As a healthcare marketing agency, we get a lot of questions about whether or not certain tools are HIPAA-compliant. That’s why we at Hedy & Hopp decided to create a blog series that dives into common marketing tools and software, one at a time, to determine whether each one poses a HIPAA concern.

This week, we’re taking a closer look at Google Tag Manager (GTM).

What Is Google Tag Manager?

Google Tag Manager, or GTM, is a powerful tool that allows you to track user activity on your website or mobile app with minimal coding knowledge required. By putting one snippet of code on a website, GTM creates a container that can manage all of the various tracking codes on your website. GTM is also a great way to improve your website analytics, track conversions, and retarget visitors (when compliant) from and to a variety of platforms. It’s also a valuable tool for businesses of all sizes, from small businesses to large enterprises.

Here are some of the benefits of using Google Tag Manager:

  • No coding required: You don’t need to be a developer to use GTM. The user interface is intuitive and easy to use for users with basic technical knowledge.
  • Access control and change history: GTM lets you restrict who can edit and who can publish, and it versions every container change, so you can see who added a tag and roll it back. It does not make the tags themselves safer: a custom HTML tag runs arbitrary JavaScript on your pages, so publish rights in GTM are, in effect, the right to run code on your site.
  • Improved collaboration: GTM makes it easy to collaborate with other team members on tag management. You can share tags and permissions with other users, and you can track changes to tag configurations.
  • Scalability: GTM can be scaled to meet the needs of businesses of all sizes. You can add as many tags as you need, and you can manage multiple websites and mobile apps from a single account.

What Data Does Google Tag Manager Collect?

GTM is probably unique in your tech stack in that the container itself does not report analytics data. Instead, it provides a container with easily configurable tags, triggers, and variables that let you control exactly which tracking tools are on your website and what they send back and forth. (Loading the container script from googletagmanager.com is still a request to Google that carries the visitor’s IP address and, depending on the browser’s referrer policy, the page origin or full URL.) Common tags to have in GTM include:

  • Google Analytics: The most popular analytics tool in the world, GA ties directly into GTM with minimal setup.
  • Conversion Tracking Pixels: Google Ads, Meta Ads, LinkedIn Ads, and most other digital advertising platforms can use a conversion tracking pixel on your site to improve ad performance. At Hedy & Hopp, we consider these pixels to be a high risk in terms of HIPAA-compliance, since they share user data with third parties.
  • Engagement/UX tools: Heatmapping tools like Lucky Orange, A/B testing tools like Optimizely, and countless other tools are routinely installed via Google Tag Manager. Heatmap and session-recording tools deserve particular scrutiny, since they capture what a visitor clicks and types, not just which page they viewed.

Is Google Tag Manager HIPAA-Compliant?

A good way to look at GTM through the lens of HIPAA-Compliance is that it can be the vehicle for compliance issues, and that it completely depends on how a specific site is using their tagging setup. A GTM container can manage tags for everything from a Google Search Console verification tag (completely HIPAA-compliant) to a Facebook Pixel that is gathering personal data about users who may be visiting sensitive pages on a site (completely non-compliant!). 

PRO TIP: As a general rule, conversion pixels are concerning in terms of HIPAA-compliance and should be avoided. Learn more about the recent updates in HIPAA guidance by listening to our HIPAA & FTC 101 podcast.

Risk Mitigation

While Google Tag Manager supports some obfuscation options that grant some level of increased data privacy and protection, this is not a watertight approach. Often, the obfuscated data is still being shared with some third party processors. Server-side Google Tag Manager (sGTM) can be a much safer approach, offering more options for data privacy and allowing users to completely control which data is shared (and not shared) with each platform. 
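To show what that control looks like in practice, here is an added example (our illustration for this post, not code from the sGTM product, which implements this kind of logic in its own sandboxed JavaScript templates): a first-party endpoint receives every event from the browser and forwards only an allowlisted subset per vendor, collapsing sensitive page URLs to their section for analytics and dropping ad-platform events from those sections entirely. The event field names, vendor labels and path prefixes are assumptions, and the sample events are constructed.

```python
"""
Server-side event filtering of the kind a server-side tagging endpoint makes
possible: the browser posts every event to a first-party URL, and this code
decides, per vendor, which fields (if any) are forwarded.  Added example; the
event shape, vendor names and path prefixes are assumptions, not sGTM's API.
"""
from urllib.parse import urlsplit

# Site sections whose specific page must never be disclosed to a vendor.
SENSITIVE_PATH_PREFIXES = ("/conditions/", "/patient-portal", "/appointments", "/find-a-doctor")

# Fields each vendor may receive.  Anything not listed is dropped, so the IP
# address, user agent, user IDs and form values never leave by default.
VENDOR_ALLOWLIST = {
    "analytics": {"event_name", "page_location", "client_id", "session_id"},
    "ads_conversion": {"event_name", "conversion_id"},
}

# Vendors that receive nothing at all from sensitive sections.
AD_VENDORS = {"ads_conversion"}


def sensitive_prefix(url):
    """Return the matching sensitive section prefix for a URL, or None."""
    path = urlsplit(url).path
    for prefix in SENSITIVE_PATH_PREFIXES:
        if path.startswith(prefix):
            return prefix
    return None


def redact_url(url):
    """Strip query string and fragment; collapse sensitive paths to their section."""
    parts = urlsplit(url)
    prefix = sensitive_prefix(url)
    path = prefix if prefix else parts.path
    return f"{parts.scheme}://{parts.netloc}{path}"


def filter_event(event, vendor):
    """Return the payload that may go to `vendor`, or None to drop the event."""
    if sensitive_prefix(event.get("page_location", "")) and vendor in AD_VENDORS:
        return None
    out = {k: v for k, v in event.items() if k in VENDOR_ALLOWLIST[vendor]}
    if "page_location" in out:
        out["page_location"] = redact_url(out["page_location"])
    return out


def fan_out(events):
    """Map each vendor to the list of payloads it would actually receive."""
    return {
        vendor: [p for p in (filter_event(e, vendor) for e in events) if p is not None]
        for vendor in VENDOR_ALLOWLIST
    }


# Constructed sample: what a browser-side tag would post to the first-party endpoint.
SAMPLE_EVENTS = [
    {"event_name": "page_view",
     "page_location": "https://clinic.example/conditions/hiv-care?utm_source=mailer",
     "client_id": "1234.5678", "session_id": "9", "ip_override": "203.0.113.7",
     "user_agent": "Mozilla/5.0", "user_id": "mrn-0001"},
    {"event_name": "appointment_request",
     "page_location": "https://clinic.example/thank-you?appt=42",
     "client_id": "1234.5678", "session_id": "9", "conversion_id": "AW-000000",
     "ip_override": "203.0.113.7", "email": "pat@example.com"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(fan_out(SAMPLE_EVENTS), indent=2))
```

The design choice worth copying is the allowlist: the server forwards only what a vendor has a documented need for, rather than trying to enumerate everything that must be removed. The ads platform still learns that a conversion happened, which is what it needs for optimisation, but never which condition page preceded it, the visitor’s IP address, or anything typed into a form.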

If you want to assess your GTM risk in its current setup, a great place to start is by extensively documenting the functionality of each tag in your account: what it sends, to which vendor, and which trigger fires it. From there, you can assess the risks of each tag and make a plan to improve data privacy.
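As an added example (not Hedy & Hopp’s own tooling), the script below does the first pass of that documentation automatically from a container export (Admin > Export Container in GTM) and covers the tag types listed under “What Data Does Google Tag Manager Collect?”: it lists every tag that sends data to a third party, the vendor it goes to, which triggers fire it, and whether it fires on every page, which is the usual configuration for base pixels. The type-code and hostname lookup tables are an illustrative subset, and the container JSON at the bottom is constructed for the example.

```python
"""
Audit a Google Tag Manager container export: list each tag that sends visitor
data to a third party, which trigger fires it, and whether that is every page.
Added example, not Hedy & Hopp's tooling.  The JSON layout (containerVersion
with tag/trigger arrays, the built-in All Pages trigger id) is what GTM's
Admin > Export Container produces; the type-code and hostname tables are an
illustrative subset, and SAMPLE_EXPORT below is constructed for this example.
"""
import json
import sys

ALL_PAGES_TRIGGER_ID = "2147479553"  # GTM's built-in "All Pages" trigger

# Built-in tag types that ship data to an ad platform, keyed by export type code.
PIXEL_TYPES = {
    "awct": "Google Ads conversion tracking",
    "sp": "Google Ads remarketing",
    "img": "Custom image pixel",
}
# Built-in analytics types: send page URL and client ID to Google; review separately.
ANALYTICS_TYPES = {
    "googtag": "Google tag (GA4 / Ads configuration)",
    "gaawe": "Google Analytics 4 event",
}
# Hostnames that give away a third-party pixel pasted into a custom HTML tag.
PIXEL_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "facebook.com/tr": "Meta Pixel",
    "snap.licdn.com": "LinkedIn Insight Tag",
    "px.ads.linkedin.com": "LinkedIn Insight Tag",
    "googleads.g.doubleclick.net": "Google Ads remarketing",
    "static.ads-twitter.com": "X pixel",
}


def _params(tag):
    """Flatten a tag's parameter list into {key: value}."""
    return {p.get("key"): p.get("value", "") for p in tag.get("parameter", [])}


def classify_tag(tag):
    """Return (vendor, reason, severity) for a tag dict, or None if it shares nothing."""
    ttype = tag.get("type", "")
    if ttype in PIXEL_TYPES:
        return PIXEL_TYPES[ttype], f"built-in type '{ttype}'", "high"
    if ttype in ANALYTICS_TYPES:
        return ANALYTICS_TYPES[ttype], f"built-in type '{ttype}'", "review"
    params = _params(tag)
    payload = params.get("html", "") + " " + params.get("url", "")
    for host, vendor in PIXEL_HOSTS.items():
        if host in payload:
            return vendor, f"references {host}", "high"
    return None


def audit_container(export):
    """Return one finding per data-sharing tag, in container order."""
    cv = export["containerVersion"]
    trigger_names = {t["triggerId"]: t.get("name", t["triggerId"]) for t in cv.get("trigger", [])}
    trigger_names[ALL_PAGES_TRIGGER_ID] = "All Pages"
    findings = []
    for tag in cv.get("tag", []):
        hit = classify_tag(tag)
        if hit is None:
            continue
        vendor, reason, severity = hit
        trig_ids = tag.get("firingTriggerId", [])
        findings.append({
            "tag": tag.get("name", tag.get("tagId")),
            "vendor": vendor,
            "reason": reason,
            "severity": severity,
            "triggers": [trigger_names.get(t, t) for t in trig_ids],
            "fires_on_all_pages": ALL_PAGES_TRIGGER_ID in trig_ids,
        })
    return findings


# Constructed sample container: the shape of a real export, contents invented.
SAMPLE_EXPORT = {
    "exportFormatVersion": 2,
    "containerVersion": {
        "tag": [
            {"tagId": "1", "name": "GA4 - Configuration", "type": "googtag",
             "parameter": [{"type": "TEMPLATE", "key": "tagId", "value": "G-XXXXXXXXXX"}],
             "firingTriggerId": ["2147479553"]},
            {"tagId": "2", "name": "Meta Pixel - Base", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html", "value":
                            "<script src='https://connect.facebook.net/en_US/fbevents.js'></script>"
                            "<script>fbq('init','000000000000000');fbq('track','PageView');</script>"}],
             "firingTriggerId": ["2147479553"]},
            {"tagId": "3", "name": "Google Ads - Appointment Conversion", "type": "awct",
             "parameter": [{"type": "TEMPLATE", "key": "conversionId", "value": "000000000"}],
             "firingTriggerId": ["10"]},
            {"tagId": "4", "name": "Search Console verification", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html", "value":
                            "<meta name='google-site-verification' content='abc123'>"}],
             "firingTriggerId": ["2147479553"]},
        ],
        "trigger": [
            {"triggerId": "10", "name": "Appointment form submitted", "type": "FORM_SUBMISSION"},
        ],
    },
}

if __name__ == "__main__":
    # Pass the path of an exported container JSON to audit a real container.
    export = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for f in audit_container(export):
        print(f"[{f['severity']:6}] {f['tag']}: {f['vendor']} ({f['reason']}); "
              f"fires on {', '.join(f['triggers'])}")
```

Treat the output as a starting inventory, not a verdict: a tag the script does not flag (a custom HTML tag for a vendor not in the hostname table, say) still needs a human to read it, and a flagged tag on a single form-submission trigger may be acceptable to your legal team where the same tag on All Pages is not.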

PRO TIP: While server-side tagging is not for everyone and does not eliminate issues associated with third party tracking tags, this approach puts more power in the hands of your team to ensure that you are protecting your users’ data.

Not sure how to get started?

Hedy & Hopp’s Analytics experts can help by auditing your GTM account for you, so reach out if your team is struggling with how to approach what can be quite the can of worms! Our team has already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. Give us a call – we’d love to help!

This week, we’re taking a closer look at LinkedIn.

What Is LinkedIn Advertising?

A healthcare marketer can leverage LinkedIn advertising in several ways to effectively reach their target audience and promote their healthcare products, services, or brand. Here are some strategies and tips:

Targeting Healthcare Professionals: LinkedIn allows precise targeting based on job titles, industries, and functions. Healthcare marketers can target specific healthcare professionals, such as doctors, nurses, pharmacists, administrators, and executives, based on their job titles or industry affiliations. This ensures that the ads are reaching the right audience.

Thought Leadership and Content Promotion: Healthcare marketers can use Sponsored Content and Sponsored InMail to share valuable content, such as articles, research papers, case studies, or educational materials related to their field. This positions the marketer as a thought leader and helps build credibility and trust with the audience. Promoting webinars, conferences, or speaking engagements can also be effective in establishing expertise.

Job Postings and Recruitment: Healthcare organizations often have specific talent acquisition needs. LinkedIn provides targeted options for promoting job openings and reaching qualified healthcare professionals who are actively seeking employment opportunities. Healthcare marketers can use Sponsored Job Ads to attract top talent to their organization.

Brand Awareness and Reputation Management: LinkedIn advertising can help healthcare marketers increase brand visibility and manage their online reputation. Display Ads and Dynamic Ads can be used to create visually appealing brand messages and reach a broad audience. Marketers can also target specific industries, organizations, or regions to raise awareness of their brand and build positive associations.

Industry Events and Conferences: Healthcare marketers can utilize LinkedIn advertising to promote industry events, conferences, or webinars. Sponsored Content, Sponsored InMail, and Display Ads can be used to drive registrations, highlight keynote speakers, and generate buzz around the event. Targeting options ensure that the ads reach professionals interested in the healthcare industry.

What Data Does LinkedIn Collect?

LinkedIn collects a variety of personal and technical data from its users, including:

  • Profile Data: LinkedIn collects information from user profiles, including job titles, industries, company affiliations, educational background, skills, and interests. This data is used to target ads to specific professional audiences based on their profile information.
  • Demographic Data: LinkedIn may collect demographic information such as age, gender, location, and language preferences. This data helps advertisers target specific demographics for their campaigns.
  • Engagement Data: LinkedIn tracks user engagement with ads, including impressions, clicks, likes, comments, and shares. This information helps advertisers assess the effectiveness and impact of their campaigns.
  • Website and Conversion Data: If advertisers use LinkedIn’s conversion tracking or retargeting features, LinkedIn collects data related to website visits, conversions, and actions taken by users on their website. This data helps measure the success of advertising campaigns in driving desired outcomes.
  • Ad Interaction Data: LinkedIn collects data on how users interact with ads, such as ad views, interactions, video views, and form fills. This information helps advertisers understand user behavior and optimize their ad creative and messaging.
  • Pixel Data: LinkedIn provides a tracking pixel called the Insight Tag that can be placed on advertiser websites. This pixel collects data on website visits, page views, and conversions, enabling better ad targeting and measurement.
  • Third-Party Data: LinkedIn may also use third-party data sources to supplement its own data and provide additional targeting capabilities. These sources may include data providers that offer insights on professional attributes, interests, or intent.

Remember – just because a targeting option is available does not mean that you should use it. In fact, taking advantage of the features that could make your campaigns more effective could be exactly what compromises your HIPAA compliance.

Is LinkedIn Advertising HIPAA-Compliant?

After the updated guidance from the Department of Health and Human Services was released, things haven’t exactly been black and white as far as whether or not this crosses a line, but from our perspective, it really depends on how you use the platform – specifically the Insight Tag. Conversion pixels can compromise HIPAA compliance in a few ways. 

  • First, they can collect PHI without the user’s knowledge or consent. This is because conversion pixels can track users across multiple websites, even if they are not logged in. 
  • Additionally, conversion pixels are often used to retarget users with display ads. This can be a serious violation, as it can expose sensitive content that individuals have been viewing about specific diseases, illnesses, or conditions.

While LinkedIn only keeps personal data collected from the Insight Tag for 180 days, a lot can be done with that data in that time. HHS is also very specific that disclosing protected health information (PHI) to a tracking vendor, or even giving the vendor the ability to access it, is an impermissible disclosure unless a business associate agreement or patient authorization is in place.

Pro Tip:

LinkedIn is somewhat unique in that healthcare marketers may be using the platform to reach a different audience than prospective patients. For example, if a healthcare marketer is using LinkedIn to reach HCPs (healthcare professionals) HIPAA may not even apply to those efforts.

That being said, there are also some tactics available in LinkedIn Advertising that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing, lookalike audiences and uploading target lists. It is also important to consider other tools that have access to your LinkedIn data, including optimization and data visualization software.

Risk Mitigation

As with most advertising platforms, there are steps that can be taken to mitigate risk and to protect your users’ data as much as possible. Some good rules of thumb are to limit conversion pixels as much as possible, consider a server-side tagging strategy, and to ensure that you are not using predatory tactics to reach people with a specific condition or disease.

As with anything HIPAA-related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible.

Pro Tip:

It’s important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Not sure how to get started?

Hedy & Hopp has already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. Give us a call – we’d love to help!

This week, we’re taking a closer look at YouTube – both the advertising side and embedding videos on a website.

What Is YouTube Advertising?

YouTube is a powerful tool that can be used for marketing in a variety of ways. It has over 2 billion active users, making it a great way to reach a large audience with your messages. You can target your YouTube ads to specific demographics, interests, and behaviors, ensuring that your messages reach the right people.

YouTube is a visual platform, so it’s a great way to create engaging content that will capture people’s attention. By creating high-quality, informative videos, you can build trust and credibility with potential patients. You can also use YouTube to drive traffic to your website by embedding your videos on your website or by linking to your website in your video descriptions.

Here are some specific ways that healthcare businesses can use YouTube for marketing:

  • Create educational videos to educate potential patients about your services or about health topics in general.
  • Share patient testimonials to show potential patients that your services are effective and that they can trust you.
  • Host Q&As to connect with potential patients and answer their questions about your services or where to find support.
  • Promote your YouTube channel on other channels to encourage new audiences to subscribe.

This type of advertising, outbound marketing, is often used alongside search ads on Google or Bing, a form of inbound marketing whose compliance we covered in previous posts.

Pro Tip:

YouTube does have specific guidelines around advertising in healthcare. Most notably, companies promoting pharmaceuticals & addiction services must be verified through LegitScript in order to advertise on YouTube’s platform.

What Data Does YouTube Advertising Collect?

Similar to Google Ads, YouTube relies heavily on the user being signed into their Google Account (which automatically becomes their YouTube account) in order to track behavior across a wide range of touchpoints. This means that YouTube collects the following data on its users:

  • Device information: This includes your device’s IP address, operating system, and browser type.
  • Search history: This includes the keywords you’ve searched for on YouTube and Google.
  • Ad interactions: This includes whether you’ve clicked on an ad, how long you’ve viewed an ad, and whether you’ve taken any other action after seeing an ad.
  • Location data: This includes your approximate location based on your IP address.
  • Session data: This includes your browsing and watch history while signed in, across Google properties and sites that carry Google’s tags.

Additionally, even just embedding a YouTube video on a website could be cause for concern, as the standard embed iframe loads resources from, and sets cookies for, DoubleClick, the advertising platform behind Google Ads. This means that users watching a YouTube video embedded on a third-party site could have that video’s contents tied to their Google profile, which could potentially reveal sensitive health information about that user. YouTube’s privacy-enhanced embed (the youtube-nocookie.com domain, chosen with the “Enable privacy-enhanced mode” checkbox when you generate the embed code) reduces this by not storing information about visitors unless they play the video, but it is a mitigation rather than an exemption: the iframe is still served by Google.

Is YouTube Advertising HIPAA-Compliant?

After the updated guidance from the Department of Health and Human Services was released, things haven’t exactly been black and white as far as whether or not this crosses a line, but from our perspective, YouTube advertising is certainly one that your team should think critically about, especially when you consider the long list of Google’s subprocessors, who could potentially have access to any and all data collected. This is especially true if you’re adding a Google tracking pixel to your website. 

Furthermore, there are also some tactics available in YouTube Advertising that aren’t unique to that platform but are never HIPAA-compliant, such as remarketing and lookalike audiences. It is also important to consider other tools that have access to your YouTube data, including optimization and data visualization software.

Risk Mitigation

As with most advertising platforms, there are steps that can be taken to mitigate risk and to protect your users’ data as much as possible. Some good rules of thumb are to limit conversion pixels as much as possible, consider a server-side tagging strategy, and to ensure that you are not using predatory tactics to reach people with a specific condition or disease.

As with anything HIPAA-related, compliance tends to lie on a spectrum of your risk tolerance as well as the steps you take to mitigate as much risk as possible.

