
OCR’s HIPAA Bulletin – What it means for healthcare marketers (a marketer’s POV)

Is your team scrambling trying to figure out how to make your marketing analytics setup HIPAA-compliant with the new bulletin? Yep, everyone else is too.

Today, Mark Brandes, Hedy & Hopp’s Director of Analytics and Decision Science, joins the podcast to talk about the huge impact this bulletin from OCR has on healthcare marketers (as well as the FTC’s enforcement action against GoodRx).

Mark talks about the tools and processes that were considered best practices prior to the OCR bulletin and how our approach to HIPAA-compliant marketing has changed. He explains why third-party marketing pixels are causing so much concern and are so difficult to control.

Jenny and Mark wrap up the episode by talking about the three-step process Hedy & Hopp is using to help clients become HIPAA-compliant: Audit, Educate, and Recommend. We’re working as a middle ground between marketing and legal teams, making sure both groups get what they need! Listen in to learn more.

This (episode 17) is part two of a two-part series (part 1 is available here).

Jenny: Hi, friends. Welcome to today’s episode of We Are, Marketing Happy, a Healthcare Marketing Podcast. I am thrilled today to welcome one of Hedy & Hopp’s own team members, Mark Brandes. He is our Director of Analytics and Decision Science, and this is part two of a two-part conversation about the crazy bulletin that is shaking up analytics in the healthcare marketing space.

Last week we chatted with Drew, an attorney who specializes in digital health and has a very deep understanding of HIPAA and the implications of the bulletin. And this week we’re gonna be talking with Mark about real world [00:01:00] implications. How are marketers responding, and what changes and shifts are we seeing today and planning to see over the coming months? So welcome, Mark. Happy to have you.

Mark: Thanks, Jenny. Glad to be on. 

Jenny: So you’ve been in analytics for a long time. And I say that with love, not calling you old, but I very much appreciate the perspective of people that have been in marketing analytics for a decade, because then you really have seen the shifts over time.

But specifically, let’s say over the last couple of years, what are some standard things that we see when we begin working with a healthcare system or a healthcare provider? Really any covered entities that we work with. What are some standard things that you have seen, up until now, that they’ve been using from an analytics perspective?

Mark: Yeah. So over the past few years, things have definitely shifted on us. I think the first big domino was probably when [00:02:00] GDPR hit. There was already talk about privacy and patient confidentiality before that. When GDPR hit over in the EU, that’s when people really started to take it seriously that, hey, there’s something going on with this privacy stuff and we need to be careful of what we do.

And so in the States here, it wasn’t our law, so it doesn’t necessarily affect us, but there still was the ripple effect of, well, we should be thinking about this too. And a lot of places already started to proactively kind of take some of those steps, putting up some cookie banners, asking people for consent before they go on the website, letting them know how the cookies are being used.

Some of that already was changing, which was a good step. And then you had some other litigation that, or not litigation, I’m sorry, some other legislation that came in, like the CCPA in California. Then there’s a few others that are in the process of getting put into law now across several different states.

And so all of those are gonna have very similar kind of things, where you’re gonna need consumer consent, you’re gonna have [00:03:00] to let people know what you’re doing with their data and their information.

Jenny: So that was an excellent overview. Thank you. 

So in general, I will say that if you think about all of the covered entities that we work with across the country, regardless of size, we work with some of the largest hospital systems in the country, all the way down to single or perhaps multi-location groups.

Almost all of them are using Google Analytics. Almost all of them are using Google Tag Manager. A lot of them are using call tracking software. I mean, one of the things that we all believed to be appropriate – we had received a legal opinion that we were using to implement according to the perceived HIPAA best practices – was that if you obfuscate or do not allow the tool to collect the IP address, that would be considered compliant.

With HIPAA’s new guidance and this bulletin, that’s not the case anymore. And so can you walk through a little bit what that implication is as far as how the [00:04:00] tools are leveraged or why that’s gonna be very difficult to continue using something like Google Analytics? 

Mark: Yeah, definitely. That OCR guidance that just came out was definitely the next seismic shift for us in the digital marketing landscape.

One of the big things they said was really, it was even about passing personal health information. So not only identifiable stuff, but just passing health information seems to be a HIPAA violation based on this guidance. So one of the things that we’ve really focused on was, on some of our clients’ websites, even a page that talks about a specific ailment or a specific diagnosis, tracking a page view could be seen as a HIPAA violation now based on this guidance. And so that’s a really interesting shift. Before now it was kind of common to just put the page view tag on the website across all the pages so you can track them all and see how people are looking at them, what the volume is.

And now you’re probably gonna have to be a little more careful about what pages you’re putting these on. It specifically called out things like login pages, anything [00:05:00] after a login. So anything after a user’s been authenticated. Those definitely seem to be off limits at this point. But even some of the non-authenticated pages, like I mentioned, you’re gonna have to be careful where you’re putting stuff.

So certain forms that get submitted, if they’re on a certain page, even if you’re not collecting what’s on those forms, like what’s in them, the fact that they were put on that page would indicate that the user was interested in that information, and therefore that could be seen as some PHI that you’re providing to that other software.

So that’s one of the big shifts that’s happened. And I think the biggest thing is it came kind of outta nowhere. It was kind of a surprise to us. There was legislation that we were seeing moving through the system, and we were watching it and seeing what the impact was, and we could prepare for it.

Because HIPAA was already in place and this guidance has just kind of adjusted how we look at that and what it applies to, I think everybody was taken by surprise a little bit. So I think there’s been a lot of scrambling. So some of the software that we’ve been really comfortable with, like Google Analytics, [00:06:00] like Google Tag Manager, or even some CRM tools, right?

Or some of our platforms that we use, Facebook, Google Ads, Twitter, things like that. Those pieces of software that we were kind of comfortable using, passing data to them, using that to optimize our own campaigns. A lot of that has become a little hazy now about what we can and can’t do.

Jenny: Yeah, let’s talk about third party pixels, because we saw the FTC levy a huge fine against GoodRx, who is not a covered entity, by the way, but they are still in the healthcare space.

So it again calls out the importance of paying attention to the safety and concern of patient data, regardless of whether you’re a covered entity or not. But they got in trouble for having Meta pixels on their website. And they actually, in the settlement of it, said that they were willing to pay the fine, but they still believed they were following marketing best practices by having those pixels on.

Jenny: Talk to me a little bit about how third party pixels work. Like if you’re [00:07:00] explaining it to a super non-technical person, which I think is one of the big difficulties that marketers have when working with their internal legal teams is explaining how pixels work. So give that to us a little bit, if you don’t mind.

Mark: Yeah, definitely. The GoodRx one in particular was quite interesting to me. Because if you were to read what GoodRx’s response was to that, it sounded like any company you could pick across the States, that’s exactly what they would be saying as well, right? Like, what we did was best practice, we didn’t do anything out of the normal.

It’s just all of a sudden you’re telling us it isn’t okay to do that anymore. So it was really interesting seeing that. What’s tough is that if you look at the way, I can’t remember what the name is, what’s the name of this? The entity, not the OCR?

Jenny: The FTC.

Mark: FTC. Yeah. So if you look at what came across and what they said, it was that GoodRx had shared all this private information. They’ve done all this, and what’s tough is that it’s tough to find out where the truth is in that, [00:08:00] because I don’t think GoodRx was intending to do that, at least based on their response.

But because of the way some of these pixels work, they almost feel like black boxes, so to speak. You put that pixel on and your intention is that you’re sharing, hey, this random user clicked on my ad. They did my conversion. That’s great. Let Facebook know that, or let Google Ads know that, so that Google Ads can then optimize your campaigns.

But what’s interesting is when you actually think about, well, what does that optimization mean, typically it means, well, that person did it, so I’m gonna find more people like that. And in order to do that, then the service has to know something about those people, about what they’ve been doing, what sites they’ve been on, who they are.

And so once you start thinking about kind of the mechanics that go into that, it’s like, oh, I guess they are providing some information. And again, I think most places are doing that with the intention of just, I wanna make sure that I get to the people that want my [00:09:00] stuff. I don’t wanna just be spraying it out and spamming people.

Mark: I want to get to the people that really need it. I think about a place like an addiction treatment service or something like that. Sure, you’re trying to send out some information, some marketing to let people know, hey, this service is out there. If you’re struggling, we’re here to help you. But without the kind of data that you need to really target in on people that may be struggling, people that may be needing help with that, you could end up sending that message to a bunch of people.

And a lot of those places, especially some of these small healthcare entities, don’t really have the budget to just spray it out to everyone. Right. It’s not the Mad Men days where we can just kind of have huge unlimited budgets.

So really it was more about us trying to focus in on the people that really need our help. It wasn’t anything nefarious necessarily, but what happened and what we realized was that Facebook could take that innocuous information, as we figured it, and they can turn that into something worse because of what they’re doing on their end.

Mark: And so then unfortunately through that process we have to realize, oh, well maybe we can’t share [00:10:00] this. Maybe we can’t share that. And I think that’s where a lot of this is coming from. Some work has been done. What’s tough is that, like I mentioned, those pixels are really black boxes.

Sometimes it’s just this little tiny one-by-one pixel that gets sent. But because you open that window, it has access to a lot of other things. What your browser stuff is, the history of your browser. Well, not history. I’m sorry.

Jenny: If you’re logged into the browser, it would have a lot of information. 

Mark: If you’re logged into Chrome, then it has all of that history that could be tied to it. Like for Google. Yeah, exactly. What your settings are, those kinds of things. Yeah. We would have access to that kind of stuff.

And so because of that, even opening that window, there are some issues there. And some of that is because we have to go through browsers, and so because we’re using those browsers, there are some ways around that. Some companies are coming up with APIs where we can pass stuff through APIs instead.

Mark: So we’re kind of bypassing the browser, but that still doesn’t get around the fact that [00:11:00] we’re still providing information to that third party about that user. So there’s all this gray area, and what’s tough is we really need some of these software companies to actually help us out. Their best interest is making money for their company, and data is huge business right now.

And so it’s kind of not in their best interest to help us kind of protect those users. Now we have seen some companies trying to help us with that. Recently I heard that LinkedIn is trying to make some updates about their group policy, who they share their ads with, stuff like that.

Mark: So I think, I’m hoping that some companies start to come around and help us out with this. But some of these companies are so big that I don’t think that’s one of their priorities. So then unfortunately that onus shifts to the individual users who are setting this stuff up. And so we have to just figure out how to protect ourselves when we can’t rely on those companies to actually protect us.

Jenny: Yeah, that’s such a great point. And I think it’s interesting too, like Google is so large, but I [00:12:00] think their days of being the front-runner in innovation are behind them. So expecting them to respond as quickly as smaller companies can, to be able to capitalize on this opportunity to begin billing a lot of healthcare organizations that have previously been using their services at no cost, it may take a lot longer for them to respond than it would have a few years ago.

So, one of the things I’ve been really proud about at Hedy & Hopp is the way that we’ve been responding to this. So, we like to say Pivot with Positivity because you never know what’s gonna happen next in healthcare marketing.

But we partnered with Drew Westbrook to be our legal counsel and we’ve developed three tiers of risk, and a great three step process that allows our clients to work with us to really bridge the gap between their internal legal teams and what the marketing team wants to do. 

The biggest thing that we hear from people is a general frustration, because legal doesn’t wanna be the bad guys, right?

Jenny: They don’t wanna come in and say, stop all marketing that you’re doing. But they also need to make sure that they’re [00:13:00] compliant and protecting their organization. And so there’s typically this really big gap within organizations of what legal understands as far as what marketing is doing and what marketing understands as far as what legal’s trying to accomplish.

So with this three step process, we’ve really been able to bridge that gap successfully over the last couple of months since this bulletin came out, and we are really excited to help more organizations do it. 

So it’s a three step process. The first step is audit. We go in and do a full documentation around all of the analytics tools, marketing tactics, CRM databases, anywhere prospective patients are touched or engaged with – all of that’s documented.

We then educate our clients about the three tiers of risk and help their legal team decide where they feel comfortable being within that three tier setup. And then we do formal recommendations according to their chosen level of risk, covering the implementation that we recommend and changes to their marketing tactics based off that chosen level of risk.

So I’m really [00:14:00] excited about what we’re doing right now, but can you explain a little bit about those three levels, or those three tiers of risk? Like why would one organization maybe choose one, whereas another organization might feel comfortable choosing another one?

Mark: Yeah, definitely. And, I will start off with that audit you talked about.

So that’s a really big one. I think one thing people don’t understand is there are cases where your website, you may think that it’s not, but it’s passing PHI. That audit will really help you understand that. Maybe there’s things where people could have a login page or they could have a form submission.

And while you’re not grabbing anything from those forms, there are times where your website is designed so that on the next page it passes stuff through the URL, and like we’ve mentioned, usually we set up page view tags to just grab all page views. So then when that stuff gets put in the URL, it’s not a good setup. We had this happen with a client not too long ago.

Their site was designed so the stuff got put into the URL, so they were capturing actual email addresses and [00:15:00] sending them to Google Analytics without meaning to at all. And so the audit will catch those kinds of things, and I think that’s really helpful. I think then what that leads into is the tiers you talked about.

Because once we kind of know some of those things, some of those issues you might be having, we can really determine whether you’re kind of high risk, whether you’re low risk. And that’s really what we’re looking for. So for example, in the audit, we may find that you have a lot of content on your site that’s very specific.

It talks about specific diagnoses or specific ailments. And so because of that, we would realize, oh, that may be a little more high risk. We may want to be concerned about passing that and stuff to Google Analytics. And so that’s something we can then bring to those tiers to kind of understand, okay, we might put you guys in this kind of higher risk tier because of all that content. But we may find sites that are a little more generic, not in a bad way, but more that they’re talking about different plans you can sign up to or some [00:16:00] different information that will be in their newsletter.

So here’s the types of stuff we give you. Those kinds of things and those pages we believe wouldn’t actually cause any issues. So then that can be kind of a low risk. So it’s us looking through that site, looking through your kind of digital properties to understand where those things are.

And after talking to Drew, using his best judgment on kind of where that would fit.

So if you have pages that are about a lot of specific ailments or diagnoses or diseases, whatever, that could be seen as that [00:17:00] PHI that we discussed, so then we could kind of put you into that more high risk kind of a bucket. Whereas if you have a more general site, speaking about general information, so here’s stuff that we can send to your newsletter, stuff that you’d get on a monthly basis, like that kind of general stuff is not going to be seen as bad.

Are you talking about the different plans you have available? Different features or services for different things? None of that is gonna be seen as PHI. So then we can put that kind of stuff in low risk. So depending on what kind of site you have, then we can kind of understand where we should go, where we should not.

The other part of this is you mentioned legal. And so that’s an interesting conversation where there’s going to be a lot of gray area, some room for kind of interpretation, so to speak. I think we’re gonna find that some companies are gonna feel like, oh, we’ve gotta shut this down.

Mark: We can’t do any of this. And then we’re gonna have other companies that are gonna say, well, we’re okay doing this. We’re okay doing that because of how we’re [00:18:00] structured and the way that we work. Really we’ve kind of laid that out so that we give kind of an impression of here’s where we think your risk tolerance would lie.

We’ll also speak to your legal team or to your leadership and have them understand, well, here’s where we feel like our risk tolerance is, and find a nice balance there. So what we’d find is on a high risk tier, or a low risk tolerance, however you wanna put it.

We’d find that you’re probably going to not want to just use a general analytics platform like Google Analytics. What we’ve found is that all your analytics platforms, based on the nature of how those work, are really gonna be collecting some of that PHI, the way that they’ve now defined it.

Mark: And so really what you’re gonna have to probably do is find an analytics provider that does sign a BAA with you, or allows you to keep your data on your own server so you can protect it, and then really kind of control what goes out the [00:19:00] door. So you can see that with things like server side analytics, some of that may be an option for those kinds of companies.

And then for that low risk tolerance, you’d also probably not do many pixels at all unless you really were confident about what was being passed in that pixel. So we would kind of limit you in what you could do, right? That would be our kind of recommendation and our guidance. Whereas on the higher risk tolerance side, it may be that, okay, we’re all right with using these types of pixels.

But even then we would probably still kind of lean toward, well, let’s not put them on specific pages, right? Let’s not do specific things with those pixels. Let’s just do the bare minimum that we need to really kind of make our marketing work. And what’s gonna be interesting there is that without official guidelines, and with those kind of gray areas and how risk tolerant you are, it’s kind of interesting to determine how your competitive advantage will go up or down based on that, right?

Mark: Because without some consistent enforcement or consistent kind of definition of [00:20:00] some of these things, the companies that feel like they can be more risk tolerant can kind of maybe have an advantage in the market over some of the others, and kind of trying to bridge that gap is gonna be tough. But I think there are creative ways that we can help the low risk tolerance clients still get around it and still make it work.

So there’s contextual advertising that we can use. Things like in Google Ads where we can look for other things people have searched and then we can give ads based on those things, right? So instead, we don’t really know anything about them, but we’re using the information they’re providing us at the time to really help them see that yes, we have some options for you.

Mark: So I think there’s stuff we can still do for those low risk tolerance, but it’s definitely gonna be a little bit harder of a road for sure. And then finally, there’s gonna be, like we mentioned, there’s gonna be gray areas. So there’s low and there’s high, and then there’s gonna be a lot of stuff in between.

And so I think we’re gonna have different points of, yes, we’re okay using Google Analytics, but no, we don’t want to use these pixels. Or we’d rather just use generic click tracking like a Lucky Orange or Crazy Egg or [00:21:00] something like that, which we’re still not clear about whether that’s passing user information. We think it’s probably okay.

But, again, still gray area and we’re all trying to figure it out right now.

Jenny: I think the thing that is exciting for me, based off of our organization’s passion about improving patients’ access to care, is we’re trying to go in and help both groups be successful, right? Like we want legal to feel comfortable in the tools and processes that marketing is using, so they’re comfortable with the level of compliance.

And we want marketing to continue to be able to do their job and be successful. I think what’s gonna be really interesting is over the next year, watching as this continues to shift and evolve as case law does come out, to be able to make it a little bit more definitive about how they’re going to be not only truly defining PHI, the importance of BAAs, but then also people’s perceived level of risk, which I think will continue to shift.

Well, thank you so much for being on today, Mark. 

For any of you that are currently [00:22:00] struggling with this, whether you’re on the legal side or on the marketing side, know that we’ll be on your side and we’ll help both groups feel comfortable with solutions.

We’d love to work with you. Give us a call. We have just a couple of additional slots available over the next couple of months to take on some additional clients for consulting work outside of our normal client workload. 

Would love to work with you, and help you solve this problem.

So have a great day and thank you for tuning in.



About the Author

Jenny Bristow is the CEO and Founder of Hedy & Hopp. Prior to starting Hedy & Hopp, Jenny launched, grew and sold a digital agency in Seattle and worked at Amazon. She was named one of St. Louis Business Journal’s 30 under 30, won a Stevie Award for Female Entrepreneur of the Year in 2018 and speaks regularly at healthcare marketing industry events.
