MARKETING & DIGITAL ENGAGEMENT

Shifting Patient Privacy Landscape Challenges Marketing Efforts

The constantly evolving landscape of patient privacy laws and regulations poses significant challenges to professionals interested in maximizing health care marketing opportunities while ensuring the safe handling and protection of patient data. Although there is no one-size-fits-all solution, understanding key concerns and developing detailed strategies to address current and anticipated privacy regulations will ensure that teams are building an effective, protected digital ecosystem.

“If you are in health care marketing, you have to be an expert in this,” says Jenny Bristow, Founder and CEO of Hedy & Hopp, a health care marketing agency based in St. Louis, during a session held at the SHSMD Connections Conference in October 2024.

While Bristow describes herself as a “reluctant privacy expert,” she stresses that addressing issues of patient privacy is essential, as is understanding how the changing tides of federal and state regulations affect the work of marketers.

“You need to talk to the legal and compliance teams within your organization, and [have an] understanding of what to ask them and what to be concerned about,” she notes. “A lot of the legal teams we’re talking to either don’t know what regulatory changes have happened, or don’t truly understand the different lenses that you need to be looking at the situation.”

In the past few years, major changes to patient privacy regulations have resulted in both innovation and chaos, according to Bristow. This will likely continue as new regulations and laws are developed, and technologies such as artificial intelligence continue to revolutionize the marketplace.

In December 2022, HIPAA requirements were upended by the release of a bulletin from the Department of Health and Human Services Office for Civil Rights (OCR), which redefined IP addresses and device IDs as Protected Health Information (PHI), even among non-patients.

“You could no longer use analytics tools out of the box,” Bristow explains. Furthermore, the bulletin created confusion regarding what exactly was still allowed.

“It was very gray about what we could and couldn’t do with IP addresses,” Bristow adds. “A lot of systems ended up stripping all tags from their sites, while others decided to ride it out and see what happened.”

In June 2024, a court vacated part of the OCR’s original ruling, stating that an IP address combined with health-related content was no longer considered PHI. However, in some ways the ruling only added to the confusion, allowing some health care organizations to falsely believe that they were safe to continue the use of analytics and pixel tracking software.

“If your legal team is saying they are not worried about privacy issues anymore because the ruling was vacated, you still need to be thinking about privacy,” Bristow says. “The issue is not going away.”

Concerned that organizations were selling data to companies such as Facebook, the Federal Trade Commission also got involved. They targeted the use of Meta Pixel tracking and levied significant fines against health care organizations they determined had shared unauthorized PHI from consumers. In total, 130 hospitals and telehealth providers received warnings from the FTC and OCR regarding what they considered the inappropriate use of online tracking technologies.

While 20 U.S. states have existing patient privacy laws, they vary considerably and often are at odds with federal regulations. This can result in even greater confusion for health systems that work with consumers in multiple states.

“It’s a patchwork right now because some states say that if you comply with HIPAA guidelines you can ignore state laws, but others say you need to comply with state regulations,” Bristow notes. “There is no blanket approach.”

While a national patient privacy law may eventually be passed, there is no timeline as to when such legislation would be enacted.

Further complicating the issue, law firms took notice of the confusion, leading to a spate of class action lawsuits being pitched to consumers who have done business with hospitals and other health care organizations.

So, how bad is the current situation regarding patient privacy, and what can health care organizations do to ensure they are abiding by current laws while keeping abreast of changes?

“The good news is all of this is fixable,” Bristow explains. “It can feel scary and overwhelming, but having the data and making a plan to fix it is all you have to do.”

The key to doing this, she says, involves five core steps:

  1. Conduct a thorough audit of all tools being used in your digital ecosystem. “This is a hard but good step and, in the audits we conduct, we typically find anywhere from 100 to 300 tools,” Bristow says.
  2. Clarify what patient and user information is being captured, where it is stored and who has access to it.
  3. Identify and address any areas of immediate concern related to patient privacy. This, according to Bristow, involves removing red-hot items such as Meta Pixel tracking that are being targeted by lawsuits. “Remove those items immediately,” she says. “You will go dark for some time—for most of our clients this period can mean four to six months of darkness from marketing analytics—but the reduction in the likelihood of a lawsuit is absolutely worth it.”
  4. Develop marketing initiatives to be successful while remaining HIPAA-compliant.
  5. Use developing technologies such as marketing automation and AI in ways that will ensure compliance.

Moving forward, Bristow says, there are three paths: “You can do nothing and hope for the best; you can switch analytics providers to companies such as FreshPaint or Matomo; or you can set up a server-side Google Tag Manager (sGTM) to filter out unwanted variables before your data hit Google Analytics 4.” Companies also have the opportunity to sign a Business Associate Agreement for their Google Cloud account, which provides additional protection for those working with PHI, she adds.

For Jenny Bradley, an executive with one of Hedy & Hopp’s clients, working with the marketing agency allowed her organization to clean up its digital engagement in a way that allowed for safely navigating conflicting regulations while strengthening a dedication to patient privacy. On Hedy & Hopp’s advice, Bradley’s company took multiple steps such as removing pixels from their website, evaluating options for safe marketing tracking and ultimately deciding to move forward with sGTM.

The new analytics setup has allowed staff members at Bradley’s company to feel confident that they are compliant while still being able to accurately measure campaigns, she notes. During the open enrollment period, the company saw the results of their 2023 paid media strategy, which resulted in a 51% increase in year-over-year actions on their website, a 25% increase in individual and family enrollment actions, and a 12% increase in Medicare Advantage apply actions.

Such success can be expected if organizations give due attention to the complicated, yet important, particulars of the PHI landscape. The key is to dedicate effort to addressing privacy concerns, and accept that setting your company up for a protected, successful future takes time.

“If you come to legal and compliance teams with a comprehensive audit, sorted by the tools you are most concerned about, your level of credibility is going to skyrocket,” Bristow notes. “Become a leader within your organization in how you want to address this.”