Choosing an Analytics Solution to Navigate a Hyper HIPAA ‑Conscious Environment
You would never ask a stranger about their personal health struggles or private life. But is your marketing tech stack so polite?
With advancements in AI and machine learning, it’s easy to get caught up in the possibilities of knowing what your customers want at the exact moment in time they want it. Those tech stacks have evolved from wow-inducing conference booths and workshops to real-world applications being put to use today.
Look Before you Leap
A wealth of knowledge brings great power and with that, the responsibility to wield that power carefully.
To serve our customers the content or products they want when they want it, we have to know our customers. To aggregate audience cohorts, we strive to identify specific customer attributes. But which attributes are safe to collect and measure, and which are considered a violation of privacy and trust?
This is where it pays to be a well-read marketer. Last year, the Federal Trade Commission and U.S. Department of Human and Health Services Office for Civil Rights put out a joint letter spotlighting the risks in online tracking in marketing tech stacks.
“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”
The letter was sent to about 130 hospital systems and telehealth providers alerting them to the risks of online tracking technologies and suggesting a privacy and security checkup.
These risks compelled many marketers and technologists to start to evaluate both the technologies and the data that they collect. Not all solutions passed the test. However, Adobe collaborated with legal and privacy professionals over HIPAA standards and requirements to develop robust data governance and security capabilities within their solutions.
In today’s landscape of hyperawareness around privacy and data protection, it’s important to understand and responsibly evaluate any risks or gaps in protection with a healthcare brand’s marketing tech stack, data flow and de-identification methods.
HIPAA Regulations and Data Management
HIPAA security rules provide two acceptable methods for de-identification: expert determination and safe harbor (the removal of 18 identifiers). Masking, or blocking Protected Health Information (PHI) from reaching downstream destinations is not an acceptable solution under HIPAA security rules. This includes names, dates, phone numbers, Social Security Numbers, and more. The federal HIPAA Privacy Rule protects PHI to ensure its confidentiality and security.
Relying on masking as your de-identification method opens your company up to the following risks:
Accidental data exposure: Inadvertently sending unmasked PHI data to downstream solutions puts companies at risk of violating HIPAA regulations. Once the mistake is made, it’s not so easy to go back in and delete the improperly handled data. It’s not uncommon for sensitive data to be accidentally sent to vendors, which is what makes accidental data exposure such a high risk for healthcare organizations.
Masking service breakdown: A service failure could result in sensitive data being sent to any downstream solution, opening the door for possible regulation issues and privacy breeches with downstream tools and regulators.
Impact on data quality and use cases: Masking could be a bit too effective, negatively impacting underlying data used for legitimate analysis and use cases – missing or incorrect geo-data, inhibited bot detection based on IP, hindered internal IP filtering, restricted domain lookup, limited general reporting use of IPs, and HIPAA mode support limited to server-side destinations being a few of the resulting challenges.
Data activation limitations: Masking data can challenge activities in a Customer Data Platform such as sending campaigns based on PHI or re-engaging individuals based on masked data.
Adobe Customer Journey Analytics with Healthcare Shield
All Adobe Experience Platform-based applications, including Customer Journey Analytics (CJA), are built with vigorous privacy, security and data governance capabilities. For U.S. healthcare brands, Adobe had released a new Adobe Experience Platform add-on to AEP-based applications. Adobe Healthcare Shield frees brands to use certain PHI in these applications to drive successful customer experiences and extract more actionable insights.
Adobe Healthcare Shield enables healthcare brands to bring PHI into Adobe Experience Platform and use it to inform customer experiences. Adobe Healthcare Shield can also execute Business Associate Agreements with covered entities and business associates.
With Adobe Healthcare Shield, CJA is HIPAA-ready to:
Optimize cross-channel experiences: Use CJA to derive how patients or members surf devices to uncover experience gaps impacting site conversion or success events after authentication.
Deflect support calls: Evaluate the effectiveness of self-support channels and discover friction points driving patients, members, or prospective customers to call support centers.
Manage population health: Map patient journeys to improve their health based on their condition and activate data based on missed touchpoints of that journey, i.e. campaigns or personalized content.
Quantify the value of wellness programs: Connect data sets to measure the impact of wellness programs on care needs, improving healthcare outcomes.
By improving understanding of the challenges and risks around responsible data management, healthcare organizations can make informed decisions in selecting an analytics solution that passes muster with HIPAA regulations and avoids the risks associated with middleware or point solutions.