As a healthcare marketing agency, we get a lot of questions about whether or not certain tools are HIPAA-compliant. That’s why we at Hedy & Hopp decided to create a blog series that specifically dives into common marketing tools and software in order to determine whether or not they pose a HIPAA concern.


This week, we’re taking a closer look at Google Tag Manager (GTM).

What Is Google Tag Manager?

Google Tag Manager, or GTM, is a powerful tool that allows you to track user activity on your website or mobile app with minimal coding knowledge required. By putting one snippet of code on a website, GTM creates a container that can manage all of the various tracking codes on your website. GTM is also a great way to improve your website analytics, track conversions, and retarget visitors (when compliant) from and to a variety of platforms. It’s also a valuable tool for businesses of all sizes, from small businesses to large enterprises.

Here are some of the benefits of using Google Tag Manager:

  • No coding required: You don’t need to be a developer to use GTM. The user interface is intuitive and easy to use for users with basic technical knowledge.
  • Increased security: GTM centralizes your tag code behind account permissions, versioning and an explicit publish step, so changes to tags are reviewed and logged rather than edited directly in the site’s source. Keep in mind that anyone with publish rights on the container can push arbitrary JavaScript to every page, so treat that permission with the same care as deploy access to the website itself.
  • Improved collaboration: GTM makes it easy to collaborate with other team members on tag management. You can share tags and permissions with other users, and you can track changes to tag configurations.
  • Scalability: GTM can be scaled to meet the needs of businesses of all sizes. You can add as many tags as you need, and you can manage multiple websites and mobile apps from a single account.

What Data Does Google Tag Manager Collect?

GTM is probably unique in your tech stack in that it does not itself collect any data – instead, it provides a container with easily configurable tags, triggers, and variables that let you control exactly which tracking tools are on your website and how they send information back and forth. Common tags to have in GTM include:

  • Google Analytics: The most popular analytics tool in the world, GA ties directly into GTM with minimal setup.
  • Conversion Tracking Pixels: Google Ads, Meta Ads, LinkedIn Ads, and most other digital advertising platforms can use a conversion tracking pixel on your site to improve ad performance. At Hedy & Hopp, we consider these pixels to be a high risk in terms of HIPAA compliance, since they share user data with third parties.
  • Engagement/UX tools: Heatmapping tools like Lucky Orange, A/B testing tools like Optimizely, and countless other tools are routinely installed via Google Tag Manager.

Is Google Tag Manager HIPAA-Compliant?

A good way to look at GTM through the lens of HIPAA compliance is that it can be the vehicle for compliance issues, and that it completely depends on how a specific site uses its tagging setup. A GTM container can manage tags for everything from a Google Search Console verification tag (completely HIPAA-compliant) to a Facebook Pixel that is gathering personal data about users who may be visiting sensitive pages on a site (completely non-compliant!).

PRO TIP: As a general rule, conversion pixels are concerning in terms of HIPAA compliance and should be avoided. Learn more about the recent updates in HIPAA guidance by listening to our HIPAA & FTC 101 podcast.

Risk Mitigation

While Google Tag Manager supports some obfuscation options that grant some level of increased data privacy and protection, this is not a watertight approach. Often, the obfuscated data is still being shared with some third party processors. Server-side Google Tag Manager (sGTM) can be a much safer approach, offering more options for data privacy and allowing users to completely control which data is shared (and not shared) with each platform. 

If you want to assess your GTM risk in its current setup, a great place to start is by extensively documenting the functionality of each tag in your account. From there, you can assess the risks of each tag and make a plan to improve data privacy.

PRO TIP: While server-side tagging is not for everyone and does not eliminate issues associated with third party tracking tags, this approach puts more power in the hands of your team to ensure that you are protecting your users’ data.

Not sure how to get started?

Hedy & Hopp’s Analytics experts can help by auditing your GTM account for you, so reach out if your team is struggling with how to approach what can be quite the can of worms! Our team has already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. Give us a call – we’d love to help!

With the recent changes to CCPA, CPRA and HIPAA, as well as recent lawsuit settlements in headlines and new states updating their data privacy regulations, many marketers (and privacy champions) have been spinning their wheels trying to understand how to stay compliant. What does this mean for our website? What does it mean for how we evaluate marketing performance? What does it mean for our visitors and their experience?


Indeed, balancing what your customers need, what your C-Suite needs and what your state governance requires can be challenging. And no agency understands that better than Hedy & Hopp.


In this post, we share our successful approach to compliance that has helped our clients make a few necessary changes that build trust with their customers – without losing the ability to derive actionable insights that grow their business in a privacy-forward world.

These changes may seem daunting (and even a bit terrifying) at first, but remember that dealing with change is what marketers are designed to do. We constantly need to adjust based on the information received and this challenge is no different. Marketers can either embrace this new world as an opportunity to improve trust with their audience, or keep doing the same thing until they’re forced to make a change (which is inevitable). 

At Hedy & Hopp, we prefer the former, and want to share with you how we’ve helped our clients make sense of the changes and set themselves up for success in the long-term. 

  1. Conduct a thorough audit of your marketing & communication tactics, software and tools
  2. Determine which state laws apply today, and in the next 12 months
  3. Determine which tactics, tools and software are the highest priority based on what data is being shared, stored or provided (and how)
  4. Determine which high-priority items must be kept and which can go
  5. Remove/replace and modify what’s left


Want more details on these steps? Please keep reading!

Got a case of “TLDR”? Please get in touch – we’d love to help!

Conduct an audit of all tactics, tools and software

Like most evaluation efforts when a massive change happens, we start with an audit. Document all of the channels you use, plan to use, are investigating using and/or have used in the last 12 months (to account for changes with seasonality).

Supplement this list by using third party tools like Wappalyzer to identify any pixels, code, plugins, etc., that may be on your website.

PRO TIP:

It is important not to skip this part. We cannot tell you how many clients have told us that they removed a software but we still saw live tags in GTM or hard-coded on their website. There are also many plugins that our clients didn’t even know existed that we were able to identify (and actually remove if needed) through using these tools.
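As an added example (not Hedy & Hopp’s code), the following Python script produces the tag inventory that the GTM post and this audit step both call for: it reads a GTM container export (the JSON from Admin > Export Container), rates each tag’s data-sharing risk from its type and embedded code, and records which triggers fire it and whether it is paused. The tag-type table, pixel hostnames and the sample container are constructed for illustration; the type codes and the built-in All Pages trigger id match what I have seen in real exports, but verify them against your own.

```python
import json

# Tag "type" codes as they appear in a GTM container export, mapped to a
# plain-language name. Constructed table for this example; extend it with
# the community-template (cvt_*) types your own container uses.
TAG_TYPES = {
    "gaawc": "Google Analytics 4 configuration",
    "gaawe": "Google Analytics 4 event",
    "ua":    "Universal Analytics",
    "awct":  "Google Ads conversion tracking",
    "sp":    "Google Ads remarketing",
    "fls":   "Floodlight (Campaign Manager) sales",
    "html":  "Custom HTML (runs arbitrary script)",
    "img":   "Custom image pixel",
}
ALL_PAGES_TRIGGER_ID = "2147479553"  # GTM's built-in "All Pages" trigger

# Tag types whose whole purpose is sending conversions/audiences to an ad platform.
AD_PIXEL_TYPES = {"awct", "sp", "fls"}
# Script hosts that identify third-party ad pixels hidden inside custom HTML/image
# tags. Constructed starter list; add the vendors you find during your audit.
AD_PIXEL_HOSTS = ("connect.facebook.net", "snap.licdn.com", "bat.bing.com",
                  "analytics.tiktok.com", "static.ads-twitter.com")


def _param(tag, key):
    """Return a tag parameter's value by key, or '' if the tag has no such key."""
    for p in tag.get("parameter", []):
        if p.get("key") == key:
            return str(p.get("value", ""))
    return ""


def classify(tag):
    """Rate a tag's data-sharing risk from its type and any embedded code."""
    kind = tag["type"]
    code = _param(tag, "html") + _param(tag, "url")
    if kind in AD_PIXEL_TYPES or any(host in code for host in AD_PIXEL_HOSTS):
        return "HIGH", "conversion/remarketing pixel shares visitor data with an ad platform"
    if kind in ("gaawc", "gaawe", "ua"):
        return "MEDIUM", "analytics vendor receives page and event data"
    if kind in ("html", "img"):
        return "REVIEW", "custom code; read it to find out where the data goes"
    return "LOW", "no off-site data sharing identified"


def audit_container(export):
    """Inventory every tag in an export, highest-risk first."""
    version = export["containerVersion"]
    trigger_names = {t["triggerId"]: t["name"] for t in version.get("trigger", [])}
    trigger_names.setdefault(ALL_PAGES_TRIGGER_ID, "All Pages (built-in)")
    rows = []
    for tag in version.get("tag", []):
        risk, reason = classify(tag)
        trigger_ids = tag.get("firingTriggerId", [])
        rows.append({
            "name": tag["name"],
            "type": TAG_TYPES.get(tag["type"], tag["type"]),
            "risk": risk,
            "reason": reason,
            "fires_on": [trigger_names.get(i, f"unknown trigger {i}") for i in trigger_ids],
            # A tag on every page also fires on your most sensitive pages.
            "every_page": ALL_PAGES_TRIGGER_ID in trigger_ids,
            # Paused tags are one click from live, so they stay on the list.
            "paused": bool(tag.get("paused", False)),
        })
    order = {"HIGH": 0, "MEDIUM": 1, "REVIEW": 2, "LOW": 3}
    rows.sort(key=lambda r: order[r["risk"]])
    return rows


def load_export(path):
    """Read a container export file as produced by Admin > Export Container."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample that mirrors the shape of a real export (ids are placeholders).
SAMPLE_EXPORT = {
    "exportFormatVersion": 2,
    "containerVersion": {
        "trigger": [{"triggerId": "5", "name": "Form Submit - Appointment", "type": "FORM_SUBMISSION"}],
        "tag": [
            {"tagId": "1", "name": "GA4 - Config", "type": "gaawc",
             "parameter": [{"type": "TEMPLATE", "key": "measurementId", "value": "G-EXAMPLE"}],
             "firingTriggerId": ["2147479553"]},
            {"tagId": "2", "name": "Google Ads - Appointment Conversion", "type": "awct",
             "parameter": [{"type": "TEMPLATE", "key": "conversionId", "value": "000000000"}],
             "firingTriggerId": ["5"]},
            {"tagId": "3", "name": "Legacy FB pixel", "type": "html", "paused": True,
             "parameter": [{"type": "TEMPLATE", "key": "html",
                            "value": "<script>s.src='https://connect.facebook.net/en_US/fbevents.js'</script>"}],
             "firingTriggerId": ["2147479553"]},
            {"tagId": "4", "name": "Heatmap tool", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html",
                            "value": "<script src='https://heatmap.example.invalid/t.js'></script>"}],
             "firingTriggerId": ["2147479553"]},
        ],
    },
}

if __name__ == "__main__":
    for row in audit_container(SAMPLE_EXPORT):
        flags = ("every page " if row["every_page"] else "") + ("PAUSED" if row["paused"] else "")
        print(f"{row['risk']:<7}{row['name']}: {row['type']}; fires on {row['fires_on']} {flags}")
```

Replace `SAMPLE_EXPORT` with `load_export("container.json")` to run it against your own container, then walk the HIGH and REVIEW rows with your legal team.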

Understand the core requirements of applicable state laws

At least in the initial stage, it’s important for marketers to know what applies to them. Covered entities are always beholden to HIPAA, but health-adjacent companies and non-covered entities also need to be aware of the FTC and state laws, where applicable. Most states require companies to reach a number of annual visitors and/or meet a specific revenue goal in that state before they are required to comply, but it does vary. IAPP is a great resource for keeping up with those details.

First, conduct a monthly traffic report for the last 12 months, and separate out by state. 

  • Add Europe to confirm if GDPR needs to be included

Under the state(s) that are relevant to your company, review the following:

  • Are companies who follow HIPAA excluded from compliance? If so, and you are a covered entity, then the state’s laws likely do not apply
  • How does the state describe “sensitive information”? This can include marital status, sexual orientation and other non-health-specific (but very personal) information. 
  • Is consent required from users before any data can be collected (i.e., before any tags are fired)? If so, how is “consent” defined?

Determine Priority Concerns

You will probably find a lot of software that can be excluded from further investigation, like JavaScript libraries, fonts and some plugins. But there will be a host of others that, either by nature of the platform or based on your implementation, will cause some issue with privacy – specifically with the “selling” (or sharing) of personal information.

Below is a guide for the kinds of platforms we have seen make the priority list:


If this list freaks you out, we see you. It looks like EVERYTHING is a priority! So we broke it down even further to prioritize based on the intent of how the platform is using that data, which makes the list look a bit more manageable:

Priority 1: Data shared with additional third parties or/and includes sensitive information

  • Analytics tools
  • Advertising platforms
  • Video Platforms or Embeds 
  • Product Review platforms

Priority 2: Data necessary to perform function

  • User Experience tools 
  • Website servers & hosts
  • Customer Relationship Managers/CRM
  • Data Visualization tools 


Ok, that probably still makes your heart race, but what’s important to keep in mind is that the biggest concern for these platforms is based on the information being shared and how. Tools like your Website CMS by nature need to collect IP addresses, so while your company is sharing that “personal” information with a third party, it might not be a big risk for your company since that access is required to work. 

Why do we say that? Although an IP address is still considered PII, it’s not nearly as personal (i.e., 1-to-1) as a diagnosis, a name, or an email address. This is why it’s essential to work with your legal team to determine what platforms are riskier than others based on the agreements in place.

Determine Your Must-Haves

As a marketer, your first instinct may be to say that all of this software and these tools and platforms are necessary. And that might be the case. In our experience, however, there are usually software or tactics that are duplicative or have a more compliant alternative. Think critically about what your marketing is doing for you and embrace the opportunity for refinement that you now have.

Here are some questions to ask yourself while evaluating the priority tools:

  • Has this tool provided me with information that helped me improve a marketing tactic or initiative? 
  • Has this tool impacted my bottom line? Is it a tool that has generated leads or improved customer experience? What data do I have to prove it?

If you said “no” to either of these questions, definitely consider removing those tools and tactics and you’ll be on your way to a cleaner, more compliant marketing plan and website. If you responded yes to any of these questions, then the next step is an important one – so keep reading! 

PRO TIP:

Consider if any of the tools are duplicative. If you can consolidate tools to limit the number of third party tags and tools on your website, we would always recommend doing so.

Remove/Replace/Modify and Evaluate

This is the big one – the future of your marketing activation and evaluation. This last part will take some time and collaboration from your organization and marketing partners. The main question here is how you can modify the implementation or replace the tool to improve compliance. Some tools may offer anonymization, for example, which would be worth exploring. 

Each marketer will implement various tools in various ways (too many variables for this post!). Here are a few best practices that helped us get our clients up to par (without losing their minds). 

  • Get Business Associate Agreements (BAA) in place for the platforms that have access to your customers’ PHI. Not all of them will sign one (we’re looking at you, Google and Meta), but those that will sign one should be looked into.
  • Consider moving to server-side analytics
    • Pixels are helpful and make optimization really easy and automated. But they are also a primary culprit in why advertising and analytics platforms can be risky. Moving to server-side analytics or incorporating a Customer Data Platform (CDP) might be the way to go if you have the proper IT infrastructure and resources in place. 
    • Moving to server-side doesn’t automatically absolve your website of data privacy concerns, but it could be the first step in a privacy-forward approach to data collection and storage.
  • Remove pixels and rely more on manual UTMs and short links. It might seem like a step back for senior marketers, but ensuring that Meta, Google, Microsoft and other advertising platforms have no access to user data is a critical component to compliance, especially for platforms that don’t have the option of a BAA or updated terms.
  • Take an extra step in updating tag configurations and settings for tools and platforms that offer such settings, to anonymize or remove specific PII from website visitors
    • Be sure to confirm what they mean by anonymization, and that they don’t really mean pseudonymization. Also, be sure to confirm that data is anonymized before it’s shared and that the third party in no way has access to the actual data.
  • Make sure consent banners and your website’s Privacy Policy have been updated to account for what website data is shared and how (and what privacy regulations you need to follow).
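As an added illustration of the “anonymize before it’s shared” point above and of the server-side tagging approach discussed earlier (example code, not Hedy & Hopp’s and not Google’s sGTM product), this Python stand-in for a server-side collection hook rewrites each event per destination: it strips query strings, drops PII fields and any value that looks like an email address, truncates or removes the IP, and suppresses events from sensitive pages or blocked event types outright rather than hashing them (hashing would only pseudonymize). The path prefixes, field names, destination policies and sample event are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed policy inputs; adapt to your own site map and vendor contracts.
SENSITIVE_PATH_PREFIXES = ("/conditions/", "/treatments/", "/patient-portal/")
PII_PARAM_KEYS = {"email", "phone", "user_id", "patient_id", "first_name", "last_name"}
EMAIL_RE = re.compile(r"[^\s@]+@[^\s@]+\.[a-z]{2,}", re.I)
DESTINATIONS = {
    # Analytics may see the visitor's network (/24 or /48); ad platforms get no
    # IP at all and never receive form submissions, which carry lead PHI.
    "analytics":   {"ip": "network", "blocked_events": set()},
    "ad_platform": {"ip": "drop",    "blocked_events": {"form_submit"}},
}


def strip_query(url):
    """Keep scheme, host and path only; query strings and fragments carry PII."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def is_sensitive(url):
    """True when the page path reveals a condition, treatment or portal visit."""
    return urlsplit(url).path.startswith(SENSITIVE_PATH_PREFIXES)


def truncate_ip(ip):
    """Zero the host part so the address identifies a network, not a device."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def scrub_event(event, policy):
    """Return the payload this destination may receive, or None to suppress it."""
    if event.get("event_name") in policy["blocked_events"]:
        return None
    if is_sensitive(event.get("page_location", "")):
        return None  # share nothing at all about sensitive pages
    out = {}
    for key, value in event.items():
        if key in PII_PARAM_KEYS:
            continue
        if key in ("page_location", "page_referrer"):
            out[key] = strip_query(value)
        elif key == "ip_override":
            if policy["ip"] == "network":
                out[key] = truncate_ip(value)  # otherwise dropped entirely
        elif key == "params":
            # Drop known PII keys and any free-text value that contains an email.
            out[key] = {k: v for k, v in value.items()
                        if k not in PII_PARAM_KEYS
                        and not (isinstance(v, str) and EMAIL_RE.search(v))}
        else:
            out[key] = value
    return out


def route(event):
    """Build one scrubbed payload per destination from a single incoming event."""
    return {name: scrub_event(event, policy) for name, policy in DESTINATIONS.items()}


# Constructed event shaped like what a browser-side tag posts to a collection endpoint.
SAMPLE_EVENT = {
    "event_name": "form_submit",
    "client_id": "1234567890.1700000000",
    "ip_override": "203.0.113.77",
    "user_agent": "Mozilla/5.0 (constructed)",
    "page_location": "https://clinic.example/appointments?email=jane%40example.com&utm_source=linkedin",
    "page_referrer": "https://www.google.com/search?q=symptoms+of+something",
    "params": {"email": "jane@example.com",
               "search_term": "contact jane@example.com",
               "form_id": "appt-request"},
}

if __name__ == "__main__":
    for destination, payload in route(SAMPLE_EVENT).items():
        print(destination, "->", payload)
```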


PRO TIP:

If you’ve not done so already, this is the time to make absolutely sure your legal team is aware and involved in these discussions. With the number of nuances with HIPAA privacy, it’s critical that your company’s legal team has the opportunity to engage and provide input on updates, specifically on privacy policies and the company’s overall data privacy approach.

Activate and Evaluate

Once these changes are in place, consider the next 30-60 days as a trial period. Are you missing any data for evaluation? Any new questions arising with the data you can see? It’s a good reminder that any change that you make will take some adjusting, but that doesn’t mean insights can no longer be found.


PRO TIP:

Don’t forget to update your data visualization dashboards to account for any new placements, accounts or configurations!

Need more support for your specific marketing plans?

We’d love to help. Contact us today to see how we can get you and your team data privacy compliant!


This week, we’re taking a closer look at LinkedIn.

What Is LinkedIn Advertising?

A healthcare marketer can leverage LinkedIn advertising in several ways to effectively reach their target audience and promote their healthcare products, services, or brand. Here are some strategies and tips:

Targeting Healthcare Professionals: LinkedIn allows precise targeting based on job titles, industries, and functions. Healthcare marketers can target specific healthcare professionals, such as doctors, nurses, pharmacists, administrators, and executives, based on their job titles or industry affiliations. This ensures that the ads are reaching the right audience.

Thought Leadership and Content Promotion: Healthcare marketers can use Sponsored Content and Sponsored InMail to share valuable content, such as articles, research papers, case studies, or educational materials related to their field. This positions the marketer as a thought leader and helps build credibility and trust with the audience. Promoting webinars, conferences, or speaking engagements can also be effective in establishing expertise.

Job Postings and Recruitment: Healthcare organizations often have specific talent acquisition needs. LinkedIn provides targeted options for promoting job openings and reaching qualified healthcare professionals who are actively seeking employment opportunities. Healthcare marketers can use Sponsored Job Ads to attract top talent to their organization.

Brand Awareness and Reputation Management: LinkedIn advertising can help healthcare marketers increase brand visibility and manage their online reputation. Display Ads and Dynamic Ads can be used to create visually appealing brand messages and reach a broad audience. Marketers can also target specific industries, organizations, or regions to raise awareness of their brand and build positive associations.

Industry Events and Conferences: Healthcare marketers can utilize LinkedIn advertising to promote industry events, conferences, or webinars. Sponsored Content, Sponsored InMail, and Display Ads can be used to drive registrations, highlight keynote speakers, and generate buzz around the event. Targeting options ensure that the ads reach professionals interested in the healthcare industry.

What Data Does LinkedIn Collect?

LinkedIn collects a variety of personal and technical data from its users, including:

  • Profile Data: LinkedIn collects information from user profiles, including job titles, industries, company affiliations, educational background, skills, and interests. This data is used to target ads to specific professional audiences based on their profile information.
  • Demographic Data: LinkedIn may collect demographic information such as age, gender, location, and language preferences. This data helps advertisers target specific demographics for their campaigns.
  • Engagement Data: LinkedIn tracks user engagement with ads, including impressions, clicks, likes, comments, and shares. This information helps advertisers assess the effectiveness and impact of their campaigns.
  • Website and Conversion Data: If advertisers use LinkedIn’s conversion tracking or retargeting features, LinkedIn collects data related to website visits, conversions, and actions taken by users on their website. This data helps measure the success of advertising campaigns in driving desired outcomes.
  • Ad Interaction Data: LinkedIn collects data on how users interact with ads, such as ad views, interactions, video views, and form fills. This information helps advertisers understand user behavior and optimize their ad creative and messaging.
  • Pixel Data: LinkedIn provides a tracking pixel called the Insight Tag that can be placed on advertiser websites. This pixel collects data on website visits, page views, and conversions, enabling better ad targeting and measurement.
  • Third-Party Data: LinkedIn may also use third-party data sources to supplement its own data and provide additional targeting capabilities. These sources may include data providers that offer insights on professional attributes, interests, or intent.

Remember – just because a targeting option is available does not mean that you should use it. In fact, taking advantage of features that could make your campaigns more effective could be what compromises your HIPAA compliance.

Is LinkedIn Advertising HIPAA-Compliant?

After the updated guidance from the Department of Health and Human Services was released, things haven’t exactly been black and white as far as whether or not this crosses a line, but from our perspective, it really depends on how you use the platform – specifically the Insight Tag. Conversion pixels can compromise HIPAA compliance in a few ways. 

  • First, they can collect PHI without the user’s knowledge or consent. This is because conversion pixels can track users across multiple websites, even if they are not logged in. 
  • Additionally, conversion pixels are often used to retarget users with display ads. This can be a serious violation, as it can expose sensitive content that individuals have been viewing about specific diseases, illnesses, or conditions.

While LinkedIn only keeps personal data collected from the Insight Tag for 180 days, there is a lot that can be done with this data in that time period. The HHS is also very specific that the sharing of, or even the ability to access, any protected health information is a violation.

Pro Tip:

LinkedIn is somewhat unique in that healthcare marketers may be using the platform to reach a different audience than prospective patients. For example, if a healthcare marketer is using LinkedIn to reach HCPs (healthcare professionals), HIPAA may not even apply to those efforts.

That being said, there are also some tactics available in LinkedIn Advertising that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing, lookalike audiences and uploading target lists. It is also important to consider other tools that have access to your LinkedIn data, including optimization and data visualization software.

Risk Mitigation

As with most advertising platforms, there are steps that can be taken to mitigate risk and to protect your users’ data as much as possible. Some good rules of thumb are to limit conversion pixels as much as possible, consider a server-side tagging strategy, and to ensure that you are not using predatory tactics to reach people with a specific condition or disease.

As with anything HIPAA-related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible.  


Pro Tip:

It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Not sure how to get started?

Hedy & Hopp has already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. Give us a call – we’d love to help!


This week, we’re taking a closer look at YouTube – both the advertising side and embedding videos on a website.

What Is YouTube Advertising?

YouTube is a powerful tool that can be used for marketing in a variety of ways. It has over 2 billion active users, making it a great way to reach a large audience with your messages. You can target your YouTube ads to specific demographics, interests, and behaviors, ensuring that your messages reach the right people.

YouTube is a visual platform, so it’s a great way to create engaging content that will capture people’s attention. By creating high-quality, informative videos, you can build trust and credibility with potential patients. You can also use YouTube to drive traffic to your website by embedding your videos on your website or by linking to your website in your video descriptions.

Here are some specific ways that healthcare businesses can use YouTube for marketing:

  • Create educational videos to educate potential patients about your services or about health topics in general.
  • Share patient testimonials to show potential patients that your services are effective and that they can trust you.
  • Host Q&As to connect with potential patients and answer their questions about your services or where to find support.
  • Promote your YouTube channel on other channels to encourage new audiences to subscribe.

This type of advertising, outbound marketing, is often used in conjunction with search ads, a form of inbound marketing from Bing or Google, whose compliance we have covered in previous posts.


Pro Tip:

YouTube does have specific guidelines around advertising in healthcare. Most notably, companies promoting pharmaceuticals & addiction services must be verified through LegitScript in order to advertise on YouTube’s platform.

What Data Does YouTube Advertising Collect?

Similar to Google Ads, YouTube relies heavily on the user being signed into their Google Account (which automatically becomes their YouTube account) in order to track behavior across a wide range of touchpoints. This means that YouTube collects the following data on its users:

  • Device information: This includes your device’s IP address, operating system, and browser type.
  • Search history: This includes the keywords you’ve searched for and the websites you’ve visited.
  • Ad interactions: This includes whether you’ve clicked on an ad, how long you’ve viewed an ad, and whether you’ve taken any other action after seeing an ad.
  • Location data: This includes your approximate location based on your IP address.
  • Session data: This includes your web browsing history.


Additionally, even just embedding a YouTube video on a website could be cause for concern, as the iframe sends information back to DoubleClick, the base advertising platform that Google uses. This means that users watching a YouTube video embedded on a third party site could have that video’s contents tied to their Google profile, which could potentially reveal sensitive health information about that user.

Is YouTube Advertising HIPAA-Compliant?

After the updated guidance from the Department of Health and Human Services was released, things haven’t exactly been black and white as far as whether or not this crosses a line, but from our perspective, YouTube advertising is certainly one that your team should think critically about, especially when you consider the long list of Google’s subprocessors, who could potentially have access to any and all data collected. This is especially true if you’re adding a Google tracking pixel to your website. 

Furthermore, there are also some tactics available in YouTube Advertising that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing and lookalike audiences. It is also important to consider other tools that have access to your YouTube data, including optimization and data visualization software.

Risk Mitigation

As with most advertising platforms, there are steps that can be taken to mitigate risk and to protect your users’ data as much as possible. Some good rules of thumb are to limit conversion pixels as much as possible, consider a server-side tagging strategy, and to ensure that you are not using predatory tactics to reach people with a specific condition or disease.

As with anything HIPAA-related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible.


Pro Tip:

It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Not sure how to get started?

Hedy & Hopp has already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. Give us a call – we’d love to help!


Is Meta (Facebook, Instagram & WhatsApp) Advertising HIPAA-Compliant?

What Is Meta?

Meta, the parent company of Facebook, Instagram, and WhatsApp, is a leading force in social media. Its platforms are used by billions of people around the world, making them a valuable tool for marketing in nearly all industries, including healthcare.

While Meta offers several services for businesses including business pages, groups, and other options to expand organic reach, this article will focus on the advertising side of Meta.

Meta’s advertising platforms offer a variety of features that make them well-suited for marketing, including:

  • Targeted advertising: Meta’s advertising platform allows businesses to target their ads to specific demographics, interests, and behaviors. This ensures that businesses reach the right people with their marketing messages.
  • Engaging content: Meta’s platforms are designed to be engaging, with features like video, images, and live streaming. This makes them a great way to connect with customers and build relationships.
  • Data-driven insights: Meta provides businesses with data-driven insights that can help them track the performance of their marketing campaigns and optimize their strategies.

As a result of these factors, Meta’s platforms are a popular choice for marketing in a wide range of industries, including healthcare. Healthcare businesses can use Meta’s platforms to reach a large audience, or a more refined, targeted audience.

This type of advertising, outbound marketing, is often used in conjunction with search ads, a form of inbound marketing from Bing or Google, whose compliance we have covered in previous posts.


Pro Tip:

Meta does have specific guidelines around advertising in healthcare. Most notably, companies promoting pharmaceuticals & addiction services must be verified through LegitScript in order to advertise on Meta’s platform.

What Data Does Meta Collect?

Of all of the platforms you may be using, it’s possible that Meta is the one collecting the most information about your users. This is largely because users who see your ads are already registered users of Meta’s platforms, meaning that Meta has extensive profiles on each customer, even before they may view your ad. 

  • Information about users from their profiles: everything the user has added or posted, their activity on social media platforms, their friends, likes, groups, and browsing history on sites that have a Meta Pixel installed.
  • Device information: This includes your device’s IP address, operating system, and browser type.
  • Ad interactions: This includes whether you’ve clicked on an ad, how long you’ve viewed an ad, and whether you’ve taken any other action after seeing an ad.
  • Location data: This includes your approximate location based on your IP address.

More data can be collected if you have a Meta Pixel installed on the site that your ads are driving to. This pixel links events and conversions on your website to specific ads, as well as specific user profiles. Some of that data can even be passed through the click-through URL, meaning that data is shared with your analytics platform, such as Google Analytics.

Is Meta Advertising HIPAA-Compliant?

After the updated guidance from the Department of Health and Human Services was released, there were two notable companies that faced scrutiny from the FTC, both of which were using Facebook marketing tactics. BetterHelp and GoodRx both settled for large sums after these allegations surfaced. The scariest part? They were using Facebook and Instagram ads in very common use cases. And while compliance isn’t really a black & white concept, from our perspective, Meta is a very risky platform that should be among the first platforms marketers evaluate. 

Furthermore, there are also some tactics available in Meta Advertising that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing and lookalike audiences. It is also important to consider other tools that have access to your Meta data, including optimization and data visualization software.

Risk Mitigation

Some risks can be mitigated in Meta ads by taking advantage of options to enhance data privacy. These options include never using remarketing audiences and foregoing the Meta Pixel. This could disrupt how you’re currently evaluating marketing effectiveness, so if Meta is a platform you must keep to grow your business, there are ways to still leverage this channel with limited data sharing risks.

As with anything HIPAA-related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible. 

Pro Tip:

It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Not sure how to get started?

Hedy & Hopp has already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. Give us a call – we’d love to help!


Is Google Ads Compliant?

What Is Google Ads?

Google Ads is a pay-per-click (PPC) advertising platform that allows businesses to display their ads on Google’s search engine results pages (SERP) and other Google properties, such as YouTube and Gmail. When someone searches for a keyword that is relevant to your business, your ad may appear at the top of the search engine results page. You only pay when someone clicks on your ad, so you can control your advertising budget. Google Ads offers a variety of ad formats, including text ads, display ads, video ads, and shopping ads. You can also target your ads to specific demographics, interests, and even locations.

Healthcare marketers can use Google Ads to reach the following audiences:

  • Patients who are searching for information about specific health conditions. These patients are likely to be in the early stages of their research, so they are open to learning about new products and services.
  • Doctors and other healthcare professionals who are looking for new products or services. These professionals are often looking for ways to improve the care they provide to their patients, so they are a valuable target audience for healthcare marketers.
  • Patients who are considering making a purchase or making an appointment. These patients are already in the decision-making process, so they are a key audience to market to.

Pro Tip:

Google does have specific advertising policies that apply to some Healthcare products and services including pharmaceuticals, speculative and experimental medicine, clinical trial recruitment, health insurance, and addiction services. In order to advertise pharmaceutical products or addiction services, a LegitScript certification is required. In order to advertise health insurance, a G2 certification is required.

What Data Does Google Ads Collect?

Google Ads collects a variety of data about its users, including:

  • Device information: This includes your device’s IP address, operating system, and browser type.
  • Search history: This includes the keywords you’ve searched for and the websites you’ve visited.
  • Ad interactions: This includes whether you’ve clicked on an ad, how long you’ve viewed an ad, and whether you’ve taken any other action after seeing an ad.
  • Location data: This includes your approximate location based on your IP address.
  • Session data: This includes your web browsing history.

Additionally, Google Ads can collect personal information, including names, email addresses, phone numbers, and location data when using Enhanced Conversions and Customer Audience Data Imports.

Is Google Ads HIPAA-Compliant?

According to the updated guidance from the Department of Health and Human Services, there isn’t a clear yes/no answer. However, knowing that Google Ads will not sign a Business Associate Agreement (BAA), we think using Google Ads, specifically when using conversion tags, does pose a risk.

Furthermore, there are also some tactics available in Google Ads that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing and lookalike audiences. It is also important to consider other tools that have access to your Google Ads data, including optimization and data visualization software.

Risk Mitigation

As with anything HIPAA-related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible. Some risks can be mitigated in Google Ads by taking advantage of options to enhance data privacy. These options include using server-side tagging; never using audience imports, remarketing audiences, or enhanced measurement; and not tagging pages that could potentially pass PII/PHI in URL parameters.




Are Microsoft Ads Compliant?

What Are Microsoft Ads?

Similar to Google Ads, Microsoft Ads is a pay-per-click (PPC) advertising platform that allows businesses to reach their target audience on the web, on mobile devices, and in apps. Microsoft Ads offers a variety of ad formats, including text ads, display ads, and video ads.

Healthcare marketers can use Microsoft Ads to reach a variety of audiences, including:

  • Patients who are searching for information about specific health conditions
  • Doctors and other healthcare professionals who are looking for new products or services
  • Patients who are considering making a purchase or making an appointment

What Data Does Microsoft Ads Collect?

Microsoft Ads collects a variety of data about its users, including:

  • Device information: This includes your device’s IP address, operating system, and browser type.
  • Search history: This includes the keywords you’ve searched for and the websites you’ve visited.
  • Ad interactions: This includes whether you’ve clicked on an ad, how long you’ve viewed an ad, and whether you’ve taken any other action after seeing an ad.
  • Location data: This includes your approximate location based on your IP address.

Microsoft uses this data to serve ads that are relevant to your users, track the performance of ad campaigns, and improve its own ad platform’s performance.

You can see a full list of the data collected and accessed through the UET tag in their privacy section (“What data does UET collect once I install it on my website?”), but that list will get longer with the new UET update set for June 29.


Additional Considerations

There are some tactics available in Microsoft Ads that aren’t unique to that platform but are never HIPAA-compliant. These include remarketing and lookalike audiences. Conversion pixels also may render your ads non-compliant, depending on their usage. It is also important to consider other tools that have access to your Microsoft Ads data, including optimization and data visualization software.

Is Microsoft Ads HIPAA-Compliant?

According to the updated guidance from the Department of Health and Human Services, there isn’t a clear yes/no answer. However, knowing that Microsoft Ads will not sign a Business Associate Agreement (BAA) and doesn’t offer the same kind of privacy configurations you can leverage in the Google Ads platform, we think using Microsoft Ads, specifically placing their UET pixel on your website, does pose a risk.

As with anything HIPAA-related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible. It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.


A 3-step guide for navigating tracking and measurement priorities for healthcare marketers

With the new HHS/OCR bulletin surrounding HIPAA guidelines, healthcare marketers who use Google Analytics for measuring digital tactics have had to shift focus from the impending Google Universal Analytics (UA) data retirement (on July 1, 2023) to considering how their current (and future) data is being collected and stored. While Google will keep all UA data for at least 6 months after this date, marketers cannot lose sight of what their plan is for storing this data before it’s gone forever.

The challenge: The HHS/OCR bulletin has many marketers questioning whether they should continue using Google Analytics as their third-party tracking technology at a time when they may still be working on their full migration to GA4 (especially now that Google is automatically installing GA4 for Google Ads conversion tracking) and their plan to store UA data. What do they prioritize? What precautions do they need to take? Who else needs to be involved in the decision?

The bottom line: Regardless of what tracking platform marketers plan to use, UA data IS going away in a few months, and a plan to save and store relevant data must be made and started as soon as possible. 

Our recommendation is to take your UA data storage plan into consideration as you plan to safely and compliantly store and track your future data.

Step 1: Determine the data you need to keep and review on a regular basis

Deciding to keep everything will likely be a challenge for most marketers, unless you have an in-house data engineering team who can store and organize all past UA data into a data lake of sorts. Depending on how large your website is and how far back you want to review data, you could be exporting (literally) millions of rows of data, spread across multiple spreadsheets, making data retrieval and analysis incredibly difficult (if not impossible).

We recommend first determining what data you want to look at on a regular basis, and how it needs to be analyzed to make this data storage process as seamless (and as useful) as possible. For example, if you use mobile vs. desktop traffic to inform your advertising spend, you’ll want sessions by device saved by week or month. However, if you really only reference mobile vs. desktop traffic to understand trends over time, you likely only need sessions by device by year. Moving a dimension to yearly will likely save you thousands (if not tens of thousands) of rows of data to later have to sort through and aggregate.

Doing this step first will also help you better evaluate your options for tracking and storing data in the future – it’s a good exercise (and discipline) to root your organization on the data that really matters and have a plan in place to retrieve it easily.

Where do I begin?

When considering what’s important, always begin with your business objectives and the website KPIs you’ve established to measure success. If you have not done so already, start this discussion today and include your marketing, sales, IT teams and leadership if needed, to ensure you’re not leaving out any core metrics that other departments require to determine success or opportunities.

Step 2: Determine where UA data will be stored and how it must be accessed

Since this data will no longer be available in your Google Analytics account, the data you want to keep will need to go somewhere. This is where your technical and IT teams come into play. As long as it’s useful and works for what you need, we recommend sticking with whatever system you have in place for future data tracking and storage (see Step 3!) instead of building something separate.

A few options for storing this data include Google’s BigQuery, Amazon Web Services (AWS), or even spreadsheets with pivot tables, if you don’t have a lot of data.

Next, think about how you want to access this data (and who else will need access). Tools like Looker Studio, Tableau or Power BI can be really helpful in aggregating and visualizing your core metrics, as they are straightforward and more user-friendly than complex servers that may require a more technical or experienced hand. Setup and maintenance is fairly simple once you have your core metrics and KPIs established (remember Step 1!).

Finally, test, test, test! Once your data has been stored and accessible, it’s important that you play around with it to make sure you have the right dimensions and filters available. Do this before the deadline to avoid any gaps or issues in future reporting and analysis!

Not sure if you have the right data? Here’s a tip: find a recent request from a colleague and try finding the answer in an older time frame from the UA data you stored. Were you able to access that data? Any missing information? Was there any additional or manual work you needed to do to find the answer?

Step 3: Determine how you’re going to track and store your data (in a compliant way) moving forward.

You can learn more about Hedy & Hopp’s guidance for understanding the new guidelines and ways to make tracking compliant here. But the key things that matter for storing and accessing UA data relate to where your data can be stored moving forward in consideration of your success metrics (see Step 1).

For marketers currently using Google Analytics, we see a few options:

  • Continue using GA4/GTM, but move to server-side storage (or other tracking technology) (best for companies that have an in-house IT/data engineering team and are comfortable with GA4)
  • Continue using GA4/GTM and implement a cloud-based tag manager or buffer (called a Customer Data Platform, or CDP) that will sign a BAA and only pass non-IHII data to third parties
  • Remove Google Analytics completely and implement a new tracking mechanism – either self-hosted OR with a company that will sign a BAA (i.e., Piwik PRO)
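The Google Ads risk-mitigation advice earlier on this page (server-side tagging, and not tagging pages that could pass PII/PHI in URL parameters) and the CDP/buffer option in Step 3 describe the same mechanism: a filter you control sits between your site and the vendor and forwards only what you allow. What follows is an added illustration of such a filter, not code from Hedy & Hopp, Google or any CDP vendor; the payload shape follows the GA4 Measurement Protocol, while the field names treated as identifying, the PII key list, the event-parameter allow-list and the sample hit are assumptions constructed for this example.

```javascript
// Added illustration (not the post's, Google's or any CDP vendor's code): a minimal
// server-side "buffer" that sanitizes an analytics hit before forwarding it. The
// identifying field names, PII key list and allow-list below are assumptions.

// Query-string keys that commonly carry PII/PHI (constructed list; extend per audit).
const PII_QUERY_KEYS = new Set(['email', 'phone', 'tel', 'name', 'first_name',
  'last_name', 'dob', 'mrn', 'patient_id', 'ssn', 'zip']);

// Value shapes that signal PII even under an innocuous key.
const PII_VALUE_PATTERNS = [
  /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/, // e-mail address
  /\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b/,              // US phone number
];

// Top-level hit fields that identify a device or person; never forwarded (assumed names).
const IDENTIFYING_HIT_FIELDS = ['ip_override', 'user_id', 'user_data'];

// Event parameters the vendor may receive (assumed allow-list); anything else is dropped.
const EVENT_PARAM_ALLOWLIST = new Set(['page_location', 'page_referrer', 'page_title',
  'engagement_time_msec', 'session_id', 'transaction_id']);
const URL_PARAMS = new Set(['page_location', 'page_referrer']);

function looksLikePii(value) {
  return PII_VALUE_PATTERNS.some((re) => re.test(String(value)));
}

// Removes PII-bearing query parameters and the fragment from a URL. Returns the
// scrubbed URL plus the dropped keys; an unparseable URL is replaced, not forwarded.
function scrubUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { url: '', dropped: ['<unparseable>'] };
  }
  const dropped = [];
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (PII_QUERY_KEYS.has(key.toLowerCase()) || looksLikePii(value)) {
      url.searchParams.delete(key);
      dropped.push(key);
    }
  }
  url.hash = ''; // fragments can carry form state; never forward them
  return { url: url.toString(), dropped };
}

// Sanitizes one hit: strips identifying top-level fields, keeps only allow-listed event
// parameters, scrubs URL-valued ones, and returns an audit trail of what was removed.
function sanitizeHit(hit) {
  const removed = [];
  // client_id is a pseudonymous cookie value; whether it may pass is a legal/risk-tier call.
  const clean = { client_id: hit.client_id, events: [] };
  for (const field of IDENTIFYING_HIT_FIELDS) {
    if (field in hit) removed.push(field);
  }
  for (const event of hit.events || []) {
    const params = {};
    for (const [key, value] of Object.entries(event.params || {})) {
      if (!EVENT_PARAM_ALLOWLIST.has(key)) {
        removed.push(`${event.name}.${key}`);
      } else if (URL_PARAMS.has(key)) {
        const { url, dropped } = scrubUrl(value);
        params[key] = url;
        dropped.forEach((k) => removed.push(`${event.name}.${key}?${k}`));
      } else if (looksLikePii(value)) {
        removed.push(`${event.name}.${key}`);
      } else {
        params[key] = value;
      }
    }
    clean.events.push({ name: event.name, params });
  }
  return { hit: clean, removed };
}

// Constructed sample: a form-confirmation page view that leaks the submitted e-mail
// and phone number through the URL, plus a user ID and IP address in the payload.
const SAMPLE_HIT = {
  client_id: '1234567890.1700000000',
  user_id: 'portal-user-4411',
  ip_override: '203.0.113.10',
  events: [{
    name: 'page_view',
    params: {
      page_location: 'https://example-clinic.test/thanks?email=jane%40example.com&utm_source=google&t=5551234567#step3',
      page_referrer: 'https://example-clinic.test/find-a-doctor?specialty=oncology',
      page_title: 'Thank you',
      engagement_time_msec: 1200,
      form_name: 'Jane Doe intake', // not allow-listed, so dropped
    },
  }],
};

console.log(JSON.stringify(sanitizeHit(SAMPLE_HIT), null, 2));
```

The `removed` list is the part worth keeping in your own logs: it shows which pages and forms are leaking identifiers into URLs, which is what needs fixing at the source.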

Throughout the decision-making process it’s important to consider how your new setup can account for past analytics data storage, too, if possible. Ideally, the quicker solution for UA data will also be a compliant one.


Where do you go from here?

If this seems doable, great! Our hope is that this 3-step guide will help you stay on top of what’s coming and feel confident that you know what needs to happen and who to involve in your organization.

However, there is a LOT to think about, and we know that you may need to shift focus to other priorities. If you are feeling overwhelmed, don’t have the time, or are just not sure how to start, please reach out to us! We’d love to help you evaluate your current set up and get you on the right path forward.

Following Jenny’s two-part series on the new HHS bulletin and the FTC’s recent actions, featuring two experts, she recaps the discussion and gives a broad overview emphasizing the most essential parts you need to know.

She discusses what compliance used to mean, what you could be doing unknowingly that is considered sharing data, and the reasoning behind the fines levied against GoodRx and BetterHelp.

She digs into what shifts organizations can make to their analytics and marketing to become compliant but continue marketing campaigns to service prospective patients.

Finally, the episode wraps up by explaining the three-part program that Hedy & Hopp is using to help healthcare companies across the United States become more confident in their marketing and technical work with these shifting rules.

Interested in working with Hedy & Hopp on a privacy compliance program?

Book time with Jenny today.


Jenny: [00:00:00] Hi, friends. Welcome to today’s episode of We Are, Marketing Happy, a healthcare marketing podcast. 

I’m Jenny Bristow, and I’m the CEO of Hedy and Hopp, a healthcare marketing agency. We’re a full service agency, but we’re really nerdy and great at marketing and analytics. Our history as an agency has been always be really analytics focused, helping our clients be compliant. 

But as many of you know, the FTC and HIPAA goalposts have recently moved, and so we’ve done a two-part series – an attorney’s point of view and a marketer’s point of view on all of the recent shifts. 

So today I just wanted to do a quick 101. If you only have five minutes (let’s hope I can keep it to five minutes because I’m quite verbose) but if you only have five minutes to understand what’s going on and why people are so concerned right now, let this be the five minutes that can help educate you. 

So I’m gonna walk through a couple of things. First of all, let’s talk about what being [00:01:00] compliant used to mean. My agency has been around for almost eight years, and we’ve always been helping healthcare organizations become what at that point, was believed to be HIPAA compliant, following all of the rules and guidelines set forth with HIPAA.

What did that mean? Well, we worked with an attorney and they helped create guidelines, again, based off of the interpretation of what HIPAA was trying to say through the lens of digital marketing. Most of what internal legal teams were focused on were around the clinical settings, not so much around marketing. 

Many marketing teams we began working with eight years ago had never chatted with their internal legal teams about the things they were doing and how to be compliant. So some things that we began doing right off the bat and the things we’ve been doing with our clients up until now:

Number one – Not collecting or obfuscating the IP address whenever possible. So with Google Analytics, for example, turning it where it does not collect the IP address. 

Number two – [00:02:00] not doing super specific retargeting. If an organization wanted to do retargeting, let’s say for example, a local children’s hospital wanted to do it, you could do retargeting at a brand level, but not specific to the pages of the site that they visited.

So not specifically around pediatric cancer, pediatric eye care, etc. It’d have to be at that brand level. 

Our organization also made sure not to capture or touch PHI. Every team member goes through HIPAA training to be able to understand HIPAA as well as identify PHI as we’re doing marketing campaigns for our clients.

And then we also always avoided signing BAAs because again, if we weren’t purposefully touching or collecting PHI, our organization didn’t need to do that. 

So what has changed? Two things happened. We’re gonna break it into the FTC and then we’re gonna break it into the HIPAA side. 

So FTC is really going after those healthcare adjacent organizations, so not necessarily [00:03:00] organizations that have to comply with HIPAA, but organizations that are healthcare adjacent. 

With this tech boom, in the healthcare space, there are tons of companies popping up that are dealing with patients, yet are not covered entities. So FTC is specifically going after folks because they are selling data to third parties without consent.

Now, hard stop. 

Many organizations do not realize they are selling data to third parties. The way that this is being interpreted by the FTC is if a Meta pixel is on your website and you’re sharing your patient’s information or user’s information with Meta/Facebook in order to understand conversions for ads, that is consideration legally, that is considered selling the data in exchange for getting something in return, which is that conversion data.

So, they also believe that disclosing that you’re selling the data [00:04:00] to meta in exchange for conversion data, the average consumer would not agree to that. So you can’t slap it onto your new privacy policy saying that, hey, by the way, we’re giving your information to Meta thanks, hit okay. You can’t just add it on there and think that you’re going to be okay.

So that is what is behind both the BetterHealth and the GoodRx fines. So both of them, and you can go online and you can read all of the language. The FTC basically said, hey guys, you sold your customer’s information to Meta. 

And both GoodRx and Better Health said we believed we were following marketing best practices. Everybody does this. It was considered okay, but fine. We’ll pay a fine. 

I actually will second that. Everybody in the industry believed this was okay. So this is a, a goalpost that has been moved. And so it’s really helpful to understand the history behind that. So at this point, third party pixels of any kind should not be on a healthcare website. 

That could [00:05:00] include tools like Lucky Orange, or CrazyEgg or any user testing tools, any form tracking technologies, any advertiser pixels. None of those should be on your website as a result of these FTC fines. Now let’s talk about HIPAA. So OCR and HHS submitted a bulletin in December, not a new law, a bulletin, which is their interpretation of the law, and a little bit of clarification that did a couple of really important key things.

First, it defined an IP address as PHI. It was very vague before and many attorneys that I talked to said, well, if you wanna be conservative, let’s say an IP address is PHI. So that’s what we had always done. But the average marketer and what HIPAA had said before did not say the IP address was PHI.

What they also said is that even if you tell a tool not to collect an IP address, if it CAN collect an IP address, like if the tool has the [00:06:00] ability to do that, then you’re not compliant. So all of my marketer friends out there that are currently using Google Analytics or Google Analytics along with Google Tag Manager and have it set up not to collect IP addresses, guess what?

You are not compliant with this new bulletin and you are considered as having a data breach. 

Huge concerns. 99% of the marketers I know in the healthcare space are all using Google Analytics and Google Analytics is not compliant with this new bulletin. The other thing that they clarified is the importance of having a business associate agreement in place with any tech vendor that can see the IP address or device ID or any other individually identifying information, which again, is much more specific in this bulletin.

So Google’s never gonna sign a BAA. Meta is never gonna sign a BAA. And kind of to their credit, if they know that they can’t properly keep data safe with their tech stacks, then good for them, you know, for not just signing one or, [00:07:00] you know, rushing to create a new business unit to serve this. 

So, how can companies be compliant?

How can marketers in healthcare actually be successful with these new guidances from the FTC and with HIPAA? One more thing that I wanna point out is GDPR and state level privacy legislation. So GDPR in general is a European law does not apply to the United States, but the structure of GDPR is really similar to the state level legislation that we’re seeing in California and other states that are proactively pushing state level privacy legislation.

So a lot of our clients are choosing to go ahead and become GDPR compliant, and then just monitor state level legislation. You have to have a certain percentage of your traffic within a state when a state passes state level legislation before you have to be concerned about it. So, it exists and that’s another data and privacy concern. 

But again, we’re really gonna focus on FTC and HIPAA [00:08:00] when we’re talking about how to become compliant with these next couple of minutes. So you really have three options to become compliant. 

Number one – a new analytics tool. Get away from Google Analytics.

Work with an analytics tool that’s willing to sign a business associate agreement. It either can be self-hosted. You host it yourself on your own server or they can host it, but again, you can capture IP address and continue to track your conversions as long as you have a BAA with that company that’s willing to make reassurances to you that they will keep that customer and patient data safe. 

So new analytics, platform. 

Number two – server side tag manager. So this is a great easy solution if you’re already having a lot of dashboards or downstream workflows that feed off of Google Analytics. A lot of folks had just invested a lot of money to move over to GA4, so to move over to another tool, is just emotionally exhausting for a lot of us to think about. With the server side tag management [00:09:00] solution, you can actually set up Google Tag Manager as a server side solution, which is really great. However, again, you have to have the IT infrastructure internally to be able to manage that. Because that’s not something Google manages. You have to have that server and you have to have a BAA with that server company in order to make that happen.

Number three – you can do, I’ll describe it first, a cloud based tag manager/buffer. So the term they’re using is a CDP – a customer data platform. 

But it’s easier to imagine it as like, here’s your website, here’s Google Analytics, and it’s sort of like a little barrier that goes in between. So all the information you’re tracking on your website goes through this barrier, or CDP, and gets filtered and cleaned out, and you monitor and pull what data you don’t want to go into the analytics tools and then you can continue using Google Analytics. 

Again. This middle company will sign a BAA with you. It will really allow you to continue using a lot of your tech stack and continue tracking those [00:10:00] conversions. So, there’s a couple of different things. 

So we, Hedy & Hopp, we have actually partnered with an attorney, his name is Drew Westbrook.

He was on the episode two weeks ago where we were talking about his perspective on the shifts, and we’ve partnered with him to create this three part process where we do an audit, educate, and recommendations for our clients. 

So if you are stuck in a point where your tech team and your marketing team and your legal team are kind of fighting and your legal wants you to remove all your tags and marketing wants to keep doing their work, and you need to come up with a new analytics and marketing strategy, call us! 

We have become experts in this really quickly and have just immersed ourselves in all of the legalities and the technical solutions. We’re helping folks across the country with this. 

So it’s a three part solution. First audit, you look at every single thing you’re doing from an analytics, marketing and CRM database perspective. 

So where and how are you talking to prospective patients online? [00:11:00] Wherever that is, we’ll include it in our audit and we’ll flag all the areas of concern. 

Next is educate. On the educate side, we’re gonna tell you why those things are of concern, why you can’t do them anymore, or how we may need to change them.

And we’re also gonna educate you about the legalities. We have a risk tier model that we’re using to help people kind of figure out where within that sliding scale they wanna be. Do they want a gold star from OCR or are they okay kind of being in the middle? Maybe they feel their organization isn’t really high risk so they’re okay being a little bit riskier in their setup and maybe using some current processes they’re using now without overhauling everything. 

Anyway, we work with them, figure out where they wanna be on that sliding scale, and then create a full recommendations deliverable that then walks through and says, here’s all of the things you need to change with your analytics. Here’s all the marketing tactics you either no longer can do, or how you can do them differently. Here’s how you can track your conversions using this new setup so you don’t lose that [00:12:00] information you need so desperately in order to do your job. 

We absolutely love this work, and are having so much fun because again, at Hedy and Hopp, we’re a full service marketing agency and our passion is improving patients’ access to care.

So it pained us watching all of these healthcare organizations have a knee-jerk reaction and just strip all of their analytics off of their website and stop all of their marketing. Because what that means is when that scared patient goes to Google to be able to find a provider, they’re not gonna be able to find you.

And that for us is really a worst case scenario. So we’d love to be your partner to help make sure your marketing continues and that your legal team feels really comfortable with our recommendations and they understand why we believe they’re compliant, or they are compliant with all of the new and changing landscape.

And then bonus. If you work with us on this program, we will continue to educate you, and inform you as case [00:13:00] law is defined and as the goalposts continue to shift. 

Because again, this is not a once and done conversation, it’s gonna continue changing over the next couple of years. So all of our clients get that added benefit of our education and that existing relationship.

So again, give us a call if you’re struggling with this, we’d love to help you. Again, we’re Hedy & Hopp, a full service woman owned, independent agency. 

We hope to see you again on next week’s episode. Thanks.

Is your team scrambling trying to figure out how to make your marketing analytics setup HIPAA-compliant with the new bulletin? Yep, everyone else is too.

Today, Mark Brandes, Hedy & Hopp’s Director of Analytics and Decision Science, joins the podcast to talk about the huge impact this bulletin from OCR has on healthcare marketers (as well as the FTC’s ruling against GoodRx). 

Mark talks about tools and processes that were considered best practices prior to the OCR bulletin and how our approach to HIPAA-compliant marketing has changed. He talks about the reason why third-party marketing pixels are causing so much concern and are difficult to control. 

Jenny and Mark wrap up the episode by talking about the three-step process Hedy & Hopp are using to help clients become HIPAA-compliant – Audit, Educate, and Recommend. We’re working as a middle ground between marketing and legal teams, making sure both groups get what they need! Listen in to learn more.

This (episode 17) is part two of a two-part series (part 1 is available here)

Jenny: Hi, friends. Welcome to today’s episode of We Are, Marketing Happy, a Healthcare Marketing Podcast. I am thrilled today to welcome one of Hedy & Hopp’s own team members, Mark Brandes. He is our Director of Analytics and Decision Science, and this is part two of a two-part conversation about the crazy bulletin that is shaking up analytics in the healthcare marketing space.

Last week we chatted with Drew, an attorney that specializes in digital health, and has a very deep understanding of HIPAA and the implications of the bulletin. And this week we’re gonna be talking with Mark about real world [00:01:00] implications. How are marketers responding and, what changes and shifts are we seeing today and plan to see over the next coming months? So welcome Mark. Happy to have you. 

Mark: Thanks, Jenny. Glad to be on. 

Jenny: So you’ve been in analytics for a long time. And I say that with love, not calling you old, but I very much appreciate the perspective of people that have been in marketing analytics for a decade, because then you really have seen the shifts over time.

But specifically, let’s say over the last couple of years, what are some standard things that we see when we begin working with a healthcare system or a healthcare provider? Really any covered entities that we work with. What are some standard things that you have seen up until now that they’ve been using from an analytics perspective?

Mark: Yeah. So over the past few years, things have definitely shifted on us. I think the first big domino was probably when [00:02:00] GDPR hit. There was already talk about privacy and patient confidentiality before that. When GDPR hit over in the EU, that’s when people really started to take it seriously that, hey, there’s something going on with this privacy stuff and we need to be careful of what we do.

And so in the states here, it wasn’t our law, so it doesn’t necessarily affect us, but there still was the ripple effect of, well, we should be thinking about this too. And a lot of places already started to proactively kind of take some of those steps, putting up some cookie banners, asking people for consent before they go on the website, letting them know how the cookies are being used.

Some of that already was changing, which was a good step. And then you had some other litigation that, or not litigation, I’m sorry, some other legislation that came in, like the CPPA in California. Then there’s a few others that are in the process of getting put into law now across several different states.

And so all of those are gonna have very similar kinds of things, where you’re gonna need consumer consent, you’re gonna have [00:03:00] to let people know what you’re doing with their data and their information.

Jenny: So that was an excellent overview. Thank you. 

So in general, I will say that if you think about all of the covered entities that we work with across the country, regardless of size, we work with some of the largest hospital systems in the country, all the way down to single- or perhaps multi-location groups.

Almost all of them are using Google Analytics. Almost all of them are using Google Tag Manager. A lot of them are using call tracking software. I mean, one of the things that we all believed to be appropriate – we had received a legal opinion that we were using to implement according to the perceived HIPAA best practices – was that if you obfuscate or do not allow the tool to collect the IP address, that would be considered compliant.

With HIPAA’s new guidance and this bulletin, that’s not the case anymore. And so can you walk through a little bit what that implication is as far as how the [00:04:00] tools are leveraged or why that’s gonna be very difficult to continue using something like Google Analytics? 

Mark: Yeah, definitely. That OCR guidance that just came out was the next seismic shift for us in the digital marketing landscape.

One of the big things they said was really, it was even about passing personal health information. So not only identifiable stuff, but just passing health information seems to be a HIPAA violation based on this guidance. So one of the things that we’ve really focused on was, on some of our clients’ websites, even a page that talks about a specific ailment or a specific diagnosis, tracking a page view could be seen as a HIPAA violation now based on this guidance. And so that’s a really interesting shift. Before now it was kind of common to just put the page view tag on the website across all the pages so you can track them all and see how people are looking at them, what the volume is.

And now, you’re probably gonna have to be a little more careful about what pages you’re putting these on. It specifically called out things like login pages, anything [00:05:00] after a login. So anything after a user’s been authenticated. Those definitely seem to be off limits at this point. But even some of the non-authenticated pages, like I mentioned, you’re gonna have to be careful where you’re putting stuff.

So certain forms that get submitted, if they’re on a certain page, even if you’re not collecting what’s on those forms, like what’s in them, the fact that they were submitted on that page would indicate that the user was interested in that information, and therefore that could be seen as some PHI that you’re providing to that other software.

So that’s one of the big shifts that’s happened. And I think the biggest thing is it came kind of outta nowhere. It was kind of a surprise to us. There was legislation that we were seeing moving through the system, and we were watching it and seeing what the impact was and we could prepare for it.

Because HIPAA was already in place and this guidance has just kind of adjusted how we look at that and what it applies to, I think everybody was taken by surprise a little bit. So I think there’s been a lot of scrambling. So some of the software that we’ve been really comfortable with, like Google Analytics, [00:06:00] like Google Tag Manager, or even some CRM tools, right?

Or some of our platforms that we use, Facebook, Google Ads, Twitter, things like that. Those pieces of software that we were kind of comfortable using, passing data to them, using that to optimize our own campaigns. A lot of that has become a little hazy now about what we can and can’t do. 

Jenny: Yeah, let’s talk about third party pixels, because we saw the FTC levied a huge fine against GoodRx, who is not a covered entity, by the way, but they are still in the healthcare space.

So it again calls out the importance of paying attention to the safety and concern of patient data, regardless of whether you’re a covered entity or not. But they got in trouble for having Meta pixels on their website. And they actually, in the settlement, said that they were willing to pay the fine, but they still believed they were following marketing best practices by having those pixels on.

Jenny: Talk to me a little bit about how third party pixels work. Like if you’re [00:07:00] explaining it to a super non-technical person, which I think is one of the big difficulties that marketers have when working with their internal legal teams, is explaining how pixels work. So give that to us a little bit, if you don’t mind.

Mark: Yeah, definitely. The GoodRx one in particular was quite interesting to me. Because if you were to read what GoodRx’s response was to that, it sounded like any company you could pick across the states, that’s exactly what they would be saying as well, right? Like, we did this, it was best practice, we didn’t do anything out of the normal.

It’s just all of a sudden you’re telling us it isn’t okay to do that anymore. So, it was really interesting seeing that. What’s tough is that if you look at the way, I can’t remember what the name, what’s the name of this? The entity, not the OCR?

Jenny: The FTC.

Yeah. 

Mark: FTC. Yeah. So if you look at what came across, what they said was that GoodRx had shared all this private information. They’ve done all this, and what’s tough is that it’s tough to find out where the truth is in that, [00:08:00] because I don’t think GoodRx was intending to do that, at least based on their response.

But because of the way some of these pixels work, they almost feel like black boxes, so to speak. You put that pixel on and your intention is that you’re sharing, hey, this random user clicked on my ad. They did my conversion. That’s great. Let Facebook know that, or let Google Ads know that, so that Google Ads can then optimize your campaigns.

But what’s interesting is when you actually think about, well, what does that optimization mean, typically it means, well, that person did it, so I’m gonna find more people like that. And in order to do that, then the service has to know something about those people, about what they’ve been doing, what sites they’ve been on, who they are.

And so once you start thinking about kind of the mechanics that go into that, it’s like, oh, I guess they are providing some information. And again, I think most places are doing that with the intention of just, I wanna make sure that I get to the people that want my [00:09:00] stuff. I don’t wanna just be spraying it out and spamming people.

Mark: I want to get to the people that really need it. I think about a place like an addiction treatment service or something like that. Sure, you’re trying to send out some information, some marketing to let people know, hey, this service is out there. If you’re struggling, we’re here to help you. But without the kind of data that you need to really target in on people that may be struggling, people that may be needing help with that, you could end up sending that message to a bunch of people.

And a lot of those places, especially some of these small healthcare entities, don’t really have the budget to just spray it out to everyone. Right. It’s not the Mad Men days where we can just kind of have huge unlimited budgets.

So really it was more about us trying to focus in on the people that really need our help. It wasn’t anything nefarious necessarily, but what happened and what we realized was that Facebook could take that information that we figured was innocuous and turn it into something worse because of what they’re doing on their end.

Mark: And so then unfortunately through that process we have to realize, oh, well maybe we can’t share [00:10:00] this. Maybe we can’t share that. And I think that’s where a lot of this is coming from. Some work has been done. What’s tough is that, like I mentioned, those pixels are really black boxes.

Sometimes it’s just this little tiny one by one pixel that gets sent. But because you open that window, it has access to a lot of other things. What your browser stuff is, the history of your browser. Well, not history. I’m sorry. 

Jenny: If you’re logged into the browser, it would have a lot of information. 

Mark: If you’re like logged into Chrome, then it has all of that history that could be tied to it. Like for Google. Yeah, exactly. What your settings are, those kinds of things. Yeah. We would have access to that kind of stuff.

And so because of that, even opening that window, there are some issues there, and some of that is because we have to go through browsers. And so because we’re using those browsers, there are some ways around that. Some companies are coming up with APIs where we can pass stuff through APIs instead.

Mark: So we’re kind of bypassing the browser, but that still doesn’t get around the fact that [00:11:00] we’re still providing information to that third party about that user. So there’s all this gray area, and what’s tough is we really need some of these software companies to actually help us out. Their best interest is making money for their company, and data is huge business right now.

And so it’s kind of not in their best interest to help us kind of protect those users. Now we have seen some companies trying to help us with that. Recently I heard that LinkedIn is trying to make some updates about their group policy, who they share their ads with, stuff like that.

Mark: So I think, I’m hoping that some companies start to come around and help us out with this. But some of these companies are so big that I don’t think that’s one of their priorities. So then unfortunately that onus shifts to the individual users who are setting this stuff up. And so we have to just figure out how to protect ourselves when we can’t rely on those companies to actually protect us.

Jenny: Yeah, that’s such a great point. And I think it’s interesting too, like Google is so large, but I [00:12:00] think their days of being the front runner in innovation are behind them. So expecting them to respond as quickly as smaller companies can, to be able to capitalize on this opportunity to begin billing a lot of healthcare organizations that have previously been using their services at no cost, it may take a lot longer for them to respond than it would have a few years ago.

So, one of the things I’ve been really proud about at Hedy & Hopp is the way that we’ve been responding to this. So, we like to say Pivot with Positivity because you never know what’s gonna happen next in healthcare marketing.

But we partnered with Drew Westbrook to be our legal counsel and we’ve developed three tiers of risk, and a great three-step process that allows our clients to work with us to really bridge the gap between their internal legal teams and what the marketing team wants to do.

The biggest thing that we hear from people is a general frustration, because legal doesn’t wanna be the bad guys, right?

Jenny: They don’t wanna come in and say, stop all marketing that you’re doing. But they also need to make sure that they’re [00:13:00] compliant and protecting their organization. And so there’s typically this really big gap within organizations of what legal understands as far as what marketing is doing and what marketing understands as far as what legal’s trying to accomplish.

So with this three step process, we’ve really been able to bridge that gap successfully over the last couple of months since this bulletin came out, and we are really excited to help more organizations do it. 

So it’s a three-step process. The first step is audit. We go in and do full documentation around all of the analytics tools, marketing tactics, CRM databases, anywhere prospective patients are touched or engaged with – all of that’s documented.

We then educate our clients about the three tiers of risk and help their legal team decide where they feel comfortable being within that three-tier setup. And then we do a formal recommendation according to their chosen level of risk, based off of the implementation that we recommend and changes to their marketing tactics based off that chosen level of risk.

So I’m really [00:14:00] excited about what we’re doing right now, but can you explain a little bit about those three levels, or those three tiers of risk? Like why would one organization maybe choose one, whereas another organization might feel comfortable choosing another one?

Mark: Yeah, definitely. And, I will start off with that audit you talked about.

So that’s a really big one. I think one thing people don’t understand is there are cases where your website, you may think that it’s not, but it’s passing PHI. That audit will really help you understand that. Maybe there’s things where people could have a login page or they could have a form submission.

And while you’re not grabbing anything from those forms, there are times where your website is designed so that on the next page it passes stuff through the URL, and like we’ve mentioned, usually we set up page view tags to just grab all page views. So then when that stuff gets put in the URL, it’s not a good setup. We had this happen with a client not too long ago.

Their site was designed so the stuff got put into the URL, so they were capturing actual email addresses and [00:15:00] sending them to Google Analytics without meaning to at all. And so the audit will catch those kinds of things, and I think that’s really helpful. I think then what that leads into is the tiers you talked about.

Because once we kind of know some of those things, some of those issues you might be having, we can really determine whether you’re kind of high risk, whether you’re low risk. And that’s really what we’re looking for. So for example, in the audit, we may find that you have a lot of content on your site that’s very specific.

It talks about specific diagnoses or specific ailments. And so because of that, we would realize, oh, that may be a little more high risk. We may want to be concerned about passing that and stuff to Google Analytics. And so that’s something we can then bring to those tiers to kind of understand, okay, we might put you guys in this kind of higher risk tier because of all that content. But we may find sites that are a little more generic, not in a bad way, but more that they’re talking about different plans you can sign up to or some [00:16:00] different information that will be in their newsletter.

So here’s the types of stuff we give you. Those kinds of things and those pages we believe wouldn’t actually cause any issues. So then that can be kind of a low risk. So it’s us looking through that site, looking through your kind of digital properties to understand where those things are.

And after talking to Drew, using his best judgment on kind of where would that fit.

So if you have pages that are about a lot of specific ailments or diagnoses or diseases, whatever, that could be seen as that [00:17:00] PHI that we discussed, so then we could kind of put you into that more high risk kind of a bucket. Whereas if you have a more general site, speaking about general information, so here’s stuff that we can send to your newsletter, stuff that you’d get on a monthly basis, like that kind of general stuff is not going to be seen as bad.

Are you talking about your different plans you have available? Different features or services for different things? None of that is gonna be seen as PHI. So then we can put that kind of stuff in low risk. So depending on what kind of site you have, then we can kind of understand where we should go, where we should not.

The other part of this is you mentioned legal. And so that’s an interesting conversation where there’s going to be a lot of gray area, some room for kind of interpretation, so to speak. I think we’re gonna find that some companies are gonna feel like, oh, we’ve gotta shut this down.

Mark: We can’t do any of this. And then we’re gonna have other companies that are gonna say, well, we’re okay doing this. We’re okay doing that because of how we’re [00:18:00] structured in the way that we work. Really we’ve kind of laid that out so that we give kind of an impression of here’s where we think your risk tolerance would lie.

We’ll also speak to your legal team or to your leadership and have them understand, well, here’s where we feel like our risk tolerance is, and finding a nice balance there. So what we’d find is on a high risk tier, or a low risk tolerance, however you wanna put it.

We’d find that like, you’re probably going to not want to just use a general analytics platform like Google Analytics. What we’ve found is that all your analytics platforms, based on the nature of how those work, are really gonna be collecting some of that PHI, the way that they’ve now defined it.

Mark: And so really what you’re gonna have to probably do is find an analytics provider that does sign a BAA with you or allows you to keep your data on your own server so you can protect it, and then really kind of control what goes out the [00:19:00] door. So you can see that with things like server side analytics, some of that may be an option for those kinds of companies.

And then for that low risk tolerance, you’d also probably not do many pixels at all unless you really were confident about what was being passed in that pixel. So we would kind of limit you in what you could do, right? That would be our kind of recommendation and our guidance. Whereas on the higher risk tolerance side, it may be that, okay, we’re all right with using these types of pixels.

But even then we would probably still kind of lean toward, well, let’s not put them on specific pages, right? Let’s not do specific things with those pixels. Let’s just do the bare minimum that we need to really kind of make our marketing work. And what’s gonna be interesting there is that without those official guidelines and with those kind of gray areas and how risk tolerant you are, it’s kind of interesting to determine how your competitive advantage will go up or down based on that, right?

Mark: Because without some consistent enforcement or consistent kind of definition of [00:20:00] some of these things, the companies that feel like they can be more risk tolerant, can kind of maybe have an advantage in the market over some of the others and kind of trying to bridge that gap is gonna be tough. But I think there are creative ways that we can help the low risk tolerance clients still get around and still make it work.

So there’s contextual advertising that we can use. Things like in Google Ads where we can look for other things people have searched and then we can give ads based on those things, right? So instead, we don’t really know anything about them, but we’re using the information they’re providing us at the time to really help them see that yes, we have some options for you.

Mark: So I think there’s stuff we can still do for those low risk tolerance, but it’s definitely gonna be a little bit harder of a road for sure. And then finally, there’s gonna be, like we mentioned, there’s gonna be gray areas. So there’s low and there’s high, and then there’s gonna be a lot of stuff in between.

And so I think we’re gonna have different points of yes, we’re okay using Google Analytics, but no, we don’t want to use these pixels. Or we’d rather just use generic click tracking like a Lucky Orange or Crazy Egg or [00:21:00] something like that, which, we’re still not clear about if that’s passing user information, we think it’s probably okay.

But, again, still gray area and we’re all trying to figure it out right now.

Jenny: I think the thing that is exciting for me, based off of our organization’s passion about improving patients’ access to care, is we’re trying to go in and help both groups be successful, right? Like we want legal to feel comfortable in the tools and processes that marketing is using, so they’re comfortable with the level of compliance.

And we want marketing to continue to be able to do their job and be successful. I think what’s gonna be really interesting is, over the next year, watching as this continues to shift and evolve as case law does come out, to be able to make it a little bit more definitive about how they’re going to be not only truly defining PHI and the importance of BAAs, but then also people’s perceived level of risk, I think, will continue to shift.

Well, thank you so much for being on today, Mark. 

For any of you that are currently [00:22:00] struggling with this, whether you’re on the legal side or on the marketing side, know that we’ll be on your side and we’ll help both groups feel comfortable with solutions.

We’d love to work with you. Give us a call. We have just a couple of additional slots available over the next couple of months to take on some additional clients for consulting work outside of our normal client workload. 

We’d love to work with you and help you solve this problem.

So have a great day and thank you for tuning in.