Amsive

PUBLISHED: Jan 5, 2024 10 min read

Keeping Your Healthcare MarTech Stack HIPAA Compliant in 2024

Tom DiDomenico

Senior Vice President, Digital Strategy & Technology

As technology and digital marketing continue to evolve at a rapid pace, so too must the guidelines that protect user privacy. Perhaps no industry needs to protect this right to privacy more than healthcare. While GDPR and CCPA may be old news, the more recent HHS guidelines around what type of ad tracking constitutes a HIPAA compliance violation are more likely to be causing some sleepless nights at the moment.

These guidelines have introduced new challenges that require some effort on our part as marketers, but Amsive is here to help navigate these challenges while also providing the additional benefits that come along with a proper solution to make it an advantage as opposed to a burden. Here’s how to tackle it.

How “Old School” Tracking Works

As sophisticated as it is, traditional tracking from ad platforms and analytics platforms like Google Analytics has worked the same way for a while now. You probably hear the term “pixels” pretty often, but what is a pixel really? The short answer is that it’s usually a small snippet of JavaScript code placed on your website that can serve many purposes. In this case, it’s usually used to capture information and pass it to the platforms to achieve a few things:

#1. Identification of User Characteristics

Identify or classify a website visitor through a number of determining factors in order to confirm where a user came from, whether they are a new user, etc.

#2. Track User Activity on the Website

Track various conversions, behaviors, or events a user takes, such as clicking a link, viewing certain content, filling out a form, or placing an order. This data is used to track results but also to optimize campaigns in real-time by identifying the common traits (from number 1 above) in those who complete one of these desired actions and subsequently serve ads with a bias towards people who match these profiles.

#3. Capture Different User Values

Capture certain values such as the dollar amount of an order placed by a customer, an email address typed by a user, or other data that is displayed on the screen during a user’s session on a website.

This type of tracking is referred to as client-side tracking because the information collected is sent from the user’s device (AKA the client) to third-party platforms such as Facebook or Google.

If you’re wondering, it’s called a pixel because many tracking scripts load a 1×1 pixel transparent (essentially invisible) image on your website, and the server tracks when that image loads. For example, if that image is loaded on your order confirmation page, the server knows that an order (or conversion) has taken place.  

Challenges with Traditional Client-Side Tracking

It’s clear the method of pixel-based tracking has been around for so long because of its effectiveness, although that too has been a challenge as companies like Apple have introduced privacy-focused measures to reduce how and what can be tracked on their platforms such as iOS. Since the data is captured by the third-party script and sent directly to the third-party server, this method of tracking poses a number of challenges, especially under the new HIPAA guidelines:

Transparency

You are responsible for the data collected, but it is typically difficult or impossible to see everything that is ingested by these platforms. This is where the sleepless nights may come into play. Read through the privacy policies for your ad platforms and you’ll likely find language about attempting to identify and omit sensitive data; however, you are unlikely to find an indemnification or guarantee of any sort.

Control

There are features that enable you to deliberately collect more data about a user than the default, but there are few that enable you to collect less. Even if you attempt to reduce what’s collected, once the script is loaded on the site, you lose a lot of control.

Ownership

Users are visiting your website through ads you paid for, and the ad platforms are collecting the data. Data is more valuable than oil, and that’s only going to increase with the rise of AI, so first-party data will continue to be hugely important for effective marketing experiences. Shouldn’t you have the rights to the data that you paid to collect?

HIPAA

There is a massive difference between general privacy and HIPAA compliance (especially when it comes to the consequences of a violation). At a 30,000-foot level, digital ad tracking can lead to a HIPAA violation when the ad tracking technology captures information that is protected health information (PHI) regulated by HIPAA, which is then improperly used, shared with, or disclosed in a non-compliant manner (for example, via ad platforms like Facebook or Google). New guidance from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) – the regulator responsible for enforcing HIPAA – has complicated matters by broadly interpreting the circumstances in which tracking data will be considered PHI.

Under OCR’s new guidelines, the tracking data generated by a user reading a condition-specific article on a public-facing website is generally considered PHI. This includes identifiers like the user’s IP address. Since Meta, Google, and many similar vendors have not signed business associate agreements (BAAs) in connection with their ad platforms, the transfer of tracking identifiers to such vendors, or the use of the identifiers by those vendors, may be non-compliant.   

HIPAA Compliant Solutions for Healthcare Advertising  

While a knee-jerk reaction to this by your compliance team may be to remove all forms of tracking from your website, you can hardly call this a fix. It will render most of your marketing efforts ineffective (no real-time optimization), impossible (say goodbye to retargeting altogether), and unmeasurable since you’ll have no attribution or performance reporting to reference.    

Similarly, you can choose to work only with platforms that will sign a BAA. On the ad platform side this is essentially non-existent; however, there are a few Google Analytics alternatives for analytics platforms that are HIPAA compliant. Nonetheless, this would be a partial solution at best.

It may sound counterintuitive, but healthcare companies don’t need to stop collecting all this beneficial data to ensure their ad tracking is HIPAA compliant – they just need to restrict what they share with others. Intercepting the data by collecting it in a first-party location that is HIPAA compliant, and then sharing only the pieces of that data that are not considered PHI with those third-party platforms, will allow you to have transparency, control, and ownership of the data collected.

One option to achieve this is to switch from client-side tracking to server-side tracking. In this type of setup, the data is sent to a first-party “container” that you set up, manage, and own on a HIPAA-compliant server. From there, an application can be created to manipulate the data and send only what is deemed acceptable to the various platforms, which are then connected to that container through APIs. Effective? Yes. Complicated? Well, there’s definitely a lot of overhead and some custom coding involved.

What Does this Mean for Marketers?

So, what’s the best option in our opinion? Our preferred approach to achieving compliance in a way that also makes it easy to audit and manage is to implement a Customer Data Platform (CDP). CDPs were actually not originally designed for this particular challenge; however, as a nice added benefit, they are highly effective at solving it. The reason for this is that the CDP acts as a middleman to pass data through, and it is also a HIPAA-compliant location to store it in (BAA included).

While similar in architecture to the custom server-side tracking approach mentioned above, CDPs are typically SaaS-based (software as a service), which makes them much more turnkey and low-risk since you’re not managing servers where data is stored. What CDPs were designed for is to allow companies to accumulate first-party user data and be able to act on that data by mapping patient journeys, personalizing experiences, triggering communications, leveraging AI and predictive analytics, etc.

Choosing the right CDP will allow you to collect data from multiple sources (websites, apps, portals, CRMs, ESPs) and transmit it to multiple destinations (analytics platforms, ad platforms, CRMs, EMRs). A full view of interactions from those sources will be available at a glance in the CDP’s user interface. For example, you might see that a given user clicked an email you sent, visited the website, and then checked in for an appointment at a physical location.

Step two is to connect the CDP to the various destinations. Typically, a good CDP will already have prebuilt apps to connect most major ad platforms and analytics tools, which eliminates the need for a custom integration. In addition to connecting to the platforms, the CDP will allow you to see all the data that has been collected and, more importantly, decide what data you want to share with each platform. This is where we use the CDP to create rules to ensure data governance. PHI or PII can be removed or hashed before sharing with any third-party platforms that are not HIPAA compliant.

Auditing access to data is a main component of HIPAA compliance. A CDP will also serve as a way to review what data was shared and with whom.
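The per-destination sharing rules and audit trail described above, and the first-party container from the server-side tracking option, can be sketched as a default-deny filter. This is an added example, not Amsive's or any CDP vendor's code; the destination names, field names, rules and hashing key are all hypothetical.

```python
import hashlib
import hmac

# Hypothetical first-party secret: keyed hashing keeps the token stable for
# first-party joins without exposing a plain SHA-256 of the e-mail address.
HASH_KEY = b"constructed-demo-key"

# Hypothetical per-destination rules. Any field not listed is dropped.
RULES = {
    "ad_platform": {"event": "pass", "campaign_id": "pass", "email": "hash"},
    "baa_analytics": {"event": "pass", "campaign_id": "pass",
                      "page_path": "pass", "email": "hash"},
}


def keyed_hash(value):
    """HMAC-SHA256 of a trimmed, lower-cased value, hex encoded."""
    norm = value.strip().lower().encode("utf-8")
    return hmac.new(HASH_KEY, norm, hashlib.sha256).hexdigest()


def filter_event(event, destination):
    """Return (payload to forward, audit record) for one destination."""
    rules = RULES.get(destination, {})  # unknown destination: share nothing
    payload, dropped = {}, []
    for field, value in event.items():
        action = rules.get(field, "drop")  # default-deny for unlisted fields
        if action == "pass":
            payload[field] = value
        elif action == "hash":
            payload[field] = keyed_hash(str(value))
        else:
            dropped.append(field)
    audit = {"destination": destination,
             "shared": sorted(payload), "dropped": sorted(dropped)}
    return payload, audit


# Constructed sample event, as a first-party collector might receive it.
SAMPLE_EVENT = {
    "event": "form_submit",
    "campaign_id": "spring-checkups",
    "page_path": "/conditions/diabetes/treatment",
    "ip": "203.0.113.7",
    "email": " Pat@Example.com ",
}

if __name__ == "__main__":
    for dest in RULES:
        print(filter_event(SAMPLE_EVENT, dest))
```

Because the rules are an allowlist, a new field added to the site's tracking later is withheld from every destination until someone explicitly permits it, and the audit record shows what each destination received.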

Other Noteworthy Points

  • Process is important. Proper CDP implementation and documentation are critical to maintaining compliance over time. For example, governing who at your organization has permission to add new destinations is important to ensure that a violation doesn’t occur in the future.
  • Not all CDPs are created equal. The feature set, the integrity of the infrastructure, and UX are all things to consider. We have vetted the top-tier CDPs and partnered with one that rose above the rest to ensure the best implementation experience for our clients.
  • Centralized tracking will improve performance. Traditional tracking requires adding a separate pixel for every ad platform you want to connect to. When a user visits your site, every single one of those scripts is going to load, inevitably slowing down the website considerably. In the case of a CDP, only one tag for the CDP needs to be added to the website and all the other connections happen “behind the scenes” and with no impact to the user or the website. This is not the same as a platform like Google Tag Manager, which centralizes the management of the pixels but injects them all into the website and still requires them to be loaded individually.
  • We’re marketers, not attorneys. Every case is different, and we are not providing legal advice here. Instead, we work hand-in-hand with our clients’ legal counsel and compliance departments to identify their unique requirements and architect solutions to achieve them.

Take the Next Step

Maintaining appropriate privacy measures should be an important initiative for every healthcare company in 2024, not only because it’s required and violations carry hefty fines, but because it’s the right thing to do. Providing exceptional digital experiences and relevant advertising to potential patients or customers doesn’t need to be achieved by sacrificing the right to browse sensitive health-related topics anonymously on the internet. By properly implementing CDPs for our client partners, we are assisting them in effectively solving privacy concerns while adding to their marketing abilities instead of restricting them.

If you’re one of the many healthcare marketers trying to navigate these ad tracking restrictions and need some clarity, feel free to reach out and set up a time to speak with our experts.
