
Episode 12: Tealium and Wheelhouse: Empowering Healthcare Organizations with HIPAA-Compliant Data Solutions

Hosted by Aaron Burnett with Special Guest Nirmal Vemmana

During Tealium’s Digital Velocity conference, Aaron had the chance to connect with Nirmal Vemmana, Product Lead for Healthcare and Life Sciences at Tealium, to discuss the company’s latest offering, Tealium for Healthcare. Nirmal dives into how Tealium has been working in the heavily regulated healthcare space since 2013 and how their partnership with Wheelhouse has helped them navigate the complex world of HIPAA compliance.  

Nirmal shares how healthcare organizations should view compliance as an opportunity to refine their marketing strategies and adopt a first-party data-driven approach. The conversation also touches upon the evolving landscape of privacy regulations and how Tealium and Wheelhouse are empowering healthcare and life sciences organizations to thrive in this new era of data privacy. 

Tealium for Healthcare

Aaron: I’m here at Tealium Digital Velocity with Nirmal Vemmana. Nirmal, do you want to tell me a little bit about your role with Tealium and some of the exciting announcements that Tealium has made here at Digital Velocity?

Nirmal: Nirmal Vemmana, Product Lead for Healthcare and Life Sciences at Tealium. I’ve been attending for two years now. I came on board to help grow our Tealium for pharma product, and now I am in the process of launching, actually it just launched, our Tealium for Healthcare product. Before joining Tealium, I was in the industry. I was consulting for GSK, Pfizer, IQVM, and then I worked at Merck in the R&D division for two years, right before joining Tealium. So, I’m very much a person of the industry with deep experience and, may I say, expertise in the life sciences world and the healthcare world. 

Aaron: At Digital Velocity, Tealium announced Tealium for Healthcare. Tell me a little bit about that. Tell me about the evolution of Tealium for Healthcare, and the unique value proposition maybe that Tealium and Wheelhouse can bring to healthcare and life science clients. 

Nirmal: Absolutely. At Tealium, we have been working in the heavily regulated space since about, I would say even from the beginning. Healthcare happened around 2013, so we’ve been HIPAA-certified as a platform since around that time. But as you know, starting out HIPAA was rather simple. Even though the major changes that have happened over the years, they weren’t that drastic. Then around the 2022 timeframe, the OCR bulletin, the earth-shattering announcement from the Office of Civil Rights came out. That led us into even deeper HIPAA compliance waters, and our partnership with Wheelhouse gave us a front seat to the issues our customers, our joint customers and even our own healthcare customers, were facing. We figured it would be strategic to build a solution that would offer the healthcare customer a HIPAA regulated entity or covered entity, end to end control of the patient data that they collect, manage, and disseminate to support their operations.

That’s how Tealium for Healthcare came to be. We announced it yesterday. I think the idea is it has to have two components. HIPAA compliance is really step one. But, you have to treat that as a foundation upon which to build personalized engagement, like have that customer centric communication and engagement strategy to really help patients and improve health outcomes. So, HIPAA compliance is really the step one in doing that because without complying with our privacy being respected, there was no personalization that is compliant. We relied on Wheelhouse and your thought leadership. There were a lot of conversations we had, and for example, the 2024 March revised guidance came out from the OCR, then that got conversations going as well. “Here’s what I’m thinking, are you seeing what I’m seeing as well?” I think Wheelhouse has been a great partner and collaborator in our strategy to go to market for Tealium for Healthcare. We have talked to a lot of customers, we did our own research, we spoke to our compliance professionals, and here we are. I think we have a great solution, and we’re looking to collaborate with Wheelhouse more and more and help more and more customers. 

Aaron: Can you describe the solution for healthcare? 

Nirmal: It’s about gaining control over client-side data collection. Controlling who gets the data from an activation standpoint, so everything trying to move things to the server-side where possible, and being able to control which client-side technologies are capturing data, if any. It should be sort of a whitelisting blacklisting approach, if you will. If a particular vendor is not signing a BAA, they’re not compliant, so they shouldn’t be getting data from the client-side. That would put our customer at risk. Obviously, they would be at risk of non-compliance. Only a BAA signing vendor should be able to capture data from the client-side, if at all. Again, that doesn’t have to happen. If a customer doesn’t feel comfortable firing something collecting data from the client, they can move everything server-side. We’re giving that flexibility to them. So again, giving secure data transmission capabilities to make sure, for example, PHI shouldn’t be going to a non BAA vendor. That’s the reason for preventing the client-side data capture in the first place by these vendors. So again, having fine grained control over what the PHI, if any, is being shared with the trusted BAA vendors. 

Aaron: As you said, we’ve worked with Tealium for years. I think we’ve been engaged since around 2015 and have worked in concert to implement Tealium for a number of healthcare clients. I can just briefly, for the edification of folks who might be listening or watching, describe the value that we’ve seen in working with Tealium in a healthcare context and the way that we implement Tealium. We take control, we provide absolute control, at the moment of collection, with a private ID. We govern the data that’s collected with the data library, that we develop in tandem with the compliance and marketing teams that are healthcare clients, and then we very much leverage Tealium’s event stream, that event data framework, because you offer a HIPAA-compliant data hub. You signed BAAs with your clients, as do we, and so we can use, collectively, that data hub to cleanse URLs of sensitive information and offer injection blocking to ensure there’s no third-party analytics payloads, and then leverage Tealium connectors to offer that fine grained control down to a single data attribute level to any third parties that might not be under BAA or to route full-fidelity data to an internal data store, a first-party data store as well. Tealium, for a long time, has been unique in the marketplace in that you have offered a HIPAA-compliant data hub, and this really expands that capability and formalizes it as an offer.

Nirmal: Correct. We tried to productize as much of that as possible. That way, it’s easier for our customers to use the tool. It’s an easier value proposition. It makes it easier for us to bring it to the market. Again, to help our customers with a solution as much as possible.  

Aaron: It very much clarifies messaging and value for healthcare and life sciences.  

Nirmal: Yeah, exactly.  

Aaron: I know healthcare clients have been a big part of the attendee base here at Digital Velocity, I think 30-40%. 

Nirmal: Sounds about right, yeah.  

Roadmap for Healthcare and Life Sciences

Aaron: So, a really good showing and a good reception as well. Can you share a little bit about what’s on the roadmap for healthcare and life sciences clients with regard to Tealium?  

Nirmal: Sure. As I said earlier, HIPAA compliance is that first piece of the puzzle, and then comes personalization. Now that you have that foundation, what can you do with it? You have clean consented data from the patient or the member. Then how do you use that data to curate a personalized experience to our audience, to our customers’ audiences. To that effect, we are exploring, and we already have some integrations on the pipeline, on our current marketplace. We have an integration with or actually we’re exploring integration with Wheelhouse Sonar and Wheelhouse Compass. We also have other vendors and partners we currently work with, for call center analytics, for website analytics, for A/B testing, experimentation, things like that. These are technologies that our customers can use today and get immediate value out of. We’re also exploring other new integrations, like for example, with Epic Systems, leading the HR platform in the industry, so it’s in our best interest to again, if we want to give our customers the ability to personalize how they’re serving their customers, I think integration with Epic is a no brainer. We’re exploring that and trying to see around the corner as to what other vendors our customers might find useful in engagement and engaging their customers with. We’re also exploring what could be done with AI. Could we do some sort of intelligence observability type use cases? We are thinking strategically about these use cases, but one step at a time. I think right now, top-of-mind problem for most customers is achieving HIPAA compliance. Then once you’ve done that, let’s help them achieve that easily and quickly. Then let them get value, let them attack some low hanging fruit, in terms of personalization. Then comes AI and all the other cool stuff, like enhanced observability.

Aaron: You mentioned Compass and Sonar, which are both applications from Wheelhouse. Just to explain, Compass is a HIPAA-compliant data warehouse that we offer and use with our healthcare clients. Sonar is an automated compliance monitoring application that we use, and both can be married with Tealium to support those implementations, with Compass being the first-party data store and Sonar monitoring and also reporting on the instances in which PHI is cleansed, the way in which that combined solution is actually protecting a client. Can you tell me a little bit more? AI has been very much in the zeitgeist, here at this conference and everywhere else. Can you tell me a little bit more about the way in which Tealium is beginning to employ AI and again, what’s on the roadmap that you might be able to share?  

Nirmal: Yeah. I would say, in terms of AI for healthcare, it’s a bit too premature. We’re still very “pie in the sky” type use cases. We are, in general, trying to support our customers’ AI efforts. We’re working on a solution to that effect. It’s all about, again, clean consent to correlated data. No AI engine can do anything. It can’t do anything without good data. Tealium is the perfect fit for that. We already have the data unification capabilities. We already have the consent capture and enforcement capabilities that will make it such a no brainer as a data supplier to the best AI engines on the market today. That way, we can activate the unified data from different channels, disparate channels – could be digital, physical, first-party data, third-party data, all of that – and put a consent wrapper around that, and then feed that into AI, whatever engine our customers are using, and then get the insights and return, and then activate those insights, wherever the insights need to go. I’m sure there would be applications for healthcare within this paradigm. What we’re exploring is could we do more, for example, could there be intelligent PII identification or PHI identification? That’s something we’re starting to explore, very early stage. We’ll see. Hopefully we crack the code.  

Aaron: Well, I know in healthcare in general, in any context that involves a HIPAA-covered entity, Tealium can offer a unique value because you can assist clients in activating and leveraging that full-fidelity data, that you can still maintain internally. But, you can control the way that it’s shared with third parties.  

Nirmal: And the way it’s captured as well.  

Aaron: Yes, absolutely. Which otherwise can be on the continuum from problematic to impossible for healthcare clients.  

Nirmal: Consent works both ways. We can only bring in, or only should bring in, what the patient or the visitor – I mean, everybody, every visitor is a potential patient, like we talked about during our session yesterday. In the absence of clear guidance from OCR about who is a patient and who isn’t, you have to assume everybody’s a potential patient. That means caution must be exercised in capturing consent and only bringing in what they are okay with being captured, and only sharing out what they’re okay with being shared out because it’s their data after all. I think we have to be careful with that. Obviously, Tealium was in a pretty good place to be able to do that. Again, it’s all about the end-to-end control of data capture, management, and transfer.  

Focus on Compliance

Aaron: What else do you want healthcare organizations, potential clients, to know about Tealium’s offering for healthcare?

Nirmal: Right now, the problem everybody seems to be thinking about and hyper focused on is compliance, which is very important. I’m speaking to prospects and customers that are not even compliant, they haven’t thought about compliance, and that’s a bad idea. Nonetheless, we acknowledge that is a top-of-mind problem. However, that should simply be step one. Before you know it, there will be need for personalization, there’ll be need to cater to the customer, like the customers are bringing in sort of the online shopping mentality, as I like to keep calling it. They want that curated experience that takes their pain points into account. They want that specially curated journey that takes their medical history into account, their preferences, how they want to be communicated with, what channel they want to be engaged on, things like that. That is not a compliance problem, compliance as part of that, but you need data orchestration capabilities to be able to do that.

Don’t just be happy with becoming HIPAA-compliant. Use that as an opportunity. I mean, this is not a challenge, it’s an opportunity, that you can then use to think beyond. Otherwise, I think other organizations have been almost forced to adapt digitally. A lot of them have old tech stacks because they have trusted vendors that they were using for many years. All of a sudden, these vendors are found to be non-compliant. Even though they’re free, they’re easy to use, they’re easy to configure, they are not going to help you in a compliance journey. I understand the reluctance on why it took them so far. The OCR guidance, the need to be HIPAA-compliant in the way they have to be today, is forcing change upon them. That is a great time to focus on an end-to-end customer experience. Think about data orchestration. Don’t just be satisfied with compliance. Think about personalized engagement. Think about how can you serve your customer better without violating their privacy, while taking their consent and their privacy into account? Compliance and personalization. You should be thinking about both.  

Aaron: We were talking yesterday, and our experience certainly is that although there’s the inevitable panic when people realize that they have to become compliant and they don’t have access to all the third-party data that was so readily and freely available in other third-party platforms, it really forces thoughtfulness and refinement in marketing strategy, in audience identification, in performance, monitoring and performance assessment as well. Our experience is in that shift to first-party data driven marketing strategies, although it’s much harder at the beginning, you can drive outsized performance. We see very significant performance gains as we shift from third-party to first-party enabled marketing strategies. 

Nirmal: I mean, it’s one of your favorite topics. Correct. I mean, third-party data, the end of third-party data doesn’t need to spell doom and gloom. Going back to using this as an opportunity, shift your mind a little bit. Adopt a new mindset. Patients will trust you with that data if you prove the value to them, if you do it in a way where they feel listened to, where they feel engaged. If they trust you with their data, if they trust you to not abuse the data, they would be more willing to share. Then the insights that come from the patient is more valuable than some third-party data. I mean, this is your own. They’re giving it to you. You should be using more of it, not less of it. You shouldn’t have to feel shackled by not having access to third-party datasets.  

Aaron: What’s also true is that third-party data is in control of those third parties. As a consequence, we’re talking about HIPAA compliance for healthcare and life sciences. But the same sort of privacy regulations that now impact HIPAA-covered entities will impact, I think, all other industries, in the very near future. In fact, that’s not even supposition. We know that Google is deprecating support for third-party cookies in Chrome, Safari and Firefox already do so. We know that Google then will implement what they’ve called a Privacy Sandbox. This data that is the lifeblood of most organizations from a marketing perspective, is going to go away anyway. The data to which you have access in the case of the Privacy Sandbox, is going to be so attenuated that I think it loses value for organizations anyway. So, the more you can take control of your own destiny now before you have to is a win.  

Nirmal: Yeah, I think regulations are coming for all of us. Healthcare is just the canary in the coal mine. I’m talking to our pharma customers, and I lead both our healthcare and life sciences, I lead the whole division from a product perspective. That means I’m seeing how things are changing in the pharma and the life sciences industry as well. As pharma organizations, even though traditionally they were not HIPAA-covered entities, in engaging the patients directly, for example, if they are to ship medication directly to the patient’s home, and if they are curating an online experience to that, where they can go, a patient can provide their insurance information, and then ship the medication directly to their home address. Now our pharma companies, they’re turning into online pharmacies almost. That doesn’t apply to the entire pharma organization, but certain divisions, where they do direct to consumer engagement, so they will now be regulated under HIPAA. I don’t think that’s a problem that is given enough attention by the pharma companies. I still keep getting asked, “We don’t need HIPAA compliance. Why should we worry about it? It doesn’t make any sense. We’re not a provider organization at all.” But, the lines are getting very blurry, you are turning into a provider organization. It may not regulate your entire organization. The parent company will be fine, but your division, the direct to consumer division, could be impacted. You shouldn’t be worrying about whether or not you’re a covered entity. You should be behaving as if you are and take the measures and put the safeguards in place, just like a traditional HIPAA-covered entity would. Sometimes it may not be a compliance issue, it could be a bad branding issue. You don’t want to deliver an icky, less than desirable customer experience. Even though you may not have committed a HIPAA violation, that’s bad for your brand image. 
Having the right controls in place, healthcare and life sciences both can benefit and thrive.  

Aaron: Yeah. I think it’s also fair to say that “We haven’t been fined or sued yet,” is not a very good business strategy. 

Nirmal: Yeah. I mean, it only takes one lawsuit. That HIPAA compliance ticker is always ticking. 

Aaron: We have been implementing what became HIPAA-compliant data solutions for a long time. In fact, we implemented our first in 2019, I think. Obviously, we’ve been working with Tealium for a long time. You mentioned thought leadership. What has Wheelhouse done, what were we doing that has helped to inform Tealium for healthcare?  

Nirmal: I would say that it has exposed that there was a bigger problem than we were paying attention to. It forced us to look at our competition and what they were doing. We had to sort of adapt. Tealium, you can configure it to do anything basically, but that didn’t quite cut it to serve our customers well. Hence the push for productization. By collaborating with Wheelhouse, we knew the magnitude of the problem. Again, it forced us to look in places we wouldn’t have looked. We took a long hard look at our competitors and understood what they were doing. We revealed certain gaps, and that was the impetus toward launching, building and launching, Tealium for healthcare. I would say Wheelhouse was a critical part in that. I mean, you have been great as collaborators. Whether it’s thought leadership or lending us a different perspective on how to think about compliance. Enormously, you’ve been almost like a customer proxy, if you will, given your deep expertise and experience in the industry.

Aaron: The initial OCR bulletin, the updated bulletin, in March of 2024 has focused everyone on compliance. Ultimately, though, compliance limits the data to which you have access as a marketer. We’ve talked about the need to move beyond compliance and think longer term, think strategically about what you’re actually trying to accomplish as a business and as a marketing team. What is unique about Tealium’s offering there?  

Nirmal: I would say compliance obviously has to be taken care of. What’s unique about Tealium is the CDP and the HIPAA-compliant data foundation will work seamlessly. You can’t tell where one ends and the other begins. By the time the CDP kicks in, by the time you are starting to orchestrate data for that real time personalized omni channel experience, compliance has already been achieved. It’s almost an afterthought. It’s that seamless integration of that personalization functionality, along with the compliance foundation, is something only Tealium, as far as I can tell, is doing. The vendors are focusing on either compliance or personalization. The vendors that are focusing on personalization, they can’t serve this industry well because they haven’t cracked the compliance problem. The vendors that are focused on compliance, they don’t have the expertise and the experience that Tealium brings to the industry to create those real time personalization and real time engagement across physical and digital channels.  

Aaron: Thanks very much for chatting with me. I really enjoyed the conversation. 

Nirmal: Likewise. Always a pleasure.  

Questions or Comments

Please let us know if you have questions or comments about this episode by emailing Grace Johnson at Want to be a guest on a future episode? Fill out the Be a Guest form at the top of the Digital Clinic page to submit your inquiry.

Make sure to subscribe to the Digital Clinic on Spotify, Apple Podcasts, or Amazon Music to stay up to date on our weekly episodes.
