At 26 years outdated, the Well being Insurance coverage Portability and Accountability Act (HIPAA) is probably the most mature and complete well being knowledge safety legislation within the US. (It handed in 1996.)
One of many earliest manifestations of the legislation got here when Gen Z children got HIPAA authorization varieties to deliver house for his or her dad and mom to signal for the college nurse.
Behind the varieties, nevertheless, is goal: The legislation safeguards sufferers from disclosure of their protected well being info (PHI) to any third events with out consent.
A legislation that protects Individuals from the unregulated assortment and sale of their knowledge on-line, as HIPAA does, now has added significance given the authorized implications of the current Roe v. Wade overturn.
However does this affected person knowledge safety legislation apply to data-driven promoting and on-line knowledge assortment? The reply is sure and no.
Whereas many firms could have entry to delicate well being info by way of the providers they supply – from period-tracking apps and Fitbits to sensible thermometers and blood-sugar-tracking apps and gadgets – these firms aren’t essentially topic to HIPAA.
There are various misconceptions about when HIPAA really applies, mentioned Gary Kibel, a associate and legal professional at Davis+Gilbert LLP.
HIPAA solely applies to “coated entities” – together with licensed healthcare suppliers, insurance coverage clearinghouses, hospitals and a few pharmacies – which have entry to PHI present in digital well being data, equivalent to medical historical past, diagnoses and drugs and remedy info.
That specificity narrows the legislation’s applicability multiple may suppose.
If a marketer desires to focus on individuals with diabetes, for instance, it’s attainable to take action with out being topic to HIPAA. What issues is that if the well being info got here from an digital well being file or a noncovered entity, like a retailer, whose gross sales knowledge contains frequent consumers of sugar-free merchandise.
Equally, on the onset of the COVID-19 pandemic, many staff protested the mandated disclosure of vaccination proof as a HIPAA violation – however “the legislation solely applies to coated entities,” Kibel mentioned, and an employer isn’t a “coated entity.” Nor are Fitbit and period-tracking apps, for that matter.
Knowledge pharming
The commonest intersection between focused advertising and marketing and private well being knowledge might be patient-facing pharma adverts (versus drug adverts meant for physicians).
However the knowledge itself wants a clear invoice of well being, so to talk, earlier than it’s processed, mentioned Jay Calavas, head of vertical merchandise on the CDP Tealium. “If the info itself isn’t compliant,” he mentioned, “none of it may be activated inside a platform.”
The corporate’s new product, Tealium for Pharma, for instance, goals to provide pharma advertisers entry to deterministic audiences with “built-in HIPAA compliance,” which is usually a lot extra convoluted than primary consent administration.
Tealium ingests affected person knowledge from the web sites of its pharma shoppers, all of which is both consented or anonymized. It then overlays that info with different first-party or licensed third-party knowledge – particularly, website engagement and prescription knowledge – to assist prospects goal their sufferers. If a focused affected person sees an advert for a product, it’s as a result of Tealium gained their consent, Calavas mentioned.
However HIPAA compliance is extra than simply enjoying good with hashed knowledge. Tealium additionally needed to signal BAA or Enterprise Affiliate Agreements with every considered one of its prospects and companions, Calavas mentioned. These HIPAA-mandated contracts acknowledge obligation for PHI shared between healthcare suppliers and any contractors that entry it.
Tealium additionally needed to endure breach notification and alter and threat administration implementation auditing.
It’s a “large guidelines” to be HIPAA compliant, Calavas mentioned, due to the stringency of affected person knowledge safety.
Conversely, the opposite department of pharma adverts – these focused to physicians and suppliers – get to just about bypass HIPAA altogether.
Doceree, for instance, is one other vendor that gives pharma advert serving options. However as a result of it solely targets healthcare suppliers and “doesn’t contact any identifiable affected person knowledge,” HIPAA doesn’t apply, the corporate’s CEO Harshit Jain advised AdExchanger.
Shopping for in
Though HIPAA primarily applies to the processing of PHI, which have to be de-identified, manufacturers and companies nonetheless must take steps to keep away from deterministic focusing on simply in case.
“You possibly can’t take an actual affected person knowledge set, with situations recognized at a name-base degree, after which match that knowledge with, say, Acxiom or Epsilon – that’s an apparent case for a HIPAA violation,” mentioned Ray Rosti, chief digital officer at Publicis Well being Media.
As a substitute, Publicis Well being Media takes a clear room method with knowledge companions to construct modeled, probabilistic audiences for its advertisers, so the company can keep away from ever focusing on the precise sufferers whose knowledge was used for modeling.
“We additionally go heavy on contextual focusing on,” Rosti mentioned, referring to contextual knowledge primarily based on internet exercise moderately than about sufferers. “Person analysis is [actually] one of many strongest indicators somebody could also be heading towards analysis or remedy.”
With clear rooms and contextual knowledge, Publicis Well being Media can run campaigns with out touching actual affected person knowledge.
On this case, HIPAA applies within the sense that it’s a deterrent to utilizing affected person knowledge. For healthcare advertisers, contextual promoting not solely permits them to sidestep HIPAA; it’s much less more likely to come throughout as creepy or invasive to the individual they’re focusing on.
An advertiser would want direct entry to actual affected person knowledge through an digital well being file system, like these maintained by hospitals, to be able to breach HIPAA, Rosti mentioned.
What does a HIPAA breach appear to be?
However HIPAA violations do happen within the digital promoting sphere, like Fb’s current mini scandal with hospitals.
Dozens of hospitals had been caught earlier this summer time sending delicate affected person knowledge to Fb through a Meta pixel embedded on their websites when sufferers scheduled appointments on-line.
Investigative tech publication The Markup examined the web sites of Newsweek’s prime 100 hospitals within the US in June and located that 33 of them had a Meta pixel put in. The pixel would transmit affected person knowledge to Fb, which might then hyperlink that knowledge to particular person profiles for focused promoting (and likewise share these insights again with the hospitals for website retargeting).
“This can be a a lot nearer instance of the place a HIPAA violation might have taken place,” Kibel mentioned, including that hospitals are liable for the affected person knowledge that passes by way of their web sites.
Does HIPAA have a job to play in a post-Roe v. Wade world?
The current Roe v. Wade overturn can also be placing a whole lot of stress on web giants to take further steps to guard prospects’ knowledge.
Google, for instance, promised to delete location knowledge associated to delicate medical services after the choice was overturned.
Conversely, the info dealer Safeguard was was caught promoting abortion clinic visitation knowledge earlier than it cracked below political stress and stopped promoting this kind of knowledge within the spring (a month earlier than the SCOTUS resolution).
However will HIPAA totally shield individuals from knowledge harvesting or from that knowledge subsequently getting used in opposition to them, particularly in the case of well being info that pertains to abortion care?
Sadly, the reply is that HIPAA is simply too slim to supply that scope of safety.
Delicate well being knowledge could be collected or revealed by way of dozens of noncovered entities, from location knowledge suppliers to retail media firms. And these firms aren’t prevented from sharing knowledge, except the info was sourced from a coated entity.
No matter Google’s pledge, if a lady utilizing a fertility-tracking app, for instance, has her location tracker turned on when she visits an abortion clinic, that knowledge isn’t coated by HIPAA.
And HIPAA additionally isn’t in a position to forestall the sharing of information with legislation enforcement companies which can be investigating a criminal offense, Kibel mentioned. They should adjust to courtroom orders and subpoenas.
What occurs inside a health care provider’s workplace stays contained in the physician’s workplace – however past that’s out of HIPAA’s management.
In the meanwhile, utilizing well being knowledge in promoting remains to be not a matter of standardized authorized compliance, however moderately considered one of ethics and sensitivity towards individuals’s privateness.
