How to Build an Actionable PHI Privacy Framework for Marketing

Full webinar can be viewed at the bottom of this page.

It’s a confusing time at the corner of healthcare and digital marketing. After a 2022 investigation by The Markup spurred a string of lawsuits against hospitals, the HHS’s Office of Civil Rights (OCR) issued new guidance. It dealt with the use of tracking technology by HIPAA-covered entities—and caused a panic in marketing departments across healthcare. 

To clear up some of the confusion, ADM recently joined data law experts from Faegre Drinker and health data solutions provider FreshPaint for an hour-long webinar. We dove into the meaning of the OCR guidance, FTC enforcement against non-HIPAA-covered entities, and how companies can build a compliant framework without sacrificing their digital marketing success. 

Here’s how to get started.

Health Tracking Compliance Framework

Step 1: Create an Inventory of Tracking Activities

  • Gather your IT, legal, and marketing teams to create a comprehensive inventory of all third-party tracking activities across all corners of your website and/or apps.
  • Determine the business purpose of any tracking technology found.

Step 2: Analyze PHI Disclosure

  • Engage in a thorough discussion with all involved parties to assess if PHI is being disclosed through the tracking technologies.
  • Identify any situations where tracking data contains any of HIPAA’s 18 personal identifiers and could be combined with health information (e.g., condition-specific pages, appointment schedules, etc.).

Step 3: Ensure Permissible PHI Disclosure

  • Verify whether third-party entities are classified as Business Associates (BAs) under HIPAA regulations and ensure that, under any Business Associate Agreement (BAA) in place with that entity, PHI disclosure is permissible under the terms of the agreement.
  • If a BAA is not in place, determine if a HIPAA authorization has been executed to allow PHI disclosure.

Step 4: Consider Limiting Placement of Tracking Technologies

  • If you have BAAs in place or have obtained HIPAA authorization, place any tracking technologies carefully and strategically.
  • For third parties unwilling to sign BAAs, consider limiting or excluding the use of tracking technologies.

Step 5: Conduct HIPAA Breach Risk Assessments

  • Regularly conduct HIPAA breach risk assessments based on new rules and enforcement actions to evaluate your ongoing compliance.
  • Document the results of these assessments and implement necessary measures to minimize risks.

In the full webinar, the experts dive into the specifics of each point and introduce specific tools and approaches that healthcare companies can use to remove the risk of PHI breaches from their digital marketing programs. They also weigh in on important questions, like:

  • How should health marketers approach gray areas in current guidance?
  • Does Google Analytics 4 still collect IP addresses?
  • Will HIPAA be amended to include new definitions and guidance for tracking and digital marketing tech?
  • Do third-party platforms linked to your Google Analytics data need to sign BAAs?

…and more. Access the complete conversation below.

Watch the Full Webinar:


Nothing in this blog should be considered legal advice. This content is for informational use only. Health marketing policy is also evolving quickly, and this blog may not have been updated to reflect any new developments relevant to the situation. If you require legal advice about any of the matters discussed here, we recommend seeking a healthcare privacy attorney.