BHB INVEST – Balancing Growth & Risk: HIPAA-Compliant Marketing Solutions

This article is sponsored by Cardinal Digital Marketing. This article is based on a discussion with Alex Membrillo, CEO of Cardinal Digital Marketing, and Rich Briddock, Chief Strategy Officer at Cardinal Digital Marketing. This discussion took place on October 11, 2023, during the BHB INVEST Conference. The article below has been edited for length and clarity.

Alex Membrillo: At the start, one thing should be clear: as a healthcare marketer, you can no longer ignore HIPAA guidelines. Tightening regulations are impacting and will continue to impact all aspects of digital marketing in healthcare, including advertising, reporting, and your marketing technology and operational stack. There’s no understating what an impact this all has had on marketers and digital marketing strategies.

Until now, marketers haven’t had to deal with compliance. With these new compliance paradigms in place, however, marketers now have to go to legal and compliance and their C-levels and say, “Hey, some things that we’re doing might get us sued and are getting lots of people sued.” All of these changes at the regulatory level have triggered the need for industry-wide adjustments with regard to compliance.
Today, we will talk about how marketing has changed, where you need to operate with more caution and clarity, and what you can do to adapt and grow faster.

I’m not going to shortchange it: Becoming HIPAA-compliant is a pain. Everyone in the healthcare industry is experiencing it. There is a significant upside, however, to becoming compliant: better technology and, more importantly, better ways to track the effectiveness of your marketing campaigns. At Cardinal, we’ve seen our clients lower their cost per lead and their cost per patient. Overall, these changes have helped tremendously, and today we’ll walk you through what you have to do.

We’re going to talk about some complex issues around compliance today, but at the end of the road, there is a lot of growth. We have seen it personally with our clients.
First, let’s talk about timelines. It started with the FTC on September 22, 2021. The FTC released a notice that, in short, said, “We’re not exactly sure what’s going on with these pixels that Google and Meta and TikTok have, but we think they might be capturing some data that they shouldn’t.”

At the time, not many people paid attention, including some of the largest health systems and behavioral groups. Then, the other acronyms started getting involved and releasing bulletins, including the HHS and OCR, reiterating the FTC’s original point about pixels. Shortly thereafter, the lawsuits started coming in from government entities.

The case that people are mostly familiar with is BetterHelp. BetterHelp was taking their patient lists and uploading them into ad platforms like Facebook and Google to help those ad platforms target better. The industry reaction was, “That’s what BetterHelp was doing, and that’s why the lawsuit came, so as long as we don’t do that, we’ll be fine.” We didn’t do that, and it still “wasn’t fine” for many groups.

The fines started coming from the FTC. The lawsuits didn’t stop coming from the government entities. The class action lawyers stepped in and started suing almost everyone with a pixel on their website.

Rich Briddock: Who here uses Google Analytics? Who here uses Google Ads? Who here uses Facebook Ads? Yes. If you use any of those three, you are not compliant.

Membrillo: You can use them and just not have the pixel on your website. Unfortunately, most provider groups still have the pixels on their websites. Google Analytics, the first one you mentioned, is not HIPAA-compliant either. Google will not sign BAAs, and they don’t even imply that it is halfway compliant.

State-based privacy changes are starting to roll out, too. Delaware and a few other states, including California, have these new changes in place, but you’ll see it soon across the entire country. You might ignore it for now if you are, say, a smaller organization and believe you will not get any attention from the government. Unfortunately, we’ve seen smaller organizations get sued, too. In short, you’ve got to do something about it.

Briddock: Yes. Absolutely have to.

Membrillo: You’ve got to do something about it. The problem is the combination of PHI and PII. Anytime you ingest a URL and combine it with anything, it’s a violation.

Briddock: Which Google Analytics, by the way, and all of these solutions collect by default. It’s not just thinking about, “Oh, well, I’m not sending IP addresses, email addresses, or names and phone numbers to these platforms.” Problems can arise, however, with something as innocuous as a URL or a device ID, potentially. Google Analytics is specifically the one where you’ve got to be incredibly careful. The whole purpose of Google Analytics is to track what happens on your site, which includes URLs.

Google came out and expressly said that Google Analytics is not HIPAA-compliant, that they never intended it to be HIPAA-compliant, and that if you utilize Google Analytics on either authenticated pages, which is where people are logging in for patient information, or on unauthenticated pages that talk about the provision of healthcare services, you are not in compliance. Every single page on your website probably talks about the provision of healthcare services because you’re a healthcare company.

Essentially, if you have Google Analytics on any page of your website, bar the careers pages, you are probably not compliant.

Membrillo: You have to conduct an audit. Unfortunately, there are not a lot of people that know much about this. We’ve spoken with compliance groups, private equity firms, some of the best-known healthcare services, and private equity firms with huge portcos. A lot of these entities, including their compliance officers, are not worried about these issues yet.

You need to worry about these issues, unfortunately. You have to get educated, talk to legal, talk to compliance, and tell them to read where all these fines and these class actions are coming from. The class actions are listed online. Then, you’ve got to start doing an audit of your marketing efforts and your tech stack.

Meet with your marketing team and ask: What do we have? Where are the pixels? If I can say anything else, the pixels matter most. When you use Google Analytics, Meta, Google, you have pixels. Any tool on any website can show that there’s a pixel in a GTM container. Pixels have to be the first thing to go.

Briddock: One of the key issues is not that you use this technology; it’s that these technologies will not sign BAAs. Facebook will not sign a BAA, Google Ads will not sign a BAA, and Google Analytics will not sign a BAA. These companies will not be governed by any agreement with what they will do with your data because, obviously, they utilize your data to make billions of dollars a year, and they’re not going to curtail that for the sake of compliance.

They don’t need to, especially in the case of Google Ads and Facebook Ads, because they’re monopolies. You’re going to use them probably irrespective of whether you can put a pixel on the site or not. They’re not going to do anything to hamper what they can make in terms of money. There are solutions out there that will sign BAAs, and marketing platforms that will sign BAAs, specifically on the analytics side.

When you’re looking for a Google Analytics alternative, and we will recommend some here, there are companies that can be reasonable in terms of cost that will sign a BAA so you’re protected, and you can be compliant. Also, data warehouses. If you’re going to send data to a downstream data warehouse or to a data lake, which is obviously a buzzword and very fancy, and everyone likes to do that nowadays again, you want to have a BAA in place if you’ve got PHI going into that data warehouse.

Membrillo: Before we transition to discussing CDPs, I want to point out something else related to the agencies you’re working with. Most have call recording in place to check the viability of calls. We, as an agency, have access to all kinds of PII. Make sure your agency can also sign a BAA. Cardinal is putting a HIPAA compliance program in place. We can sign a BAA and not violate it.

Some agencies will just sign it, but you need to ensure services and tech vendors are on board, too. Now, on to CDPs. This is not one of the more inexpensive routes to go. This is for your bigger groups that have a lot more exposure.

Briddock: Yes, a Customer Data Platform. Customer Data Platforms have always existed. Their basic function was to allow you to collect data from your website using one tool instead of multiple tools. You didn’t have to collect using Google Ads as one mechanism, and Google Analytics as another mechanism, Facebook Ads as one mechanism. It was to make collection of data easy to send down to downstream destinations. The added benefit is these guys will sign BAAs. If you basically take all the pixels off the website that you’re using with Google Analytics, Facebook, etc., you can put a CDP in place, it will collect all the same information that you were sending to those programs or those platforms, but with a BAA in place, so it’s okay. Then you can control what information then gets sent to those downstream destinations.

In that case, you can still use Google Ads, you can still use Facebook Ads, but instead of sending them the whole kit and caboodle, which is what you’re doing by having a pixel on the site, you are limiting what information they receive, which can be compliant. The best part is you can have your compliance officers review what is being sent and sign off on it. That is a layer that does not exist right now because it’s completely black-boxed.

You have no idea what Facebook is gathering through that pixel, you have no idea what Google Ads is gathering, and you have no idea what Google Analytics is gathering because they won’t tell you.

Membrillo: This is not a cheap solution: you’re looking at a few thousand a month. You really have to be a big group with big exposure and a sophisticated marketing squad.

If you’re removing pixels, how do you still have visibility? The pixel, after all, was telling you what people did on your website, and it also fed information back to the advertising platform. Without it, how do you give feedback information to a platform? We have partners, including Line and Patient Prism, that focus on healthcare only. That is who we generally send all of our clients to for call and lead tracking. Most people in healthcare marketing are familiar with simple call-tracking platforms. These are a little bit more elaborate, especially Line, a good partner of ours.

They can look at everything— not just calls, but also lead forms. When a lead form comes in, they call the call center and the patient immediately for instant connectivity. The really powerful platforms like Line will also give you call center information, including which agents are converting well and which are not. They’re going to give you reasons by location, too, where people are not booking appointments, whether it’s due to lack of payer partnerships or scheduling availability.

You can glean tons of data from these platforms if you use them right. The key to these solutions is to feed that data back to the marketing platforms. Since you no longer have the pixel, you must feed back the information on what was a good lead or who became a patient into the ad engine. It’s not cheap, but it’s very important for marketing analytics. Mixpanel is the easiest, cheapest solution and can swap out for Google Analytics.

Briddock: Yes. There are about four or five different analytics solutions out there that you can pay for that will sign a BAA. Mixpanel, as Alex said, is the cheapest, it is the easiest to stand up if you just need a standard BAA. That is the big caveat. If you guys have a compliance team or an in-house counsel who wants a tool to sign your BAA on your paper, that completely changes this equation.

Mixpanel has a $75,000 annual fee in order to sign your BAA. To sign their BAA, it’s $200 a month. It’s a big, big difference. Heap is going to run you $30,000 a year minimum. Amplitude, PeerWeek Pro, a few others, the same. Again, these are serious investments, but I think with Mixpanel, the value is clear. Not getting sued by the FTC, not getting a class action lawsuit, for $200 to $300 a month. It’s a pretty easy decision to make.

Membrillo: Is it as easy to use as they tell us it is?

Briddock: It’s easy to use. It’s also completely customizable. You can have an implementation team set it up however you want it, unlike Google Analytics which is just how it comes out of the box. It’s a lot more flexible, as well.

I think the key thing, though, is algorithms now are so reliant on the data that you pass back to them, with smart bidding and all these functionalities, with Facebook looking at audiences and everything else. Obviously, a lot of hospital systems, in the early days when this story started to break, they just removed pixels. Now, they have absolutely no way of measuring what impact they’re deriving from their marketing.

Even if they could measure, say, if they implemented Mixpanel, they’re not sending any signals to the ad platforms that they’re doing the patient acquisition through. Those platforms inevitably become inefficient. You can’t use the same bidding models that you were using before, you can’t use the same strategies. You’re really operating with one arm tied behind your back.

It’s really important to not only stand up an analytic solution but also to stand up the right conversion passback with Line or with Patient Prism. It’s not one or the other, it’s both.

Membrillo: What does a full-funnel marketing strategy mean?

Briddock: Yes, I think the other key piece here is there’s still some marketing that you guys can do that doesn’t have to exist around actions that take place on the website. In an ideal world with digital marketing, you should be diversified anyway and you should be targeting the top of the funnel, the middle of the funnel, and the bottom of the funnel. You should be engaging with people at the top of the funnel and just making them aware that you as a brand exist.

Those solutions don’t really need pixel-based tracking because they’re all happening on the platforms that you’re advertising on. Suppose I show you a 30-second video on Facebook about my behavioral health solution. In that case, I don’t really need to see what happens on my website because all I need you to do is watch a certain percentage of my video where you learn about how my behavioral health solution is so much better than anything else out there and how I can really help you overcome whatever issue it is that you have.

Membrillo: How do you look at Facebook, Instagram, Display, and YouTube? Do you recommend it for lead generation out of the box for a behavioral group?

Briddock: There is a tendency to think about branding and patient acquisition as two separate buckets. Ultimately, they work together. If I saw your video and I became aware of your brand, and I now know your brand, and I like your brand because I love your content, you have really explained to me and educated me on what you do and how you’re different.

The central issue is humans can’t determine what is better, but they can determine what is different. If you’re really educating me on how you’re different, and how you stand out, then I can make a more informed choice. The counterexample is everybody running to the bottom of the funnel when someone types in “therapist near me” and then I, as a consumer, can’t make a decision because I can’t determine any differences, and I have no idea why I should buy from you versus someone else.

What we found and what Google has found is that clients who do more of a full-funnel approach actually generate a lot more patient acquisition with a much more effective conversion rate than if you just go to the very bottom of the funnel and you try and reach people right before they convert.

Membrillo: If you’re a smaller group and you’re not spending a lot on Google Ads, should you be running this full-funnel approach? When do you start looking at running Facebook, Instagram, YouTube?

Briddock: If you are hitting a point of diminishing return on search and your SEO is performing well, or if you’re opening new, de novo locations, emerging into new markets, then you should definitely be doing a full-funnel strategy. If you’ve got $1,000 to support five locations, then yes, your money’s going to be best spent on search because you need to engage with people at the bottom of the funnel. You can’t afford to be running top-of-the-funnel category awareness Facebook campaigns.

Membrillo: Yes, that’s important to know. Something else that those tracking platforms can do is split out your traffic and your leads and your appointments by service line. You’ll know your cost per booking for therapy versus med management and you can optimize towards those. The caveat is, as Rich said, that you want to be hitting a certain impression share loss to budget (say, 60%) before looking at doing anything upper funnel.

Briddock: Yes. Like I said, I think it’s more of a diminishing return. If you’ve got an exponential investment opportunity on search where you can drive a cost per new patient at a reliable rate, then you should probably keep spending and driving that. There will come a point, however, where those costs start to creep up, and that’s when you should really start to think about full funnel.

Membrillo: Something else we’ve seen that really hurts cost per patient and cost per lead is the lack of appointment availability or not having online booking. Get yourself some online bookings and then make sure appointments are available in the next 72 hours. We’ve seen conversion rates get crushed because of that. When do I need a DSP? What’s a DSP? What’s it for?

Briddock: DSP is a demand-side platform. Essentially, that’s for display advertising, native advertising, programmatic video, and programmatic audio. Any banner ads that you see on the website, native ads that you see like sponsored content, or programmatic video ads you see when browsing around websites or in-app all come through these demand-side platforms. Again, similar to Google Ads and Facebook Ads, a lot of these DSPs are not HIPAA-compliant. They’re taking a lot of your data and essentially nothing is governing what they’re doing with that data. They also use pixels. Again, if you’re running any display advertising outside of Google Ads, you definitely want to look into a HIPAA-compliant DSP. There are some specific DSPs out there that are, again, built for healthcare.

You’ve got Lasso, PulsePoint, and DeepIntent. There are others that you can use in a HIPAA-compliant way by, again, using offline conversions. What’s great about these DSPs is they’re good for patient acquisition, but they’re also great for provider acquisition. Really what these three companies were built on, was actually marketing to providers.

If you guys have this issue of provider recruitment, these three solutions are incredibly effective at getting in front of those providers and priming the pump. You’re probably not going to get 500 applications from running a display campaign to providers.

Membrillo: Or any, but you’ll get more awareness.

Briddock: You will build awareness so that when that provider feels burnt out, they’re like, “Oh I know so-and-so mental health care company.”

Membrillo: Can you target mid-levels like RBTs, VCBAs, etc.?

Briddock: Yes, you can target any job position out there.

Membrillo: How are they doing that?

Briddock: You can target by MPI number. If, say, you know John Smith and really want John Smith to come work for you, you can target John Smith. The cool thing about provider recruitment solutions is there are no constraints on what you can do. HIPAA is not an issue.

Cardinal Digital Marketing is made up of strategic growth partners dedicated to helping the world’s largest healthcare organizations scale their business and their impact.