As the privacy landscape undergoes dramatic changes, it’s more important than ever to evaluate whether your partners have built their offerings to support data privacy and consent standards.
The privacy landscape is undergoing dramatic changes, with new regulations and state laws, increased FTC enforcement within the healthcare and technology sectors, and changes to commonly used measurement and audience definition technologies. As these shifts occur, it’s more important than ever to ensure that your partners and vendors have meaningfully built privacy and consent into their offerings. When they have, consumers can make informed choices about their data privacy and your team’s plans comply with all applicable regulations.
Investing in tools and strategies that support responsible data collection and use is critical to maintain patients’ trust. When evaluating how a vendor’s consumer tactics prioritize privacy and consent, consider these four questions:
1. Does the partner have a Consumer Health Data Privacy Policy in place? If so, what is it asking consumers to agree to, and how is this communicated?
When assessing partners’ privacy policies, both substance and clarity are important. Carefully examine what the policy allows partners to do with consumer health data, how long they can keep the data, and whether and how the data can leave their control. To maintain transparency, it’s important to ensure policies are easily digestible for consumers. Some additional elements that regulators are watching for are specificity and how clearly the policy communicates these requests.
For example, if the language used in a vendor’s privacy policy includes too much jargon or is overly technical, how well will consumers understand what they’re being asked to agree to? When choosing a partner, it’s important to look for policies that make it clear to an individual what they can expect to happen with their data if they agree to it being used.
2. How does the partner prioritize patient consent? Is health content delivered based on data captured from individuals via unconsented technologies like cookies, trackers, pixels or other methods?
Technologies like pixels, cookies and trackers often gather information without an individual’s consent, or even their awareness. However, new state privacy laws now require specific consent before collecting and using consumer health data, which means that tactics that rely on these technologies may not meet the standards in some areas. Investing in technologies that require appropriate consent and use first-party data to deliver health messaging is important. Not only does this allow for personalization and effective delivery, but it also offers both you and the consumer transparency about when and how a message will be served.
Consent-first platforms also help teams plan and execute campaigns more efficiently without a state-by-state-level approach that needs to be frequently adjusted to comply with shifting regulations. Plus, with the full phaseout of third-party cookies from Google’s Chrome browser quickly approaching, working with consent-first platforms will be a matter of both compliance and practical necessity.
3. Are data models used to draw inferences about one group of individuals, based on the consumer health data of others?
Although tools like lookalike audience modeling don’t directly gather consumer health data from the people they identify for messaging, there’s concern about whether these types of models are obtaining accurate consent. For instance, do the individuals whose data is used to create a lookalike model give consent? And do the people who receive healthcare messages through these models also provide consent? Making inferences on high-quality data that has been gathered from individuals with their consent ensures more reliable and accurate results, all while staying compliant with new privacy standards.
4. Does the partner use geofences to deliver health content?
Geofencing is a method used to identify and interact with consumers based on their location. However, the tactic is prohibited or limited under various state consumer health privacy laws. Additionally, GPS data, which is often used in geofencing, is increasingly considered sensitive information. Some stakeholders are attempting to work around these restrictions by excluding certain healthcare service areas from their geofencing efforts. However, completely excluding these areas is more challenging under the new state laws than some realize, as there is no comprehensive list of all the specific healthcare locations that fall under protection.
If you are considering geofencing strategies, it’s crucial to understand how a partner that supports geofencing implements exclusions around places like health facilities and other sensitive locations. This is essential for complying with existing state laws. As this area of regulation continues to evolve, it may be worthwhile to explore alternatives to geofencing to ensure compliance and effectiveness in messaging and engagement efforts.
Creating a privacy-preserving environment
As new laws go into effect at both the state and federal levels, considerations around what is acceptable for privacy and consent within healthcare messaging are evolving quickly. Healthcare communications specialists know the value of personalization—and consumers, too, expect to find relevant content when using digital channels. Offering a tailored experience does not need to be at odds with compliance, but it may require thinking about partners in a different way.
Learn more about our consumer health data privacy policy and how Phreesia can help you safely connect with patients at key moments in their healthcare journey.