
OCR and AHA Ruling – Patient Privacy Update for 2024

Healthcare marketers were thrown for a loop again a couple of weeks ago when the final ruling was released for the lawsuit by the American Hospital Association (AHA) against the Office of Civil Rights (OCR). The ruling threw out a key part of the 2022 bulletin but left marketers confused about what, if anything, they should do to modify their marketing analytics setups. 

Listen in to learn:

  1. The details of the AHA and OCR lawsuit and specifics of the ruling
  2. How state privacy laws may change based on this ruling
  3. FTC and civil lawsuit implications
  4. Future privacy considerations, such as AI
  5. Our POV of a brand’s privacy promise

If you’re struggling to answer questions to your leadership about how and what should change with your analytics setup, this is a must-listen-to podcast!


Jenny: [00:00:00] Hi friends, welcome to today’s episode of “We Are, Marketing Happy,” a healthcare marketing podcast. I am your host, Jenny Bristow, and I am here with Mark Brandes. I am the CEO and founder of Hedy and Hopp, a full service, fully healthcare marketing agency. And Mark is our Director of Analytics and Decision Science.

So welcome Mark. 

Mark: Hey Jenny, thanks for having me. 

Jenny: So first, I have to acknowledge anybody watching the video Mark and I are twinning today. We are both wearing Hedy and Hopp Artist in Residence t-shirts. So that’s a rare occurrence and I almost changed but I think it’s adorable. So we’re going with it.

Mark: It doesn’t happen to me very often, Jenny. 

Jenny: It doesn’t. But here’s the thing. We’re talking about a pretty serious, heavy topic today. So if we can give some levity with matching t-shirts, we’re going to do it. So the topic today we’re going to talk about is the recent AHA and OCR ruling and the impact on patient privacy.[00:01:00] 

As many of you know, in the healthcare marketing space, a ruling came down a couple of weeks ago. With the American Hospital Association lawsuit against OCR around the bulletin that was providing you guidance around HIPAA and the impacts it was having for healthcare marketers and our use or lack of use of marketing analytics tools.

We have been really leaders at Hedy and Hopp around helping healthcare organizations understand the bulletin that came out in 2022. Really making sure that we provided, at first it was just straight guidance and understanding of what tools were on the market. And then we pivoted and we actually created a solution because we wanted to put forward a low price, quick-to-implement solution.

So we did a Server-Side Google Tag Manager implementation offering, which we’ve helped now many healthcare organizations across the country [00:02:00] become compliant with that bulletin. And now, parts of that bulletin don’t matter anymore. So Mark, do you want to give us a rundown around kind of what happened a couple of weeks ago with the ruling and some big findings?

Mark: Yeah, for sure. So yeah the news was interesting. We knew there eventually might be a decision based on the lawsuit that was out there, and really our reading of it and talking to our legal team. Kind of feels like maybe only a small part of the bulletin was really kind of ruled against.

And so I don’t have all the legal terminology, but my understanding is that really, when you look at the part about the guidance that talks about IP addresses, along with specific health information, the ruling really said that that was an extension of HIPAA rules and not necessarily living within those correct rules that were already stated, right? 

And so there’s a process for updating those rules and changing those rules. And that wasn’t really followed for that. And so that’s kind of how we look at that. And so [00:03:00] really it’s just that thin part of, if you have IP address mixed with something like specific health information, like, say, on a web page, that has actually been vacated, but there’s still a lot in the bulletin that got kind of saved and still is there.

So it’s kind of interesting that it was only that sliver. And so we’ll see how the government kind of responds if HHS feels like they need to appeal that. But there’s also a sense that maybe they won’t appeal because it is such a sliver of a judgment and not necessarily so broad to take out the whole guidance.

So we’ll have to keep watching and see how that goes. 

Jenny: Yeah, I think an interesting thing that I took away is that in the bulletin, OCR said that regardless of intent, you had to treat that combination of IP address along with a health condition as PHI. So for example, if you are a behavioral health center, your entire website talks about behavioral health problems and symptoms and treatments and services [00:04:00] that you offer.

If anyone goes to your website with that IP address, that should be considered PHI because it’s clear that they were coming to be able to research a behavioral health solution. But what was really interesting is that it said that no inference is required. So you have to infer the intent about why they were visiting, whether that was for themselves or for someone else.

And I think one of the things that’s interesting to me is this again, opens up and creates even more gray area. There was so much gray already, right? In the legal interpretation of the bulletin, but this is even more gray area of like, how do you define intent? And are people going to use that specific language to be able to say, well, we’re just going to begin going back to the old analytics setup and tracking that we had because you know, this is gray enough that we think we can play in that space. 

I think another clarification, because I’ve had a lot of questions submitted to me, is that it was in the federal district court in Texas. A lot of folks were asking me, does this only apply if we are in Texas? And it does not. This has [00:05:00] nationwide implications, because it is OCR nationwide guidance and enforcement.

And so even though it was the federal state or federal court in Texas, this is a nationwide implication. One thing that I think is interesting is you talking about, you know, will health and human services actually come back and fight this? And try to push it forward. And I think this opens up another question of gray and frustration for marketers because it could take a long time.

I mean, I know we have talked about, we talked with our legal team around what it could look like from a timeline perspective, and it’s years. Right. I mean, could you talk, I would love to hear your perspective, Mark on, you know, from a marketer’s point of view about kind of the pros and cons of backtracking analytics, trying to play in the gray and kind of the weight of waiting years to get a solution.

Mark: Yeah, for sure. Yeah, I feel like the people that have taken steps are ready to put in a compliance solution [00:06:00] or move to a compliance solution. I feel like they’re a step ahead still. And I don’t feel like they’re losing much right now. Some people have turned off their analytics and some of their tracking completely.

So those, you know, companies can consider, hey, do we want to put that back on? If your kind of solution needs to have it on or off, then, I mean, you can kind of make those kind of black and white decisions if you need to. However, for ones that have already kind of implemented certain solutions, like SGTM or moving to a compliance software that’ll sign a BAA with you.

Right? If you move to those solutions, I don’t think you’ve lost anything instead. I think you’ve just allowed yourself to not feel the pressure of some of these decisions, right? So. If you already have that in place, you’re not really feeling like this decision is going to make a huge difference to you.

You might feel like, hey, maybe we didn’t have to do this, but I feel like it’s a different way. I feel like you’ve put the infrastructure in place that you need to then actually make those changes. So if it does get appealed, then we’re right back to this. Right? So, like, that kind of up and down roller coaster.

You might be on that roller coaster, but if you can put a [00:07:00] solution in place or move to something compliant and have BAAs in place, you don’t really have to be concerned anymore. So there’s not, like, watching, you know, watching on the horizon to see what’s coming down the pike. You can kind of feel comfortable in what you’ve done. And so we’ve talked about there’s other pieces of legislation out there, other entities out there that also affect this.

And so it’s not just HHS. Now, that was the match that lit the fire in this sense, but I think we now understand how many other things are involved here. There’s civil lawsuits, there’s the FTC, there’s state laws.

And so I know we’re going to talk a little bit about that too. Jenny. 

Jenny: Yeah, let’s talk actually about state laws. So there are at least, I think there’s more than this, but there’s at least 19 state privacy laws on the books now. If I’m a healthcare marketer in, you know, let’s say Virginia, and we don’t need to go specifically into state laws, but like, let’s say I’m located just within one state. Like, how should I be thinking about state law now?

Mark: So Virginia is an interesting one, because it actually talks in there [00:08:00] about how if you’re treating your data like PHI, then you can actually be exempt from Virginia’s law. So however, if, based on this ruling, companies and clients decide to move back to maybe the original way they were tracking stuff.

Well, they might actually now be pursued under the Virginia law because they aren’t treating all their data like PHI, right? So there could be ways that gets invoked. Now there’s some other states where it doesn’t matter how you treat your data. It just matters how you’re kind of classified. So all that kind of has to be taken into account.

However, a lot of them do have carve outs for HIPAA and covered entities that are following HIPAA rules. And so if you are still following that, putting in a compliance solution, you can actually not really have to be concerned about some of those state laws. However, if you aren’t, and if you leave kind of your site up to the old way of tracking, you actually really need to be careful in how you’re doing that.

Whether you’re following the state laws, you need to be [00:09:00] on the lookout for any new states that are coming. So it’s kind of another one of those things. Do you want the peace of mind that, hey, we’re doing things the right way and can kind of just leave it alone? Or do we want to keep kind of jumping every time one of these things pops up?

Jenny: Yeah. And a nationwide privacy law was actually introduced. I know it’s still going through the legislative process. It is nowhere near being finalized, but I mean, something that I think is interesting is will we see healthcare entities now need to be compliant and not have a carve out in any sort of national law because of this ruling?

So I think you bring up an excellent point that, you know, I think brands really have two choices. Continue down the path of being privacy forward, making sure that everything’s compliant, and then you have way less concern around watching the legislative landscape. Or continue playing in the gray, because you, for some reason, think it’s worth it.

And then you’ll just have to continue staying up to date with all of those different legislative changes. How about the FTC? I know, you know, last year, Health and Human [00:10:00] Services and the FTC kind of like sent a nastygram out to 130 systems saying, hey, we’re watching you. You’re not doing good things with patient data.

Well, how do you think and how is our legal team kind of shared information about how we think the FTC may respond to this? 

Mark: So, the FTC is an interesting one, and it’s still a little unclear how this is going to affect this because they have their own definition of what they mean by health information.

Right? And so they kind of went along with that same definition of HHS, which is if I have an IP address and have specific health information, putting those two together is personal health information. So, like, they still maybe follow that direction? We’re really not clear. But what we do know is the FTC is still very strong in that privacy landscape and basically making sure that companies are following what they say.

So in your privacy policy, if you list that, hey, we’re not sharing any of your personal information with third parties, you better be sure that you’re not doing that. And one way to do that would be to have a privacy solution in [00:11:00] place or BAAs in place that you know that you’re covered there because that’s really where the FTC is going to get you.

If you are doing something and you are being, you’re misleading your users, I think is the way that they put it, that’s when they’re going to start to have a concern. And so still having a good sense of, hey, what are all the softwares on my side and what data are they sharing? I think that’s still a good exercise to go through.

To have an audit and make sure that, you know, all the things that your website is sharing, you can put those in your privacy policy. Doesn’t mean you have to stop doing some of those things, just make sure you’re clear with your users. And so with the gray area with HHS, maybe you lean to having more data sharing happen, but there are times where if you’re doing that, for example, with Cerebral, I believe that latest lawsuit from the FTC, Cerebral can’t share any data with 3rd parties. Now, they’ve really kind of locked them down, it looks like, based on our reading of that judgment. And so that’s not something companies want to happen.

Right? So you want to make sure that you’re being [00:12:00] clear as possible and still being up front with what you’re doing and what you’re sharing and make sure those privacy policies are up to date. 

Jenny: Yeah, absolutely. And quick plug. We do do those audits. So if you are a new listener and haven’t heard us talk about this yet, one of the things that we began doing immediately upon the bulletin landing is doing really comprehensive marketing and technology stack audits to help you understand every single technology that’s running your digital property website and all of your ad platforms. 

So reach out if that’s a concern. Otherwise, I believe there’s a podcast talking about how to do it yourself. If it’s something your internal team wants to tackle, but you absolutely should be on top of that. Let’s talk about civil lawsuits because that’s another thing that’s been really interesting.

And one of the things I have done in all of the trainings around HIPAA and state law, FTC, et cetera, is encourage people to go to the website, type in their domain, and you can see every single technology that is powering your website, or a large percentage of them at least. Talk a little bit about the [00:13:00] civil lawsuit landscape that healthcare organizations are experiencing right now.

And if you think that’s going to go away or not with this new ruling. 

Mark: I don’t think so. I think that kind of train has already left the station, so to speak. Yeah, it’s interesting. You bring up kind of BuiltWith. There’s a lot of tools out there like that. There’s some extensions you can add to web browsers, like Ghostery or Wappalyzer.

There’s some other things, tag checkers, you can add. They’re going to see all the things that are happening. Right? And so, we really made this akin to, you know, kind of how the legal system moved toward if you have an accident, right? There’s a lot of people willing to kind of help you out with that, right?

Get your legal case in the system. I think similar things are going to start to happen with data. So you’ve seen a lot of civil lawsuits where people are like, hey, I just saw in my little web tracker that this website tracked this and sent it to there. It’s easy to do and it’s free and they can do it individually.

And so, that one person can then raise their hand and say, hey, this client, this [00:14:00] hospital, this service shared my data with this 3rd party, check your privacy policy out. So, I mean, there’s so many things like that that can kind of get you when you’re not really looking or paying attention to that. So that’s why some of this vigilance makes a lot of sense.

And the thing is, with these civil lawsuits, it’s not just stuff with HIPAA. There’s also things with, like, the Video Privacy Act, right? There’s some of these esoteric kind of laws out there that we really don’t pay attention to that were put in place a long time ago, and they are coming back now because of the influence of the Internet and all the things we can find on websites now where that data is shared.

So you really need to keep that in mind when that stuff happens. So having, again, a good inventory of what data is being shared and then having solutions in place for those, having your privacy policy updated to make sure anything that is in a gray area or things you feel like you still need or don’t want to remove from your system, that those are covered under that.

So it’s still great to have that overall policy in [00:15:00] place. And once that’s there, then you can kind of go about your business and you don’t have to be concerned to have it on the back of your mind all the time. Like, oh man, is our website doing this? You can feel a lot better moving forward that yes, we feel comfortable with all the things that we’re sharing and what we’re doing.

Jenny: Yeah. I just, a quick anecdote on that. I was flying to Vegas to speak at a conference. And as the plane landed, we were stuck on the tarmac for like 20 minutes. So I pulled up social media to kill some time. And as I pulled up Facebook, I was served an ad by a law firm that said, have you received care at X hospital?

If so, your information may have been shared improperly with third parties, submit this form now. And so it was real life, sort of like the, have you been in a car accident? It’s happening already. And so I think that’s just a really important consideration. Let’s kind of shift a little bit to more fun, forward-thinking information.

One of the reasons that I always tell people to get your stuff cleared up now is, number one, you don’t have to worry about it and stay up at night because of the legislative landscape, but also it opens you up to do some [00:16:00] cool stuff in the future. I mean, let’s talk a little bit about, like, AI marketing optimization software, and there’s some cool stuff happening right now.

Mark, what’s your POV around, you know, if the organization has already cleaned up their data and they know that they’re safe, could they be more comfortable perhaps leveraging a marketing campaign optimization tool whenever those tools are available and on the market?

Mark: Yeah, I think so. I mean, we’ve seen SHSMD had an interesting webinar series this last week that we were a part of.

And one of the groups in that, that had a talk, talked about implementing an AI within your CRM, right? And having that actually help you. And so if you have that on lockdown, you go with a piece of AI that, you know, is safe and it’s just in your own personal space, that’s something that could definitely work and can really help you kind of level up, you know, your marketing in those cases. Then there’s also situations where, yeah, with third parties, if you’re sharing data with them, or not sharing data in this case, then, you know, what’s in there isn’t any kind of [00:17:00] concerning privacy data.

So, when you share that with a tool, if you’re comfortable with that, you don’t have to really worry about some of that data getting out there, because you’ve already made sure that what you’re sharing with it is safe and good, and so there’s definitely room there. But that kind of ecosystem, having a lockdown on what you’re sharing and where you’re sharing it, is so important, because once you start pulling in 3rd parties, especially something like AI, which can sometimes have a mind of its own and start training and doing things on certain data you didn’t realize.

Having a lockdown on what is important and what shouldn’t be shared is really good for introducing those kind of tools to your system.

Jenny: Yeah, that’s such a great perspective and I agree with you wholeheartedly, and I’m going to end with our sixth category of potential impact, and that’s really around brand positioning when it comes to privacy.

I was on site with a client last week and I was so proud of them because we started talking about the implications of this and the first thing they said to me was, honestly, Jenny, [00:18:00] at this point, now that we know what the data holds and what we may be sharing with Meta or whoever by sharing these pixels, it’s a brand promise that we have made to our patients to not share that data.

We care more about a brand promise than about an OCR fine. And I was so proud of them, because that’s the kind of organizations we love working with. And so I sent an email out to all of our clients kind of explaining our POV on this ruling and whatnot. And I kind of said, you know, maybe it’s a Pollyanna worldview, but I think it’s really valuable for a brand to be able to make that brand promise to all of their patients and consumers saying, you know, hey, even if this isn’t the law, we know what’s right and wrong.

We’re going to keep your information as safe as we possibly can. And that’s something that you can expect from us just as a tenet of our ethics and values within our organization. So, definitely something impactful.

Mark: For sure. And I, you know, I think to myself, you know, you go and some [00:19:00] user signs up for a bariatric surgery and you share that data with Facebook, and now Facebook knows that person, you know, wants or needs bariatric surgery.

Like, there’s just a sense of trust there that you’ve kind of broken. Like, how did they find that information out when all I did was go on this website? And so I agree with you. I think there is that brand promise, but there’s also just, there’s kind of a feeling of, you know, GoodRx, I think, is going to be on all our minds forever because of this situation.

Right? And whether or not in that situation, you read their ruling. They didn’t know about some of these things. They didn’t realize this was happening or that was happening, but that didn’t save them in the end, right? They still had to kind of, deal with that situation at the end. So, I think now that we know about it, there’s even less reasons why you would say, oh, we’re still going to keep doing this.

We’re going to still keep doing that. Like your client you talked to mentioned, right? Once they know about it, it’s oh, well, we should be doing something about this. We should make sure that we’re caring for our patients’ privacy the same way that we do everything else. Because I think that’s where digital information is going. 

I think we’re all clear [00:20:00] now. We’ve seen what happens over in Europe with GDPR. Things are getting very strict there and very specific. And I think some of the HHS guidance got us on that road, but I think there’s still more room to do and that’s what we’re seeing with state laws coming through and we’re seeing just with individuals and tech companies are allowing you to block stuff directly.

So, I mean, I think a lot of people are heading down that path. And so the more proactive you can be, yeah, the more you’re going to have your customers appreciate your brand and appreciate what you do, especially because if you can talk about that and say, hey, we’re doing this proactively. I think that makes a big deal to customers.

Jenny: Yeah. I completely agree with you. Well, thank you, Mark, so much for joining us today. I know this is an extremely complex, difficult to understand topic if this isn’t what people do day in, day out. I’ve had almost a dozen people reach out to me on LinkedIn and ask if we would do an episode on this topic to help them digest and understand, specifically because their senior leadership is asking for answers and it’s difficult to digest all the information and know those answers.

So I [00:21:00] hope for listeners, this was really helpful. I hope it helped you reframe all of the new information coming at you and allow you to create your own POV that you now feel comfortable sharing with your marketing team and senior leadership as needed. As always, if you have questions or want to pow wow about your specific situation, please reach out to us.

You can reach me at We’d be happy to chat with you and give just some advice and recommendations. Again, we’re very proud of the low cost solution we put on the market. Our perspective isn’t to make a ton of money off this solution. It’s really to help folks kind of put this problem behind them and get back to marketing.

But there’s also lots of other great solutions on the market, like FreshPaint. And we’re always happy to refer people over and kind of share the pros and cons around each approach, if that’s still an internal question you’re battling with of what is the best approach for your team and your scenario.

So as always, thank you so much for joining us on today’s episode of “We Are, Marketing Happy,” and we will see you on a [00:22:00] future episode.
About the Author

The Hedy & Hopp digital production team is the glue that keeps all activation work running. From auditing websites and tagging, to content strategy and CRM implementation, our digital production unicorns ensure the tiniest detail is reviewed and accurate before it gets to our clients. Their determination in finding solutions for any challenge makes this team marketing happy.