
Webinar: What Attorneys Need To Know In Today’s Healthcare Marketing Landscape
Meet Your Hosts

Aaron Burnett, CEO at Wheelhouse DMG
Aaron Burnett is CEO and founder of Wheelhouse Digital Marketing Group and has nearly 30 years' experience in digital marketing. Prior to founding Wheelhouse DMG in 2010, Aaron was president of a UX design firm, VP of Marketing for a business intelligence platform provider, VP of Marketing for NetMotion Wireless, and VP of Sales & Marketing for AT&T Wireless.

Jodi Daniels, CEO at Red Clover Advisors
Jodi Daniels is the Founder and CEO of Red Clover Advisors, a certified Women’s Business Enterprise specializing in data privacy consulting. With over 27 years of experience spanning privacy compliance, digital marketing, and behavioral targeting, plus her background as a CPA, Daniels has established herself as a leading voice in privacy and AI governance.
Access The Presentation
Want to follow along with the full presentation? Download the complete slide deck at to reference all the frameworks, compliance checklists, and best practices discussed in this webinar.
The Changing Privacy Landscape In Healthcare Digital Marketing
Aaron Burnett: Hello and welcome to What Attorneys Need to Know in Today’s Healthcare Marketing Landscape. In today’s webinar, we will take you through the changing privacy landscape in healthcare digital marketing, some key data restrictions and trends that are impacting healthcare marketers, legal’s role in guiding privacy-first healthcare marketing—they have a very active and important role to play, which is the focus of this webinar—and then best practices for privacy-first healthcare marketing and our outlook and conclusions about what we have seen in the marketplace, what we believe is coming, and how to prepare for the future. I am Aaron Burnett. I’m CEO and founder of Wheelhouse Digital Marketing Group. Jodi, would you like to introduce yourself?
Jodi Daniels: Absolutely. I’m Jodi Daniels. I’m CEO and Privacy Consultant at Red Clover Advisors. We’re a data privacy consulting company.
Aaron Burnett: Fantastic. Wheelhouse provides world-class performance marketing for privacy-first industries. We’ve been working with very large healthcare providers, insurance providers, and medical device manufacturers for more than a dozen years, unlocking performance and working with some of the world’s most innovative brands for even longer.
Jodi Daniels: And Red Clover Advisors is, as I shared, a data privacy consulting company. We are all about trying to help companies simplify the complex data privacy requirements. Think of us as the privacy operations team with a very flexible approach and also making sure you’re compliant with the applicable privacy laws for your organization.
Aaron Burnett: Thanks. So let’s talk a little bit about the privacy landscape. It is complex. It is ever-evolving. I won’t take you through the panoply of everything on this slide. We’ll make the slides available and you can review it on your own. But I will highlight four seminal moments here that are instructive for where we are today. The first is enforcement of GDPR in Europe, which really has become the gold standard for data privacy regulations and the litmus test for privacy regulations globally.
The second is the increase in privacy regulations at a state level. You have a tapestry of state-level privacy regulations that differ from one another in very meaningful ways. Some are very restrictive, as in California. Some are a little bit more lax. Some acknowledge federal regulations and have carve-outs for them, and some don’t. You have 21 states at this point that have their own version of data privacy regulations. The third thing that I would draw your attention to is the expansion of the HIPAA privacy rule, which occurred at the end of 2022. That was important and very meaningful because it expanded the definition of PHI, protected health information, to include some aspects that pertain to third-party tracking. The net effect was really to render a good deal—in fact, the majority—of third-party tracking a de facto HIPAA violation.
And then the fourth thing that I would point out here is that absent the regulatory environment, platforms themselves have made changes to the data available to agencies and clients, the tracking available, and the targeting available to agencies and clients that significantly constrains anyone or any entity that is in what is deemed to be a sensitive category or a highly regulated category. Even absent everything happening from a regulatory perspective, the environment for digital marketing and digital advertising—the data available to you, the way that you have to go about targeting audiences, optimizing campaigns, and determining what worked and what didn’t—has changed dramatically over the last few years. So it’s very complex and it will only get more so.
I mentioned that there are 21 states with their own version of privacy regulations. There are another 17 or so that have pending regulations in the legislative process. So let’s talk about the use of tracking technologies and why that is problematic with this expansion in the HIPAA privacy rule. At the end of 2022, the Department of Health and Human Services Office of Civil Rights issued a bulletin, which is new guidance related to the HIPAA privacy rule. The expansion that this bulletin resulted in is to say that PHI was not only patient information—someone who has logged in, let’s say, to a healthcare provider’s site and can be identified by name and the information that pertains to their treatment or a healthcare condition. That had been commonly understood to be PHI for a long time.
The expansion was to say an individual who also isn’t logged in, may not be known by name, and may not have had a prior relationship with a HIPAA-covered entity—the technical expansion was that PHI now is the combination of any unique identifying number or characteristic or code. The issue here is really IP address. That’s how most analytics platforms and advertising tracking identify anyone who is on a webpage and the content that they view. So if I can identify you by IP address and I know that you were on a URL that pertained to cancer treatment or getting an appointment with a particular physician or symptoms to look for, now that is also protected health information. And so the implication is that most third-party tracking is a de facto HIPAA violation as of that OCR guidance.
So the trouble with these tracking IDs and pixels is that they are not just third-party in that the data is collected by a third party. They are third-party in that they are created by a third party and governed and controlled by a third party. You have a pixel that is placed on a covered entity site, and you have the data that is collected by that pixel, which is governed by a data library that is fully within the control of that third party. And so even if you were to review a pixel—let’s say the Meta pixel, since it is the poster child for some of the more egregious data collection violations—let’s say a compliance team reviews everything that the Meta pixel collects and decides that’s all right, there actually is no PHI here. There’s nothing to say that the data library that governs data collection wouldn’t be updated by Meta the very next day, and that very next day they expand data collection in a way that is non-compliant. So that is the risk of third-party tracking. That’s what is problematic about third-party tracking.
The worry was that privacy compliance might leave healthcare marketers in the dark. That was the big question as of November 2022 and for quite a long time afterward. The landscape changed. We’ve got the regulatory landscape tightening because of this expansion of the HIPAA privacy rule. Now data sharing of almost any type requires a business associate agreement so that the partner entity is governed by and obligated to the same care and privacy rules as the covered entity. And in a lot of instances, compliance ended up turning off the lights for digital marketers by eliminating third-party tracking. So a lot of angst, a lot of concern that if you eliminate that third-party data, you would by definition lose fidelity and lose the ability to optimize campaigns, to properly find your audience, and to drive performance. Things would become much less efficient and much more costly. Our experience has been the opposite. We also had those worries as we were working with our clients. What if this results in gross inefficiency? What if we lose visibility into what’s working and what’s not? Our experience is that performance actually has improved for a number of reasons that we’ll get into a little bit later in this webinar.
Our experience also is that there are significant benefits to embracing privacy. The first is that one of the most scarce resources in all industries—and I think this is particularly pertinent to healthcare and MedTech—is trust. And if you embrace privacy, if you show yourself to be a good steward of your customers’ or your patients’ data, you can build trust with them, which becomes a brand asset. It is a competitive advantage. This is not a one-size-fits-all or a one-response environment. Many different entities have responded in many different ways, all along the continuum from let’s just wait and see and do nothing to let’s go all in and go privacy-first and become fully compliant and figure out how to operate our businesses in that way. If you are privacy-first, if you are working in a fully compliant manner and you are doing so now, you are differentiated from your competitors. You know that you can drive performance in a way that is within your control. You’ve taken control of your own destiny, and you know you have a competitive advantage.
Our experience is that privacy-first digital marketing is more efficient. We have ended up, rather than relying on third-party tracking—tracking that might get us to a proxy conversion, let’s say lead generation or an appointment set—with the loss of that third-party signal, which initially was a source of anxiety, we have needed to focus much deeper in the conversion stack to the moment of actual business value creation. So instead of a lead or an appointment set, did the patient actually attend the appointment? What’s their lifetime value? At what point did the lead convert and become actually a customer of our client? And we can optimize for those moments of true value creation, which means that our digital marketing, our digital advertising, is much more efficient. And finally, our performance is much, much better than when we were relying on third-party tracking.
Our perspective is that the data privacy rules, the compliance rules that most bear on healthcare and MedTech right now, are really coming for all industries. You can see them begin to encroach and have impact on non-healthcare industries today. You need only look at the litany of data breaches and consumer and legislative response to those data breaches to understand why it will be true that data privacy will become a pressing factor for non-healthcare industries as well. And so if that’s the case, then now is the time to prepare for what’s to come. Jodi, do you want to tell us about the changing privacy landscape in healthcare digital marketing?
Jodi Daniels: Yes. Aaron, I really liked your slide that talked about the evolution that we have from privacy. GDPR really is what has set the modern era of privacy. Today it’s considered the gold standard. And when I say GDPR, I mean our friends in the EU and the UK. What has happened is other jurisdictions have used that, and some have just replicated it completely. Others have said I like pieces of what you have. I’m going to take this piece, but I’m going to change this other piece. In the United States, what has happened—Aaron shared—we have this patchwork approach to privacy. It’s actually called the sectoral approach. From a state level, we have 19 different comprehensive state privacy laws. Then we also have some specific privacy laws. For example, in Washington we have the My Health, My Data Act, which is way broader than just what most people think about health data. And it also has really no minimum floors. It captures a wide range of companies and health-related data. You could be a wellness company and you might be in scope for the Washington law. We also have some of those state laws pulling in specific health-related pieces. What this means is that companies have to really understand where their customers and prospects are and be able to identify which laws are in scope for them.
As a friendly reminder to anyone listening, the way privacy laws work globally, especially nowadays in the modern era, is not based only on where you, the company, are located. It is where the people whose data you are processing are located. The other piece is I mentioned GDPR being that global standard. I know I just mentioned the US and the patchwork. Of course, we have our traditional privacy laws. We have HIPAA. We have the Federal Trade Commission’s guidance. But we also have other jurisdictions, like Canada to the north, where Quebec has its own privacy law in addition to the national privacy law in Canada. And globally, depending on where you are, you might have another privacy law. So what does this mean? This means you need someone in your organization really thinking about privacy first and saying, wait, we’re going to do what with our data? Let me make sure and think about the privacy law for that particular situation.
And then let’s talk a little bit about some of the specific enforcement trends. What’s actually really interesting is, as we’re recording this webinar, I know it’s not healthcare, but I just can’t help but share—hot off the press is another enforcement fine from the California regulator. Now I know it’s against Tractor Supply, not healthcare-related, but why is it important? What we are seeing, especially from the California regulator, is that we are seeing increased fines and focus on privacy notices, digital cookie consent experiences, and contracts. I think that plays well into the conversation around the different OCR enforcement actions and the FTC actions because they all end up focusing on some pretty common themes. Privacy notices—you need to have an accurate privacy notice that actually reflects what it is that you have on your site.
And Aaron, you talked earlier about those IP addresses and being really tied to other types of data, and that nowadays is considered personal information. So what has happened is there’s been a variety of different cases. For example, the FTC fined BetterHelp $7.8 million a couple years ago. The FTC fined GoodRx $1.5 million, Premom $100,000. And these are just a few. We could keep going. It was a very busy year that year. And why? What is the issue? They had pixels on the site that were capturing health information and sharing it to a third party, like a social platform or other advertising platforms. They did not disclose what was actually happening in the privacy notice. And in some of those situations, that needed to be an opt-in scenario where you couldn’t just grab that health information and just share it with whomever you wished.
And then I mentioned California. I started with our Tractor Supply because it’s so hot off the press. At the same time, though, we have state attorneys general who have also done a variety of investigations, and some of those might have been joint, like the state of New York has done some joint investigations before alongside these health-related pixel situations. And then we talked about our patchwork. We have California that has its special Do Not Sell or Share My Personal Information link. And you might say I’m not sharing or selling that information. Actually, short version, ad tech has pretty much been interpreted to be considered a sale or share under California. If you’re engaging in it, not only do you need to understand and think about the health-related data that might have been in that pixel stream, you also need to make sure you have the appropriate disclosures, not just the privacy notice but also the appropriate link.
Cookie consent software is going to be your friend to make sure you have it properly set up. And we have other states like Colorado, as well as California—and we’re up to nine or ten, I think—that require this universal opt-out. Maybe you’ve heard of Global Privacy Control (GPC), which allows you to opt out at the browser level. These states say make sure you’re complying.
So net-net, and Aaron, I’d love if you could add a little bit extra context here, but we have these enforcement trends that are saying if you’re collecting health information, that might not be okay. That is personal health information. That might not be okay. If you’re going to do anything, you likely need to opt in. You definitely have to disclose what’s happening. You can’t hide that in a privacy notice. And then of course, we have this patchwork approach that companies need to figure out not only at a federal level but also at a state level.
Aaron Burnett: I think there are a few things to note here. The first is a lot of this starts with consent. You need to obtain consent. One of the things that has been our experience is that as we monitor, as we scan sites using technology that allows us to determine whether in fact the consent state that is agreed to at the front end is actually honored through a visitor’s journey on a site, it almost never is. In fact, we work with a partner organization called ObservePoint, and they will tell you that they have never once scanned a site with a consent option in place that was compliant, that honored consent fully. And the reason for that isn’t evil. It’s not deliberate. It’s simply that there’s a lot of complexity in the placement of pixels on sites. If you don’t have proper governance with regard to the way content or new web updates are published, you may end up accidentally republishing a pixel that you didn’t intend to have in place. And so having some monitoring solution in place and running regularly is important to ensure that you are honoring consent.
The second thing is that the enforcement actions and the fines that Jodi mentioned are the public enforcement actions and the public fines. Jodi, you and I have also both spoken with data privacy attorneys, and they tell us that the visible stuff is just the thin end of the spear. There’s an awful lot that is invisible. You have demand letters and other threats of enforcement actions or class action lawsuits that are most often very quickly settled in a way that doesn’t result in publicity. And so there is even more happening behind the scenes than is visible in these enforcement actions.
Jodi Daniels: Yes. And Aaron, I’m so glad you brought up the enforcement because some of those fines that I shared, those are the public ones. And there are oodles of enforcement letters, settlements, and warnings that are coming that you and I won’t know about unless we might work with that company. And it is important for everyone listening to think about these enforcement actions that become public as we cared a lot about that. That’s one that was going to settle and get some media attention. However, if you were to talk to a long list of my privacy and security attorneys and litigators, they are dealing with these all day long. Regulators care, and it is a much broader net that they are casting than what we might know about today in the news.
Aaron Burnett: Yeah. There’s one other brief point that I would make, and that is something attorneys need to know—what’s being tracked, what’s being collected, is knowable by an external party. And so a pixel’s not visible to a visitor to that site, but it absolutely is visible to anyone who cares to audit, as is the data that is being collected by that pixel. And there is so much attention being paid to this space. You should assume that your site is being scanned by people who are looking for you not to be in compliance and trying to figure out what advantage or what value they can extract or what fines they might impose based on your lack of compliance.
Jodi Daniels: So let’s talk a little bit about some of the requirements. And this is incredibly important for those of you who are sharing data, processing data globally. If we think about GDPR, there are also other laws that are really particular on where data is processed. If I am processing data on an EU resident, for example, and I’m a US-based company and I’m going to have my US-based software—how is that data, my US-based team, going to access that data? And I’m just using US as an example. This is true, honestly, for any other country around the world. GDPR says you have a cross-border transfer, and you have to make sure that when that data is being processed across borders, it is still going to be processed with all the concern and level of security and strictness that GDPR believes it should be.
What does that mean in practice? First, there’s a contract. There’s a specific contract with a long list of provisions that you need to have in place with every single third party that is going to process your data. This might be your agencies. This might even be with freelancers and contractors, as well as software companies. Oftentimes, the software companies have one contract for all their millions of people, but you need that contract in place. Fun fact, you also need that contract here in the US. Anytime you are having data between your organization and any other vendor, processor, subprocessor—pick your flavor word—anyone else using it, you want to make sure you have the right contract in place. Part of that contract, though, from a GDPR point of view, is going to be talking about what type of security measures you’re going to have in place, how the company may or may not use the data that’s going to be processed. And essentially, this is how you’re able to process the data overseas.
Some of the other pieces that might have to happen—there might be an assessment that your organization also has to complete. It’s called a transfer impact assessment. It’s a long list of questions to basically ensure when that data is being transferred, you have all the parts in place. You have the right contract. You have the limitations. You have the security measures in place. You have appropriate training, all of those types of things. So as a reminder, if you are processing data on someone in the EU and you are sharing it outside the EU, you need to go through these provisions.
Now there are 12 countries around the world that are what’s called adequate. That means the other country’s privacy law is equal to GDPR, and they say, oh, you’re going to transfer data to those countries? Wonderful. We feel comfortable with those. Off you go. You still want the contract. Still want to make sure you are thinking about what that other company might do with the data. But from a cross-border perspective, that’s considered adequate. The United States is not adequate. So if I speak to the United States, what we have in place is a Data Transfer Framework. It’s called the DPF. It’s gone through three iterations. You might have known it as something called Privacy Shield. You might have known it as something called Safe Harbor. The latest version is the Data Privacy Framework. This is where an organization self-certifies to a program that the US and the EU governments have agreed upon. And in that self-certification, you basically get the opportunity to say we are part of this framework, and now you, the organization who might rely on that third party, can rely on what that transfer framework means.
Some companies, I will share, still go through the contractual process even with the particular rules for cross-border transfer. They want both. And at the same time, if you are looking for providers—maybe you’re actually listening and you are a provider, or maybe you are a brand and you are looking at who your providers are—it’s really nice to have. There are several thousand organizations who have gone through the self-certification process. At the same time, you don’t have to go through the self-certification process. You can contract your way through the ability to transfer that data. And as we have here, ads and collecting leads count.
Now we also have these different frameworks. And I’m going to talk a little bit about some of these. And Aaron, I know I want you to hop in on some of these particular healthcare-related ones to ensure that we are fully comprehensive. So we’ve talked about state privacy laws. We’ve talked about GDPR. I mentioned in Canada they have some privacy laws. There are over 120-plus privacy laws around the world. We’re not going to cover them all today, but some of the things you want to think about—if you happen to have anything from a financial perspective, there’s the Gramm-Leach-Bliley Act. That’s actually the bottom right here, GLBA. Anyone listening, if you’ve ever received a privacy statement from your bank or your credit card, it looks like a chart. That’s one of the requirements from them. I hope everyone here has read it.
If you are processing information on children, there’s a specific children’s law that you also have to adhere to called COPPA. Note, in several of the privacy laws in the states, as well as GDPR and around the world, they also cover children, so you might have to double dip for COPPA and some of the others. You’re sending text messages? You’re going to need to be complying with the TCPA. Emails? CAN-SPAM here in the United States or CASL up in Canada. Are you conducting virtual appointments? There’s telehealth privacy. What kind of vendor are you using? Does that vendor comply with HIPAA? Do you have a business associate agreement in place with them? It’s really important to understand—and I always go back to the data—know your data. What type of data are you processing? And where are your people? That’s going to determine which privacy laws are in scope for you. And based on that, then you’re going to have to think about—we have frameworks here. Which framework do you need to be thinking about and consider? It might be a blend. And Aaron, I’d love if you could talk about HIPAA, clinical trials, and FDA drug.
Aaron Burnett: Yeah, I’ll focus mostly on HIPAA and BAAs and also just our approach as an agency and with our clients with regard to how to navigate this patchwork and the different levels of privacy. The advice that we give our clients and the way that we operate is basically to adhere to the most conservative version of the privacy regulations that you have to deal with. And as much as possible, to take control of your own destiny by creating your own tracking infrastructure, your own first-party data strategy, your own first-party tracking, and not relying on third parties. In that way, we have been able to create highly performant digital marketing campaigns, digital advertising campaigns, very rich data that still is of value to our clients in a way that creates protection and ensures compliance in all of these different contexts. We have clients who are healthcare providers who also have medical devices. We have had some clients who also are executing clinical trials. And by taking this approach—the most conservative approach possible—we can ensure compliance.
Key Data Restrictions and Trends Impacting Healthcare Marketers
Let’s talk about key data restrictions and trends that are impacting healthcare marketers in particular. As you can tell from all of the fantastic information that Jodi has shared, there are really big shifts in data strategy. The biggest shift is away from third-party data—data that is collected by, saved by, and stored by third parties and made available to you as a covered entity or as an agency. Again, you can understand, given everything that we’ve shared, why that is problematic. It at least puts you at risk, if not puts you out of compliance. And so instead, the shift has been to first-party data strategy. So collecting consented data from users, data that you have permission to use, and also collecting data within the infrastructure of a covered entity or a partner entity that is under BAA. So remember, if you’re under BAA, then you have all of the same privacy obligations as that covered entity.
As a general rule, the biggest problems in privacy-first marketing are not so much in the collection of data as in the sharing of data. You still need consent for the first-party data that you collect, but you can collect and maintain relatively full-fidelity data if you’re not sharing it outside of the conceptual four walls of the covered entity or a partner under BAA. So you need to control collection. You need to control sharing and ensure that in that sharing part, you don’t put yourself at risk. There are definitely healthcare-specific consent challenges—ensuring that you have proper consent for patients versus those folks who are not identified and not patients, that you’re not tracking in parts of the site where you shouldn’t, that you haven’t universally deployed a pixel that applies to both the publicly facing aspect of a website and also the logged-in state of a patient.
And then there are big platform change impacts. I mentioned the changes. Platforms generally—the sensitive industries change for Meta—we’re seeing similar changes with Google in their advertising approaches, in the data that they make available to you for certain forms of advertising, in the types of advertisements that you can actually use if you are in a sensitive category or a privacy-first category. And then Apple has continued to invest in privacy from a technical perspective and as a part of really their brand promise. iOS has long done quite a lot to suppress tracking at an app level and require permission or consent from an end user. They’ve really doubled down on that with the latest iOS that has been released across their system of devices. And each time that happens, whether in fact you have moved away from third-party tracking or not, the data is being taken away from you. The latest estimates that I’ve seen are that as much as 60% of third-party tracking data that previously had been available is no longer available through a combination of cookie blocking in the browser, ad tracking suppression, Apple’s privacy moves, and platform changes. So you can choose proactively to take control of your own destiny, or you can end up not taking control of your destiny, creating vulnerability from a regulatory perspective, from a brand perspective, and trying to make your digital marketing work with just a fraction of the data that you need to actually understand what’s going on.
Jodi, do you want to talk about legal’s role in guiding privacy-first healthcare marketing?
Legal’s Role In Guiding Privacy-First Healthcare Marketing
Jodi Daniels: Yes. So it’s really important that everyone here be friends and partnering. It’s an education. It’s evolving. We are continuously learning. And the legal team always wants to be brought in at the beginning, and the marketing team wants—often a yes—but they want to make sure that they’re doing what they need to be doing. And the best way to do that is at the very beginning. So working hand in hand when the marketing team has a brand new initiative, we want them to be coming at the beginning to be able to say, legal team, what are the considerations that I need to have? And we also want that legal team to be able to act as that strategic advisor to be able to say, okay, so the goal, marketing team, you are trying to achieve is X, and here are what we need to consider in these areas. Here are the risks. Here’s how we can accomplish that. And collectively, because everyone is working for the same company—legal and marketing—you all work together on the same goal here of moving the company forward. So that partnership is going to be very important.
And at the same time, it’s also critical that everyone understands each other. The healthcare marketing tech stack is complicated. It’s helpful to be able to understand the technology. What are the different terms? Everyone has their fancy acronyms. We privacy people have our acronyms. Marketing has theirs. Legal has theirs. But what does it actually mean? Because when we’re trying to execute on a campaign and be able to follow the data through, understanding how that data is actually flowing through is important because that ties to what we’re actually putting in a vendor contract, that ties to what needs to be in a privacy notice, that is connected to what that consent might need to look like. And following that data trail is also going to help anywhere we might need to have those BAAs.
We are required—if those of you listening are thinking, this sounds great, how do I actually get this started? I actually ask this question a lot to people, and honestly, the old-fashioned roadshow or cup of coffee or lunch or whiteboard session—just literally getting to know each other is a very helpful starting point because that’s where the casual conversation happens. Honestly, it’s where the good scoop of we’re trying to do this initiative also happens. And then when you have these important decisions, you already have the most important piece. And I think that’s displayed by the icon graphic we have here, which is a relationship. We have to be able to have a relationship to be able to have that privacy-first healthcare marketing be successful in today’s environment.
Aaron Burnett: I would also chime in and say we have implemented HIPAA-compliant data solutions and digital marketing programs for a significant number of companies. Some of them quite large, some of them a bit smaller. And I would stress this isn’t a meeting. It’s not even two meetings. This is a series of meetings over an extended period of time to get a deep understanding of, as Jodi said, what marketing’s trying to do and the way that data currently is being collected and the way that data is flowing through the organization today, so that you then can figure out what you need to do to bring the organization into compliance while also continuing to maintain performant digital marketing. In these projects that we do, it might take six months to implement a HIPAA-compliant data solution. 80 to 90% of that time is spent in discussion and change management and planning and mapping and all that sort of thing. The technical work is arguably the easiest and fastest work that we do.
Jodi Daniels: Yeah, really well said. And I just would love to echo what you shared. This is ongoing. You should be building upon these conversations. Obviously, a very specific project would have all those discussions and meetings like you just talked about. And on the relationship-building piece, it’s also ongoing. So once you get that project up and going, everyone, don’t retreat back to your areas till the next one. Keep the conversation going and continuously learn because, quite honestly, six months later there’s probably something new that we need to be implementing and adjusting for given the current privacy environment.
Aaron Burnett: Yeah, Jodi, I think every time I talk with you, you have new information that I wasn’t aware of because you’re so tapped in.
Jodi Daniels: So when we start thinking about those key responsibilities, we also have education. And I just think this is so important, right? We were talking about how it keeps changing. How do we do this? It really is important. How do you also learn best? So some people learn best by video, audio, reading, or teaching others. Understand your learning style and find the places that are going to be best suited for the information you need to know. And it’s also important, though, to be able to translate that law. So we’re talking about how do we work together? How do legal and marketing pair nicely? The marketing team needs to know what’s in it for me. What do I need to know? And the legal team is so excited often to read these really complex legislations or enforcement actions. It needs to get distilled down into the appropriate speak. And here, obviously, we’re talking about marketers. That’s really true for anyone around the organization. You might tell it at a really detailed level to someone who might actually be in the code or in the software tool; to an executive, it might be a slightly different version. The same is going to be true here. Really understand your audience and make sure you are using stories, examples, analogies, distilling down the nuts and bolts to what that group needs to have. And we just keep getting all kinds of enforcements and staying on top of cases as well as new privacy laws. Because it does, it just keeps adjusting and changing all the time. Privacy people and legal professionals are staying very busy.
Aaron Burnett: I think one interesting and germane point to make here as well is that in most of these instances, you have regulations that are published or you have guidance from HHS. And both the regulations and the guidance really aren’t settled and clarified until there’s case law that shows exactly what is and isn’t binding, how that guidance, how those regulations are going to be interpreted by the courts. And so it is very important to stay in tune with legal and for legal to stay abreast of everything that’s happening in these enforcement actions and case law because you’ll get clarity over time through those actions.
Jodi Daniels: Yes. So we’ve talked a bit about you have to have these notices, and we’ve been talking about clarity and being transparent. It’s also important to connect your brand and your voice as well. Privacy notices have a specific list of requirements that need to be in them. The same with cookie banners. I’ve also seen teams work with their communications teams to be able to craft and make sure we’re using—we have a good brand experience. This might include a summary, for example, at the top of the privacy notice. And it might, again, be some of those simple words. I’ve even seen some, if it’s a fun and lighthearted tone on the site, that they infuse that perhaps in the summary section. I’ve even seen some of it in the body of the privacy notice as long as we still cover all the requirements. That is good. It’s really helpful to do that. I will also add it’s important to make sure from a user experience—please don’t forget the user experience. I see a lot of notices that don’t work on mobile, and we have a significant percentage of people accessing them on mobile. Or it takes over the whole screen, or you have hyperlinks and the hyperlinks don’t work. So let’s not forget about the consumer experience, but very important to be able to make sure you have accurate privacy notices. You have a privacy notice link that works on every single page that collects personal data. Hint, hint, just put it in the footer. It’s a great solution.
Cookie banners—an entire other conversation. Need to make sure you have the right jurisdiction, you have the right setup, no dark patterns, the correct opt-outs, the correct cookie categorizations. But then at the same time, if you also have a HIPAA Notice of Privacy Practices and you have your marketing privacy policies, you want to make sure it’s clear. So sometimes I see just “privacy notice,” and then you only have one of them. If you have a website, you actually need both. You’re going to need your website privacy policy, and you’re going to need your HIPAA Notice of Privacy Practices. So sometimes people are creating privacy centers where it’s really easy. You’re using icons and links and the appropriate names to be able to make sure that it’s clear and easy to be able to see. And depending on your company—and Aaron, this really goes to the very beginning where you talked about trust and how privacy is so central and core—how can you turn privacy compliance into part of your brand story? What kind of data are you collecting, and how does the customer, whether they’re B2C or B2B, feel comfortable about the kind of data that you’re processing?
I was working with a company yesterday, and we’re trying to vet and learn who a company is. When we go to their site and we see that they have 2021 from their GDPR compliance story, they have a data protection agreement and a contract that looks weird and all cobbled together, their privacy notices from several years ago, they don’t talk at all about security measures—right away from the outside, we’re a potential customer, and we don’t feel very comfortable with their privacy practices. It’s an opportunity to share and shout from the rooftops. Here’s why we care. Here’s why it’s important. Here’s where it shows up for you. And again, all related and relative to the kind of data that you are processing because that matters. Privacy matters. Trust matters. And when you do all of this, don’t forget to actually test. Make sure the links work. Make sure the cookie consents work. Many of the enforcement actions, especially at the state level right now—they did test these things. I talked to a company earlier today and they go, yeah, we still have our 2023 privacy notice. Hint, California and others say at least once a year test. You go through all this work, just like you would test a campaign. Did the email work? Did the ad deliver? You want to test this part too.
Best Practices For Privacy-First Healthcare Marketing
Aaron Burnett: All right, let’s talk about best practices for privacy-first healthcare marketing. First, build a first-party data strategy. Take control of your own destiny. Get consented data from your users. Build your own data repository. One of our experiences—I alluded at the beginning of the webinar—the anxiety that we and others had when the OCR guidance came out, that with the lack of fidelity, the lack of data in third-party platforms, the lack of tracking, the lack of audience targeting, that we would then lose performance, digital marketing would become inefficient, very costly, and really prohibitively expensive. Our experience has been the opposite. By building first-party data strategies, by taking control of our own destiny, by warehousing our own data—so not relying on third-party data repositories—we moved away from what felt easy.
It was easy in digital advertising, for example, to log into a platform, target an audience demographically, psychographically, geographically, go after that audience, and rely on third-party tracking to tell us what was working or what wasn’t working. But what became clear when we shifted to a first-party data strategy and we warehoused our own data, we gleaned insights from our own harmonized and integrated data across multiple platforms, and we integrated that data warehouse with client CRM data, which brought us much lower, much further down the value chain—what felt easy was also inefficient. We were dealing with proxy data, imprecise audience targeting, a conversion that felt like the moment of value. But really there was so much inefficiency and fall-off between a lead conversion or an appointment that was set but maybe not attended. By focusing much deeper in our own data, in our client’s data, and optimizing for that moment of true value creation, we were able to significantly improve performance. So we didn’t lose anything. We gained. And when I say improve, I mean that our clients are having record years. This year, the gains that we’re seeing are in the 50 or 60 or 70% improvement range by taking this approach.
Privacy-first marketing is not a loss. It is a gain. Focus on data inventory and mapping. We alluded to this when we were talking about developing relationships with legal and getting a clear understanding of the way that data flows through the organization today and the way that data needs to flow through the organization and to any third parties to be in a fully compliant environment. And this, by the way, is something that you need to not just develop once, but you need to maintain it and refresh it over time. There’s an update to the security rule for HIPAA compliance that in fact requires that sort of data inventory and mapping at regular intervals. So not just a good practice, a required practice.
You need to identify PHI interactions. You have to understand where protected health information intersects with marketing data. You need to understand the threshold for PHI and then you need to understand this lesser threshold of individually identifiable health information, which is the nexus of an identifier and content, for example. Then limit and secure sensitive data. Use data minimization principles. You only collect what really is needed, what is consented. You only share what is legally allowable and what is absolutely required. So you need systems in place to control that moment of collection. You need systems in place to cleanse the data and to ensure no third-party tracking is introduced on your site inadvertently. If someone were to, for example, post a YouTube video on a company blog, which by the way comes with its own analytics payload embedded in the video, you need systems in place to control data sharing with third parties.
When we do this, we’re controlling sharing down to a single data attribute level so that we absolutely share the absolute minimum with any third party, and we are certain of compliance. By having these systems in place, you are both compliant and also not subject to the whims of platforms as they make changes to their tracking, data they make available, data they will accept, and the sort of performance information that they’ll share with you.
Operational excellence. Let’s focus on this. As Jodi alluded to, you must audit third-party vendors with healthcare-specific security requirements. One of the things to understand here is that as a covered entity, it’s not sufficient just to sign a BAA with a partner and obligate them to the same protections, the same duty of care with data that you have. You actually are responsible for ensuring that partner organization is compliant, that they actually are doing the things that they are supposed to do to honor the BAA and protect data. You must integrate privacy practices with your marketing strategy for all the reasons that we’ve talked about. I think this is a value add. It’s a key part of brand strategy and brand promise. I think it will become increasingly—and as you integrate privacy practices with marketing strategy, you are again taking control of your own destiny and putting yourself in a position where, regardless of what happens at a platform level, regardless of what may change from a regulatory perspective, you can adapt and adjust and still remain performant. And then establish privacy governance structures and regularly audit your procedures. This includes things like auditing consent management and consent states, auditing your site to ensure that you are tracking in the way that you intend, that nothing has been introduced that shouldn’t, auditing your data flow, auditing the way that you are handling, caring for, managing data, and using and stewarding that data as well.
Implementation best practices. Jodi, do you want to speak to this?
Jodi Daniels: Yeah. So when we think about consent, the language matters as well as the law that you are considering and the kind of data that we’re processing. A cookie consent is different than an email marketing consent, which is different than a HIPAA consent. So it’s really important that you have tech that’s going to help you manage that. And going back, Aaron, to what you talked about with the data, you need to know which data and which purpose to help you make sure you have the right consent. And I’m going to tie it to what I said before. You actually have to test it. Having consent and you think it works, and then it doesn’t, means you have no consent. So ensuring you have a functioning one—like what, Aaron, you also said—the strategy and the time to make sure that you are thoughtful. This is where I see sometimes people are creating a holistic preference management, making it easier for me, the consumer, and it is then working and in compliance as well for the company.
Then, of course, we have the vendor validation. I shared my story a little bit before how I was working with an organization recently, and we were trying to vet a vendor. And what did we do? We went to their website to try and see who they are. That was not a very good experience. But I have done that with other vendors and service providers, and they have shared, here’s everything we have. Here’s all of our security practices. Here’s how we handle HIPAA compliance. We’re HIPAA certified. Here’s our list of all of our certifications. It’s important that you know each vendor that you have, which certifications from a security and a compliance area you need, and then you are looking for validation that they actually have those. This also is where that contractual conversation will also come in. So really, you’ve got to know who your vendors are. You need to know what kind of compliance and certifications they’re doing, as well as don’t forget that contract.
And then, of course, my favorite, we have cookie and pixel governance. I could have a whole webinar on this today, but Aaron told me I can’t, so we’ll have to do another time. But really, we’ve been talking about pixels and trackers. Know which ones you have, obviously the vendors as well, and who are they and what are they going to be doing with that information. But the governance piece ties into the enforcement actions that we had several years ago. It’s what type of data is actually being grabbed in that pixel? What other pixels are being dropped on the site that you might not know about? Maybe you have pixel one, but then there’s piggybacking that is actually happening. The governance aspect means I have a new pixel. I want to actually vet and understand everything about it at the beginning before I place it. Then the continuous life cycle of cookies and pixels is I’m testing it, I’m scanning, I’m looking to see did anything else drop. And if I don’t need it anymore, we take it off the site. Why give another company data that you don’t need any further? A clear process that is going to make sure you are aware of what type of tracking technologies are on your site is the very first step to being able to comply with the long list of laws and trying to stay out of the crosshairs of a regulator.
Future Outlook
Aaron Burnett: So what’s the outlook for the future? Again, as you can tell, this is a recurring theme. We’ll see increasing enforcement that already is happening. The OCR enforcement, or rather the OCR guidance, continues to be clarified through cases in the judicial system. State health privacy laws are becoming more restrictive, also more diverse as more of them come online. And we already are seeing greater enforcement and litigation across all levels. We’ve talked about the need for industry transformation and the fact that industry transformation already is happening. Platforms are preemptively changing the way that they’re handling data, moving to a privacy-first stance with sensitive industries, and that will continue. Privacy is becoming integral to patient care and safety. It is a part of the operations of healthcare systems, of medical device manufacturers, getting so much scrutiny and so much attention, both in public and from a regulatory perspective.
So prepare for what’s coming. Data privacy, we think, is coming for all industries. You can see it happening. You don’t have to be a sage to understand that it is coming for all industries. Healthcare faces unique scrutiny right now because of sensitive health data and vulnerable populations. But again, the same thing is coming for everybody. So take control of your own destiny and put in place privacy-first marketing today so that you can remain performant even as this landscape adapts. Again, as we’ve said, privacy-first marketing is integral to quality of care. It’s integral to organizational culture and part of the continuous evolution of organizations that want to remain performant, remain compliant, and also protect themselves from the whims and the vagaries of this tapestry of very complex privacy regulations we have at a state, federal, and international level.
We hope this has been helpful to you. It’s been very interesting to do with Jodi. Jodi, as always, you are a wealth of information. Thank you very much. If you want to reach us, we have our contact information here. You can reach me at aaron@wheelhousedmg.com. And Jodi, your email address there. How else should folks reach you?
Jodi Daniels: LinkedIn. Speaking on the education front, I produce a significant amount of content on LinkedIn. I would love to connect with you there. And I’m so grateful, Aaron and Wheelhouse, for having me here today to talk all things privacy.
Aaron Burnett: It’s fantastic. It’s been a privilege to have you here. Thanks very much.