HIPAA & Healthcare Marketing: Privacy is a Digital Marketing Responsibility

Andy Kemp

For the second time in 2022, Facebook faces a lawsuit alleging that its Meta Pixel facilitated the sharing of sensitive patient information by U.S. hospitals, in violation of user privacy protections and HIPAA. Two cases were filed in the Northern District of California in June and July. In a privacy-forward industry, it is vital to highlight and explore the alternative methods that exist, and that come to light during inexcusable incidents like these, to protect healthcare and pharmaceutical organizations and, ultimately, the patient. Technology partners must remain compliant alongside the organizations they serve (i.e., hospitals and telehealth providers) through privacy-focused innovation in the space. It is up to the marketer, however, to ensure that this aligns with brand safety.

How does HIPAA apply to marketing?

All marketing and communication must be HIPAA compliant. Institutions such as hospitals and greater healthcare systems cannot legally share private information such as residential location, contact information, medical conditions, or prescriptions with any institution without their patients’ consent. This list from Loyola University outlines all 18 HIPAA identifiers. Any marketing using this information without explicit permission from a patient violates HIPAA laws.

What do HIPAA and consent look like for healthcare marketing?

HIPAA marketing rules are relatively simple. No information a patient provides to a doctor, hospital, or other health entity should be used to market to them directly. While some patient portals or telehealth programs may market directly to their own patients and customers for yearly visits or follow-ups, third-party providers should steer clear of this data. Instead, marketers can utilize vendors and websites such as WebMD. In these instances, marketers should observe the explicit terms of service laid out during registration.

🚦Case Study: How Did Meta Violate HIPAA?

Websites can install the Meta pixel to collect information regarding a user’s online behavior across websites and social media. This code tracks activity and information a user inputs across the web. According to The Verge, 33% of all major hospitals in the United States currently use the Meta pixel. Seven of these hospitals allegedly installed this pixel on password-protected portions of their sites, giving Meta (formerly known as Facebook) private information that the social media platform then used to target users based on information (such as specific ailments) that HIPAA protects. The lawsuit named both Meta and the violating hospitals.
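The case study above turns on a simple technical fact: a tracking pixel is a script tag, and a script tag placed on a logged-in portal page sends that page’s context to a third party. A hospital web team can catch this before a lawsuit does by auditing its own templates. The following Python audit is an added example, not code from the original article or from KORTX. It scans a set of pages for pixel indicators and raises the severity when the page lives under an authenticated route. The sample pages, the hostname-free paths, and the `/portal/` and `/appointments/` prefixes are constructed for illustration; the `connect.facebook.net` script host and the `fbq()` call are assumed from Meta’s public pixel snippet.

```python
"""Audit HTML pages for third-party tracking pixels on authenticated routes.

Added example (not from the original article or from KORTX). The sample
pages and the login-protected path prefixes are constructed; the pixel
script host and the fbq() global are assumed from Meta's public snippet.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path prefixes that sit behind a login on the constructed sample site.
AUTHENTICATED_PREFIXES = ("/portal/", "/appointments/")

# Script host loaded by the Meta Pixel snippet (assumed from Meta's public
# documentation) and the global function the snippet defines.
PIXEL_SCRIPT_HOSTS = {"connect.facebook.net"}
PIXEL_CALL_PATTERN = re.compile(r"\bfbq\s*\(\s*['\"](init|track)['\"]")


class ScriptCollector(HTMLParser):
    """Collect external <script src=...> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []       # src attributes of external scripts
        self.inline = []         # text of inline script blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_pixel_indicators(html):
    """Return the reasons a page appears to load a tracking pixel (empty if none)."""
    parser = ScriptCollector()
    parser.feed(html)
    reasons = []
    for src in parser.external:
        host = urlparse(src).netloc.lower()
        if host in PIXEL_SCRIPT_HOSTS:
            reasons.append(f"external script from {host}")
    for body in parser.inline:
        if PIXEL_CALL_PATTERN.search(body):
            reasons.append("inline fbq() call")
    return reasons


def is_authenticated_path(path):
    """True when the path sits behind a login on the constructed site."""
    return path.startswith(AUTHENTICATED_PREFIXES)


def audit_pages(pages):
    """pages: dict of URL path -> HTML. Returns one finding per page that
    loads a pixel; severity is 'high' behind a login, 'review' elsewhere."""
    findings = []
    for path, html in pages.items():
        reasons = find_pixel_indicators(html)
        if not reasons:
            continue
        severity = "high" if is_authenticated_path(path) else "review"
        findings.append({"path": path, "severity": severity, "reasons": reasons})
    return findings


# Constructed sample pages for a fictional hospital site; the pixel ID is a placeholder.
SAMPLE_PAGES = {
    "/": "<html><head><script src='https://connect.facebook.net/en_US/fbevents.js'>"
         "</script></head><body>Welcome</body></html>",
    "/portal/results": "<html><head><script>fbq('init', '000000000000000');"
                       "fbq('track', 'PageView');</script></head>"
                       "<body>Lab results</body></html>",
    "/about": "<html><head><script src='/static/app.js'></script></head>"
              "<body>About us</body></html>",
}

if __name__ == "__main__":
    for finding in audit_pages(SAMPLE_PAGES):
        print(f"{finding['severity']:6} {finding['path']}: {', '.join(finding['reasons'])}")
```

Run against the constructed pages, the audit flags the public home page for review and the portal results page as high severity, while the plain about page passes. The same pattern extends to any tag manager or analytics host: add the host to `PIXEL_SCRIPT_HOSTS`, and keep the authenticated prefixes in step with the site’s actual login boundary.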

Healthcare Privacy & the Future of Marketing Technology: Who is responsible?

Today, the marketing industry continues to test non-ailment-based, cookie-less solutions. Over the past decade, healthcare marketers have experimented with solutions in advance of Google’s timeline to deprecate third-party cookies. As marketing technology evolves alongside a digital transformation in the healthcare space, a focus on HIPAA-compliant practices will continue to become increasingly important.

Marketing for this sector requires clear guardrails around this information, ensuring patient privacy while aiming for performance. Ultimately, the product owner (Meta) and the website owner/marketing entity are responsible for meeting HIPAA standards. Technology partners’ responsibility is to remain compliant with these organizations through innovation in industries such as telehealth and beyond.

💬 Who is responsible for healthcare data marketing? 💬

“The reality is that marketers, agencies, and those purchasing services from vendors who collect First-Party data from users cannot rely on these companies to be HIPAA-compliant. Instead, we should focus on marketing tactics that do not rely on this data, safeguarding against costly lawsuits that can damage brand trust and safety.”

-Corey Rice, Director of Strategy, KORTX

Once opted into patient portals and telehealth platforms, most end-user patients lack an understanding of who has access to their data and how their private details can be used to target them. In a category that spent $1.18 billion last year alone, the current Meta challenges expose an incredible opportunity for independent ad tech companies and marketers to find privacy-friendly solutions that do not risk patient privacy or any breach of trust while still providing high-performing campaigns.

US Healthcare and Pharma Industry Digital Ad Spending, 2020-2024

Protecting Your Brand and Agency: HIPAA Violation & Consequences

Any marketing agency handling data with patient and healthcare privacy compliance concerns should be diligent in finding solutions that generate outcomes and protect a client’s brand and reputation.

To avoid consequences, marketing agencies with patient and privacy experience must consider privacy compliance their north star moving forward in a regulatory-driven industry. The two main implications of violating HIPAA (knowingly or unknowingly) are hefty fees and fines, and damage to brand reputation.

User Privacy and Brand Safety in Healthcare

Users who feel that a healthcare system or provider does not value their privacy are likely to move to another hospital. Healthcare details are profoundly personal, and customers are unlikely to consent to sharing this information. When HIPAA violations occur, all too commonly, most coverage focuses on the user privacy and sensitive data that was shared or used in a non-compliant manner.

However, the creative approval process is just as necessary regarding the perceived patient benefits of the product or service and the specific legal requirements. While users may or may not be fully aware of how or where their data is collected, a perceived privacy violation or slight can be just as damaging for a brand or specific product. A marketing campaign’s responsibility is to educate end-user patients and make them accurately aware of proven benefits. The goal is to create campaigns that perform and reach an intended audience without creating privacy consent concerns, no matter the technicality of the law.

HIPAA compliance and marketing should not be considered opposites. Healthcare and pharmaceutical consumers clearly understand and are interested in keeping their data private. Contextual advertising is a much more customer-friendly tactic as it feels less intrusive and provides a better avenue for brand-safe marketing.

🩺 Case Study: HIPAA-Compliant Audience Discovery & Targeting

Check out how KORTX created a comprehensive digital strategy that reached potential product users while remaining compliant with healthcare marketing guidelines and HIPAA, surpassing industry benchmarks by 2.5X.

HIPAA-Compliant Healthcare Marketing Solutions

Consistent methodologies that avoid any chance for patient privacy violations within categories (like healthcare) are the answer to marketing in a HIPAA-compliant manner—respecting patients’ privacy benefits both the marketing entity and the end user. Cookie-less targeting, article-based context, page-level Metadata, and modeled script segments exist as clear solutions for privacy-informed marketing. Being HIPAA compliant is step one.

💬 Brand Safety & Healthcare Marketing 💬

“Legal consent does not always mean that a patient is explicitly comfortable sharing this information. There is a difference between marketing to patients legally and ethically. KORTX believes you can achieve the same performance goals without risking brand safety.”

-Chris Rowell, Co-Founder & Managing Partner, KORTX

In search of a marketing solution from a team with patient privacy experience?
To learn more about our KORTX advanced healthcare solutions, HIPAA-compliant targeting methodology, and ISI creative approval process, contact us today.

About the Author

Andy Kemp is a Managing Partner at KORTX. He has been with the organization for six years servicing key clients within priority verticals.

