Direct Response, Remarketing, and Programmatic Advertising: The HIPAA Pitfalls You Didn't Know
A quick note before you read: On June 20, 2024, a federal judge vacated a narrow part of the OCR web tracker guidance that an individual’s IP address combined with a visit to a public healthcare website triggered a HIPAA violation. However, the rest of OCR’s web tracking tech guidance remains intact. To keep track of the latest updates, head over to the Freshpaint healthcare privacy hub.
Digital advertising is one of the few marketing platforms where marketers can almost guarantee a positive ROI. If you’ve set up your ads correctly, are targeting the right audience, and have engaging creative, you’ll get more money back than you put in. You’ll get your company’s name out into the world, drive traffic to your website, get people to buy products, and more.
Sounds too good to be true, right? Well, it is true. That’s why marketers flock to ad platforms like Facebook and Google. Marketers spent a combined $338 billion on Facebook and Google in 2022.
Unfortunately, for healthcare marketers, it’s not quite that simple. Because of necessary data privacy laws, like HIPAA, healthcare marketers deal with a lot of complexity around how they can use digital ads. Many healthcare marketers are hesitant to use the most common types of digital advertising – direct response, programmatic, and remarketing – because of the tracking technologies that run these types of advertising.
But fear not, healthcare marketers, there are ways to avoid the HIPAA pitfalls of the most common types of digital advertising. It just takes an understanding of how each digital advertising tactic works.
How does direct response advertising work?
Direct Response Advertising is the type of digital ad that, as the name implies, prompts the viewer for a direct response. That means the marketer who set up that ad wants you to take an action right now. These are the ads that say, “Click here to learn more” or “Call now.” The goal is to get the viewer to take an action immediately before scrolling any further on the website they're visiting.
You most often see Direct Response Ads on Google search, Instagram, and other social media websites.
Healthcare marketers use these ads to drive new visitors to their websites, to get visitors to schedule appointments, to prompt them to learn about different services, and more. Each platform has different controls that allow marketers to choose the audiences they want to reach. Then, the platform goes and finds those audiences, puts the ad in front of them, and, if everything has been done correctly, drives the outcome the marketer is looking to achieve.
So far, no HIPAA violations, right? Here’s where it gets tricky…
Marketers need to understand the performance of their ads to report to their bosses and to optimize for the best performance. Ad platforms want to know which users took the correct action on the marketer's website so that the ad platform can serve that ad to similar users. That helps the marketer's ad have positive ROI.
All of that is done through a tracking tool called a cookie, a pixel, a snippet, or any number of other obscure words. Regardless of the word, those tracking tools are usually installed in the head of a website and monitor the actions of users who visit your website from one of the ad platforms.
With that tracking tool, the ad platform reports information back to the marketer so they can use it to optimize performance, and the ad platform also uses this information to improve ad targeting.
Those tracking tools typically receive all sorts of information, but from a HIPAA perspective, they often receive personal identifiers like:
- IP address
- Visitor location
- Device IDs
- Form fill information
They also receive health information based on the pages that the website visitor is viewing. Health information, combined with one of those personal identifiers, is Protected Health Information (PHI), which means if you’re using a tracking pixel, the ad platform is receiving PHI. And that, my friend, is a HIPAA violation.
Is programmatic advertising safer for HIPAA compliance?
Programmatic ads are digital display ads that appear on all sorts of websites, not just social media or search. If you’ve ever scrolled through a news website and have seen ads for your local health system, those were programmatic ads. They’re similar to billboards you see on the highway, but programmatic ads are made for the digital world.
Programmatic ads don’t have direct response expectations. Marketers who use them are simply looking to generate awareness of their products and services. Any direct response that happens from one of these ads is a bonus.
BUT, it’s the digital world, so marketers still need to measure programmatic ad performance. To do this, programmatic ad platforms have created pixels, cookies, and tracking tools similar to those mentioned in the direct response section above. The difference, however, is that programmatic ad platforms use something called a view-through conversion.
A view-through conversion means someone saw your ad somewhere on the internet, didn’t take immediate action, but then later visited your website and took an action, such as scheduling an appointment or buying something. The tracking tools that monitor view-through conversions can be risky for HIPAA compliance.
When someone views an ad where you’re using a view-through conversion, the ad platform sends a cookie to the ad viewer’s device and notes it with the tracking pixel.
If the ad viewer later visits your website and completes a conversion action (like scheduling an appointment), the tracking pixel logs that action and checks to see if there is a cookie on the visitor's device. If there is a cookie, the tracking pixel logs that, too. Then, it stitches everything together to tell the marketer a view-through conversion has taken place.
In HIPAA terms, those cookies are very clearly personal identifiers, along with the IP address and any other location information the ad platform uses for tracking. On top of that, health information from your website is also shared with the ad platform, based on the content of the page where the visitor converted. That all means you just shared PHI with the programmatic ad platform. And that, as I wrote above, is a HIPAA violation.
Remarketing is the riskiest, right?
Remarketing is sometimes called retargeting; the two terms are synonymous. The purpose of remarketing is to get someone who previously visited your website to return and take a conversion action. If you’ve ever visited an e-commerce company’s website but didn’t buy anything and then saw an ad for that company on Instagram, you’ve experienced remarketing.
A lot of healthcare marketers already phased this type of advertising out of their strategies before the December ‘22 guidance, but it’s still worth focusing on because it can be a really effective form of advertising (and healthcare marketers should find a safe way to return to remarketing...more on that later).
Remarketing works by tagging all website visitors with a pixel or a cookie. Ad platforms then create lists of people based on those tags. The lists will be based on the pages they visited on your website, the amount of time spent on your website, or other actions they may have taken on the website. When that visitor goes to another website (like a social media platform), the ad platform checks its remarketing lists and serves ads to that visitor.
These ads are usually highly targeted and based on the specific actions the visitor took on the website, which also makes them highly effective from an ROI standpoint.
You can probably see why this is risky from a HIPAA perspective, but we’ll still explain. To do remarketing, the ad platforms need to recognize individual website visitors. They do this through cookies and pixels, which are personal identifiers. On top of that, the ad platforms also need to know the pages the visitors viewed on your website (which could contain health information) and the actions they took (which could also contain health information) in order to serve the most relevant ad.
Those two things combined, the personal identifier and the health information, are PHI. And when you do remarketing, that PHI is shared with the ad platform. Which is, once again, a HIPAA violation.
Can you still use digital ads in a HIPAA-compliant world?
Good news: You don’t have to cut any of these types of advertising out of your marketing strategy to remain HIPAA-compliant. But you do have to start viewing marketing and advertising through a privacy-first lens.
That means fully understanding the tracking tech on your website and governing the flow of data to those tools. Once you’ve done that, you’ll actually unlock a whole new world of healthcare marketing and advertising – including personalization, A/B testing, and all the other things that healthcare marketers have previously avoided.
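As an added example (not Freshpaint’s code or any ad platform’s), here is a browser-side policy gate that applies the rule this post uses throughout: a personal identifier combined with health information is PHI, and a tracking payload that meets that definition should not leave the site ungoverned. The identifier field names and the health-page URL patterns are constructed assumptions for illustration.

```javascript
// Added example, not Freshpaint's code: a browser-side gate that checks a tracking
// payload against the post's rule (personal identifier + health information = PHI)
// before anything is forwarded to an ad platform. Field names and URL patterns are
// constructed assumptions; adapt them to your own site.
// Fields the post lists as personal identifiers (plus the ad platform's cookie id).
const IDENTIFIER_FIELDS = new Set(["ip", "location", "deviceId", "cookieId", "email", "phone"]);
// Constructed: URL sections whose mere visit reveals a condition or service sought.
const HEALTH_PATH_PATTERNS = [/^\/conditions\//, /^\/treatments\//, /^\/schedule\//];

function isHealthPage(path) {
  return HEALTH_PATH_PATTERNS.some((re) => re.test(path || ""));
}

function hasIdentifier(payload) {
  return [...IDENTIFIER_FIELDS].some((k) => payload[k] !== undefined && payload[k] !== "");
}

// Returns "PHI", "health-only", "identifier-only" or "neither".
function classifyPayload(payload) {
  const identifier = hasIdentifier(payload);
  // Form fills that state a reason for a visit are health information too.
  const health = isHealthPage(payload.page) || Boolean(payload.form && payload.form.reason);
  if (identifier && health) return "PHI";
  if (health) return "health-only";
  return identifier ? "identifier-only" : "neither";
}

// Drop identifiers and form contents; replace a health page path with a placeholder.
function sanitizeForAdPlatform(payload) {
  const out = {};
  for (const [k, v] of Object.entries(payload)) {
    if (!IDENTIFIER_FIELDS.has(k) && k !== "form") out[k] = v;
  }
  if (isHealthPage(out.page)) out.page = "/redacted";
  return out;
}

// Gate: returns the payload to send, or null when it must be withheld.
// Caveat: the requester's IP and the platform's own cookie travel with the HTTP request
// itself, not in this payload, so a browser-side gate alone cannot govern those.
function gateOutboundPixel(payload, mode = "block") {
  if (classifyPayload(payload) !== "PHI") return payload;
  return mode === "sanitize" ? sanitizeForAdPlatform(payload) : null;
}

// Constructed sample: a conversion event of the kind described in the post.
const sampleConversion = { event: "schedule_appointment", page: "/schedule/oncology",
  cookieId: "abc123", ip: "203.0.113.7", form: { reason: "follow-up" } };
console.log(classifyPayload(sampleConversion), gateOutboundPixel(sampleConversion, "sanitize"));
```

Because the visitor’s IP address and the platform’s cookie ride along with the request itself, a client-side check like this only governs the fields you explicitly send; governing the rest requires routing the request through infrastructure you control.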
Let’s get back to digital marketing excellence in healthcare. Contact Freshpaint to learn more.