Stripped PHI Creates 'Blind Spots' in Marketing

The common practice of stripping Protected Health Information (PHI) from datasets for safety and compliance creates significant blind spots in healthcare marketing. Analyst Colin Hung discussed how this de-identified data can cause marketers to lose crucial context. This challenge highlights a need for analytics solutions that can help reclaim context while respecting privacy, enabling more impactful messaging in enterprise sales.

- The HIPAA Privacy Rule provides two methods for de-identifying data: the "Safe Harbor" method and the "Expert Determination" method. The Safe Harbor method is the most used because it provides a clear checklist of 18 specific identifiers to remove from the data, making it easier to implement and audit.
- Identifiers that must be removed under the Safe Harbor method include direct identifiers like names, addresses, and social security numbers, as well as dates, contact information, and biometric identifiers. This process, while ensuring compliance, can also strip out valuable context for marketing analysis.
- Even with de-identification, the risk of re-identification can persist, especially with smaller or more complex datasets. Because of this, even de-identified data should be treated with care to avoid reputational damage and to align with patient expectations of privacy.
- Many common marketing and analytics tools, like Google Analytics, will not sign a Business Associate Agreement (BAA), which is a contract required under HIPAA to ensure that vendors handle PHI securely. This places the full compliance burden on the healthcare organization and limits the use of platforms that could receive PHI.
- The use of online tracking technologies, such as website cookies and pixels, can inadvertently collect PHI, even from users who are not logged in. In July 2023, the FTC and HHS jointly warned hospital systems about these risks, highlighting that even an IP address linked to a specific health-related query can be considered PHI.
- Emerging privacy-enhancing technologies (PETs) offer alternatives to simple data stripping. These include federated AI, which analyzes data where it is stored without centralizing it, and homomorphic encryption, which allows for computations on encrypted data.
- Some companies are developing privacy-safe solutions specifically for healthcare marketing. These platforms aim to enable targeted advertising and analytics by creating de-identified segments of patient populations or by using data masking and pseudonymization techniques, which can help in tracking a patient's journey across different datasets without revealing their identity.
- Penalties for HIPAA violations can be severe, with federal fines reaching up to $50,000 per violation. These financial risks, coupled with the potential for reputational damage and loss of patient trust, are driving the need for more sophisticated, privacy-preserving analytics in healthcare marketing.
