This is a guest post from our partners at Freshpaint
In December 2022, the healthcare marketing world hit a major roadblock. The Department of Health and Human Services (HHS) released new guidance on the use of online tracking technologies, and the message was clear: these tools could improperly disclose protected health information (PHI) to tracking vendors, which is a HIPAA violation. Practically overnight, many marketers lost tools they had relied on, such as Google Analytics.
This sudden change left everyone scrambling. Without clear direction from HHS on what to do next, healthcare marketers found themselves trying to navigate a new landscape. Costs for acquiring customers and leads went up because they couldn't see what was working and what wasn't. Some looked for alternatives and found them in healthcare-specific customer data platforms (CDPs), which could fit into their marketing plans while keeping things compliant with HIPAA. Others decided to invest time and money into building their own solutions from scratch.
Fast-forward to March 2024 and there's finally some good news. HHS updated its guidance to clear up much of the confusion left by the previous guidance. This clarity also opens up new possibilities for healthcare marketers looking for ways to stay compliant while keeping their marketing effective.
This most recent guidance contains five significant updates. Each one closely tracks a question healthcare marketers have been asking since the original guidance was released.
When HHS released its original guidance, it wasn’t clear if unauthenticated webpages, like a page describing treatment for a health condition, were a risk to HIPAA compliance.
Now, it is clear. In its updated guidance, HHS states, “Tracking technologies on unauthenticated webpages may have access to PHI, in which case the HIPAA Rules apply to the regulated entities’ use of tracking technologies and disclosures to the tracking technology vendors.” HHS then gives some examples.
If a student visits a healthcare website for research purposes, tracking their behavior isn’t PHI. But, if “an individual were looking at a hospital’s webpage listing its oncology services…the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI.”
The problem for healthcare marketers is that there is no reliable way to distinguish the student from the individual researching oncology: the tracker sees the same IP address, page URL, and timestamp for both.
The safe approach is to assume that anyone visiting a healthcare-specific page is seeking health services. That means you should not run any online tracking technology on those pages unless the vendor has signed a Business Associate Agreement (BAA).
The previous guidance made it clear that healthcare marketers could not disclose PHI to website trackers without either a BAA or a valid HIPAA authorization from the people visiting their websites. Because of this, consent managers, tools already in use for collecting consent under GDPR (General Data Protection Regulation), seemed like a natural next step for HIPAA compliance.
Healthcare organizations thought that since consent managers ask website visitors for their permission to be tracked, this method would also be acceptable for obtaining HIPAA authorization. HHS has clarified that consent managers do not work for HIPAA authorization. Here’s the quote from the updated guidance: “Website banners that ask users to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization.”
To be clear, consent managers remain useful for complying with other regulations, such as GDPR, the Video Privacy Protection Act (VPPA), the California Consumer Privacy Act (CCPA), and others. They are not, however, a substitute for a HIPAA authorization or a BAA.
Ever since that original guidance was released, IP addresses have been a hot topic. Some healthcare organizations view them as PHI, even without any additional health information.
HHS’s updated guidance makes it clear that an IP address is not PHI on its own. Here’s the passage: “For example, where a user merely visits a hospital’s webpage that provides information about the hospital’s job postings or visiting hours, the collection and transmission of information showing such a visit to the webpage, along with the user’s IP address, geographic location, or other identifying information showing their visit to that webpage, would not involve disclosure of an individual’s PHI to a tracking technology vendor.” The takeaway is that a web tracker that collects IP addresses on an unauthenticated page containing no health information does not create a HIPAA violation. The IP address becomes PHI only when it is paired with information about the individual’s health, such as a visit to a page about a specific condition or treatment.
The challenge is that it is difficult to control precisely which pages a tracker fires on: tag managers and site templates typically load the same tracker on every page, so it is hard to guarantee that it never fires on a page with health context. If you are using a tracking technology at all, make sure you have a Business Associate Agreement (BAA) in place with the vendor.
Another point of confusion over the last year is whether tracking technologies that capture but don’t store PHI put healthcare organizations at risk. Google Analytics is a prime example: Google says it collects, but does not store, IP addresses. HHS clears this up by saying:
“Further, it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information. Any disclosure of PHI to the vendor without individuals’ authorizations requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure.”
In other words, if a healthcare website uses a technology that collects PHI (as Google Analytics does when it receives the IP address of a visit to a page with health context), the HIPAA issue arises the moment the data is transmitted to the vendor. It does not matter whether the vendor promises to remove or de-identify the data afterward; the disclosure has already happened.
The most significant update from HHS offers a clear path for healthcare marketers who cannot get a BAA with a particular marketing tool but still want to use it.
HHS identifies using a customer data platform (CDP) that has signed a BAA as the approach to take when your chosen tracking technology vendor won’t sign one. The CDP, rather than the ad or analytics vendor, receives the raw data and strips PHI before anything is forwarded, so the vendor that has no BAA never sees PHI.
Healthcare-specific CDPs, like Freshpaint's Healthcare Privacy Platform, are best because they will agree to sign a BAA and include features that automatically remove PHI before sending data to an end destination.
Using a Customer Data Platform (CDP) designed for healthcare lets you have the most control over your organization's data and enables you to embrace Privacy-First Marketing.
With privacy as a priority, every piece of your organization's data sits under one of two controls: either the recipient is covered by a Business Associate Agreement (BAA), or the data is governed so that no PHI reaches the recipient. Applying the right control in each situation keeps data privacy at the center of your marketing.
The situation in which you use each control comes down to how they operate with PHI. PHI on unauthenticated web pages is made up of two components:
Tools like call tracking, CRMs, EHRs, and others need PHI to function. They require both personal identifiers and health information to give users a full picture of their audiences. Removing one piece of PHI, as you can do with ads and analytics platforms, would leave these tools with only a partial picture.
Some tools, like ads and analytics platforms, won’t sign a BAA at all. But there’s a twist: many of these tools don’t need PHI to function.
Ads tools, for example, don’t need to know anything about the context of a converting visitor’s visit to a healthcare website; they only need to know that a conversion happened. Sending an advertising click ID back to the ad platform to optimize performance, without any of the context of the visit (the page viewed, the IP address, the search query), does not constitute PHI.
You can govern the data sent to tools in this category without signing a BAA with them.
For tools in these categories, you can often remove PHI without affecting their performance:
It is this second category of tools that you cannot get a BAA with, and HHS has said you can govern the data sent to them through a CDP that has signed a BAA.
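The governance step described above, stripping visit context so that an ad platform receives only the click ID and the fact of a conversion, is simple enough to show in code. The following is an added example written for this post; it is not Freshpaint's or Invoca's code, and the event shape, field names, and the sample event are constructed assumptions. It contrasts an allowlist (only fields the ad platform needs are forwarded) with a naive denylist (known context fields are removed), and shows why the denylist approach leaks when the tag adds a field nobody thought to block.

```python
"""Forward a conversion to an ad platform without the context of the visit.

Added example for this post (not Freshpaint's or Invoca's code). Field names,
the event shape, and the sample event below are assumptions.
"""
from __future__ import annotations

import copy
from typing import Any

# Constructed sample event: what a site tag might capture when a visitor who
# arrived from an ad books an appointment on an oncology page. Every field
# except the click ID and the conversion itself is context about the visit.
RAW_CONVERSION_EVENT: dict[str, Any] = {
    "event": "appointment_booked",
    "timestamp": "2024-04-02T15:04:05Z",
    "gclid": "CjwKCAjwexampleClickId",       # Google Ads click identifier
    "value": 1,
    "currency": "USD",
    "ip": "203.0.113.42",
    "user_agent": "Mozilla/5.0 (example)",
    "page_path": "/services/oncology/second-opinion",
    "page_title": "Oncology second opinions",
    "referrer": "https://www.google.com/",
    "query": "?condition=brain+tumor&gclid=CjwKCAjwexampleClickId",
    # A nested field added by a newer tag version: a denylist written before
    # it existed will not catch it.
    "context": {"page": {"url": "https://hospital.example/services/oncology/second-opinion"}},
}

# What an ad platform needs to attribute and optimize: the click ID ties the
# conversion back to the ad click; nothing here says what the visitor viewed.
AD_PLATFORM_ALLOWLIST = frozenset({"event", "timestamp", "gclid", "value", "currency"})

# "Known" context fields, shown only to contrast with the allowlist.
NAIVE_DENYLIST = frozenset({"ip", "user_agent", "page_path", "page_title", "referrer", "query"})

# Strings that, if present anywhere in an outbound payload, mean visit context
# (page, condition, IP, browser) has leaked. Constructed for the sample event.
CONTEXT_MARKERS = ("/services/", "oncology", "condition=", "203.0.113.42", "Mozilla")


def scrub_with_allowlist(event: dict[str, Any]) -> dict[str, Any] | None:
    """Keep only allowlisted fields. Returns None when there is no click ID:
    without one the ad platform cannot attribute the conversion, so there is
    nothing worth sending and the event is dropped rather than forwarded."""
    payload = {k: copy.deepcopy(v) for k, v in event.items() if k in AD_PLATFORM_ALLOWLIST}
    if not payload.get("gclid"):
        return None
    return payload


def scrub_with_denylist(event: dict[str, Any]) -> dict[str, Any]:
    """Remove only the fields someone remembered to list. Anything new or
    nested passes straight through."""
    return {k: copy.deepcopy(v) for k, v in event.items() if k not in NAIVE_DENYLIST}


def leaks_visit_context(payload: Any) -> bool:
    """Walk nested dicts/lists and report whether any context marker survived."""
    if isinstance(payload, dict):
        return any(leaks_visit_context(v) for v in payload.values())
    if isinstance(payload, (list, tuple)):
        return any(leaks_visit_context(v) for v in payload)
    text = str(payload)
    return any(marker in text for marker in CONTEXT_MARKERS)


if __name__ == "__main__":
    safe = scrub_with_allowlist(RAW_CONVERSION_EVENT)
    print("allowlist payload:", safe)
    print("allowlist leaks context?", leaks_visit_context(safe))
    risky = scrub_with_denylist(RAW_CONVERSION_EVENT)
    print("denylist leaks context?", leaks_visit_context(risky))
    print("event without click ID forwarded?", scrub_with_allowlist({"event": "appointment_booked"}))
```

The allowlist is the control that a CDP under a BAA would enforce server-side, before anything reaches a vendor that has no BAA. The denylist version removes the obvious fields but still forwards the nested page URL, which is exactly the health context that turns an IP address or click ID into PHI. Two caveats: the click ID is still an identifier, so the point is only that it is not PHI without the context, and the marker check here is a test aid for the sample event, not a general PHI detector.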
A call tracking tool like Invoca will always receive a HIPAA identifier: the phone number being tracked. Invoca is such a powerful tool for healthcare marketers because it stitches together the online journey someone took before successfully booking an appointment by phone. That journey inevitably carries context about the person’s health, and health context plus a phone number is PHI.
While most call tracking and conversation intelligence platforms are HIPAA compliant, some achieve that with caveats. Namely, they require that you turn off features like phrase spotting, call recording, and AI-powered speech analytics, which enable you to automatically analyze and classify calls.
Invoca’s conversation intelligence platform provides HIPAA, GDPR, and CCPA compliance without those compromises. Invoca can record and transcribe inbound calls in a secure and privacy-friendly way, including automatic redaction of sensitive caller information such as Social Security and credit card numbers, so marketers can uncover new sources of customer data and insight. With better visibility into these customer interactions, healthcare marketers can reduce media spend and deliver improved customer experiences.
For tools in this category, you need a BAA in place. Invoca requires all HIPAA-covered entities to execute a Business Associate Agreement (BAA), which establishes a legally binding relationship ensuring that Invoca’s collection of PHI is permissible and does not violate HIPAA. Invoca provides and signs BAAs with its healthcare customers. Call tracking data governance can be further assured by routing the resulting data through Freshpaint's Healthcare Privacy Platform before it reaches platforms like Google Ads or Google Analytics.
Navigating the complex landscape of healthcare marketing in compliance with HIPAA has been a challenge, but the latest guidance from HHS offers a clear way forward.
By leveraging healthcare-specific Customer Data Platforms (CDPs) and adhering to stringent data control practices, marketers can ensure privacy-first strategies that respect patient information while achieving their marketing goals.
Embracing these changes not only aligns with legal requirements but also builds trust with patients by prioritizing their privacy.
To learn more about HIPAA-compliant healthcare marketing, watch our on-demand webinar: How Healthcare Marketers Can Succeed in a HIPAA Compliant World.