used. Such purposes include promoting external or unrelated services, retargeting ads or sharing data with third parties.
You can manage authorization through a HIPAA-compliant consent management platform (CMP) that tracks and enforces consents. A CMP allows healthcare providers to create electronic forms that patients can sign digitally, ensuring a clear and documented authorization record.
Elements of a valid HIPAA authorization
A valid authorization must include the following elements:
- Clear description: The PHI to be disclosed must be clearly defined.
- Patient identification: The patient’s printed name must be included.
- Recipient details: The individuals or entities authorized to use or disclose the PHI must be specified.
- Purpose of disclosure: The purpose of the use or disclosure must be detailed.
- Expiration date: The authorization must include a date after which it is no longer valid.
- Patient signature: The patient must sign the authorization, and a copy must be provided to them.
Patients can revoke their authorization in writing at any time, and covered entities must respect this revocation.
Data de-identification
HIPAA names two valid de-identification methods: Safe Harbor and Expert Determination.
De-identified data can be used for statistical analyses, predictive modeling, or marketing that doesn’t require identifying specific patients. Once PHI is de-identified, the restrictions of the HIPAA Privacy Rule no longer apply because the data contains no individually identifiable health information.
HIPAA also allows using a limited data set under a data use agreement. A limited data set contains identifiable healthcare information that HIPAA-covered entities can share with certain parties for research purposes, public health activities, and healthcare operations without prior authorization from patients. However, if you want to take advantage of this method, ensure you meet the conditions specified by the HIPAA Privacy Rule.
Learn more about HIPAA compliance in marketing and analytics:
Data activation use cases in healthcare
CDPs can help improve patients’ exposure to providers, including onboarding, finding care, and post-care adherence.
You can create audiences of users matching specific demographic or behavioral conditions, such as their preferences, browsing or treatment history, symptoms, subscription, and more. Then, you can activate the audience by providing them with easy access to relevant information and services. Your activations can include showing on-site banners and sending emails or SMS, push notifications, in-app messages, and more.
You can combine data activation with other platforms, such as tag management systems. You’re also able to enrich data in a CDP with information imported from different sources, like ad platforms or CRMs.
Here are some suggestions for data activation use cases in healthcare:
Personalized treatment plans
- Create audiences of users based on their individual health records, browsing and purchase history, and contact preferences.
- Activate the audience by generating tailored treatment recommendations or medication plans and sharing them with patients via secure portals or apps.
Real-time appointment optimization
- Create audiences of users based on their patient preferences and provider availability. You should integrate the CDP with appointment scheduling systems to make this possible.
- Activate the audience by automating scheduling and sending pre-appointment reminders to reduce no-shows.
Enhanced telemedicine experiences
- Create audiences of new patients before their first appointment or a specific type of test.
- Activate the audience by encouraging them to use self-service tools and provide details of their conditions and preferences before their appointment. With this information, clinicians will have access to patient details that will allow them to personalize telemedicine consultations.
- After the appointment, you can request the audience to leave feedback, which you can use to improve future telehealth sessions.
Medication adherence monitoring
- Create audiences of users based on the available prescription data and patient adherence.
- Activate the audience by sending automated refill reminders or alerts for missed doses.
- You can also provide pharmacists and doctors with adherence reports for follow-ups.
Population health management
- Create audiences using aggregated data from diverse populations based on demographic data and identify care gaps and high-risk groups.
- Activate the audience by implementing targeted interventions for underserved communities, such as preventive care campaigns for different age groups.
Acquiring new patients
- Create audiences of users who haven’t used your services before but have been browsing pages about them.
- Activate the audience by showing on-site banners in real-time to encourage them to learn more about your offer, book an appointment, or test.
Cross-promotion campaigns
- Create audiences of users based on their current usage of your services, such as treatment history, health conditions, or subscription plan.
- Activate the audience by recommending related services they might be interested in or higher treatment plans for frequent users.
Let’s go through two step-by-step examples of data activation using Piwik PRO CDP:
Preventive care
1. In Piwik PRO CDP:
- Create an audience based on user/patient attributes indicating they may be at risk of chronic diseases like diabetes or heart disease, as well as web behavioral data like interaction frequency and recency.

2. In Tag Manager:
- Add a custom tag or content tag with banner styling and text content.
- Add an audience detection trigger.
3. Activate the audience in the CDP by showing an on-site banner with personalized care instructions or recommendations for taking preventive measures.

Patient engagement campaigns
1. In Google Ads:
- Run a campaign promoting cardiovascular disease screenings covered by Medicare Part B.
- Drive users to a landing page with educational content and screening eligibility details.
Note: Such screenings are often covered under government or government-sponsored programs (such as Medicare Part B every 5 years). According to HHS guidance, this type of communication is not considered marketing under HIPAA.
2. In Piwik PRO CDP:
- Create an audience of users who came from the Google Ads campaign and have shown high interest via their web behavior.

3. Activate the audience in the CDP via a webhook or API by sending the attribute indicating the user’s interest in cardiovascular screening to an appointment portal like Phreesia. You must sign a BAA with the platform.
4. In the appointment portal:
- Check if the user already has an appointment.
You can skip this check if you’re feeding data into the CDP from the appointment portal and include a ‘no-appointment-yet’ condition in Step 2.
- If not, send the following text message to the user: “You may be eligible for a free heart screening. View your secure invitation here”.
Piwik PRO and HIPAA compliance
If you want to start activating your data, choose a HIPAA-compliant platform that will let you do it safely yet effectively.
Piwik PRO offers an integrated platform consisting of analytics, tag management, consent management, and a customer data platform.
With an intuitive UI, easy-to-use, customizable reports and dashboards, and seamless integrations with other tools, you can adjust data processes to your needs. Throughout this, we offer personalized support, onboarding and training.
On top of functionality, you can count on a range of features to support your organization in complying with HIPAA. These include:
- Compliant hosting: Piwik PRO offers hosting on HIPAA-compliant Microsoft Azure data centers based in the US, allowing organizations to know how and where their data is being stored.
- Business associate agreement (BAA): Piwik PRO offers a customizable BAA, helping clients ensure sensitive health information is handled following HIPAA standards. If you prefer, you still have the option to de-identify all PHI before sending it to our platform. Either way, you can ensure compliance with HIPAA.
- Encryption: Data is encrypted at rest and in transit using secure protocols like 256-bit AES encryption, ensuring that sensitive health information remains safe.
- Advanced user permissions: Piwik PRO provides granular access controls, allowing organizations to restrict access to sensitive data to authorized personnel only.
- No sharing of ePHI: Piwik PRO does not share electronic protected health information (ePHI) with third parties or reuse it for other purposes, maintaining data privacy.
- Regular security audits: The platform undergoes regular privacy and security audits by external bodies to ensure high-security standards.
- ISO 27001 and SOC 2 Type II certifications: Holding these certifications, including a HIPAA compliance assessment, demonstrates Piwik PRO’s commitment to robust security and compliance standards.
Read more about Piwik PRO and HIPAA compliance.
Final thoughts
Patients expect personalized interactions with their providers, but achieving this on a large scale is challenging. Using customer data platforms (CDPs) in healthcare is a way to provide better experiences at every stage of the patient journey. User expectations are ever-changing, and organizations that are willing to adapt can better meet their needs. Healthcare is personal, and with a strategic application of CDPs and data activation, healthcare organizations can deliver the right message when it matters most.
Reach out to us and learn how your healthcare organization can benefit from data activation with Piwik PRO: