View All Blog Posts

GDPR, State Laws & How Healthcare Marketers Are Navigating New Privacy Guidelines

On this episode, Jenny is again joined by Shelby Auer, Account Manager at Hedy & Hopp as they bring even more insights from their time at SHSMD 2023.  Today she and Shelby discuss the evolving landscape of healthcare marketing regulations, pointing out changes in marketing practices driven by HIPAA, FTC, and state laws. Jenny highlights the importance of understanding GDPR, even for U.S.-based businesses, as opt-in policies and the “right to be forgotten” become more relevant. They also break down the growing complexity of state laws and emphasizes the need for collaboration between marketing, legal, and compliance teams to navigate these challenges.

Connect with Jenny:

Connect with Shelby:

Interested in working with Hedy & Hopp on a privacy compliance program?

Book time with Jenny today:

Jenny: [00:00:00] Hi, friends. Welcome to today’s episode of We Are Marketing Happy, a Healthcare Marketing Podcast. My name is Jenny Bristow. I’m the CEO and founder at Hedy and Hopp, a healthcare marketing agency. I am so excited to be here today. We just got back from SHSMD. I’m joined with Shelby Auer on my team, and we presented on, um, HIPAA, FTC, and state laws.

So, as most of y’all know, or you should know, the rug was basically pulled out from all of us. Um, a year ago today at SHSMD, there were many events talking about best practices for marketing technologies and your tech stack. All of those recommendations are now wrong. So I have a whole other episode that we’ll link to in the show notes that’s a 101 on HIPAA and FTC, but a lot of the questions I received were specifically related to GDPR and state laws.

So we wanted to talk a little bit about that first, and then [00:01:00] Shelby and I are going to dig into some of the feedback we received, because one of the cool things is we, as a result of being the first session on the one of the first sessions on the first day, is we ended up having dozens of folks coming and chatting with us about their individual team’s response, their legal team’s perspective, etc.

So we’re excited to share some of that. So first of all, I want to talk a little bit about GDPR and state laws. So first GDPR, most folks that are within the United States are probably thinking, Oh, I don’t need to worry about GDPR. We don’t sell to or do business with anyone in Europe. Well, maybe not. But here’s 2 key things about GDPR you need to know exist.

GDPR has 2 things that are very different from the way we operate within the United States. The first one is they are opt in versus opt out, which means, you know, how on your website, the cookie preferences loads, um, and you hit accept, um, you actually, if you hit do not accept, um, [00:02:00] or no, well, you have to hit, yes, give it to me, give the cookie me in Europe.

Whereas in the United States, you have to say, no, please do not put cookies on my computer and track me. And so it’s just a completely different perspective. And they’re tracking, um, percentages that are way, way smaller in Europe because most folks do not choose to opt in, whereas in the United States, most folks stay opted in and they don’t choose to opt out.

So that’s the first one. The second one is right to be forgotten. So pause for a minute and think about your marketing tech stack and think about if Jenny from St. Louis called you and said, Hey, I would like for you to delete me from all of your databases. Do you have any idea how you would actually do that?

That thought alone probably scares you, as it should, but again, that exists in GDPR and the United States, we mostly don’t have that. But there are four state laws that are currently online, California, Virginia, Colorado, and Connecticut, and California [00:03:00] is likely soon going to require data brokers to allow consumers to submit a right to be forgotten request.

So this is creeping into the United States. So it’s important to know how GDPR functions because we’re starting to see it show up in many other states. Um, we’re not going to go through all of the different state regulations because they are really intense. We actually have a couple of summary slides that I do in actual presentations just to give you a high level like cliff notes version, but your attorneys absolutely need to look at each state law and figure out how you need to comply.

Um, the other one that is really crazy is in Florida. Um, there are regulations around, um, having data stored outside of the country. So for example, if you use an offshoring company, uh, finding out where your servers are actually physically located, there are some repercussions related to anything [00:04:00] actually physically, um, or digitally outside of the United States.

Utah, Iowa, Indiana, Montana, and Tennessee are two that are scheduled to come online in the next about 12 to 18 months. And there are many, many more states that are scheduled to come online shortly after or are currently in legislative conversations and review.

So even if you’re a covered entity and you are, uh, complying with all things HIPAA, there’s still likely maybe some things that you need to think about at the state law level. And if you are not a covered entity, and you’re really just thinking about FTC, you also need to be thinking about state laws.

Washington, for example, has a regulation that says if you are a covered entity and you’re treating data like PHI, then that law does not apply to you, the regulations do not apply. But if you are not a covered entity and you are or are not treating data like PHI, it does apply to you. So for example, there are a [00:05:00] lot of what we call healthcare adjacent organizations that think they don’t have to really be thinking about this, or if they treat their data like PHI, they don’t have to worry about state law.

And again, that just isn’t true. These things are changing rapidly. Shelby, what are your thoughts on state laws? You’re working with a few different client projects right now from an audit and recommendations perspective and state laws get pretty hairy, right? 

Shelby: Yes. Oh my goodness. All and figuring out how to approach the state laws because there’s a lot of conversation of, oh, is California the most strict?

Well, if we’re okay in California, are we okay in all of these other states? And it’s so, so important. I heard multiple people when we were at SHSMD say this, but to become BFFs with legal and privacy, legal and compliance. That is so true. So, so true. As much as it can be a little bit of a battle, making sure that there’s open lines of communication, that your [00:06:00] digital team is comfortable helping legal and privacy, understand the technicalities behind the changes in these laws and vice versa. Because that’s, that’s a lot of what I’ve, I’ve been working with clients is making sure that all of these different groups are talking to each other and help each other speak the same language because all of these state laws coming on are so hairy.

There is not a stop in sight. It’s just continuing to come down the pipeline with more and more states or additions to current state laws that are out there. So that’s, that’s really the biggest thing that that I’ve been working through lately and just making sure that everyone’s talking to each other and on the same page.

Jenny: Absolutely. Uh, the audit process that we talk about, not only in that first episode that again, we’ll link to in the show notes, but also that I presented at SHSMD is really doing that due diligence to show your legal and compliance teams that, Hey, I’m taking this seriously too. I am not putting my head, you know, down and trying to [00:07:00] ignore that all of this is happening.

We’re doing the work right now. I want to do the work alongside you, um, on the same side of the table, not opposite sides of the table. We both want the same thing for the benefit of our customers and patients 100%. 

Shelby: And I think one of the things Jenny said, you said in your presentation that I think was really important for a lot of people to hear is right, this isn’t just your marketing, advertising and analytics platforms, but there are so many other things on your tech stack that are in the code of your site that are collecting things like IP address that so many people, you just don’t, you don’t even think about it. Right. And we didn’t have to up until late last year.

And so I think, yeah, that audit process is so incredibly important to have one place where, you know, exactly everything that is touching your site and what information it has access to. 

Jenny: And not just your site, your entire digital footprint, right? Like there were some audible gasps in the room when I walked through some [00:08:00] examples of things our team has found during audits.

For example, I’ll just name a couple of them just to kind of help you help our listeners think about the broadness of this audit and the level of patient care that we need to have from a data angle. So one, for example is we have found on one site we audited that when forms were filled out on the website, that then field variables were then put up into the URL parameters.

So that means then things like Google or any other tool or software on the website are then indexing those URLs and all of that information, the person’s name, email address, whatever information they put in about the, um, you know, state of health, their health or any questions they entered is all now available free on the internet for all these tools to scrape.

Um, another thing is a lot of video players that are embedded on websites are actually behind the scenes pulling in IP and device ID information, which as [00:09:00] we all know now is no longer allowed. And then other examples are things like your call tracking tools or your advertising platforms.

Oftentimes we already know pixels can’t be on the site, right? We talked about that a lot. But what about the data that’s being in those platforms as far as, for example, call tracking tools has the phone number and then they have the recording of the call of them calling to make an appointment.

Advertising platforms, maybe, um, you’re maybe somebody in the past uploaded a patient, uh, list and they have lookalike audiences that they have built based off of that. There are all these different ways that you may inadvertently have been sharing this patient information. Audits need to be way more comprehensive than simply looking at your analytics setup.

So let’s dig in and talk a little bit about things that we heard folks doing. So we literally had a line at our booth almost the entire time, which was awesome to see, right? Like we love those conversations. And it [00:10:00] also is kind of disheartening sometimes because the number of people that came up to me and said, Oh, we thought we had it figured out, but everything you talked about just made me realize all of these other things that I need to look at now.

Um, and I, I hate that I started their conference in that way, but what are some of the things that you heard? How are folks approaching this? 

Shelby: Oh, yes it’s, it’s interesting because there are definitely some folks that said, Oh, we took off everything. We went cold turkey and we are in this, you know, sixty to eighty day range of not really having much to be able to look at in regards to what we’re tracking until we get something else in place.

Uh, but again, this, I, I talked to individuals who, who were super on the defensive, right? Took everything off their site and yet there’s still issues popping up. They thought they had gotten everything and then they’re, oh, oh, yep, we got a video embedded on the site. [00:11:00] And I didn’t realize that that’s an issue, right?

So it’s, it’s, it’s been interesting to hear from the folks who, who were taking that stance that, yes, there are these things that are hidden that are hard to find, it’s not as easy as just, Oh, here are the 10, uh, platforms that we utilize in our week to week and, oh, we’re taking those off and we’re good.

So a lot, heard a lot of that out there. 

Jenny: Totally agree. Some of the things that I heard is there were a variety of, um, orgs that came up to us that were in the middle of an implementation of either a CDP or a completely new analytics platform. And a large percentage of them actually had paused the work before coming to the conference in order to learn more about best practices and what other systems are doing before fully implementing them.

So those were some good conversations. We were able to share some insights about the tools they were looking to partner with some watchouts, um, and just some best practices about, which I think was really helpful. Um, other [00:12:00] things is, um, some folks did not realize that sometimes forms are actually implemented by third parties.

They just assumed it was part of the website database. So a lot of folks are going home, checking on that. Um, we have a lot of folks that are, um, going and checking on their advertising platforms. What else Shelby?

Shelby: There was, I will remember that, like, this was such a vivid memory, uh, in one of the sessions, someone asked such a great question about the video tools, right?

And they had said, you know, say we have a video on a page talking about West Nile Virus and tips and tricks when you’re dealing with somewhere where there’s going to be a lot of mosquitoes. What should you keep in mind? Right? So it’s, it’s more of a news story. It’s more of a tool. It’s not exactly a specific health condition.

And they’re like, [00:13:00] what do we, you know, is that worrisome? Should we not be, you know, utilizing those web posting services or having that type of video or any sort of tracking? And again, it was a panel discussion and everyone’s like, okay, you know, this is a gray area, right? You need to be talking to your legal and compliance, but at the end of the day, they could be researching, maybe they think they have West Nile.

Maybe they’re going to go talk to their PCP about some symptoms that they’re having. And so that’s how they got there. That really, the safest route is to make sure that you’re not utilizing any tools that’s going to be pulling in that patient information about what the content of the video is, even if it’s something that might even seem like, well, this is just educating the community.

This isn’t a specific health condition, which I thought was really important to think about. 

Jenny: I agree. Um, a couple of examples we gave are, um, you know, if you’re a cancer center or if you’re [00:14:00] a, uh, breast health center or, um, whatever, if, if you’re not a large system where from your homepage, you’re listing out 12 different service lines our POV, again this is gray. Your own attorney needs to make this call. That our POV is you need to treat the entire website with care. You need to make sure that you’re not collecting IP addresses anywhere. Um, so some organizations had been thinking about only removing pixels from symptom specific or a super care specific pages kind of taking that bulletin verbatim.

But our POV is if you’re doing that, why not just fully protect that patient’s data throughout the entire journey, right? If anything, I think it’s easier from a tech stack perspective to treat all of it with the care and consideration that it needs. So, again, that’s something that they have to chat about with their internal legal and compliance teams, but definitely good food for thought. 

So awesome. Well, thank you, Shelby, for tuning [00:15:00] in and for all of our listeners. I really hope that the GDPR and state law level information is helpful and guiding you and helping you understand the different questions you should be bringing to your legal and compliance teams again.

Cause if you’re on the same side of the table as them and you’re working together to make sure that patient information is safe and secure, it is such an easier conversation than if you dig your heels in and try to protect what you’re comfortable with. So thanks for tuning in. As always, Hedy and Hopp is here to answer any burning questions you may have.

Reach out to us. Otherwise, we’ll see you on a future episode of We Are Marketing Happy.



About the Author

Jenny Bristow is the CEO and Founder of Hedy & Hopp. Prior to starting Hedy & Hopp, Jenny launched, grew and sold a digital agency in Seattle and worked at Amazon. She was named one of St. Louis Business Journal’s 30 under 30, won a Stevie Award for Female Entrepreneur of the Year in 2018 and speaks regularly at healthcare marketing industry events.

More from this author
Next Blog Post

Top Takeaways from SHSMD 2023

Fresh off the road from this year's SHSMD Conference, Jenny and Shelby Auer, Account Manager…