View All Blog Posts

HIPAA & FTC 101 For Marketers

After Jenny’s two-part series on the new HHS bulletin and movement from the FTC from two experts, she is recapping and giving a broad overview emphasizing the most essential parts you need to know.

She discusses what compliance used to mean, what you could be doing unknowingly that is considered sharing data, and the reasoning around the fines levied at GoodRx and Better Health.

She digs into what shifts organizations can make to their analytics and marketing to become compliant but continue marketing campaigns to service prospective patients.

Finally, the episode wraps up by explaining the three-part program that Hedy & Hopp is using to help healthcare companies across the United States become more confident in their marketing and technical work with these shifting rules.

Interested in working with Hedy & Hopp on a privacy compliance program?

Book time with Jenny today.

Connect with Jenny on LinkedIn

Explore what Hedy and Hopp can do for you

Jenny: [00:00:00] Hi, friends. Welcome to today’s episode of We Are, Marketing Happy, a healthcare marketing podcast. 

I’m Jenny Bristow, and I’m the CEO of Hedy and Hopp, a healthcare marketing agency. We’re a full service agency, but we’re really nerdy and great at marketing and analytics. Our history as an agency has been always be really analytics focused, helping our clients be compliant. 

But as many of you know, the FTC and HIPAA goalposts have recently moved, and so we’ve done a two-part series – an attorney’s point of view and a marketer’s point of view on all of the recent shifts. 

So today I just wanted to do a quick 101. If you only have five minutes (let’s hope I can keep it to five minutes becuase I’m quite verbose) but if you only have five minutes to understand what’s going on and why people are so concerned right now, let this be the five minutes that can help educate you. 

So I’m gonna walk through a couple of things. First of all, let’s talk about what being [00:01:00] compliant used to mean. My agency has been around for almost eight years, and we’ve always been helping healthcare organizations become what at that point, was believed to be HIPAA compliant, following all of the rules and guidelines set forth with HIPAA.

What did that mean? Well, we worked with an attorney and they helped create guidelines, again, based off of the interpretation of what HIPAA was trying to say through the lens of digital marketing. Most of what internal legal teams were focused on were around the clinical settings, not so much around marketing. 

Many marketing teams we began working with eight years ago had never chatted with their internal legal teams about the things they were doing and how to be compliant. So some things that we began doing right off the bat and the things we’ve been doing with our clients up until now:

Number one – Not collecting or obfuscating the IP address whenever possible. So with Google Analytics, for example, turning it where it does not collect the IP address. 

Number two – [00:02:00] not doing super specific retargeting. If an organization wanted to do retargeting, let’s say for example, a local children’s hospital wanted to do it, you could do retargeting at a brand level, but not specific to the pages of the site that they visited.

So not specifically around pediatric cancer, pediatric eye care, etc. It’d have to be at that brand level. 

Our organization also made sure not to capture or touch PHI. Every team member goes through HIPAA training to be able to understand HIPAA as well as identify PHI as we’re doing marketing campaigns for our clients.

And then we also always avoided signing BAAs because again, if we purposefully touching or collecting PHI, our organization didn’t need to do that. 

So what has changed? Two things happened. We’re gonna break it into the FTC and then we’re gonna break it into the HIPAA side. 

So FTC is really going after those healthcare adjacent organizations, so not necessarily [00:03:00] organizations that have to comply with HIPAA, but organizations that are healthcare adjacent. 

With this tech boom, in the healthcare space, there are tons of companies popping up that are dealing with patients, yet are not covered entities. So FTC is specifically going after folks because they are selling data to third parties without consent.

Now, hard stop. 

Many organizations do not realize they are selling data to third parties. The way that this is being interpreted by the FTC is if a Meta pixel is on your website and you’re sharing your patient’s information or user’s information with Meta/Facebook in order to understand conversions for ads, that is consideration legally, that is considered selling the data in exchange for getting something in return, which is that conversion data.

So, they also believe that disclosing that you’re selling the data [00:04:00] to meta in exchange for conversion data, the average consumer would not agree to that. So you can’t slap it onto your new privacy policy saying that, hey, by the way, we’re giving your information to Meta thanks, hit okay. You can’t just add it on there and think that you’re going to be okay.

So that is what is behind both the BetterHealth and the GoodRx fines. So both of them, and you can go online and you can read all of the language. The FTC basically said, hey guys, you sold your customer’s information to Meta. 

And both GoodRx and Better Health said we believed we were following marketing best practices. Everybody does this. It was considered okay, but fine. We’ll pay a fine. 

I actually will second that. Everybody in the industry believed this was okay. So this is a, a goalpost that has been moved. and so it’s really helpful to understand the history behind that. So at this point, third party pixels of any kind should not be on a healthcare website. 

That could [00:05:00] include tools like Lucky Orange, or CrazyEgg or any user testing tools, any form tracking technologies, any advertiser pixels. None of those should be on your website as a result of these FTC fines. Now let’s talk about HIPAA. So OCR and HHS submitted a bulletin in December, not a new law, a bulletin, which is their interpretation of the law, and a little bit of clarification that did a couple of really important key things.

First, it defined an IP address as PHI. It was very vague before and many attorneys that I talked to said, well, if you wanna be conservative, let’s say an IP address is PHI. So that’s what we had always done. But the average marketer and what HIPAA had said before did not say the IP address was PHI.

What they also said is that even if you tell a tool not to collect an IP address, if it CAN collect an IP address, like if the tool has the [00:06:00] ability to do that, then you’re not compliant. So all of my marketer friends out there that are currently using Googled Analytics or Google Analytics along with Google Tag Manager and have it set up not to collect IP addresses, guess what?

You are not compliant with this new bulletin tin and you are consider having a data breach. 

Huge concerns. 99% of the marketers I know in the healthcare space are all using Google Analytics and Google Analytics is not compliant with this new bulletin. The other thing that they clarified is the importance of having a business associate agreement in place with any tech vendor that can see the IP address or device ID or any other individually identifying information, which again, is much more specific in this bulletin.

So Google’s never gonna sign a BAA. Meta is never gonna sign a BAA. And kind of to their credit, if they know that they can’t properly keep data safe with their tech stacks, then good for them, you know, for not just signing one or, [00:07:00] you know, rushing to create a new business unit to serve this. 

So, How can companies be compliant?

How can marketers in healthcare actually be successful with these new guidances from the FTC and with HIPAA? One more thing that I wanna point out is GDPR and state level privacy legislation. So GDPR in general is a European law does not apply to the United States, but the structure of GDPR is really similar to the state level legislation that we’re seeing in California and other states that are proactively pushing state level privacy legislation.

So a lot of our clients are choosing to go ahead and become GDPR compliant, and then just monitor state level legislation. You have to have a certain percentage of your traffic within a state when a state passes state level legislation before you have to be concerned about it. So, it exists and that’s another data and privacy concern. 

But again, we’re really gonna focus on FTC and HIPAA [00:08:00] when we’re talking about how to become compliant with these next couple of minutes. So you really have three options to become compliant. 

Number one – a new analytics tool. Get away from Google Analytics.

Work with an analytics tool that’s willing to sign a business associate agreement. It either can be self hosed. You host it yourself on your own server or they can host it, but again, you can capture IP address and continue to track your conversions as long as you have a BAA with that company that’s willing to make reassurances to you that they will keep that customer and patient data safe. 

So new analytics, platform. 

Number two – server side tag manager. So this is a great easy solution if you’re already having a lot of dashboards or downstream workflows that feed off of Google Analytics. A lot of folks had just invested a lot of money to move over GA4, so to move over to another tool, is just emotionally exhausting for a lot of us to think about. With the server side tag management[00:09:00] solution, you can actually set up Google Tag Manager as a server side solution, which is really great. However, again, you have to have the IT infrastructure internally to be able to manage that. Because that’s not something Google manages. You have to have that server and you have to have a BAA with that server company in order to make that happen.

Number three- you can do, I’ll describe it first, a cloud based tag manager/buffer. So the term they’re using is a CDP – a customer data platform. 

But it’s easier to imagine it as like, here’s your website, here’s Google Analytics, and it’s sort of like a little barrier that goes in between. So all the information you’re tracking on your website goes through this barrier, or CDP, and gets filtered and cleaned out, and you monitor and pull what data you don’t want to go into the analytics tools and then you can continue using Google Analytics. 

Again. This middle company will sign a BAA with you. It will really allow you to continue using a lot of your tech stack and continue tracking those [00:10:00] conversions. So, there’s a couple of different things. 

So we, Hedy & Hopp, we have actually partnered with an attorney, his name is Drew Westbrook.

He was on the episode two weeks ago where we were talking about his perspective on the shifts, and we’ve partnered with him to create this three part process where we do an audit, educate, and recommendations for our clients. 

So if you are stuck in a point where your tech team and your marketing team and your legal team are kind of fighting and your legal wants you to remove all your tags and marketing wants to keep doing their work, and you need to come up with a new analytics and marketing strategy, call us! 

We have become experts in this really quickly and have just immersed ourselves in all of the legalities and the technical solutions. We’re helping folks across the country with this. 

So it’s a three part solution. First audit, you look at every single thing you’re doing from an analytics, marketing and CRM database perspective. 

So where and how are you talking to prospective patients online? [00:11:00] Wherever that is, we’ll include it in our audit and we’ll flag all the areas of concern. 

Next is educate. On the educate side, we’re gonna tell you why those things are of concern, why you can’t do them anymore, or how we may need to change them.

And we’re also gonna Educate you about the legalities. We have a risk tier model that we’re using to help people kind of figure out where within that sliding scale they wanna be. Do they want a gold star from OCR or are they okay kind of being in the middle? Maybe they feel their organization isn’t really high risk so they’re okay being a little bit riskier in their setup and maybe using some current processes they’re using now without overhauling everything. 

Anyway, we work with them, figure out where they wanna be on that sliding scale, and then create a full recommendations deliverable that then walks through and says, here’s all of the things you need to change with your analytics. Here’s all the marketing tactics you either no longer can do, or how you can do them differently. Here’s how you can track your conversions. Using this new setup so you don’t lose that [00:12:00] information you need so desperately in order to do your job. 

We absolutely love this work, and are having so much fun because again, at Hedy and Hopp, we’re a full service marketing agency and our passion is improving patients access to care.

So it pained us watching all of these healthcare organizations have a knee-jerk reaction and just strip all of their analytics off of their website and stop all of their marketing. Because what that means is when that scared patient go to the to Google to be able to find a provider, they’re not gonna be able to find you.

And that for us is really a worst case scenario. So we’d love to be your partner to help make sure your marketing continue and that your legal team feels really comfortable with our recommendations and they understand why we believe they’re compliant, or they are compliant with all of the new and changing landscape.

And then bonus. If you work with us on this program, we will continue to educate you, and inform you as case [00:13:00] law is defined and as the goalposts continue to shift. 

Because again, this is not a once and done conversation, it’s gonna continue changing over the next couple of years. So all of our clients get that added benefit of our education and that existing relationship.

So again, give us a call if you’re struggling with this, we’d love to help you. Again, we’re Hedy & Hopp, a full service woman owned, independent agency. 

We hope to see you again on next week’s episode. Thanks.

Share

Categories

About the Author

Jenny Bristow is the CEO and Co-Founder of Hedy & Hopp. Prior to starting Hedy & Hopp, Jenny launched, grew and sold a digital agency in Seattle, Washington and worked at Amazon.com. She was named one of St. Louis Business Journal’s 30 under 30, won a Stevie Award for Female Entrepreneur of the Year in 2018 and speaks regularly at industry and local events.

More from this author
Next Blog Post

OCR’s HIPAA Bulletin - What it means for healthcare marketers (a marketer’s POV)

Is your team scrambling trying to figure out how to make your marketing analytics setup…