Why Shutting Down Advertising Tracking Technologies is Impacting Your Marketing Team
A quick note before you read: On June 20, 2024, a federal judge vacated a narrow part of the OCR web tracker guidance: the position that an individual’s IP address combined with a visit to a public healthcare website triggered a HIPAA violation. However, the rest of OCR’s web tracking tech guidance remains intact. To keep track of the latest updates, head over to the Freshpaint healthcare privacy hub.
When legal and compliance teams learn about the new HIPAA guidelines on tracking technologies, their direct message to their marketing teams is:
Turn this off. Now.
This is understandable. If you're using native Google or Facebook tracking, you will likely share HIPAA-protected data with non-compliant vendors. But what's also understandable is the frustration from the marketing team when they realize they have to remove them. That's because these technologies are vital to the success of their acquisition strategy. Suddenly switching off native trackers throws everything they are working on into chaos.
But the legal teams are right–as it stands, these native tracking technologies have gone from asset to liability. Marketers can't just walk away from these platforms, though. They need the data to find the right audience, generate leads at stable costs, and help grow their healthcare organization.
We will cover why your marketing teams rely on these platforms, how they are helping your company grow, and how legal and marketing can find the right balance between privacy and promotion.
Why your marketing team relies on digital advertising channels to reach modern consumers
In marketing, you want to meet people where they are. In the modern world, that means the internet. 46% of product searches begin on Google. 72% of internet users in the US are actively engaged on Facebook. This is the main reason marketing teams want to use these channels–their ability to reach most of the consumer market.
In a market such as the US, people are always online–for work, entertainment, or random searching and scrolling. These channels are the first place most people will seek out healthcare information and services. By advertising on digital channels, marketers can reach patients and users where they are already spending their time.
- With Google Search Ads, a marketing team can reach a vast audience that is actively searching for specific keywords related to healthcare services.
- Facebook Ads provides targeting options based on user interests, demographics, or behavior related to healthcare issues (such as searching for a support group or even being in an at-risk demographic).
These channels are an effective lever for marketing teams tasked with driving the adoption of healthcare services. Your marketing team wants to:
- Increase brand awareness, introduce your services to potential patients, and differentiate from competitors.
- Capture leads in the form of scheduled appointments and new member sign-ups.
- Ensure the cost for those leads is stable and aligns with the value of the services those consumers ultimately pay for.
How digital advertising channels use data to improve performance
Google and Facebook are powerful lead-generation tools. Both companies earn more than $100B annually thanks to precisely targeted advertising that produces high-quality leads at a highly predictable cost per lead.
Both advertising platforms ultimately help marketers generate more revenue because of the measurement and experimentation loops built in. When your marketing team releases an ad on Facebook or Google, they aren't just taking a shot in the dark–they are working within an experimentation loop that automatically works to continue improving those ads' targeting.
Traditional media doesn't have the data feedback loops available to digital marketing. Digital advertising allows powerful machine learning models to continue optimizing so the right ad finds the right audience. Unlike traditional media, digital ad channels provide analytics, so your marketing team can measure key metrics like impressions, clicks, conversions, and return on ad spend (ROAS), providing insight into what's working and what's not.
Your marketing team sets up conversion tracking on the ads they put up on Google and Facebook. This means the platforms will track when a user performs a specific action, such as scheduling an appointment or becoming a member. By setting up this conversion tracking, marketers can measure the effectiveness of their ads and understand which ones are driving valuable customer actions.
But conversion tracking does much more than just measuring success. It helps drive that success. That's because both Google and Facebook use machine learning algorithms to analyze past conversion data and predict future conversion possibilities. These predictions inform automated bidding strategies, such as Google's Target CPA (Cost Per Acquisition) or Facebook's Conversion Optimization delivery option. These strategies automatically adjust bids in real time to prioritize showing your ads to people who are more likely to convert.
The final piece of the puzzle is who gets to see the ads. Facebook and Google can target new users who share characteristics with their existing converters. The platforms use machine learning to find patterns in the behaviors and characteristics of your converting users and then target new users who exhibit similar behaviors and characteristics.
Digital advertising platforms leverage conversion data to improve campaign performance, enhance audience targeting, and achieve better ad spend ROI.
How HIPAA guidance negatively impacts advertising performance
What we've described so far is how almost every marketing team leverages digital advertising channels. To use those ad platforms effectively, you will use data and information about your users to better target ads to others who have the same behaviors online or fit in the same demographic.
But doing this using native tracking technologies is no longer an option for marketers in healthcare. As legal and compliance professionals, this line from the OCR guidance probably made you wince:
This means that the platforms will track what a user does in response to an ad (e.g., click on it), and track them onto your website to see if they perform a conversion event, such as scheduling an appointment.
The HIPAA guidelines on tracking technologies make it clear you cannot do this. The record of a particular user making an appointment will be considered protected health information (PHI). Google and Facebook track what someone does on your website along with several unique identifiers associated with that person, such as their IP address. This combination of the IP address as an identifier and health information like an appointment being scheduled is consistently tripping up healthcare marketers.
This is the problem when it comes to using the native tracking tools of Google and Facebook (and other platforms). Without necessarily knowing it, you are always sharing users' personally identifiable information with these platforms. They are not HIPAA compliant when coupled with health information because you can associate health information with a single individual.
Failure to comply with HIPAA regulations can result in significant penalties, including hefty fines and potential reputational damage. Each of these has already happened to numerous healthcare organizations over the past two years as federal regulators have started clamping down on HIPAA breaches.
Healthcare systems, ad platforms, and healthcare apps have all been sued or fined in the past two years.
How to restore the data feedback loop and also protect patient privacy
But there is a ray of hope for marketing and legal teams looking to strike a balance between privacy and promotion. Even though the native tracking technologies that power digital advertising tools like to capture as much information about your website visitors as possible, they don't need all of it to perform.
Native tracking technologies, by default, capture information like the names of web pages visited, the text on button clicks, and identifiers like IP addresses. But none of that information is required to run effective advertising on those platforms.
A better option for conversion tracking is to severely limit the data being shared with advertising platforms like Google and Facebook. Say your marketing team's goal is to capture leads in the form of visitors scheduling an appointment. Google and Facebook only need the Ad Click ID (issued by the native ad platform when the user clicks the ad) and the fact that a conversion happened. That conversion needs to be generically named (like "lead") so that it doesn't contain any health information.
By limiting the data set sent to Facebook/Google servers, you can avoid sharing PHI.
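The minimal payload described above, sketched as a default-deny filter. This is an added example, not Freshpaint's code or either ad platform's API; the event names, field names, and output shape are assumptions, and gclid and fbclid are the click-ID URL parameters Google and Facebook append on ad clicks.

```javascript
// Added example: default-deny filter between the site and an ad platform.
// Event names, raw field names and the output shape are assumptions.

// Only events listed here are forwarded, and only under a generic name.
const ALLOWLIST = {
  "Appointment Scheduled": "lead",
  "Membership Signup": "lead",
};

// Click-ID query parameters the ad platforms append to the landing URL.
const CLICK_ID_PARAMS = ["gclid", "fbclid"];

function extractClickId(landingUrl) {
  let params;
  try {
    params = new URL(landingUrl).searchParams;
  } catch {
    return null; // malformed or missing URL: treat as no click ID
  }
  for (const name of CLICK_ID_PARAMS) {
    const value = params.get(name);
    if (value) return { type: name, value };
  }
  return null;
}

// Returns the minimal payload, or null when nothing should be sent.
function toAdPlatformEvent(raw, allowlist = ALLOWLIST) {
  // Object.hasOwn avoids matching inherited keys such as "constructor".
  if (!Object.hasOwn(allowlist, raw.name)) return null; // event not opted in
  const clickId = extractClickId(raw.landingUrl);
  if (!clickId) return null; // visit did not come from an ad click
  // Build a fresh object: no field of `raw` is copied unless named here.
  return { event: allowlist[raw.name], clickIdType: clickId.type, clickId: clickId.value };
}

// Constructed sample of what a native tracker would capture by default.
const rawEvent = {
  name: "Appointment Scheduled",
  ip: "203.0.113.7",
  pageUrl: "https://clinic.example/oncology/book",
  buttonText: "Book oncology consult",
  landingUrl: "https://clinic.example/?gclid=EXAMPLE-CLICK-ID",
};
console.log(toAdPlatformEvent(rawEvent));
```

The IP address, page URL, button text, and original event name never reach the outbound object because the filter constructs its output from named fields instead of deleting fields from the input.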
This is how Freshpaint can help healthcare marketing and legal teams run effective advertising campaigns while protecting patient privacy. Freshpaint replaces all native advertising tracking technologies and sits between your website and Facebook and Google Ads. Freshpaint helps keep consumer data safe by:
- BAA For Full Protection. Freshpaint signs a BAA and is purpose-built to collect, store, and manage sensitive data across your tech stack (Facebook & Google do not sign BAAs for their ad platforms).
- Safe by Default. Freshpaint's default state is never to send ANY data to non-compliant tools. This prevents things like IP addresses and health information from accidentally being shared. Healthcare marketing and legal teams must opt-in to send any data.
- Forced Allowlists. You choose the data and events you want to continue to send through an easy-to-use user interface, eliminating the risk of accidentally sending PHI. By doing this through a UI vs. in the codebase, legal and compliance teams always have complete visibility into what data is being shared with which tool.
By using these practices, healthcare organizations can use digital advertising channels effectively while maintaining strict compliance with HIPAA regulations. It's a delicate balance, but with careful planning and execution, organizations can reach their target audiences, drive conversions, and avoid issues with the regulators.