People don’t mind giving up their data to build human connection, that’s how we do it in real life conversation – like at a cocktail party. Trust is important, though, and it’s our job to protect personally identifiable information. - John Ours, Paragon CEO
In part one of our three-part blog series, Dynamic Personalization in Healthcare Websites, we discussed why personalization is valuable to consider. In our last blog, we shared some tips on the types of personalization tactics that can be deployed to actualize your plan. In this final blog of our series, we’ll let you know what to look out for to stay on the right side of your compliance department.
According to Accenture, 83% of consumers are willing to share their data to enable a personalized experience, however, what data are you allowed to collect?
In the United States, a patient’s personal health information is federally protected and having a leak could lead to a fair bit of trouble. Healthcare marketers must know what is considered protected health information under HIPAA law. As written by HIPAA journal, “Protected health information (PHI) is individually identifiable information regarding the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations.”
This means health information such as diagnoses, treatment information, medical test results, and prescription information are considered protected health information under HIPAA, as are national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact and emergency contact information.
As a rule of thumb, personal health information is considered protected when an individual could be identified from that information. If all identifiers are stripped from health data, it ceases to be PHI and the HIPAA Privacy Rule’s restrictions on uses and disclosures no longer apply.
Consider these actual risks of exposing PHI:
Healthcare compliance departments will have varying levels of risk tolerance for data collection and storage, and it’s important to consult your legal teams before embarking on the journey to dynamic personalization.
While we highly recommend consulting with your internal legal teams as you build your websites and applications, the following data is probably safe for you to collect:
However, the following data is definitely Protected Health Information (PHI) and you should be very careful when collecting:
While the former list is likely “inbounds”, remember to use finesse with how you use this data to present personalized experiences on your website. Profiling can be very powerful and can often accurately infer diseases and conditions and look like you’re leaking PHI, even when you’re not. Consider careful verbiage such as “Recommended Provider” instead of “Your Provider” or “Suggested Location” instead of “Your Location”. This helps to alleviate perceived PHI concerns.
There are four options as you begin collecting data, with varying complexity. Consider the amount of work you’re willing to do and risk you’re willing to take. Please note that risk increases with each option presented below.
This is the most secure option to completely avoid any pitfalls involving PHI. If you collect the same data that most retailers would, you can be in the clear. However, you won’t be able to provide the customer as personalized of an experience as you could if you were collecting a certain amount of individually identifiable data.
This option collects both personalized data and individually identifiable data, then keeps them separated. Having more information is great, although this will need an increased bandwidth and resources to run well.
Having collected both kinds of data is fantastic and having them together saves on resources. However, this may lead to less security.
Do not do this. Be very careful when presenting protected health information. You do not want your customer to feel like you are selling to them based off information gathered from a very confidential and privileged encounter.
The next step before deploying any personalization or engagement plan is to talk to your compliance officer. Here are a few Important questions to ask.
“As a user progresses from anonymous to conversion, will we gather at least their email address…”
We’re here to help you learn more about your audience, understand their journey, and implement the most effective, thoughtful systems to deliver a personalized message.