Embracing Privacy as a Competitive Edge in Healthcare Marketing

Health care marketing has never been more challenging. From navigating HIPAA compliance to keeping up-to-date with the latest marketing technologies, health care marketers must constantly adapt to a rapidly evolving landscape. This podcast episode addresses these challenges head-on. Ray Mina, Freshpaint’s Head of Marketing, will dive into how health care marketers can turn the challenge of privacy into a strategic advantage. By embracing a privacy-first approach to health care marketing, marketers will actually be able to unlock high-performance marketing tactics that have previously been off-limits. Doing that will put health care marketers ahead of their peers, allowing them to use privacy as a competitive advantage.

Featured Speaker:
Ray Mina

Ray is a serial marketing entrepreneur with over fifteen years of experience leading marketing and go-to-market functions across seven startups. Ray has led marketing and sales at ed-tech startup TreeRing, legal tech startup Lawyaw (acquired by Clio), and construction tech startup Fieldwire (acquired by Hilti).

Transcription:

 Intro: The following SHSMD Podcast is a production of DoctorPodcasting.com.


Bill Klaproth (Host): On this edition of the SHSMD Podcast, we talk about embracing privacy as a competitive edge in healthcare marketing. What's that you say? What am I talking about? Well, you've heard about the HHS guidelines that came out last December, right?


And the HIPAA and data privacy concerns? No? Well, it's going to affect everyone in the hospital healthcare marketing space. And we've got just the person to talk to, Ray Mina from FreshPaint, and we're going to talk about HIPAA and data privacy, and how that is now a priority for healthcare marketers. You have come to the right place, so let's not delay, let's get into it, right now.


This is the SHSMD Podcast, rapid insights for healthcare strategy professionals in planning, business development, marketing, communications, and public relations. I'm your host, Bill Klaproth. In this episode, we talk with Ray Mina, head of marketing at FreshPaint. This episode is also brought to you by FreshPaint.


FreshPaint provides the data governance, monitoring, and routing tools that allow healthcare marketers to maintain HIPAA compliance while unlocking high performance marketing. It is a must hear episode. Ray, welcome to the SHSMD podcast.


Ray Mina: Hey, Bill. Thanks for having me on today.


Host: Yeah, you've got to be a busy man lately with all of this HIPAA compliance stuff going on.


Ray Mina: We're a busy company right now. Yeah. There's definitely, you started off with the right, with the right comment.


Host: Right, right. So why has HIPAA and data privacy then become a priority for healthcare marketers recently? Nobody understood why I asked you that. Why is this such a big deal now?


Ray Mina: Yeah. I'd be surprised if nobody in healthcare understood why you asked that question, but, just in case we connected before this podcast, Bill, and we were talking about in December of 2022, how HHS updated their guidance around HIPAA. And literally overnight healthcare organizations went from not being too concerned about visitors to their website, to being concerned about visitors to their website and their website, potentially sharing protected health information with a whole bunch of tools they rely on for marketing.


Host: Yeah, this really has upended the way healthcare marketers can do their jobs. Is that right?


Ray Mina: Yeah, I would say that I think this has been a bit of a journey because, now we're talking almost a year later from that initial guidance. I would say that we went from existential crisis of not knowing how to go forward to yes, your job is being affected and the way that you can do marketing healthcare has changed, but that people are starting to adapt and find those pathways forward.


But yes, the landscape of healthcare marketing is very different than it was this time, last year.


Host: Right. So what is the risk of non compliance then in healthcare marketing? What is the risk?


Ray Mina: I mean, this has been pretty wild because, Bill, when in December of last year, the risk was that you would be out of compliance as it relates to HIPAA, but what we've seen over the course of this 12 months is it's almost like a multi-headed dragon, which yes, you have HHS and HIPAA concerns, but the FTC has weighed in multiple times fining healthcare and healthcare adjacent organizations, issuing warnings, lobbying Congress for more money for healthcare privacy protection. And you've also seen a number of class action lawsuits where major healthcare providers, if not fined by the regulators, have been caught up in lawsuits by attorneys. And then I guess the last thing that I've really noticed that healthcare brands are starting to talk about is you have all these legal concerns, but like, isn't this really about just building trust with your consumers, with your patients anyway?


And you have that risk from your brand standpoint. Do you want to be that healthcare brand that consumers and patients trust? Or do you want to be that healthcare brand that consumers and patients, have some kind of reason not to trust?


Host: Yeah, and trust, very important, as we all know. You want to be on the side of trust, that's for sure. So to be more clear for someone that might not know exactly what we're talking about. Just by the way, if someone coming to a hospital website, clicking on a blog, or an article on diabetes, etc. Of course, we all use web trackers.


We're tracking visits to our website. Now, with the new HHS guidelines, you are then collecting, or potentially collecting, personal health information, or what we're calling PHI. Is that right?


Ray Mina: You could be, right? What HHS called out specifically was the web trackers that power a lot of the marketing and advertising tools that we rely on in a lot of industries and healthcare markets to consumers. So they certainly rely on them too. So what are the examples, Google Analytics, the ad platforms, even things like embedded and hosted video are things that are concerned.


If those web trackers exist on your site, they have the opportunity to collect context about the visit. So, health information, pages that people are visiting. You made a great example it could be a mom looking at pregnancy services, right? That web tracker is also picking up what HIPAA calls identifiers.


IP address, device ID. The obvious stuff like name and email Bill are, you know, things people have always paid attention to. But even an IP address is an identifier, and when you combine the two and you share it with some of these marketing and advertising tools that don't have the legal framework in place to protect your data, that's exactly what the guidance called out as being something that would be a compliance risk.


Host: And the risk or the issue is, if someone goes to a hospital website and is viewing health information, health content, whatever that may be, and then they're on Facebook or Google and all of a sudden they're getting served up ads on what they were just searching, that now is a breach of privacy. Why am I seeing all these ads now? I just went to this hospital website. What's happening? That's basically what the problem is. Is that right?


Ray Mina: Yeah, exactly. I think this is a growing concern in consumer privacy, even outside of healthcare. We think healthcare is just a canary in the coal mine, is that these ad platforms leverage, you created a great example of how they can leverage this data to know a lot about a consumer.


And start to, like, serve them information in a way that may feel like it's intrusive to that consumer. And then maybe that goes even further and some of this information that's collected in the future could be used against people for legal purposes. Who knows? So I think that's really what the, I think that's really what the government agencies are after is to just limit the amount of data, especially when it comes to protected health information that can be shared with a platform that has no, really no need to protect that data. There's no guidelines in place for them to protect us as consumers.


Host: Right, but now hospitals are having to worry about these privacy concerns and make sure that this information is being protected. So, this is what this is all about now, and if you think, oh, it's not going to affect me, well, it could, because I've heard there's lawyers out there that are looking for cases to bring against hospitals.


Is that what you're hearing or seeing?


Ray Mina: We're definitely seeing that. That was when you asked me about the risk of noncompliance, that was one of the things that we've learned this year, which is there, the lawyers have mobilized. So, even if you're not going to be fined by one of the agencies, you know, even if you avoid that risk, lawyers are looking for former patients and there's tools that are available where they can scan a healthcare provider site and see what tools are already, what web trackers are installed. And if they see the Meta Pixel, if they see Google Analytics, if they see some of these things where they know that these tools with those web trackers put you at risk; and they can find former patients, then they open up class action lawsuits. And you can just, you can Google this stuff and you can see some pretty big healthcare and hospital names that have been caught up in, in these suits.


Host: So if you think, eh, this isn't going to happen to me, I don't need to worry about this. I'm a small rural hospital. Not true. You do need to worry about this, right?


Ray Mina: Yeah, I think so. I think that what we're also seeing is that, I don't work at the FTC, so I can't tell you exactly what they do, but what we have seen is that the FTC has gone after smaller healthcare organizations. Some of the organizations like GoodRx and BetterHelp; they were on the smaller side and so sometimes it's a lot easier for FTC to create an example by going after a smaller organization that maybe doesn't have as many legal resources as a larger organization.


You see the same thing with the FTC when it comes to things outside of healthcare, right? The last company they're gonna go after is Amazon because it's gonna take them 10 years to like navigate that in the courts. So they're looking, they eventually will, but they're looking for quick wins.


They're looking to like, cause part of their goal is actually just to get people to follow the regulations and the guidance. So they want to create those examples. So if you think you're a small organization and you're not going to be at risk, then I think that's a slippery slope because you're at risk of lawyers suing you, you're at risk of FTC looking for quick wins and once again, it really ultimately comes down to the trust with your consumers. So if there are ways to mitigate this and protect your consumers, but still achieve your marketing goals, isn't that the better question to ask than can I avoid risk?


Host: Yeah. So, and that is a great question. So let's talk about that because we all use Facebook pixels, right? We need to track usage. So how do you see companies like Facebook and Google, who are non covered entities, are they adapting to these data privacy regulations?


Ray Mina: I mean, I don't think, you know, we both know Facebook and Google combined, they're 250 billion dollar a year advertising businesses. They've built like two of the greatest advertising platforms in the history of the world. It's all predicated on having a rich data set about each of us as a consumer; because then informs future targeting and hey, I'm a marketer that's used all those tools for multiple startups, and they're very effective if you can target properly and that targeting requires data.


And so these platforms have no vested interest in signaling to the world that they're willing to throttle the collection of data. And so when this first guidance first changed, a lot of people thought, surely like Google or Facebook will sign BAAs and put the legal framework in place to make these tools safe.


But signing a BAA would say that they're willing to like protect consumer information and limit the use of that consumer information, which goes in the face of their 250 billion dollar and growing advertising business. So our position, we think that, and many people in the industry think that, Google and Facebook are not going to make any changes and are not going to be HIPAA compliant ever, or unless they're like eventually forced to in, in the courts, which as you and I know can take years, if not a decade.


Host: Right. So then I guess the really big question is, Ray, how can we marketers embrace privacy and use it as a competitive advantage? How do we work in this new world?


Ray Mina: Yeah. I mean, first of all, let me just say that I'm new to healthcare. I never worked as a healthcare marketer. I'm kind of a spoiled SaaS startup brat who didn't have to deal with healthcare privacy and some of the challenges that folks have here. And so I've always been able to invest. If we can prove out that things work, in my position, I've always been able to invest in new tools and new software to help like accelerate growth at a startup.


And one thing I've learned about healthcare, which was a surprise for me, and maybe it's not, shouldn't be a surprise, but it's been very difficult for healthcare marketers to get some of the tools that they need to grow the business because there's a lot of friction to put them in place, right?


There's obviously budget in a low margin industry is a concern, but then when you get into like legal compliance, security reviews, the number of stakeholders that have to like, sign off on a solution to get it in place; it's been prohibitive for healthcare marketers to get some of the same tooling.


And when I say about tooling, I'm talking about, it's not just about acquisition. It's about how do you market for the life cycle of like a visitor or patient? How do you improve margins? How do you improve engagement? You need software to like collect the data and be able to leverage that data in such a way that sends like really engaging conversational emails and text messages to, to get our visitors and patients to a better outcome. And that's been a real challenge for healthcare marketers to achieve. And we see this now. We see a lot of our customers who come to address this kind of immediate compliance issue and kind of turn the lights back on. The very next thing that they're able to do is actually start to do some of the marketing they've always wanted to but, weren't able to because they didn't have the tools in place.


Host: So when it comes to tracking technologies, we were talking about Facebook and Google Analytics. So the problem is, is that when somebody searches something on the internet, there's an IP address attached with it. So now with this new HHS guidance, the IP address is considered PHI. So that again is part of the problem. So what you're saying now is there are new tools that even though someone is searching on a hospital website for that diabetes page and reading that article or whatever, there's tools now that people can use to de-identify that person, so you're not collecting that PHI. Is that right?


Ray Mina: Well, very specifically, and again, I'm neither one of us, unless you have a background in law, I'm not a lawyer, I'll just say that, the guidance is very clear about what PHI is. Protected health information is the combination of a HIPAA identifier, like an IP address, and the key here is AND health information.


So, according to the letter of the guidance, the IP address by itself is not PHI and a web URL that's like diabetes treatment or pregnancy services by itself is not PHI. It's when you combine those two things that, that runs a risk. And so then that creates the opening for how do you mitigate risk? Well, you just make sure that for tools that are not compliant, you just make sure you never share both sets of information in the same data payload. So as an example, to just put this into real world terms, we know that Google Analytics, its main job is to tell us about a visitor journey through the healthcare website.


Like what pages did they visit, that diabetes treatment page? Did they sign up for an appointment? Like that's how we use these tools to improve experience and measure our performance as marketers. You're going to have health information with that data set that I just talked about. So therefore, you know, that you can never share an identifier, right?


Google Analytics today captures IP address and device ID. We know we can never share that. So there are tools that are in the world today, like FreshPaint, where you can govern that data to make sure that that set of PHI is never shared with Google Analytics. And the same thing is possible with ad platforms and other tools as well.


Host: So what you're saying is there are ways around this by using tools that help govern the data so you're not sharing PHI, but you can still use Google Analytics and Facebook Pixels, etc.


Ray Mina: Yeah, like the typical stack for a healthcare marketer is they're using Google Analytics to measure performance and improve experience. Their job is to like get new patients. So they're using consumer marketing advertising tools like Facebook and Google Ads and they probably have some kind of engagement platform like Salesforce Marketing Cloud or Iterable to send really engaging emails. You need some way now to replace all those native trackers that power those tools with something that can collect the data safely and then govern that data in a way that makes sure those tools never get PHI or make sure that PHI is only shared to tools where like a legal framework, like a BAA actually exists.


You need something that sits in the middle to basically control this flow of data across your tech stack.


Host: So you can still use these tools in essence then by using this go between in the middle that kind of will collect that PHI. Right, before it gets sent out to Google Analytics or Facebook or Google Ads or Salesforce. So those individual tools aren't ever receiving it.


Ray Mina: That's right. Yeah. We have more than a hundred of some of the leading hospitals and healthcare organizations in the country that are doing exactly that, they're still able to leverage those tools that they were relying on before the guidance. They're able to leverage those today without completely changing their strategies; but they're able to do it in such a way that makes sure that they're meeting the legal and compliance requirements, and they're getting the sign off from their internal stakeholders in those groups.


Host: So a company like FreshPaint will allow someone to use those tools, Google Analytics, Facebook, Google Ads, all those things, without the risk of sharing or collecting PHI.


Ray Mina: That's correct. You nailed it, Bill.


Host: So which is right now in this climate that we're in with this new HHS guidance and HIPAA compliance is really, really important. So, Ray, then, can you give us an example or a case study where a healthcare organization did successfully leverage privacy focused marketing to gain a competitive advantage, even?


Ray Mina: Yeah, I mean, we talked about the first existential crisis was, oh my gosh, I can't use the advertising tools and the analytics tools I rely on. Let's figure out a way to move forward. And that's usually when customers come to us from healthcare organizations. That's their pants on fire problem that we helped solve.


But then immediately after that, they realized that, FreshPaint is more than just like turning my ads back on. It's a healthcare privacy platform that can help basically address a whole bunch of use cases I have. So I'll give you an example, like it's really straightforward if your conversion that you're aiming for just happens on your website, right, like an appointment, a scheduled appointment, that's fairly easy to track.


But what if the actual conversion that you care about is the birth of a baby, like, nine months later? That conversion probably happens in your EHR, which is in a post auth environment. Like, healthcare organizations, most of them have never been able to track that back to the original acquisition. So what if you could, what if you could actually track that in a safe way and actually go to your CFO with true patient acquisition costs?


Healthcare marketers tell us that that's like the holy grail. And we have clients now who are starting to put those pieces of data in place and have a much more complete story and have a better view of like how they can do like higher margin healthcare marketing. So this is like a game changer for them.


Another one I'll just share with you is, you still need to do like granular analysis of data, but you can't rely on some of these other tools like Google Analytics to do it because they're unsafe. But a lot of teams have a data warehouse. So they maybe have, Google won't sign a BAA for Google Ads, but they will for something like BigQuery.


And so FreshPaint can send the entire rich dataset to BigQuery, even merge different datasets, so that teams can get like a better view of like lifetime value and these data points that are really going to help them drive better outcomes. So these are things that were really hard or impossible for marketers to do in the past. And now with a tool like FreshPaint, a lot of these things are becoming unlocks for them.


Host: So you're able to merge the data from the different tools to present an even clearer picture of the consumer?


Ray Mina: Correct.


Bill Klaproth (Host): Yeah. That's fascinating. That's well, that's a positive byproduct from all of this. Ray, can I ask you as well about YouTube and Vimeo? Somebody might be thinking, well, if I have a YouTube video on my website about prenatal or diabetes or whatever it is, and someone is searching that information out, IP address, coupled with, as you said, actual healthcare information. Wait a minute, am I not in compliance then? What about those things like YouTube and Vimeo?


Ray Mina: Yeah. This wasn't planned, but your timing is amazing. We just launched support in the FreshPaint platform for Vimeo today. And we had launched support for YouTube a few weeks ago. So you're right. Like if you believe, and everyone believes that Google Analytics by sharing health information, plus an IP address is all that it takes to be at risk for compliance; then we know that in hosting videos on YouTube or Vimeo, and then embedding those players on your website, it's the same thing because if you've ever uploaded a video to YouTube, for example, they immediately generate a transcript of the video. So, they're getting context and if that video contains health information, then therefore you've introduced health information to YouTube where there's no legal framework to make that safe.


And then the embedded player that's running on the healthcare website, that's just trying to do the job of creating a better patient experience, shares the user's IP address when they go to access that video. Now YouTube has health information context and the IP address, which is PHI, and it's behaving exactly the same as these other tools.


And this is now becoming a bigger and bigger concern for legal and compliance teams in healthcare organizations.


Host: Wow, that is interesting. So again, I'm, I watched the YouTube video on diabetes. YouTube's got that information. They have my IP address. They basically know who I am. They know that I'm interested in diabetes health information. And all of a sudden I'm getting served up with ads just because I went to a hospital website and watched the YouTube video.


Ray Mina: Even if you never get served up with ads, the guidance is like sharing that information is the issue. And so, even if YouTube and Google never use that data for anything else, the guidance specifically calls out, you just can't share it. You can't share it at all. And by you hosting it on YouTube, and then embedding that player on your website, on your healthcare website, yeah, you just by sharing that information, you run the risk of running afoul of the regulators.


Host: Yeah. Because YouTube and Vimeo, and like you said earlier, Google and Facebook, they're not going to sign a BAA or a business associate agreement, right?


Ray Mina: That's right. They don't today. And we just don't see, we don't see a world or there's not really a financial reason for them to do it.


Host: So the thing is, a company like yours, that's the difference. You will work with an individual hospital and sign a BAA. So can you explain to us exactly what a BAA does?


Ray Mina: Yeah, I mean, the BAA is table stakes here. We'll sign a BAA, which makes it safe for our tracking snippet. It replaces all the native web trackers. It makes it safe for us to collect and then store that data about your visitors in our platform. The real value that we provide is then we provide this layer of governance that makes sure that those downstream tools don't get the data. So in the YouTube example, we just make sure that YouTube doesn't ever get the IP address of that visitor that's interacting with your video and therefore no PHI shared and you're no longer at risk and that tool is safe for you to continue to use.


Host: So when a vendor signs a BAA with a hospital, basically the vendor is taking on that risk saying, okay, hospital entity, you're not at risk of breaching PHI, here's how we're collecting it, and we will assume the risk. Is that basically it in layman's terms?


Ray Mina: Yeah, that's right. If we are collecting PHI from visitor experience on the website, we're just basically protecting the hospital in case there's any kind of breach. And then we're guaranteeing that we're not using that data for any other purposes outside of the benefit of that healthcare system to use that data, to create a better experience for their customers, unlike Facebook or Google, who is clearly using that data collected to continue to advertise for other vendors, and other companies and benefit from the revenue there. You know, we don't use the data at all other than the use of that healthcare organization.


Host: Sure, so with this new guidance, which we just said is going to affect everybody, if you're a healthcare organization, it is going to affect you. I can see why you're so busy, and hence why I asked that question right at the very beginning. You're probably a very busy man right now, Ray.


Ray Mina: It's busy for the whole team, right? Like that's, it's not just me. We've got amazing engineers and we've just got a great team of people really dedicated to solving this problem for healthcare.


Host: Absolutely. So, as we wrap up, Ray, this has been fascinating, and this is the topic du jour. If you went to any of the marketing shows this fall, this was at the top of the list. Certainly, at SHSMD, I think there were three or four of these things on HIPAA compliance, and you did a great session there, by the way, talking about all of this, so, this really is at the forefront of a lot of what people are talking about, for sure. So as we wrap up, any final thoughts? The floor is yours. Anything else you want to say or add to this?


Ray Mina: Yeah. The only thing I want to say there, there's been so much conversation about like what is the risk here? What should we be worried about? I think there's a lot that's been covered. I think it's time to move the conversation to how do we move forward? How do we make this really productive?


And so we wrote a framework, a privacy first framework in collaboration with some legal groups, with healthcare partners and you can find it, it's on freshpaint.io and on our blog. And it's just a Privacy First Framework to how do we go about doing marketing in healthcare. And I think this is going to be a change in process and there's going to be some technology that you'll need to do it, but the good news is there are ways to move forward and we're seeing even bigger downstream advantages for people who do.


Host: Well, that seems really beneficial, and thank you so much for sharing that. So the Privacy First Framework, you can grab it at freshpaint.io. Ray, this has been fascinating, and like I said, everyone is talking about this and needing a solution right now, so thank you for helping to provide that. We really appreciate it.


Ray Mina: Yeah. Thanks for having me, Bill. It was great chatting with you today.


Host: And once again, that's Ray Mina from FreshPaint, and we thank them for sponsoring today's episode. You can visit them at freshpaint.io, freshpaint.io to learn more about their services. And please join us for SHSMD Connections 2024 coming up this October in Denver, Colorado. And if you found this podcast helpful, and how could you not? Please share it on all of your social channels and please hit the subscribe or follow button so you get every episode chock full of goodness. And to access our full podcast library for other topics of interest to you, please visit shsmd.org/podcasts. This has been a production of Dr. Podcasting, providing turnkey podcast solutions for over 130 hospitals. I'm Bill Klaproth. See ya!