Category: Healthcare

Online tracking is nothing new. For years, companies have tracked users’ behavior using codes and scripts placed on a website or mobile app. The goal of digital tracking has always been to make more informed marketing and communication decisions that will benefit the specific user. When properly implemented and used to provide that custom experience unique to that particular consumer, it’s great for both parties. However, when executed poorly, or when data collected is sold to third parties without consent, it becomes a serious issue on many levels.

In the healthcare space, providers have implemented tracking on consumer-facing products to improve the digital care journey. But tracking for a healthcare organization is more complex than that of an e-commerce store, for example. In the healthcare industry, the data collected often contains sensitive information, or Protected Health Information (PHI). The nature of this data complicates how and when tracking can be used, regardless of the intent.

The constant evolution of consumer needs, how they use and trust digital devices, and the privacy they seek continue to drive change in the rules and regulations around tracking data in healthcare. This is precisely why HIPAA was created in the first place back in 1996, along with the subsequent addition of the Privacy and Security Rules in 2003. As technology usage has increased and the amount of data shared and collected online continues to grow, we are seeing a heightened concern around PHI collection and usage not to mention concerns exacerbated by recent data breaches.

A newly released bulletin from the Department of Health and Human Services outlines the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, governing how healthcare organizations (or, as HIPAA refers to healthcare organizations: ‘regulated entities’) should manage digital tracking and measurement.

What do the new guidelines mean for your organization?

The HHS decisively spells out that a ‘regulated entity’ cannot improperly share PHI with a third party:

Regulated entities (note: healthcare organizations = ‘regulated entities’) disclose a variety of information to tracking technology vendors through tracking technologies placed on a regulated entity’s website or mobile app, including individually identifiable health information (IIHI)19 that the individual provides when they use regulated entities’ websites or mobile apps. This information might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code.20 All such IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.21 This is because, when a regulated entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care.22

In simpler terms, the above excerpt emphasizes that you want to ensure that the ‘regulated entity’ (your healthcare organization) passes information “only in the right way” to third-party vendors or systems. Basically, don’t pass identifiable PHI to a third-party vendor. 

Okay, but what about IIHI?

In addition to stating guidelines on PHI collection, the HHS also outlines a wide range of IIHI (Individually Identifiable Health Information) that you should avoid collecting on your digital properties. Someone clicking on a provider profile on your organization’s website, by itself, doesn’t guarantee a problem and is fine to collect. 

However, there are two ways that information becomes a problem  – in other words, becomes “individually identifiable” – and should not be collected or passed along to a third party: first, if an individual can be reasonably identified (by collecting commonly identifiable information like names, phone numbers, or even IP addresses), and second if that information is passed to third parties. 

Want to avoid problems? Avoid collecting IIHI as much as possible. 

There are three primary offenders of personal information tracking that make it individually identifiable:

1. Precise geolocation
2. IP Address or other unique identifiers (think advertising)
3. Personal information is entered in text input fields (think a form or login)

What is the best way to ensure we’re not passing identifiable data to third-party vendors?

The bulletin, helpfully, distinguishes three broad categories of digital properties: 

1. User-Authenticated web pages (requires a user to login, such as MyChart)
2. Mobile Applications (delivered by and on behalf of a healthcare organization)
3. Unauthenticated web pages (does not require a login, like your standard consumer-facing website)

Let’s break each of these down a bit more with the important information you should know.

User-authenticated web pages: 

A user-authenticated web page is something a user must log into with identifiable information to access. In healthcare, MyChart (or other patient portals) instances are the primary example of this kind of property. The easiest way to solve this is simply don’t put third-party tracking on your MyChart or patient portal instance, especially any kind of pixel or session-recording software. 

If you do need to get meaningful user behavior tracking from a MyChart instance, consider a secure way to send information within your systems, like an on-premise server using Matomo or similar tool, or a custom tracking implementation (though these are expensive). You can use the free suite of Google Analytics tools, but be sure to talk to an implementation expert to ensure it’s set up in a secure and safe way.

Mobile applications: 

How to manage this: 

• For mobile applications, GA4 automatically masks IP addresses by default. 
• Most mobile applications for healthcare do not log the precise location of a user, but those with wayfinding built-in may be at risk — especially if that wayfinding data is passed to or stored with any third parties.
• Additionally: Advertising should be disabled for mobile applications.  
• The guidance mentions DEVICE ID, but to clarify: our understanding is that “device ID” is assigned to the individual phone/laptop/tablet by the manufacturer, not the value reported by Google Analytics. That refers to a unique app installation ID, and one device or individual could have multiple app installation IDs.

If these conditions are met, you can prevent most PHI from being collected as well as prevent identifiable PHI from being passed to third parties.

Unauthenticated web pages:

Unauthenticated web pages are ones that don’t require the user to log in. In other words, your standard-issue, publicly available internet web page. The majority of health system digital properties fall under this category. As the HHS guidance states, as tracking technologies on these unauthenticated webpages generally do not access PHI, HIPAA regulations generally do not apply. 

However, HHS does indicate two instances in which IIHI could be exposed or collected: 

1. The login page of a patient portal, linked to from the main unauthenticated website
2. A search for symptoms or an appointment request form that doesn’t require authentication, but does require a user to enter personal information

How to manage these risks:

1. Do not allow third parties to collect keystrokes or any information entered on a form, whether via tracking or session recording. (Many organizations use tools like HotJar, CrazyEgg or Inspectlet to record sessions and better understand user behavior. Be extremely mindful of using these tools on healthcare websites. Read the fineprint and understand what these tools do and do not collect – and what they can and cannot be configured to do.)

2. Do not collect individual IP addresses. GA4 automatically masks IP addresses by default. If you haven’t upgraded to GA4, develop a plan to do so very soon. Also, once more, turn off the advertising ID for Google Analytics.

Managing these areas can help mitigate risk to avoid collecting IIHI on your digital properties.

Keep your marketing data de-identified.

There is one additional area of considerable risk: your Google Tag Manager account.

Many GTM accounts have years of old and little-examined marketing pixels, custom html tags for specific landing pages for specific campaigns, and other third-party insertions. Look through your existing GTM account and audit your marketing pixels and their configuration. Remove any that are unnecessary, and make sure you understand what they are collecting. 

Pixels come with their own configuration and can send information to a third-party vendor that the vendor then controls. Once a third party receives data from a pixel, that third party will do whatever it wants with that data, including reselling it to others. Be extremely mindful of what information these marketing pixels are collecting.

With those points in mind, you should be well set-up to keep your data de-identified.

In conclusion

Use this article as your guide to ensuring your organization is in compliance with the HHS and HIPAA’s latest guidelines surrounding PHI and IIHI. 

If you want the TL; DR version or need to share key takeaways with others in your organization, here you go:

1. Turn off advertising ID to prevent unique advertising ID sharing. 
2. Upgrade to GA4. (We recommend this for many reasons, not least of all that older versions of Google Analytics are being sunset July 2023. In this case, the upgrade to GA4 is critical to ensure automatic IP address masking).
3. Be extremely mindful of collecting user-entered text or login credentials. If you are using session-recording software, thoroughly review the documentation and configuration of your software to ensure no text or keystroke inputs are being collected, stored, or shared.
4. Make sure that third-party tags and pixels in your Google Tag Manager account are in place only to collect the most critical information, and nothing more.

Almost 18 months after the Centers for Medicare and Medicaid Services (CMS) new price transparency rule went into effect, the organization issued its first of many fines.

Hospitals are now required to provide a comprehensive machine-readable list of services as well as prices listed on their websites. This recent ruling affirms the government’s commitment to making it easier for consumers to shop and compare prices across health systems. Now, a consumer should be able to estimate the cost of care before going to a specific hospital for services.

Who was fined and how much?

An Atlanta-based hospital system was fined close to $1 million. CMS stated that neither a “consumer-friendly list of standard charges was found”, nor a machine-readable file.

CMS set a minimum CMP (Civil Monetary Penalty) of $300 a day for smaller hospitals with less than 30 beds. As well as a penalty of $10/bed a day for hospitals with 30+ beds. These are not to exceed a maximum daily dollar amount of $5,500. For a full year of noncompliance, the minimum to the max range for total penalties is $109,500 – $2,007,500 per hospital.

You can learn more by viewing this document for frequently asked questions from CMS’ website.

What does that mean for you?

A recent study by the Journal of the American Medical Association shows that only about 14% of hospitals are fully complying with this new federal law.

If CMS concludes that your hospital is non-compliant it may take any of the following actions and stated that “generally but not necessarily will occur in the following order”.

• Provide a written warning notice to the hospital of the specific violations
• Request a Corrective Action Plan (CAP)
• Impose a Civil Monetary Penalty (CMP)

If CMS issues a request for a hospital to submit a CAP, it must be submitted by the date specified in the request and must also…

1. Specify the process the hospital will take to fix the issues
2. List the timeframe by which the above will be completed

If a hospital fails to respond to CMS’ request to submit a CAP or comply with requirements, the organization may impose a CMP. 

CMS has already issued around 350 warning notices to hospitals that violate the ruling. If you did not receive a notice, but know that your system does not accurately display price information we suggest that your team, whether internally or with your digital partner, implement amendments to your digital properties as soon as possible. 

The Challenge

So, if this is such a big issue, why are only 14% of hospitals following the rule?

From a patient’s perspective, it’s simple, “quickly show me how much I’ll pay for x, y, and z”. However, it’s not so easy for a hospital to implement.

There are a handful of reasons why organizations may not be posting pricing fast enough. The biggest we see is discrepancies and variations in costs for patient A versus patient B, even if they both receive the same treatment.

In order to protect the hospital, each service will factor in a certain amount of risk (depending on the situation), and therefore, the “price tag” of a particular service could be elevated. Prices for services can also change frequently depending on when agreements with each payor start and end as well as factors like who is incurring the cost (employer, insurer, patient, etc). This requires consistent updating in order to keep the list up to par with CMS’ ruling.

How to follow the ruling?

Two ways to post standard charges:

1. ) Machine Readable File

A single machine-readable digital file that contains: gross charges, discounted cash prices, payer-specific negotiated charges, and de-identified minimum and maximum negotiated charges.

2.) Consumer-friendly Display of Shoppable Services

Display all “shoppable services” with ancillary services and provide discounted cash prices, payer-specific negotiated charges, and de-identified minimum and maximum negotiated charges. It’s crucial to note, that each of these services must also contain a plain language description.

To learn more about what exactly your hospital needs to provide, visit CMS’  help or resources page.

An ending note

In summary, many organizations are not investing beyond the bare minimum in price transparency requirements. 

If your team does not already have pricing listed on your website you’ll need to act quickly.

Early in the new year, it’s customary to take some time to reflect on the past, set goals for the present, and plan for the future.  

Our team spent time reflecting on the significant changes we’ve seen over the last decade in healthcare that have directly impacted the landscape today. One of the most prominent and the main catalyst that we’ll cover is the cost of care. 

In this article, we’ll review the 3 major trends that have materialized from the continued rise in the cost of healthcare and how they’re directly shaping the industry.

Healthcare costs continue to climb

In the past decade, consumers paid more for healthcare than ever before. In fact, Americans spent nearly twice as much in 2019 as they did in 1980. And yes, this data does account for inflation. The observed dollar amount was adjusted appropriately in order to compare apples to apples. It may not surprise you that the cost of healthcare has increased year after year. After all, we have more advanced technology, treatment plans, drug production, and consumer engagement platforms. But all of those niceties are not the main driver of the cost influx. Instead, insurance is the primary offender.

The shocking fact is that…

“insurance costs have grown by 740% since 1984”

CNBC stated that the average American paid about $3,400 for insurance alone in 2018. While a household spent nearly $5,000 per person on healthcare in the same year.

It is truly no wonder that medical bills are the number one cause of bankruptcies in the U.S.A. This alone helps to contribute to the lack of trust in healthcare systems, a colossal issue today.

It’s also worth noting that in 2020, annual spending on healthcare was estimated to be around $3.65 trillion or $11,172 per person in the U.S.A. This total is larger than the gross domestic product of Mexico, Canada, and Spain combined. It is also, by a wide margin, the highest annual healthcare spending in the developed world. 

This climb in cost over the past 40 years laid fertile ground for change and new entrants to quickly grow.

#1 Bigger is better; mergers and acquisitions

Over the past decade, we’ve seen large healthcare systems, drug makers, and insurers begin and close mergers. 

In 2018, CVS Health and Aetna closed a $70 billion deal. The nation’s largest pharmacy chain and health insurer combined to instill their towering goal of ”transforming healthcare delivery for the better”.

Locally, we’ve seen Wellmont Health System and Mountain States Health Alliance come together to form, client, Ballad Health. Intermountain Healthcare and SCL Health are planning to merge in early 2022 to form an $11 billion health system. As well as two of Michigan’s largest providers Spectrum and Beaumont Health will combine forces and create a $12.9 billion “mega-merger”.

This trend of healthcare system consolidation is not only an act to gain new efficiencies but also to reduce the cost of operation. Let’s hope that we see these mergers translate to cost savings for the consumer. 

#2 Digital front door comes to stage

The buzzword “digital front door” started circulating in healthcare circles in 2017. Around this time the industry started to understand the importance of creating and implementing strategies that leverage the use of technology to create better and more connected customer experiences. 

Often a digitally connected healthcare customer experience will include tools such as:

• Well-designed and transparent appointment scheduling.
• Access to scheduled or on-demand telehealth visits.
• Digital service channels via live and AI-based chat.
• Easy access to the information a patient or their family needs.

The digital front door strategy is all about taking the time to truly understand what your customers need most and taking the steps to meet those needs. One big need, you might have guessed, is cost. 

We’ve seen healthcare systems combat rising costs by offering more channels for consumers to interact with their brand and where most convenient. For example, AI-based chat can help concerned patients quickly find the information they need at less cost and 24/7.

#3 New players enter the healthcare space

Companies like Apple, Google, and Amazon set a new standard when they created and launched revolutionary digital customer experiences. Now consumers have high expectations for optimal user experience and seamless functionality with any product or brand, no matter the industry. 

Over the past decade, we’ve seen the deities of digital enter the healthcare space to disrupt the industry. In 2018, healthcare experienced a “wild-west” style shoot-out for who would partner up and enter the market. Many large tech companies accomplished their goals by quickly merging with strategic elites.

Google hired a healthcare CEO to organize its health initiatives. Apple began testing the market with wearables and EHRs. In addition, companies like Lemonaid empowered patients by “treating you better”.

Never before have consumers had such a strong voice or choice. These new entrants are offering consumers new and engaging ways to manage their healthcare.

For example:

• Scheduling a quick telehealth appointment with Amazon.
• Seeking dietary advice from a NutriSense glucose-monitoring skin patch.
• Getting a physical while grocery shopping at Walmart.

Fortunately, these companies are offering affordable services and tackling the rising cost of healthcare head-on.

What’s to come?

It’s no big surprise that healthcare consumers are fed up with paying outrageous prices and struggling to manage care. We’ve seen some movement to correct the pressing pain points but more must be done. 

On the bright side, there’s no time like the present. The sooner that health systems can…

• Get on board with customer journey mapping.
• Show price transparency and insurance information.
• Implement a digital front door strategy.
• Understand that digital healthcare is here to stay.

…the sooner they can captivate consumers and increase lifetime value.

Earlier this month, our team sponsored, exhibited, and presented at the Healthcare Marketing & Physician Strategies Summit in Miami. It was refreshing to be back in person and see familiar faces. 

There were many noteworthy speakers and trending topics covered throughout the week. We decided to put together a list of major HMPS 2021 takeaways and themes from the content presented for those who were unable to attend this year.

#1 Communication is “key”

The importance of communication was brought to light last year. Consumers and the general public were constantly looking for answers. Yesterday’s news was no longer relevant and we spent hours sifting through articles only to find outdated information.

HMPS dedicates one out of its five tracks strictly to communication. We attended numerous sessions that provided suggestions on how to do so efficiently and effectively without inundating an audience. Overall the presenters advised that you take a natural, authentic approach to content creation and delivery. Do not make the consumption of news more complicated than it needs to be. Make the best use of the systems you have.

Some organizations took a unique approach to communication that was very notable.

LCMC Health, took a celebratory and welcoming approach to combat the cold, impersonal lines during the vaccine rollout. The Louisiana-based organization made the vaccination process fun for all. Their team added Mardi-Gras-themed floor stickers, photobooths, and free concerts to liven spirits.

Hunterdon Healthcare had a member from the C-Suite team provide quick and personal updates for patients via daily Facebook videos.

#2 Consumers expect more from healthcare

This should come as no surprise. We know that consumers are expecting healthcare to deliver experiences as the big tech companies do. 

You’re falling behind if your organization cannot deliver a customer-centric experience that delivers real value and a lasting impression.

Two ways your organization can get started:

#1. Create a customer journey map

We surveyed several nationally ranked hospitals and found that only 18% indicated that they had completed a customer journey map. Problems arise when digital content is created from the inside out, without data and input from the end-user. Why spend hundreds of thousands of dollars on a consumer-facing product that does not meet the needs of the customer? 

Journey mapping can help you strategically set goals and expectations as well as more accurately understand what your customers need. Understanding the importance of customer journey mapping and how your consumers can directly benefit should be a critical step in your digital road mapping strategy.

#2. Understand your consumer behavior trends

It’s fair to say that the experience of living through a pandemic has forever changed consumer behavior, especially in healthcare. Your patients demand quality, affordability, but what else?

From our research, our team uncovered 3 top trends that can help your team prioritize customers’ needs on the web.

Time is precious

We found that the pandemic has exacerbated an interesting trend. Customers are more likely to be transactional, and they want transactions to happen immediately. 

Perfect the details

Did you know that today’s customers are more likely to have shorter sessions—specifically, sessions of 1-3 pageviews? Therefore, your customers are likely to miss important content that is 1-3+ clicks from your product page content.

Connection is key

If a customer enters your site on a non-product page, such as an informational coronavirus page that has updates and relevant information, and is able to navigate to another area of the site within 3 page views, they are roughly 30-40 times more likely to convert.

So even as your customer’s willingness to hunt for information continues to decrease, how well you connect the disparate areas of your site can increase overall conversions for the site. 

#3 The future of telehealth

Since the major onset of telehealth, we’ve seen countless direct benefits. In fact, Becker’s Hospital Review reported that 85.5% of Americans said telehealth has “made it easier to get the care they need.”

However, as we emerge from the pandemic, telehealth should not go to the wayside, rather organizations need to expand beyond virtual urgent care. McKinsey & Company reported that around 40% of consumers stated that they will continue to use telehealth going forward—up from 11% prior to COVID-19.

In addition, research shows that between 40-60% of consumers are interested in broader virtual health solutions i.e. “digital front door” as well as lower-cost health plans.

But how should healthcare systems plan for the next chapter of virtual healthcare? 

Our team suggests that any digital plan forward should be rooted in data by firstly understanding your consumers and their needs. This can be done through customer journey mapping exercises, user interviews, persona development, and more. The collected data should then be used to drive the creation of seamless consumer experiences across the board and will help to optimize the future of your organization’s virtual care longevity.

#4 Chatbots are here to stay

Why not aim for a patient-oriented approach to reduce the strain on your limited resources?

All sounds fantastic! But, have you and your team thoroughly thought through your organization’s specific needs?

A well-thought-out and implemented chatbot can seamlessly integrate into an organization’s digital consumer experience. However, a not-so-great one can lead to serious consumer discontent. That’s why our UX team advises that before getting too excited about a chatbot, your team first answers…

“What is the main problem we’re trying to solve for the consumer?”

In order to create a proper chatbot, you will need to be very clear and upfront about its capabilities. Otherwise, some patients will automatically expect to “chat” and have a full range of flexibility. However, when the chatbot is unable to do so, will become frustrated. We suggest that your team plans to complete an in-depth UX exercise prior to implementation. This includes:

• Settling on a goal
• Mapping out personas
• Crafting user flows
• Teasing out the language (and possibly synonyms your chatbot will use)

Quick tip: if you’re trying to help a patient find specific content you may be better off investing in content strategy and internal search. 

What’s next?

COVID has helped to accelerate digital transformation and consumer experiences for healthcare. As we emerge from the pandemic it’s imperative that organizations continue to forge stronger connections with patients.

Our team can help.

We help healthcare organizations identify the right digital strategies and create products that …

• infuse control
• transparency
• and choice

… into the consumer healthcare experience.

Contact us to learn how our clients are tackling some of healthcare’s biggest challenges.