In the ever-evolving world of digital marketing, healthcare faces unique challenges. The Health Insurance Portability and Accountability Act (HIPAA) now reaches into every corner of marketing, including analytics and campaign performance measurement. Adding to that burden in an era of heightened data protection are the sensitivity of location data and the complexities of email marketing.
These threats pose significant hurdles for healthcare marketing. In this article, we take a deep dive into each of them, explore their implications, and offer practical ways to navigate these choppy waters.
Imagine a world where every click, every scroll, every interaction on your website is scrutinized under the stringent lens of HIPAA. Welcome to the reality of healthcare marketing since December 2022. That month, the Office for Civil Rights (OCR) of the Department of Health and Human Services issued a bulletin on online tracking technologies. It made clear that HIPAA's protections reach website visitors who have no existing relationship with the provider (future patients, not just current and past ones), and that they apply to tracking technologies such as pixels and analytics scripts.
The bulletin treated the data these technologies collect and send to vendors as electronic protected health information (ePHI), a category that, under the guidance, includes datapoints like IP addresses, device and advertising IDs, and geographic location. What does this mean? Nearly anyone visiting your website could be a current, past, or future patient, so the data collected about them must be protected.
Fast forward to March 2024: the OCR updated the guidance and reiterated its stance on tracking technologies. It also eased the pressure on pages unrelated to an individual's healthcare, such as jobs/careers or visiting-hours pages, where a visit does not by itself indicate a patient relationship with the provider.
Under both releases, the OCR has said these technologies can still be used, as long as regulated entities comply with the HIPAA rules. But here's the trouble: tech giants like Google and Facebook (Meta) won't sign a Business Associate Agreement (BAA) for their advertising and analytics products. A BAA is the contract under which both parties commit to safeguarding the protected health information they handle and to keeping it away from unauthorized users. Without a signed BAA, any disclosure of protected health information to them is a no-go.
With warning letters, breach notifications, and enforcement actions, the OCR and the Federal Trade Commission (FTC) have shown they are serious. In July 2023 the two agencies jointly sent warning letters to about 130 hospitals and telehealth providers about tracking technologies found on their sites. In April 2024, Kaiser Permanente reported a breach involving tracking technologies on its websites and apps that affected 13.4 million individuals across multiple states. Action is coming at the state level too, with the New York State Attorney General pursuing NewYork-Presbyterian Hospital over trackers on its website.
The healthcare industry is in a conundrum. So, what's the solution? Four main options have emerged for measuring campaign performance:
- Run your own server-side tagging and analytics infrastructure so all data and analysis stay in-house.
- Invest in a HIPAA-compliant analytics platform that is willing to sign a BAA.
- Use customer data platforms (CDPs) or privacy-filter platforms (under BAAs) as "middlemen" that de-identify user data before it reaches analytics or ad platforms.
- Remove analytics from your site altogether and rely on the aggregate data the media platforms themselves report.
The key takeaway? If you don't have option A, B, or C in place, get those pixels off your site! No matter how often Google Ads, Facebook, or any other media platform urges you to track conversions or offers to "help you find similar audiences by uploading your customer list," sending them user data without a BAA in place is an impermissible disclosure.
In a post-Dobbs world (the Supreme Court decision that overturned Roe v. Wade), sensitive locations have taken on new importance. And it's not just about where you physically are, but also where you are on the internet.
"Browsing and location data are sensitive. Full stop," the FTC stated in a March 2024 post discussing the privacy cases it has been bringing. Even when stripped of traditional personally identifiable information (name, date of birth, and so on), web browsing data is still considered sensitive. That position underpins a series of FTC actions against companies including the antivirus vendor Avast, the location data brokers X-Mode and InMarket, and the mobile mental health app Cerebral.
For healthcare marketers and advertisers, the OCR's December 2022 bulletin made clear that HIPAA-protected identifiers include any unique identifying number, characteristic, or code, which covers the device and advertising IDs used in retargeting and geofencing campaigns.
For those who aren't familiar, geofencing is a hyper-targeted advertising strategy that uses GPS, Wi-Fi, or other location signals to draw a virtual perimeter around a place and deliver ads to users whose devices cross into it. It has been highly effective for reaching new audiences based on where they go.
To that end, states are writing their own geofencing rules, even for advertising unrelated to a user's healthcare. In July 2023, New York State passed a law that prohibits establishing a geofence or similar virtual boundary within 1,850 feet (about 0.35 miles) of a healthcare facility to deliver digital advertisements to people at that location, unless the advertiser is the healthcare facility itself.
This law, while intended to protect patients, has far-reaching implications for recruitment marketing, continuing medical education promotions, business-to-business sales, and more. Connecticut, Nevada, and Washington have similar laws, and it's only a matter of time before more states follow suit.
The FTC has said it is even considering privacy rules that would restrict online behavioral advertising as a form of "commercial surveillance" (the subject of its August 2022 advance notice of proposed rulemaking). For advertisers, this raises real concerns about reaching new audiences efficiently and effectively.
Email, a cornerstone of most marketing plans, may seem a surprising entry on our list of threats. Given the recent changes in HIPAA enforcement and data-privacy expectations, it is important to make sure your email program is up to date. We have identified four questions for reviewing your internal processes and practices.
Are you CAN-SPAM compliant?
The FTC enforces the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM). The basics of the rule are:
- The content cannot mislead the recipient. Every email must identify the sender accurately in the From name and the body copy, and carry a clear, non-deceptive subject line.
- It must provide a working unsubscribe mechanism. The Act requires an obvious way for recipients to opt out of ALL of the sender's commercial email, and opt-outs must be honored within 10 business days.
- It must include a valid physical postal address in the body of the email. Yes, even in this digital age, an address (a PO box is acceptable) is a requirement.
Fortunately, most email service providers (ESPs) have built-in safeguards against the most common mistakes, but it doesn't hurt to double-check that settings configured years ago are still accurate. Both the agency and the sender are responsible for compliance, so protect yourself by making sure your agency or partners have the appropriate contracts in place (including BAAs wherever PHI is involved) and by reviewing every test send for compliance in order to avoid fines.
Is your ESP and/or Customer Relationship Management (CRM) HIPAA-compliant with a BAA in place?
Your first-party email list contains identifiers such as names and email addresses that, when held by a covered entity and tied to a patient relationship, are HIPAA-protected ePHI, and the platform also records which content each recipient opens and clicks. Ensuring compliance in this area is therefore crucial.
For instance, Mailchimp, a popular ESP, does not offer HIPAA compliance at the time of writing. Constant Contact does, but only at certain subscription levels. Similarly, Campaign Monitor and ActiveCampaign can be used compliantly, provided you make the effort to get a signed BAA. Vendor terms change, so confirm the current position and keep a copy of the signed BAA on file.
Do you follow best practices such as having double opt-ins and segmented lists?
These two practices strike a balance between effective marketing and user privacy.
Double opt-in, a method of obtaining explicit and unambiguous consent, has grown in popularity since the introduction of the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA). The user confirms their sign-up by clicking a link or entering a code sent to the address they supplied, which is now considered the standard setup for email sign-ups. Beyond consent, it proves that the person who entered the address actually controls it, which keeps mistyped and maliciously entered addresses off your list, reduces spam complaints, and improves your chances of landing in the inbox.
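The confirmation step above only proves anything if the link cannot be forged. Here is an added example (not code from the original article or any ESP) of a double opt-in token: the email address and list names are signed with an HMAC and given an expiry, and the address is added to a list only when the signed token comes back intact. The server key, addresses, list names, timestamps and the `example-health.org` link are all constructed for illustration. The `confirm_unsigned` function shows the pattern to avoid, a link that trusts an `email=` parameter in its own URL.

```python
"""Double opt-in with a signed, expiring confirmation token (added example).
An address is written to a list only when the token emailed to it comes back
intact. Keys, addresses and timestamps are constructed for illustration."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# In production the key comes from a secret store and is rotated; here it is generated per run.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links should not live forever


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, lists: list, now=None, key: bytes = SERVER_KEY) -> str:
    """Build the token placed in the confirmation link: base64(payload).base64(hmac)."""
    payload = json.dumps(
        {"e": email.strip().lower(), "l": sorted(lists),
         "exp": int((now or time.time()) + TOKEN_TTL_SECONDS)},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def confirm_token(token: str, now=None, key: bytes = SERVER_KEY):
    """Return (email, lists) if the token is authentic and unexpired, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    # Verify before parsing: only a correctly signed payload is ever JSON-decoded.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    if data["exp"] < (now or time.time()):
        return None
    return data["e"], data["l"]


def confirm_unsigned(query: dict):
    """The pattern to avoid: /confirm?email=...&lists=... trusts its own parameters,
    so anyone can subscribe anyone; nothing proves the address owner clicked."""
    return query.get("email"), query.get("lists", "").split(",")


def subscribe(store: dict, token: str, now=None) -> bool:
    """Apply a confirmed token to an in-memory list store. Returns True on success."""
    result = confirm_token(token, now)
    if result is None:
        return False
    email, lists = result
    for name in lists:
        store.setdefault(name, set()).add(email)
    return True


if __name__ == "__main__":
    token = issue_token("Pat@Example.org", ["newsletter"])
    print("link: https://example-health.org/confirm?t=" + token)  # placeholder domain
    store: dict = {}
    print("confirmed:", subscribe(store, token), store)
```

The token is stateless, so the same link can be clicked twice until it expires; that only re-confirms the same address, which is harmless here. If your flow also needs to be single-use (for example, when the same token grants preference changes), record consumed tokens server-side as well.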
Another common practice is segmented lists, which let users subscribe to several "newsletters" or topics based on their interests. There are many ways to slice this: by service line, stage of life, or geographic region, or by format such as a general monthly update or a recipe of the week from your dietitians and nutritionists. The options for engagement are endless. This approach allows semi-personalized email in a compliant manner and keeps users in your network even if they opt out of one list that no longer suits them. Remember, though, that an easy way to opt out of ALL messages is a CAN-SPAM requirement, so include it on your subscription management page.
Are you making it out of their spam filters in Google and Yahoo?
In February 2024, Google and Yahoo began enforcing new sender requirements, with the strictest applying to bulk senders (5,000 or more messages a day to Gmail addresses): SPF, DKIM, and DMARC authentication for the sending domain, with the visible From domain aligned to the SPF or DKIM domain; valid forward and reverse DNS (PTR) records for sending IP addresses; TLS for message transmission; message formatting per the Internet Message Format standard (RFC 5322); one-click unsubscribe for marketing mail; and spam complaint rates kept below 0.10% as reported in Google Postmaster Tools, never reaching 0.30%.
Beyond the authentication setup, keeping complaint rates low is the key to staying visible in users' inboxes. Maintain your list regularly: run bounce reports, and remove catch-all and no-reply addresses, duplicates, and obviously misspelled domains.
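Before a send, it is worth checking the authentication records yourself rather than trusting the ESP's green checkmark. The following is an added example (not code from the original article or from Google or Yahoo) that parses SPF, DKIM and DMARC TXT records, flags the common mistakes (two SPF records, `+all`, a revoked DKIM key, `p=none`, no `rua=`), and checks DMARC identifier alignment between the header From domain and the SPF or DKIM domain. The DNS answers are constructed samples embedded in the code, not live lookups; the domain names, selector and IP address are placeholders, and `org_domain` approximates the organizational domain with the last two labels instead of the Public Suffix List that real evaluators use.

```python
"""Check SPF, DKIM and DMARC records against the Feb 2024 Google/Yahoo bulk-sender
baseline (added example). Zone data below is constructed, not fetched from DNS."""
import re

# Constructed sample: TXT answers for a well-configured sending domain.
GOOD_ZONE = {
    "example-health.org": [
        "v=spf1 include:_spf.example-esp.net ip4:203.0.113.10 -all",
        "google-site-verification=placeholder",
    ],
    "_dmarc.example-health.org": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@example-health.org; adkim=r; aspf=r",
    ],
    "esp2024._domainkey.example-health.org": [
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder",
    ],
}

# Constructed sample: the same domain with typical mistakes.
BAD_ZONE = {
    "example-health.org": [
        "v=spf1 include:_spf.example-esp.net +all",  # +all lets any host send as you
        "v=spf1 ip4:203.0.113.10 -all",              # second record => permerror
    ],
    "_dmarc.example-health.org": ["v=DMARC1; p=none"],                  # no rua=
    "esp2024._domainkey.example-health.org": ["v=DKIM1; k=rsa; p="],    # revoked key
}


def _tags(record: str) -> dict:
    """Split a 'k=v; k=v' tag list (DMARC, DKIM) into a dict with lowercase keys."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def org_domain(name: str) -> str:
    """Organizational domain approximated as the last two labels (PSL simplification)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC alignment: 's' needs an exact match, 'r' (the default) the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def check_spf(records: list) -> list:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("FAIL", "SPF: no v=spf1 record")]
    findings = []
    if len(spf) > 1:
        findings.append(("FAIL", "SPF: multiple v=spf1 records; receivers return permerror"))
    terms = spf[0].split()[1:]
    last = terms[-1] if terms else ""
    if not re.fullmatch(r"[-~?+]?all", last):
        findings.append(("WARN", "SPF: no terminating 'all' mechanism"))
    elif last in ("+all", "all"):
        findings.append(("FAIL", "SPF: '+all' authorizes any host to send as you"))
    lookups = sum(1 for t in terms if re.match(r"[-~?+]?(include|a|mx|ptr|exists)\b|redirect=", t))
    if lookups > 10:
        findings.append(("FAIL", "SPF: more than 10 DNS-lookup terms; receivers return permerror"))
    return findings


def check_dmarc(records: list) -> list:
    recs = [r for r in records if r.upper().startswith("V=DMARC1")]
    if len(recs) != 1:
        return [("FAIL", f"DMARC: expected one v=DMARC1 record, found {len(recs)}")]
    t = _tags(recs[0])
    findings = []
    if t.get("p") not in ("none", "quarantine", "reject"):
        findings.append(("FAIL", "DMARC: missing or invalid p= policy"))
    elif t["p"] == "none":
        findings.append(("WARN", "DMARC: p=none meets the bulk-sender minimum but enforces nothing"))
    if "rua" not in t:
        findings.append(("WARN", "DMARC: no rua= address, so you get no aggregate reports"))
    return findings


def check_dkim(records: list) -> list:
    recs = [r for r in records if r.upper().startswith("V=DKIM1")]
    if not recs:
        return [("FAIL", "DKIM: no v=DKIM1 record at the selector")]
    if not _tags(recs[0]).get("p"):
        return [("FAIL", "DKIM: empty p= means the key is revoked")]
    return []


def audit(zone: dict, domain: str, selector: str, mail_from_domain: str, dkim_d: str) -> dict:
    """Audit a message whose header From is @domain, whose SMTP envelope sender is
    @mail_from_domain and whose DKIM signature carries d=dkim_d."""
    findings = check_spf(zone.get(domain, []))
    dmarc_recs = zone.get(f"_dmarc.{domain}", [])
    findings += check_dmarc(dmarc_recs)
    findings += check_dkim(zone.get(f"{selector}._domainkey.{domain}", []))
    tags = _tags(dmarc_recs[0]) if dmarc_recs else {}
    spf_ok = aligned(domain, mail_from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(domain, dkim_d, tags.get("adkim", "r"))
    if not (spf_ok or dkim_ok):
        findings.append(("FAIL", "Alignment: neither SPF nor DKIM domain aligns with header From"))
    return {"ok": all(level != "FAIL" for level, _ in findings), "findings": findings}


if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        # ESP bounces from its own domain, so alignment must come from DKIM d=.
        dkim_d = "example-health.org" if name == "good" else "example-esp.net"
        print(name, audit(zone, "example-health.org", "esp2024", "bounces.example-esp.net", dkim_d))
```

The good zone shows the usual ESP arrangement: the envelope sender is the ESP's bounce domain, so SPF passes but does not align, and DMARC passes only because the ESP signs with a DKIM key published under your own domain. That is why the DKIM selector record has to live in your zone, not the ESP's.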
The world of marketing is evolving, especially for healthcare, and we must adapt to it. Don’t let these threats hinder your progress. Equip yourself with the right tools and strategies to navigate the ever-changing digital landscape. We at Martin Communications are here to guide you every step of the way.
For more detailed guidance on how to elevate your strategies, enhance your image, or expand your reach, we’re just a click or a call away. Connect with us at martincommunicationsinc.com/work-with-us/ or dial 717.712.0980.