Disclaimer: This blog post is not legal advice. Piwik PRO provides privacy-friendly analytics software, but doesn’t provide legal consultancy. If you’d like to make sure that you comply with HIPAA guidelines, we encourage you to consult an attorney.
Healthcare organizations deal with tons of sensitive information concerning people’s health. It needs to be handled with proper care. In the US, safe parameters for using this kind of data in different contexts, including marketing, are set by the Health Insurance Portability and Accountability Act (HIPAA).
Unfortunately, many companies are still unaware of the provisions of the law and the potential consequences of breaching its rules. The recent scandal around the use of Facebook pixels inside the patient portals of renowned medical institutions is sad proof of that.
In this article, we explain which marketing practices are unlawful under HIPAA and why. We also present some practical measures you could take to make your retargeting campaigns HIPAA-compliant.
Finally, we provide you with more privacy-friendly alternatives to retargeting that can help you do effective marketing and engagement campaigns without violating patients’ privacy.
US hospitals sued for using Meta pixels inside their patient portals
The recent lawsuit filed against the UCSF Medical Center and the Dignity Health Medical Foundation has made a stir in the world of healthcare.
According to the lawsuit, the healthcare providers collected sensitive health information from the patient portals and used it for retargeting ads on Facebook. This was done without the patient’s knowledge or permission.
This situation, although alarming, is neither new nor rare. In an investigation by The Markup, Facebook pixels were found on the websites of 33 out of the top 100 US hospitals. Seven of them used tracking codes on patients’ portals behind the login walls.
The unauthorized use of protected health data for marketing and advertising may have some serious consequences. The harshest and most direct are penalties resulting from breaches of HIPAA – fines of up to $1,806,757, and in some cases even criminal penalties.
This kind of malpractice can also damage patients’ trust and affect their relationship with their healthcare provider. As a recent study shows, patients who worry about their electronic health records being compromised in a breach are three times more likely to withhold information from their physicians.
Marketing and HIPAA: The problem goes beyond Facebook
The use of Facebook tracking pixels on patient portals is a flashy example of mishandling confidential health information. But this is not the only marketing activity through which healthcare organizations may unknowingly violate patients’ privacy.
To give you a broader perspective, let’s discuss some important provisions of HIPAA:
- HIPAA’s definition of marketing concerns interaction between a covered entity and an individual, no matter their patient status. It means that health data about your website visitors who came through ads should be protected the same way as it would come from your paying customers.
- Even data collected from marketing pages and used in retargeting campaigns may constitute PHI. HIPAA’s definition of protected health information lists 18 types of data, including names, addresses, and medical records, but also user IDs and IPs often used to recognize visitors across channels. Using this information for marketing, in most cases, requires the patient’s authorization (for example, a signature) and an advertising platform that allows PHI, and provides enough data protection.
That’s not the case with any popular advertising platform, including Facebook, Google, and LinkedIn Ads. None of these give you an option to sign a business associate agreement (BAA), a special kind of contract with a third party having access to PHI that is required by HIPAA.
- Some publishers, such as Facebook, serve ads on social platforms available after logging in. In this case, you must be especially careful about the information you share. Even data that doesn’t include health information may become PHI when combined with user data from social networks. Due diligence is then advised.
The same issue applies to other products used by marketers, for example, analytics. Most of the platforms available on the market, including Google Analytics, forbid the use of PHI data in their products.
It means you have to either take extra effort to avoid passing any trace of PHI to your analytics, or switch to an analytics platform that will help you process patient data with the proper safeguards.
Read more about it here: Is your analytics project HIPAA-compliant? A handy checklist
All these factors limit the ways you can do marketing in healthcare, especially when it comes to retargeting and other practices relying on user identifiers. That said, running retargeting campaigns is not impossible under HIPAA.
How to run compliant ad campaigns under HIPAA
You need to make sure to clean up any PHI traces that are being sent to the publisher’s platform and remember a few important steps.
Instead of targeting individuals, create broad remarketing campaigns that don’t involve PHI. To do so:
- Remove marketing pixels from your password-protected apps and websites, such as patient portals. On top of that, consider limiting their use to your homepage. Some subpages of your website, such as blog posts about a specific disease or treatment, may still pass health information to the advertising platform.
- Strip your data of any traces of PHI before you push it to the ad networks. Make sure to get rid of any unique identifiers and pieces of data that would allow an individual to be identified. Follow the privacy guidelines of your chosen ad platform.
- Create remarketing campaigns based on simple and broad targeting, for example, website visits. That said, the compliance of your ads will depend on the type of healthcare business you’re in. We’ll address this later on.
- Consider using a safe tag management system for better control over the information you send to the ad platforms. This way, you will control where and when the pixel is allowed to run.
Taking care of all these things should help you create lawful retargeting campaigns. They will be less effective than traditional remarketing. But if you’re interested in promoting your brand through popular ad platforms, they will be better than nothing.
Also, remember that this configuration might still be non-compliant in the case of some healthcare providers.
Let’s consider three scenarios:
- You want to prepare a remarketing campaign for a health insurance provider. Hence, you create a general campaign that targets users who visited your website and presents them with non-personalized ads that promote your offer.
In this case, you don’t rely on PHI and the message of your ad doesn’t contain information about the visitor’s condition or health issues. Given that you’ve gotten rid of all potential user identifiers, your advertisement is most probably HIPAA-compliant.
- You’re running a fertility clinic and plan to create a retargeting campaign based solely on page visits without using demographic data. Unfortunately, displaying ads related to sensitive issues, such as infertility, still might violate user privacy and bring compliance risks. By using data about a visit on a highly specialized website, you disclose information about a person’s potential health issues and share it with an ad platform.
- You’re in charge of digital marketing for a dermatological clinic. A person has visited your website in search of dermatitis treatment. Retargeting them with an ad promoting a treatment for the skin condition they looked up would violate the patient’s privacy. But an ad that promotes your clinic without mentioning any particular health issues should be a safe choice.
To sum things up: The compliance of your retargeting ads will depend on your area of specialization. The narrower and more sensitive the subject is, the greater the risk of disclosing protected health information to a publisher. Assess your case carefully before employing any remarketing campaign.
A different option is to capitalize on other types of advertising that don’t involve retargeting and PHI, for example, contextual targeting and simple ads based on keywords.
Search engine advertising (SEA), which largely relies on keyword searches, is mostly allowed under HIPAA. You can also consider contextual advertising on portals related to your specialty.
Compliance with the ad will depend on the type of information you include in it. Read carefully the policies of the ad platforms for ads related to healthcare to see what’s permitted.
Marketing and HIPAA: Effective and compliant alternatives to popular ad platforms
Despite your best efforts, marketing campaigns run on popular advertising platforms always pose some compliance risks. These platforms weren’t built for such privacy-sensitive industries as healthcare.
For greater peace of mind, consider investing in a safe first-party data ecosystem to use the potential of PHI in a way that fully respects HIPAA. Combining data from multiple touchpoints, including your analytics, email marketing software, customer management platforms, and offline sources opens up many possibilities when done with full respect for patient privacy.
The benefits of a first-party data marketing strategy include:
- Better compliance – Operating on first-party data helps you comply with data protection laws such as HIPAA. First-party data stays in the hands of those who collect it, and that gives more control and transparency over what happens with the data.
- Accuracy – First-party data is more accurate because you obtain it directly from your patients, unlike third-party data that is often aggregated from various data sets. Also, this data comes from your audience, making it more relevant to your business.
- Trust – As you gather data first-hand from your customers and inform them about all processing purposes, you build trust and solid relationships with them.
- Enhanced personalization and segmentation – First-party data enables targeting content recommendations and messages at a more granular level. Relying on PHI in a safe data ecosystem will allow you to create detailed segments of users based on characteristics such as demographics or subscribed health plans. This wouldn’t be possible or permitted with third-party data.
- Increased customer engagement – The direct relationships built with site visitors and previous customers create many opportunities for customer experience optimization. As you gather data on customer engagement with the site and different digital assets, you gain key insights into what it needs to do better.
There are many types of compliant marketing activities you could use PHI for, such as:
- Onsite retargeting and personalization – These help you reengage patients directly on your website or inside your app and serve them special offers, discounts, or recommendations. You get great upselling and cross-sell opportunities.
- Email campaigns – Here’s another channel for promoting your offer and recommending new products to the existing customer base. In most cases, using patient data for email campaigns will require authorization.
- Improving the performance of your ad campaigns – You can also consider integrating data from your ad platforms with a secure analytics platform, such as Piwik PRO Analytics Suite. This will allow you to evaluate the performance of your ads without sending this data back to Google or Facebook and adjust your campaigns accordingly.
Some of these activities, such as email campaigns, might require patient authorization. Others, such as onsite retargeting and personalization, can be done without such consent.
All of them require trusted business partners ready to meet the requirements of HIPAA.
- To assess if your marketing use case requires patient authorization, read the guide on marketing by the US Department of Health and Human Services (HHS).
- To learn about the elements of compliant patient authorization, look into the resources provided by the HHS.
How to find a HIPAA-compliant marketing vendor
What makes a MarTech vendor the right partner for an HIPAA-covered organization? A willingness to sign a business associate agreement (BAA) is essential.
A BAA is a contract between a HIPAA-covered organization and its business associates. It obliges both sides of the contract to protect PHI and comply with the guidelines provided by HIPAA. This means ensuring the proper standards of data encryption, private hosting, data minimization options, and other safety measures demanded by the act.
HIPAA business associates automatically become subject to audits performed by the HHS and can be held accountable for any data breaches or improper handling of data. Because of that, not many companies want to sign this agreement. But some do. See how Piwik PRO approaches HIPAA compliance.
Are there any alternatives? Yes. You can find a MarTech platform that offers on-premises hosting. Since the vendor won’t have access to your infrastructure and won’t be considered your business associate, you won’t have to sign a BAA with them.
You must apply these high standards to all platforms that interact with your patients’ PHI – CRMs, marketing automation tools, email marketing platforms, customer data platforms and analytics alike. Thanks to this, you will be able to collect granular data and use it to promote your services within the limits allowed by HIPAA.
Marketing and HIPAA: A summary
Using standard methods of retargeting in healthcare is not impossible, but requires some serious precautions. It’s also less effective, since stripping your data from user identifiers removes the layer of personalization.
To steer clear of the potential risks involved in using popular ad platforms in a highly regulated sector such as healthcare, think of employing marketing strategies that don’t involve big tech products. A first-party data strategy can bring many benefits to your organization and help you build a trust-based relationship with your patients.
If you’d like to learn more about data activation under HIPAA, contact us. We’ll be happy to present some compliant use cases to you.