Pixel Trackers & HIPAA Compliance in 2023: Where to Begin?

May 24, 2023 12:00 PM1:00 PM EST

Request The Full Recording

Key Discussion Takeaways:

In the wake of OCR’s (Office of Civil Rights) bulletin surrounding tracking technology to market healthcare, IP addresses are considered PHI (protected health information). Consequently, healthcare organizations are prohibited from utilizing pixel tracking. How can you navigate HIPAA regulations to provide personalized health information for consumers?

Traditionally, healthcare companies have used Google Analytics to collect and evaluate consumer data for customized recommendations. But this tool is no longer HIPAA compliant, so you must consider alternative tools like Freshpaint and cloud-based solutions. However, it’s critical to assess the legal risks surrounding these tools, which involve de-identifying data to remove sensitive information from your tech stack.

In this virtual event, Aaron Conant talks with Tom Swanson of Adobe, Amanda Todorovich of Cleveland Clinic, and Tom Hileman of Global Prairie about approaching data analytics amid new HIPAA requirements. Together, they explain how pixel-tracking regulations affect healthcare companies, the risks and benefits of HIPAA-compliant tools, and how to assess the emerging legal risks of healthcare marketing. 

Here’s a glimpse of what you’ll learn:

  • Key takeaways from the OCR’s (Office of Civil Rights) bulletin on pixel-tracking 
  • The impact of pixel-tracking regulations on healthcare companies
  • HIPAA-compliant alternatives to Google Analytics: risks and benefits
  • How healthcare marketers can navigate HIPAA compliance
  • Assessing emerging legal risks of healthcare marketing
  • Cloud-based solutions for data analytics
  • Differentiating between data obfuscation and de-identification 
Request The Full Recording

Event Partners

Global Prairie

Global Prairie delivers transformational branding, marketing and digital solutions through the lens of an organization’s unique purpose. Bringing together industry leading strategy, creativity and technology expertise, we generate measurable business and social impact for our clients, their stakeholders and the world.

Connect with Global Prairie

Guest Speaker

Aaron Conant LinkedIn

Co-Founder & Managing Director at BWG Connect

Aaron Conant is Co-Founder and Chief Digital Strategist at BWG Connect, a networking and knowledge sharing group of thousands of brands who collectively grow their digital knowledge base and collaborate on partner selection. Speaking 1x1 with over 1200 brands a year and hosting over 250 in-person and virtual events, he has a real time pulse on the newest trends, strategies and partners shaping growth in the digital space.

Tom Swanson LinkedIn

Head of Health & Life Sciences Industry at Adobe

Tom Swanson is the Head of Health & Life Sciences Industry for Health & Life Sciences at Adobe. As a healthcare expert and executive, he has over 20 years of experience in digital ecosystems. Before Adobe, Tom was the Senior Manager of Marketing Technology Platforms at Medtronic and the Director of Business Development for New Products at Media New Group Interactive.

Amanda Todorovich LinkedIn

Executive Director Digital Marketing at Cleveland Clinic

Amanda Todorovich is the Executive Director of Digital Marketing at Cleveland Clinic, where she is responsible for growing the medical center to one of the top 40 most visited websites. She was inducted into the Healthcare Internet Hall of Fame in 2019 and named Content Marketer of the Year in 2016. As a digital marketing and social media thought leader, Amanda has over 20 years of storytelling experience and specializes in data-driven marketing and communications in healthcare.

Tom Hileman LinkedIn

Managing Partner, Digital at Global Prairie

Tom Hileman is the Managing Partner of Digital at Global Prairie, an award-winning digital marketing agency that delivers high-touch, data-driven marketing solutions for leading healthcare organizations nationwide. With more than 25 years of multi-industry experience, he leverages strategic insights, measurable engagement tactics and technology to drive business growth and success. Tom has spoken at HCIC, HMPS, World Congress, SHSMD, Adobe, and other healthcare and technology events.

Event Moderator

Aaron Conant LinkedIn

Co-Founder & Managing Director at BWG Connect

Aaron Conant is Co-Founder and Chief Digital Strategist at BWG Connect, a networking and knowledge sharing group of thousands of brands who collectively grow their digital knowledge base and collaborate on partner selection. Speaking 1x1 with over 1200 brands a year and hosting over 250 in-person and virtual events, he has a real time pulse on the newest trends, strategies and partners shaping growth in the digital space.

Tom Swanson LinkedIn

Head of Health & Life Sciences Industry at Adobe

Tom Swanson is the Head of Health & Life Sciences Industry for Health & Life Sciences at Adobe. As a healthcare expert and executive, he has over 20 years of experience in digital ecosystems. Before Adobe, Tom was the Senior Manager of Marketing Technology Platforms at Medtronic and the Director of Business Development for New Products at Media New Group Interactive.

Amanda Todorovich LinkedIn

Executive Director Digital Marketing at Cleveland Clinic

Amanda Todorovich is the Executive Director of Digital Marketing at Cleveland Clinic, where she is responsible for growing the medical center to one of the top 40 most visited websites. She was inducted into the Healthcare Internet Hall of Fame in 2019 and named Content Marketer of the Year in 2016. As a digital marketing and social media thought leader, Amanda has over 20 years of storytelling experience and specializes in data-driven marketing and communications in healthcare.

Tom Hileman LinkedIn

Managing Partner, Digital at Global Prairie

Tom Hileman is the Managing Partner of Digital at Global Prairie, an award-winning digital marketing agency that delivers high-touch, data-driven marketing solutions for leading healthcare organizations nationwide. With more than 25 years of multi-industry experience, he leverages strategic insights, measurable engagement tactics and technology to drive business growth and success. Tom has spoken at HCIC, HMPS, World Congress, SHSMD, Adobe, and other healthcare and technology events.

Request the Full Recording

Please enter your information to request a copy of the post-event written summary or recording!

Need help with something else?

Aaron Conant

Co-Founder & Managing Director at BWG Connect


BWG Connect provides executive strategy & networking sessions that help brands from any industry with their overall business planning and execution.

Co-Founder & Managing Director Aaron Conant runs the group & connects with dozens of brand executives every week, always for free.


Schedule a free consultation call

Discussion Transcription

Aaron Conant  0:18  

Happy Wednesday, everybody. My name is Aaron Conant. I'm the co founder and chief digital strategist here at BWG. Connect. We're a giant networking and knowledge sharing group of 1000s of organizations. And we spend a lot of our time just talking to different organizations around, Hey, what are the biggest pain points trends that you're trying to solve for as a whole, when the same topics come up over and over again, we also know that like this, a couple of things we'd like to do is make them highly interactive, as you have questions. If you have questions along the way, drop them in the chat, drop them in the q&a, we're gonna try to get as many answered as possible. This is a very interesting one new one that I don't know if we're gonna get to all of them, but we're gonna certainly try. But we've got some great friends, partners, supporters of the network that we've asked to kind of jump on here and help participate in the conversation and just lend some knowledge across the board. And so today's topic, pixel trackers, HIPAA compliance, and 2023, where to begin. So it's going to be super fun conversation. But, you know, Tom Hileman, I'm going to kick it over to you first, if you want to do a brief intro on yourself and the organization. That'd be fantastic. Then we'll kick it to Amanda, then Tom Swanson. And we can jump into the conversation. Does that sound good?

 

Tom Hileman  1:24  

Sounds great. Thanks, Aaron. I'm excited to talk about today. I know it'd be a lot of specific questions in this. It's literally every one of our clients is asking these questions. So Tom Hileman Managing Partner of digital Global Prairie, we work with health systems, providers, and payers and help them communicate with patients and the physicians channels. So, Amanda, I'll hand it to you.

 

Amanda Todorovich  1:47  

Hi, I'm Amanda Todorovich. I'm the executive director of digital marketing, Cleveland Clinic lead a team of about 100 people responsible for pretty much everything digital in marketing.

 

Tom Swanson  1:58  

And I am Tom Swanson, head of Strategy and marketing for healthcare and life sciences here at Adobe. Many of you might actually be surprised, right, that Adobe has a healthcare life sciences team. You know, it's actually kind of the fastest growing marketplace, you know, for Adobe, because I think, as everyone on this panel would have passed, or I mean, we've seen profound changes the changes in the industry, as we've kind of moved into what I'm calling the golden age of consumerism, right in, in health care post pandemic, right. So I think this topic, again, like Tom said, is one that we get asked all the time, and so I'm very excited, right to be able to actually participate in this panel discussion with these very smart people. So as we kick this off,

 

Aaron Conant  2:51  

you know, a lot of times we don't do a presentation on these, it's just a great conversation. But this is so new, and there's so many nuances. You know, Tom, I'm going to kick it over to you just to kind of rattle through a few slides on this to kind of set the framework for the conversation as a whole. If that works for you, that would be great. Thanks for putting those together. I think it's going to be incredibly meaningful to the conversation today.

 

Tom Hileman  3:16  

No problem. Happy to just, we'll be real quick. We want to get to the conversations with Amanda and, and Tom and Aaron, but thought would frame it. So Aaron isn't showing up? Okay. Yes, it is. Yep. So we thought a little history would be helpful just for everyone. So back in June of 22, there was a report from the top 100 health systems that 33 of them were using the meta pixel tracking. And then with that, in December 22, when it came, the part that changed a lot of our lives, is the OCR, the Office of Civil Rights, issued a new bulletin, we're going to talk about that in a little bit. Talking about online tracking technology, and it's extremely broad, basing IP, one of the key things being IP addresses being pH i, which of course impacts a lot of the tracking that we do. And of course, the beginning of this year, health systems and Amanda will talk about Cleveland Clinic but across the board are looking at ways is how do they address the OCR bulletin and how do they maintain compliance while still providing tracking and the best experience that we can for our patients? So that's a little of the history of the next patient. So a couple of the key takeaways from the bulletin. One, their stance is pretty clear. The regulated entities are not permitted use tracking technology around the HIPAA rules. So in the disclosure of pH I via tracking is the primary issue that's highlighted and they essentially call with ai ai individually identifiable health information, such as email address IP address connected to that is pH I And that with with that said, we have to handle it just like we would any other item that's PHSI. So the big part is the third bullet, even if the individual does not have an existing relationship with the entity. So essentially, even trafficking across a website where you may just be browsing for health information for a seventh grade, seventh grader for a report, essentially, in there's no health, there's no relationship with the EMR or no even visiting of that they're considering that part of PHSI. So really broad context. So the three main directives that we'll talk about today, one, everything we do has to be the minimum psi necessary to achieve our goals, to if we're going to information is gonna be shared, there has to be a business associates agreement in place with those vendors or partners. And that's a real sticking point, because certain large vendors, and I will name the guilty here, meta, and Google and HubSpot, and many others in Google Analytics being one of the keys that literally nearly every website in the US uses, they will not sign Bas, so that leaves you to option three, well, that leads you to have to have an individual consent to that, to sharing that information if it's going to be and then finally, there's no private the breach notifications. And there's no privacy disclose be the ESA bhi, without event without a BA in place. So really, it puts us in a tough spot as marketers. And finally in our wrap up. So we want to get to the conversation. But we're seeing with our work across health systems throughout the US, we're seeing essentially six approaches here. Now there's little variations that can be some folks are doing scorched earth and removing all tracking from their sites. So that's the kind of option one second one is utilize existing tools, but adapt the settings to limit your exposure and risk separating perhaps patient pages from other pages. And that middlewares another option that you can do to kind of de identify self hosting with only VA providers in the stack so that you can minimize that. And then finally, some people are just going naked, as they say and as us lay utilizing the tools as is and just incurring the risk. So there's kind of a spectrum I'm sure we'll talk a lot about today. But Aaron, I'll pass it back to you to start the conversations.

 

Aaron Conant  7:31  

Yeah, I just want to jump into you know, you know, how is this affecting, you know, these healthcare organizations and their marketing teams in the mahr tech stacks? I think that's probably top of mind. There's some questions coming in here about third party cookies, about fresh pain, about Google Maps about YouTube, you know, embedded videos and everything else that comes on the page, but kind of high level, take it away, what do you our healthcare systems handling this?

 

Tom Hileman  8:03  

Amanda, I think it's a great place for you to start, I'm sure it's you make a lot of your time,

 

Amanda Todorovich  8:07  

every single day right now, it is honestly the most frustrating experience I've ever had in my career. Because of some of the points Tom made about the language about the policy being so broad, and extremely far reaching, right, when you have to treat every single visitor to your site as if they are a patient. It definitely limits what we're able to do. And when you have to really look at removing your analytics platforms. It's flying blind, right? I mean, we as marketers have built our teams to be incredibly sophisticated, really trying to drive some best experience with our website, give them the content they're looking for. And when you're not able to understand what that is, um, you know, it's kind of soul crushing as a marketer, to be honest. And yeah, we're all exploring these alternatives, looking at things like fresh paint, right? And what can we do that that is compliant. But at the end of the day, you know, I think the vast majority of things that are truly impacting my world the most, it all comes down to Google, to be honest, whether it's Google Analytics, or it's Google Ad Manager, or any, any of the tools that we use, it's truly impacting our ability to do business. You know, it's more than just marketing. And I just had this conversation with my cmo this morning, when we're not able to also share data with our providers about interest in services or, you know, what trends we're seeing. It affects operations, it affects our ability to deliver service. And it's, it's excruciatingly challenging to educate, legal and make people understand the impact of this because it's not just about, you know, the website and marketing. It really is impacting the entire industry and our ability to serve patients and drive the right credible, trusted information that so many people need. I mean, just for example with us is 90% of our site traffic comes through Google search. So they're telling Google what's wrong with them before they ever do a thing on our site. So it's incredibly frustrating to then not be able to just build on that. And it's also, you know, the vast majority of our traffic is coming from geographies where we have no physical location, and these people will never be our patients. They are truly just information seekers. And so to limit our ability to help them, I think it's just incredibly frustrating and disappointing. You know, I think the new the letter from the HA this week gives me a little glimmer of hope. But but it is honestly an incredibly frustrating, disappointing place to be right now in our profession.

 

Tom Hileman  10:38  

And we're seeing it, I mean, literally, every one of our clients crossed we many academic medical centers and smaller health systems and regional ones, like literally they're everyone's revisit revisiting the stack, and what can we do and what can't we do, and specifically around Bas, which I know, I know, Tom, I'm sure you're gonna jump in here in a minute. But many event, many of the larger vendors don't provide bas to protect us now. Adobe does. So I'm sure Tom will talk about that in a minute. But I think we all need to just revisit our Mar tech stacks and think about who we want to do business with as well, when folks don't want to don't want to protect patient data. And I agree, Amanda, it is way overly broad, right. I mean, literally, an IP address, and Oklahoma hit going on diabetes page,

 

Amanda Todorovich  11:28  

address, just to be clear, and IP addresses a device, not a person. So to me, it's so ridiculous, counted as that when you could have a computer in your house to five different people are logging into and using

 

Tom Hileman  11:41  

or shares in the neighborhood or the library. Right. So but so I'm I guess from a, from a vendor perspective, or from a technology provider perspective, I guess, what do you see in?

 

Tom Swanson  11:49  

Well, I mean, Tom and Amanda, of course, we're seeing kind of the same level of concern and or frustration, right from the health systems. And the payer systems, right? That, that we work with, were essentially, every data point that's being collected, right, in order to help you understand your customers and help better serve your customers is essentially considered PHSI. Right at at this point. Now, from a strictly strictly colloquial point of view, right. Adobe's point of view, this is a good thing, right? For our platform, right? Because our platform, is HIPAA ready? And our analytics platform is HIPAA ready, and we will sign a baa, you know, for the analytics platform. So, you know, from the perspective of this guidance actually helps Adobe differentiate from the other analytics platforms that are out there. Right. And so, Tom, when you were laying out the context of kind of the six, or I'm confident there's even more right pathways that, you know, our customers are looking to address this, the examination of the staff, right, and making sure that you've got technology that can accommodate the new guidance, of course, is my first my first vote. But right, all of that understood, right, even for our customers, right, that are using our legacy analytics platform, and have not migrated to the the HIPAA compliant platform. This is a this is a significant issue. Right, in terms of how do we utilize, right, the data that we've got, right, in a compliant manner? without investing, right, in a new in a new platform?

 

Amanda Todorovich  13:47  

Well, that's the challenge, right? It's extremely expensive, none of the stuff is free. And most of us spent years investing in the platforms we currently use. And so there's also this crazy burden on all of us to figure out the impact on our budget at a time when the industry is suffering financially, anyway, and still trying to recover from COVID. Like it's a really an unintended consequence, I think of what OCR put out. But it's reality for all of us. Right. Like, there's nothing that we can do to solve this problem. That's free.

 

Tom Swanson  14:14  

Right? No, that's free. Absolutely. Amanda, you're spot on. Right. And I think, I think one of the things, Tom, that you hit on, right, when you were setting the context, I mean, of course, you've got to have that be a place where if you're going to collect and use PHSI, like one of the things that is not being taken into consideration is the patient or the consumer demands, right, and the consumer expectations, right, the notion of consent, right in the fact that technology actually gives you a robust ability to, to, to manage identity, right and then manage consent. attached to identity, and even manage consent in a very fluid way, right. So that because consent can change, right based on circumstances based on based on changes in opinions based on, you know, the specific application or program that it's that it's being applied to write and to have this kind of broad, universally, like all of this data now will be considered or treated exactly the same, I think is a significant step backwards from, right the consumer mentality or the consumer approach that has taken hold in health care post pandemic, and a step backwards in terms of recognizing that there's robust technology out there that can actually manage all of this. Right, if if it's being done correctly.

 

Tom Hileman  15:55  

Mean, Amazon and Netflix, two examples wouldn't be able to do what they do. Right. Like so essentially, we've we've handcuffed marketers, healthcare marketers, I should maybe I should be more I should be more specific on that, specifically that within so yeah, it's a very frustrating time. I think, as Amanda said, what we have to do, though, is navigate our way through, and what I was hoping what those kind of six different options I threw out, there's a myriad more likely, but really, there's, there's there's a few, there's a few ways to attack the problem. So but here, I'm guessing we have a few questions coming in here on

 

Aaron Conant  16:29  

Yeah, yeah, there's a few here. The first one is, you know, what, what does the panel feel about fresh paint? And then what is fresh paint? It was mentioned a couple of times. And so I don't know if you know, everybody wants to share. But if you want to jump in and try like, what is fresh paint? And then

 

Tom Hileman  16:45  

yeah, I can take it Amanda, I know you've looked at it, I'm sure Tom, you're familiar with it. But fresh paints are there's so there's a variety of solutions out there, they fall in a few different areas. One, they're like Adobe analytics is essentially Google Analytics better. But being with a BA, right. So there's, there's a whole bunch of people in that space, that are that that are building, HIPAA compliant with VA, but with the goalie side of VA, that are Google Analytics replacements, then there's some who also add in user experience tools, I call them UX tools. So think hot jar and Clicktale today, but you're not BAA compliant. But some of the other vendors keep and whatnot are pulling together where they combine analytics and UX together, fresh paints a little different fresh paints more of a middleware. And it does do analytics as well. But essentially, it will take Google Analytics data, or outputs, and insight outputs and essentially deidentified anonymize the data so that the third party Google in this in this example, doesn't get pH I data. So basically tokenizing the data as it goes through, so So fresh paints a little different than the other ones. In there's other middleware as well. And I want to make fresh paint the only one, but they're essentially a middleware with analytics, where some of the other solutions are replacements completely for Google Analytics. Through that process, so I know, Amanda, and, Tom, if I summarize that, alright, or,

 

Amanda Todorovich  18:12  

and I think, you know, for most of us that have been using Google Analytics, it's an enticing option, because you can continue to keep your historical data and understand apples to apples. So you know, there's a lot of us talking about it, looking at it, the lawyers are talking about it and looking at it, because, you know, they say they're HIPAA compliant. They have their own VA, I will tell you right now, our lawyers are like, Absolutely not, they need to sign our Baa. And so anyone that we're looking at, we're also just to be transparent about it. We're exploring all these tools, looking at all these things. We have, you know, meetings and demos and all of that setup and have the lawyers involved in vetting them. heep is the other one, but it's very different. Like you said, it's a it's a different approach. We were meeting with Adobe, we're having all these conversations and trying to just understand the best step forward. But to be honest, there's so many factors and considerations that go into it, right? Costs, obviously a big one. But then also, again, depending on what you're doing, and how sophisticated you are with what you're measuring, and how it ultimately impacts the not just the cost of the analytics, but the cost of all your other marketing tactics as you lose efficiencies is a very real problem. And so it's complicated. You know, there's the legalities, there's the costs and then there's the actual impact on what you can measure and how you can do business.

 

Tom Swanson  19:27  

Yeah, Tom, I thought your your summation was was spot on. Right. And I think it raises a bigger issue, right, you're gonna see kind of a common thread in my point of view are my opinions here is making sure that we're doing what is right for the consumer or the patient or the the plan member right now, holistically use the term customer consumer, because of the kind of consumer like behaviors and expectations that we're seeing throughout the the healthcare industry now, right if you're using middleware or using things like fresh paint, to do that D identification, right one, D identification, while it can be effective also has inherent risks, right? Because there's like 18 different data points that need to be de identified in order to remember to render pH, I no longer pH i. The question then is, what value is the data in terms of analytics, right? If you done this D identification across 18 different data points that you've collected, right? And can you actually give your customers what it is that they're looking for what they're expecting in terms of personalization of content? If you're D, identifying all of your data, right, so I totally get where Amanda's coming from in terms of the frustration, right? Because the downstream impacts of this are profound, right? Because your customers are telling you one thing, right, your patients are telling you, I know, you've got data on me. And I know, you, you know, and I want you to use that data, to provide me the most information and to provide me the best value and the most personalized coverage and care that you that you possibly can. Right. And now you've got a government entity, basically saying, I don't care what the customer says, right? We're going to kind of render your ability to give the customer what they're looking for. Impossible, right? Without making significant changes, right to the tool set that you're using. And so yeah, again, right Adobe's got kind of a dual perspective, right? Good thing for us, right? Because we've got the tools that can actually help you do this ad thing, right, for those that are kind of scrambling in order to figure out how do you keep meeting the needs and expectations of your customers? without blowing up your technology budgets?

 

Amanda Todorovich  22:03  

Yeah, isn't the only thing and I know, I saw a question come in about GTM as well. You know, it's also the advertising side of it, the paid activities that we're doing your paid search, and how you're tracking how you're optimizing campaigns are affected. I mean, it's so much of what we do. As marketers, I know, we've focused a lot on the analytics side of this. But there's so much more than that. And in for us, in particular, and there's really only one other health system that I know of that does this, but we also run advertising on our website today. And the way that that works, we can't do that it's going to ultimately cost us a lot of money. And we're in revenue. So this is, it's bigger than just there's metrics.

 

Tom Hileman  22:44  

Yeah, no, you're right. I mean, we talk about GA a lot, because it's so ubiquitous, that everyone has it, right. So literally every I think every marketer in the world has been trained on GA. So they think it's time for us to analyze that assumption for a minute and see if that's the right answer long term here. But I think one of the risks on the middleware side of things is, is going to rely heavily on configuration. So Tommy, you mentioned that we have to Mathis points, but I think from a legal and compliance perspective, when the questions that the the attorneys always ask about is you can make it work, but how do you prove it? Right? So and there's configuration when you add middleware that you have to configure what data you're ingesting and passing along. So as we listed those options, I know went through pretty quickly on the screen and happy to share afterwards if people are interested. But that there's risks inherent in the implementation of those, right. So the other thing to point

 

Amanda Todorovich  23:39  

out, though, too, is what OCR put out, there's not like dates on it. It's not like, you know, and I think everyone's kind of at a point now where it's been six months, lots of conversation about compliance, and are you compliant? And what does that mean? And what what is the risk? Right? What could be the fine? What could be the consequence? If you're not compliant? And and when do you have to be fully compliant? Right? So all of us are in this weird, murky water of trying to navigate? How quickly to act? And and what does that ultimately mean? Right? Like if you if you go completely dark on everything, which is a point in time, where a lot of us are at, for how long? And what is this going to mean as you navigate through picking a new tool and the evaluation of those tools, not only through our legal teams, but supply chain and it and all the steps and all the hurdles that we have to go through in our systems to enable a new tool or a new platform are the learning curve that comes with that for the entire department and team? You know, I just feel like there's so much to this issue that is impacting us in so many ways. It is it is unreal. Yeah, for sure.

 

Aaron Conant  24:45  

I mean, there's a question. Yeah, please share the slides after the call. 100% Well, I'll share them with everybody just let us know. And if you want follow up conversations, of course with anybody on the panel, more than happy to make those as well.

 

Amanda Todorovich  24:57  

Put it out. That's funny. Yeah, the bulletin. That was also like a three month conversation. What does that mean? What's a bullet? They've never put it out like this before. It was so confusing. The way it's been handled by OCR, I think is just incredibly hard. The vagueness, the language the whole way. It's been positioned. It's so great. Well,

 

Aaron Conant  25:18  

so a couple things. Amanda, I'd like to hear how you handle the conversations with executive leadership. And then obviously, you know, Tom on your side, because you deal with so many organizations, you know, taking that and also, you know, pulling a couple threads of like, hey, there's just one way to do it. But there's five different conversations, because all leadership teams are different are at different stages of their digital educational journey. Amanda, how do you handle that? That right now upward? And then asking for budget on tools? You don't know if you can get or not? It's yeah,

 

Amanda Todorovich  25:48  

it's, it's hard. As I'm spending quite a lot of my time, I was actually in a meeting last night with chief digital officer, chief information officer or chief legal officer, chief marketing officer on this topic, and what do we do now? It is, all day every day, right? I'm is constant education of what we currently do, why we do it, what the impact would be if it went away tomorrow. You know, we've made baby steps. And we've done incremental things. I know, one of the approaches that Tom had on his site was around patient pages. But the reality is, if you're seriously considering every visitor to the site, a patient, then it doesn't matter. That's not a long term solution at all, it was an interim step, you know, and it's a constant assessment of risks, the conversation with leadership every single day is what's High, Low, medium risk. And what do we need to do right now, in this moment? How much time do we have to continue these evaluations? And how urgent is it to get some of these things pushed through and to make sure we have that support? Because this is outside of our control? This is not something we wanted or asked for? And it's, you know, it's no different than any other kind of clinical regulation. Right, we have to comply, and the cost of the institution is the cost of the institution. And, you know, I think that that's a horrible reality. But it's a place where I'm right.

 

Tom Hileman  27:01  

I mean, no one budget for this, right? I mean, we all well budgeted to have tools that we've purchased over history built up and implemented, right? And let alone just, it's not just the tool cost, that's actually probably the smaller part of it. It's all the implementation costs of moving all your tagging, and all the end dashboards and analytics, and all those pieces, right. So

 

Amanda Todorovich  27:20  

we all work with agencies and vendors and partners and people, you know, and it's not, it's not simple, and it's not a flip a switch, I've had to have so many conversations with the lawyers, like I can't make this happen tomorrow, like this, it's gonna take us time, and it's gonna have to roll out in phases. And that's why the conversation is constantly the high medium low risk, like, Okay, today, like, what, what's highest priority today? Because it is complicated, and it cuts across so much, and the teams that use the tools and use the platforms and engage, you know, with this data all the time, literally, the question is, where's like, how do I do my job? Now? You know, we have people who literally can't. And so how long do we just let them sit there and twiddle their thumbs until we get a new doll? Like the cost is so much greater than just the tool? For sure.

 

Tom Hileman  28:08  

So the conversation here, and that we usually have is a lot of education, because this is complicated, right? I think, Tom, we mentioned that if you run sometimes I'll run an analyzer on their website and show them how many different things are plugged into it. Right. So it's not just I mean, we talked about GA a lot, because obviously GA is the broadest one that literally everyone on this call probably has, right. But the UX tools, right, so you think about the hot jars, the click tails, the other variants of those kind of heat mapping and which we're trying to do better user experience that that's the goal, right? It's not, I mean, there's no nefarious goal. But there's also, and I will talk advertising about a pixel here in a little bit, right, versus this Caapi conversion API, but it cuts across all those pieces. And I think it'd be the question before about embedding videos and embedding, mapping. And by the way, your service desk, your service techs tools for helping support for that we used to track the website page loads, and and is it working? Those are also impacted by this because technically, they're pulling IP addresses. And that so it literally cuts across everything that you have in the script that comes out. That's to a third party does not with a BA, right. So like there's, there's a wide range. So and we spend a lot of time talking through all the details. And the executives, I warn me like you have to focus on the details here because this is going to be a very complicated discussion. There's just no way around it. And so fortunately, most executives and the compliance and legal they understand there's risk here and they're willing to sit and talk but it's a lot of fundamental education on how digital marketing works, to get them to a level that they can then understand what OCR means, and then what our options are to do about it. Are you

 

Aaron Conant  29:57  

do you like workshops then? Because

 

Tom Hileman  30:00  

the more they're more one offs can be candid, I'm assuming that's where you're gonna kind of go demand is like people are all clamoring to get the updates. So workshops would be great workshops will be a way to do it and in a broader sense, but most of mine have been one offer, or two or three people in a meeting where I'm trying to kind of walk folks through just because there's different kinds of knowledge and education about it and awareness, it also really

 

Amanda Todorovich  30:23  

depends on on your suite of, of tools and how complex what you're doing really is I like a system like ours is probably far, far stream on one end, you know, versus some others. So, you know, I think a lot of the conversation I've had to have with executives and legal is so detailed, providing all the use cases like Tom was talking about, it's all the tools we use and how we use them, and what data is shared with, what parties involved and do we have the BA or do we not have the BA will they sign one? Or will they not? I mean, the list is long for many of us and complex. But I think workshops around the this in general, and like what it means, I think, definitely have a place. And I'm glad we're having this conversation today. Because I know there's so many of us going through this together. I did see the question about GTA GTM versus meta pixel, I will tell you right now, we've never used the meta pixel. And it's one of the best decisions we've ever made. Thank goodness. But the Google Tag Manager is there for now, let me just say that, again, conversation every single day, but what we're doing and where we're headed next, you know, and again, that risk assessment, and I will say how and what is in GTM today is different and changing every day. So, you know, the assessment of the risk is evolving. But it's definitely we've never used the Met of Excel. And I'm really glad we're not on that list. Yeah.

 

Aaron Conant  31:48  

So you're more of a, an audit than a than a workshop, like just bring you in Tom and say, Hey, run an audit on everything and just give the executive leadership team. The quick rundown of how urgent and how important and how complicated it is. Because sometimes it's great to bring somebody in from the outside, right to sit down and say, Hey, everything they're saying is true. Right, everything they're saying it is this complicated, you are gonna see an impact on revenue, you know, anyways, just as I'm going through this, it's interesting. 

 

Tom Swanson 32:22

Hey, you know, Aaron, I have a question for my fellow panelists, Amanda and Tom, right, because Tom, one of the six kind of options or approaches, right, that you listed as, as potential is running naked, right, or not changing what you're doing? Right. And it begs the question, you know, Amanda, you said, this guidance has been in place for six months now. Right. And it's still kind of very quiet, right? We're all talking about it. But I'm just wondering, has anyone anywhere? And you know, this question can be for all of the audiences Well, who's policing this in terms of compliance? And have we heard right of anyone? Or any organization being policed on this? Or is it still very much, you know, something that we're all paying attention to, but, you know, nothing has actually been done to implement the guidance yet.

 

Amanda Todorovich  33:28  

The latest I've heard and this was just last night, is that OCR is starting inquiries with how systems they feel are non compliant. Okay, and they're starting to ask questions. Um, I think it's the six month mark, I think that nothing formal has been done. I think, though, if you see what's what's in the aaj letter, it points out the fact that we're all at risk for lawsuits. And I think that that's what we're most afraid of. Yeah, you know, because it, OCR, you know, enforcement of this is one thing, but then what it opens us up to, you know, to be liable for a violation of HIPAA is a whole nother thing. And I think that's really what's driving a lot of everyone's fears.

 

Tom Hileman  34:10  

You get the plaintiff's attorneys to me or the, the big, the big class actions, the bigger issues, right, but the megapixel ones, that's kind of where this started. Yep. And then so, and that's complicated. The dogs, the dogs

 

Amanda Todorovich  34:23  

thing really drove a lot of this too, right. I mean, the last thing anybody wants us to be subpoenaed for somebody's activity on your website related to anything that like, right. And so, you know, it kind of the timing of it is really interesting, as well, but how broadly they're gonna enforce and what they're really looking for.

 

Tom Swanson  34:41  

They'll TBD Yeah. Okay. That's what I thought as well. So thank you. I wanted to make sure I had the right perspective. Yeah, cuz I think fear of litigation, right. It has been a fundamental driver, right around I'm help the healthcare industry has used, right, all of the data that it has at its fingertips regardless of what the consumers are asking for. Right. So

 

Amanda Todorovich  35:12  

that high, medium low risk it's of litigation.

 

Tom Swanson  35:15  

It is. No, it is. Right. And I think I think Amanda, one of the things that's so frustrating is I think we as holistically as an industry, we're kind of starting to cross that line into utilizing the data, right? Because the technology has given us a safe or private and compliant way to use the data. And now suddenly, based on the guidance, right, we're kind of being forced back behind behind that line.

 

Amanda Todorovich  35:44  

I see the question about one trusts, I have experience with that, so I'll just talk about it for a quick second. Um, you know, Cookie management is one thing, HIPAA compliance is another. So opting in and consenting to things doesn't necessarily make it HIPAA compliant, I had this exact conversation last night was like, oh, we'll just put a cookie banner management thing across the whole website. Not enough, because I think it was time to pointed out earlier, you have to with HIPAA, you have to have expressed consent, and that consent can change. And so an opt in cookie manager, like one trust isn't going to cut it. So it still exposes you to certain types of risk.

 

Tom Swanson  36:24  

And Amanda, it's also the data that you ingest, right? And even if you're not storing it in a data lake, right, even if you're passing it through to a vendor, or vendors passing it through to you, and you don't actually store it, right for the time, right, that that data is actually in your system, it needs to be protected, right. And there's a lot of a whole debate that can go on as to what that protection looks like in terms of field level encryption, or, you know, data at rest versus data in transmission. But you actually have to protect that data according to HIPAA privacy and security rules, right? And so, the fact that your customer consents, right, or opts in to the use of the data, you actually on the back end have to do a lot to protect that data while you're using it. Right. And so that's why one trust is totally, totally, I mean, it doesn't bind job at the front end. But but you know, the health care organizations such as yours have to manage all of that data on the back end. And then police who has access to that data. Yeah, and

 

Amanda Todorovich  37:35  

we've used it more from the GDPR compliance side of things like you'll see a one trust banner on our London website. And so it serves that purpose. But again, GDPR and HIPAA are two different things. And the requirements are far greater. You know, I saw some other questions about GTM. And I'll just say this generally about Google, if you're using any Google product, you're probably a risk, because you're sharing something with Google. And that's the issue. And there's zero transparency about what Google does with the data that you give. Right? And they will not sign a BAA with anyone for any.

 

Tom Hileman  38:08  

Because they want to monetize them, they want to monetize the data, right.

 

Amanda Todorovich  38:11  

And it's also a stance, right? I, we work with publishing partners on other things, and, you know, signing a BAA at this point from from certain types of vendors with you is saying that, and agreeing with the fact that IP addresses pH i, and there's a lot of us who just feel really strongly that that's not the case. And so some of these companies who aren't governed by HIPAA who don't have to be compliant, don't want to take on that liability. They don't want to have to be compliant. Because why should that?

 

Tom Hileman  38:42  

Yeah. Now there's there's many, many sides to that. I also think one thing, one issue that's going to come back up now, Tom, I'd be interested in your perspective on this is self hosting versus cloud hosting. Because technically, where you put the data matters in this world a lot, right? So I think there was a mention in one of the questions about matomo or matomo. I always, I don't know exactly how to say it, but and the host thing. So it's an open source platform. And then it does, essentially an analytics type platform. But it's an at its core. It's it's very, they tout the security of it, and it's built for that purpose built for that. But they offer options of either on premises hosting or versus cloud hosting. And on premises hosting is really been going down in favor given the scale of Azure and Azure, AWS GCP, any of the big vendors, right, but I think, Tom, I'd be interested in your opinion, are we thinking about this the world of self hosting come back a bit, or are we doing private clouds or what are your What are your thoughts there? Because that's really where the doesn't does resident. There's a lot of where the one trust argument was going to right? Yes,

 

Tom Swanson  39:54  

well, and I Tom hope that self hosting or on prem really does not come back into vogue, right for a variety of reasons. And so Tom, I think it comes down to, again, willingness of the vendor or their provider to sign a BAA. Right. And so like AWS and Microsoft Azure, both claimed to be HIPAA compliant. And they will sign a BAA regarding data transmission and data storage, right. And meaning in complete transparency, Adobe utilizes Azure, right as our HIPAA compliant Cloud Platform. Right? So we are willing to sign a BAA predicated on the fact that, you know, we have a BA with Azure, right? That that protects us, such that the utilization of our tools in that cloud environment, right, it then protects our customers, right. So there's kind of like a BA, brain, right in that particular case. So I mean, I think there are good cloud based options. But again, you've got to have that vendor willing to sign the BAA. And we

 

Amanda Todorovich  41:13  

looked at matomo as well. And I will just say that it's a little complicated, because they're also headquartered overseas, which creates its own set of challenges.

 

Tom Hileman  41:24  

With many vendors in this space, right. So there's, where's the data? Where's the vendor from? I can settle in generally, I agree. And my advice to clients is, if we, if you're, if you're looking at Mar tech stack, and you have people who won't sign Bas, you have to ask yourself, Why am I willing to take that risk? And I think in most cases, the answer should be no, for a health system.

 

Amanda Todorovich  41:46  

Lawyers probably won't let you anyway. Yeah.

 

Tom Hileman  41:49  

So even if you wanted to, yeah, no. So I mean, but I mean, really, that's where it comes down to Tom, I think in the stack is I think, what one things that we're working on is coming up with a healthcare, our tech stack, but that's fully VA compliant. So pulling out all the pieces of things that we have risk and trying to build that model out. So it's up. But that's that's a big ask, because there's a lot of pieces to that, to that to the attack any organizations, Amanda's yours, yours is certainly very sophisticated. But even if we go to the smaller health systems, I mean, they have dozens of tools embedded in any website, if you run a built with or something on it. Like it's amazing. And none of its nefarious, by the way. It's all to try to help serve the patient better, I think, which is the most frustrating part of this is we're trying to do good and do well for our customers. It's not like we're meta or Google and trying to monetize the data, right? We're trying to better personalize the experience for our patients so we can get, as Tom mentioned, give them what they want with what we know. Right.

 

Aaron Conant  42:51  

There's a couple more questions that come in here. I want to make sure that we grab one is can you please share the HA letter? Amanda? Is that what you shared with us earlier? Can I share that link with everyone? Really?

 

Amanda Todorovich  43:01  

It's a public? It was just published on Monday. Okay,

 

Aaron Conant  43:06  

pick that out to everybody. And then the next one that comes up here, has anyone entertain the idea of suing OCR over the IP address matter? No, if we want to jump into that one, or or have an entire call on that one,

 

Tom Hileman  43:22  

it might have been I don't think we did very far. So

 

Aaron Conant  43:28  

there's a thank you for mentioning smaller systems is tough because of costs. But also, hello, my team has been advised not to de identified data because it can be re identified, therefore is not completely secure. You know, what are your thoughts or concern with this? Well?

 

Tom Hileman  43:47  

I'll take that good.

 

Tom Swanson  43:48  

Okay, I was gonna say that actually goes to the last question that came in as well. Right, which is around the idea of hashing. Right, or obfuscating the data? Right? And, and there's a difference between obfuscation of components of data points and then D identification of components of data points, right, where d identification means that that data is either a rogue physically removed right from the dataset and not just obscured, right as to who can see or read it. And I would argue that there's much greater risk in the obfuscation or hashing of data because yeah, the data is still there, right, which means it could potentially be you know, revealed right or it could be re identified. Screw D identification, right, according to the safe harbor rules means that that data is either a not collected, right and stripped out during the data collection process, or you have to physically go in Then remove that data from your your data set. Right. So I think there's less risk with the identification. Because essentially, the data isn't there. Right? It depends entirely upon how you're collecting it. And then you know how you're tagging that data is? Well, I can so I think the far greater risk is in the hashing or the obfuscation.

 

Tom Hileman  45:23  

Yeah. And I'll tack on just a little bit there, Tom. And it gets pretty technical pretty quick, because this is actually how most in transit data security works is one way hashes. So you have reversible and non reversible or one way, it's not reversible hash. So I won't get too far into the technical details. But it matters how you do it. Because to Tom's point, if we're obfuscating, but we can it's a, it's a reversible hash, then you can get the data back, someone can certainly your internal folks, most of this stuff would have to be one way hash. And then the sophistication of doing that gets pretty hard pretty fast. And if the need to be able to prove that you're doing that, well. So it's, it's a lot of G, it's a lot of squeeze, I don't know how much juice you get out of it, I guess would be my, my metaphor for that one. They can't be done. It's just it has to be technically very well implemented.

 

Tom Swanson  46:15  

So yeah. And then Tom, I would go back to something that we mentioned earlier, right, is when you start to begin, you know, whether you're hashing or starting to strip out data points, right? We're elements to the data. At what point do you reach that diminishing returns on the value of the analytics that you're doing, right, versus the effort that you're putting in, in order to do all of this D identification?

 

Tom Hileman  46:45  

I think there was a question about the smaller systems or comments and said, thanks. So for the smaller systems, if just to give a little bit of, of, I guess, free consulting here for a moment is I mean, obviously, we work with a lot of small systems, and they don't have the marketing budgets to undertake like a complete replatform for a lot of their main things. So the main thing would be to get a good grasp of what you all have. So run a built with or one of the tools that goes through your website identifies kind of everything that you're pointing to, you'll have a shorter list, but it won't be all that short. Because almost every website has just tons of different JavaScript hooks in there for things. But I would start through that, and then just prioritize the ones where you know, the there's the risk. And you've probably heard that from us today. Obviously, when it comes to Google and Facebook, one has to be very careful. And the megapixel shouldn't, in my opinion, should not be used anywhere ever. Now see the Caapi from meta is a different, different ball of wax, because you can control that. That's probably a half an hour session itself that comment, but you should really do a deep inspection on your site for get somebody who can help you with that, because it's that that's where your starting point is that assessment that Aaron mentioned, you got to know what you got to know what the what the risk profile is.

 

Aaron Conant  48:05  

Can we please discuss GTM server side tagging? Oh, I think we tackled that along with BA I think, do we tackle that one? Right? I'm trying to make sure we get to all these. Can you name some of the tools you use?

 

Tom Hileman  48:20  

Well, I'll say we don't endorse any vendor. I mean, Tom can endorse the Dhobi, of course. But in general, we give you the lamp, we give you the landscape of the tools. But I mean, it's it's a very individualized decision based on where you are today. Right. So what Amanda, Cleveland Clinic might use is probably remarkably different than what Mayo Clinic might use, right? It's depending on the history of what they have and whatnot, and specifically smaller systems. So I would say that the mean, we miss them matomo Adobe, there's P WIC fadem analytics are another one post hog he bio amplitude, fresh paint. There's a bunch of vendors out there that that claim to do this. And those are all ones that we I've seen and heard more about. I think you have to look at the sophistication of the software vendor. And then I also look at the trust profile. So if folks like Microsoft signs, Bas, Adobe signs bas. If people don't do that, then I think that's you got to that's got to be top of your list of how much do we trust who we're working with, for these pieces. So there's a whole there's a whole laundry list of them out there. But I can't give specific recommendations without obviously knowing more.

 

Aaron Conant  49:34  

Well then let me you know, let me get really quick time and then if you want to jump into like key takeaways as well. Tom Swanson. Always like to wrap up a few minutes early so people get to the next meeting without being late. We'd love to hear your thoughts and then some key takeaways and we'll kick it to Amanda and then Tom Hileman. And yeah,

 

Tom Swanson 49:54

absolutely. Or, you know, Tom to kind of just wrap up that topic, right because we talked about endorsing Adobe or the fact that Adobe will sign Bas, right? It's important to keep in mind that Adobe's willingness to sign Bas is actually relatively new. Right? It came with the release of our HIPAA ready software platform last summer, right prior to that we would not sign bas because we did not have a technological solution that actually adhered to the HIPAA rules. And we intentionally went out and redeveloped our platform specifically for healthcare and life sciences in order to meet those requirements, right, that would enable us to sign a BAA. So simply claiming right that you're HIPAA compliant and that you're willing to sign a BAA? I would recommend that you do a little homework, right? And see, is the willingness to sign that BAA something that came out since the guidance right was released? or have there been significant technological changes right to the platform in order to accommodate those those HIPAA rules? Right, I think, Aaron, the takeaway would be to, I don't know, as frustrating as it is, I would say, don't panic, right. And, and be as insightful and resourceful around kind of exploring the solutions for this, right. And, and make sure that the solutions, right that you're putting into place are not kind of knee jerk short term solutions. Because, you know, one of the things that if we know anything, is that this guidance will evolve, or it will change or new guidance will come out. Right. And so I would just recommend that you not do something to address kind of beat immediate short term, because you could be hamstringing yourself in the future. Awesome, Amanda. Key takeaways.

 

Amanda Todorovich  52:01  

Yeah, I mean, this is all consuming right now. And so if it's not for you, brace yourself, it's coming. Because this is heating up every day. And I think, you know, to Tom's point, being thoughtful and considerate of your options, and the alternatives to help you achieve the goals that you have, no matter what size your system is, is critical. And a lot of these tools are emerging, they're not they weren't necessarily established or prepared for this onslaught of need from this industry. And so vetting them thoroughly and carefully is really important. We've done a lot of that work over the last six months, and I'm having if anyone wants any of that knowledge, I'm happy to share it. Because like I said, we've we've dug into a lot of them, you know, and it's going to impact your team, it's going to impact your budget, it's going to impact your work, period, there's no way around it. Again, like I said, at the start, it's out of our control, we have to go with it and figure it out together as an industry, and whether you know, they respond to what he is doing or not. It's reality right now. Hopefully, like I said, that letter gives me a glimmer of hope that maybe they'll respond and change some things for us. But in the meantime, you know, you got to stay on top of it. And I would encourage anyone in this industry to start to follow this conversation if you're not already, because it's, it's, it's really starting to heat up and become very, very critical.

 

Tom Hileman  53:34  

Yeah, no, I mean, timing matters. Most all my points already. So I can keep this brief. But I think what I see, so I agree that there are going to be these, these guidelines are gonna be evolving. But I think what's not going to ever happen is where I don't think we're gonna go backwards. This is GDPR and CCPA. And some of the other pieces, we're going to be have more and more guidance and regulation about how and where we use data and our care of today. And I actually was joking. And I'm not joking anymore, that we do a campaign brief that data, data protection and how data manage should be in every campaign brief that we do in marketing now. Right? And literally, we should tie it back to what are we using? Why are we using it? And do we need to use all that? So I think as marketers, we have to address with a new world of trust. And to get that trust, we have to manage and care for data well, right. So my key takeaway is that that's going to be there. And then the second part of that is you start to have to really dig in and know what you have. So assess where you're at. And I think tom toms guidance is that don't be panicked, right? You are where you are today and you're not going to change it tomorrow. Not easily right. So you have to think about what's what's the right path and Strategy to get you moving forward and get guidance and as Amanda said, let's I mean definitely want to stay on top of the industry trends, these kinds of sessions and and find some some fun notes that you can work with you can help guide you through there just like the lawyers and the different things that are going on. So I want to thank my fellow panelists. It's been a great discussion a lot, a lot of fun on a not particularly fun topic, but it's been a great discussion. Thanks, Aaron.

 

Aaron Conant  55:14  

Yeah, well, thanks, Tom, for you know, all you do for the network. If anybody wants to file conversations with any of the panelists more than happy to make those connections if you need help in this space, obviously, Tom Hileman and Hileman Group are just crushing it. We're setting some follow up time with them. And with that, we're going to wrap up the very fun conversation. Thanks for all the great questions that came in and how interactive it was. Hope everybody has a fantastic Wednesday everybody take care, stay safe and look forward to having you at a future event. Alrighty, thanks again Tom. Tom, Amanda.

Read More
Read Less

What is BWG Connect?

BWG Connect provides executive strategy & networking sessions that help brands from any industry with their overall business planning and execution. BWG has built an exclusive network of 125,000+ senior professionals and hosts over 2,000 virtual and in-person networking events on an annual basis.
envelopephone-handsetcrossmenu linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram