How Healthcare Marketers Can Succeed in a HIPAA-Compliant World

min read
How Healthcare Marketers Can Succeed in a HIPAA-Compliant World

In December 2022, healthcare marketers were rocked by new guidance released by The Department of Health and Human Services (HHS). The message was clear: common analytics and tracking technologies could improperly reveal protected health information to tech vendors, and that’s a clear violation of HIPAA regulations. This left many marketers without the tools they’d relied on, like Google Analytics, practically overnight.

This sudden change left everyone scrambling. Without clear direction from HHS on what to do next, healthcare marketers found themselves navagating a new landscape. Costs for acquiring customers and leads went up because they couldn't see what was working and what wasn't. Some looked for alternatives and found them in healthcare-specific customer data platforms (CDPs), which could fit into their marketing plans while keeping things compliant with HIPAA. Others invested in building homegrown solutions from scratch.

Fortunately, we’re seeing the light at the end of the tunnel now. In early 2024, HHS updated its guidance to clear up much of the confusion. The good news for healthcare marketers is that there is now a clear path to stay compliant and build high-performing marketing programs. 

We recently sat down with the healthcare marketing professionals at Freshpaint, the leading HIPAA-compliant CDP provider for healthcare marketers, and the director of digital marketing and consumer engagement at Nemours Children’s Health to discuss how healthcare marketers can succeed in this new regulatory environment. Here’s what they had to say.

Check out our webinar, How Healthcare Marketers Can Succeed in a HIPAA Compliant World, to hear their full conversation.

The 5-Step Plan for High-Performing and Compliant Healthcare Marketing

To figure out how healthcare marketers can continue to grow patient acquisition and revenue in a tougher regulatory environment, we laid out this six-step strategy that takes you from diagnosing your current tech stack, understanding the impact of losing access to the tools you need, why you need first-party data, and how to get buy-in for new technologies and processes across your organization. Here’s Invoca’s Director of Healthcare Account Management Lyndey Brock with more on what that looks like. 

Healthcare Compliance Terms You Need to Know

Before we dig into the strategy, you need to be familiar with a lot of alphabet soup and industry-specific terminology. Even if you’re steeped in healthcare marketing and compliance, there have been several changes to how HHS and HIPAA define these terms in the last few months. Here are the definitions:

PHI: Protected Health Information that includes any of the 18 identifiers defined by HIPAA. These identifiers include: 

  • Name
  • Address - all geographic subdivisions smaller than the state, including street address, city county, and zip code
  • All elements (except years) of dates related to an individual including birthdate, admission date, discharge date, date of death, and exact age if over 89
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security Number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate or license number
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URL
  • IP Address
  • Finger or voice print
  • Photographic image - Photographic images are not limited to the face.
  • Any other characteristic that could uniquely identify the individual

PII: Personally Identifiable Information that is defined as data used in research is not considered PHI and is therefore not subject to the HIPAA rules. However, since it’s almost impossible to separate which website users are researching and which are actual patients, it’s safest to treat it all as PHI that is subject to HIPAA.

HIPAA: Health Insurance Portability and Accountability Act. A 1996 federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. 

BAA: Business Associate Agreement. An agreement that outlines the permissible and impermissible uses of Protected Health Information (PHI), each party’s liabilities, consequences of failing to comply with stated requirements, and more.

HHS Memo: 2022 Reminder Bulletin issued by HHS outlining the use of online tracking as it relates to HIPAA. In response, many marketers were forced to take the drastic measure of removing conversion tags and turning off automated solutions like Google Smart Bidding.

To dig a little deeper, Ray Mina, VP of Marketing at Freshpaint will break it down for you in this video. 

Step 1: Ensuring Compliance Across Your Healthcare Marketing Tech Stack 

To ensure that you’re using patient data in a compliant manner, you have to first understand what data is being shared with these platforms. Secondly, and most importantly, you must have a BAA in place with any vendor that you may send PHI that falls under the 18 HIPAA identifiers. The problem that healthcare providers are encountering is that some of the biggest tech vendors like Google and Facebook will not sign a BAA. That means you can’t send any of this data to these platforms without running afoul of the current guidelines and regulations and you can’t even use any of their tags on your website without a BAA. 

It makes sense — companies like Google and Facebook have a vested interest in gathering as much data on users as possible, not reducing how much of it they can access. But not all is lost. 

There are ways that you can continue to utilize valuable first-party patient data in a compliant and privacy-friendly way. This is an important step and you have to get it right. There are not only regulatory implications to violating the rules, there are already healthcare and health insurance providers embroiled in class-action lawsuits stemming from these compliance issues and it’s costing them tens of millions of dollars to defend against them.

Here is David Chase, Director of Digital Marketing and Consumer Engagement at Nemours Children’s Health, and Ray Mina from Freshpaint with the details you need to create a compliant tech stack.

Step 2: Understanding the Value of Missing Marketing Data

In the past, many healthcare marketers were focused on increasing the volume of leads they drove from their campaigns and websites. The more calls they drove and the more form fills they got, the better. The problem is that they relied too heavily on digital conversions from form fills and some even removed phone numbers from their landing pages because that would cause them to lose track of conversion data. 

Others relied on counting the number of calls a web page or campaign drove, but without insights into the lead quality and outcomes of those calls, they had to lean into driving higher volumes. Unfortunately, that often does not equate to acquiring more patients and new appointments. 

Here are Lyndey and David with more insights into how this missing data impacts business outcomes.

Step 3: Moving from 3rd-Party Data to First-Party Data

With Google fully deprecating third-party cookies in Chrome this year, it is forcing every marketer’s hand to move to first-party data instead. While there are some technical challenges to doing this, using first-party data will ultimately provide a performance advantage. First-party data tends to be more accurate since it is sourced directly from your audience and your patients. It gives you more control over the data that you use, and significantly reduces the privacy implications of passing around potentially sensitive data from third-party sources. 

Here are Lyndey, David, and Ray with some of the advantages of moving to a first-party data-based strategy. 

Step 4: Building Relationships With Internal Teams

The best way to get your new healthcare marketing strategy off the ground is to make friends with the good folks in your legal and compliance departments. It’s better to have them involved from the beginning instead of dropping a fully assembled program on them only to have it picked apart. Both you and your legal and compliance teams will be much happier for it, and you can rest assured that you won’t get dinged down the line from some small piece that doesn’t meet today’s standards. 

Here’s David and Ray again with how to navigate creating an alliance with legal and compliance teams. 

Step 5: Overcoming Internal Roadblocks

So you’re trying to onboard a new technology vendor. You had legal and compliance behind you during the vetting process, but you’re still getting resistance from the higher-ups or other stakeholders. The best way forward is to clearly demonstrate the business and the financial impact of bringing this new partner on board, demonstrate the ROI and the negative impacts of sticking with the status quo.

Compliant Healthcare Marketing Success Stories

The moment you’ve all been waiting for — what kind of results can healthcare marketers achieve in a HIPAA-compliant world? Pretty impressive ones, I’d say! In the next video, you’ll see how Nemours Children's Health was able to achieve a 45% increase in marketing-driven leads and how Vybe Urgent Care used Freshpaint’s Healthcare Privacy Platform to unlock high-performing marketing while still maintaining patient privacy and remaining compliant. 

Want to learn more about how to navigate today’s healthcare privacy landscape? Watch the full webinar, How Healthcare Marketers Can Succeed in a HIPAA Compliant World.

To learn more about Invoca for Healthcare, click here to schedule a consultation with one of our experts

Subscribe to the Invoca Blog

Get the latest on AI and conversation intelligence delivered to your inbox.

Get expert tips on marketing, call tracking, and conversation intelligence AI delivered straight to your inbox every two weeks. Join thousands of marketing and contact center professionals and subscribe today!

Invoca Webinar: 6 Killer Strategies To Transform Your Social Ad Campaigns
Calling all digital marketers!
Join us on September 24 for an exclusive webinar to discover how AI-driven first-party data can transform your social ad campaigns into a revenue-generating machine.
Register Now!
white arrow
Close