Is Your Healthcare Marketing Tracking HIPAA Compliant?

The CMO's Guide to iOS 17 and Paid Media Measurement

Tracking on Paid Social Media Channels: Meta Pixel and HIPAA Violations

Social media giant Meta has been making headlines recently with accusations that their pixel violates HIPAA. In response to the lawsuits, Meta claimed that the hospitals that use the tool are the liable parties, not the platform. 

As a full-service paid media agency, we have heard many advertisers ask the critical question: “Can I use tracking pixels safely in healthcare advertising?” The answer is yes!

The CMO's Guide to iOS 17 and Paid Media Measurement

Can Advertisers Safely Use Pixels in Healthcare Marketing?

If you work in healthcare advertising or run paid media campaigns for health systems, don’t panic! There are ways to use the pixel for campaign data without collecting personal health information (PHI). 

As of August 2023, The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS)’s bulletin for the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates was last updated December 2022. Based on their guidance, here are 3 takeaways to consider when developing your media strategy and media measurement tactics.

As of August 2023, The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS)’s bulletin for the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates was last updated December 2022. Based on their guidance, here are 3 takeaways to consider when developing your media strategy and media measurement tactics.

1. Avoid tracking technologies on user-authenticated webpages, such as patient portals, where users login to access their health information. For example, a study by Markup found that 7 hospitals installed the Meta Pixel inside their password-protected patient portals, a practice not recommended by HHS.

A HIPAA compliant media agency will help health systems such as these hospitals navigate privacy-centric measurement. It’s possible to gain valuable campaign data while honoring privacy laws.

2. If incorporating tracking on user-authenticated webpages, the technologies must comply with the HIPAA Privacy Rule. Healthcare entities must also ensure electronic protected health information (ePHI) complies with the HIPAA Security Rule

Avoid costly HIPAA violations and maximize performance with a media agency who’s familiar with the healthcare vertical. They should have an understanding of both the Privacy and Security Rules.

3. Remain mindful of data collection on unauthenticated webpages even though they do not generally have access to individuals’ PHI. These pages may include information like location, services provided, or policies and procedures. Any unauthenticated webpages that allow users to schedule an appointment or create an account for an authenticated user portal, however, might collect PHI in which case HIPAA rules apply. For example, the Markup study found that 33 of Newsweek’s top 100 hospitals were sending sensitive data to Facebook via appointment request forms, not specific to a patient portal.

We recommend consulting with your media partner before having your IT or marketing team place pixels on any page of your website, whether user-authenticated or unauthenticated.

Using Pixels in Your Healthcare Paid Media Campaigns

It is possible to use tracking pixels in healthcare advertising, but it requires knowledge of and adherence to HHS/OCR guidelines. 

While Meta reports that they have a sensitive health information detection system in place, we recommend that only as an added layer of protection, not a dependency. According to Meta, if their signals filtering mechanism detects potentially sensitive health-related data, the tool will prevent it from being ingested into the ads ranking and optimization systems. 

Additionally, the latest and more advanced solutions that lie within Google Tag Manager and the Google Cloud Platform allow you to purge any personal identifiable information (PII) from event data before it goes to an ad tech vendor. This requires coding knowledge, so be sure to talk to a Marketing Developer to learn about how.

Alternative Tracking Methods for Healthcare Advertising

If your infrastructure or policies can not support pixels safely and compliantly, there are other ways to track campaign activity. 

Talk with your media planners and data strategists who can recommend alternative tracking methods that better meet your needs, dependent on your paid media mix. It may also make sense to have varied tracking methods dependent on the campaigns you are seeking to launch.

Overall, it’s important to make sure you work with an agency with a long history in healthcare advertising best practices to minimize risk and maximize outcomes. 

Take the guesswork out of healthcare marketing: If you need an audit of your current paid media, contact us today. Our work with health systems always begins with an assessment of your media interests, goals, and infrastructure. And if you like our content, sign up for our newsletter for more!

Tracking on Paid Social Media Channels: Meta Pixel and HIPAA Violations

Social media giant Meta has been making headlines recently with accusations that their pixel violates HIPAA. In response to the lawsuits, Meta claimed that the hospitals that use the tool are the liable parties, not the platform. 

As a full-service paid media agency, we have heard many advertisers ask the critical question: “Can I use tracking pixels safely in healthcare advertising?” The answer is yes!

Can Advertisers Safely Use Pixels in Healthcare Marketing?

If you work in healthcare advertising or run paid media campaigns for health systems, don’t panic! There are ways to use the pixel for campaign data without collecting personal health information (PHI). 

As of August 2023, The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS)’s bulletin for the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates was last updated December 2022. Based on their guidance, here are 3 takeaways to consider when developing your media strategy and media measurement tactics.

1. Avoid tracking technologies on user-authenticated webpages, such as patient portals, where users login to access their health information. For example, a study by Markup found that 7 hospitals installed the Meta Pixel inside their password-protected patient portals, a practice not recommended by HHS.

A HIPAA compliant media agency will help health systems such as these hospitals navigate privacy-centric measurement. It’s possible to gain valuable campaign data while honoring privacy laws.

2. If incorporating tracking on user-authenticated webpages, the technologies must comply with the HIPAA Privacy Rule. Healthcare entities must also ensure electronic protected health information (ePHI) complies with the HIPAA Security Rule

Avoid costly HIPAA violations and maximize performance with a media agency who’s familiar with the healthcare vertical. They should have an understanding of both the Privacy and Security Rules.

3. Remain mindful of data collection on unauthenticated webpages even though they do not generally have access to individuals’ PHI. These pages may include information like location, services provided, or policies and procedures. Any unauthenticated webpages that allow users to schedule an appointment or create an account for an authenticated user portal, however, might collect PHI in which case HIPAA rules apply. For example, the Markup study found that 33 of Newsweek’s top 100 hospitals were sending sensitive data to Facebook via appointment request forms, not specific to a patient portal.

We recommend consulting with your media partner before having your IT or marketing team place pixels on any page of your website, whether user-authenticated or unauthenticated.

Using Pixels in Your Healthcare Paid Media Campaigns

It is possible to use tracking pixels in healthcare advertising, but it requires knowledge of and adherence to HHS/OCR guidelines. 

While Meta reports that they have a sensitive health information detection system in place, we recommend that only as an added layer of protection, not a dependency. According to Meta, if their signals filtering mechanism detects potentially sensitive health-related data, the tool will prevent it from being ingested into the ads ranking and optimization systems. 

Additionally, the latest and more advanced solutions that lie within Google Tag Manager and the Google Cloud Platform allow you to purge any personal identifiable information (PII) from event data before it goes to an ad tech vendor. This requires coding knowledge, so be sure to talk to a Marketing Developer to learn about how.

Alternative Tracking Methods for Healthcare Advertising

If your infrastructure or policies can not support pixels safely and compliantly, there are other ways to track campaign activity. 

Talk with your media planners and data strategists who can recommend alternative tracking methods that better meet your needs, dependent on your paid media mix. It may also make sense to have varied tracking methods dependent on the campaigns you are seeking to launch.

Overall, it’s important to make sure you work with an agency with a long history in healthcare advertising best practices to minimize risk and maximize outcomes. 

Take the guesswork out of healthcare marketing: If you need an audit of your current paid media, contact us today. Our work with health systems always begins with an assessment of your media interests, goals, and infrastructure. And if you like our content, sign up for our newsletter for more!

Ready to lead your industry with the latest media insights?

Sign up for our monthly Media Minute newsletter for hard-hitting, data-driven media buying content.

Top Insights

Want the latest insights delivered to you?

Sign up for our newsletter. 

Untitled
This field is for validation purposes and should be left unchanged.