Privacy-Powered Marketing: How Healthcare Marketers Are Winning with Compliance
They call it the HIPAApocalypse.
Starting in 2022, a series of regulatory bombshells rocked the healthcare marketing world. Lawsuits, fines, federal guidance, and platform policy changes redefined what counts as protected health information (PHI) and how it can be tracked online. In a matter of months, the foundation of digital marketing in healthcare crumbled.
Faced with mounting risk and legal uncertainty, many organizations reacted by shutting everything off. Tracking technologies were disabled. Marketing teams went dark. Performance took a back seat to risk avoidance. And a powerful myth took hold: that compliance and growth couldn’t coexist.
But with new developments in data and privacy technology, certain leading healthcare organizations are implementing data foundations that enable them to leverage best-in-class tools and improve marketing performance without compromising compliance. One of those organizations is Priority Health, an award-winning health benefits company serving 1.3 million members across Michigan.
In this article, we’ll share how Priority Health is establishing a compliant patient data strategy and identify best practices you can use in your organization.
Surviving the HIPAApocalypse
Healthcare marketers have faced unique regulatory challenges for decades. HIPAA was introduced in 1996, and expanded with the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005. Meanwhile, regulations, such as CCPA (2018), have impacted the way in which all marketers collect and use customer data across industries.
But in 2022, a sequence of events drastically intensified the data privacy environment for healthcare marketers. Here’s the timeline:
- June 2022 - The Markup publishes an article reporting that many healthcare providers are disclosing protected health information (PHI) to Meta.
- December 2022 - The Department of Health and Human Services (HHS) and the Office of Civil Rights issue a bulletin about web tracking technologies, providing guidelines about the risks these tools pose and what healthcare organizations should or shouldn’t do when using them. Notably, the bulletin defined PHI as a combination of health information and a device identifier.
- March 2023 - FTC fines prominent healthcare companies GoodRx and BetterHelp.
- March 2024 - HHS updates their bulletin to clarify that if a healthcare organization can’t get a Business Associate Agreement (BAA) signed (as is often the case with Meta, Google, and The Trade Desk), platforms like Freshpaint are recognized as a viable alternative.
- April 2024 - Kaiser Permanente reports a data breach involving tracking technologies.
- November 2024 - Blue Cross Blue Shield’s federal employee program sued for disclosing PHI to TikTok.
- January 2025 - Meta implements new restrictions on data from healthcare organizations within their ad platform, not only reducing functionality for advertisers but also shifting the liability away from themselves and towards healthcare organizations and payers.
- January 2025 - HealthPartners settles tracking pixel lawsuit for $6 million.
- February 2025 - First lawsuit filed under Washington state’s My Health, My Data act, signaling that state-level laws are now being enforced alongside federal laws.
- April 2025 - Blue Shield of California reports a data breach caused by Google Analytics affecting 4.7 million members.
On a recent webinar, DJ Willard, Senior Director of Strategic Marketing at Priority Health, described the day the HHS published their bulletin in December 2022 as an “unforgettable day in my career in healthcare marketing. All of our trackers, in one day, were rendered inoperable. We moved swiftly in response to what we were seeing in the changing regulatory environment and disabled anything associated with our digital advertising. Without an understanding of how our media campaigns were performing, we were flying blind. We had no way to know if our marketing was effective.”
Although Priority’s response was effective in the short term, the real work was just beginning. The team had to develop long-term solutions that would allow them to understand whether their marketing dollars were driving business goals without attracting regulatory scrutiny.
Healthcare marketing isn’t dead - How Priority Health is fixing it
Recent Freshpaint research found that since these developments in the regulatory landscape, tracking data while managing consent is among the top challenges for healthcare organizations today, and 45% of surveyed respondents find tracking digital member engagements is no longer possible or has become too difficult.
Though Priority Health felt the same challenges, they were determined to develop a solution that would allow them to balance compliance and performance. After reviewing multiple vendors, Priority chose to partner with Freshpaint to build their long-term member data strategy.
Freshpaint is a healthcare-specific Customer Data Platform that enables organizations to run data-driven digital marketing programs while maintaining HIPAA compliance. Freshpaint removes risky third-party tracking code and replaces it with a single, HIPAA-compliant tracking pixel, allowing healthcare marketers to send all the data they want–and none that they don't–to platforms like Google Analytics and Meta in just a few clicks. The platform also provides organizations with website monitoring that keeps teams informed on the risk of trackers as regulations and trackers change.

DJ worked closely with the Freshpaint team to build a business case for the solution and secure approval from Compliance, Finance, Legal, and Procurement. Next, Freshpaint handled the privacy-first implementation, and got BAAs, SLAs, and compliance controls in place. Priority also partnered with performance marketing agency Amsive to ensure that once data was being forwarded to downstream tools via Freshpaint, it was being used to optimize downstream marketing execution.
After an extended period of marketing “in the dark,” Priority can now measure campaign performance and take steps to improve their marketing programs. DJ describes, "At this point, we are building a new benchmark to which we can evaluate our data. I'm encouraged because we actually see data now, which is what we hadn't in years past. It will take time to see the business impact, as we're able to optimize our campaigns now that we have this data available to us."
It’s not just healthcare benefits companies like Priority Health that are making this transition, however. Organizations throughout the healthcare ecosystem are partnering with Freshpaint to navigate the new regulatory landscape, and they’re achieving remarkable results. A behavioral healthcare provider, for example, saw a 70% decrease in Cost Per Lead after implementing Freshpaint as their patient data foundation, and a top-ranked specialty hospital realized a 50% decrease in Cost Per Click.
3 best practices for healthcare marketers trying to balance compliance and performance
The regulatory landscape is constantly evolving, creating challenges for healthcare marketers in every corner of the industry. Here are three best practices for finding the right balance between regulatory compliance and marketing performance in your organization.
- Start the conversation
Compliance impacts the whole business, not just marketing. Implementing solutions for responsible data management will require approval from numerous departments, including Legal, Compliance, Finance, and Procurement.
As marketers, it helps to start conversations with these functions early. Make it clear that developing a compliant patient data strategy is critical for the success of the business as a whole. As DJ describes, “invite them into the work you’re doing” as you search for a long-term solution.
- Present marketing as a data-driven function
Many departments associate marketing with the speculative art of Mad Men, not the data-driven practice that many teams embrace today.
As you’re engaging stakeholders across Legal, Compliance, Finance, and Procurement, present marketing as a “data-driven” function, as it will help build credibility as you propose new solutions.
DJ explains, “As I was soliciting partners within our organization, it helped that I had established a track record of using data to drive marketing decision making. That objectivity made for a stronger point of view and helped support our estimates on ROI. So find ways to gossip about the quantitative success of your marketing campaigns. That credibility will help pave the path for you to bring a tool like this into your organization.”
- Make the right plan with the right partners
Adopting a new patient data strategy consists not only of building a business case, but also implementing the right technical solution. Teams outside of marketing will want to confirm that any new technology is cohesive with existing systems.
Your web engineering team, for example, may want to confirm that new tracking code won’t impact site performance, while your product management team may be wary that new tracking could mess up their analytics. Partner with vendors and solutions providers that can help you navigate those conversations, and lean on them to help you secure the approvals you need.
“There’s a technical aspect to this that individuals within your organization will want to feel confident about. Having a partner that can help you do that really well is important when bringing a privacy platform into your organization,” explains DJ.
You shouldn’t have to choose between compliance and performance. Leading healthcare organizations like Priority Health are partnering with Freshpaint to develop a patient data strategy for the long run. If you’re interested in exploring solutions for your organization, connect with our team today.