A HIPAA Tracking Guide for Marketing Agencies

How agencies can think about healthcare clients and HIPAA


Marketing agencies usually love landing a new client, but healthcare clients are the one kind they tend to be nervous about taking on. The reason is, of course, that healthcare comes with regulations that make working with those clients considerably more difficult.

The main worry is HIPAA, a United States law under which the data of a patient (or potential patient) must be handled with extreme care. Marketers don't often deal with customer data directly, but they can end up touching it incidentally, so HIPAA is a real concern.

That said, healthcare is an industry that pays very well, which is not surprising given how massive it is. Marketing agencies shouldn't ignore it. Instead, let's understand what HIPAA actually is and when it applies to a marketing agency.

Basics of HIPAA

HIPAA is a law passed in 1996. Its main purpose was to control how Protected Health Information (PHI) is handled by healthcare organizations. It focused on establishing guidelines to prevent fraud and theft, given how personal health information is.

In the law and subsequent legal determinations, 18 identifiers are listed as constituting PHI:

  1. Names
  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  3. Dates (other than year) directly related to an individual
  4. Phone Numbers
  5. Fax numbers
  6. Email
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

That's a lot to take in, though most of it isn't relevant for marketing. The only really relevant ones are:

  1. Names
  2. Geography
  3. Dates
  4. Phone
  5. Email
  6. IP Address
  7. URL

Where it gets more complicated: Conversion Tracking

Healthcare marketing is often described as marketing in hard mode, and that's not wrong. By default, no marketer can just drop pixels onto a healthcare site. Pixels run a lot of arbitrary code designed to pull in as much data as they can, whereas healthcare requires being very selective about which data is collected.

So what is actually acceptable? In truth, it depends. Just 3 months ago, the government vacated previous guidance from June that said that IP address + URL was enough to trigger a HIPAA violation (See Here). The law is literally changing in real time. That said, the best place to look for the government's current opinion is on its own website.

The Basics

Summarizing what's on the government website, there are a few things that are allowed and a few that aren’t allowed. Let's start with what not to do:

  1. No pixels on authenticated pages - Anything on the signup/login page and after it can't have a pixel.
  2. No direct conversion events - By direct I mean nothing that makes a user a patient (appointments).
  3. No sending patient PII - The word patient is key, since it signifies a completed appointment. So if someone is a returning customer and their email happens to be available? Don't send it.

In contrast, what's allowed is:

  1. Sending Page View events on unauthenticated web pages - Any page views before the signup/login page are good to go. For example, the homepage, the about us page, etc.
  2. Sending the browser id and click id for the ad platform - These identifiers are not healthcare related; they are marketing identifiers and don't contain PHI (HIPAA doesn't apply).
  3. Non-appointment conversion events - Events such as reaching the sign up page don't establish a patient relationship, so HIPAA doesn't apply.

What to optimize in the platform

What a marketing platform should optimize for is somewhat complicated. Usually, one would optimize for whatever generates revenue, but as previously mentioned, we can't optimize for appointments since that makes someone a patient (HIPAA applies), so we need a non-appointment conversion event.

In practice, there are effectively 2 popular options in the industry, one of which is considerably more correct than the other:

  1. Get Started Event - The conversion event is when someone clicks on "Get Started" to reach the sign up page. The event sends only the browser id and click id.
  2. Page 1 Event - The conversion event fires after someone provides an email address on the first page of the sign up flow. The ad platform then receives the browser id, click id and email address.

The first one follows the HIPAA requirements most cleanly. The second is used very often because it's more valuable, since it includes an email. There's also a case to be made that the second event complies with HIPAA, given that it is still not an appointment event, but that argument is more complicated. To be safest, the former is better. To be most effective, the latter is better.

All of that said, while it's used a lot, I would nonetheless not recommend 2). The reasoning, quoting directly from the HHS guidance on tracking technologies under HIPAA:

The login page of a regulated entity's patient portal (which may be the website's homepage or a separate, dedicated login page), or a user registration webpage where an individual creates a login for the patient portal, generally are unauthenticated because the individual did not provide credentials to be able to navigate to those webpages. However, if the individual enters credential information on that login webpage or enters registration information (e.g., name, email address) on that registration page, such information meets the definition of IIHI. Therefore, if tracking technologies on a regulated entity's patient portal login page or registration page collect an individual's login information or registration information, that information is a disclosure of PHI and is subject to the HIPAA Rules.

With that in mind, it's best to optimize for 1), unless the lawyers say otherwise.
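As an added example (not code from the original post), here is a small browser-side gate that applies the do-not rules and the "Get Started" choice from the sections above before a conversion event leaves the page: nothing fires on authenticated pages, appointment events are refused, and only the ad platform's browser id and click id plus non-PHI fields survive. The path prefixes, field names and event names are assumptions.

```javascript
// Added example, not code from the original post. It applies the post's rules:
// no events on authenticated pages, no patient-creating (appointment) events,
// and no patient PII; only the ad platform's browser id and click id are sent.
// Assumed (hypothetical) values: the path prefixes, field names and event names.

const AUTHENTICATED_PREFIXES = ['/login', '/signup', '/portal', '/account'];
const PATIENT_CREATING_EVENTS = new Set(['appointment_booked', 'appointment_scheduled']);
// Field names that map to the marketing-relevant PHI identifiers listed above.
const PHI_FIELDS = new Set(['name', 'email', 'phone', 'ip', 'dob', 'address', 'zip']);

function isAuthenticatedPath(pathname) {
  return AUTHENTICATED_PREFIXES.some((p) => pathname === p || pathname.startsWith(p + '/'));
}

// Decide whether an event may be sent and strip anything it must not carry.
// Returns { allowed, reason } or { allowed, payload, dropped } so every
// decision can be logged and audited later.
function buildTrackingEvent({ pathname, eventName, browserId, clickId, extra = {} }) {
  if (isAuthenticatedPath(pathname)) {
    return { allowed: false, reason: 'authenticated page' };
  }
  if (PATIENT_CREATING_EVENTS.has(eventName)) {
    return { allowed: false, reason: 'patient-creating event' };
  }
  const payload = { event: eventName, browser_id: browserId, click_id: clickId };
  const dropped = [];
  for (const [key, value] of Object.entries(extra)) {
    if (PHI_FIELDS.has(key)) dropped.push(key); // never forward PHI fields
    else payload[key] = value;
  }
  return { allowed: true, payload, dropped };
}

// Constructed sample: the "Get Started" click on the homepage, where the form
// happened to expose an email. The email is dropped; the two ids are kept.
const sample = buildTrackingEvent({
  pathname: '/',
  eventName: 'get_started',
  browserId: 'fbp.1234', // constructed browser id
  clickId: 'fbc.5678',   // constructed click id
  extra: { email: 'someone@example.com', page_title: 'Home' },
});
```

Wire `sample.dropped` and the `reason` strings into your own logging so the client's compliance reviewer can see what the gate refused, not just what it sent.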

Conclusion

To conclude, healthcare clients are excellent for marketing agencies, generally having good budgets and excellent products to market. The difficulty is that they're not allowed to use normal tracking tools for regulatory reasons. That shouldn't discourage anyone from pursuing them though, as the tracking concerns are very much fixable with the right tech and processes.

Lastly, it should be noted that there's a bit more to do besides ensuring proper tracking to be 100% in the clear from a HIPAA point of view. For example, it's likely better to have internal analytics so the ROAS is 100% accurate (using appointment events instead of the others). Plus, it might be necessary to get a BAA from Google Workspace for one's email and such. But those are a topic for another time 😀