Healthcare marketers face compliance challenges in securing protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) while still using marketing technologies effectively. This interview highlights the shift that has occurred in healthcare teams, particularly those responsible for managing healthcare organization websites. These teams are now tasked with considering the potential risks associated with visitors to their sites accessing specific information, such as pregnancy services, which could lead to regulatory issues.
The initial chaos and disbelief that occurred when these compliance challenges were first introduced has since evolved into a better understanding of the requirements. Over the course of 10 to 12 months, healthcare teams have had the opportunity to engage in conversations and gain a clearer understanding of the necessary changes.
One of the major mindset shifts is the realization that compliance is not solely concerned with logged-in patients or visitors. It also extends to anonymous visitors to healthcare websites or users of healthcare products. This broadens the scope of compliance efforts and necessitates a comprehensive approach to protecting PHI.
The podcast transcript suggests that organizations should begin by conducting an audit of their websites, including all pages and subdomains. This audit should identify all web trackers and tools that are integrated into the website. The next step is to determine which of these tools have the legal framework in place to handle PHI. These tools may include data warehouses, customer relationship management (CRM) systems, and personalization tools with which the organization has a business associate agreement (BAA).
However, there are also tools within the marketing stack that do not have a BAA or the necessary legal framework to handle PHI. These tools may include various components of the Google suite, such as Google Analytics, direct response ads, programmatic advertising, and even tools like video and Google Fonts. Organizations must address these tools and bring their use into compliance if they want to keep using them safely.
To maintain compliance while still leveraging these tools, organizations should involve their legal and compliance teams, as well as IT. An audit should be conducted to determine which web trackers and tools pose potential risks. This audit will help identify tools that do not handle PHI and tools that require a BAA or legal framework. It is important to have up-to-date BAAs in place for tools that handle PHI.
The interview emphasizes the need for a step-by-step approach to compliance. It is not a one-time fix, but rather an ongoing process of evaluating and addressing potential risks. Some web trackers may not be a concern if they are not on pages where PHI is present. However, for tools that do handle PHI, it is crucial to determine whether it is acceptable to share PHI with them. For tools that do not have the necessary legal framework in place, organizations must consider alternatives or find ways to replace them.
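The inventory step of the audit described above can be scripted. The following is an added example, not code from the interview or from any vendor: it lists the third-party hosts each page loads and flags those without a BAA on pages treated as sensitive. The `example.org` pages, the CRM hostname, the BAA list and the `/services/` prefix are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose src/href makes the visitor's browser contact another host.
LOADING_TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ResourceParser(HTMLParser):
    """Collects the URLs a page loads through the tags above."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = LOADING_TAGS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.urls.append(value)

def audit(pages, first_party, baa_hosts, phi_prefixes):
    """Return sorted (page_url, third_party_host, status) findings."""
    findings = set()
    for page_url, html in pages.items():
        parser = ResourceParser()
        parser.feed(html)
        sensitive = urlparse(page_url).path.startswith(tuple(phi_prefixes))
        for raw in parser.urls:
            host = urlparse(urljoin(page_url, raw)).hostname or ""
            if not host or host == first_party or host.endswith("." + first_party):
                continue  # first party, including subdomains; also skips data: URIs
            status = ("baa-on-file" if host in baa_hosts else
                      "no-baa-on-sensitive-page" if sensitive else "no-baa")
            findings.add((page_url, host, status))
    return sorted(findings)

# Constructed sample input: pages, vendor hostname and BAA list are assumptions.
PAGES = {
    "https://www.example.org/": (
        '<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Inter">'
        '<img src="/logo.png">'),
    "https://www.example.org/services/pregnancy": (
        '<script src="https://www.google-analytics.com/analytics.js"></script>'
        '<script src="https://cdn.crm-vendor.example/embed.js"></script>'
        '<script src="https://portal.example.org/app.js"></script>'),
}
BAA_HOSTS = {"cdn.crm-vendor.example"}  # hypothetical vendor with a signed BAA

def run_sample():
    return audit(PAGES, "example.org", BAA_HOSTS, ["/services/"])
```

Static HTML only shows tags present in the page source; trackers injected at runtime by a tag manager or another script need a browser-based capture of network requests to appear in the inventory.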
Healthcare marketers face compliance challenges when it comes to protecting patient health information. By conducting an audit, involving legal and compliance teams, and assessing the legal framework of their marketing stack, organizations can create a HIPAA-compliant environment that safeguards PHI while still allowing for effective marketing strategies. It is essential to prioritize privacy and data protection while leveraging marketing technologies to deliver personalized and engaging experiences to patients and consumers.