HIPAA, marketing and advertising: How to run compliant campaigns in healthcare


Written by Karolina Lubowicka, Małgorzata Poddębniak

Published April 23, 2025


Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney.

Healthcare organizations deal with tons of sensitive information concerning people’s health. It needs to be handled with proper care. In the US, safe parameters for using this kind of data in different contexts, including marketing, are set by the Health Insurance Portability and Accountability Act (HIPAA).

Unfortunately, many companies are still unaware of the provisions of the law and the potential consequences of breaching its rules. The recent scandal around the use of Facebook pixels inside the patient portals of renowned medical institutions is sad proof of that.

In this article, we explain which marketing practices are unlawful under HIPAA and why. We also present some practical measures you could take to make your retargeting campaigns HIPAA-compliant.

Finally, we provide you with more privacy-friendly alternatives to retargeting that can help you do effective marketing and engagement campaigns without violating patients’ privacy.


Healthcare providers continue to misuse patient data

The recent lawsuit filed against the UCSF Medical Center and the Dignity Health Medical Foundation has caused a stir in the world of healthcare. According to the lawsuit, the healthcare providers collected sensitive health information from patient portals and used it for retargeting ads on Facebook, transmitting the data to Facebook without patient consent.

Healthcare data breaches, although alarming, are neither new nor rare. As of July 2023, healthcare organizations reported 330 breaches of sensitive health information affecting 41.4 million individuals to the HHS Office for Civil Rights, compared to 52 million affected in all of 2022. Many breaches involve cyberattacks and ransom demands, but some involve the inadvertent disclosure of private health data through tracking technologies, known as pixels, utilized by social media companies. Last year, The Markup found that 33 of the top 100 US hospitals used Facebook pixels on their websites. Seven of them used tracking codes on patients’ portals behind login walls.

New guidance on using tracking technologies

Many healthcare companies remain unaware of HIPAA provisions and ways to comply with them. One factor behind the increased number of reported HIPAA breaches is HHS’s bulletin from December 2022, which provides strict guidance on the use of third-party cookies, pixels and other tracking technologies by healthcare companies. This bulletin did not change HIPAA law itself, but rather provided an interpretation from HHS of how existing HIPAA rules apply to these technologies. This interpretation broadened what the HHS considers to be protected health information (PHI), which has sparked many controversies.

Earlier in 2023, numerous healthcare organizations submitted breach reports, acknowledging they had violated the December guidance from HHS. Telehealth provider Cerebral filed a data breach notification with HHS, admitting to having disclosed PII to other parties without sufficient HIPAA-protective measures. In July 2023, the FTC and HHS sent a joint letter to approximately 130 hospital systems and telehealth providers to alert them to the risks of tracking technologies on sites and apps that can impermissibly disclose consumers’ sensitive personal health data to third parties. 

The AHA lawsuit against the HHS bulletin

The American Hospital Association (AHA) filed a lawsuit against the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in November 2023, challenging its guidance on the use of online tracking technologies. This lawsuit, joined by several hospital associations and health systems, aimed to block the enforcement of OCR’s December 2022 bulletin, which expanded the definition of PHI to cover metadata such as IP addresses combined with webpage visits collected through tracking tools like pixels on hospital websites and apps. 

In June 2024, a judge ruled in favor of the AHA, declaring that the OCR had exceeded its statutory authority under HIPAA. It is crucial to understand the narrow scope of this ruling. The court specifically addressed the use of IP addresses and website visit data from unauthenticated web pages. The ruling does not invalidate other parts of the HHS guidance, particularly those relating to authenticated pages or the use of other types of data. The fundamental responsibility of healthcare organizations to protect PHI remains unchanged. Practices allowed under HIPAA concerning the use of tracking technologies like analytics platforms are still subject to interpretation. Consequently, healthcare providers should err on the side of caution and choose an approach to analytics that will ensure security and compliance. 

What happens if you don’t comply with HIPAA

The unauthorized use of protected health data for marketing and advertising may have some serious consequences. HIPAA breaches lead to the harshest and most direct penalties, including fines of up to $1,806,757, and in some cases, even criminal sanctions.

Malpractice concerning healthcare data can also damage patients’ trust and affect their relationship with their healthcare provider. As a recent study shows, patients who worry about their electronic health records being compromised in a breach are three times more likely to withhold information from their physicians.


Marketing and HIPAA: The problem goes beyond Facebook

Under HIPAA, marketing is defined as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service”. An example of marketing includes sending promotional emails about new medical devices or services that encourage purchases. 

HIPAA generally requires covered entities to obtain written authorization from individuals before using or disclosing protected health information (PHI) for marketing purposes. The increased costs and complexity in obtaining these authorizations can hinder targeted marketing efforts.

It’s worth noting that communications related to treatment, case management, care coordination, or recommendations for alternative therapies are not considered marketing and don’t require patient authorization. 

Examples include:

  • Prescription refill reminders.
  • Information about health-related services included in a health plan.
  • Communications aimed at improving patient care without promoting specific products.

It’s vital for healthcare organizations to clearly differentiate between permissible healthcare-related communications and those classified as marketing. They must also ensure that any tools or methods used for marketing (like email campaigns) are HIPAA-compliant.

To assess if your marketing use case requires patient authorization, read the guide on marketing by the US Department of Health and Human Services (HHS).

To learn about the elements of compliant patient authorization, look into the resources provided by the HHS.

The issue of defining PHI

Marketers must stay updated on what constitutes PHI in the digital age to avoid using data that could be considered protected without proper authorization. 

PHI includes any individually identifiable health information, which is a category that can be interpreted broadly. This means that even seemingly innocuous data, such as IP addresses or contact information, could be considered PHI if linked to health-related information. 

HIPAA’s definition of protected health information lists 18 types of data, including names, addresses, and medical records, but also user IDs and IPs often used to recognize visitors across channels. Even data collected from marketing pages and used in retargeting campaigns may constitute PHI.

Some publishers, such as Facebook, serve ads on social platforms available after logging in. Data that doesn’t include health information may become PHI when combined with user data from social networks.

Consider employing data aggregation or anonymization to remove individual identifiers, so that the data is no longer PHI. Another method involves using a limited data set, which can be used for marketing purposes under a data use agreement.

Signing a BAA

BAAs are essential tools for ensuring HIPAA compliance and protecting sensitive patient information when covered entities work with third-party vendors. By signing a BAA with a marketing or advertising vendor, a HIPAA-covered entity can securely share PHI with them. 

Popular advertising platforms, including Facebook, Google, and LinkedIn Ads, don’t give you the option to sign a business associate agreement (BAA). The same issue applies to many other products used by marketers, like analytics. Most of the platforms available on the market, including Google Analytics 4 and Adobe Analytics, don’t offer BAAs and forbid the use of PHI data in their products. 

These platforms cannot be configured in a HIPAA-compliant manner without significant customization, such as the lengthy and complex process of de-identifying PHI. A covered entity can’t just use GA4 or Adobe Analytics and expect to be compliant. The most future-proof approach involves switching to a marketing or analytics provider that will sign a BAA and help you process patient data with the proper safeguards. 

All these factors limit the ways you can do marketing in healthcare, especially when it comes to retargeting and other practices relying on user identifiers. That said, running retargeting campaigns is not impossible under HIPAA.

How to run compliant ad campaigns under HIPAA

Using retargeting in healthcare is possible but requires some serious precautions. 

Here are some tips for HIPAA-compliant advertising:

  • Remove marketing pixels from your password-protected apps and websites, such as patient portals. Consider limiting their use to your homepage. Some subpages of your website, such as blog posts about a specific disease or treatment, may still contain health information and can pass it to advertising platforms. 
  • Strip your data of any traces of PHI before you push it to ad networks. Make sure to get rid of any unique identifiers and pieces of data that would allow an individual to be identified. Follow the privacy guidelines of your chosen ad platform. 
  • Create remarketing campaigns based on simple and broad targeting, for example, website visits. This way, instead of targeting individuals, you create broad remarketing campaigns that don’t involve PHI.
  • Consider using a safe tag management system for better control over the information you send to the ad platforms. This way, you will control where and when pixels are allowed to run.
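The first, second and fourth tips above can be enforced in code. The following is an added example, not Piwik PRO’s code or any ad platform’s SDK: a small gate between a healthcare site and its marketing pixels that refuses to fire on authenticated or login-walled pages, fires only on an explicit allow-list of public pages, and reduces every outgoing event to a fixed set of non-identifying fields. Paths, field names and the sample event are constructed for the example.

```javascript
// Added example (not Piwik PRO or ad-platform code). Constructed site layout:
// only these public, non-condition-specific pages may carry a marketing pixel.
// A condition-specific blog post is deliberately NOT on the list, because a
// visit to it can itself reveal a likely health issue to the ad platform.
const PIXEL_ALLOWED_PATHS = new Set(["/", "/about", "/locations", "/contact"]);

// Constructed prefixes of pages behind a login wall (patient portal etc.).
const LOGIN_WALLED_PREFIXES = ["/portal/", "/myhealth/", "/appointments/"];

// The only fields an ad network may ever receive. Anything else in an event
// (user_id, email, ip, client cookies, full URL, query string) is dropped.
const AD_SAFE_FIELDS = new Set(["event", "page_category", "campaign"]);

// Defence in depth: values that look like direct identifiers are rejected
// even when they arrive inside an allow-listed field.
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const IPV4_RE = /\b\d{1,3}(\.\d{1,3}){3}\b/;

// Decide whether a marketing pixel may run at all on this page view.
// ctx = { path: "/some/path?query", authenticated: true|false }
function mayFirePixel(ctx) {
  if (ctx.authenticated) return false;                   // logged-in session: never
  const path = ctx.path.split("?")[0];                   // query strings never matter
  if (LOGIN_WALLED_PREFIXES.some((p) => path.startsWith(p))) return false;
  return PIXEL_ALLOWED_PATHS.has(path);                  // allow-list, not block-list
}

// Reduce an event to allow-listed string fields and refuse to send anything
// that still looks like an identifier. Returns null if it cannot be made safe.
function scrubForAdNetwork(event) {
  const out = {};
  for (const [key, value] of Object.entries(event)) {
    if (!AD_SAFE_FIELDS.has(key)) continue;              // drop identifiers silently
    if (typeof value !== "string") continue;             // no nested objects or numbers
    if (EMAIL_RE.test(value) || IPV4_RE.test(value)) return null; // leaked identifier
    out[key] = value;
  }
  return out;
}

// Full pipeline: the payload to hand to the pixel, or null if nothing may go.
function prepareAdEvent(ctx, event) {
  if (!mayFirePixel(ctx)) return null;
  return scrubForAdNetwork(event);
}

// Constructed sample: a raw event as site code might assemble it.
const SAMPLE_EVENT = {
  event: "page_view",
  page_category: "homepage",
  campaign: "spring_checkup",
  user_id: "u-42",
  email: "patient@example.com",
  ip: "203.0.113.7",
  url: "https://clinic.example/?appointment=99",
};

console.log(JSON.stringify(prepareAdEvent({ path: "/", authenticated: false }, SAMPLE_EVENT)));
console.log(prepareAdEvent({ path: "/portal/results?id=1", authenticated: false }, SAMPLE_EVENT));
```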

These campaigns will be less effective than traditional remarketing, since stripping user identifiers from your data removes the layer of personalization. However, they are still a good choice if you want to continue using ad platforms in your marketing.

That said, the compliance of your retargeting ads will depend on the type of healthcare business you’re in. The narrower and more sensitive the subject is, the greater the risk of disclosing PHI to a publisher.

Let’s consider three scenarios:

  1. You want to prepare a remarketing campaign for a health insurance provider. Hence, you create a general campaign that targets users who have visited your website and presents them with non-personalized ads that promote your offer. In this case, you don’t rely on PHI, and the message of your ad doesn’t contain information about the visitor’s condition or health issues. Given that you’ve gotten rid of all potential user identifiers, your advertisement is most probably HIPAA-compliant.
  2. You’re running a fertility clinic and plan to create a retargeting campaign based solely on page visits without using demographic data. Unfortunately, displaying ads related to sensitive issues, such as infertility, might still violate user privacy and bring compliance risks. By using data about a visit on a highly specialized website, you disclose information about a person’s potential health issues and share it with an ad platform.
  3. You’re in charge of digital marketing for a dermatological clinic. A person has visited your website in search of dermatitis treatment. Retargeting them with an ad promoting a treatment for the skin condition they looked up would violate the patient’s privacy. But an ad that promotes your clinic without mentioning any particular health issues should be a safe choice.

Keep in mind that these are only general guidelines and examples. Each ad campaign must be carefully assessed to ensure that it does not directly or indirectly reveal protected health information.

Consider implementing search engine advertising (SEA) or contextual advertising, which do not rely on PHI or sensitive patient data but instead use keywords. 

You can also integrate data from your ad platforms with a secure analytics platform, such as Piwik PRO Analytics Suite. This will allow you to evaluate the performance of your ads without sending this data back to Google or Facebook and adjust your campaigns accordingly.

How to run compliant marketing campaigns under HIPAA

HIPAA-covered entities can engage in compliant marketing by following these strategies:

Content marketing

  • Create educational content that does not require PHI, such as blog posts on health topics, videos about common medical conditions, and infographics on preventive care.
  • Focus on general health information rather than specific patient cases.

Social media engagement

  • Use social media to share general health tips and wellness advice, avoiding discussions of specific patient cases.
  • Implement disclaimers to clarify that direct medical advice is not provided on social platforms.
  • Educate staff on HIPAA-compliant social media practices.

Email marketing

  • Obtain proper consent for marketing emails and use secure, HIPAA-compliant email platforms.
  • Focus on general health information and practice updates rather than personalized health data.

Onsite retargeting and personalization

  • Reengage patients directly on your website or inside your app and serve them special offers, discounts, or recommendations. 
  • Pursue upsell and cross-sell opportunities, which often may not require patient authorization.

Despite your best efforts, marketing campaigns run on popular advertising platforms always pose some compliance risks. These platforms weren’t built for such privacy-sensitive industries as healthcare.

For greater peace of mind, consider investing in a safe first-party data ecosystem to use the potential of PHI in a way that fully respects HIPAA.

The benefits of a first-party data marketing strategy include:

  • Better compliance – Operating on first-party data helps you comply with data protection laws such as HIPAA. First-party data stays in the hands of those who collect it, and that gives more control and transparency over what happens with the data.
  • Data accuracy – First-party data is more accurate because you obtain it directly from your patients, unlike third-party data that is often aggregated from various data sets. Also, this data comes from your audience, making it more relevant to your business.
  • Patient trust – As you gather data first-hand from users and inform them about all processing purposes, you build trust and solid relationships with them.
  • Enhanced personalization and segmentation – First-party data enables targeting content recommendations and messages at a more granular level. Relying on PHI in a safe data ecosystem will allow you to create detailed segments of users based on characteristics such as demographics or subscribed health plans. This wouldn’t be possible or permitted with third-party data.
  • Increased customer engagement – The direct relationships built with site visitors and previous customers create many opportunities for customer experience optimization. As you gather data on customer engagement with the site and different digital assets, you gain key insights into what your site needs to do better.

Customer data platforms (CDPs) and HIPAA compliance

You can use a customer data platform (CDP) to establish and manage a first-party data strategy. CDPs are not HIPAA-compliant by default, so you must carefully choose the right tool.

When evaluating a CDP for HIPAA compliance, look for the following security features:

  • Data encryption at rest and in transit.
  • Role-based access controls to limit PHI access.
  • Audit logs for tracking PHI access and modifications.
  • Consent management to track patient consent for marketing communications.
  • Regular vulnerability scanning and penetration testing.
  • Incident response plan for data breaches.
  • Physical security measures.

A HIPAA-compliant CDP lets organizations combine data from multiple touchpoints, including your analytics, email marketing software, customer management platforms, consent managers, offline sources, and more.

This helps companies connect siloed data to create unified patient records and opens up many possibilities for effective marketing activities to improve users’ digital experiences. CDPs can store consent centrally and use it to ensure compliance across all connected downstream systems.

One of the key features of a CDP is data activation, which allows you to target users with relevant content or recommendations.

Here are some ideas for activations that healthcare organizations can employ:

  • Creating tailored treatment or medication plans and sharing them with patients via secure portals or apps.
  • Showing real-time on-site banners to encourage users to learn more about your services.
  • Sending emails reminding users to finish booking a test or a doctor’s visit.
  • Providing recommendations for higher treatment plans for frequent users.

How to find a HIPAA-compliant marketing vendor

What makes a MarTech vendor the right partner for a HIPAA-covered organization? As mentioned, a willingness to sign a business associate agreement (BAA) is essential.

A BAA is a contract between a HIPAA-covered organization and its business associates. It obliges both sides of the contract to protect PHI and comply with the guidelines provided by HIPAA. This means ensuring the proper standards of data encryption, private hosting, data minimization options, and other safety measures required by the act.

Keep in mind that signing a BAA is not a universal solution – evaluate the marketing platform’s agreement, terms of service, and data management processes diligently.

There are also additional security features that you can look for in your chosen marketing tools, such as:

  • User authentication methods to ensure unique login credentials to access the platform for each authorized employee. For increased security, the platform should enable two-factor authentication (2FA).
  • Access controls limit access to sensitive data and should be set based on an employee’s job function. Not all employees should have full access to the platform – they should only be granted access to the data that they need to perform their job. 
  • Audit logs help ensure that data is only accessed when it should be. Audit logs can be used to determine access patterns for each employee, enabling administrators to identify when an employee is accessing data excessively. This can help quickly detect breaches.
  • End-to-end encryption enabled when electronic PHI is created, stored, transmitted, or received using a software platform.
  • Storage of PHI on an encrypted offsite data backup server.

Piwik PRO gives you the option to sign a BAA, on top of many other HIPAA-protective measures, such as:

  • Secure hosting in HIPAA-compliant data centers.
  • Safe backup storage with maximum recovery capability.
  • Data encryption and transmission mechanisms.
  • Audit log and change log.
  • Full data control, and more.

Read more about how Piwik PRO approaches HIPAA compliance.

If the vendor you choose won’t sign a BAA with you, you need to de-identify all data that can be considered PHI before sharing it with the vendor. Such data is stripped of all identifiers, so it is no longer viewed as PHI, which removes it from the scope of HIPAA. At the same time, de-identified data lacks a lot of valuable information that would make your marketing campaigns more effective.

Alternatively, find a MarTech platform that offers on-premises hosting. If the vendor doesn’t have access to your infrastructure, they won’t be considered your business associate, so you won’t have to sign a BAA with them. However, maintaining such infrastructure requires extensive resources and time, so not every company will be able to use this option. You can also look into other secure, less resource-heavy options developed over the years, such as a private cloud.

Check out our review of HIPAA-compliant analytics platforms to choose the right analytics provider for your organization.

Marketing and HIPAA: A summary

Using popular ad platforms or non-compliant marketing platforms in a highly regulated sector such as healthcare puts organizations at risk of data breaches and issues with regulatory compliance. Consider employing alternative marketing strategies that don’t involve products from Big Tech. 

A first-party data strategy can bring many benefits to your organization and help you build a trust-based relationship with your patients. Opt for HIPAA-compliant marketing and analytics platforms that employ the highest security safeguards and offer business associate agreements (BAAs).

If you want to learn more about how Piwik PRO can support you in providing better patient experiences while maintaining HIPAA compliance, reach out to us: