HIPAA Compliance Archives | Page 2 of 3

In this episode, Jenny welcomes Hedy & Hopp’s own Director of Marketing, Julia Pitlyk. Reflecting on their latest discussions around changes to patient data privacy, Jenny and Julia discuss what healthcare marketers should expect from their marketing tactics and analytics. They focus on two main areas of change: marketing activation and analytics, and specifically discuss how those two areas will be impacted by implementing server-side Google Tag Manager to address new privacy guidelines. They also discuss how other solutions, like new analytics tools and CDPs (Customer Data Platforms), differ in terms of how they impact these areas. Jenny and Julia also recommend ways to reset the benchmark of marketing performance and emphasize the importance of making sure marketing and legal/compliance leadership develop a shared point-of-view on how to move forward with new guidelines.

Jenny: [00:00:00] Hi friends, welcome to today’s episode of We Are, Marketing Happy – a healthcare marketing podcast. My name is Jenny Bristow. I am the CEO and owner of Hedy & Hopp, a full service, fully healthcare marketing agency. And I am so excited today to have Julia Pitlyk join the call. So I’m very excited to announce that Julia has officially joined Hedy & Hopp as our Director of Marketing.

Julia: Hello. So happy to be here. Second time on the podcast now in a different capacity. So excited. Thanks for letting me jump in on this really exciting topic.

Jenny: Oh, it’s so exciting. We did a webinar earlier this week and we had really strong attendance. It was really kind of heartfelt for me to be able to see the number of healthcare marketers that want to get this analytics and patient privacy issue right.

Now, nobody’s doing bad things on [00:01:00] purpose, right? They’re just taking things from other industries and putting them into healthcare. We didn’t as an or as an industry really realize the overall repercussions. So the webinar was fabulous. Side note, if you want to receive a copy of it, shoot me an email. We have it recorded.

Happy to share. Jenny at hedyandhopp .com. But today, let’s talk about execution because a lot of the Q&A, we did an extended Q&A, really just stayed on the line for folks to ask any questions. A lot of it was around like, “And then what?”

Julia: “Yeah, what now?” Yeah, absolutely. I love that you said in the webinar, like, we are problem aware at this point, right?

We’ve been dealing with this OCR guidance for almost a year. So the need to change is known. And we’ve heard so many people at all the conferences we’ve been to this year say, okay, we stripped off our analytics. We’re kind of in this. “What are we going to implement?” and then the next bucket is “And then how are we going to get back to marketing and what’s that going to look like for us and our patient acquisition [00:02:00] efforts in this sort of new paradigm of analytics and activation changes?”

Jenny: Yeah. So in this podcast episode, we’re not going to talk about the different journeys and ways you can fix your tracking. We have plenty of content on that. And like I said, the webinar is a great crash course if you want a recording of it, send it to me. What I want to talk about today is the path that we see most systems and providers and payers moving towards, which is server side tag manager, right?

They’re choosing not to do a CDP like FreshPaint. They’re choosing not to move over to a new analytics platform like PiwikPro, though, at the end of the session, I want to chat with you a little bit about the what ifs if they do that. But for those folks that are moving over to server side tag manager, I want to talk a little bit about kind of what that looks like. First of all, give me your thoughts. Like if you’re moving over, because you were on the client side really recently, like what kind of conversations are people having at the leadership level or what should they be having at the leadership level?

Julia: Yeah, absolutely. My [00:03:00] brain is always going to two big buckets.

It’s the analytics and the activation. And of course, they go hand in hand, especially over the past, what, decade and a half as marketers have become more and more data driven. We’re so used to looking at the data, making decisions, changing our tactics. Rinse and repeat. So I’m thinking about, okay, if I’m sitting on the client side, I’ve implemented server side Google Tag Manager to address the OCR bulletin and some of these guidelines that have come out, what are my analytics going to look like? And what’s my activation going to look like?

So I think first and foremost, I like to think about, like, what is just wholesale off the table? And we talked about this in our webinar a bit, and it’s hard to say but things like list buying, of course, list uploads, building lookalikes, like those are all things that you’re taking your data, you’re giving it to an ad platform, you’re feeding the beast as we say, like, no more.

That, very clear, put that in a bucket, that’s off the table. Then it’s okay, What tactics and activation [00:04:00] strategies are on the table in a different way?

So for us, that’s a lot of, like, the retargeting piece, right? You can do retargeting with data in the platform. So all of these, like, walled gardens we used to talk about Facebook, Google, they’ve got their data. You can use things like a consumer who clicked on an ad as an action that you can retarget on.

So that for me is, like, looking at that activation bucket first, because server side GTM is going to handle a lot of the analytics issues that are coming up from this bulletin. But it’s looking at that activation bucket and first and foremost saying like, okay, what do we put on the table? What are things we kind of need to tweak?

And then some of those bigger questions that come out of it for me are, Okay, we took some tactics off the table. We changed some things from our retargeting and our conversion attribution. What is our data going to look like? Because so many of these marketers are saying, well, leadership’s not changing our growth expectations after this bulletin came out.

[00:05:00] We still need high performing digital marketing and the tactics we were doing were getting us there. For me, it’s that next step is how to proactively talk to leadership about, w’re changing tactics because of these reasons, what should we all expect to come from it? And sort of giving some runway to really learn from the tactical change.

Jenny: Absolutely. It’s sort of like whenever thinking back, whenever folks switched from Google Analytics to GA4, right. It went from session to event targeting. That’s not apples to apples, right? And so this is that same kind of situation. It’s a line in the sand, not apples to apples anymore. Our goal is still the same efficacy of spend, but it’s, it’s not the same.

One thing I heard in a webinar I did yesterday with a hospital specific group in the afternoon I did one, is one of the people actually said, “I feel like we need to go back to strictly analog marketing tactics” and it hurt my heart. I was like, No. No, do not do that. [00:06:00] Digital is still 100 percent possible.

You just have to stop putting data into these platforms. Like you said, walled garden, use what’s in Facebook. You can use Facebook’s targeting if they have specific targeting set up based off of age, occupation, interest, whatever. You can still use all of that, right? You just can’t upload your list into Facebook to make it more specific.

Julia: Yeah, exactly. Exactly. So I think like a very specific example that we see a tactic, kind of a journey that we see a lot of our clients doing is patient acquisition marketing goes to a landing page. The goal is to fill out the form, right? Like, I love that. Cause we want that, that email address, something to have more of that one to one communication with, making sure that you’re doing it in systems that are compliant.

So that journey makes perfect sense. So I look at that and say, okay, what in this new world order needs to change. And it’s optimizing the ads to that conversion of filling out that form because you’re taking a thing that’s happening in your world and you’re sending it back to the ad platforms and [00:07:00] saying, optimize for this.

So, if that’s being taken off the table, what can we expect to see in our campaign performance data because of that? Those tactics were on the table because they worked, right? Like, we’re performance marketers. They made the ads perform better. They brought down CPAs. So if I’m in that seat and what we’re telling our clients in that seat is that needs to be treated as, you need to look at it as sort of a new benchmarking period, telling your leadership.

What do you think the next two to four weeks, maybe even a couple of months. Like, yeah, we are making a technical change. I would literally like in the measurement plan documents that we have and in your analytics tools, like on this date, we changed these things for any optimization and say, okay, now we have this line in the sand.

And for the next two, four, six, whatever weeks, we’re looking to see what’s happening to our CPA. Like we heard at some conferences, the numbers are going to go in a direction that [00:08:00] you probably don’t want, you don’t want them to go in. It doesn’t feel good. It doesn’t feel good. This isn’t a marketing optimization tactical change.

It’s a regulatory and compliance one. But I think really running through that thought experiment of, what are we expecting to see, starting to see that with leadership and really start to say, like, we need to have this X amount of weeks as a learning period to see what performance we can get with this new type of compliant marketing and then use that to inform some updated projections and budget needs.

And I know all of that sounds very, those aren’t ideal conversations to have. I think again, like we said, to any client any year of doing this, it’s, bring the data to the table and have an informed conversation based off of that.

Jenny: And I think it’s really important to highlight that we’re not stripping away all data, right?

We’re not going into a blind world where we don’t understand anything anymore. If you choose a server side Google Tag Manager implementation, which again, most people that we’re talking to [00:09:00] are choosing that path from an annual cost savings, speed of implementation, et cetera, you still can use UTM parameters.

To be able to track and understand the success of campaigns, keywords, creatives, a lot of platforms like LinkedIn just two weeks ago came out with the LinkedIn conversion API that you can actually tie in to pull conversion data in to be able to understand how to optimize. The part we’re missing though, for people to understand is that automated feedback loop where it’s automatically optimized completed conversions.

You’re still going to get conversion information. You’re just going to have to pay a little bit more attention to the way that your team chooses to optimize or your agency, whatever chooses to optimize those campaigns. Right. But it’s not the end of the world.

Julia: I think this is also one of those periods of time where it’s, let’s roll up our sleeves and really get into the data. Yes, we’re going to, we’re going to lack some of that automated sort of I would say I would also challenge like this, this is an opportunity, to paint it nicely, to roll up your sleeves and look at, even when [00:10:00] you have, before you make some of these tactical changes really look at the patient acquisition, let’s see as far down the funnel as you can.

And I think, we really push a lot of our clients to do this when we do that full ROI analysis, but let’s take it beyond that form fill, which is a wonderful marketing conversion, but how many of those patients, or prospective patients, we should say, how many of them pulled through to schedule an appointment?

How many of them pulled through to actually show up to an appointment, right? And that’s definitely a, again, a roll up your sleeves data exercise, but I would be really curious to know, are you seeing certain trends in certain channels where maybe you’re getting a lot of volume form fills, but not quite the pull through lower funnel.

And maybe this is a way to inform some adjustments to your marketing mix spend, too.

Jenny: Oh, I love that. That’s such a positive way to go into it as an opportunity versus simply feeling like you’re having things stripped away from you. So I love that. Pivot with positivity, as we say at Hedy & Hopp. [00:11:00] Agreed.

Julia: Agreed. I think this puts us in a little bit of like, a last touch attribution world. I’m curious what you think about that. Google ‘marketing attribution models’ and you’ll find so many complex custom implementations. I feel like this pushes us to a last touch, but maybe helps us get a little bit away from chasing that holy grail of the perfect attribution model at the same time. What do you think?

Jenny: Yeah, no I agree with that. I think it’ll be interesting once we see more full implementations and more time with those implementations. I’d love to have somebody from our activation analytics team on a future podcast and talk about the data. Like what have our clients seen?

Because right now I feel like it’s going to be mostly speculation. I think there are still ways that you could do a multi-touch attribution model. But I don’t know with real world execution what that’s going to look like. So I think that’s kind of like a TBD, totally agree. Yeah. So let’s talk a little bit about, so that’s the solution if somebody is going the path of server side tag manager.

Or the, [00:12:00] not solution, that is the expectation of experience. You know what I’m saying? If they choose a CDP or a new analytics tool, which are the other two journeys that we talk about in our webinar and our overall education process around this they don’t, it doesn’t necessarily change it. You know what I’m saying?

Like on the tactic execution, you can’t do remarketing just because you chose to go with PiwikPro or you can’t do, you can’t upload lists to Facebook simply because you chose to go with FreshPaint. It doesn’t change tactical execution, but it may change the way that you view data and the way that data is presented to your leadership team, right?

Julia: Yeah, absolutely. And that’s where, like, looking at some of those other journeys, I just keep pulling my brain back to analytics and activation because exactly that. If you implement PiwikPro, like the tactical stuff still needs to be put back on the shelves and the things we mentioned earlier. So that’s, there’s just definitely two big buckets to navigate really through.

I think CDPs, uh, for an organization that’s ready [00:13:00] for it. And by ready, there’s a data maturity, there’s resources on tech and marketing, there’s budget. I think those are better positioned to be a solution that helps tackle both the analytics and the activation because it sits kind of right on top of your, your world and it takes your data and sends it to the, the analytics and the activation platforms.

So that’s something that I think could be a really good path forward. But again, got to be ready for it. Your organization’s got to be ready for it. So that’s why we focus so much on the server side GTM because it’s something that we’re just, has a lower barrier to entry to get that, get the analytics to get the data back. But you’re, you’re exactly right. It’s not, there’s no one perfect, easy switch to flip on or off. That’s going to address the complications in all of these buckets.

Jenny: So it’s really interesting to me that nobody yet is talking about marketing tactic changes based off of this.

I feel like we’re the only ones raising this. So far, so when we think about like [00:14:00] problem or versus solution aware, when you think about marketing analytics, most organizations are solution aware, but the number of questions in our webinar yesterday or on Wednesday about tactical changes as a result of all of this was kind of astonishing to me.

I feel like most people aren’t even problem aware yet on that side of the house. So it’s going to be interesting. I feel like over the next six months, as people start figuring out, Oh, wow, my agency is trying to do media buys as normal and they aren’t bringing anything new to the table, but they’re not the ones that are going to get the big OCR fines.

Julia: And that, I think that a lot of that comes from, in the problem aware period, right? What we’ve been saying, audit everything, go to Builtwith.com, scrape every tag you may know or not know is on your site. Look at your entire martech stack. And I think where some of that is coming from is that, if you read the bulletin, it’s, you can very clearly when you read it, kind of ascertain, okay, we’re talking Google Analytics, we’re talking about Meta. But then you start to see all of these other tools that [00:15:00] work based off of some semblance of like seeing an IP address or a device. And it really, you start to turn over all those rocks and think about all the ways that you, communicate, distribute content on your site, and it really opens up this kind of this hornet’s nest of activation.

So I think that’s where again even though you may know at a high level, okay, we can’t feed the beast with our data, IP is PHI, like, still doing that audit because it really helps you kind of block and tackle and look at what solutions in your tech stack you may need to change in addition to tactics.

Jenny: Exactly. Exactly. Oh, I feel like this has been a really helpful overview and hopefully it’s going to spark some really good conversations within organizations about how, uh, they want to approach it better setting expectations, kind of creating a level of calm around it, right? Like we can’t change this.

So we might as well lean in a way that is healthy for our organization and not create unnecessary chaos within our conversations and expectations. So [00:16:00] I like that. Any parting words?

Julia: Well, I love that because I find calm and spreadsheets, taking the data and saying, okay, what, what might be worst case scenario, middle case scenario, best case scenario, like, just again, finding a little bit of clarity through taking your, taking your mind to what could happen to your marketing next, I think is going to just help, uh, keep ripping the bandaid off and keep setting those expectations.

Jenny: And knowing it’s not just their organization, right? Everybody in healthcare is experiencing this. And I had one person push back whenever I was chatting with them and they said like, well, what’s enforcement look like if other people in our niche part of the healthcare world are not yet doing this, that means their marketing is going to be more successful than ours over the next year to two years.

And we are private equity backed. So that means our performance will be worse. Right? And then it’s like a spiraling conversation of like, how long could we keep doing this until we’re fined? And I just think, that is a different way to approach the problem because Hedy & Hopp, in our hearts, we just want to protect patients data.[00:17:00]

Right. So like, yeah, it’s difficult, but like, is that extra 2 percent growth that you’re going to experience going to be worth the potential liability down the road? I don’t know that your private equity firm would think that’s true.

Julia: It does come down to some POVs. Ours is out there and it’s always on the side of the patient privacy, but that is definitely something for every organization’s marketing leadership, organizational leadership, and legal and compliance leadership to have equal seats at the table to discuss.

Jenny: I love it. Well, for our loyal listeners, I want to make sure that you follow us on all of the social channels because we have a really fun micro content series we’re going to be launching in the coming weeks called “Hit of Happy.” It’s going to be hosted by Julia and she’s going to be covering a lot of information that we get asked really often by prospects and clients and really digestible short series.

So we’re going to put links to our socials in the show notes. Please go and follow us there if you haven’t already, [00:18:00] because I guarantee it’s going to be worth your time. So thank you again for tuning in today to We Are, Marketing Happy, and we’ll see you on a future episode.

Welcome back! Jenny is here today to present the impact of OCR’s December 2022 Bulletin on healthcare marketing. She starts off discussing how the bulletin categorized IP addresses as PHI, causing panic among many marketers, and why she disagrees with the American Hospital Association’s stance to fully withdraw the guidance. She advocates for patient privacy and supports OCR’s guidance. Jenny welcomes the opportunity to be a leader and example to other industries in the safety of personal information. She emphasizes the importance of technology companies’ understanding and protecting patient data, highlights affordable and effective solutions to do so, and calls for a standardized approach to protect patient privacy, even if it means reallocating some marketing budget.

Jenny: Hi friends. Welcome to today’s special episode of We Are Marketing Happy, A Healthcare Marketing Podcast. I am Jenny Bristow. I am the CEO and founder of Hedy & Hopp, a full service, fully healthcare marketing agency. And we have been really leading the way as far as publicly discussing OCR’s December 2022 bulletin, the huge impact it has had on the way marketers and healthcare can really do their jobs.

We have also really been leaning in as far as all of the movement with FTC for healthcare adjacent organizations, as well as a lot of state laws. We have episodes specifically dedicated to each of those topics, which we’ll link to in the show notes, But, you know, there aren’t really many moments in healthcare where we really have the tea, right?

Like let’s share the tea and talk about some gossip and some super controversial things, right? Like we’re healthcare marketers. It usually doesn’t happen. Well, my team has really been digging into a lot of the publicly shared responses to OCR’s bulletin. They actually put out an RFI. You know, we want to hear from the public about your thoughts about our bulletin.

And we had a client actually ask us to give our perspective on AHA’s response, American Hospital Association’s. And we actually had an in-person coffee session this morning and it got heated with all of my team members. They were so frustrated at American Hospital Association’s perspective and their position on the bulletin that I just felt so compelled to come on and actually share Hedy & Hopp’s stance.

So let’s back up a little bit as most of you should know the December 2022 bulletin effectively began categorizing IP addresses on the marketing front end of websites as PHI. So before it was only once you were actively within say a patient portal within an Epic instance, whatever, was the only time that marketers really had to think about HIPAA.

This bulletin completely changed everything. All of the technologies that we knew, liked, and loved suddenly were no longer able to be used. Things like Google Analytics were no longer compliant. And there was a huge moment of panic. Right? Like all of us, including us at Hedy & Hopp kind of stepped back and was like, well, now what do we do?

What do we do now? We, if we can’t use these things that all of these other organizations and companies and other industries are using to provide a great consumerization experience, how are we going to continue to serve patients in a positive way? So we had our little moment, our little pity party. But then we buckled down and we figured it out and, turns out it’s not that hard.

It’s not that hard and it’s not that expensive. So I want to step back and talk about this a little bit, because myself and the rest of the team at Hedy & Hopp strongly disagree with AHA’s stance. Them saying, let me actually quote this, “AHA recommends that Congress should consider exploring how to better require entities not covered by HIPAA to protect patient privacy, especially those third party entities that decline to sign BAAs, and they urge Congress to make clear to OCR that the agency should withdraw this guidance immediately”.

And that it is, this part is in separate, “It is onerous and it is impossible for marketers to continue doing their jobs. Not only does this OCR rule violate HIPAA, it inflicts meaningful harm on patients and public health. Congress should urge OCR to withdraw the rule immediately.”

Really, American Hospital Association? Really? Oh, I love when zoom does that to me. I was not giving AHA a thumbs up by the way. So ever since 2018 Congress has been fumbling its way through understanding how technology works, right? Like I remember whenever Zuckerberg was on stand and then all of these memes came out because basically it felt like all of these old people were asking Zuckerberg why their grandchildren weren’t accepting their friend requests, right?

Memes galore really showcase the questions they were asking, totally showed a lack of understanding about how the technology worked. That’s scary, right? People that are legislating not understanding what they are legislating is scary. But does that mean we’re going to leave it to the technology companies to decide what information should be captured and stored?

So we have been attending all of these healthcare conferences and we’ve really been going on a speaking tour. I spoke at SHSMD, next week I’m at SMASH. We attended Becker’s and talked with a lot of participants about it. And then I’m going to HCIC. The list goes on and on, right? Because this is such a hot topic.

Well, as a follow up, we actually decided to audit all of the provider websites for those folks that were at SHSMD. You would be astounded, out of hundreds, I think there were over 450 provider groups, that only 70 had removed scary tags. Vast majority of them had Meta tags. Some of them had TikTok conversion tags.

I’ll tell you if I’m searching for care – I’ve been very public about a lot of my healthcare stuff that’s been happening beginning of this year. I’ve had to seek out and research lots of care. TikTok knowing that I was doing, that Meta knowing that I was doing that is terrifying. I guarantee they are not going to be taking care of my information and data. So, I do not like government stepping in and legislating and telling us how to do our jobs. But if we are not the ones, but if they are not the ones doing it, nobody is going to do it. So let me just give you a couple of examples. Since that bulletin was put out a couple of really cool things happened. A lot of ad platforms are now putting out APIs that allow you, if you do server side tag management on a server, that’s willing to sign a BAA.

For example, the Google Cloud Platform is willing to sign a Business Associates Agreement. Awesome. So, LinkedIn, just a couple of weeks ago, released the LinkedIn cAPI. It’s a conversion API. So you can pull all of the information from your ads and so you don’t lose any of that conversion information.

Google just launched the Google Ads Data Manager, which we highly anticipate will be rolled into the Google Cloud Platform, which means it’s protected by a BAA. All of these groups are actually doing things now that are protecting patient data, visitor data, right. If you step outside of healthcare, this is a super positive step.

They’re allowing the marketers and technology folks to be able to truly control what information is shared versus just thinking we’re redacting it or anonymizing it on the platform without actually doing it. And all of this has happened since the bulletin. It is not super expensive to roll out a new solution, server side Google Tag Manager or a platform like there’s a large number of them.

So I know I just mentioned Google Cloud Platform, but there’s a lot of other ones that are willing to sign a BAA, really easy solution. You can still use Google Analytics, don’t have to change your processes at all, but it’s going through a filter that’s protected and protected by a BAA. And you’re all safe.

That’s not very expensive. It really isn’t. It’s not onerous. It’s not putting undue pressure on marketers, but you know what is really scary in the audits that we’ve been conducting since this bulletin came out. Two things that terrify me as a patient. First, one person we did, organization we did an audit for had built their web forms in such a way that whenever you submitted an inquiry, all of that form data was put up in a URL parameter and every single tool or pixel that was put on that website could then capture the person’s full name, date of birth, email address, home mailing address, everything was being captured. Terrifying.

We have audited and found a lot of systems have call tracking. And they are not implementing a HIPAA safe version. So the entire call is being recorded and shared with all of the agency partners that they’ve given access to that tool. So “Hi, this is Jenny. Yeah, I have this, I’m calling a doctor to make an appointment. Yeah. I have this really weird rash that won’t go away. Yeah. Oh yeah. Here’s my date of birth. Yeah. When can I get in for an appointment? Yeah. Here’s my home mailing address.”

Those recordings are then available to dozens of people that have access to that platform. Terrifying as a patient. I don’t want my personal information shared with Joe from Rando IT company.

And I’m sure you don’t either. And then also again, like, TikTok tags being on some very, like, providers that we hold in such high regard as far as the types of care that they provide. And they’re sharing all of this information with Meta and TikTok and all of these other organizations.

American Hospital Association, I appreciate that you’re trying to reduce the administrative burden. You’re trying to reduce cost, but this is not a hill that’s hard to climb. This is in the patient’s best interest. As a patient, I want this to become standardized. And for all of the audits and implementations we have done, it’s not that expensive.

It is not that hard. You have to understand technology, but it’s absolutely doable. And if healthcare has to implement this so that way the rest and all the other industries end up protecting consumer privacy as much as we should be protecting patient privacy, I consider that a win. So, would I rather see our clients budgets going towards more marketing campaigns for the little budget that has to be done to redo all of their analytics tech stacks?

Of course, every dollar that we could eke out to help patients in the marketing budget to help them find better care, buy a health insurance plan that gives them the coverage that they need, whatever it may be, I would always prefer that be done. But if we have to sacrifice a small little bit of budget in 2023 and 2024 in order to make sure that patient information is correctly stored, you bet that’s the right call.

And I really hope that American Hospital Association changes their position and I, for one, do hope that OCR does not change their position. And instead, we end up being the bright, shining light that other industries begin following because we paved the way to make sure that individuals’ information. is safe.

So with that, thank you for tuning in. And I hope to see you on a future episode of We Are, Marketing Happy. If you agree or disagree, whatever it is, catch me on LinkedIn, share your comments and thoughts in the chat. I’d love to hear from y’all. Have a great day.

On this episode, Jenny is again joined by Shelby Auer, Account Manager at Hedy & Hopp as they bring even more insights from their time at SHSMD 2023. Today she and Shelby discuss the evolving landscape of healthcare marketing regulations, pointing out changes in marketing practices driven by HIPAA, FTC, and state laws. Jenny highlights the importance of understanding GDPR, even for U.S.-based businesses, as opt-in policies and the “right to be forgotten” become more relevant. They also break down the growing complexity of state laws and emphasizes the need for collaboration between marketing, legal, and compliance teams to navigate these challenges.

Jenny: [00:00:00] Hi, friends. Welcome to today’s episode of We Are Marketing Happy, a Healthcare Marketing Podcast. My name is Jenny Bristow. I’m the CEO and founder at Hedy and Hopp, a healthcare marketing agency. I am so excited to be here today. We just got back from SHSMD. I’m joined with Shelby Auer on my team, and we presented on, um, HIPAA, FTC, and state laws.

So, as most of y’all know, or you should know, the rug was basically pulled out from all of us. Um, a year ago today at SHSMD, there were many events talking about best practices for marketing technologies and your tech stack. All of those recommendations are now wrong. So I have a whole other episode that we’ll link to in the show notes that’s a 101 on HIPAA and FTC, but a lot of the questions I received were specifically related to GDPR and state laws.

So we wanted to talk a little bit about that first, and then [00:01:00] Shelby and I are going to dig into some of the feedback we received, because one of the cool things is we, as a result of being the first session on the one of the first sessions on the first day, is we ended up having dozens of folks coming and chatting with us about their individual team’s response, their legal team’s perspective, etc.

So we’re excited to share some of that. So first of all, I want to talk a little bit about GDPR and state laws. So first GDPR, most folks that are within the United States are probably thinking, Oh, I don’t need to worry about GDPR. We don’t sell to or do business with anyone in Europe. Well, maybe not. But here’s 2 key things about GDPR you need to know exist.

GDPR has 2 things that are very different from the way we operate within the United States. The first one is they are opt in versus opt out, which means, you know, how on your website, the cookie preferences loads, um, and you hit accept, um, you actually, if you hit do not accept, um, [00:02:00] or no, well, you have to hit, yes, give it to me, give the cookie me in Europe.

Whereas in the United States, you have to say, no, please do not put cookies on my computer and track me. And so it’s just a completely different perspective. And they’re tracking, um, percentages that are way, way smaller in Europe because most folks do not choose to opt in, whereas in the United States, most folks stay opted in and they don’t choose to opt out.

So that’s the first one. The second one is right to be forgotten. So pause for a minute and think about your marketing tech stack and think about if Jenny from St. Louis called you and said, Hey, I would like for you to delete me from all of your databases. Do you have any idea how you would actually do that?

That thought alone probably scares you, as it should, but again, that exists in GDPR and the United States, we mostly don’t have that. But there are four state laws that are currently online, California, Virginia, Colorado, and Connecticut, and California [00:03:00] is likely soon going to require data brokers to allow consumers to submit a right to be forgotten request.

So this is creeping into the United States. So it’s important to know how GDPR functions because we’re starting to see it show up in many other states. Um, we’re not going to go through all of the different state regulations because they are really intense. We actually have a couple of summary slides that I do in actual presentations just to give you a high level like cliff notes version, but your attorneys absolutely need to look at each state law and figure out how you need to comply.

Um, the other one that is really crazy is in Florida. Um, there are regulations around, um, having data stored outside of the country. So for example, if you use an offshoring company, uh, finding out where your servers are actually physically located, there are some repercussions related to anything [00:04:00] actually physically, um, or digitally outside of the United States.

Utah, Iowa, Indiana, Montana, and Tennessee are two that are scheduled to come online in the next about 12 to 18 months. And there are many, many more states that are scheduled to come online shortly after or are currently in legislative conversations and review.

So even if you’re a covered entity and you are, uh, complying with all things HIPAA, there’s still likely maybe some things that you need to think about at the state law level. And if you are not a covered entity, and you’re really just thinking about FTC, you also need to be thinking about state laws.

Washington, for example, has a regulation that says if you are a covered entity and you’re treating data like PHI, then that law does not apply to you, the regulations do not apply. But if you are not a covered entity and you are or are not treating data like PHI, it does apply to you. So for example, there are a [00:05:00] lot of what we call healthcare adjacent organizations that think they don’t have to really be thinking about this, or if they treat their data like PHI, they don’t have to worry about state law.

And again, that just isn’t true. These things are changing rapidly. Shelby, what are your thoughts on state laws? You’re working with a few different client projects right now from an audit and recommendations perspective and state laws get pretty hairy, right?

Shelby: Yes. Oh my goodness. All and figuring out how to approach the state laws because there’s a lot of conversation of, oh, is California the most strict?

Well, if we’re okay in California, are we okay in all of these other states? And it’s so, so important. I heard multiple people when we were at SHSMD say this, but to become BFFs with legal and privacy, legal and compliance. That is so true. So, so true. As much as it can be a little bit of a battle, making sure that there’s open lines of communication, that your [00:06:00] digital team is comfortable helping legal and privacy, understand the technicalities behind the changes in these laws and vice versa. Because that’s, that’s a lot of what I’ve, I’ve been working with clients is making sure that all of these different groups are talking to each other and help each other speak the same language because all of these state laws coming on are so hairy.

There is not a stop in sight. It’s just continuing to come down the pipeline with more and more states or additions to current state laws that are out there. So that’s, that’s really the biggest thing that that I’ve been working through lately and just making sure that everyone’s talking to each other and on the same page.

Jenny: Absolutely. Uh, the audit process that we talk about, not only in that first episode that again, we’ll link to in the show notes, but also that I presented at SHSMD is really doing that due diligence to show your legal and compliance teams that, Hey, I’m taking this seriously too. I am not putting my head, you know, down and trying to [00:07:00] ignore that all of this is happening.

We’re doing the work right now. I want to do the work alongside you, um, on the same side of the table, not opposite sides of the table. We both want the same thing for the benefit of our customers and patients 100%.

Shelby: And I think one of the things Jenny said, you said in your presentation that I think was really important for a lot of people to hear is right, this isn’t just your marketing, advertising and analytics platforms, but there are so many other things on your tech stack that are in the code of your site that are collecting things like IP address that so many people, you just don’t, you don’t even think about it. Right. And we didn’t have to up until late last year.

And so I think, yeah, that audit process is so incredibly important to have one place where, you know, exactly everything that is touching your site and what information it has access to.

Jenny: And not just your site, your entire digital footprint, right? Like there were some audible gasps in the room when I walked through some [00:08:00] examples of things our team has found during audits.

For example, I’ll just name a couple of them just to kind of help you help our listeners think about the broadness of this audit and the level of patient care that we need to have from a data angle. So one, for example is we have found on one site we audited that when forms were filled out on the website, that then field variables were then put up into the URL parameters.

So that means then things like Google or any other tool or software on the website are then indexing those URLs and all of that information, the person’s name, email address, whatever information they put in about the, um, you know, state of health, their health or any questions they entered is all now available free on the internet for all these tools to scrape.

Um, another thing is a lot of video players that are embedded on websites are actually behind the scenes pulling in IP and device ID information, which as [00:09:00] we all know now is no longer allowed. And then other examples are things like your call tracking tools or your advertising platforms.

Oftentimes we already know pixels can’t be on the site, right? We talked about that a lot. But what about the data that’s being in those platforms as far as, for example, call tracking tools has the phone number and then they have the recording of the call of them calling to make an appointment.

Advertising platforms, maybe, um, you’re maybe somebody in the past uploaded a patient, uh, list and they have lookalike audiences that they have built based off of that. There are all these different ways that you may inadvertently have been sharing this patient information. Audits need to be way more comprehensive than simply looking at your analytics setup.

So let’s dig in and talk a little bit about things that we heard folks doing. So we literally had a line at our booth almost the entire time, which was awesome to see, right? Like we love those conversations. And it [00:10:00] also is kind of disheartening sometimes because the number of people that came up to me and said, Oh, we thought we had it figured out, but everything you talked about just made me realize all of these other things that I need to look at now.

Um, and I, I hate that I started their conference in that way, but what are some of the things that you heard? How are folks approaching this?

Shelby: Oh, yes it’s, it’s interesting because there are definitely some folks that said, Oh, we took off everything. We went cold turkey and we are in this, you know, sixty to eighty day range of not really having much to be able to look at in regards to what we’re tracking until we get something else in place.

Uh, but again, this, I, I talked to individuals who, who were super on the defensive, right? Took everything off their site and yet there’s still issues popping up. They thought they had gotten everything and then they’re, oh, oh, yep, we got a video embedded on the site. [00:11:00] And I didn’t realize that that’s an issue, right?

So it’s, it’s, it’s been interesting to hear from the folks who, who were taking that stance that, yes, there are these things that are hidden that are hard to find, it’s not as easy as just, Oh, here are the 10, uh, platforms that we utilize in our week to week and, oh, we’re taking those off and we’re good.

Jenny: Totally agree. Some of the things that I heard is there were a variety of, um, orgs that came up to us that were in the middle of an implementation of either a CDP or a completely new analytics platform. And a large percentage of them actually had paused the work before coming to the conference in order to learn more about best practices and what other systems are doing before fully implementing them.

So those were some good conversations. We were able to share some insights about the tools they were looking to partner with some watchouts, um, and just some best practices about, which I think was really helpful. Um, other [00:12:00] things is, um, some folks did not realize that sometimes forms are actually implemented by third parties.

They just assumed it was part of the website database. So a lot of folks are going home, checking on that. Um, we have a lot of folks that are, um, going and checking on their advertising platforms. What else Shelby?

Shelby: There was, I will remember that, like, this was such a vivid memory, uh, in one of the sessions, someone asked such a great question about the video tools, right?

And they had said, you know, say we have a video on a page talking about West Nile Virus and tips and tricks when you’re dealing with somewhere where there’s going to be a lot of mosquitoes. What should you keep in mind? Right? So it’s, it’s more of a news story. It’s more of a tool. It’s not exactly a specific health condition.

And they’re like, [00:13:00] what do we, you know, is that worrisome? Should we not be, you know, utilizing those web posting services or having that type of video or any sort of tracking? And again, it was a panel discussion and everyone’s like, okay, you know, this is a gray area, right? You need to be talking to your legal and compliance, but at the end of the day, they could be researching, maybe they think they have West Nile.

Maybe they’re going to go talk to their PCP about some symptoms that they’re having. And so that’s how they got there. That really, the safest route is to make sure that you’re not utilizing any tools that’s going to be pulling in that patient information about what the content of the video is, even if it’s something that might even seem like, well, this is just educating the community.

This isn’t a specific health condition, which I thought was really important to think about.

Jenny: I agree. Um, a couple of examples we gave are, um, you know, if you’re a cancer center or if you’re [00:14:00] a, uh, breast health center or, um, whatever, if, if you’re not a large system where from your homepage, you’re listing out 12 different service lines our POV, again this is gray. Your own attorney needs to make this call. That our POV is you need to treat the entire website with care. You need to make sure that you’re not collecting IP addresses anywhere. Um, so some organizations had been thinking about only removing pixels from symptom specific or a super care specific pages kind of taking that bulletin verbatim.

But our POV is if you’re doing that, why not just fully protect that patient’s data throughout the entire journey, right? If anything, I think it’s easier from a tech stack perspective to treat all of it with the care and consideration that it needs. So, again, that’s something that they have to chat about with their internal legal and compliance teams, but definitely good food for thought.

So awesome. Well, thank you, Shelby, for tuning [00:15:00] in and for all of our listeners. I really hope that the GDPR and state law level information is helpful and guiding you and helping you understand the different questions you should be bringing to your legal and compliance teams again.

Cause if you’re on the same side of the table as them and you’re working together to make sure that patient information is safe and secure, it is such an easier conversation than if you dig your heels in and try to protect what you’re comfortable with. So thanks for tuning in. As always, Hedy and Hopp is here to answer any burning questions you may have.

Reach out to us. Otherwise, we’ll see you on a future episode of We Are Marketing Happy.

Fresh off the road from this year’s SHSMD Conference, Jenny and Shelby Auer, Account Manager at Hedy and Hopp, share their highlights from the conference in Chicago. They discuss various sessions and speakers, including insights on rural healthcare, brand management, internal communications, data-driven decision-making, and improving the patient experience. They also speak about the importance of learning and sharing experiences within the healthcare marketing industry to make a positive impact. (Check out the show notes on YouTube for links to our favorite speakers.)

Jenny: [00:00:00] Hi, friends. Welcome to today’s episode of We Are Marketing Happy, A Healthcare Marketing Podcast. My name is Jenny Bristow. I am the CEO and founder at Hedy and Hopp, a healthcare marketing agency. And I am joined today with an account manager from Hedy and Hopp, Shelby. Auer. So, Shelby and I just got back from SHSMD ‘23 in Chicago.

We had an amazing time and we wanted to do just a quick little recap for any folks that weren’t able to attend or even those who did attend but weren’t able to attend all of the different speaks, uh, talks, speakers. So, what we’re going to be doing is we’re just going to highlight a couple of things that really stood out to us as far as events.

We’re going to link to all of the speakers in the show notes, to their LinkedIn. And we’re going to tag them on LinkedIn. If you have any questions about the presentations, I’m sure they would love to talk to you about it. Everybody was so amazing at the event. So, Shelby, first of all, high [00:01:00] level, tell me about SHSMD.

This was your first ever SHSMD. So tell me a little bit about your, just some big key takeaways.

Shelby: Yes. Oh my goodness. It was so wonderful getting to meet and connect with such wonderful people. Everyone. I mean, Brad, or Bread, as I should call him, who kicked us all off with such a great, uh, keynote, really nailed, nailed it on the head in regard to how wonderful and weird in the best way possible the group at SHSMD is.

And so, it was so wonderful getting to connect with everyone and knowing that a lot of the HIPAA conversations that we’ve been having as an agency is really top of mind across the industry, so it was so wonderful getting to connect with so many people who really just want to protect their patients and figure out what the heck they need to do with everything that’s going on.

And so, it was wonderful getting to brainstorm and talk to such wonderful people.

Jenny: That’s awesome. I completely agree with you, just, healthcare people are the best people. So, let’s jump in and talk a little bit about some of our favorite sessions. So, I will jump in and go first. So, there was a, um, a topic specifically about rural health that I absolutely loved.

So, I grew up in a super rural town, um, there were 11 kids in my class from grades K through 8. So, super, super small. So, I was really interested in attending this one to be able to hear more from different POVs about how folks are actually approaching those communications, understanding what research methodology they’re using to understand their access to, um, internet, um, likelihood to schedule annual exams, those kinds of things.

The speaker was Pauline Hoffman. She was absolutely phenomenal, great speaker. Um, but there was a couple of things that she mentioned. One thing she mentioned, the phrase social listening, but she used it in a different [00:03:00] terminology, which I actually really, really appreciated. She used social listening by actually like using your ears, right?

Not using tools and software, but actually like when you’re sitting in like a PTO event or you’re sitting in a restaurant in your small town, actually listening to hear what people are saying about the physicians and the facilities because in small towns, a lot of folks are going to be talking just through word of mouth versus using digital platforms like you may see in more urban areas.

And then some of the other things that she actually talked about is, um, getting information, um, about your services to first responders, because they’re some of the people that are most trusted in your community and have the ability to share information about access to care.

And then the third thing is, she talked a lot about fighting disinformation. Um, and not only about, um, you know, your physician. and facilities, but also just about the world and care that we want to and [00:04:00] need to offer to help make our communities a healthier and safer place. Um, and she had some really interesting perspectives talking about how PR is generally not as understood and they think it’s more of a spin position versus trying to share her phrase was truth and trust, um, which I thought was really great.

Shelby: Love that. Well, and speaking of PR, one of the last sessions that I got to sit on was with Karen Brodbeck who works with OSF Healthcare. So, based out of Peoria, Illinois, so a lovely Midwest sister over there. And, she talked a lot about their brand management and how they’ve really built a national brand, though they are pretty small and focused in the Midwest space, and it was really, really interesting. She told a wonderful story about how she was at Girl Scouts as a kid and was always told, if you don’t [00:05:00] ask, the answer is no. And so how she’s kind of taken that as a mantra in the work that she’s doing, and she’s constantly reaching out and applying for different awards or speaking opportunities for individuals in the system.

And, specifically, I loved some examples of the great stories that they’ve gotten out about their health care system and I think we saw it all over this conference about not only just consumer focused work, but also stories and how important that is, how stories and data need to co-mingle and work together.

Um, but they had a story that ended up in People Magazine, got picked up in People Magazine about a nurse that cared for a sweet, sweet little baby and ended up adopting, um, this little boy. And how one of their workers on their [00:06:00] government team ended up talking to his daughter about everything that was going on in Ukraine, and they ended up sending over an ambulance filled with a bunch of stuff to Ukraine.

He ended up going and just such, such amazing stories that they have such a good. system of collecting those stories. And that was a lot of what she talked about is how they’ve really built up a space where across all their health systems, they’re sharing those stories because it can be hard to do that when you’re spread across different areas.

And so that one was a really, really great one to get some practical information, but also to get to really celebrate her and her team and how far they’ve come.

Jenny: I love that. Lehigh Valley out of Pennsylvania, they were actually the last session on the last day, but Pamela and Kirsten came in with such amazing high energy.

It was so fun to watch them. They did something really similar, but it was specifically focused on internal comms. So, how do you better communicate, [00:07:00] um, especially, you know, to those frontline people, thinking like nurses, they’re so busy. They’re not going to have time to go log into an intranet. So they, in 2019, they actually launched, um, something, um, they use Sprout, uh, and it’s an employee advocacy tool within Sprout.

So that’s the backend of the system. But it basically is a social media platform for within their internal organization. So they can do everything from talk about new services, they can, uh, feature and highlight employees or amazing cases and outcomes. But the cool thing is they came up with a colleague ambassador program where they actually recruited about 30 highly influential folks across the organization and gave them access to the platform ahead of everyone else, gave them branded swag, all of this fun stuff.

Um, and then that helped really spread usage of this platform. And they said at this point, 88 percent [00:08:00] of their team downloads the app and uses it on a regular basis. One of their biggest spikes in usage is at 3 a. m. in the morning, which you know, is nurses, right? Working shifts. And that was the most difficult group to access before.

And the cool thing is they actually have it, it’s so well loved within their organization that they actually have people submitting and, um, putting content out and engaging with other people’s content all of the time. And they, they shared so many metrics about the number of posts and engagement that they receive on those posts.

It blows away anything else that I’ve seen as far as internal comms and the, the pride that they’ve built up within their internal organization. I mean, they had this tool, you know, during COVID, they used it to be able to make sure that all the communication was clear, it was just, they had the hashtag LVHN proud, and I was so proud for them just sitting there listening to all of their wins, because that’s a huge accomplishment.

Shelby: Love that. And it reminds me of, uh, one of the sessions that I sat in on again, kind of [00:09:00] talking about internal comms, but focused a little bit on when that’s not so easy and when it is really, really hard. And shout out to Jeff Stewart, uh, on the CHRISTUS Health team, because he did such a wonderful job being incredibly vulnerable, sharing very, very, uh, in depth and specific quotes that he received from executive leadership that were really, really difficult to receive when you’re going through a complete website architecture redo.

And some of the biggest takeaways from that discussion were, what do you do when you get that negative feedback, right? So he was really, really struggling with the physicians in their group because they basically had a website where there was so much competing information, the same information on multiple pages across so many different of their specific [00:10:00] health clinics.

And, the session I loved, it was called, Can We Just Put The Old One Back? Because four months after the launch of the new site, after they had data to show how consumers were able to more easily find and set schedule appointments, that was an exact quote that he got via email from someone that was, “You just got the old site and you just put it back up.”

Jenny: And I get that, right? Like these people are so busy. They don’t have time to learn a new site architecture. So that probably was really difficult for him to hear, even though he knew it was doing better.

Shelby: A hundred percent. And I love the way he gave some really practical experience on how do you deal with getting that kind of feedback and showing up with empathy first and understanding where they’re coming from and not going to defensive mode, you know, trying to protect your team has been working so hard on this, [00:11:00] but really trying to understand where they’re coming from and help them really take the data showing, Hey, consumers are utilizing this, but sometimes the data is not everything.

And so one of the biggest takeaways was also pulling in those stories. Here are individuals that haven’t received care in years and now they have a primary care physician. Like, those are the things to celebrate.

Shelby: Yeah. When those physicians voices, and that this was a big takeaway, when those voices are sometimes the largest voice in the room, everyone can agree that the patient’s voice is louder. And so, just figuring out ways to communicate that across your organization and to really help everyone move toward the same goal. It was really inspiring.

Jenny: I love that. So, um, Arkansas Children’s, they did an amazing presentation talking also about the power of using data for internal buy-in. And, um, you know, all organizations, many organizations, have this intrinsic belief that like, [00:12:00] we’re the best, especially if they’re in a space where there aren’t many competitors and they’re really one of the only large providers within your state or your region.

Um, and so what this group did, um, is they actually began using some, um, third party data to pull in to understand not only where the gaps in care are, so where, where are we within the state where there are large groups of pediatric populations where we perhaps don’t have an outpatient center location, or people have to drive more than three hours to be able to access care. And then they also use that data to be able to look at things like birth defects within certain counties of the state to understand what may be coming up as far as specialized services that they perhaps don’t offer right now, or they aren’t offering statewide in a way that can really service their growing population.

And it was really powerful because so many times we talk about data and dashboards and so many times it’s just focused on your own data and the power they had at pulling, um, mostly [00:13:00] free third party data that’s available through your state and county and some meaningful story that then can allow you to be much more comprehensive with your strategic planning was super just impressive for me.

It’s something that so many groups we work with want to get to, and it’s like part of the continuum, and it’s certainly a worthy goal. So kudos, Arkansas Children’s. So I love it.

And then I think, um, one of the other ones that I really loved was, um, Advocate Health. Kelly, Joe and Jamie. Their energy, it was so much fun watching them. So they were talking about, um, being consumer first, which all of us want our organizations to be. Um, but they were talking a little bit about, um, things like, how do you actually measure that?

Right, like, how do you, how do you talk about progress of becoming a consumer first [00:14:00] organization or improving patients access to care? Like what metrics are the metrics that matter? And one of the things that stuck out to me is they actually have developed this internal metric called ease of use. And that’s something that they use to be able to understand how things are progressing within their own org.

And so again, it’s like, um, it’s a made up metric, but it’s one they’ve all agreed upon as something that’s important and valuable to measuring progress. And I think that was a really good reminder that, um, you don’t necessarily have to use these industry standard, um, you know, statistical analysis or processes or formulas within your own organization.

You can decide, what is the metric we want to use to understand if we won or not? And that’s enough, right? Like that’s enough, that aligns all of your team as far as where that, um, you know, finish mark is. So it was really cool to watch them. One other, I want to call out Mary Cronin from St. Luke’s did such a phenomenal job.

She was on a panel of two other people, there are three people total within St. Luke’s. Um, and [00:15:00] they were, um, talking about strategic and design thinking within an organization, but one phrase that she said, um, that really stuck with me and I wrote it down verbatim is, “A way to be able to get organizational buy in is really thinking about that influence on the front end and the empowerment on the back end.”

So, as a strategist, it isn’t really our job to execute the concepts, but really is our job to be able to influence and then empower. So it was a really great takeaway.

Shelby: Oh, love that. And one of the, one of the sessions that I sat in on with Joel and Beth from Columbus Regional Health in Indiana, again, another Midwest friend, but, they talked a lot about this WellConnect system that they developed over the past 10 years.

And I love one of the things that they talked about as kind of a key takeaway was to be a gap filler. That [00:16:00] every system, like, there’s going to be gaps. They have a very diverse population and who’s going to do it if not you to help? And they really, really showed this sense of accountability for the community that they serve, which was incredibly inspiring, reminded me of what Brad said in the keynote about why do you love what you do and how powerful that question is, and it’s really, really neat to see that they have this free offering to their community where you can call a connection specialist and they’re going to help connect you to a PCP.

They’ll help talk you through your insurance if you’ve got questions or concerns and even connect you with other community organizations that can help support you. So if your insurance isn’t covered, oh well we know of this non for profit that will be able to help you. And it was just really really neat to see how they really took this idea that started with, okay, we [00:17:00] need a building downtown that can serve the community and how that just has spiraled over 10 years.

And now, they have all of these connection specialists and they’re looking to grow the team super soon. So kudos to them and all the wonderful work that they’re doing in their community.

Jenny: That is awesome. Um, a session that really reminds me of that is KC Children’s Mercy. They were talking about, um, how to be able to positively impact the patient experience.

So first, how do you decide what patient experience you want to improve? So they made this beautiful, super simple chart with four quadrants and, um, the variables about the quadrants is urgency versus frequency. So, they then mapped all of their different service lines within that chart to be able to figure out, you know, how to make the biggest impact.

And they decided they were going to focus first on, um, patients, pediatric patients that had multiple visits within one day. So it can be super overwhelming for the parent and for the child when they go and they have like five appointments stacked. [00:18:00] And so they began working with client services and a bunch of other groups within the organization.

And they manually executed their ideas to see if it made a difference before actually rolling it out. So my favorite example, and this is near and dear to my heart because so many of the children in my family have had long-term care issues in pediatric hospitals. Um, they began mailing these welcome packets or, um, um, anticipation packets like a week before the day where everything was stacked.

And it not only had a nice letter to the parent saying, here’s the name of your, um, care, what word did they use, it was like a care manager or your friend at the facility that will be waiting for you when you arrive and they’re there to answer questions all day. They would try to pull food vouchers if they were there all day and they met certain income requirements.

They had that information in their database. But then they actually would print out a schedule of the day with all of the appointments. And then they would provide [00:19:00] stickers for the kids to be able to put on the different events to be able to mark the completion of it. And they literally printed these out and mailed them for a period of time manually before they rolled it out formally to see if it works.

So I really like that scrappy initiative of saying like, hey y’all, we think this is going to make a big difference, but before we put tons of resources into it, let’s test and iterate and then we can roll it out. So it was a really great way to think about a physical experience improvement, um, in a, you know, test and iterate formula, because often we just think about doing that in the digital world, but it can still be done in the physical world as well.

So, I love it. So, uh, this was Hedy and Hopp’s second year, um, being at SHSMD. Uh, this year I did a presentation on HIPAA, FTC, and state laws. Super well received, standing room only, had so many good conversations afterwards. Um, but we will definitely be there next year. Next year is going to be in [00:20:00] Denver.

So if you have any questions about any of the sessions that we talked about, please reach out to the folks that we’re linking to in the show notes and tagging on LinkedIn, because the presentations were all just phenomenal this year. And I really look forward to next year to continue learning and meeting more peers.

What Data Does Piwik PRO Collect?

Piwik PRO is a first-party data platform that uses a similar framework to Universal Analytics. The biggest difference between Piwik PRO & other analytics platforms is the data ownership. This means that the owner of the website always retains ownership of the data, which is fairly uncommon in similar products. What the platform collects is entirely dependent on the tool’s setup, but the following are almost always collected:

Site actions: The primary points of data collection, the events that users take on your site. This could be a button click, a form submission, a video view, or nearly any action you’ve defined on your site.
Event properties: The additional information attached to events, such as transaction prices, categories, & other information, which can be defined during setup.
Device information: This can include the model of the device the user is using, the operating system, browser.
Location data: This includes your approximate location based on your IP address.

Is Piwik PRO HIPAA-Compliant?

Every organization’s definition of HIPAA-compliance is dependent on their legal team’s interpretation of the guidelines set by the U.S. Department of Health and Human Services. That being said, Piwik PRO falls pretty low on the risk scale because they offer self-storage and are willing to enter into a Business Associate Agreement (BAAs).

Risk Mitigation

Piwik PRO is a data-forward, privacy-focused product, whose risk mitigation options go beyond entering into a BAA. That being said, it is a good idea to ensure you have the following in place in order to catch some common missteps:

Ensure that you have a current, valid BAA in place. Schedule regular check-ins to verify that your BAA is still current.
Consider any other tools that may be integrated with Piwik PRO – is your configuration sending data to another third party tool? If so, do you have a BAA in place with that vendor? Stay aware of all steps of your data processing, storage, & transmissions and be judicious about integrations that are unnecessary, redundant, or obsolete.
Remember that as the website owner, it is your responsibility to own the data process & determine where this data goes. Are you storing it on a third party server? If so, is this server HIPAA-compliant? Each endpoint introduces another possibility for liability and risk.

It’s always important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

What Data Does Mixpanel Collect?

Mixpanel is a first-party data platform that, much like GA4, operates on an event-based framework. What the platform collects is entirely dependent on the tool’s setup, but the following are almost always collected:

Site actions: The primary points of data collection, site actions are the events that users take on your website. This could be a button click, a form submission, a video view, or nearly any action you’ve defined on your site.
Event properties: The additional information attached to events, such as transaction prices, categories, & other information, which can be defined during setup.
Device information: This can include the model of the device the user is using, the operating system, browser.
Location data: This includes your approximate location based on your IP address.

Is Mixpanel HIPAA-Compliant?

Every organization’s definition of HIPAA-compliance is dependent on their legal team’s interpretation of the guidelines set by the U.S. Department of Health and Human Services. That being said, Mixpanel falls fairly low on the risk scale, largely because Mixpanel is willing to enter into Business Associate Agreements (BAAs) with its customers.

Risk Mitigation

Mixpanel is a data-forward, privacy-focused product, whose risk mitigation options go beyond entering into a BAA. Mixpanel is built on Google Cloud Platform, which is subjected to regular, independent verification of security, privacy, & compliance controls against HIPAA. That being said, it is a good idea to ensure you have the following in place in order to catch some common missteps:

Ensure that you have a current, valid BAA in place. Schedule regular check-ins to verify that your BAA is still current.
Consider any other tools that may be integrated with Mixpanel – is your configuration sending data to another third party tool? If so, do you have a BAA in place with that vendor? Stay aware of all steps of your data processing, storage, and transmissions, and be judicious about integrations that are unnecessary, redundant, or obsolete.

It’s always important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

What Data Does Google Analytics Collect?

Google Analytics, unsurprisingly, collects a lot of data about your user:

User ID: This is a unique identifier that is assigned to each user. GA4 uses this ID to track users across multiple sessions and devices.
User properties: These are additional pieces of information about users, such as their age, gender, location, and interests.
Events: These are actions that users take on your website or app. For example, an event could be a pageview, a download, or a purchase. These events need to be setup by the owner .
Sessions: A session is a group of interactions that a user takes on your website or app within a certain period of time.
Dimensions: These are the different attributes of your data, such as the date, time, and page URL.
Metrics: These are the measurements of your data, such as the number of users, sessions, and events.

Is Google Analytics HIPAA-Compliant?

Google Analytics 4 has made a lot of improvements that make it easier for companies to utilize stronger data privacy standards and move further into the age of cookieless tracking. These changes allow the tool to be used more in line with GDPR, CCPA, & other privacy policies. Despite these changes, however, Google Analytics is not HIPAA-compliant, as it still receives and stores PII/PHI, including device IDs, browser information, and location data, and does not offer a BAA. Google even explicitly states that “Google makes no representations that Google Analytics satisfies HIPAA requirements” and instructs users to refrain from exposing the software from any information that could be considered PII/PHI.

Risk Mitigation

There are several ways to make Google Analytics safer with strong data privacy standards. These are available in the Privacy Controls section of your Google Analytics settings. While enabling these settings will not satisfy HIPAA guidelines, it could help safeguard some user data while you determine a path forward (see our blog, Auditing your marketing plan for HIPAA compliance)

Data collection: You can disable the collection of certain types of data in Google Analytics, such as location data, device information, and user-agent strings.
Data sharing: You can control how your data is shared with other Google products and services, including Google Ads & YouTube.
Consent mode: You can enable consent mode, which allows you to collect data from users who have given their consent.
Data retention: You can control how long your data is retained by Google Analytics.
User-level data access and portability: You can grant users access to their own data in Google Analytics.

PRO TIP: Server-side tagging is a data tracking method that can help organizations protect user data. While it requires a well thought out digital infrastructure, it can give organizations more control over their data and help them comply with privacy regulations while still using Google Analytics.

What Data Does Google Tag Manager Collect?

GTM is probably unique in your tech stack in that it itself does not collect any data – instead, it provides a container with easily configurable tags, triggers, & variables that allow you to control exactly what tracking tools are on your website and how they send information back and forth. Common tags to have in GTM include:

Google Analytics: The most popular analytics tool in the world, GA ties directly into GTM with minimal setup.
Conversion Tracking Pixels: Google Ads, Meta Ads, LinkedIn Ads, and most other digital advertising platforms can use a conversion tracking pixel on your site to improve ad performance. At Hedy & Hopp, we consider these pixels to be a high risk in terms of HIPAA-compliance, since they share user data with third parties.
Engagement/UX tools: Heatmapping tools like Lucky Orange, A/B testing tools like Optimizely, and countless other tools are routinely installed via Google Tag Manage

Is Google Tag Manager HIPAA-Compliant?

A good way to look at GTM through the lens of HIPAA-Compliance is that it can be the vehicle for compliance issues, and that it completely depends on how a specific site is using their tagging setup. A GTM container can manage tags for everything from a Google Search Console verification tag (completely HIPAA-compliant) to a Facebook Pixel that is gathering personal data about users who may be visiting sensitive pages on a site (completely non-compliant!).

PRO TIP: As a general rule, conversion pixels are concerning in terms of HIPAA-compliance and should be avoided. Learn more about the recent updates in HIPAA guidance by listening to our HIPAA & FTC 101 podcast.

Risk Mitigation

While Google Tag Manager supports some obfuscation options that grant some level of increased data privacy and protection, this is not a watertight approach. Often, the obfuscated data is still being shared with some third party processors. Server-side Google Tag Manager (sGTM) can be a much safer approach, offering more options for data privacy and allowing users to completely control which data is shared (and not shared) with each platform.

If you want to assess your GTM risk in it’s current set up, a great place to start is by extensively documenting the functionality of each tag in your account. From there, you can assess the risks of each tag and make a plan to improve data privacy.

PRO TIP: While server-side tagging is not for everyone and does not eliminate issues associated with third party tracking tags, this approach puts more power in the hands of your team to ensure that you are protecting your users’ data.

Conduct an audit of all tactics, tools and softwares

Like most evaluation efforts when a massive change happens, we start with an audit. Document all of the channels you use, plan to use, are investigating using or/and have used in the last 12 months (to account for changes with seasonality).

Supplement this list by using third party tools like Wappalyzer to identify any pixels, code, plugins, etc., that may be on your website.

PRO TIP:

It is important not to skip this part. We cannot tell you how many clients have told us that they removed a software but we still saw live tags in GTM or hard-coded on their website There are also many plugins that our clients didn’t even know existed that we were able to identify (and actually remove if needed) through using these tools.

Understand the core requirements of applicable state laws

At least in the initial stage, it’s important for marketers to know what applies to them. Covered entities are always beholden to HIPAA, but health-adjacent companies and non-covered entities also need to be aware of the FTC and state laws, where applicable. Most states require companies to reach a number of annual visitors or/and meet a specific revenue goal in that state before they are required to comply, but it does vary. IAPP is a great resource for keeping up with those details.

First, conduct a monthly traffic report for the last 12 months, and separate out by state.

Add Europe to confirm if GDPR needs to be included

Under the state(s) that are relevant to your company, review the following:

Are companies who follow HIPAA excluded from compliance? If so, and you are a covered entity, then the state’s laws likely do not apply
How does the state describe “sensitive information”? This can include marital status, sexual orientation and other non-health-specific (but very personal) information.
Is consent required from users before any data can be collected (i.e., before any tags are fired)? If so, how is “consent” defined?

Determine Priority Concerns

You will probably find a lot of softwares that can be excluded from further investigation, like Javascript libraries, fonts and some plugins. But there will be a host of others that, either by nature of the platform or based on your implementation, will cause some issue with privacy – specifically with the “selling” (or sharing) of personal information.

Below is a guide for the kinds of platforms we have seen make the priority list:

Analytics tools (i.e., Google Analytics, Mixpanel, Piwik Pro)
Advertising platforms (i.e., Meta, Google Ads)
User Experience tools (i.e., Optimizely, Medallia, Lucky Orange, Crazy Egg)
Website Servers, Hosts, CDNs (i.e., Kinsta, WP Engine, Cloudflare)
Customer Relationship Managers/CRM (i.e., Hubspot, Salesforce)
Video Embeds (i,e. Wistia, YouTube)
Product Review platforms (i.e., Yotpo)
Data Visualization tools (i.e., Marketing Cloud Intelligence (Datorama), Looker Studio)

If this list freaks you out, we see you. It looks like EVERYTHING is a priority! So we broke it down even further to prioritize based on the intent of how the platform is using that data, which makes the list looks a bit more manageable:

Priority 1: Data shared with additional third parties or/and includes sensitive information

Analytics tools
Advertising platforms
Video Platforms or Embeds
Product Review platforms

Priority 2: Data necessary to perform function

User Experience tools
Website Servers & Hosts)
Customer Relationship Managers/CRM
Data Visualization tools

Ok, that probably still makes your heart race, but what’s important to keep in mind is that the biggest concern for these platforms is based on the information being shared and how. Tools like your Website CMS by nature need to collect IP addresses, so while your company is sharing that “personal” information with a third party, it might not be a big risk for your company since that access is required to work.

Why do we say that? Although an IP address is still considered PII, it’s not nearly as personal (i.e., 1-to-1) as a diagnosis, a name, or an email address. This is why it’s essential to work with your legal team to determine what platforms are riskier than others based on the agreements in place.

Determine Your Must-Haves

As a marketer, your first instinct may be to say that all of these softwares, tools and platforms are necessary. And that might be the case. In our experience, however, there are usually software or tactics that are duplicative or have a more compliant alternative. Think critically about what your marketing is doing for you and embrace the opportunity for refinement that you now have.

Here are some questions to ask yourself while evaluating the priority tools:

Has this tool provided me with information that helped me improve a marketing tactic or initiative?
Has this tool impacted my bottom line? Is it a tool that has generated leads or improved customer experience? What data do I have to prove it?

If you said “no” to either of these questions, definitely consider removing those tools and tactics and you’ll be on your way to a cleaner, more compliant marketing plan and website. If you responded yes to any of these questions, then the next step is an important one – so keep reading!

PRO TIP:

Consider if any of the tools are duplicative. If you can consolidate tools to limit the number of third party tags and tools on your website, we would always recommend doing so.

Remove/Replace/Modify and Evaluate

This is the big one – the future of your marketing activation and evaluation. This last part will take some time and collaboration from your organization and marketing partners. The main question here is how you can modify the implementation or replace the tool to improve compliance. Some tools may offer anonymization, for example, which would be worth exploring.

Each marketer will implement various tools in various ways (too many variables for this post!). Here are a few best practices that helped us get our clients up to par (without losing their minds).

Get Business Associate Agreements (BAA) in place for the platforms that have access to your customer’s PHI. Not all of them will sign one (we’re looking at you, Google and Meta), but those that will sign one should be looked into.
Consider moving to server-side analytics
- Pixels are helpful and make optimization really easy and automated. But they are also a primary culprit in why advertising and analytics platforms can be risky. Moving to server-side analytics or incorporating a Customer Data Platform (CDP) might be the way to go if you have the proper IT infrastructure and resources in place.
- Moving to server-side doesn’t automatically absolve your website of data privacy concerns, but it could be the first step in a privacy-forward approach to data collection and storage.
Remove pixels and rely more on manual UTMs and short links. It might seem like a step back for senior marketers, but ensuring that Meta, Google, Microsoft and other advertising platforms have no access to user data is a critical component to compliance, especially for platforms that don’t have the option of a BAA or updated terms.
Take an extra step in updating tag configurations and settings for tools and platforms that offer such settings, to anonymize or remove specific PII from website visitors
- Be sure to confirm what they mean by anonymization, and that they don’t really mean pseudonymization. Also, be sure to confirm that data is anonymized before it’s shared and that the third party in no way has access to the actual data).
Make sure consent banners and your website’s Privacy Policy have been updated to account for what website data is shared and how (and what privacy regulations you need to follow).

PRO TIP:

If you’ve not done so already, this is the time to make absolutely sure your legal team is aware and involved in these discussions. With the number of nuances with HIPAA privacy, it’s critical that your company’s legal team has the opportunity to engage and provide input on updates, specifically on privacy policies and the company’s overall data privacy approach.

Activate and Evaluate

Once these changes are in place, consider the next 30-60 days as a trial period. Are you missing any data for evaluation? Any new questions arising with the data you can see? It’s a good reminder that any change that you make will take some adjusting, but that doesn’t mean insights can no longer be found.

PRO TIP:

Don’t forget to update your data visualization dashboards to account for any new placements, accounts or configurations!

What Data Does LinkedIn Collect?

LinkedIn collects a variety of personal and technical data from its users, including:

Profile Data: LinkedIn collects information from user profiles, including job titles, industries, company affiliations, educational background, skills, and interests. This data is used to target ads to specific professional audiences based on their profile information.
Demographic Data: LinkedIn may collect demographic information such as age, gender, location, and language preferences. This data helps advertisers target specific demographics for their campaigns.
Engagement Data: LinkedIn tracks user engagement with ads, including impressions, clicks, likes, comments, and shares. This information helps advertisers assess the effectiveness and impact of their campaigns.
Website and Conversion Data: If advertisers use LinkedIn’s conversion tracking or retargeting features, LinkedIn collects data related to website visits, conversions, and actions taken by users on their website. This data helps measure the success of advertising campaigns in driving desired outcomes.
Ad Interaction Data: LinkedIn collects data on how users interact with ads, such as ad views, interactions, video views, and form fills. This information helps advertisers understand user behavior and optimize their ad creative and messaging.
Pixel Data: LinkedIn provides a tracking pixel called the Insight Tag that can be placed on advertiser websites. This pixel collects data on website visits, page views, and conversions, enabling better ad targeting and measurement.
Third-Party Data: LinkedIn may also use third-party data sources to supplement its own data and provide additional targeting capabilities. These sources may include data providers that offer insights on professional attributes, interests, or intent.

Remember – just because a targeting option is available does mean that you should use it. In fact, taking advantage of features that could make your campaigns more effective could be what compromises your HIPAA compliance.

Is LinkedIn Advertising HIPAA-Compliant?

After the updated guidance from the Department of Health and Human Services was released, things haven’t exactly been black and white as far as whether or not this crosses a line, but from our perspective, it really depends on how you use the platform – specifically the Insight Tag. Conversion pixels can compromise HIPAA compliance in a few ways.

First, they can collect PHI without the user’s knowledge or consent. This is because conversion pixels can track users across multiple websites, even if they are not logged in.
Additionally, conversion pixels are often used to retarget users with display ads. This can be a serious violation, as it can expose sensitive content that individuals have been viewing about specific diseases, illnesses, or conditions.

While LinkedIn only keeps personal data collected from the Insight Tag for 180 days, there is a lot that can be done with this data in that time period. The HHS is also very specific that the sharing of, or even the ability to access any personal health information is a violation.

Pro Tip:

LinkedIn is somewhat unique in that healthcare marketers may be using the platform to reach a different audience than prospective patients. For example, if a healthcare marketer is using LinkedIn to reach HCPs (healthcare professionals) HIPAA may not even apply to those efforts.

That being said, there are also some tactics available in LinkedIn Advertising that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing, lookalike audiences and uploading target lists. It is also important to consider other tools that have access to your LinkedIn data, including optimization and data visualization software.

Risk Mitigation

As with most advertising platforms, there are steps that can be taken to mitigate risk and to protect your users’ data as much as possible. Some good rules of thumb are to limit conversion pixels as much as possible, consider a server-side tagging strategy, and to ensure that you are not using predatory tactics to reach people with a specific condition or disease.

As with anything HIPAA-related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible.

Pro Tip:

It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

What Is Piwik PRO?

What Data Does Piwik PRO Collect?

Is Piwik PRO HIPAA-Compliant?

Risk Mitigation

Not sure how to get started?

What Is Mixpanel?

What Data Does Mixpanel Collect?

Is Mixpanel HIPAA-Compliant?

Risk Mitigation

Not sure how to get started?

What Is Google Analytics?

What Data Does Google Analytics Collect?

Is Google Analytics HIPAA-Compliant?

Risk Mitigation

Where do you go from here?

What Is Google Tag Manager?

What Data Does Google Tag Manager Collect?

Is Google Tag Manager HIPAA-Compliant?

Risk Mitigation

Not sure how to get started?

Conduct an audit of all tactics, tools and softwares

Understand the core requirements of applicable state laws

Determine Priority Concerns

Determine Your Must-Haves

Remove/Replace/Modify and Evaluate

Activate and Evaluate

Need more support for your specific marketing plans?

What Is LinkedIn Advertising?

What Data Does LinkedIn Collect?

Is LinkedIn Advertising HIPAA-Compliant?

Risk Mitigation

Not sure how to get started?