Navigate compliance and protect your organization’s reputation

In this episode of our popular Tips in Ten(ish) minutes video series, Kirsten Lecky, EVP insights and growth at WG Content, sits down with Kathleen Perley from Unlock Health. Kathleen shares three actionable takeaways to help you navigate HIPAA and recent compliance changes and develop a game plan to protect your company’s reputation.

Watch this 15-minute video and learn how to:

  • Audit your website for risk
  • Build governance practices
  • Invest in reputation management

This video was recorded on October 30, 2023, before WriterGirl became WG Content.


0:00:05.6 Kirsten Lecky: Well, hello Kathleen. Welcome to our Tips in Ten Minutes. It’s so nice to have you with us today.

0:00:10.6 Kathleen Perley: Thank you for having me.

0:00:11.9 Kirsten Lecky: Yeah, I’m so excited to have you. Kathleen Perley is the Managing Director of Innovation at Unlock. She has a really cool role there and a really cool background and I’ve gotten to know her a little bit. So instead of me sharing and introducing you, I’d love for you to just talk to us a little bit about your background and what you do today with Unlock Health.

0:00:31.1 Kathleen Perley: Yeah, absolutely. So my background actually when we talk about kind of how you end up in your careers, I oftentimes find myself as an accidental marketer. And so my background is actually in linguistics is kind of what I studied in college. Was working on getting my PhD. I had a very strong and very awesome mom who said, if you live under my roof, you have to have a job. And found my first job in marketing in the digital sector. God, almost 15 years ago. And was there for several years and then started my own firm Decode which is now part of Unlock where we focus really on the healthcare side of kind of total really focusing on helping the healthcare organizations really navigate digital marketing and brand and really kind of bringing together the technology patient satisfaction and understanding the patient journey and delivering success.

0:01:29.7 Kirsten Lecky: Leads us to our conversation because of course we’re hearing so much about the risk of HIPAA compliance with online tracking tools. I think every day we’re reading the headlines and hearing the information and being exposed to more cases and things like that that are happening. So talk to us a little bit about in plain language, our love language in plain language. Tell us what is it, why does it matter? Why should we care? Kind of what’s at risk? Just give it to us, the kind of the 101 of what’s happening.

0:02:00.9 Kathleen Perley: Yeah. So interestingly enough, back in November of ’22, the OCR kind of really published their new, what I’ll call guidelines. But really it was like, Hey, we understand when it comes to HIPAA there might have been some gray areas, so we’re gonna clarify that for you. And so what they did is they identified any type of IP address plus a visit to a healthcare website, whether it’s preparing for surgery any type of healthcare website landing page is considered. Those two pieces together is considered PHI. And so that new kind of interpretation really posed a lot of questions on a lot of marketing tactics ’cause they weren’t just concerned about existing patients or past patients. The OCR guidelines actually expanded it to include anyone that would potentially become a patient. So that’s where all of our marketers across the board are now getting pulled into where we used to say, oh, well this is a marketing tactic. They’re not a current patient, we’re not at risk. This is now changing that whole dynamic where you used to have your, whether it was your MyChart messaging system, separate bifurcated, and then your marketing on this side OCR is now saying IP address plus any type of visit within your organization healthcare website is considered PHI. And that is for anyone who is current, past or potential future patient. And so that just really broadened the implications that we’re seeing from that perspective.

0:03:26.5 Kathleen Perley: And so we’ve been dealing with that for a while. And then recently in July of ’23, the FTC, so the Federal Trade Commission is now partnering with OCR and they put out further kind of letters and recommendations in terms of interpretation where a lot of us were, and mainly more so not necessarily on the healthcare provider side, more on what I’ll call like healthcare adjacent industries. That if you are leveraging an opt-in communication that says, Hey, by continuing on this browser, you click opt-in, we have the ability to resell your data and share data back different platforms, things of that nature. The OCR and the FTC said that our consumers don’t know enough to willingly opt into that. So even if you have those opt-in language and infrastructure in place, that’s not good enough. And you still have to have that parameter put in place that any type of IP address plus any type of website content is considered a kind of PHI information. And it should be handled as such in terms of data security and privacy. And so it just has really shifted and put before IT security, HIPAA compliance was more of a concern as it pertained to internal operations, your EMRs, things of that nature to in the front lines for marketing teams, which has been really incredible to see how they’ve had to navigate and learn something net new again.

0:05:00.4 Kirsten Lecky: Yeah, I mean it’s like how can we do our jobs. It’s just completely changing the nature of how our work gets done. What are some like quick easy tips? Are there any easy tips? Like what are maybe two or three things that a healthcare marketer can do today to just be prepared or advance their strategy with these things in mind so that they don’t put them their work at risk?

0:05:24.2 Kathleen Perley: Yeah. So I would say the first thing to do is there’s a tool called and what you can do is you can actually plug in, it’s a free tool. You can plug in your domain, like your website, your healthcare website, and it’ll give you an output of every single type of GA4. If you’re using Cloudflare, Google Translate, Google Fonts, it’ll give you every single type of pixel that is on the site. And I found that starting there and saying, okay I think about it in terms of when I clean out my closet and you have like that sweater that didn’t fit like six years ago, but for some reason you still think might one day fit still hanging out.

0:06:03.8 Kathleen Perley: And it’s about like cleaning the closet almost in a way and like using that tool to really go through and say, okay, there’s a pixel on this, on our site from a campaign we ran three years ago. Do we need to reevaluate? Do we A need it? What are some of the data? What data is being passed to the other platforms? Is that based on the new OCR guidelines? Kind of a PHI information that we have to obscure and really kind of creating the opportunity to have that larger conversation. And so the first thing I always recommend is just go to, plug in your domain and it’s like the easiest thing to do is just you, you can actually export it to an Excel spreadsheet. It’s very easy. And the free tool gives you enough information to be dangerous.

0:06:48.1 Kathleen Perley: And then it’s, I think the second part that I really would love to see marketers kind of lean into from that perspective is building a relationship with IT and compliance. Right. As somebody who’s had a background in data and technology and kinda data-driven marketing as a whole, my biggest fear when all this came out was like, oh no, are we gonna go back to the days of, well this doctor likes this and wants at this platform so we’re gonna have to use it because we have no data to share as to why we’re making certain decisions, no data to help drive efficiencies of our ad dollars. And so I almost like, and selfishly I’m like, please let us not backslide into the old days of healthcare marketing. And I think for us to do that, the healthcare marketers have to take a proactive role in building that relationship with IT and legal and this audit report is a great way to start the conversation and build that relationship.

0:07:42.3 Kirsten Lecky: That’s a good idea. Yeah.

0:07:44.6 Kathleen Perley: Because you can go to them and say, Hey, there’s Cloudflare, like how are you using Cloudflare? Can you help me understand this? And it also shows, and you guys can start having conversations as do we need this data pixel on our site? And what information do we need out of it to make data-driven marketing decisions? Do we have BAs in place? If not, can we, or there are other options?

0:08:06.1 Kirsten Lecky: It sounds like there would be lots of benefits to just doing that practice. In addition to moving to this is just really understanding, it’s like almost auditing some of the content and knowing what comes out of it. Yeah.

0:08:16.9 Kathleen Perley: Yeah. And it’s really easy. And there’s other benefits too, right? We’ve done this a couple of times and we’ve seen core web vitals jump after we’ve kind of gone through the audit and root stuff. Because when we talk about technical debt and cumulative layout shift when as it pertains to core vitals, like this is impacting your SEO too. So not only you’re able to get more compliant, you’re also giving your experience for the visitors to your site. So I think that would be, doing the audit, getting to know and building a relationship and not just a one and done, but kind of an ongoing piece with your kind of counterparts on IT and compliance I think is a good second step.

0:08:53.0 Kathleen Perley: And then I think the third part is really like putting everything on lockdown and then developing some data governance. So one of the… We work with a lot of our partners in helping them kind of navigate this. One of the things that we look at is who has access to the site? What admin and roles are set up in place? Who can add pixels and data tracking? Is there approval process? If not, let’s help you guys implement one where you actually have a meeting, whether it’s once a month or every two weeks, where anytime anything new needs to get added to the website. Not talking about content, but more like kind of stringent things. Like, we’re gonna add this pixel for a campaign we’re gonna launch, or we’re gonna leverage a new technology from find a doctor perspective and do we have a BA in place there? Things of that nature.

0:09:39.1 Kathleen Perley: And really kind of developing a way to review all the things that we’re gonna be putting in place and then setting up the infrastructure for the teams to kind of really collaborate and say, okay, marketing, what is your opinion? IT and compliance and then everyone being on the same page on the sign off, and then implementing. Because I know with a lot of the challenges we’ve seen in the industry, oftentimes when we’ve had partners who’ve had challenges from a kind of a legal perspective, it wasn’t because marketing failed to do something, it was oftentimes, oh, there was a microsite that we haven’t touched in seven years and I completely forgot existed. Or a rogue actor within the organization who had more access than they probably should have that would unknowingly like not intentionally, unknowingly said, oh hey, our vendor asked us to add this code into our website for them to run SEO.

0:10:32.2 Kirsten Lecky: And you can see so easily how that can happen, right?

0:10:35.3 Kathleen Perley: Oh so easily.

0:10:35.4 Kirsten Lecky: That happens all the time.

0:10:37.4 Kathleen Perley: And I think oftentimes I always say that marketing, sometimes the marketing department sometimes gets the scapegoat. They’re the scapegoat on some of these things and it’s not necessarily them. Right. And so building that alliance with security and IT really helps start to have those conversations and being on the same page that when something does happen, you’ve done your inventory, you’ve identified all the micro sites, you’ve identified all the tracking codes, and then you’ve really gone through who needs access to what, what type of access. And then how are we gonna moving forward go through this in terms of not only staying up to date on new state legislation that’s coming down as it pertains to privacy and patient protections, but really how do we approve certain data stores and where do you need to send data and how we’re using it.

0:11:24.8 Kirsten Lecky: Yeah. I like that you have outlined sort of not only the three tips, but kind of like a work plan. So it’s not just these three things, but you’re, here are the tools that you need to make those three things work really well. It’s kind of like, I wonder too if other organizations have created sort of councils around this where you have all the right stakeholders participating together in a regular sort of workflow and auditing practice to come together and see ’cause it’s not just a one and done, like you said, it’s, this is an ongoing practice and to have discipline around looking and analyzing and talking about it as often as possible. So.

0:12:00.1 Kathleen Perley: Yeah. And we often, when we partner with a lot of healthcare organizations on implementing and kind of really helping them get, implement the technology, implement the infrastructure, the governance, the process side of it, part of our role is really to help bring the teams together. And often to stay up to date. So when we talk about compliance, especially as it pertains to patient data and privacy and security, right? It’s not only a financial challenge for health systems, but also a reputational one. And so you don’t wanna be seen as being flatfooted or passive, but you wanna be seen as an organization that’s trying to proactively get in front of it. You don’t wanna be the one that’s like, oh wait Google Fonts might pose an issue after four other health systems have gotten sued versus really thinking about these things proactively. And it’s interesting, like that free audit, the amount of times that we run those and we start having the conversations IT be like, Oh yeah, we added that in to kind of help us understand like site performance, but honestly we’re not really using it. So they’re saving money, we’re reducing the risk.

0:13:02.5 Kathleen Perley: And you’re able to say, okay, great, let’s pull that out. Or we were working with the partner the other day and we ran the audit and I said it says that you’re still leveraging Google Translate, which is not in itself necessarily a negative thing, but when you look at like the data calls and where it’s sending data and pushing data, they are sending the URL of the page, the content on the page and the IP address of that person, which according to OCR is kind of a PHI event. And we don’t know what Google is gonna leverage that data for, in theory they should not be using it for advertising or marketing, but we don’t have control over that. And so it’s interesting how as you kind of peel the onion, you find things. And we had a conversation and I said, okay one Google Translate effectiveness and efficiency and kind of accuracy is not super high. Help me understand how we’re using it. And they actually identified they’re gonna start building two conversion landing pages for certain audiences. With just enough information and then call center like the right phone numbers to talk to somebody in language and culture that can help navigate them through the health system versus trying to translate the entire site from front to end.

0:14:17.6 Kirsten Lecky: Yeah. Interesting.

0:14:17.7 Kathleen Perley: And so it’s a very interesting kind of dynamic that you keep pulling back.

0:14:22.6 Kirsten Lecky: Right, right. Yeah, absolutely. And I love that it’s like you’ve got this really complex, complicated situation and you’re kind of creating a common language between all these different parts of the organization that speak different languages. IT and compliance and law and marketing, they all have their sort of lingo and language and kind of bringing them together with shared understanding is important. And I think that initial audit kind of gives people a little bit of a place to start. So with that in mind, we’re actually over our 10 minutes. It goes really fast, doesn’t it?

0:14:50.9 Kathleen Perley: Yes it does.

0:14:52.2 Kirsten Lecky: But I know you have more to share and it’s just obviously a very rich topic with a lot to discuss. So you’ve got, you’ll be speaking at HCIC, is that right?

0:15:01.6 Kathleen Perley: Yes.

0:15:02.1 Kirsten Lecky: So we know and we’ll be able to plug some more information about what your session is and the time and day webinar coming up in mid-November. So that, I think we’ll also have a registration link for that, more data on this. So we’ll keep the conversation going and know that there’ll be more questions. And then of course we’ll leave if you’re open to it, your contact information if anyone has any questions.

0:15:20.0 Kathleen Perley: Absolutely.

0:15:21.0 Kirsten Lecky: And I really, really appreciate you jumping in and sharing your expertise and I know we’ll be tapping you I’m sure for a lot more.

0:15:29.6 Kathleen Perley: Awesome. Well thank you so much for having me. And I look forward to kind of nerding out and talking a little bit about…

0:15:35.9 Kirsten Lecky: I love it. Alright, sounds good. We’ll see ya. Bye.

0:15:38.4 Kathleen Perley: Awesome. Thank you so much. Bye.

0:15:38.4 Kirsten Lecky: Take care.