Patient Acquisition, HIPAA and Google Analytics: How Direct Response Marketing Can Address Digital Advertising Challenges


Digital advertising is not what it used to be, especially in the healthcare industry.

Over the past couple of years, the U.S. Department of Health and Human Services has strengthened regulations to protect patients’ Protected Health Information (PHI) and has reinforced these standards with the public through various communication channels.

Specifically, the federal Health Insurance Portability and Accountability Act (HIPAA) includes stronger standards to prevent the release of PHI given the state of technology-driven marketing techniques that utilize an individual’s private information. Additionally, the breadth of data available in Google Analytics, which marketers relied on for years to reach prospective audiences, has been reduced in an effort to protect the privacy of consumers.

The good news is that healthcare organizations still have many effective methods for patient acquisition and retention. By leveraging the power of direct response marketing, healthcare organizations can still reach individuals and families within their target audiences – and possibly experience a greater return on investment when compared with past efforts.

HIPAA Regulations, Google Analytics and Digital Tracking Technologies

Any regulated entity that has access to PHI must follow HIPAA laws. These entities include healthcare organizations, healthcare insurance providers and their business associates, among others.

Today, digital technologies, such as those for health-related apps, can create a “fingerprint” or digital ID of a person’s healthcare digital interactions. Tracking technologies – which are in the form of a script or code on a website or mobile app – expose sensitive information that some marketers had leveraged to achieve their objectives.

This fact led the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to release new guidance in December 2022 that limits access to and use of this digital information. The OCR then issued a bulletin in March 2024 to increase clarity for regulated entities and the public in relation to HIPAA obligations. 

Health-related apps on smart watches, phones and computers can provide many benefits, but Google and the U.S. Department of Health and Human Services Office for Civil Rights have reinforced policies to help prevent Protected Health Information (PHI) from being compromised. HIPAA rules generally do not protect the privacy of users who voluntarily download health-related apps that are not developed by regulated entities.

Highlights of this detailed guidance include the following:

  • Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors. Impermissible disclosures of PHI may result in identity theft, financial loss, discrimination, stigma, mental anguish or other serious negative consequences to the reputation, health or physical safety of the individual or to others identified in the individual’s PHI.
  • Regulated entities must ensure that they disclose PHI only as permitted or required by the HIPAA Privacy Rule.
  • The OCR acknowledges that insights via tracking technologies can be helpful for healthcare practices and other organizations that use it in an appropriate and legal manner, but these insights could also be used to promote misinformation, identity theft, stalking and harassment when used inappropriately.
  • Regulated entities may have user-authenticated webpages, which require a user to log in before they are able to access the page. Tracking technologies on a regulated entity’s user-authenticated webpages, such as user portals, generally have access to PHI, and tracking technology vendors are considered business associates in this case. Unauthenticated webpages, which do not require login credentials, generally do not have access to individuals’ PHI. Using tracking technologies on unauthenticated webpages is not strictly forbidden and can be helpful in certain situations; however, if such a page does have access to PHI because of an oversight, the same impermissible disclosures can occur.
  • The HIPAA rules do not protect the privacy and security of information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities. However, other laws may apply, such as those from the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR).

As described in a post on The HIPAA Journal site referencing the December 2022 OCR guidance, Google Analytics is not a regulated entity under HIPAA. It cannot be used by HIPAA-covered entities or business associates to track the activity of website visitors if any metrics collected include individually identifiable health information. 

To protect itself, Google has essentially asked users not to expose the platform to PHI. In fact, the Google Analytics support page states the following:

“Please remember that to protect user privacy, Google Analytics policies and terms mandate that no data be passed to Google that Google could recognize as personally identifiable information (PII), and no data you collect using Google Analytics may reveal any sensitive information about a user, or identify them.” 

According to the post, Google makes no representations that Google Analytics satisfies HIPAA requirements and does not offer Business Associate Agreements in connection with this service. The support page goes on to state that Google Analytics may only be used on pages that do not apply to HIPAA and that customers should not set Google Analytics tags on authenticated pages.
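The distinction above between authenticated and unauthenticated pages, together with Google's instruction not to place Analytics tags on authenticated pages, can be enforced in the page code rather than left to policy alone. The JavaScript below is an added example written for this post; it is not code from Phoenix Innovate, Google or The HIPAA Journal. The measurement ID is a placeholder, and the list of authenticated path prefixes, the `utm_` parameter allowlist and the `data-logged-in` attribute used to read login state are assumptions for illustration; a real site would derive them from its own routing and session handling.

```javascript
// Added example (not from the original post): load a Google Analytics tag
// only on unauthenticated pages, and send GA a page URL stripped of anything
// that could identify the visitor.

const GA_MEASUREMENT_ID = "G-XXXXXXXXXX"; // placeholder, not a real measurement ID

// Assumed path prefixes that require login or can carry PHI on this site.
const AUTHENTICATED_PREFIXES = ["/portal", "/patient", "/appointments", "/billing"];

// Assumed allowlist: the only query parameters forwarded to analytics.
// An allowlist is used instead of a blocklist so that an unexpected
// parameter (an email, a record number, a booking reference) is dropped by default.
const ALLOWED_PARAM_PATTERN = /^utm_/i;

// True when the path belongs to the authenticated area. "/portalx" must not
// match "/portal", so the check is on the exact prefix or prefix plus "/".
function isAuthenticatedPage(pathname, prefixes = AUTHENTICATED_PREFIXES) {
  const p = pathname.toLowerCase();
  return prefixes.some((prefix) => p === prefix || p.startsWith(prefix + "/"));
}

// The tag is kept off the page if either signal says the visitor is in a
// logged-in context: the route is authenticated, or the session is logged in.
function shouldLoadAnalytics({ pathname, userLoggedIn }) {
  return !userLoggedIn && !isAuthenticatedPage(pathname);
}

// Remove every query parameter not on the allowlist and drop the fragment,
// so the URL reported to GA cannot carry identifiers placed there by a form,
// an email link or a redirect.
function scrubPageLocation(urlString) {
  const url = new URL(urlString);
  for (const key of [...url.searchParams.keys()]) {
    if (!ALLOWED_PARAM_PATTERN.test(key)) url.searchParams.delete(key);
  }
  url.hash = "";
  return url.toString();
}

// Returns the gtag config for this page, or null when no tag should load.
// page_location is the GA4 config field that overrides the URL GA would
// otherwise read from the browser.
function analyticsConfigFor(currentUrl, userLoggedIn) {
  const { pathname } = new URL(currentUrl);
  if (!shouldLoadAnalytics({ pathname, userLoggedIn })) return null;
  return { page_location: scrubPageLocation(currentUrl) };
}

// Injects the gtag.js loader only when analyticsConfigFor allows it.
// `doc` is passed in so the function can be exercised outside a browser.
function installAnalyticsTag(doc, currentUrl, userLoggedIn) {
  const config = analyticsConfigFor(currentUrl, userLoggedIn);
  if (config === null) return false;

  const script = doc.createElement("script");
  script.async = true;
  script.src = `https://www.googletagmanager.com/gtag/js?id=${GA_MEASUREMENT_ID}`;
  doc.head.appendChild(script);

  const win = doc.defaultView;
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }
  gtag("js", new Date());
  gtag("config", GA_MEASUREMENT_ID, config);
  return true;
}

// Browser entry point. Login state is assumed to be exposed by the server as
// <body data-logged-in="true|false">; any other source of truth works the same way.
if (typeof document !== "undefined") {
  const loggedIn = document.body.dataset.loggedIn === "true";
  installAnalyticsTag(document, location.href, loggedIn);
}
```

Two design choices matter here. The gate uses both the route and the session state, because a logged-in user who lands on a public page is still an identified person and a public-looking route may be added to the portal later. The URL scrubber allowlists campaign parameters rather than blocklisting known identifiers, so a parameter nobody anticipated is dropped rather than forwarded.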

Direct response marketing can help healthcare practices acquire new patients and maintain relationships with existing patients while ensuring that confidentiality according to HIPAA rules is maintained.

Direct Response Marketing for Patient Acquisition and Retention

All of these factors combined have reduced the effectiveness of digital advertising strategies, particularly regarding paid ads and audience retargeting. Hence, the benefits of direct mail marketing become abundantly clear.

Direct response marketing has always been a powerful tool. However, given modern limitations in digital advertising in the healthcare space, direct response marketing is now becoming essential.

Direct mail allows you to reach a predetermined audience without having access to patients’ health information. With direct mail, homing in on a specific neighborhood near your healthcare practice may be all you need for patient acquisition and retention. In fact, many organizations have been able to reduce expenses and gain a higher return on investment by doing so.

By focusing on direct mail, organizations may also be able to save on digital advertising costs. While paid digital advertising can be very beneficial for many marketing campaigns, every detail can make or break a paid ad. With more stringent HIPAA policies in place along with fewer resources available on platforms like Google Analytics, obtaining data to make paid ads most effective is even more challenging. Businesses may try to overcome these challenges by blindly buying paid ads, but the trial-and-error approach to marketing can be very expensive and unreliable.

Direct response marketing, on the other hand, reaches key target audiences and can be eye-catching and personalized – all without the need for in-depth data.

Additionally, direct mail marketing may provide you with a higher return on investment when compared with email marketing or paid advertisements. According to the Direct Marketing Association, the average success rate for direct mail campaigns in 2023 was about 4.4 percent, whereas the average open rate for email marketing was 0.12 percent. The response rate for paid searches is about 1 percent, depending on the channel and the goals of the campaign. Paid advertisements and email marketing can be very beneficial for certain types of marketing campaigns, but their effectiveness depends on having data that might not be appropriate when marketing to patients. 

As consumers become increasingly inundated with digital communications, direct mail tends to stand out. In 2022, 33 percent of marketers sent weekly emails, and another 26 percent sent emails multiple times per month. On the other hand, the average U.S. household received only 361 pieces of direct mail in 2021. That means there is less competition and more opportunity for conversion.

Additional methods of marketing to patients – as well as other healthcare professionals with whom you would like to develop a professional relationship – include some of the most traditional, tried-and-true avenues.

  • In-person networking, such as at healthcare conferences.
  • Organic online marketing, such as on social media channels and your website, which can be very effective in raising awareness of your medical practice.
  • Being part of the community, such as by sponsoring a fundraising event, mentoring students, volunteering and participating in civic events, which also makes your brand more visible and allows you to build connections.

It’s clear that in today’s landscape, leveraging the power of traditional marketing techniques, including direct response marketing, can help healthcare organizations attract new patients and engage existing patients while avoiding potential HIPAA violations. 

As a HITRUST-certified marketing solutions provider, Phoenix Innovate places the utmost priority on securing clients’ data, while at the same time creating innovative ways to help clients meet their goals. Phoenix Innovate has had zero HIPAA violations in 12-plus years, and we are committed to maintaining that record. For more information, visit our website or email us at info@phoenixinnovate.com.

Mark M Gaskill
EVP of Marketing Solutions

John Holloway
Vice President – IT Infrastructure & Security
Phoenix Innovate