Posted on 
July 25, 2023

Balancing Digital Promotion and Privacy for Healthcare: Freshpaint's Webinar Q&A Followup

A quick note before you read: On June 20, 2024, a federal judge vacated a narrow part of the OCR web tracker guidance that an individual’s IP address combined with a visit to a public healthcare website triggered a HIPAA violation. However, the rest of OCR’s web tracking tech guidance remains intact. To keep track of the latest updates, head over to the Freshpaint healthcare privacy hub.

Our webinar, Balancing Digital Promotion and Privacy for Healthcare, with healthcare legal experts from Faegre Drinker and Accelerated Digital Media (ADM) covered A LOT of information surrounding HIPAA and digital marketing. But, we weren't able to get to all the questions during our 1-hour session, and we didn't want to leave anyone waiting for a response.

So, if you asked a question on our webinar and it wasn't answered, or you're just curious to learn more about HIPAA compliance and digital marketing, read on to get all the answers.

Table of Contents

What do you think is the future of healthcare advertising as digital channels become more and more expensive and restricted from a data standpoint?

ADM: We don’t think that data will be the blocker in continuing to use digital channels effectively. Faegre Drinker pointed out that HHS left an opening for healthcare marketers to balance promotion with privacy, and innovators like Freshpaint have already stepped in to help. These changes (and those to come) mean marketers must form strong partnerships with their legal and compliance colleagues and find full-service technology solutions that help them manage data flow across their entire marketing stack.

About those channels becoming more expensive - that’s a more complex question. Yes, the per-click or per-lead cost has increased as more money is spent on a finite number of consumers in digital advertising. But those are still the primary channels for us to reach healthcare consumers. It’s less a question of rising prices by itself and more a question of unit economics. As long as your customer acquisition cost (CAC) to Lifetime Value (LTV) ratio gets a thumbs up from the CFO, we see digital advertising as a powerful lever. And there are ways that you can influence your cost per lead and CAC. Focusing on understanding your consumers and using that to influence ad copy and creative as well as post-click experience can have outsized impacts on things like conversion rates. We have a long way to go before we walk away from digital advertising.

One of the main areas of concern revolves around web tracking on pages that are dedicated to specific health conditions. How specific does a website need to be before it exposes PHI?

Faegre Drinker: This is one of those areas that OCR needs to refine. It’s not entirely clear right now. In our interpretation, simply viewing a website does not constitute PHI. But, taking a more specific action on that website, such as signing up or scheduling an appointment, could constitute PHI.

If you’re operating a website, or working for a company, that focuses on one specific area of health, we would recommend you run a risk-based assessment. From a practical perspective, the risk is pretty low, but it’s not zero. So the question is, “Is the risk to your company greater from not acquiring new customers, or from a HIPAA violation?”

Can you go into specifics on what is considered a covered entity vs. a non-covered entity? For instance, would GoodRx (coupon site) be a non-covered entity if you separate it from the telehealth offerings?

Faegre Drinker: Really, it comes down to this: if you are a healthcare provider, health plan, or healthcare clearinghouse AND you’re transmitting any health information in connection with the transaction for which HHS has adopted standards, you are a covered entity. 

So practically that means if you bill health insurance companies for the services you provide or if you are a health insurance company yourself, then you are considered a covered entity.

Remember, HIPAA stands for Health Insurance Portability and Accountability. So it was really set up for transactions with health insurance companies.

In the GoodRx scenario from the question, if the company is only providing coupons, and not performing any services that relate to billing insurance companies, then it is not a covered entity under HIPAA.

 But, it’s important to note, even if you’re a non-covered entity under HIPAA, you still must protect consumer privacy as stated by the FTC. 

Introducing Freshpaint's Healhcare Privacy Platform

What’s your perspective on URLs as identifiers?

Freshpaint: Page URLs typically fall into the bucket of what’s considered health information and not identifiers. There is one exception where a page URL would be considered an identifier. To improve the experience, some marketers will include a “deep link” in an email, text message, or mobile push notification. This deep link can have a unique identifier linked to a specific user so that when clicked on, it will take them directly to their account or a particular page customized for them. 

Where do you envision companies like Google/Facebook going in the future with these regulations? If companies pull their funding, will they take action?

ADM: Google and Facebook earn more than $250B a year in digital advertising thanks to highly targeted ad platforms that rely heavily on consumer data to remain effective. We don't see any of these advertisers rushing to signal to the market that they would be willing to restrict the collection of that data in the future because it could put their advertising models and revenue at risk. And even though healthcare spends heavily on digital advertising, it's still only 2.5% of all digital advertising spend. So even if healthcare spends less on digital advertising, Google and Facebook will still have massive revenue outcomes from the rest of the market.

Is a "booked appointment with a doctor" considered PHI? If so, does that mean you can't track this as a conversion event in Google/Meta?

ADM: Booking a doctor's appointment by itself is considered health information, not PHI, by HHS. For it to be considered PHI, it must be associated with one of the eighteen HIPAA identifiers, like the patient's name, email, or IP address.

From an analytics perspective, you can still track this conversion in a tool like Google Analytics if you don't send any identifiers. 

When it comes to advertising platforms like Google Ads or Facebook Ads, you have to be careful not to share health information in the conversion event name. That's because ad platforms will also have the ad click ID, which often contains identifiers about the person who clicked on the ad. Sharing that identifier AND health information ("booked appointment with a doctor" would be considered health information) constitutes PHI.

So what do you do?

The good news is that ad platforms don't need to know the actual name of the conversion. Facebook has a bunch of standard conversion events like "lead" that you can use. Tools like Freshpaint can transform the event name "booked appointment with doctor" from your website into "lead," so a platform like Facebook gets no health information. 

Of course, you could do this manually by just creating random names for conversions like "conv1xb" and keeping a sheet of paper on your desk that tells you what that conversion is!

Is there any circumstance in which placing a pixel is allowed for healthcare companies?

Faegre Drinker: Pixels are allowed on pages where there is no risk of PHI being exposed. If there is a risk of PHI being exposed, then your next step is to make sure that you have a BAA in place with all destinations that might receive PHI.

In a situation where PHI is exposed and the destination will not sign a BAA, which we see often in the ad ecosystem, you have to find a different path forward through different technology, or just removing the pixel altogether.

What is your take on GA4 on an unauthenticated webpage? You can access health information services from that page, but it's not granular information.

Freshpaint: A lot about what these tracking technologies capture and what they do with it is a bit of a black box. While limiting the pages that GA4 runs on could work, we think it’s safer to remove the native tracking technologies entirely and replace them with a collection tool that is HIPAA compliant and has a layer that allows you to govern the data that ultimately flows to GA4.

Some people are saying GA4 collects IP addresses, so you need a tool like Freshpaint (or to replace the tool). Others are saying GA4 collects IP addresses but doesn't log or store them, so it's fine. What’s your take?

Freshpaint: GA4 does claim to not store IP addresses but nothing in the HHS guidance talks about storage. The issue they call out is about sharing PHI in the first place. If you’re using GA4 with the native tracking technology, you’re still sharing IP addresses with Google. We also know that Google uses IP addresses to determine granular location information about visitors to your healthcare website. HHS also refers to narrow zip codes as personal identifiers, so even if they don’t store the IP address, they are likely storing other identifiers.

How do you advise your clients on the possible paths for HIPAA compliance when using analytics tools like GA, Meta, Hotjar, etc.?

Freshpaint: For tools that won’t sign a BAA and don’t need PHI to work effectively, we recommend removing the native tracking technologies and using a tool like Freshpaint that signs a BAA and then can safely govern the data that is ultimately shared with those tools. 

For tools like Hotjar and Salesforce that cannot function without receiving PHI, we recommend signing a BAA with those tools or looking for alternatives that will sign one. Freshpaint can still help get data to those tools, but you’ll need BAAs to keep you safe.

Any recommendations for keeping compliant with HIPAA and international data laws?

Faegre Drinker: Different laws require different things. So if you’re compliant with GDPR, that doesn’t automatically make you compliant with HIPAA and vice versa. 

We typically recommend starting with the most stringent data privacy laws, complying with those, and then evaluating the other laws you need to comply with to fill in the missing pieces from your compliance package. 

How should providers think about the requirements of different data privacy regulations, especially state-level laws?

Faegre Drinker: This goes back to the previous question where we said, “different laws require different things.” HIPAA doesn’t supersede Washington state’s My Health, My Data Act. So if consent management is a requirement of that law, and you need to comply with it, then you should plan for a way to manage consent from website visitors.

Is this preliminary guidance? Also, do we think the upcoming election (and who's elected) will play a role in finalizing this rule?

Faegre Drinker: This isn't preliminary guidance. This is the guidance. There could be clarifications on the guidance but we don’t think it’s imminent. 

As far as upcoming elections are concerned, privacy is a very bipartisan issue. We saw modifications to HIPAA under the Trump administration, and the Biden administration carried those through. So don’t count on upcoming elections changing this guidance.

What if I am logged into Google with my Gmail account, does Google collect that information when someone visits a website?

Freshpaint: Google will collect and store a user's entire search history but if you are not running the native Google tracking technology website it will have no way of collecting information about what they do on your healthcare website.

What is the legal take on the storing of data versus sharing of data? Is storing the data itself a PHI conflict within Google Analytics, or is the data share the "only" issue?

Faegre Drinker: HIPAA defines a business associate as a person or entity who's receiving, creating, transmitting, or maintaining PHI. 

So with Google Analytics, even if it’s just receiving, and not storing, PHI, there is risk.

Does ad content play into preserving privacy under HIPAA?

Faegre Drinker: Keep in mind here, Facebook and Google are non-covered entities. So anything that originates on their platforms is not part of PHI. So an ad click ID is not part of PHI. 

What matters is what a covered entity shares back to Facebook and Google. So it’s fine to share the ad click ID, but if a covered entity enriches it with an IP address, the buttons people clicked on your website, and the pages they viewed, then it is PHI.

How does Freshpaint differ from Segment or Customer.io?

Freshpaint: Customer.io is a tool marketers use to engage their visitors and customers through email. It doesn’t offer any way to collect and manage data flow to advertising and analytics tools. 

Segment is a generic customer data platform that does help you collect data from your site but doesn’t offer the specialized privacy tools Freshpaint has built for healthcare. For example, Segment has no prebuilt way to allow you to report the complete customer journey in Google Analytics. You’d only be able to see individual sessions. Additionally, when using Segment to connect to Google Analytics server-side, you lose a lot of the functionality you need for reporting, like source data, new vs return visitors, and time-on-page.

With Freshpaint, if you don’t send identifying information to Google Analytics, does that mean we won’t get data like geographic location and mobile/desktop devices from GA?

Freshpaint: The only data that you won’t be able to access in Google Analytics when using Freshpaint is granular geolocation data. Freshpaint provides visitor locations as small as by state. This is because HIPAA considers narrow zip codes (in some cases, small cities) as a personal identifier. We block Google from receiving that level of reporting to keep you safe.

Faegre Drinker: The HHS guidance left the door open to find an acceptable middle ground between removing all tracking and ignoring all privacy laws. But working through these issues is different at every company. Often the best approach is having a third party in the room to facilitate the conversation and to help each side recognize that finding an acceptable middle ground is crucial. 

If you're perfectly compliant with the legal system and you have no risk whatsoever, but your business goes under because you're not advertising, that’s not an acceptable middle ground. On the flip side, if you're advertising like crazy and bringing in all of this business, but you're constantly getting sued or fined because of privacy violations, that's not an acceptable middle ground. 

Sometimes a third party can help each side see the other’s perspective. 

What's next?

HHS recently revised the guidelines on PHI for regulated entities, especially those using tracking technology from Google, Facebook. If you fall into that category, you'll want to download our eBook, The Ultimate Guide to PHI and Tracking Technology.

Mark Rogers
Director of Content Marketing
view All Posts
Featured Posts
HIPAA COMPLIANCE
Direct Response, Remarketing, and Programmatic Advertising: The HIPAA Pitfalls You Didn't Know
HIPAA COMPLIANCE
IP Addresses and HIPAA Compliance: Unpacking the Risks for Healthcare Websites
USE CASES
Don't Remove It! Make Google Analytics HIPAA Compliant Instead
HIPAA COMPLIANCE
Staying HIPAA-Compliant: How to Detect Web Tracking Risks on Your Website
HIPAA COMPLIANCE
A Privacy-First Framework for HIPAA Compliance: Managing Third-Party Tracking on Healthcare Websites
HIPAA COMPLIANCE
Cut the Jargon: A Look at the FTC-HHS Privacy Warning and What It Means For Your Healthcare Org
USE CASES
How To Make Facebook Ads HIPAA Compliant and Still Get Conversion Tracking
USE CASES
What HHS Has to Say About Tracking Technologies in Latest HIPAA Guidance
GROWTH & STARTUPS
Two Chairs Journey to a HIPAA Compliant Growth Stack
Stay Connected
Tweet this post: 
© 2024 Perfalytics, Inc.
Crafted in San Francisco