Digital Tracking Technologies and HIPAA Regulations

Marketing Changes in the Face of New Privacy Laws

The Health Insurance Portability and Accountability Act (HIPAA) has been in place to protect patients since 1996, but technology and personal data access has expanded exponentially since then. Today, digital tracking technologies and other online communications can create a “fingerprint” or digital ID of a person’s healthcare digital interactions, which expose sensitive information that has allowed some marketers to leverage this private data to achieve their objectives. 

This fact has led the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to release new guidance regarding access to patients’ Protected Health Information (PHI) in December 2022 that now includes limiting the access and use of this digital information. 

Because of the change to what is now considered PHI, the channels that healthcare marketers and their partners use to find, engage and acquire new patients are changing.

Regulations Regarding Digital Tracking Technologies Impact Business Associates

Any entity that has access to PHI must protect it, and HIPAA includes detailed national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Patients, healthcare providers and healthcare providers’ business associates, such as marketing companies, are typically well aware of these policies.

What’s new, however, has been the need for the OCR to reinforce PHI guidelines in the face of online tracking technologies. In addition to many others, these sources include online searches and information obtained from health-related apps, such as those on smartphones and watches.

The OCR, which administers and enforces HIPAA rules, states: “Tracking technologies are used to collect and analyze information about how users interact with regulated entities’ websites or mobile applications (‘apps’). For example, a regulated entity may engage a technology vendor to perform such an analysis as part of the regulated entity’s healthcare operations. The HIPAA rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes protected health information (PHI).

“Some regulated entities may share sensitive information with online tracking technology vendors and such sharing may be unauthorized disclosures of PHI with such vendors. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA rules. 

“For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.”

A healthcare practitioner uses an electronic device while speaking with a patient.
Healthcare practitioners, insurance companies and business associates (such as marketing providers) that have electronic access to patients’ PHI must ensure that the information remains secure. 

Highlights of the rules include the following:

  • All individually identifiable health information that an individual provides while using a regulated entity’s website or mobile app generally is PHI.
  • Entities that have access to PHI must configure user-authenticated web pages (which require logins, such as patient portals) to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule. They also must ensure that the electronic PHI collected through its website is protected and secured in accordance with the HIPAA Security Rule.
  • HIPAA rules apply if tracking technologies on unauthenticated web pages (which do not require logins) have access to PHI.
  • HIPAA rules do not protect the privacy and security of information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities.

Because of these enhanced PHI rules, marketing companies can no longer rely on some of the traditional methods of obtaining some forms of data. However, there are still many options for healthcare providers and insurance companies that are hoping to grow awareness of their brands and increase their return on investment.

Digital Advertising vs. Direct Mail while Protecting PHI 

HIPPA regulations that limit online data collection impact marketing efforts to find, engage and acquire new patients, but healthcare-based organizations have many avenues to reach their current and prospective audiences.

Although some digital marketing techniques are no longer available for marketing considering the OCR’s guidance, digital marketing remains a smart option in many ways. Additionally, direct mail enhances and complements these marketing efforts while eliminating many of these online privacy concerns.

Digital Advertising and HIPAA Regulations

Using digital advertising for patient acquisition offers several significant benefits, although marketers must ensure that they are complying with privacy laws along the way.

Traditionally, some of the most notable benefits of digital advertising in the healthcare space include: 

  • Having a wide reach
  • Targeting the audience
  • Personalizing ads
  • Utilizing a cost-effective advertising method
  • Being able to measure results and A/B test campaign results
  • The ability to include interactive content
  • Remarketing (marketing again to users who have shown some interest in the past)
  • The speed
  • Offering educational content

Under the new laws, being able to target the audience, personalize ads, remarket to prospects and measure and test the campaigns may become challenging. 

The rest of the options, however, remain viable and beneficial. Notably, organic marketing (as opposed to digital advertising) with educational content and interactive content can still make healthcare organizations stand out as leaders in the industry, although organic marketing is more of a long-term marketing strategy than a solution for quick results.

And that’s where direct marketing comes in, offering the best of both worlds.

A person takes mail out of a residential mailbox.
Direct mail can be an outstanding alternate for or complement to digital advertising strategies, especially considering the fact that HIPAA rules limit how electronic PHI can be obtained and handled.

Direct Mail Solutions

In order to increase the speed of your investment results and also avoid PHI issues, direct mail remains a viable solution. While digital marketing can still be very effective, direct mail is an important channel in the healthcare arena, now more than ever.

Direct mail can be a beneficial marketing strategy for several reasons.

  1. Direct mail allows you to reach a specific audience without having access to PHI.
  2. It can be personalized enough to catch recipients’ attention, yet not so personalized that it would violate their privacy.
  3. Direct mail can be designed to comply with relevant healthcare regulations.
  4. You can still offer educational content like you can on a website.
  5. Your call-to-action may drive conversions, or at least send people to your website to increase its organic traffic.
  6. You can decide how much you are spending because your dollars would be targeted for a specific demographic or region. You won’t have to worry about advertising to people who are not interested in your service, which is often the case with digital advertising.

Direct Mail Remains an Important Channel in the Insurance and Healthcare Arena 

At Phoenix Innovate (PI), we customize transformative and sustainable solutions to meet our clients’ goals, and security is a top priority. PI provides a multi-channel approach for marketing solutions that help healthcare providers and insurance companies grow awareness of their brands and improve their ROI. 

Our comprehensive solutions include direct marketing, digital marketing, distributed marketing, innovative technology solutions and more, depending on clients’ specific needs. To date, we have ZERO HIPAA violations and are one of very few marketing solutions providers with HITRUST certification.

In other words, we care about protecting PHI as much as you do, and we are ready to help you meet your goals.

Contact us to learn more about our marketing solutions! 

Read our posts to learn more about HIPAA, HITRUST and PHI:

John Holloway
John Holloway

Vice President – IT Infrastructure & Security

Phoenix Innovate

LinkedIn logo
Mark M Gaskill
Mark M Gaskill

EVP of Marketing Solutions

LinkedIn logo