How to Keep PHI Out of Digital Targeting Experience Personalization

November 1, 2016 | John Berndt

PHI, A Trap for Digital Marketing

Healthcare is highly regulated, and Protected Health Information (PHI)—the information that medical institutions, insurers, billing systems, researchers, doctors, and nurses may know about your health—is extensively regulated, as it should be, by HIPAA (the “Health Insurance Portability and Accountability Act” of 1996), to protect the privacy of patients and potential patients. In healthcare marketing, PHI is like a highly radioactive material in the real world (think Cesium-137): not only do you need to keep it seriously at arm’s length, you need to keep it inside a thick lead box. A simple way to understand the principle is that an organization can’t remarket, personalize, or otherwise message to me because it knows I have ever had diabetes, because I made an appointment to see a doctor and indicated diabetes as the issue at hand, or because I made an appointment with a diabetes specialist. All of that, and pretty much anything like it, is expressly forbidden in order to protect the patient’s privacy, and severe consequences await those who don’t take it seriously. The rule is to keep PHI rigorously out of your marketing and targeting.

But that is hardly the end of the discussion. Being rightly afraid of making mistakes with regard to PHI, healthcare organizations are often unable to find the boundary between PHI and non-PHI, and extend the protected status of PHI to all manner of information about individuals that never originated in the PHI-protected zone of medical interactions with patients. Further, many organizations have I.T. or I.S. departments that are (correctly) very focused on data governance (what data lives where and can be accessed by whom), but in the course of that, their staff double down on PHI concerns, sometimes extending them to anything that could ever be mistaken for PHI by anyone or could ever be mistakenly mixed with PHI, and relegate all sorts of non-HIPAA data and interactions to the rigid world of medical portals. While this is perhaps an understandable reticence on their part, it is a major problem, since much of what is needed to provide a first-class digital experience to potential patients, and to market in a competitive landscape, will not work without that sort of information.

Being (understandably) seriously risk averse, healthcare entities cast the ominous shadow of PHI onto all sorts of information that has nothing to do with PHI but which, without critical thought, could be mistaken for PHI, such as information about what a user has looked at on a website that possibly indicates their health interests, or which free information sessions a potential patient has registered for. These and many similar elements that occur outside true medical interactions DO say something about the user’s intentions, as a member of the general public, but they are not PHI. In fact, these elements and types of information are fine to use for the purposes of remarketing and targeting, and are not regulated by HIPAA at all, even though they might sound scary to risk managers of all stripes and to those who want to protect patient privacy.

What Isn’t PHI

Why ISN’T that data considered PHI? What is missing to make it PHI is that the interaction that provided the information about user interests and intentions did not occur within a true medical interaction in the first place! To be clear, even if someone is already a patient of the institution, plenty of potential interactions can occur with that person in a public space that are not privileged medical interactions and therefore, not PHI.

For instance, someone who is a patient of the neurology department can browse a specific set of neurological conditions, and that can become a part of their profile for the purposes of personalization and targeting. If those interactions were to happen within a secure form in which the patient selected conditions to discuss with a healthcare provider, it would be a totally different matter. In the first case, the interaction is something that happens in a public space, outside the bounds of privileged interaction, and is the sort of activity that anyone could take part in; in the second, it is clearly tied to a privileged interaction, which puts it in a radically different category.


We essentially have two profiles of a particular individual that cannot ever touch, or at the very least, information from the PHI side cannot ever enter into the non-PHI side, without breaking the law. These two profiles may at times overlap and indicate many of the same things (for coincidental or common sense reasons) but have totally segregated careers and uses—and different statuses. The non-PHI profile information can be safely used to personalize websites, retarget, send emails, provide special offers or content, and the like, and the fact that it may include personal contact information about a user along with healthcare interests and the like, though it may look like PHI, in no way actually makes it PHI. But the moment one field of data is moved from the EMR or from a submitted secure appointment form into that profile—blammo!—it is contaminated with PHI, and it now cannot be used for marketing.

To put a fine point on it: seen from one angle this is counterintuitive, but the law is like that (because its function is to rigidly generalize clear domains from the deeply complex and enmeshed cases of reality). It is counterintuitive that an organization could have two profiles of a person—both indicating that they might be a candidate for, say, bariatric surgery—and one would be OK to market with while the other would not. After all, isn’t it the same person, and doesn’t the institution at some level know they are interested in bariatric surgery, and isn’t that protected information? How can one act on that information without it being essentially the same information as what is held in the non-PHI database?

The Formal Flow of Information

The answer is that HIPAA formally treats the information gathered in privileged healthcare interactions like specially tagged atoms moving through a series of interactions. As long as those tagged atoms don’t touch atoms of information created from non-privileged interactions, the two can coincidentally say the same sorts of things about a user, and the non-privileged information remains OK to use for all sorts of marketing and targeting purposes. Common sense dictates that at some level all the information an institution knows about a user would be reconciled together; HIPAA says, explicitly, that you can’t do that, which benefits marketers, as it leaves a large number of indicators of the healthcare interests of patients and potential patients fair game for marketing.

Welcome to the Real World

Many institutions don’t comfortably get these distinctions, and often make one of two mistakes:

  1. Clamping down on anything that even looks like PHI before it can get started, even if it is data culled about a person from public, non-privileged interactions, because of fear it may be secretly PHI, or, less commonly,
  2. Using information from billing systems or EMR to build profiles that are mistakenly used for marketing. We say less commonly, because the whole industry is on high alert, and it is more common for the pendulum to swing too hard the other way (mistaking benign information for PHI) than for marketers to gain access to privileged information.

For that reason, the CRM vendors TBG works with in healthcare are very clear about the boundary of PHI and keeping it out of their systems, to make them safe for marketing uses, and likewise, we take many precautions to make sure our work in systems that profile and automate marketing to users (like Sitecore) is PHI-free. We spend considerable time getting buy-in to these approaches, making sure our clients understand where the boundaries actually are, and what can and cannot be done. These issues also intensify where data governance issues overlay, as in the case of cloud-hosted services (Sitecore’s xDB or Salesforce Marketing Cloud come to mind), which may raise eyebrows with healthcare I.T. or I.S. departments because they are hosted in the cloud. However, once security concerns are put to rest, the concerns over PHI and HIPAA are unfounded, since that data never touches these cloud-based marketing systems.

Are there any areas of ambiguity? Some exist, but in our experience they are relatively few and far between. To some extent, they come down to judgement calls by specific organizations about edge cases. To give a simple example: an anonymous person comes to the site and converts via a make-an-appointment form, and a record is captured in a marketing system indicating that for that user (with their name and email address) some kind of conversion has occurred, but without any details of what sort of form was filled out. This might feed into remarketing, identifying the user as someone who is at least minimally engaged with the organization, but revealing nothing about the details of that engagement.
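The “tagged atoms” model above, and the appointment-form edge case just described, can both be enforced mechanically by tagging every fact about a person with its origin and refusing to let a privileged-origin fact into the marketing profile. The following is an added illustration, not TBG’s, Sitecore’s or any vendor’s code; the names (`Source`, `Attribute`, `MarketingProfile`, `record_conversion`) and the sample data are constructed for the example, and tagging the bare “a conversion happened” event as non-privileged reflects the judgement call the post describes, not a rule from the post.

```python
"""Provenance-tagged profile attributes: a toy model of the PHI boundary.

Added example (hypothetical names). Every fact about a person carries the
source it came from; the marketing profile rejects, all-or-nothing, any batch
containing a privileged-origin fact, so one EMR or secure-form field can
never contaminate the non-PHI profile.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List


class Source(Enum):
    """Where a piece of information about a person originated."""
    PUBLIC_WEB = "public_web"   # site browsing, info-session signup, email opt-in
    PRIVILEGED = "privileged"   # EMR, billing, secure appointment or intake forms


class PHIBoundaryViolation(Exception):
    """Raised when privileged-origin data would enter a marketing profile."""


@dataclass(frozen=True)
class Attribute:
    """One fact about a person, permanently tagged with its origin."""
    name: str
    value: str
    source: Source


@dataclass
class MarketingProfile:
    """The non-PHI profile: may hold contact details and health *interests*
    gathered in public, but never an attribute whose source is privileged."""
    email: str
    attributes: List[Attribute] = field(default_factory=list)

    def merge(self, incoming: Iterable[Attribute]) -> None:
        """All-or-nothing merge: check the whole batch before storing any of
        it, so a mixed batch cannot slip a tagged field into the profile."""
        batch = list(incoming)
        tainted = [a for a in batch if a.source is Source.PRIVILEGED]
        if tainted:
            names = ", ".join(a.name for a in tainted)
            raise PHIBoundaryViolation(f"refusing privileged-origin fields: {names}")
        self.attributes.extend(batch)

    def interests(self) -> List[str]:
        """Health interests usable for personalization and remarketing."""
        return [a.value for a in self.attributes if a.name == "interest"]


def record_conversion(profile: MarketingProfile, secure_form: Dict[str, str]) -> Attribute:
    """The appointment-form edge case: the form's contents stay on the
    privileged side; the marketing system learns only that *a* conversion
    occurred. No field of secure_form is read, so no form type, specialty
    or reason can leak into the profile (the form is accepted only to make
    that explicit)."""
    event = Attribute(name="converted", value="true", source=Source.PUBLIC_WEB)
    profile.merge([event])
    return event


def build_demo():
    """Constructed sample: one visitor seen on the public site and in the EMR.
    Returns the profile and whether the EMR merge was blocked."""
    profile = MarketingProfile(email="visitor@example.com")
    profile.merge([
        # browsed bariatric-surgery service pages: public, fine to use
        Attribute("interest", "bariatric-surgery", Source.PUBLIC_WEB),
        # registered for a free information session: public, fine to use
        Attribute("event", "info-session-2016-11", Source.PUBLIC_WEB),
    ])
    # one field pulled from the EMR (constructed value): must be refused
    emr_fields = [Attribute("diagnosis", "example-diagnosis", Source.PRIVILEGED)]
    try:
        profile.merge(emr_fields)
        blocked = False
    except PHIBoundaryViolation:
        blocked = True
    return profile, blocked


if __name__ == "__main__":
    p, was_blocked = build_demo()
    print("EMR merge blocked:", was_blocked)
    print("usable interests:", p.interests())
```

Because the origin tag travels with each attribute rather than living in a separate access-control list, the check works the same whether the data arrives from a CRM import, a web-analytics feed, or a hand-written integration, which is the property that makes the two profiles safe to keep in different systems.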

About the Author

John Berndt

I'm CEO of TBG and I've been thinking about the Web in creative ways since the year it began.
