If you have forms on your website or a call center that tracks consumer healthcare information requests, the collected marketing data may, or may not, be considered protected health information (PHI). If it is PHI, you may need to reconsider whether it can be used to create personalized marketing campaigns, even with the consumer’s permission.
Healthcare marketers should be justifiably concerned about online consumer data privacy and how they chose to use collected data. Websites have been collecting consumer information online for more than 28 years and healthcare marketers have followed the master guideline...the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191. In the past the definitions were clear, but at present, the line is blurred. We are all asking...What can we do to stay compliant, and how should we approach PII data collection?
PII vs. PHI
HIPAA compliance has to be top of mind for marketers when working with patient or healthcare consumer data. If a healthcare consumer submits information, agrees to the approved terms/use of their submitted information, and the information is PII (personal identifiable information) and not PHI (protected healthcare information), a healthcare organization can identify their interests and provide valuable information to the consumer in exchange for their PII. The rule — do not cross the HIPAA line. But where is the line? When does PII become PHI?
We’ve compiled some great sources and checklists that help improve your understanding and confidence in where your organization can comfortably draw the line.
It all starts with the data collection process. Whether online, via phone, or in person, understanding the combination of fields of information you collect and how that information is used determines whether it is PII or PHI.
PII and tracking data from analytics platforms, such as Google Analytics, help marketers determine the success of marketing campaigns and their placements. Without it, agencies and marketing departments have significant blindspots that impair their ability to measure effectiveness in ways they have been able to do in the recent past. We are all looking for cookieless solutions and first-party data resources where possible. How we use that data to optimize a campaign or build a personalized nurturing channel for lead-generation programs is being closely watched by legal groups who ask if we need to redefine and repurpose how we currently use consumer data so that more protection is in place for consumer privacy.
UPDATING POLICY AND PROTOCOL
While this is still a gray area, healthcare organizations are building interim policies for consumer data collection and use. It is time to dust off the Privacy and Data Usage Policies, review your tracking tools, audit your online forms and revisit HIPAA and data protocols. Waiting for federal or state laws to firm up their definitions is not an option for us. By taking the good faith safeguards listed in this document, you are well on your way to mitigating legal risk or investigative bodies questioning your due diligence.
MAPPING THE PROCESS
If you haven’t done this in the past, we suggest you start with visually building out your healthcare consumers’ pathways to data collection, data security, and future data use. The following diagram is a simple example that shows the critical touch points you should check to safeguard your data process.
Example of a simple PII collection process. Key data collection, security, and use are identified. Evaluate and determine if they are HIPAA-compliant and PHI-proof.
THE ONGOING LEGAL DEBATE
Recently, legal groups across the U.S. have been challenging healthcare systems and their online practices of consumer data collection. They are trying to make the case that consumers interested in receiving general information on healthcare topics or sign-ups for events or screenings in exchange for non-clinical PII (Personal Identifiable Information) should be considered identifiable PHIs (Protected Healthcare Information) and the consumer is saying that they MAY be associated with a disease or health condition based on their interest in the topic, putting their name and information into a category that applies to HIPAA (Protected Healthcare Information). This applies to forms on a website and spills into ad and website tracking tools and forms completed on paper – any way you can collect and place that information into a database for marketing use is being carefully reviewed. There are several cases where healthcare systems and healthcare data brokers are being pursued, so it is worth the time and effort to take preventative measures.
WHAT CONSUMERS SHOULD EXPECT
Consumers should have confidence in a healthcare organization’s proper use of lead generation or marketing use of information submitted on a form. This applies to a written or digital form or information collected over the phone.
Inform the consumer what their submitted information is being used for in every capacity.
Always allow the consumer to “Opt Out” of unwanted communications or third-party information.
Never use, share or sell information outside of the use identified in #1.
Secure the consumer’s submitted information by ensuring privacy measures are taken and encrypted messages are passed to a secured database. (Always look for reputable icons and make sure you can click through to their source.)
Follow form creation best practices designed to convert and boost UX.
HOW TO KEEP FORMS HIPAA COMPLIANT
Learn the letters. Learn and share the official definitions of HIPAA, PII and PHI. This will go a long way to staying vigilant when reviewing forms.
Stay informed. Stay attuned to credible and official sources who share the latest developments on HIPAA compliance such as the AHA (American Hospital Association) and HHS (Department of Health and Human Services).
Follow the big dogs. The large healthcare systems are tracking this closely and updating their forms to stay in what they consider a safe zone away from any implied PHI.
Audit your website forms. Work with an organization or partner who can take a knowledgeable, unbiased approach to evaluate forms. It’s a good time to take inventory; check the form paths, form security, encryption, and database information safety; and review accessibility compliance as well as identify any PHI red flags. Lock down that data and map the paths from your forms to your databases, CRM system algorithms, tracking tools, cookies, pixels, and marketing use of that data.
18 PII IDENTIFIERS
“Health information, by itself without the 18 identifiers, is not considered PHI. For example, a data set of vital signs does not constitute protected health information. However, if the vital signs data set includes medical record numbers, the data is considered PHI and must be protected since it contains an identifier."
All of the following are PII identifiers BUT when combined with a piece of personal health information (such as a diagnosed medical condition, medication, procedure or treatment), they represent PHI. The data, bundled together, makes it possible to identify a person AND that person's health information.
Names
All geographical data smaller than a state
Dates (other than year) directly related to an individual
Telephone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health insurance plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers including license plates
Device identifiers and serial numbers
Web URLs
Internet protocol (IP) addresses
Biometric identifiers (i.e., retinal scan, fingerprints, etc.)
Full-face photos and comparable images
Any unique identifying number, characteristic or code
Source: The HIPAA Compliance Guide
REQUIRED ANNUAL AUDITS/ASSESSMENTS FOR HEALTHCARE ORGANIZATIONS
According to The HIPAA Journal, all healthcare organizations should perform 6 annual audits or assessments to ensure compliance. This is a good safety measure for any organization that manages patient and prospect healthcare data.
Security Risk Assessment
Privacy Standards Audit (Not required for BAs)
HITECH Subtitle D Privacy Audit
Security Standards Audit
Device Audit
Physical Site Audit
If your marketing department is responsible for the content on your websites, you should take on the Physical Site Audit (websites) as a standard annual review. For more information, see The HIPAA Guide for audit recommendations.
HIPAA COMPLIANCE RESOURCES
WORKING WITH YOUR PARTNERS
Your partners should be able to help you with educational information about how this affects your current marketing program. This is particularly important if you have lead generation campaigns in market, email marketing programs, or haven’t audited your campaign landing pages with forms. Also, ask about how this changes your tracking data. With G4 Google Analytics in full swing, all marketers are making big changes in how they should accurately read their data story. Until the blurry areas of what is considered PHI become clearer and there is a broader acceptance of the new definition, you – and your healthcare system – will need to make some interim changes to ensure you are compliant AND able to obtain useful consumer data.
Consider conversations on the following:
What does a cookieless option or first-party data option look like for my digital ecosystem’s tracking?
What changes are recommended in tracking and reporting?
How do I tell this data story to executives without overwhelming them with the technical nuances?
Can you audit my landing pages and forms online for HIPAA compliance and best UX standards? While you are in there, can you check for accessibility compliance?
Can you map my consumer’s experience from first eyes on marketing and let us know where we can make improvements?
Are there materials I can share with my marketing team that will help them become more familiar with the changes and challenges in PII and PHI data collection?
Do I have a tech partner who can audit our site for security purposes and ensure that captures and any databases are up-to-date and secure?
How should I adjust my campaigns that are currently in market?
Do you have any materials I can share with executive colleagues that can help them and help the marketing department, communicate changes in the legal environment?
When and where should our legal department be involved?
STEPS TO TAKE
Audit the forms on your website and review “Opt-in” protocols with your call center when consumers ask for topic information, events, screenings or anything promoted under marketing.
Bring in a subject expert to confirm all your website and form-building security protocols are working and up-to-date on your website.
Make sure your privacy policy and SSL securities are present and easily identifiable.
Check your state’s exemptions on data privacy laws.
Check your forms and marketing emails for “Opt-in/Opt-out” language with self-selection available.
Keep a close eye on the HIPAA Compliance Resources listed in this document to stay current on updates or changes.
CONCLUSION
If you have any questions about website forms, security protocols, healthcare marketing strategies, lead generation landing pages, or tracking best practices, we’d be happy to help. Please contact SVP, Director of Marketing, Erin Spalding (ESpalding@doeanderson.com) to request more information on these topics or join a conversation.
Please note: The information above is provided to help organizations understand the new healthcare data privacy landscape and is not intended to be legal advice. Consult legal counsel about any case-specific applications or concerns. Legal opinions are constantly evolving, and organizations should consult with experts or reliable HIPAA resources for any new updates following the date of this publication.