
Our Take: AHA’s Response to Senate RFI on Health Data Privacy

Welcome back! Jenny is here today to discuss the impact of OCR’s December 2022 Bulletin on healthcare marketing. She starts with how the bulletin categorized IP addresses as PHI, causing panic among many marketers, and explains why she disagrees with the American Hospital Association’s call to withdraw the guidance entirely. She advocates for patient privacy and supports OCR’s guidance, welcoming the opportunity for healthcare to lead by example for other industries in safeguarding personal information. She emphasizes that technology companies must understand and protect patient data, highlights affordable and effective solutions for doing so, and calls for a standardized approach to protecting patient privacy, even if it means reallocating some marketing budget.


Jenny: Hi friends. Welcome to today’s special episode of We Are Marketing Happy, A Healthcare Marketing Podcast. I am Jenny Bristow. I am the CEO and founder of Hedy & Hopp, a full-service, fully healthcare marketing agency. And we have been really leading the way as far as publicly discussing OCR’s December 2022 bulletin, the huge impact it has had on the way marketers and healthcare can really do their jobs.

We have also really been leaning in as far as all of the movement with FTC for healthcare-adjacent organizations, as well as a lot of state laws. We have episodes specifically dedicated to each of those topics, which we’ll link to in the show notes. But, you know, there aren’t really many moments in healthcare where we really have the tea, right?

Like let’s share the tea and talk about some gossip and some super controversial things, right? Like we’re healthcare marketers. It usually doesn’t happen. Well, my team has really been digging into a lot of the publicly shared responses to OCR’s bulletin. They actually put out an RFI. You know, we want to hear from the public about your thoughts about our bulletin.

And we had a client actually ask us to give our perspective on AHA’s response, American Hospital Association’s. And we actually had an in-person coffee session this morning and it got heated with all of my team members. They were so frustrated at American Hospital Association’s perspective and their position on the bulletin that I just felt so compelled to come on and actually share Hedy & Hopp’s stance.

So let’s back up a little bit. As most of you should know, the December 2022 bulletin effectively began categorizing IP addresses on the marketing front end of websites as PHI. So before, it was only once you were actively within, say, a patient portal within an Epic instance, whatever, that marketers really had to think about HIPAA.

This bulletin completely changed everything. All of the technologies that we knew, liked, and loved suddenly were no longer able to be used. Things like Google Analytics were no longer compliant. And there was a huge moment of panic. Right? Like all of us, including us at Hedy & Hopp kind of stepped back and was like, well, now what do we do?

What do we do now? We, if we can’t use these things that all of these other organizations and companies and other industries are using to provide a great consumerization experience, how are we going to continue to serve patients in a positive way? So we had our little moment, our little pity party. But then we buckled down and we figured it out and, turns out it’s not that hard.

It’s not that hard and it’s not that expensive. So I want to step back and talk about this a little bit, because myself and the rest of the team at Hedy & Hopp strongly disagree with AHA’s stance. Them saying, let me actually quote this, “AHA recommends that Congress should consider exploring how to better require entities not covered by HIPAA to protect patient privacy, especially those third party entities that decline to sign BAAs, and they urge Congress to make clear to OCR that the agency should withdraw this guidance immediately.”

And that it is, this part is in separate, “It is onerous and it is impossible for marketers to continue doing their jobs. Not only does this OCR rule violate HIPAA, it inflicts meaningful harm on patients and public health. Congress should urge OCR to withdraw the rule immediately.”

Really, American Hospital Association? Really? Oh, I love when Zoom does that to me. I was not giving AHA a thumbs up, by the way. So ever since 2018 Congress has been fumbling its way through understanding how technology works, right? Like I remember whenever Zuckerberg was on the stand and then all of these memes came out because basically it felt like all of these old people were asking Zuckerberg why their grandchildren weren’t accepting their friend requests, right?

Memes galore really showcase the questions they were asking, totally showed a lack of understanding about how the technology worked. That’s scary, right? People that are legislating not understanding what they are legislating is scary. But does that mean we’re going to leave it to the technology companies to decide what information should be captured and stored?

So we have been attending all of these healthcare conferences and we’ve really been going on a speaking tour. I spoke at SHSMD, next week I’m at SMASH. We attended Becker’s and talked with a lot of participants about it. And then I’m going to HCIC. The list goes on and on, right? Because this is such a hot topic.

Well, as a follow-up, we actually decided to audit all of the provider websites for those folks that were at SHSMD. You would be astounded: out of hundreds, I think there were over 450 provider groups, only 70 had removed scary tags. The vast majority of them had Meta tags. Some of them had TikTok conversion tags.

I’ll tell you, if I’m searching for care – I’ve been very public about a lot of my healthcare stuff that’s been happening beginning of this year. I’ve had to seek out and research lots of care. TikTok knowing that I was doing that, Meta knowing that I was doing that, is terrifying. I guarantee they are not going to be taking care of my information and data. So, I do not like government stepping in and legislating and telling us how to do our jobs. But if we are not the ones, but if they are not the ones doing it, nobody is going to do it. So let me just give you a couple of examples. Since that bulletin was put out, a couple of really cool things happened. A lot of ad platforms are now putting out APIs that allow you, if you do server-side tag management on a server, that’s willing to sign a BAA.

For example, the Google Cloud Platform is willing to sign a Business Associate Agreement. Awesome. So, LinkedIn, just a couple of weeks ago, released the LinkedIn cAPI. It’s a conversion API. So you can pull all of the information from your ads and so you don’t lose any of that conversion information.

Google just launched the Google Ads Data Manager, which we highly anticipate will be rolled into the Google Cloud Platform, which means it’s protected by a BAA. All of these groups are actually doing things now that are protecting patient data, visitor data, right? If you step outside of healthcare, this is a super positive step.

They’re allowing the marketers and technology folks to be able to truly control what information is shared versus just thinking we’re redacting it or anonymizing it on the platform without actually doing it. And all of this has happened since the bulletin. It is not super expensive to roll out a new solution, server-side Google Tag Manager or a platform like that; there’s a large number of them.

So I know I just mentioned Google Cloud Platform, but there’s a lot of other ones that are willing to sign a BAA, really easy solution. You can still use Google Analytics, don’t have to change your processes at all, but it’s going through a filter that’s protected by a BAA. And you’re all safe.

That’s not very expensive. It really isn’t. It’s not onerous. It’s not putting undue pressure on marketers, but you know what is really scary in the audits that we’ve been conducting since this bulletin came out? Two things that terrify me as a patient. First, one person we did, organization we did an audit for had built their web forms in such a way that whenever you submitted an inquiry, all of that form data was put up in a URL parameter, and every single tool or pixel that was put on that website could then capture the person’s full name, date of birth, email address, home mailing address, everything was being captured. Terrifying.

We have audited and found a lot of systems have call tracking. And they are not implementing a HIPAA safe version. So the entire call is being recorded and shared with all of the agency partners that they’ve given access to that tool. So “Hi, this is Jenny. Yeah, I have this, I’m calling a doctor to make an appointment. Yeah. I have this really weird rash that won’t go away. Yeah. Oh yeah. Here’s my date of birth. Yeah. When can I get in for an appointment? Yeah. Here’s my home mailing address.”

Those recordings are then available to dozens of people that have access to that platform. Terrifying as a patient. I don’t want my personal information shared with Joe from Rando IT company.

And I’m sure you don’t either. And then also again, like, TikTok tags being on some very, like, providers that we hold in such high regard as far as the types of care that they provide. And they’re sharing all of this information with Meta and TikTok and all of these other organizations.

American Hospital Association, I appreciate that you’re trying to reduce the administrative burden. You’re trying to reduce cost, but this is not a hill that’s hard to climb. This is in the patient’s best interest. As a patient, I want this to become standardized. And for all of the audits and implementations we have done, it’s not that expensive.

It is not that hard. You have to understand technology, but it’s absolutely doable. And if healthcare has to implement this so that way the rest and all the other industries end up protecting consumer privacy as much as we should be protecting patient privacy, I consider that a win. So, would I rather see our clients’ budgets going towards more marketing campaigns than the little budget that has to be spent to redo all of their analytics tech stacks?

Of course, every dollar that we could eke out to help patients in the marketing budget to help them find better care, buy a health insurance plan that gives them the coverage that they need, whatever it may be, I would always prefer that be done. But if we have to sacrifice a small little bit of budget in 2023 and 2024 in order to make sure that patient information is correctly stored, you bet that’s the right call.

And I really hope that American Hospital Association changes their position and I, for one, do hope that OCR does not change their position. And instead, we end up being the bright, shining light that other industries begin following because we paved the way to make sure that individuals’ information is safe.

So with that, thank you for tuning in. And I hope to see you on a future episode of We Are Marketing Happy. If you agree or disagree, whatever it is, catch me on LinkedIn, share your comments and thoughts in the chat. I’d love to hear from y’all. Have a great day.
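Two of the leak paths Jenny describes in the episode (third-party pixels such as Meta and TikTok still loaded on provider sites, and inquiry forms that put the visitor’s name, date of birth and address into the URL where every tag on the page can read them) can both be caught with a static check of a page’s HTML before anything ships. The script below is an added example written for this post; it is not code from Hedy & Hopp, the podcast, or any vendor. The tracker hostnames are the well-known script hosts those vendors serve their tags from, the PII field heuristics are an assumption to tune for your own forms, and the sample page and thank-you URL are constructed for the demonstration.

```python
"""Static audit of page HTML for (1) third-party tracking tags and
(2) forms that submit identifying fields via GET, which lands the field
values in the URL query string that every tag on the landing page can see."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Well-known hosts that serve vendor tag scripts. Illustrative starting list
# (assumption): extend it with whatever your own audits turn up.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "analytics.tiktok.com": "TikTok Pixel",
    "www.google-analytics.com": "Google Analytics (client-side)",
    "www.googletagmanager.com": "Google Tag Manager (client-side container)",
}

# Field names and input types that usually carry identifying data.
# Assumption: a deliberately broad heuristic for an audit; tune per site.
PII_NAME_RE = re.compile(r"(name|email|phone|tel|dob|birth|address|zip|ssn|mrn)", re.I)
PII_TYPES = {"email", "tel", "date"}


class _Auditor(HTMLParser):
    """Collects tracker script/img/iframe sources and per-form PII fields."""

    def __init__(self):
        super().__init__()
        self.trackers = []   # (vendor label, src)
        self.forms = []      # {"action", "method", "pii_fields"}
        self._form = None    # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            # urlsplit handles both https:// and protocol-relative // sources
            host = urlsplit(a["src"]).hostname or ""
            if host in TRACKER_HOSTS:
                self.trackers.append((TRACKER_HOSTS[host], a["src"]))
        elif tag == "form":
            self._form = {
                "action": a.get("action", ""),
                # HTML's default form method is GET when none is declared
                "method": (a.get("method") or "get").lower(),
                "pii_fields": [],
            }
        elif tag in ("input", "select", "textarea") and self._form is not None:
            name = a.get("name", "")
            typ = (a.get("type") or "text").lower()
            if typ in PII_TYPES or PII_NAME_RE.search(name):
                self._form["pii_fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_html(html):
    """Return the third-party tags found and the GET forms that carry PII."""
    p = _Auditor()
    p.feed(html)
    p.close()
    leaky = [f for f in p.forms if f["method"] == "get" and f["pii_fields"]]
    return {"trackers": p.trackers, "get_forms_with_pii": leaky}


def pii_in_url(url):
    """Query-string parameter names that look like PII. Anything here is
    visible to every tag on the page via the page URL and the Referer header."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in qs if PII_NAME_RE.search(k))


# Constructed sample page: three client-side tags, an appointment form with no
# method (so GET), and a newsletter form that correctly POSTs. "G-EXAMPLE" is a placeholder.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>
</head><body>
<form action="/thank-you">  <!-- no method => GET: every field ends up in the URL -->
  <input name="full_name"><input type="email" name="email">
  <input type="date" name="dob"><input name="street_address">
  <button>Request appointment</button>
</form>
<form action="/newsletter" method="post"><input type="email" name="email"></form>
</body></html>"""

# Constructed landing URL that the GET form above would produce.
SAMPLE_THANKYOU_URL = ("https://example-health.test/thank-you?full_name=Jane+Doe"
                       "&email=j%40example.test&dob=1980-01-01&street_address=1+Main+St")

if __name__ == "__main__":
    report = audit_html(SAMPLE_PAGE)
    for vendor, src in report["trackers"]:
        print(f"third-party tag: {vendor} <- {src}")
    for f in report["get_forms_with_pii"]:
        print(f"GET form to {f['action']} exposes {f['pii_fields']} in the URL; use method=\"post\"")
    print("PII keys readable by every tag on the landing page:", pii_in_url(SAMPLE_THANKYOU_URL))
```

Run it against a saved copy of each page you own; a GET form with identifying fields should be switched to `method="post"`, and any tag the audit lists should either go or be moved behind a server-side container operated under a BAA, as the episode describes. The name heuristic is intentionally loose (it will flag `username` or `hotel`), which is the right trade-off for an audit that a human reviews.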



About the Author

Jenny Bristow is the CEO and Founder of Hedy & Hopp. Prior to starting Hedy & Hopp, Jenny launched, grew and sold a digital agency in Seattle and worked at Amazon. She was named one of St. Louis Business Journal’s 30 under 30, won a Stevie Award for Female Entrepreneur of the Year in 2018 and speaks regularly at healthcare marketing industry events.
