If you're covered under HIPAA, you likely know of the letter the FTC and HHS' OCR just sent to 130 healthcare organizations, warning them about the risks that using tracking technologies from Meta and Google posed to the health data (PHI/PII) they might be collecting on their consumers. The publicly available letter stresses the regulators’ concerns on how tracking pixels can gather “identifiable information about users as they interact with a website or mobile app, often in ways which are not avoidable by and largely unknown to users.”
In other words: relying on these tracking technologies to understand your on-site or in-app patient behavior so you can optimize your overall patient experience (and for purposes like remarketing) can risk HIPAA noncompliance.
Navigating HIPAA compliance is tricky to begin with. Throw in this latest crackdown on the use of tracking technologies from these most ubiquitous healthcare web analytics platforms and the scrutiny on every piece of data you could be collecting, and things get even more complex. So, how can HCOs approach patient optimization while staying on the right side of the HIPAA regulation? Let's see, but first, here's why HCOs must prioritize optimizing patient experience.
Why HCOs need to prioritize patient experience optimization
Digital customer engagement is central to an HCO’s growth. A host of touchpoints along the healthcare journey, right from booking appointments and completing check-ins to consultations, are going or have gone digital first. Healthcare is also getting more experiential as patients are increasingly consumerizing. That explains why 76% of HCOs find digital customer engagement to be central to their growth. Also, most HCOs sell “experiences” and not “products,” so prioritizing patient experience is a natural strategic goal.
Optimized patient experience ties to higher growth. Customer – or patient–experience ties directly to an HCO’s growth.
What does this look like for a real-world HCO?
McKinsey cites the example of how a healthcare provider, on its digital transformation journey, came up with more than 300 test ideas aimed at hitting a range of business goals and priorities. Hypotheses involved offering better digital experiences and engagement by improving everything from online scheduling to optimizing content on specific pages. The team then picked 150 of the hypothesized ideas and launched them over a period of 12 months. The results? A test success rate of about 50%. The scaling of successful tests resulted in tripling the number of new patients from digital channels, compared with before the transformation.
HCOs that apply customer insights to deliver improved customer experiences are five times more likely to grow revenue (at more than 20% year-over-year).
Customer experience optimization results in cost savings. The (increasingly digital) service components of the healthcare matrix – think of all of the administrative stuff like appointment scheduling – can be optimized with better customer experience. In fact, optimizing customer experience over these digital healthcare touchpoints relates directly to cost savings. McKinsey found that HCPs that focused on improving customer experience saw costs to serve decrease by up to 30%.
Let’s now address the key challenge with patient optimization programs – HCO optimization programs run on DATA.
HIPAA exists to protect a user’s sensitive healthcare data from being used without consent or for purposes they didn't consent to.
How HIPAA approaches patient data and why it matters
Instead of going over the list of data items that HIPAA can classify as PHI or PII (a patient's or a prospective patient’s name, email, or social security number, for example), let’s go over what actually can and is, unfortunately, happening to millions of data records (people!).
In its award-winning Pixel Hunt series, The Markup (a nonprofit newsroom that monitors how major tech companies track users) conducted an investigation involving 100 of the top hospitals in the United States. The investigation revealed that 33 of these hospitals were transmitting patient data to Facebook using Meta's widely-used tracking tool – the pixel. You'll be surprised to know that on most of these HCP websites, clicking the online appointment scheduling button on a doctor's page told Facebook about the exact keyword that was used to find the doctor (“pregnancy termination,” in one case), the doctor's name, and the copy of the CTA button that got clicked. Data sharing was worse for some of the hospitals reviewed, where even the first and last names of the patients were passed on to Facebook that were easily retrievable with hash cracking.
A part of this problem is also that all the data on a patient is tied to their IP address, which is their identifier, essentially telling Facebook exactly what an appointment looks like for a patient with a certain IP address. According to the experts who reviewed the report’s findings, these could be HIPAA violations, as it all appeared to be sharing personally identifiable health information data with a third party (Facebook) without explicit user consent.
The Markup team also states that Facebook even uses this pixel data with the Facebook profiles of the patients. The team was even able to identify patients with Meta’s tracking pixels.
Do you see what’s happening here? It doesn't matter what healthcare line you operate in – you could be a payer, provider, or pharma – you could be at risk if you use such tracking technologies.
Healthcare businesses like Monument, Tempest, Cerebral, GoodRx, and BetterHelp, just to name some, are some notable cases of HIPAA violations in recent times.
HIPAA exists so none of this happens and sensitive patient data isn’t compromised.
Given all of this, data apprehensions naturally stifle HCOs’ customer optimization programs as HCOs want to play it safe. But regulations like HIPAA don’t have to get in the way of patient experience optimization. Patient privacy and data-driven optimization can actually coexist.
How to optimize patient experience without using PII/PHI
You can approach patient experience optimization in fully HIPAA-safe ways. Here’s how.
Collecting data in HIPAA-safe ways
Hypothesizing winning healthcare experiences takes data. And you just saw how using an analytics solution like Meta’s pixel can put you at risk. Pixels from the other mainstream tech giants are also reported to work similarly.
But the solution is simple here. Go with a first-party data analytics vendor to capture your on-site or in-app user behavior. HIPAA-compliant product analytics solutions are designed for privacy and give you granular control over what data you collect on your website or app and how you collect it. You can easily configure them to work in a HIPAA-compliant way.
Also, since such vendors engage with the data a HIPAA-covered entity passes on to them or collects via them, these vendors need to commit to protecting the entity's PHI data they use. To protect PHI, HIPAA mandates that any such vendors that HCOs work with do a Business Associate Agreement (BAA). This essentially means the vendors, too, will protect the end users’ PHI.
HIPAA-compliant data analytics solutions easily sign a BAA with you as these analytics tools don’t come with “open borders” like some of the other platforms. They can declare that they “will not use X data for Y purpose,” among enforcing other PHI safeguards.
Hypothesizing experiments that don’t need a lot of data (and most definitely don’t need PHI or PII data)
With eight out of ten HCOs collecting customer experience data, data collection doesn't seem to be the problem (assuming this is data collected in HIPAA-compliant ways). It's actually the data's volume and velocity that pose challenges, with only six out of ten HCOs knowing what to do with their data.
This loops back to privacy. Privacy concerns remain one of the biggest factors that hinder HCOs from leveraging the data they collect for CX optimization. HCOs seem apprehensive even about using anonymized data (which can be used safely). First-party data or zero-party data can be safe too. But HCOs find even these risky.
Contrary to what one might think, most winning patient optimization experiments or experiences don’t need PHI or PII. First-party data like the fully anonymous behavioral data that you collect on your website and that can’t be tied to an individual is good enough for powering customer experimentation programs.
For instance, if you offer virtual check-in and see a massive dropoff, there you have it. The check-in form probably could be improved. It might be the form’s length, the form fields, functioning or the overall UX that might not be working.
If you conduct qualitative research with your customers or even commission independent research on the common digital healthcare journey friction points, it can give you opportunities to optimize your patient experience. Take your patient portal, for example. In Neilsen’s research on a patient’s healthcare journey, patient portals stood out as the most used digital-interaction channel, serving 32 of the recorded 93 interactions. Patients logged in to their portal several times for a host of things like appointment scheduling, video consultations, and accessing their lab reports. The portal alone represents several digital patient experience optimization opportunities.
Appointment scheduling is yet another persistent frustration along the digital healthcare journey – again, an area that can be optimized without any PHI or PII data.
Delivering personalized content experiences also doesn’t involve any PHI data.
The point is that unlike what most stakeholders believe, experiments that don’t use any “risky“ data, too, can yield significant tangible results for HCOs.
Adding HIPAA-compliant experimentation to the HCO CX optimization mix
Next comes experimentation. Experience-led growth is only possible with experiments. Despite the real business benefits that forms of experimentation like A/B tests bring to HCOs, they aren’t (yet) mainstream when optimizing digital experiences for healthcare “consumers.” Only 33% of HCOs use A/B tests to optimize their patient experience. Targeting and personalizations, too, are only implemented by three out of ten HCOs.
If you overcome your data apprehensions, which is one reason why HCOs struggle to unlock the value of experimentation, you will see implementing an experimentation program for CX enhancement is the surest way to achieve breakthrough success.
Again, just as you’d look for compliance with HIPAA when choosing a data analytics solution, you’d need to vet experimentation solution vendors too for their HIPAA compliance. Optimization solutions like Kameleoon, for instance, are designed for heavily regulated industries like healthcare and offer compliance with HIPAA. So with Kameleoon, you can run a HIPAA-compliant CX optimization program at your HCO. We also execute BAAs, which is required under HIPAA.
In fact, with your experimentation solution sitting at the heart of your CX optimization program, HIPAA compliance needs to be one of the first things you look for when choosing an experimentation solution vendor. You’d be surprised to know that even leading optimization solution providers (like Optimizely) aren’t actually compliant with HIPAA.
Building a HIPAA-compliant tech stack and designing privacy-friendly experiments hold the key to running HIPAA-compliant patient experience optimization programs
Greg Kihlstrom, Chief Strategist at GK5A (a leading digital transformation consultancy), stresses how these developments around privacy necessitate designing HIPAA-friendly optimization programs.
He explains that healthcare organizations can maintain their competitive edge by “evaluating their current martech stack, and working with optimization platforms that are HIPAA compliant while utilizing testing methods that minimize the need for PHI or PII.”
Ray Mina, Head of Marketing at Freshpaint, also underlines the need for HCO optimization teams to build their tech stacks responsibly:
To sum up…
- Take a privacy-first approach to optimization
- Build a HIPPA-compliant customer experimentation tech stack and partner only with vendors that offer HIPAA compliance and have BAAs in place
- Look for optimization opportunities that work without PHI or PII – they’re plentiful!