
HIPAA Guidance Series: Pixel Problems

Throughout our HIPAA Guidance series, we’ve been discussing the Department of Health and Human Services (HHS) guidance relating to the use of online marketing tracking technologies by HIPAA Covered Entities and its implications for healthcare digital marketing professionals. The topics we’ve covered so far – our overview, our insights on how to manage your analytics under the new guidance, and our recommendations for your MarTech stack – are pretty straightforward as we have several strong approaches to embracing the guidelines.

Things start to get a little messy as we dive into how to track the effectiveness of our digital advertising efforts.

Why You Should Track Ads

Before we explore why the guidance makes tracking digital advertising complicated, it’s worth reminding ourselves why we use the different tracking tools available to us.

For a start, you want to know what’s working, and not working, in your advertising portfolio. Digital advertising makes it easy to target different groups of people, deliver creative messaging, and test different campaigns to find what works best. It also makes it easy to learn how many people see an ad from a particular platform, how many people click on the ad, and what people do when they land on your website.

To understand what’s working, you don’t need your site to send data to the ad platform. By carefully using UTM codes, you can connect the dots between the view and click data that exists in the ad platform and the on-site activity tracking that exists in a HIPAA-compliant analytics solution.

This allows you to see which efforts are working best, and then optimize campaigns (sometimes using automated tools) to maximize click-throughs or minimize cost per click. You can even adjust campaigns for desired on-site activities (usually conversions), although this is a manual undertaking.

The challenge is that click-throughs aren’t what you really care about. You want to optimize for conversions, and you want to be able to do so at scale. That ability requires automated tools, and those tools need data from your sites. The more data, the better.

How Pixels Track Conversions

Facebook/Meta, Google, and other advertising platforms introduced the tracking pixel to monitor conversions. This code sits on the pages of your website and relays information about every site visitor and every page they visit to the ad platform. It also sends information when someone completes the conversion tasks, such as downloading a brochure or completing a form.

The pixel closes the loop for the ad platform. It knows who saw an ad, who clicked on it, and who converted, so it can use advanced algorithms to present the ad to people who are similar to those converting, thereby mining more conversions for every dollar invested.

And these pixels go further. They also monitor people who complete tasks without viewing or clicking on the ad. This gives the platform even more data on which to build target audiences for the desired ads.

There are additional benefits to this pixel-powered approach as well. For example, it allows for much more sophisticated marketing attribution for conversions. A user may see an ad several times before clicking on it and may come back to a site later to complete a conversion.

Pixels provide data to support the consumer journey and share with advertisers a complete picture of how their campaigns guide consumers towards interaction.

Of course, advertising platforms need to identify specific individuals who are taking these actions. Connecting conversions to a specific user allows them to use data from other sites with tracking pixels to build a profile of what a high-value marketing target looks like.

The Problem with Ad Tracking in Healthcare

Let’s say your organization wants to use Facebook’s suite of tools to optimize campaigns for on-site conversions. To do so, you need to send information that will identify visitors. At a minimum, you’ll need to pass along the ClickID, name, or email address.

This is where the Health and Human Services guidance makes it difficult. To comply with the guidance, there are a few options:

  • Hosting analytics yourself
  • Selecting a HIPAA-compliant cloud analytics solution that will sign a BAA
  • Anonymizing your analytics data before sending it to the analytics platform using a tool, such as Geonetric’s Privacy Filter

As we look at ad tracking:

  • You can’t host your own ad platform
  • There aren’t any ad tracking solutions (that I’m aware of) that will sign a BAA
  • You can’t anonymize the data without losing very valuable features of the platform.

So, we need something different in our toolkit. We need to flip the playbook.

Our Solution

Information needs a few characteristics to be considered PHI:

  • It’s individually identifiable
  • It tells us something about that individual’s health
  • It’s stored or transmitted electronically at some point in its lifecycle.

For the “anonymization” strategy that we talked about in our analytics post, we remove the individual identifiability element. For ad tracking, however, we need to remove the health information component.

This requires an approach similar to the approach used for analytics where information is intercepted between the browser and the ad tracking platform. However, the controls that are applied to the data are different. For instance:

  • We only send data when a conversion occurs, not for every visitor to the site on every page they interact with.
  • The data sent is the minimum necessary for the automated campaign optimization tools to work: typically a ClickID of some kind and which conversion occurred.
  • We also mask the actual conversion. Instead of sending something like “$99 heart screening,” we send a more generic phrase like “Conversion 123” which only the people in the organization recognize as a heart screening.
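The three controls above can be expressed as a small browser-side filter that sits between the site and the ad platform. The following is an added example written for this post; it is not Geonetric’s Privacy Filter and not any ad platform’s SDK. The function names, the “CONV-nnn” labels, the sample visit, and the decision to forward only the fbclid/gclid query parameters are assumptions made for illustration.

```javascript
// Added example: a "send less" filter for ad-platform conversion reporting.
// Not Geonetric's Privacy Filter and not any ad platform's code; names,
// labels and sample data below are assumptions for illustration.

// Control 3: conversion names are mapped to opaque labels. Only the
// organization knows that "CONV-123" means a heart screening sign-up.
const CONVERSION_LABELS = Object.freeze({
  "heart-screening-signup": "CONV-123",
  "brochure-download": "CONV-456",
});

// Click-ID query parameters that ad platforms append to landing-page URLs
// (fbclid for Meta, gclid for Google Ads). Forwarding only these, and
// nothing else about the visitor, is this example's assumption.
const CLICK_ID_PARAMS = ["fbclid", "gclid"];

// Capture the click ID from the landing-page URL so it is still available
// when the conversion happens several pages later. The URL itself,
// which may reveal a condition or service line, is deliberately not kept.
function captureClickId(landingUrl) {
  const params = new URL(landingUrl).searchParams;
  for (const name of CLICK_ID_PARAMS) {
    const value = params.get(name);
    if (value) return { param: name, value };
  }
  return null;
}

// Decide what, if anything, leaves the browser for one site event.
// Returns null for everything except a recognized conversion.
function buildAdPayload(event, clickId) {
  if (event.type !== "conversion") return null;        // control 1: conversions only
  const label = CONVERSION_LABELS[event.name];
  if (!label) return null;                              // unknown conversion: send nothing
  const payload = { conversion: label };                // control 3: masked label
  if (clickId) payload[clickId.param] = clickId.value;  // control 2: click ID only
  return payload;                                       // no URL, title, or form fields
}

// Run a whole visit through the filter and return only the payloads
// that would actually be sent to the ad platform.
function filterVisit(landingUrl, events) {
  const clickId = captureClickId(landingUrl);
  return events
    .map((event) => buildAdPayload(event, clickId))
    .filter((payload) => payload !== null);
}

// Constructed sample visit: health-related page views, a form containing
// an email address, then a single conversion. None of the page or form
// detail survives the filter.
const SAMPLE_LANDING =
  "https://example-health.test/cardiology/heart-screening?utm_source=meta&fbclid=ABC123";
const SAMPLE_EVENTS = [
  { type: "pageview", url: "https://example-health.test/cardiology/heart-screening" },
  { type: "pageview", url: "https://example-health.test/conditions/arrhythmia" },
  { type: "form", fields: { email: "pat@example.test" } },
  { type: "conversion", name: "heart-screening-signup" },
];

console.log(JSON.stringify(filterVisit(SAMPLE_LANDING, SAMPLE_EVENTS)));
// → [{"conversion":"CONV-123","fbclid":"ABC123"}]
```

The visit above produces exactly one outbound message, carrying the click identifier and an opaque label; the page URLs, the condition being browsed, and the email address entered in the form never reach the ad platform. A visit that arrives without any click ID still reports the masked conversion, which keeps attribution honest for organic traffic without adding any identifier of your own.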

Many healthcare organizations are comfortable with this approach. However, with a wide range of interpretations of the new guidance, not every organization is on board. We’re happy to hop on a call and talk with your team as well as your legal and compliance leadership about your options.

Learn More

I’m not a lawyer, and Geonetric is not a law firm. I’m sharing my insights and advice, but nothing that I share here should be considered legal advice.

Interpretations of the December HIPAA guidance vary widely, and there is no single agreed standard for compliance. Every organization should seek to establish its own understanding of what is and isn’t acceptable given HIPAA rules today and the likely redefinition and expansion of privacy laws inside and outside of healthcare in the future.

Ben Dillon

Chief Executive Officer
