Also known as the Kennedy–Kassebaum Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines and regulates individuals’ medical records and other individually identifiable health information, collectively known as patient healthcare information (PHI). HIPAA aims to protect patient privacy, safeguarding their entire medical history, information about medical services and treatments they may seek, and other related data. HIPAA also limits how this information is used and disclosed without a patient’s authorization.
In the Internet age, HIPAA has taken on a new level of importance, with digital products flooding the consumer healthcare and pharmaceutical industries. For digital marketers in the healthcare space, staying compliant is a constant challenge, requiring them to rigorously inspect all websites and marketing materials to ensure safe, appropriate handling of PHI.
Over the years, online bodies have developed a wealth of resources to help guide teams on juggling privacy, tracking, and analytics. As such, for healthcare digital marketers, the challenge of separating PHI from marketing behavioral data and other non-PHI patient data was manageable. Until now.
New tracking guidance as of November 2022
Last fall, the U.S. Department of Health and Human Services released new guidance on the use of online tracking technologies that overhauled the definition of digital analytics and products in relation to PHI. It’s fair to say that it surprised the industry with stark changes.
The new guidance is complex and should be read and acted upon with appropriate legal counsel. But in a nutshell, capturing an IP address with any interaction is now under the umbrella of personally identifiable information (PII), and casually viewing information on healthcare topics (even investigating potential physicians and specialists) is considered PHI. Together, these items are now legally considered HIPAA-protected information. In other words, they must be protected with the same level of security as a patient’s correspondence with doctors and other health professionals.
Critics were quick to point out particularities in the HIPAA changes. For one, according to the new guidance, an IP address now counts as identifying a unique individual. However, a single IP address can often represent hundreds of unique visitors. This definition also leaves no room for instances where an individual may be researching information online for someone other than themselves.
Nonetheless, the redefinitions are here to stay, and healthcare digital marketers must abide.
Rewriting the healthcare digital marketing playbook
Since healthcare marketers widely use its analytics tools, Google didn’t waste any time coming forward with its own declaration on HIPAA and Google Analytics (now Universal Analytics), stating:
“Customers must refrain from using Google Analytics in any way that may create obligations under HIPAA for Google. HIPAA-regulated entities using Google Analytics must refrain from exposing to Google any data that may be considered Protected Health Information (PHI).”
For those looking for a quick fix, IP masking in Universal Analytics was quickly deemed a dead end. Even with IP anonymization, Google is briefly given access to IP addresses and is therefore unwilling to sign a Business Associate Agreement (BAA) promising to secure PHI and assume liability in the event of a breach.
But it’s not just Google adding to marketers’ challenges. Following HIPAA’s updated guidance, many other tracking and analytics platforms have found themselves in the same boat. For healthcare digital marketers, these upheavals spell difficult times. In fact, many have simply shut down (or severely limited) their tracking activities as teams scramble to find a solution provider who can not only meet their digital operational needs but also be willing to take on part of the HIPAA protection risks and sign a BAA.
The search for new analytics solutions
Though Google may have seemed like a no-go for healthcare digital marketers, the tech giant now offers a potential solution with its SaaS-hosted sGTM application. Since it’s willing to sign a BAA, this is one solution that can remove identifying information before passing it on to Universal Analytics. It’s worth noting, however, that this solution does not store an audit of the changes, so it doesn’t check all the boxes for most marketers.
Outside of Google, there are other options for teams seeking a solution to remove IP addresses and reestablish analytics and personalization programs. In fact, HIPAA changes have presented new business opportunities for some companies who are willing to fill in the gaps Google is missing.
Since the 2022 announcement from HHS, many little-known “Data Clean Room” applications have come out of the woodwork. Not only can they remove IPs and store audit changes before passing them to Google, but they’re also willing to sign BAAs. Unfortunately, their prices for sanitizing behavior tracking may present a barrier to entry for some healthcare digital marketing teams.
CDPs rise to the top
Among the many “Data Clean Room” options and Google’s own SaaS-hosted sGTM application, a more promising offering is rising to the surface: Customer Data Platforms (CDPs).
CDPs provide the sanitizing behavioral tracking teams need to comply with HIPAA’s updated definitions of PHI: IP address removal, audit and storage of changes, transfer to Google, and BAA signature. But they also go a step further, offering teams the chance to take advantage of identity resolution, auto-segmentation, and personalization functions.
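As an added illustration of the sanitizing step described above (not code from the article or from any vendor it names), the function below strips IP-bearing fields from an analytics hit before it is forwarded and writes an audit entry that records which fields were removed without storing their values. The field names and the sample event are assumptions constructed for the example.

```python
import copy
import ipaddress
from datetime import datetime, timezone

# Hypothetical field names a server-side tag container might see on a hit.
# These are assumptions for the example, not any vendor's schema.
IP_FIELDS = ("ip", "client_ip", "x-forwarded-for", "x-real-ip")


def is_ip(value):
    """True if value parses as a single IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def sanitize_hit(hit, audit_log, now=None):
    """Return a copy of `hit` with IP-bearing fields removed and append one
    audit record naming the removed fields (names only, never the values)."""
    clean = copy.deepcopy(hit)
    removed = []
    for field in list(clean.keys()):
        value = clean[field]
        if field.lower() in IP_FIELDS:
            del clean[field]
            removed.append(field)
        elif isinstance(value, str) and is_ip(value):
            # Catch an IP smuggled into some other field (e.g. a custom dimension).
            del clean[field]
            removed.append(field)
    audit_log.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "event_id": clean.get("event_id"),
        "removed_fields": removed,
    })
    return clean


# Constructed sample hit, not real traffic (203.0.113.0/24 and 2001:db8::/32
# are documentation ranges).
SAMPLE_HIT = {
    "event_id": "evt-0001",
    "event_name": "page_view",
    "page_path": "/conditions/migraine",
    "client_ip": "203.0.113.7",
    "X-Forwarded-For": "203.0.113.7, 10.0.0.1",
    "user_agent": "Mozilla/5.0",
    "cd_device_ip": "2001:db8::1",
}


def demo():
    """Sanitize the sample hit; returns (clean_hit, audit_log)."""
    log = []
    return sanitize_hit(SAMPLE_HIT, log), log
```

The audit record deliberately keeps only field names and a timestamp, so the audit store itself never becomes a second copy of the IP data it documents removing.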
These extra features have long tempted the consumer healthcare industry in North America, whose organizations would like to expand their customer data practices beyond the mainstays of customer relationship management (CRM), electronic medical records (EMR) systems, and custom-built data lakes. But CDPs usually come with a hefty price tag, and most organizations haven’t been able to justify the added expense and staffing required to take this step in digital maturity.
At least, up until now.
In light of the new HIPAA guidance, CDPs have quickly become the top choice for healthcare digital marketers who need sanitizing behavioral tracking to achieve compliance. Although still relatively resource-intensive to implement, CDPs offer a whole-package solution to the industry’s quest for a BAA-signed platform that can reestablish analytics and personalization programs within a legally secure framework. The chance to capture other advantages, like unified user records and streamlined targeting and personalization, is an attractive bonus.
A necessary push for positive change
Initially an upset to the world of healthcare digital marketing, 2022’s HIPAA changes are quickly becoming a driver for positive change for both individuals and healthcare providers. As organizations overcome industry challenges and find new solutions to achieve compliance, patients can expect their digital healthcare interactions to become more efficient and secure. And that’s a win for everybody.
About John Berndt
John Berndt is the SVP of Valtech Health, a global agency focused on digital business transformation, with a special focus on consumer healthcare in North America. The practice, staffed by a global team of experts, is broad and includes consulting, technology platforms and integrations, strategy, user experience, analytics, operations, managed services, custom applications, and more.