Back to blog

How can healthcare organizations benefit from using a customer data platform (CDP)

, ,

Written by Małgorzata Poddębniak

Published February 08, 2026

Note: This article references our Customer Data Platform, now called Data Activation. All HIPAA compliance features remain the same.

Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but does not provide legal consultancy. If you’d like to make sure you’re in compliance with HIPAA guidelines, we encourage you to consult an attorney.

Like many industries, healthcare has undergone significant changes and is under immense pressure. Patients expect personalized healthcare experiences, but are increasingly aware of their privacy rights and demand that their data is safe and not misused. Healthcare providers have been seeking ways to connect, scale, and leverage customer data more effectively to meet consumers’ demands, according to Accenture’s 2024 Life Trends report.

In this blog post, we will examine how HIPAA-compliant CDPs and data activation platforms can help healthcare organizations integrate and act on their data while remaining privacy-compliant.

Understanding HIPAA and its impact on customer data platforms (CDPs)

The Health Insurance Portability and Accountability Act (HIPAA) is a critical U.S. federal law enacted to protect sensitive patient information, known as protected health information (PHI). HIPAA sets national standards for the privacy and security of PHI, which directly impacts how regulated entities – health plans, healthcare providers and clearinghouses – and their technology partners, including customer data platforms (CDPs), manage patient data. 

Compliance with HIPAA ensures that patient information is handled securely. HIPAA violations can result in significant penalties and fines, including civil and criminal penalties. Since 2023, healthcare organizations have paid over $100 million in HIPAA fines for pixel tracking violations.

Handling online tracking information and working with tracking technology vendors

Online tracking technologies, such as cookies, web beacons, and mobile apps, are widely used to collect data on patient interactions. However, when such tracking involves PHI, HIPAA requirements apply. Healthcare organizations must carefully manage their relationships with tracking technology vendors to ensure compliance.

If you are a HIPAA-covered entity using a CDP, apart from signing a BAA, follow these best practices: 

  • CDP must automate the implementation of clear policies for retaining and safely disposing of PHI when it is no longer needed.
  • CDP should maintain detailed audit logs of data access and modifications for compliance purposes.
  • Data minimization tools should automatically filter or mask PHI when routing to non-compliant third-party destinations.
  • Ensure your CDP integrates with consent management platforms if you require patient consent for data usage.

Learn more: 

What is a customer data platform (CDP)

CDPs offer a unique opportunity to unify patient data from various sources and act on it to improve patient communication. CDPs integrate and manage information about your future and existing patients from multiple sources and points of contact, including electronic health records (EHRs), patient portals, mobile applications, social media, and call center interactions. 

These platforms enhance operational efficiency, improve marketing effectiveness, and support better patient outcomes through data-driven insights, all while maintaining HIPAA compliance.

CDPs enable companies to activate data by:

  • Sending timely reminders or follow-ups to patients based on their recent activity.
  • Sharing relevant health information or recommendations matched to patient interests or needs.
  • Re-engaging patients who started but didn’t finish online forms or bookings.
  • Grouping patients for targeted health campaigns or outreach.
  • Notifying care teams when patients show signs of needing urgent attention.

The importance of business associate agreements (BAAs)

Regulated entities must enter into BAAs with their CDP vendors and any other technology vendors that handle PHI on their behalf. A BAA defines each party’s responsibilities and liabilities for safeguarding sensitive health information in accordance with HIPAA guidelines. This agreement is essential for maintaining compliance and ensuring accountability between healthcare providers and their technology partners.

Under the HIPAA Privacy Rule, HIPAA-covered entities must obtain valid patient authorization before using or disclosing PHI for purposes beyond treatment, payment, and healthcare operations (TPO). For example, authorization wouldn’t generally be required to send appointment reminders, provide individualized treatment recommendations, or display telemedicine prompts.

However, regulated entities must obtain patient authorization to use PHI for purely commercial or marketing purposes unrelated to care, such as promoting external services, retargeting ads, or sharing data with third parties. Consent management platforms integrated with CDPs streamline this process by enabling patients to provide electronic consent, which is securely tracked and can be revoked at any time.

Read more: 45 CFR §164.508: Requirements for authorization in marketing and other non-TPO disclosures

Data de-identification and limited data sets

To further protect patient privacy, HIPAA allows the use of de-identified data through Safe Harbor or Expert Determination methods. De-identification removes or masks individually identifiable health information, enabling healthcare organizations to use patient data for analytics, research, and marketing without compromising privacy.

Once data is de-identified, it no longer falls under HIPAA and can be used for analytics or marketing without compromising privacy. HIPAA also permits sharing limited data sets under data use agreements for research and public health activities, which CDPs can facilitate securely.

Benefits of HIPAA-compliant CDPs for healthcare companies

By leveraging a HIPAA-compliant CDP, healthcare providers can unify sensitive health information from different sources, eliminate data silos, and enable personalized communications and engagement campaigns, all while supporting regulatory compliance. 

Here is how CDPs help them achieve it:

  • Seamless integration with healthcare systems and marketing tools: CDPs support secure APIs, like FHIR and HL7, enabling smooth data exchange with EHRs and other health services, as well as data and marketing platforms.
  • Real-time patient engagement: By activating unified patient data, healthcare organizations can improve patient outcomes and operational efficiency through appointment reminders, medication adherence messages, and preventive care campaigns.
  • Improved marketing effectiveness: CDPs enable healthcare marketing teams to leverage web analytics data in a privacy-safe way, optimizing campaigns without risking data breaches.
  • Identity resolution and data masking: These capabilities help ensure that patient data is managed appropriately and securely.
  • Privacy and security measures: HIPAA-compliant CDPs implement robust technical safeguards like end-to-end encryption, strict access controls, audit trails and data backup/recovery.

Learn more about marketing for healthcare: HIPAA, marketing and advertising: How to run compliant campaigns in healthcare

Data activation use cases in healthcare

CDPs can help improve patients’ exposure to providers, including onboarding, finding care, and post-care adherence. 

You can create audiences of users matching specific demographic or behavioral conditions, such as their preferences, browsing or treatment history, symptoms, subscription, and more. Then, you can activate the audience by providing them with easy access to relevant information and services. Your activations can include showing on-site banners and sending emails or SMS, push notifications, in-app messages, and more. 

You can combine data activation with other platforms, such as tag management systems. You’re also able to enrich data in a CDP with information imported from different sources, like ad platforms or CRMs. 

Here are some suggestions for data activation use cases in healthcare:

Personalized treatment plans

  • Create audiences of users based on their individual health records, browsing and purchase history, and contact preferences.
  • Activate the audience by generating tailored treatment recommendations or medication plans and sharing them with patients via secure portals or apps.

Real-time appointment optimization

  • Create audiences of users based on their patient preferences and provider availability. You should integrate the CDP with appointment scheduling systems to make this possible.
  • Activate the audience by automating scheduling and sending pre-appointment reminders to reduce no-shows.

Enhanced telemedicine experiences

  • Create audiences of new patients before their first appointment or a specific type of test. 
  • Activate the audience by encouraging them to use self-service tools and provide details of their conditions and preferences before their appointment. With this information, clinicians will have access to patient details that will allow them to personalize telemedicine consultations.
  • After the appointment, you can request the audience to leave feedback, which you can use to improve future telehealth sessions.

Medication adherence monitoring

  • Create audiences of users based on the available prescription data and patient adherence. 
  • Activate the audience by sending automated refill reminders or alerts for missed doses.
  • You can also provide pharmacists and doctors with adherence reports for follow-ups.

Population health management

  • Create audiences using aggregated data from diverse populations based on demographic data and identify care gaps and high-risk groups.
  • Activate the audience by implementing targeted interventions for underserved communities, such as preventive care campaigns for different age groups.

Acquiring new patients

  • Create audiences of users who haven’t used your services before but have been browsing pages about them. 
  • Activate the audience by showing on-site banners in real-time to encourage them to learn more about your offer, book an appointment, or test. 

Cross-promotion campaigns

  • Create audiences of users based on their current usage of your services, such as treatment history, health conditions, or subscription plan. 
  • Activate the audience by recommending related services they might be interested in or higher treatment plans for frequent users. 

Sample use cases: Step-by-step implementation in Piwik PRO

Let’s analyze two specific activations for healthcare and set them up using Piwik PRO CDP:

Preventive care

1. In Piwik PRO CDP: 

  • Create an audience based on user/patient attributes indicating they may be at risk of chronic diseases like diabetes or heart disease, as well as web behavioral data like interaction frequency and recency.

2. In Tag Manager:

  • Add a custom tag or content tag with banner styling and text content.
  • Add an audience detection trigger. 

3. Activate the audience in the CDP by showing an on-site banner with personalized care instructions or recommendations for taking preventive measures.

Patient engagement campaigns

1. In Google Ads:

  • Run a campaign promoting cardiovascular disease screenings covered by Medicare Part B.
  • Drive users to a landing page with educational content and screening eligibility details.

Note: Such screenings are often covered under government or government-sponsored programs (such as Medicare Part B every 5 years). According to HHS guidance, this type of communication is not considered marketing under HIPAA.

2. In Piwik PRO CDP:

  • Create an audience of users who came from the Google Ads campaign and have shown high interest via their web behavior.

3. Activate the audience in the CDP via a webhook or API by sending the attribute indicating the user’s interest in cardiovascular screening to an appointment portal like Phreesia. You must sign a BAA with the platform. 

4. In the appointment portal:

  • Check if the user already has an appointment.

You can skip this check if you’re feeding data into the CDP from the appointment portal and include a ‘no-appointment-yet’ condition in Step 2.

  • If not, send the following text message to the user: “You may be eligible for a free heart screening. View your secure invitation here”.

Partnering with a trusted HIPAA-compliant vendor

Not all analytics and data activation platforms are HIPAA compliant – vendors must implement strict privacy and security measures to receive this designation. 

Selecting a platform with proven HIPAA compliance, including signed BAAs and secure patient data processing, is essential for modernizing your data processes without risking unauthorized exposure of PHI.

Piwik PRO provides a HIPAA-compliant platform that combines privacy-focused analytics with data activation capabilities, enabling healthcare organizations to collect, analyze, and act on patient data while maintaining full regulatory compliance.

How Piwik PRO supports HIPAA compliance

Piwik PRO helps healthcare organizations meet HIPAA requirements through:

Business associate agreement (BAA)

  • Customized BAAs tailored to your organization’s specific needs
  • Clear contractual obligations for handling ePHI

Advanced data security

  • Data encryption at rest and in transit using industry-standard secure protocols
  • Secure US-based cloud hosting or private cloud deployment options
  • Granular access controls to limit data exposure to authorized personnel only

Data ownership and control

  • Full data ownership with the ability to select your preferred data residency
  • No sharing of ePHI with third parties
  • ePHI is never reused for other purposes

Rigorous security standards

  • Infrastructure undergoes regular, independent third-party security audits
  • ISO 27001 and SOC 2 Type II certifications
  • Ongoing HIPAA compliance assessments

With Piwik PRO, healthcare organizations can leverage advanced analytics and data activation features while ensuring patient data remains protected and compliant with HIPAA regulations. 

Learn more about Piwik PRO and HIPAA compliance.

Final thoughts

Patients expect personalized interactions with their providers, but achieving this at scale is challenging. Utilizing CDPs in healthcare enables the delivery of enhanced experiences at every stage of the patient journey. User expectations are ever-changing, and organizations that are willing to adapt can better meet their needs. Healthcare is personal, and with a strategic application of CDPs and data activation, healthcare organizations can deliver the right message when it matters most.

Reach out to us and learn how your healthcare organization can benefit from data activation with Piwik PRO:

Request a demo
Talk to us

Frequently Asked Questions

What is a HIPAA-compliant customer data platform (CDP)?

A HIPAA-compliant CDP is a data activation platform that unifies patient information from multiple sources (EHRs, patient portals, mobile apps, websites) while meeting HIPAA security and privacy requirements. It must sign a business associate agreement (BAA), provide encryption, maintain audit logs, and enable secure data activation for personalized patient engagement without risking PHI exposure.

Do I need a business associate agreement (BAA) with my CDP vendor?

Yes. Any CDP vendor that creates, receives, maintains, or transmits PHI on your behalf is considered a business associate under HIPAA. You must have a signed BAA in place before sharing any PHI with the platform. Without a BAA, using a CDP with patient data violates HIPAA regulations.

What’s the difference between a CDP and analytics platform for healthcare?

Analytics platforms collect and report on user behavior. CDPs unify data from multiple sources and activate it through real-time campaigns, personalization, and integrations with other systems. Some platforms like Piwik PRO offer both analytics and CDP capabilities through its Data Activation module in one HIPAA-compliant solution.

Can I use a CDP to send marketing emails to patients without their consent?

It depends on the purpose. Under HIPAA, you don’t need authorization for treatment, payment, or healthcare operations (TPO) communications – like appointment reminders or individualized treatment recommendations. However, you must obtain patient authorization for purely commercial marketing unrelated to care, such as promoting external services or retargeting ads.

What data activation use cases work best for healthcare organizations?

Common use cases include personalized treatment plan recommendations, automated appointment reminders to reduce no-shows, medication adherence monitoring with refill alerts, enhanced telemedicine experiences with pre-visit questionnaires, population health management for preventive care campaigns, and cross-promotion of related healthcare services to existing patients.

How does a CDP help with telehealth patient engagement?

A CDP creates audiences of new patients before their first telehealth appointment and activates personalized communications encouraging them to complete pre-visit questionnaires. This gives clinicians access to patient details for more personalized consultations. Post-appointment, the CDP can trigger feedback requests to improve future telehealth sessions.

What’s the difference between de-identified data and PHI in a CDP?

PHI includes any health information combined with identifiable details (names, IP addresses, medical record numbers). De-identified data has all 18 HIPAA identifiers removed using Safe Harbor or Expert Determination methods. Once de-identified, data is no longer subject to HIPAA and can be used for analytics or marketing without patient authorization. However, de-identification limits personalization capabilities.

What security features should a HIPAA-compliant CDP include?

Required features include AES-256 encryption for data at rest and in transit, role-based access controls, comprehensive audit logs tracking all PHI access and modifications, automated data retention policies, data minimization tools to filter PHI when routing to third-party destinations, and integration with consent management platforms.

Małgorzata Poddębniak

Senior Content Marketer

Senior content marketer at Piwik PRO, copywriter, translator and editor. She started as a freelancer, gaining experience with creating versatile marketing content for various channels and industries. Later, she began working as a translator and editor, specializing in academic articles and essays, mainly in the field of history and politics. After becoming interested in SEO, she moved on to work as a content writer for a technical SEO agency. While there, she designed the company newsletter and planned and created in-depth articles, practical guides, interviews, and other supporting marketing materials. She joined Piwik PRO with extensive knowledge of technology, SEO, and digital marketing. At Piwik PRO, she writes about analytics, privacy, marketing, personalization, and data management and explains product best practices and industry trends for different industries. | LinkedIn Profile