At 26 years previous, the Well being Insurance coverage Portability and Accountability Act (HIPAA) is essentially the most mature and complete well being knowledge safety regulation within the US. (It handed in 1996.)
One of many earliest manifestations of the regulation got here when Gen Z youngsters got HIPAA authorization kinds to carry dwelling for his or her dad and mom to signal for the college nurse.
Behind the kinds, nevertheless, is goal: The regulation safeguards sufferers from disclosure of their protected well being data (PHI) to any third events with out consent.
A regulation that protects People from the unregulated assortment and sale of their knowledge on-line, as HIPAA does, now has added significance given the authorized implications of the current Roe v. Wade overturn.
However does this affected person knowledge safety regulation apply to data-driven promoting and on-line knowledge assortment? The reply is sure and no.
Whereas many firms could have entry to delicate well being data by means of the companies they supply – from period-tracking apps and Fitbits to good thermometers and blood-sugar-tracking apps and gadgets – these firms aren’t essentially topic to HIPAA.
There are lots of misconceptions about when HIPAA really applies, mentioned Gary Kibel, a associate and lawyer at Davis+Gilbert LLP.
HIPAA solely applies to “coated entities” – together with licensed healthcare suppliers, insurance coverage clearinghouses, hospitals and a few pharmacies – which have entry to PHI present in digital well being information, equivalent to medical historical past, diagnoses and medicines and remedy data.
That specificity narrows the regulation’s applicability multiple would possibly suppose.
If a marketer desires to focus on individuals with diabetes, for instance, it’s doable to take action with out being topic to HIPAA. What issues is that if the well being data got here from an digital well being file or a noncovered entity, like a retailer, whose gross sales knowledge consists of frequent consumers of sugar-free merchandise.
Equally, on the onset of the COVID-19 pandemic, many staff protested the mandated disclosure of vaccination proof as a HIPAA violation – however “the regulation solely applies to coated entities,” Kibel mentioned, and an employer just isn’t a “coated entity.” Nor are Fitbit and period-tracking apps, for that matter.
Information pharming
The most typical intersection between focused advertising and marketing and private well being knowledge might be patient-facing pharma adverts (versus drug adverts meant for physicians).
However the knowledge itself wants a clear invoice of well being, so to talk, earlier than it’s processed, mentioned Jay Calavas, head of vertical merchandise on the CDP Tealium. “If the information itself isn’t compliant,” he mentioned, “none of it may be activated inside a platform.”
The corporate’s new product, Tealium for Pharma, for instance, goals to present pharma advertisers entry to deterministic audiences with “built-in HIPAA compliance,” which generally is a lot extra convoluted than primary consent administration.
Tealium ingests affected person knowledge from the web sites of its pharma purchasers, all of which is both consented or anonymized. It then overlays that data with different first-party or licensed third-party knowledge – specifically, web site engagement and prescription knowledge – to assist prospects goal their sufferers. If a focused affected person sees an advert for a product, it’s as a result of Tealium gained their consent, Calavas mentioned.
However HIPAA compliance is extra than simply taking part in good with hashed knowledge. Tealium additionally needed to signal BAA or Enterprise Affiliate Agreements with every certainly one of its prospects and companions, Calavas mentioned. These HIPAA-mandated contracts acknowledge obligation for PHI shared between healthcare suppliers and any contractors that entry it.
Tealium additionally needed to bear breach notification and alter and danger administration implementation auditing.
It’s a “large guidelines” to be HIPAA compliant, Calavas mentioned, due to the stringency of affected person knowledge safety.
Conversely, the opposite department of pharma adverts – these focused to physicians and suppliers – get to just about bypass HIPAA altogether.
Doceree, for instance, is one other vendor that gives pharma advert serving options. However as a result of it solely targets healthcare suppliers and “doesn’t contact any identifiable affected person knowledge,” HIPAA doesn’t apply, the corporate’s CEO Harshit Jain instructed AdExchanger.
Shopping for in
Though HIPAA primarily applies to the processing of PHI, which have to be de-identified, manufacturers and companies nonetheless should take steps to keep away from deterministic focusing on simply in case.
“You possibly can’t take an actual affected person knowledge set, with situations recognized at a name-base degree, after which match that knowledge with, say, Acxiom or Epsilon – that’s an apparent case for a HIPAA violation,” mentioned Ray Rosti, chief digital officer at Publicis Well being Media.
As a substitute, Publicis Well being Media takes a clear room strategy with knowledge companions to construct modeled, probabilistic audiences for its advertisers, so the company can keep away from ever focusing on the precise sufferers whose knowledge was used for modeling.
“We additionally go heavy on contextual focusing on,” Rosti mentioned, referring to contextual knowledge based mostly on net exercise slightly than about sufferers. “Consumer analysis is [actually] one of many strongest indicators somebody could also be heading towards analysis or remedy.”
With clear rooms and contextual knowledge, Publicis Well being Media can run campaigns with out touching actual affected person knowledge.
On this case, HIPAA applies within the sense that it’s a deterrent to utilizing affected person knowledge. For healthcare advertisers, contextual promoting not solely permits them to sidestep HIPAA; it’s much less prone to come throughout as creepy or invasive to the individual they’re focusing on.
An advertiser would wish direct entry to actual affected person knowledge through an digital well being file system, like these maintained by hospitals, with the intention to breach HIPAA, Rosti mentioned.
What does a HIPAA breach appear like?
However HIPAA violations do happen within the digital promoting sphere, like Fb’s current mini scandal with hospitals.
Dozens of hospitals had been caught earlier this summer time sending delicate affected person knowledge to Fb through a Meta pixel embedded on their websites when sufferers scheduled appointments on-line.
Investigative tech publication The Markup examined the web sites of Newsweek’s high 100 hospitals within the US in June and located that 33 of them had a Meta pixel put in. The pixel would transmit affected person knowledge to Fb, which might then hyperlink that knowledge to particular person profiles for focused promoting (and likewise share these insights again with the hospitals for web site retargeting).
“It is a a lot nearer instance of the place a HIPAA violation may have taken place,” Kibel mentioned, including that hospitals are liable for the affected person knowledge that passes by means of their web sites.
Does HIPAA have a job to play in a post-Roe v. Wade world?
The current Roe v. Wade overturn can be placing a whole lot of strain on web giants to take additional steps to guard prospects’ knowledge.
Google, for instance, promised to delete location knowledge associated to delicate medical services after the choice was overturned.
Conversely, the information dealer Safeguard was was caught promoting abortion clinic visitation knowledge earlier than it cracked beneath political strain and stopped promoting this kind of knowledge within the spring (a month earlier than the SCOTUS resolution).
However will HIPAA absolutely shield individuals from knowledge harvesting or from that knowledge subsequently getting used in opposition to them, particularly in the case of well being data that pertains to abortion care?
Sadly, the reply is that HIPAA is just too slender to supply that scope of safety.
Delicate well being knowledge could be collected or revealed by means of dozens of noncovered entities, from location knowledge suppliers to retail media firms. And these firms aren’t prevented from sharing knowledge, until the information was sourced from a coated entity.
No matter Google’s pledge, if a lady utilizing a fertility-tracking app, for instance, has her location tracker turned on when she visits an abortion clinic, that knowledge isn’t coated by HIPAA.
And HIPAA additionally isn’t in a position to forestall the sharing of information with regulation enforcement companies which might be investigating a criminal offense, Kibel mentioned. They should adjust to courtroom orders and subpoenas.
What occurs inside a physician’s workplace stays contained in the physician’s workplace – however past that’s out of HIPAA’s management.
In the meanwhile, utilizing well being knowledge in promoting continues to be not a matter of standardized authorized compliance, however slightly certainly one of ethics and sensitivity towards individuals’s privateness.
