At 26 years old, the Health Insurance Portability and Accountability Act (HIPAA) is the most mature and comprehensive health data protection law in the United States. (It was passed in 1996.)
One of the first manifestations of the law came when Gen Z kids were given HIPAA permission forms to take home for their parents to sign for the school nurse.
Behind the forms, however, lies a purpose: the law protects patients' protected health information (PHI) from being disclosed to third parties without their consent.
A law that protects Americans from the unregulated collection and sale of their data online, as HIPAA does, now takes on added importance given the legal implications of the recent reversal of Roe v. Wade.
But does this patient data protection law apply to data-driven advertising and online data collection? The answer is yes and no.
While many companies may have access to sensitive health information through the services they provide — from period-tracking apps and Fitbits to smart thermometers and blood sugar-tracking apps and devices — these companies are not necessarily subject to HIPAA.
There are many misconceptions about when HIPAA actually applies, said Gary Kibel, partner and attorney at Davis + Gilbert LLP.
HIPAA only applies to “covered entities” – including licensed healthcare providers, health insurers, hospitals and some pharmacies – that have access to PHI found in electronic health records, such as medical history, diagnoses, and medication and treatment information.
This specificity restricts the applicability of the law more than one might think.
If a marketer wants to target people with diabetes, for example, it’s possible to do so without being subject to HIPAA. What matters is whether the health information comes from an electronic health record or from an uncovered entity, such as a retailer, whose sales data includes frequent purchasers of sugar-free products.
Similarly, at the start of the COVID-19 pandemic, many employees protested the mandatory disclosure of proof of vaccination as a violation of HIPAA – but “the law only applies to covered entities”, said Kibel, and an employer is not a “covered entity.” Nor are Fitbit and period tracking apps.
Probably the most common intersection between targeted marketing and personal health data is pharmaceutical advertising aimed at patients (as opposed to drug ads aimed at physicians).
But the data itself needs a clean bill of health, so to speak, before being processed, said Jay Calavas, vertical product manager at the customer data platform (CDP) Tealium. “If the data itself is not compliant,” he said, “none of it can be activated within a platform.”
The company’s new product, Tealium for Pharma, for example, aims to give pharma advertisers access to deterministic audiences with “built-in HIPAA compliance,” which can be a lot more complicated than basic consent management.
Tealium ingests patient data from its pharmaceutical customers’ websites, all of which are either consented to or anonymized. It then layers this information with other first-party or licensed third-party data — namely, site engagement and prescription data — to help customers target their patients. If a targeted patient sees an advertisement for a product, it’s because Tealium has obtained their consent, Calavas said.
But HIPAA compliance isn’t just a matter of working with hashed data. Tealium also had to sign business associate agreements (BAAs) with each of its customers and partners, Calavas said. These HIPAA-mandated contracts establish the legal responsibility for shared PHI between healthcare providers and any contractors who access it.
Tealium also had to undergo an audit of its breach notification, change management and risk management implementation.
It’s a “huge checklist” for being HIPAA compliant, Calavas said, because of the stringency of protecting patient data.
Conversely, the other branch of pharmaceutical advertising – ads aimed at doctors and suppliers – manages to largely circumvent HIPAA.
Doceree, for example, is another vendor that provides pharmaceutical ad serving solutions. But because it only targets healthcare providers and “doesn’t touch any identifiable patient data,” HIPAA doesn’t apply, company CEO Harshit Jain told AdExchanger.
Although HIPAA applies primarily to the processing of PHI, which must be anonymized, brands and agencies should still take steps to avoid deterministic targeting just in case.
“You can’t take an actual patient dataset, with conditions identified at the name-based level, and then match that data with, say, Acxiom or Epsilon – that’s a clear case of HIPAA violation,” said Ray Rosti, chief digital officer at Publicis Health Media.
Instead, Publicis Health Media is taking a clean-room approach with data partners to create modeled, probabilistic audiences for its advertisers, so the agency can avoid targeting the actual patients whose data was used for the marketing modeling.
“We also rely on contextual targeting,” Rosti said, referring to contextual data based on web activity rather than on patients. “User search is [actually] one of the strongest signals that someone can be heading for a diagnosis or treatment.”
With clean rooms and contextual data, Publicis Health Media can run campaigns without touching actual patient data.
In this case, HIPAA applies in the sense that it is a deterrent to the use of patient data. For healthcare advertisers, contextual advertising not only allows them to circumvent HIPAA; it is less likely to appear frightening or invasive to the targeted person.
An advertiser would need direct access to real patient data through an electronic health record system, like those run by hospitals, in order to violate HIPAA, Rosti said.
What does a HIPAA violation look like?
But HIPAA violations are happening in the area of digital advertising, as in Facebook’s recent mini-scandal involving hospitals.
Dozens of hospitals were caught earlier this summer sending sensitive patient data to Facebook via a Meta Pixel embedded in their sites when patients made appointments online.
Investigative technology publication The Markup tested the websites of Newsweek’s top 100 US hospitals in June and found that 33 of them had a Meta Pixel installed. The pixel would transmit patient data to Facebook, which would then link that data to individual profiles for targeted advertising (and also share that information with hospitals for site retargeting).
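The hospital pixel findings above rest on a simple mechanism: a third-party script or image beacon embedded in an appointment page sends page activity to an outside host. The following is an added example, not code from the article, The Markup or any vendor named here: a static audit helper that lists the third-party hosts a page's HTML would load scripts, images or iframes from, and flags any that match a tracker list. The tracker host list and the sample hospital page are constructed for illustration; a real audit would run this over the actual appointment pages and compare the flagged hosts against the organization's business associate agreements.

```javascript
// Added example (not from the article): static audit of third-party
// resources in a page's HTML, intended for compliance teams reviewing
// appointment-booking pages for embedded trackers.

// Constructed, illustrative list of hosts to flag; not an authoritative registry.
const KNOWN_TRACKER_HOSTS = [
  'connect.facebook.net',      // Meta Pixel script loader
  'www.facebook.com',          // Meta Pixel <noscript> image beacon endpoint
  'www.googletagmanager.com',  // tag manager, often used to inject pixels
];

// Pull the src URL out of every <script>, <img> and <iframe> tag.
function extractResourceUrls(html) {
  const re = /<(?:script|img|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Resolve relative and protocol-relative URLs against the page origin
// so that first-party assets are recognised as first-party.
function hostOf(url, pageHost) {
  try {
    return new URL(url, `https://${pageHost}/`).hostname.toLowerCase();
  } catch {
    return null; // malformed URL: ignore rather than crash the audit
  }
}

// Returns { thirdParty: [...hosts], flagged: [...hosts] } for one page.
function auditThirdPartyResources(html, pageHost) {
  const hosts = new Set();
  for (const u of extractResourceUrls(html)) {
    const h = hostOf(u, pageHost);
    if (h && h !== pageHost.toLowerCase()) hosts.add(h);
  }
  const thirdParty = [...hosts].sort();
  const flagged = thirdParty.filter(h => KNOWN_TRACKER_HOSTS.includes(h));
  return { thirdParty, flagged };
}

// Constructed sample: a hospital appointment page with an embedded pixel.
// PIXEL_ID_PLACEHOLDER stands in for whatever identifier a real tag carries.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<noscript><img src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView" /></noscript>
<form action="/appointments/book"><input name="reason"></form>
</body></html>`;

console.log(auditThirdPartyResources(SAMPLE_HTML, 'hospital.example'));
```

On the constructed sample the audit reports two third-party hosts, both flagged. The first-party `/static/app.js` is resolved against `hospital.example` and dropped, which is why the page host must be passed in rather than guessed from the HTML.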
“This is a much closer example of where a HIPAA violation could have taken place,” Kibel said, adding that hospitals are responsible for patient data that passes through their websites.
Does HIPAA have a role to play in a post-Roe v. Wade world?
The recent reversal of Roe v. Wade is also putting a lot of pressure on internet giants to take extra steps to protect customer data.
Google, for example, promised to delete location data related to sensitive medical facilities after the decision was reversed.
By contrast, data broker SafeGraph was caught selling abortion clinic attendance data before cracking under political pressure and stopping sales of such data in the spring (a month before the SCOTUS ruling).
But will HIPAA fully protect people from the collection of data or the subsequent use of that data against them, especially when it comes to health information related to abortion care?
Unfortunately, the answer is that HIPAA is too narrow to provide this scope of protection.
Sensitive health data can be collected or disclosed by dozens of uncovered entities, from location data providers to retail media companies. And these companies are not restricted from sharing data, unless the data comes from a covered entity.
Regardless of Google’s commitment, if a woman using a fertility tracking app, for example, turns on her location tracking when she visits an abortion clinic, that data isn’t covered by HIPAA.
Nor is HIPAA able to prevent data from being shared with law enforcement investigating a crime, Kibel said. Covered entities must comply with court orders and subpoenas.
What happens inside a doctor’s office stays inside the doctor’s office, but beyond that is beyond the control of HIPAA.
For now, the use of health data in advertising is still not a matter of standardized legal compliance, but rather a matter of ethics and sensitivity towards people’s privacy.