In December 2022, the U.S. Department of Health & Human Services issued a new bulletin1 that will fundamentally change digital health advertising. The new guidance specifically calls out the use of online tracking technologies, such as cookies and pixels, as it relates to HIPAA, and how personal health data can be shared and used with technology vendors. Regulated covered entities (CE) under HIPAA, like healthcare providers and health plans, often work with tech vendors that collect a user’s personal data via pixels or cookies. This kind of tracking data can provide valuable analytics about patients and their online behaviors and preferences. If that data is collected via a CE’s digital property it is now considered to be protected health information (PHI), and it could be in violation of HIPAA according to this new bulletin. While sensitive health data has always been covered, this notice broadens the potential definition of what PHI might mean. For instance, if a person is browsing maternity care providers in their area, even if she is not viewing her own medical records, this could be considered PHI. In the U.S., different states also diverge when it comes to what counts as sensitive health information, and what information can be pieced together to create sensitive health information. This will require far more than the simplified opt-in banners that have become prevalent in the age of GDPR, as providers will need to get more explicit consents to share this kind of information with third parties. While the industry awaits more guidance on what qualifies as PHI, health brand marketers should start to reassess their data strategies by:
- Audit Trackers on Your Website. A potential HIPAA violation occurs on the first transmission of PHI, so ensuring any potential sensitive data under these new guidelines is encrypted before it goes to a third-party vendor will be essential.
- Connect With Technology and Data Vendors. Technology partners should have healthcare-specific data practices and be moving to address this new guidance. Some consent management providers have created prior opt-in health data tools, including ones with features to collect opt-in consent for use of sensitive and non-sensitive first-party data and/or PHI such as OneTrust and WireWheel.
- Review and Update your Disclosures to Consumers. A CE should be very clear in their privacy disclosures to consumers on their digital properties regarding the types of data, the purposes for which data is being collected, and the parties with which they may share/sell data. Additionally, some states now or will soon require opt-in consent for sensitive health data.
- Move to Context Over Cookies. As the entire advertising industry grapples with the depreciation of third-party cookies, some brands are already moving to context-based advertising versus personalized advertising by targeting their ads using text-based signals, like the content on a page.
No matter what guidance continues to come forward, health marketers that put privacy first will be best equipped to stay compliant while reaching their audiences with the right message.