Inside HIPAA-Compliant Marketing: A Guide for Healthcare Leaders
The regulatory landscape for healthcare marketing has shifted dramatically—and compliance teams are feeling the pressure.
In the latest Compliance Conversations episode, CJ Wolf is joined by Aaron Burnett, CEO of Wheelhouse Digital Marketing Group, for a deep dive into the crossroads of digital strategy and HIPAA compliance.
Aaron lays out the big picture: sweeping changes in OCR guidance, FTC crackdowns, and privacy-first updates from platforms like Google and Meta have made traditional third-party tracking tools a risky bet. But that doesn’t mean healthcare marketers have to settle for less.
His advice? Take control of your data destiny.
That starts with replacing third-party trackers with first-party data collection, building HIPAA-compliant warehouses, and shifting from outdated attribution models to advanced media mix modeling. Burnett also discusses why collaboration across compliance, IT, marketing, and legal is essential for reducing risk while driving results.
Episode Transcript
CJ Wolf: Welcome everybody to another episode of Compliance Conversations. I am CJ Wolf with Healthicity and today's guest is Aaron Burnett. Welcome, Aaron, to the show.
Aaron Burnett: Thanks very much. Looking forward to the conversation.
CJ Wolf: Yeah, we're so grateful that you've taken some time to share your expertise. Before we jump into our topic, we always invite our guests to share a little bit about themselves. Maybe tell us about your background or what you're currently doing, whatever you're comfortable sharing.
Aaron Burnett: Sure. So I'm Aaron Burnett. I'm CEO of Wheelhouse Digital Marketing Group. We provide performance marketing for privacy-first industries. We have a strong concentration in healthcare and med tech, have worked in those industries for 13, 14 years. We think about our work as helping our clients thrive by solving their toughest digital challenges. So we're not necessarily the agency you bring in to get a 5% incremental gain year over year. We're the agency you bring in to completely redefine strategy, change go-to-market, and get 100% or 200% gain. The sorts of problems we might solve are reimagining the online booking experience, as we've done for Providence, which drove, I think, an 860% year-over-year gain in online appointment bookings, or developing HIPAA-compliant data solutions, as we've done and implemented for very large healthcare and insurance and medtech clients, or some of the work that we've done for NASA over the last six years to consolidate about 2.5 million pages of content across 29 websites into a single new unified information architecture.
CJ Wolf: Awesome. So then it is rocket science because you're working with NASA.
Aaron Burnett: Some of it. You know, I'll tell you, NASA is exciting work because of the scale. It's also exciting because of the results we can drive. They're the one client where we can say we drove an increase of one billion impressions in search over six months.
CJ Wolf: Awesome. Awesome background. Thank you so much for being willing to share. And so, you know, as we were talking a little bit before the show started, most of our audience are compliance officers in healthcare. You know, you mentioned HIPAA. And so a lot of compliance officers, obviously HIPAA is one of the larger areas that they oversee. And so we're going to talk a little bit today about digital marketing and kind of regulatory compliance and those sorts of things. So maybe to kind of get the stage set, what would you say is kind of the current state of regulatory compliance as it relates to digital marketing?
Aaron Burnett: Sure. I think, you know, the short answer is it's complex and unsettled and continues to be so. So I can kind of take you through three different levels or so of where compliance and regulatory changes are having impact. You think about it at the federal level. We talked about HHS, and everyone in your audience will be aware of the OCR guidance in 2022. The de facto impact of that was to say pretty much all third-party tracking for digital marketing is a HIPAA violation, because most third-party tracking captures the content that someone is visiting and an identifier, which was defined as IP address. And so that upended the industry. And we had lots of clients who pulled out all tracking. We had some who took a wait-and-see approach, some who implemented new solutions, some who very quickly regretted the new solutions and are on to a second, better solution. So we have that going on. And then, of course, we had the lawsuit from the American Hospital Association against HHS, which nullified a key part of HHS guidance, saying this prescribed combination, the URL plus IP address, really couldn't be forbidden. What's interesting about that ruling is the judge didn't say that's bad policy, you can't do that. The judge said you failed to comply with the Administrative Procedures Act, which can be distilled to: you did it wrong. You didn't do the wrong thing, you did it wrong. And so we anticipate that there will be a new run at similar guidance. And then on top of that, HHS has issued their intent to add to the security side of HIPAA guidance, or rather HIPAA compliance, and require organizations now to audit and document their security procedures and data flow across the organization. So a lot of continuing complexity and a lot of additional overhead there. You have increased regulations at a state level.
I think we're up to 21 states with active privacy laws that are different from one another, and some of which are even more restrictive and onerous than what exists at a federal level. You have FTC actions against those organizations that might be sloppy with or suffer from data breaches. And then you have the impact at a platform level. So regardless of what happened in that AHA versus HHS lawsuit, the ship had really sailed, and Google, Meta, and other advertising platforms, along with covered entities, I think had collectively decided it's not worth the risk. And so you have Google introducing what they've called the Privacy Sandbox, which is a different way to track, and I think that can best be understood as Google gets all of the data and everyone else gets almost none of the data. You have Meta introducing their sensitive categories restrictions at the beginning of this year, which significantly constrains what covered entities, or even not covered entities, MedTech companies that aren't a covered entity, can share in what Google will ingest. And you have changes at a browser level. Firefox and Safari don't support cookies at all. You have changes with Google shifting to a consent model, where many of their users, a significant percentage, now also won't allow third-party tracking. And so collectively, you have a high degree of complexity on the regulatory side, creating risk and uncertainty regarding what you can track. And you have a high degree of uncertainty, I guess, loss of fidelity on the platform side, meaning that if you are a digital marketer in healthcare or med tech, you have much less data than you had previously. The fidelity, the accuracy of that data is much lower than it was in the past, and you have a lot greater regulatory uncertainty and regulatory risk. Having said that, though, I think one of the things that maybe gets missed here is that that does not mean that if you're in digital marketing for healthcare, you necessarily have to have less data.
You have to go about collecting the data differently. You have to handle it with greater care, perhaps, than you did. You have to activate it differently. But we have clients that have significantly more data and more data fidelity today than they did prior to the HHS guidance.
CJ Wolf: Nice. That's a great kind of summary of this regulatory background. And hearing you speak makes me think, as a compliance officer in past lives, I'd often be invited to meetings. I have a seat at the table where our marketing folks or operational or business leaders are pursuing certain things and compliance is there. And as you mentioned just briefly, some people just say it's easier to avoid the risk. Let's just not even get close to it. Let's not try to maneuver it. But what I'm hearing you say is there is an appropriate way to maneuver it. So, you know, as a compliance officer sitting at a table where these kinds of business decisions are being discussed, what do you think are some commonly misunderstood things about compliance and digital marketing? Because, you know, we might jump to the conclusion of it's just not safe. Let's not do it. But it's sounding like now we might be misunderstanding some things sometimes.
Aaron Burnett: Yeah, I think there are a couple of things. I think the biggest and most important thing is that you can collect a great deal of data. It's not the collection of the data that's problematic, in the main, as long as you're observing cookie consent. It's the sharing of the data with third parties who are not under BAA. Now, what that implies is some significant operational changes. You can't rely on third parties to collect your data and provide it to you in a manner that allows you to analyze it and discern insights and performance information from it. You have to do that yourself. But again, if you shift from "we're going to use third-party tracking, we're going to use Google Analytics, a Meta pixel, all of these third-party tracking tools, and we're going to send data to those third parties," which is absolutely problematic, that's a bright-line issue, and instead say, "we're going to develop a means of collection that allows us to house the data internally," so it's either in our infrastructure or it's warehoused by a partner who's under BAA with us, you can have absolutely high-fidelity, very detailed data. That data can be related to all of your advertising and site analytics. And if you do it right, it can also include data that you never could have incorporated into third-party platforms. You can include integration with your CRM system. You can include first-party and zero-party data. And now you have a really interesting, rich data trove that you can mine to understand the entire user or patient journey, the performance of your digital advertising, and then think about how to activate that data. A really critical consideration is activation. You can discern, you can glean insights from data in your data warehouse if you develop one, and you should. You cannot take that data and share it with a third-party platform. You have to air gap those insights and activate without sharing anything that approximates PHI.
So it's just a different way to develop and optimize campaigns.
CJ Wolf: Yeah, so it sounds like you've probably helped clients kind of navigate those nuances in the past. What's your experience in helping compliance officers understand those nuances?
Aaron Burnett: It starts with a lot of conversations. I mean, you described a typical meeting to which you might be invited. And our experience is that compliance officers are sometimes invited to those marketing meetings, but not often. Correct. It's seen as sort of, ah, you know, this is really going to slow things down. Sort of a necessary evil. We'll do it in this instance. So it starts with kind of changing that mentality. This needs to be a partnership. So the compliance team and your legal team and your marketing team and your IT folks all need to become friends and understand things in the same way, and understand data flow today and the points of risk in data flow today, and the options that are available to change that implementation and to preserve utility and optionality for digital marketing while ensuring compliance and an elimination of legal risk to the greatest extent possible. And so it starts for us with a lot of discussions with these parties and a lot of education, because all of them are expert in different things and they all now need to become semi-expert in one another's disciplines. That's right. And then describing the options that are available to an organization in a manner that has no agenda except that we want the organization to identify the best option for them. And so we try to come in neutrally. We have a recipe for how we have developed and implemented HIPAA-compliant data solutions. Our recipe might not always be the right one for a particular organization. There might be something in their infrastructure that means our approach isn't the best. They might already have preexisting technology that we should actually be building on rather than introducing something new, or they might have quite a simple digital marketing ecosystem, which means that the approach that we might take is perhaps overkill. So we come in neutrally and just say, these are the things that you could do. And this is sort of the continuum of cost.
These are the vendors who are available in this space. This is what we know of our work with them and how these options map to your particular circumstance, and then help to guide the discussion to selection. I think the key ingredients of the right kind of HIPAA-compliant data solution, regardless of the technologies or partners involved, are absolute control at the moment of collection and absolute control at the moment of sharing. Right. Those are the two things that our approach includes. And there are other things that we do in terms of data cleansing and injection blocking and that sort of thing. But those two elements are the key. And those two elements make the job of a compliance officer so much simpler. One of the problems with third-party tracking is that what is collected is governed by a data library that is defined by a third party. And the data library can be updated whenever they choose. And so even if you and I were working together and I'm in marketing and I want you to review a pixel for a third-party advertising platform, and we go through and we identify everything that that pixel collects today, and we decide that's okay, we have no guarantee that tomorrow they will be collecting the same thing that they were collecting today. And so the shift that we make is, all right, we replace all third-party tracking with a private client ID that exists only in the ecosystem of a client, and with a data library that we define in concert with a client, so that we know positively what is collected and nothing else can be collected. And then we do the same thing on the sharing side. We control, down to a single data attribute level, what is and isn't shared with any third party. And those are key ingredients to any solution in this space.
CJ Wolf: Yeah, sounds wonderful. So Aaron, we're going to take a quick break and then we'll come back and we'll talk some more about the compliance and digital marketing. Welcome back from the break, everybody. We're talking to Aaron about compliance and digital marketing. And Aaron, you're just sharing kind of ingredients of the recipe. I just wanted to make sure there wasn't anything else, any other ingredients that you think are included, or do you feel like we've got the batter mixed and we're ready to bake the cake?
Aaron Burnett: Yeah, there are a couple of other things that really need to become motherhood and apple pie for this sort of ecosystem. So one is the HIPAA-compliant data solution. But the second, you know, in order to develop and maintain high-fidelity data, you need a data warehouse that is within your infrastructure or is held by a third party under BAA. And so increasingly, we see that as just a foundational element. You can't get anywhere without a data warehouse. We warehouse all of our clients' data just by rule, because it's the only way that we can see what's going on and do so with a high degree of sophistication. I think the third element, that is quite important now, is a shift away from what's called attribution modeling. So attribution modeling is the conventional way to figure out what's working and what's not in digital marketing. You look at performance. And historically, through platforms like Google Analytics, you would look at the last channel that a visitor came in through before they converted, or the first channel that began their journey. Or you might model and say, I'm going to equally weight among all of the touch points. And that had some use, much greater use when we had much greater fidelity and trust in that data. But as the percentage of data that we collect has dropped so precipitously, some estimates are that we've lost up to 60% of the cookie-based data that previously was available. And as you have more happening with cookie deprecation and cookie suppression at a browser level, you can't really rely on attribution modeling. And so you have to shift to a much more sophisticated approach, in our opinion, called media mix modeling, which allows us to see, it's a very sophisticated statistical approach. It allows us to see the direct and indirect effects of all marketing channels. Historically, that was only available to big advertisers who had millions of dollars to spend.
It usually took six to 12 months to develop media mix models, and it would take another six months every year when you wanted to refresh the model. That data, because it was so insightful and so powerful, gave those advertisers a significant advantage. What's changed over the last year is that there are a couple of open source models that are really good. So these are free for clients, for companies to use. One is from Google, and it's called Meridian. We've evaluated it thoroughly. It is neutral. It doesn't bias toward Google. It's quite sophisticated. And the other is from Meta and it's called Robin. Both of them can be deployed in a HIPAA-compliant fashion. So we've deployed Meridian on top of our HIPAA-compliant data warehouse, and it gives you the ability to run these sorts of sophisticated analyses and to have directionality, and even to understand where you should be investing your budget to get an optimal return and what return you should expect. So something that was only available to the really big boys with lots of money before is available now to independent companies and smaller entities. Implementation is not for the faint of heart. It is complex, but it's worth doing.
CJ Wolf: Well, that's fascinating. As I'm hearing you talk, I'm thinking a lot of these concepts compliance officers need to be aware of, but also just connecting people in the right form or fashion. So you compliance officers that are listening out there, I know that you have interaction with your marketing folks, but this might be a good episode to forward to them. And you both kind of get on the same page when it comes to kind of digital marketing topics and talking points. Aaron, so, you know, I'm not an expert in antitrust rulings, but before the show, you were sharing with me that there's been some recent rulings. And so maybe we can hear from you about do any of those recent antitrust rulings, and you mentioned against Google, impact any compliant healthcare marketing? Yeah.
Aaron Burnett: So just a couple of days ago, the Department of Justice filed with the courts that already had ruled that Google is in fact monopolistic in their practices. Right. And what they're advocating is that Google be forced to divest of Chrome, their browser. Okay. And I think that the impact that that might have on privacy regulations and on compliance is something that already is underway today, but is likely to accelerate. Google gets a tremendous amount of data through Chrome. That is arguably one of the main reasons that they developed and rolled out that browser, which is a free browser. They get lots of signal that allows them to understand the search landscape. They get a tremendous amount of signal that allows them to understand, and the Department of Justice would say sort of manipulate, the search advertising landscape. Without that data, and in anticipation of, I think, some of these rulings, Google has shifted to a form of device fingerprinting. So rather than third-party cookies or even server-side tracking, device fingerprinting requires no consent on behalf of a user and occurs entirely at a machine level, and can stitch together identity and sessions from device to device. So from a laptop to a tablet to a mobile phone and back again. So I think that what we're likely to see is that data collection kind of goes underground in a way that end users have very little control over, and compliance officers also can't really anticipate and govern either. I don't know what new regulations will be developed to govern that, but I do think that it's probably not good that the data collection that we've attempted to govern, to handle ethically, now goes underground in a manner that isn't visible to compliance, to end users, or even maybe to regulatory entities.
CJ Wolf: Interesting. Yeah, see, I'd seen that headline, but I didn't really know kind of some of those details that you just shared. So I appreciate you sharing a little bit more about that.
Aaron Burnett: The device fingerprinting has not been widely publicized, and Google certainly isn't gonna make any noise about it.
CJ Wolf: Makes sense now, thank you. So Aaron, I wanna ask you to kind of read the tea leaves and predict a little bit here, given your expertise and your experience in this field. So if we were to look forward, you know, what innovations or technologies do you think will most likely impact HIPAA-compliant marketing? And then how should healthcare organizations prepare for that, as we always are trying to anticipate the future a little bit? Yeah, yeah.
Aaron Burnett: Well, I think, you know, we've covered a lot of it. I think that really the headline for me, and the guidance that we give our clients, is that as quickly as possible, you have to take control of your own destiny. Historically, digital marketing was made easy by third parties providing us with data through third-party tracking, insights in their own platforms, even if those insights were sometimes biased. They would define audiences for us years ago, allow us to track those audiences and remarket to those audiences. All of that was made easy. Most of that is gone now, should be gone if it's not already, for anyone who is a covered entity. And our belief is that you have to take control of your own destiny in terms of data collection, in terms of data warehousing, in terms of gleaning insights from your own data, in terms of audience identification and activation. You have to develop your own data ecosystem that does not rely on third parties in the same way. And our experience is, and our belief in the future, that if you do that, you are protected against the whims of third parties. So for example, at the beginning of this year, Meta rolled out their sensitive categories restriction, which compliance folks may or may not be familiar with, but it was a really big deal for marketers. What Meta said is, if you are in any of these 14 categories that we have defined, we believe that there are regulatory restrictions and/or risk associated with our collecting certain forms of data related to digital advertising to prospective clients, patients, what have you, in these spaces. Some of them were healthcare and med tech related, and some of them were not. Some of them were finance or even travel. The problem is that one of the things that they restricted is conversion data. So an event that says a person did the thing that I wanted them to do. If you don't have conversion signal, then you can't optimize a campaign to get the performance that you need.
And it doesn't matter whether you're collecting client-side or whether you're doing server-side tracking. If you can't send that data to a platform, you have a problem. For our clients who had already implemented our HIPAA-compliant data solution, we simply were able to change naming conventions and still provide signal that we understood to be conversion, that was still compliant with what Meta did, with what Meta implemented in terms of their restrictions. We didn't get back to perfect parity. We can't take advantage of algorithmic optimization in the platform, but we maintain clarity with regard to performance. And it took relatively little effort on our part to do it, because we already had taken control of the data collection and sharing mechanism that allowed us to define what's shared and what's not down to a single attribute level. So doing those kinds of things protects you from a platform, a browser, a new set of regulations coming out and upending your entire apple cart.
CJ Wolf: So Aaron, you know, I am hearing kind of the part of this take-home message is taking control and being in control of your own destiny. You know, you've talked many times about having your own data warehouse and those sorts of things. Who are the key players in an organization? Is this limited to a silo of marketing, or, you know, in a large, complex health system, are the information security officers involved, the compliance officers, your head of IT? Tell me some of the key players that you typically would want involved in an initiative of taking control of your own destiny.
Aaron Burnett: Yeah, so all of those folks you just listed. So when we work with an organization of any size, we go through operational security review. We're working with IT and IS. We're working with the chief compliance officer, usually a chief marketing officer or VP of marketing. We are working as well with people who are at a director or even manager level, who are developing and implementing and optimizing campaigns, to ensure that we understand their needs and we're accounting for those needs. And we're working with the web team as well. The initial work that we do when we're implementing our solution, and this would be true of anyone's solution, is to implement a new private client ID and often implement some form of analytics container on a website, and that requires working with the web team as well. We often are working with folks in terms of change management, and we're working with folks in terms of quality control, to ensure that once we go through the process of creating an optimal environment and an environment that is compliant, it's not accidentally messed up by a new web update or someone who decided to run a new campaign. And so there's a lot that we do to ensure that processes are in place, and we implement a monitoring solution to ensure that if a change that isn't correct does take place, we catch it really quickly and we can define what it is and revert.
CJ Wolf: Gotcha. So, you know, that last question then was about innovations and technologies, and we've had a lot of other episodes on the podcast in healthcare about AI being involved, like with coding and medical billing and auditing and revenue cycle. This may be a yes or no answer, but does AI play any future role, do you see, in this area that we've been talking about?
Aaron Burnett: I can see that AI might play a role in automation of monitoring, compliance monitoring. Okay. It would be hard for me to see AI playing a role in development and implementation of a solution that is meant to satisfy compliance. That feels like a hands on the keyboard sort of a thing that you wouldn't outsource to an agent.
CJ Wolf: Yeah. And that's basically what I've seen in a lot of responses as we've talked about AI and other compliance areas. But just wanted, you know, kind of your expert opinion on that as well.
Aaron Burnett: Yeah. Our perspective on AI is that it delivers a lot of efficiency in terms of our internal processes. It helps us with some forms of analysis. Some forms of data gathering are made very efficient with AI. Where we draw a line is that we don't use AI for development of content for our clients. We're in healthcare and med tech. The author really matters. The absolute accuracy of the content really matters. And so we'll take no risk there. We also believe that the quality of the content is much better when a human is involved, but we can use AI for idea generation, for structuring and optimizing content that a human then takes across the finish line.
CJ Wolf: Yeah, yeah, makes a lot of sense. Well, Aaron, this has been fascinating. We're kind of out of time, but I want to give you kind of the last word, if you have any parting advice or a topic or a response that I might not have asked you about that you think our listeners should hear.
Aaron Burnett: No, I think it's been a good conversation and we've covered things. I would just say again, take control of your data destiny.
CJ Wolf: Awesome. I love that. That's kind of the take-home message that I received. And for our listeners, we will include in the show notes ways to get in touch with Aaron and his company if you're looking for that kind of service. So thank you, Aaron, for being here today.
Aaron Burnett: Thanks for the opportunity.
CJ Wolf: Absolutely. And thanks to all of our listeners. As usual, at this point in the podcast we ask that if you have topics or speakers that you would like highlighted on the podcast, please reach out to us. We want to make sure we're bringing content that is important to you as a compliance professional. So thanks, everybody. And until next time, take care.