Introducing Freshpaint’s Healthcare Privacy Platform: Unlocking HIPAA-Compliant Performance Marketing
Today, we’re launching the Freshpaint Healthcare Privacy Platform. It’s the only technology in the industry that’s designed to help healthcare marketers balance performance marketing and HIPAA compliance.
Balancing privacy and performance is hard
Privacy and performance marketing don’t always go hand-in-hand. Performance marketing relies on data feedback loops – data from user actions needs to be sent to analytics tools and ad platforms for further analysis. That feedback loop gives marketers the ability to optimize their performance to get the best ROI on their marketing efforts.
The problem, however, is that web trackers powering those feedback loops often default to collecting sensitive data, like protected health information, which can often lead to HIPAA violations and other consumer data privacy concerns. And that’s only the surface-level problem with those feedback loops. If we zoom in further, we see four specific problems that healthcare organizations run into when trying to balance performance and compliance.
Problem 1: Protected health information (PHI) is inadvertently shared with non-compliant marketing tools
PHI is often inadvertently shared with the tools healthcare marketers rely on, but marketers often don’t know this is happening because the tracking tools don’t disclose what data they collect from website visitors. It’s not easy to figure out what data each tracking tool is collecting without a deep technical understanding of how web trackers function.
Whether or not marketers know what data the tracking tools are collecting, the collection is still happening, which means it’s a HIPAA violation.
This is the exact situation that led to the class action lawsuits against WakeMed, Advocate Aurora, and other large healthcare providers. Those lawsuits were a result of those organizations unknowingly sharing PHI with Facebook through the Meta Pixel.
And it’s not just Facebook’s web trackers that are the problem. There are dozens, possibly even hundreds, of other commonly used web trackers that collect PHI without marketers realizing it.
Problem 2: Marketers have no control over which data third-party tools extract
Even if a marketer is aware of the data a web tracking tool collects, they rarely have any ability to turn on or off aspects of the data collection.
Take Google Analytics as one example. It’s used by over 4 million organizations across all industries, including plenty of healthcare providers. It is, without a doubt, the most-used analytics tool.
But, Google Analytics collects PHI through user location data and information about the pages users visit. Marketers have no control over that. If they want to use Google Analytics, they can’t pick and choose which data Google Analytics collects. It just collects everything.
As healthcare marketers wake up to these risks, they’ve been looking for ways to control the data that Google Analytics collects, but it’s just not possible without spending hundreds of hours on engineering-intensive solutions. Most healthcare organizations don’t have the time or budget for that type of project.
Problem 3: Marketers have no transparency into the data that is passed to third-party tools
When marketers are trying to figure out if the web trackers they use are risky for HIPAA compliance, they often look at two things:
- The user dashboard of the tool to see what data exists there
- The tool’s documentation to find explanations of what data is collected
The problem is that neither place provides a clear explanation of what data is collected by the web tracker. User dashboards rarely show the full picture of what data is collected, and documentation is often confusing or simply neglects to explain what data the web tracker collects.
Google Analytics is, again, an offender here. In their documentation, Google claims they don’t log or store IP addresses in Google Analytics 4. At first glance, it seems like GA4 is safe for HIPAA compliance. But their phrasing raises a lot of questions:
- If Google is not logging or storing IP addresses, is Google still collecting them?
- Why doesn’t Google mention that they’re not collecting IP addresses either?
- Does that mean they are collecting IP addresses?
- If they are collecting IP addresses, are they extracting data and discarding it?
- If they’re extracting and discarding that data, is it still a HIPAA violation?
Google won’t answer those questions because they benefit from this ambiguity. Being vague about what data Google’s products collect allows them greater flexibility and less accountability.
It’s not just Google either. Very few web trackers explain exactly what they collect and what they do with that data.
This lack of transparency isn’t a problem for Google, Facebook, or other common web trackers because they’re not covered by HIPAA. However, it is a problem for healthcare providers that use those tools because they are covered entities.
Problem 4: Web trackers are added to websites without due diligence or HIPAA expertise
If we ignore the consumer privacy concerns, web trackers can be extremely useful tools. As a result, marketing agencies, in-house marketers, IT teams, and others often add web trackers to websites without much thought about how those tools function.
A common scenario is when healthcare organizations hire a web development agency to build a brand-new website. The web development agency might implement a web tracker to understand user behavior on the new website they just built. The agency may mention the web tracker in passing, or they might just use it in the background without mentioning it because it’s a standard operating procedure for them. Regardless, the web tracker is on the healthcare organization’s new website collecting data.
Time passes, the agency’s project is done, employees leave the healthcare organization, and everyone forgets about that web tracker. But it’s still sitting there, collecting data, just waiting for someone to realize the data it's collecting could lead to a HIPAA violation.
Internal teams and employees are just as likely to be responsible for adding new trackers without due diligence. Lack of visibility into who is changing what on a website is a common problem for companies in all industries, including healthcare organizations.
Freshpaint’s Healthcare Privacy Platform puts the balance back in your favor
Those problems are not unique to healthcare organizations. Any company that’s worried about data privacy (and really, that should be all of us) runs into those issues. But few industries have data regulations as tight as HIPAA.
That’s why we developed the Healthcare Privacy Platform. Healthcare organizations need the power to solve these four problems. By solving privacy problems for healthcare providers, Freshpaint allows your organization to unlock the same great marketing tools and tactics that other industries use, while still maintaining HIPAA compliance.
Here's how we're solving those problems:
Solution 1: Freshpaint’s industry-best integrations
Freshpaint’s Healthcare Privacy Platform has integrations with the most-used ads, analytics, and engagement tools.
With industry-leading integrations, healthcare marketers can choose which data is shared with platforms like Facebook, Google, and popular call-tracking and demand-side platforms (DSPs). Each integration is purpose-built to support each specific use case out of the box. Take, for example, analytics: Freshpaint’s Google Analytics integration supports de-identification by default. This functionality ensures that PHI doesn't end up in unauthorized tools.
These integrations allow healthcare marketers to use their preferred, well-loved marketing tools without the threat of HIPAA violations.
Solution 2: Freshpaint’s Allow List
Freshpaint’s Allow List functionality allows healthcare marketers to control the flow of data through a visual interface. Marketers have the ability to choose which events they send to a given destination without requiring engineers to manually filter each event.
Since marketers in healthcare rarely have engineering teams at the ready, Freshpaint’s Allow List is an absolute game changer.
This approach of showing every event and then giving marketers the ability to opt in or out flips the script from how data is traditionally shared with end destinations. Traditional data routing tools, like Customer Data Platforms, take an “always on” approach to data sharing – meaning that ALL data is shared with end destinations.
Our Healthcare Privacy Platform takes the reverse approach by going “always off” until marketers choose to share a piece of data through their Allow List dashboards. This prevents data from inadvertently being shared with end destinations to help ensure HIPAA compliance.
Solution 3: Freshpaint’s Event Verification
Earlier in this article, we talked about how web tracking tools aren’t transparent about what data they’re collecting. Freshpaint’s Event Verification gives healthcare organizations the power to see exactly what information is being sent to third-party tracking tools.
Event Verification shows a before/after of the data Freshpaint collects and sends. Users see exactly what information Freshpaint collects, exactly what is sent to the end destination, and in what format it is sent.
For example, if Freshpaint, which is a BAA-protected platform, receives the IP address of your website visitors, but you don’t want to share that information with Google Analytics, you can use Event Verification to see definitive proof that Google Analytics has not received an IP address.
Event Verification can also prove that sensitive data, like Device ID, is cryptographically hashed before it is sent to an end destination. This gives healthcare organizations peace of mind, and proof, that PHI is not shared with any unauthorized end destinations.
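To make the “always off” routing and the before/after record concrete, here is a small sketch added for illustration; it is not Freshpaint’s code or API. The policy layout, the forward function, the sample event and the use of a keyed HMAC for the Device ID are all assumptions of this example (the article only says the value is cryptographically hashed).

```python
import hashlib
import hmac

# Hypothetical per-destination policy: anything not listed is never forwarded.
ALLOW_LIST = {
    "analytics": {
        "events": {"page_view", "appointment_cta_click"},
        "properties": {"page_category", "device_id"},
        "hash": {"device_id"},
    },
}

# Constructed sample event, as a collector might receive it from a browser.
SAMPLE_EVENT = {
    "name": "page_view",
    "properties": {
        "ip": "203.0.113.7",
        "url": "https://clinic.example/oncology/schedule",
        "page_category": "scheduling",
        "device_id": "device-1234",
    },
}


def forward(event, destination, key):
    """Return (payload, audit); payload is None when nothing may be sent."""
    policy = ALLOW_LIST.get(destination)
    audit = {
        "destination": destination,
        "received": sorted(event["properties"]),
        "sent": [],
        "dropped": [],
    }
    # Default deny: unknown destination or unlisted event forwards nothing.
    if policy is None or event["name"] not in policy["events"]:
        audit["dropped"] = list(audit["received"])
        return None, audit
    props = {}
    for name in audit["received"]:
        if name not in policy["properties"]:
            audit["dropped"].append(name)
            continue
        value = event["properties"][name]
        if name in policy["hash"]:
            # Keyed hash (assumption): an unkeyed SHA-256 of an identifier can
            # be matched by any party that already holds the raw value.
            value = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
        props[name] = value
        audit["sent"].append(name)
    return {"name": event["name"], "properties": props}, audit
```

The audit record is what a reviewer would compare against the destination’s own view: the received list shows what was collected, and sent and dropped show what left the boundary and what did not.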
Solution 4: Freshpaint’s Web Tracker Monitoring
Freshpaint's Web Tracker Monitoring gives marketers visibility into third-party web trackers that may be running on their websites without their knowledge. With this information at their fingertips, companies can swiftly identify and address any potential privacy risks, ensuring consumer data remains protected at all times.
It doesn’t matter if an agency or employee installed the web tracker, or even when it was installed. With Web Tracker Monitoring, we catch it, flag it, and give healthcare organizations the knowledge to do something about it.
Ready to unlock high-performance healthcare marketing?
Unlocking high-performance healthcare marketing requires a privacy-first approach. Being a privacy-first healthcare marketer is all about understanding the technology you use for marketing and having the ability to do something about it.
Freshpaint’s Healthcare Privacy Platform gives healthcare organizations the transparency they need to understand their tools and the governance abilities they need to prevent PHI from being shared with those tools.
Ready to see it in action? Request a demo here.