hipaa Articles / Blogs / Perficient
https://blogs.perficient.com/tag/hipaa/
Feed last updated Wed, 19 Jun 2024 18:54:50 +0000

Secure and Personalized Commerce for Healthcare and Life Sciences
https://blogs.perficient.com/2024/03/14/hipaa-ready-and-personalized-commerce/
Thu, 14 Mar 2024 12:31:16 +0000

The ability to offer healthcare products and services digitally is more important than ever. In fact, the global healthcare eCommerce market is projected to reach $994.2 billion by 2030. But a complex regulatory landscape and data privacy and security concerns are formidable obstacles. Additionally, consumer demand for proactive, personalized experiences is at an all-time high.

So how can healthcare and life sciences organizations capitalize on this opportunity?

HIPAA-Ready and Personalized Commerce Lunch at Adobe Summit

Perficient and Adobe are partnering at Adobe Summit 2024 to share insights on industry trends and discuss how Adobe is revolutionizing healthcare commerce with Adobe Commerce’s ability to deliver HIPAA-ready and personalized commerce experiences. Join us during our HIPAA-Ready and Personalized Commerce lunch on Wednesday, March 27 at 11:30 A.M. in The Grand Lux Café in The Palazzo.

Attendees will have the opportunity to grab lunch (and skip long lines), connect with industry peers, and hear insights from Justin Racine, a unified commerce strategy principal at Perficient, and Tom Swanson, Adobe’s head of industry strategy and marketing for health and life sciences, before heading to the Adobe Summit afternoon sessions.


What to Expect

  • 11:30 A.M. | Lunch Orders: Complimentary lunch orders will be taken until 12:00
  • 12:00 P.M. | Discussion: Enjoy an informative review of HIPAA regulation’s relevance to healthcare commerce, how to enhance the patient experience, and a demonstration of Adobe Commerce.
  • 12:30 P.M. | Lunch and Networking: Dine and connect with healthcare and life sciences industry peers who share your passion for digital excellence before heading off for afternoon sessions at Adobe Summit.

This event will emphasize the significance of data protection for covered entities and privacy-conscious brands and share how introducing next-gen commerce capabilities can empower seamless end-to-end experiences for your consumers, driving impact for your business.

Register Today

Join us for this exclusive lunch session on the second day of Adobe Summit. You must register to attend. Secure your spot today!

HIPAA-Ready and Personalized Commerce Lunch

Wednesday, March 27th | 11:30 A.M. – 1:00 P.M. PST

The Grand Lux Cafe in The Palazzo


Learn More About HIPAA-Ready and Personalized Healthcare

We’ve helped Adobe build its new HIPAA and PHI-ready commerce solution to help reduce risks and improve experiences. Check out our blog series that discusses different use cases for HIPAA-Ready Adobe Commerce.

3 Ways Adobe Commerce Enhances Patient-Provider Relationships

How Adobe Commerce Can Impact Payor Strategies

Adobe Commerce, Medical Device & Life Sciences, and … Golf?

3 Ways Adobe Commerce Elevates Pharmacy Services

Exploring Healthcare Trends in Sitecore and Digital Marketing
https://blogs.perficient.com/2024/03/12/exploring-healthcare-trends-in-sitecore-and-digital-marketing/
Tue, 12 Mar 2024 18:46:42 +0000

In the latest episode of the Sitecore Sessions, our Sitecore MVPs, Megan Jensen and I, met with healthcare strategists Priyal Patel and Michael Porter to discuss healthcare trends, our success in delivering healthcare projects with Sitecore, and the challenges and opportunities we’ve been seeing across composable architecture, search and leveraging AI. You can watch the whole discussion here:

 

The rest of this article was generated by AI based on the discussion in the video.

The Journey to Healthcare Excellence with Sitecore

The healthcare industry stands at the forefront of technological transformation, aiming to deliver personalized, efficient, and comprehensive care to patients. The success stories woven by Sitecore in the healthcare sector highlight a strategic blend of technology, industry insight, and a deep understanding of patient needs. This article delves into the reasons behind Sitecore’s triumph in creating impactful healthcare solutions, drawing on insights from a panel of Sitecore experts.

The Essence of our Sitecore Team’s Success in Healthcare

The key to our Sitecore team’s success lies not just in its technological prowess but in its ability to align technology with healthcare outcomes. Sitecore’s approach goes beyond mere digital transformation; it focuses on creating meaningful engagements that are outcome-based rather than technology-driven. This mindset ensures that the solutions provided genuinely address the needs of healthcare clients, making technology a tool for achieving broader organizational goals.

A Collaborative Team Approach

Our Sitecore team’s success is also attributed to its collaborative team approach, which brings together diverse expertise. From focusing on user experience and healthcare mandates to backend integration, Sitecore’s teams ensure that each project is handled with a holistic view. This collaborative effort allows for a seamless blend of technological capabilities with industry-specific knowledge, thereby delivering solutions that are not only technologically advanced but also deeply rooted in healthcare best practices.

Leveraging Composable Architecture for Flexibility

Another pivotal aspect of Sitecore’s success in healthcare is its shift towards a composable architecture. This approach allows healthcare organizations to adopt features and functionalities that are transaction-driven while ensuring content and personalization are not compromised. The composable architecture resonates well with healthcare clients, offering them the flexibility to adapt to evolving needs without being tethered to a rigid platform structure.

The Power of Personalization in Healthcare

Personalization stands as a cornerstone of Sitecore’s strategy, particularly in the healthcare domain where it can have a profound impact. The panel of experts emphasized the importance of personalizing healthcare experiences without crossing the line into intrusiveness. Personalization in healthcare should be context-driven, providing relevant and timely information to patients based on their unique healthcare journey. Sitecore excels in this area, leveraging its technology to deliver personalized care that is both respectful and impactful.

Embracing Regulatory Compliance with HIPAA

Sitecore’s move toward regulatory compliance, especially concerning HIPAA, further strengthens its position in the healthcare sector. Its commitment to sign Business Associate Agreements (BAAs) with healthcare clients for its SaaS offerings signifies Sitecore’s dedication to safeguarding patient data and adhering to strict privacy standards. With a BAA in place, healthcare organizations can leverage those Sitecore solutions without compromising on compliance, making Sitecore a trusted partner in the healthcare technology landscape.

The Role of Search in Enhancing Healthcare Experiences

Search functionality plays a crucial role in improving healthcare digital experiences. A well-optimized search engine can significantly enhance the patient’s journey by providing accurate, relevant, and timely information. Sitecore recognizes the importance of search in healthcare, ensuring that its platform offers robust search capabilities that cater to the unique needs of healthcare consumers. By prioritizing accuracy and relevancy in search results, Sitecore helps healthcare organizations connect patients with the right information and resources, facilitating better healthcare outcomes.

Conclusion

Sitecore’s success in the healthcare industry is a testament to its strategic approach, technological innovation, and deep understanding of the healthcare ecosystem. By focusing on meaningful outcomes, embracing a collaborative team approach, and ensuring regulatory compliance, Sitecore has established itself as a leader in delivering impactful healthcare digital solutions. As the healthcare industry continues to evolve, Sitecore’s commitment to personalization, flexibility, and patient-centric care positions it well to meet the challenges and opportunities ahead.

Healthcare, HIPAA, Sitecore and BAAs
https://blogs.perficient.com/2024/01/24/healthcare-hipaa-and-sitecore-and-baas/
Wed, 24 Jan 2024 15:32:37 +0000

Before I begin, I want to caveat everything with the fact that HIPAA is a complex regulation open to interpretation; in the end, your legal and compliance teams need to be comfortable with how you handle data and the risk associated with those methods. With that said, I’ve had a lot of experience over the last decade with healthcare companies dealing with HIPAA regulations, including payers, providers and life sciences organizations, and having seen the direction Sitecore has been moving to support healthcare companies, I wanted to share some of that knowledge.

Defining Protected Health Information (PHI)

When it comes to evaluating your digital experience platform (DXP) solutions against HIPAA, how you collect, process, and manage PHI is the central concern. Defining PHI is more complex than you may think. The HIPAA Privacy Rule defines PHI as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records.

But what does identifiable mean? There was debate on whether an IP address was identifiable until HHS made clear that it was, in a bulletin published in late 2022 on how website visitor tracking data is to be handled. The other part of the definition is what constitutes “health information.” There are clear-cut cases, such as a visitor filling out a form on your website that asks about their health, but there are other cases that are less clear-cut: for example, using the find-a-doctor feature of your site to identify a specialist, or browsing condition or specialty-related pages on your site.

There is probably not going to be clear-cut guidance from HHS on how to answer these questions, so organizations will be left to evaluate the risk of managing this kind of data themselves. This is why more cautious organizations have removed analytics tracking tools like Google Analytics. But it’s important to realize it’s not just the software we choose that allows us to deliver HIPAA-compliant solutions to patients.
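To make the two halves of the definition concrete, here is an added example (not code from the original post, nor from Sitecore or HHS) of what a first-party collector can do with a page-view event before forwarding it to an analytics vendor that has not signed a BAA: drop the identifier fields (IP address, e-mail and similar) and collapse the find-a-doctor and condition-page context that HHS treats as health information to a coarse section name. The field names, the list of sensitive path prefixes and the query-parameter allow-list are assumptions for illustration; a real site needs its own inventory of sensitive pages.

```python
"""Scrub a web analytics event before it leaves the covered entity's control.

Added example, not code from the original post. The identifier field names,
sensitive path prefixes and query allow-list are assumptions for illustration.
"""
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Event fields that identify the visitor and must never be forwarded.
# (Assumed field names; IP address and e-mail are on HIPAA's identifier list.)
IDENTIFIER_FIELDS = {"ip", "email", "user_id", "patient_id", "phone"}

# Path prefixes treated as revealing health context (assumed for this example).
SENSITIVE_PREFIXES = ("/find-a-doctor", "/conditions", "/specialties", "/patient-portal")

# Query parameters safe to keep anywhere: campaign tags only, never search terms.
ALLOWED_QUERY_KEYS = {"utm_source", "utm_medium", "utm_campaign"}


def classify_path(path: str) -> Optional[str]:
    """Return the sensitive section a path belongs to, or None if it is general."""
    for prefix in SENSITIVE_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return prefix.strip("/")
    return None


def scrub_url(url: str) -> str:
    """Collapse a health-context URL to its section and drop non-campaign params.

    A general page keeps its path; a sensitive page becomes "/<section>/" so the
    vendor learns that the section was visited but not which doctor, condition
    or ZIP code was involved. The fragment is dropped because client-side
    routers often keep search state there.
    """
    parts = urlsplit(url)
    section = classify_path(parts.path)
    path = "/" + section + "/" if section else parts.path
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k in ALLOWED_QUERY_KEYS]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), ""))


def scrub_event(event: dict) -> dict:
    """Return a copy of a page-view event that is safe to forward."""
    clean = {k: v for k, v in event.items() if k not in IDENTIFIER_FIELDS}
    for field in ("url", "referrer"):
        if clean.get(field):
            clean[field] = scrub_url(clean[field])
    return clean


# Constructed sample: what a client-side tracker would otherwise send verbatim.
SAMPLE_EVENT = {
    "event": "pageview",
    "ip": "203.0.113.45",
    "email": "jane@example.com",
    "url": "https://www.example-health.org/find-a-doctor?specialty=oncology&zip=60601&utm_source=ad",
    "referrer": "https://www.example-health.org/conditions/breast-cancer#stage-2",
    "user_agent": "Mozilla/5.0",
}

if __name__ == "__main__":
    print(scrub_event(SAMPLE_EVENT))
```

The scrub has to run in something you operate (a first-party collector or server-side tag manager): a vendor script loaded directly into the page sees the raw request, IP address included, before any scrubbing can happen, which is exactly the situation the HHS bulletin addresses.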

There really isn’t such a thing as HIPAA-compliant software.

HIPAA is a set of rules around how to process and deal with sensitive health data. There are plenty of details on how those rules guide organizations on HHS’s website.

While software can help organizations adhere to those rules, it is still up to the organization to put the processes in place to remain HIPAA compliant. Take Sitecore XP as an example. It includes an extensible “Experience Database” (xDB) component that tracks visits to the websites it hosts and lets you store the data you capture from visitors to enable personalization. Sitecore XP provides the capability to manage and secure that data, but it is up to the organization using the software to do so properly, using the available tooling and configuration, and to put the necessary processes in place to manage that data in a HIPAA-compliant way.

Things get more complicated when you have partners or vendors with access to systems that manage health data. This is when you need to ensure you have a Business Associate Agreement (BAA) in place. The BAA provides assurances that the “associate” organization will protect your patients’ PHI, requires it to take specific actions, and restricts how it may use or disclose PHI. Perficient typically signs BAAs with clients where the project work will give us access to such data as part of project delivery.

Sitecore’s Platform DXP offerings, including Sitecore XP, are installed software, meaning you take Sitecore’s software and install it on your own servers. Those servers could be on premises (in your own network) or in the cloud, but Sitecore itself has no access to your environments or your data. This means you do not need a business associate agreement (BAA) with Sitecore for these products, since Sitecore never touches your data.

Managed Cloud

The Sitecore Managed Cloud offering consists of the Platform DXP products deployed to a dedicated Azure subscription that is managed by Sitecore. Because Sitecore actively manages the environment, it has access to the underlying data in the system. If you are using Sitecore to store or manage health data, Managed Cloud is probably not going to meet your needs, as Sitecore does not sign BAAs for its Managed Cloud offering. A couple of years ago Sitecore was moving toward supporting this, but as it pivoted to focus on its composable SaaS offerings, it became clear that this was not a focus for them.

Sitecore’s SaaS Offerings

Because Sitecore’s composable solutions are all delivered in a SaaS model, using them to manage any protected health information would require Sitecore to sign a BAA. The good news is that Sitecore has indicated that it will soon support healthcare customers by signing BAAs for some of its offerings, namely Sitecore Personalize and CDP starting in July 2024 and XM Cloud by the end of the year. Not only has this been communicated from Sitecore generally, but we have clients who have signed agreements with Sitecore to enact a BAA for these products within these timelines.

The relationship between XM Cloud and Sitecore CDP and Personalize makes the timing of this support interesting. XM Cloud includes a “light” version of Sitecore Personalize to support its page-level personalization and analytics capabilities. In fact, if a client has a license for the full versions of Sitecore Personalize and CDP, they can use the same conditions and segments they define in Personalize as XM Cloud personalization rules. They can even view their XM Cloud personalization experiences and analytics directly in Sitecore Personalize and CDP. This is because under the covers it is actually the same instance.

Given this relationship between the products, if you have a license for Sitecore Personalize and a BAA in place with Sitecore in July, you should be covered for your XM Cloud solution, because the rest of XM Cloud only deals with content management and should not house any data that could be classified as “protected health information.” To illustrate this, I put together the following diagram:

[Diagram: XM Cloud BAA]

With a BAA on Sitecore Personalize that covers the use of those related features in XM Cloud, healthcare organizations can target going live on the platform starting on July 1st. All other data is managed in SaaS services that do not house or touch any protected health data.

You’ll also note that Vercel is depicted in the diagram as well. This is an important consideration, as your front-end application is what serves the experience to your users, and data typically flows through the front-end application, including any logged visitor activity in the form of IP addresses and pages visited. Vercel has indicated that it will start signing BAAs as early as March of this year. I have heard similarly that Netlify is also open to signing BAAs, giving us multiple options for hosting our front-end applications within a headless architecture.

Without that in place, you would have needed to host the front-end site yourself, in Azure or AWS, both of which support healthcare organizations’ needs through BAAs. Note that a cloud provider’s BAA covers only the services the provider designates as HIPAA-eligible, and only when they are configured in line with the provider’s guidance, so the hosting choice still needs the same review as any other component.

Beyond XM Cloud and Sitecore Personalize

It’s important to note that there are other products you may need to drive your digital experiences, and Sitecore has nine other SaaS products which probably won’t support a BAA any time soon. Search is probably the most glaring gap, as most sites require search capabilities as part of the experiences they deliver. While there are several options, we have a ton of experience with Coveo, which signs BAAs and even has a HIPAA version of its platform.

Implementation Considerations

As mentioned earlier, software alone does not make you HIPAA compliant. Having a BAA in place with the vendors that manage that software does not make you HIPAA compliant either. But with these tools and agreements, you can implement HIPAA-compliant solutions for your patients. Don’t forget to fully consider how you manage protected health information across your solution. Think through how you manage identity and access, how APIs are secured, and all the tertiary use cases (logging, analytics, vendor support access) that can expose data and create vulnerabilities. Do not take it for granted that because the software can be used in a compliant way, it will prevent you from using it incorrectly.

Perficient is here for you

At the time of this writing (January 2024), Sitecore has a clear path to supporting healthcare organizations interested in using its flagship DXP solution, including XM Cloud, Sitecore Personalize and Sitecore CDP. These tools can help drive future-proof, rich experiences across multiple channels while protecting the data you need to drive those experiences.

If you are looking for help in navigating HIPAA, Sitecore’s offerings and your DXP needs, please reach out to me.  You can find me on LinkedIn, Twitter or fill out our contact form.

Adobe Commerce: Leading the Way in Proactive Healthcare Experiences
https://blogs.perficient.com/2023/11/28/adobe-commerce-leading-the-way-in-secure-proactive-healthcare-experiences/
Tue, 28 Nov 2023 19:50:03 +0000

There’s been a massive change of tone in the healthcare space over the last few years. What is it you might ask? Well, simple. Proactive healthcare choice.

Let me explain.

Traditionally, healthcare was reactive – when something went wrong, we would go to the doctor or seek medical treatment. Today, however, the tables have turned – and healthcare has become proactive. Society has access to wearable technologies that track our sleep, heart rate, and other activities. We can seek therapy from the comfort of our couch with our devices and doctors can diagnose us remotely.

All this proactivity is a good thing. It’s allowing this market and category to grow exponentially. Still, it does bring up additional areas brands need to consider if they are or will consider building these healthcare experiences with consumers through digitally enabled websites.

What are these considerations? HIPAA compliance and the protection of PHI.

HIPAA Enabled Adobe Commerce

Adobe offers a HIPAA-ready solution with its latest release of Healthcare Add-on for Adobe Commerce that merchants can leverage. Adobe Commerce becomes the staple within the SaaS commerce space as a leader and clear choice when looking to not only have more secure healthcare experiences, but also to enhance personalized content, products, and services based on medical condition and treatment.


HIPAA-Ready and Personalized Healthcare Experiences

Here’s a hypothetical. Let’s say you’re a brand that sells vitamins online. Instead of offering various vitamin categories to customers, you build a guided selling experience that asks customers questions about their health, conditions, and daily activities. Based on these answers, the site curates vitamins that are likely a good fit for them.

Sounds great, right? Of course, it does.

But this only works if the experience itself is HIPAA-ready. Customers won’t feel comfortable giving you information if they feel it’s at risk of being stolen.

That’s where Adobe’s HIPAA-ready commerce platform comes into play. With Adobe’s Healthcare Add-on for Commerce, you can leverage the power of Adobe Commerce to personalize this vitamin shopping experience while letting your customers know that their personal information is protected by HIPAA-ready security controls and processes.

Reduced Risk and Improved Experiences

The HIPAA-Ready Healthcare Add-on for Adobe Commerce platform allows you to check all the boxes for both your brand and your customers. This foundational approach will help reduce your organization’s compliance risk by providing the features and tools you need to be HIPAA-ready.

Listen, being healthy is a choice. And so is deciding where and how you shop for the medical conditions that you or a loved one might be dealing with. Ultimately, both have the same goal: increased peace of mind. Wouldn’t you like the peace of mind that your customers’ information is handled with HIPAA-ready controls? If yes, then you know the clear choice within digital health and medical commerce: it’s Adobe.

Learn more about your Adobe Commerce and Healthcare Experts

 

Blog Recap: 3 Reasons to be HIPAA Compliant Across Digital Experiences
https://blogs.perficient.com/2023/07/03/blog-recap-3-reasons-to-be-hipaa-compliant-across-digital-experiences/
Mon, 03 Jul 2023 17:26:50 +0000

Recently, Coveo hosted a webinar discussing the importance of HIPAA compliance in the digital world. Perficient’s very own Michael Porter shed light on key considerations and challenges organizations face when protecting sensitive patient information.

In today’s digital era, healthcare organizations strive to provide exceptional digital experiences while ensuring the security and privacy of patient information. Meeting the rigorous standards of the Health Insurance Portability and Accountability Act (HIPAA) is of utmost importance.

Use of Online Tracking Technologies in Healthcare

Michael Porter delved into the specific concerns raised by the use of online tracking technologies in healthcare organizations. Mike emphasized that any online tracking, be it web analytics, embedded scripts, or other forms, can potentially transmit sensitive patient data. He cited a significant incident in which a hospital used Facebook’s look-alike audience technology on its find-a-doctor feature, which gathered patient information; as a result, PHI of unauthenticated patients was sitting in a database that Facebook owned. Consequently, the Department of Health and Human Services (HHS) expanded its guidance to encompass all online tracking technologies, and the use of tracking technologies that results in impermissible disclosures of PHI is now prohibited for providers and other covered entities.

Staying HIPAA Compliant with Coveo

Compliance with HIPAA is essential for all healthcare organizations, as failure to comply can lead to severe consequences, including financial penalties and reputational damage. By partnering with a technology provider like Coveo that will sign a BAA and supports HIPAA-compliant deployments, healthcare organizations can enhance their digital experiences while meeting regulatory requirements.

Leveraging Coveo for HIPAA Compliance

  1. Secure Data Handling: Coveo provides robust security measures to protect PHI. It employs encryption techniques to ensure data remains secure at all stages, both in transit and at rest. Coveo’s platform is designed to meet stringent security standards, helping healthcare organizations comply with HIPAA regulations.
  2. Intelligent Data Management: Coveo’s AI-powered search and relevance capabilities enable healthcare organizations to efficiently manage and retrieve patient information while maintaining compliance. Coveo indexes and organizes data from various sources, such as electronic health records, clinical systems, and knowledge bases, allowing authorized users to access relevant information securely and quickly.
  3. Role-Based Access Control: Coveo enables healthcare organizations to implement role-based access control, ensuring that only authorized personnel can view or modify patient data. This feature allows organizations to maintain strict access controls, protecting patient privacy and meeting HIPAA requirements.
  4. Compliance Reporting and Audit Trails: Coveo provides robust reporting capabilities, allowing healthcare organizations to track user activity, monitor access to patient data, and generate audit trails. These features are vital for demonstrating HIPAA compliance during regulatory audits or investigations.
  5. Personalized Patient Experiences: Coveo’s AI-powered platform enables healthcare organizations to deliver highly personalized experiences to patients while adhering to HIPAA regulations. By leveraging machine learning algorithms, Coveo helps healthcare providers deliver relevant content and recommendations to patients, empowering them to make informed healthcare decisions without compromising data privacy.
  6. Vendor Compliance: Coveo understands the importance of vendor compliance in the healthcare industry. As a HIPAA-compliant technology provider, Coveo is willing to sign Business Associate Agreements (BAAs) with healthcare organizations, outlining responsibilities and liabilities to ensure the protection of patient data.

Learn More About HIPAA Compliance

HIPAA compliance is a critical aspect of healthcare organizations’ digital experiences. By partnering with a HIPAA-compliant technology provider like Coveo, healthcare organizations can enhance their digital experiences while meeting regulatory requirements and protecting patient data. Coveo’s AI-powered search and relevance platform offers robust security measures, intelligent data management, role-based access control, compliance reporting, and personalized patient experiences, all crucial components for achieving HIPAA compliance and delivering exceptional digital experiences in healthcare. To learn more about how Coveo can help you stay HIPAA compliant while delivering exceptional digital experiences, reach out to one of the members of our award-winning team.

 

3 Reasons Healthcare Organizations Should be Using Adobe Customer Journey Analytics
https://blogs.perficient.com/2023/05/17/3-reasons-healthcare-organizations-should-be-using-adobe-customer-journey-analytics/
Wed, 17 May 2023 15:07:36 +0000

It seems obvious that general retailers need actionable data to drive business decisions, but many healthcare organizations (HCOs) are businesses that rely on the same engagement and transactional information. Despite an increased level of regulation, HCOs need access to analytics information to make informed business decisions.

Capturing data in a way that does not compromise protected health information (PHI) or violate Health Insurance Portability and Accountability Act (HIPAA) regulations is critically important. With the Department of Health and Human Services’ guidance for payers and providers regarding the use of online tracking technologies, it is more important than ever for HCOs to choose an analytics tool that enables compliant and actionable data.

1. An Enterprise Tool for Data-Driven Business Decisions

Adobe’s Customer Journey Analytics (CJA) solution supports generating insights from HIPAA-relevant interactions regardless of whether they occurred digitally, in a call center, at a retail location or even at a kiosk. To make data-driven decisions, HCOs require a deeper level of insight than what can be provided by non-HIPAA-compliant tools. Many analytics platforms record only basic unauthenticated traffic engagement, such as “1,000 visitors came to the website on a given day.” In reality, most HCOs need actionable insights from their analytics package.

Knowing how many people came to the website is interesting, but not useful or actionable for the business.

What’s actionable is being able to see who came to the site, what they came to do, if they were successful doing it and if not, why weren’t they successful, and ultimately what should the organization do about it?

Simply understanding whether a visitor abandoned the brand after exiting the conversion flow or converted in another channel is of significant impact. The former represents lost revenue while the latter is simply channel shift. The decisions (and actions) an organization takes to address a lost conversion are significantly different from the steps to shift a conversion to a lower-cost channel.

This is the difference between free or non-HIPAA-compliant analytics tools and Adobe Customer Journey Analytics. Enterprise HCOs need a tool with deeper, enterprise capabilities and features associated with end-to-end data collection of digital traffic (on-site and off-site) and the ability to gain meaningful insights beyond pageviews and media tracking. This is what allows them to make business decisions based on data.

LEARN MORE: PHI and Online Tracking Technologies

2. A Cross-functional Tool for a 360-degree View of the Customer

Adobe CJA is an evolution of Adobe Analytics that allows HCOs to gain insights from digital engagement and the end-to-end journey regardless of tactic or touchpoint. Remember the use case of being able to distinguish between a conversion that started on the web but ended in the call center and a site abandonment? Adobe CJA takes this to another level by creating a 360-degree view of the visitor. This includes not only digital analytics, but touchpoints like call center, retail, CRM, EDW, API, etc. In addition, Adobe CJA is tightly integrated with other Adobe Experience Platform (AEP) solutions to support mission-critical digital marketing capabilities including customer identification (AEP Unified Profile), segmentation (Real-Time CDP) and marketing automation (Adobe Journey Optimizer).

With the Adobe Experience Platform, HCOs don’t have to dedicate time, effort, and money to ensure different technology partner solutions work together. When organizations choose to utilize multiple point solutions that were not engineered to work together, it typically requires significant investment for the initial implementation, as well as ongoing maintenance to manually keep them in sync. Choosing a single digital experience platform (such as Adobe’s Experience Platform) that ties analytics to the rest of the capabilities stack ensures each of the digital marketing tactics works seamlessly together, eliminating costly, manual, and custom integration efforts. Gartner has recognized Adobe as a leader and a visionary in its “2023 Magic Quadrant for Digital Experience Platforms Report.”

“Adobe has an extensive ecosystem that includes design and creative agencies, systems integrators, marketing and advertising agencies, and creative tools. This provides customers with many options to deploy and support the vendor’s products.” – Gartner, 2023

3. HIPAA-Compliance

Aside from deep analytics capabilities, HIPAA compliance is what separates true enterprise solutions like Adobe from the rest of the pack. There are no free SaaS analytics platforms that currently offer HIPAA compliance. Some vendors offer a level of HIPAA compliance by requiring the customer to implement the analytics package on their own servers, which is essentially asking the client to self-certify. Adobe Customer Journey Analytics is one of the few SaaS analytics platforms for which the manufacturer will sign a business associate agreement (BAA).

A BAA is a liability document signed between a software provider and a client that outlines the handling and protections for PHI within the tool and the consequences for data breaches. These consequences might include indemnifying the client for any and all PHI breaches, defending the client in court should any suit arise stemming from a breach, and even reimbursing the client (and potentially the end customer) for any damages. BAAs can be very complex, and the nature of this binding legal document generally adds to the cost of the software licensing (which is why few non-enterprise platforms offer it).

Despite a higher level of regulation, HCOs still need to understand critical healthcare-specific engagement activities which require PHI data, such as:

  • Open or special enrollment health insurance plan activation information such as plans, tests purchased, plan information, and demographics information.
  • Identity resolution engagement such as registrations, forgotten passwords, etc. (aggregate or individual).
  • Authenticated member engagement such as filing claims, downloading insurance cards, etc.
  • Patient engagement information around scheduling appointments, current conditions, payment information, etc.
  • Proactive outreach to certain segments to promote next best actions for positive healthcare outcomes.

These are just a few examples of the kinds of insights HCOs require to effectively run their business – all require PHI. Measurement of any of these is not possible without a signed BAA. Luckily, Adobe Inc. will sign a BAA for Customer Journey Analytics to measure all of these use cases and more. 

READ MORE: PHI In Web Analytics, The Do’s and Don’ts

Perficient + Adobe

Perficient understands the complexities of the healthcare industry and the unique challenges healthcare organizations face. Our healthcare practice delivers strategic business and technology consulting insights that help our clients transform with today’s digital consumer experience demands. This strategic guidance is then transformed into pragmatic technology solutions that improve clinical, financial and operational efficiency. 

As an Adobe partner, we bring the strategic imagination of an agency and the highest level of Adobe expertise and technical acumen to deliver exceptional customer experiences for the world’s biggest brands. And our experience is second to none. We are Adobe’s leading digital experience partner with hundreds of Adobe, Marketo, and Adobe Commerce certifications.

Have questions? Contact us today, and let’s discuss your specific needs and goals.

PHI In Web Analytics, The Do’s and Don’ts | https://blogs.perficient.com/2023/04/11/phi-in-web-analytics-the-dos-and-donts/ | Tue, 11 Apr 2023 18:45:01 +0000

This is a continuation of my previous discussion on PHI and Online Tracking. We know you have to be extremely careful when using tracking technologies. This is true even on a .com site where you don’t log in. Even so, with extra care there are a number of ways in which you can track activity and events on healthcare-related web sites.

What you can and cannot do

Remember that the guidance stresses that you have to treat analytics under the same constraints as other technologies which access PHI.  HIPAA still applies.  This means you can work with HIPAA.

Can Do

  • Communicate with patients and members as you create the right conditions for better health outcomes
  • Use all tools as long as there is no chance of gathering PHI.
  • Work with patients and members across many channels a
  • Use a tag manager to funnel data to HIPAA compliant repositories
  • Send form submits via a POST

Cannot Do

  • Use any web or social analytics tool that cannot meet HIPAA guidelines
  • Use a tag manager to funnel events that may contain PHI to non-compliant tools
  • Send form data with PHI in the clear to any tool. This includes HIPAA-compliant tools
  • Send form submits via a GET, which puts potential PHI in the URL

Implications of HHS Guidance

When you look at the various ways in which sites do their tracking, there are implications that you need to think through and address.

  1. Must choose the correct tag management and analytics solution. Remember that tag management solutions send tracking data to a range of possible sources
  2. It’s not feasible to just disable analytics tracking on certain pages. Yes, you can disable tracking on form pages, in find-a-doctor apps and other areas. However, I would refer to this as cutting off your nose to spite your face. You can do it, but why would you disable tracking where it’s most important and you want to know what and when a potential member or patient converts?
  3. Any tracking should be reviewed.  Facebook, Google, and other vendors have a variety of tracking tools.  Whatever you use on your sites including hotjar should be reviewed.
  4. All authenticated experiences fall under HIPAA
  5. Many un-authenticated experiences fall under HIPAA
  6. Outbound campaigns are less impacted by this.  Yes, you still need to be HIPAA compliant but if your campaign is compliant then tracking the results should also be compliant

Technologies

The good news is that you can still use tracking technologies. The vendor needs to be HIPAA compliant and if the solution is in the cloud, the vendor must sign a BAA.  There are solutions out there and I’ll address that in a future post.

Now the bad news: the most common solution used by the very large majority of healthcare organizations, Google Analytics, cannot be used. Google has done its own analysis based on this guidance and has published the resulting note:

Customers must refrain from using Google Analytics in any way that may create obligations under HIPAA for Google. HIPAA-regulated entities using Google Analytics must refrain from exposing to Google any data that may be considered Protected Health Information (PHI), even if not expressly described as PII in Google’s contracts and policies. Google makes no representations that Google Analytics satisfies HIPAA requirements and does not offer Business Associate Agreements in connection with this service.

For HIPAA-regulated entities looking to determine how to configure Google Analytics on their properties, the HHS bulletin provides specific guidance on when data may and may not qualify as PHI. Here are some additional steps you should take to ensure your use of Google Analytics is permissible:

  • Customers who are subject to HIPAA must not use Google Analytics in any way that implicates Google’s access to, or collection of, PHI, and may only use Google Analytics on pages that are not HIPAA-covered.
  • Authenticated pages are likely to be HIPAA-covered and customers should not set Google Analytics tags on those pages.
  • Unauthenticated pages that are related to the provision of health care services, including as described in the HHS bulletin, are more likely to be HIPAA-covered, and customers should not set Google Analytics tags on HIPAA-covered pages.

Note that this guidance states that a healthcare organization should not use Google Analytics or Google Tag Manager where HIPAA may be present. Many organizations use these tools under conditions that the new guidance suggests they should not.

In my next post, I’ll explore possible solutions to this challenge.

PHI and Online Tracking Technologies | https://blogs.perficient.com/2023/04/04/phi-and-online-tracking-technologies/ | Tue, 04 Apr 2023 16:11:33 +0000

Recently, the Health and Human Services Department (HHS) came out with guidance regarding the use of online analytics technologies.  This guidance will impact a lot of Provider and even some payer websites.  This includes hospitals, clinics, medical groups, imaging centers, and more. It gives more insight into how healthcare organizations can better ensure patient data is not inadvertently revealed.

Why Guidance and Not a Rule

This guidance has to do with HIPAA, which is an existing law and for which many organizations already spend a lot of effort ensuring the privacy of that data. The guidance focuses on where most people might think there is no issue. Many think that patient data is behind firewalls and logins and not available on a simple .com site. Why should we worry? It turns out that there is risk, and we need to ensure we do not inadvertently expose the wrong data. Here’s what HHS has to say about this guidance on its web site.

Tracking technologies are used to collect and analyze information about how users interact with regulated entities’ websites or mobile applications (“apps”). For example, a regulated entity may engage a technology vendor to perform such analysis as part of the regulated entity’s health care operations. The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes protected health information (PHI). Some regulated entities may share sensitive information with online tracking technology vendors and such sharing may be unauthorized disclosures of PHI with such vendors. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.

What Advice Does HHS give?

Let’s break down the advice around tracking and HIPAA:

  • This is applicable to online tracking technologies. (web analytics, embedded scripts, etc.)
  • HIPAA rules apply when information collected is disclosed to the tracking tools
  • Providers are NOT permitted to use tracking technologies that result in PHI disclosures
  • This applies to authenticated and unauthenticated scenarios
  • For example, gathering PHI during an online appointment schedule
  • IP addresses count as PHI
  • You need to determine if a tracking vendor requires a BAA

What Do Providers Need To Address

Even simple web sites like your hospital’s main site can collect PHI.  Let me walk you through some examples of where you must be very careful about the use of web tracking technologies.

Find a Doctor

When you schedule an appointment you collect PHI in the form of name, address, reason for the appointment, type of doctor you are seeing, etc. If you use a web tracker of any kind as you capture this information, and that web tracker captures this PHI in its public, unencrypted cloud, then you have a HIPAA violation.

Class or Interest Forms

Many hospitals provide classes and newsletters but as they capture information to register interest or register for the class, they may tie identifying information to a condition.

Clinical Trial Finder

In the same vein, registering interest in a specific clinical trial has the potential to capture PHI if you also use non-HIPAA-compliant tools to track these transactions.

The Bottom Line

Providers need to be very careful when using web and social analytics tracking tools on their public-facing sites. These sites do capture PHI. All provider sites already securely capture it in a variety of forms for transfer to their internal systems. Providers just need to ensure that other analytics tools don’t capture that data and deposit it in their public cloud.

I’ll discuss some additional challenges and do’s and don’ts around PHI and web analytics next time.

HIPAA compliance with Snowflake | https://blogs.perficient.com/2022/01/12/hipaa-compliance-with-snowflake/ | Wed, 12 Jan 2022 22:33:08 +0000

At Perficient, our Data Solutions team has worked closely with our Healthcare division to implement Snowflake for HIPAA and HITECH compliance. Snowflake offers healthcare organizations a secure data warehouse environment with many HIPAA compliance features. Perficient’s implementation team includes Snowflake and health industry subject matter experts. We’ll take a look at Snowflake’s benefits for healthcare providers looking to improve their HIPAA and HITECH compliance efforts and some specific strategies that you can use.

Snowflake Edition and Cloud Provider

Snowflake is a cloud-based solution or Software-As-A-Service (SaaS). This implies that all three Snowflake layers of architecture (storage, computing, and cloud services) are already deployed and maintained on a specific cloud platform. The level of attainable security depends on the Snowflake edition and cloud provider region. The Snowflake Edition that your organization chooses determines the unit costs for the credits and the data storage you use as well as the level of security. The Business Critical Edition provides support for PHI data for compliance with HIPAA for any cloud provider in any region. HITRUST CSF certification for Amazon Web Services is available in seven US, EU, Canada, and Asia Pacific regions. Azure offers one region each in the US, Canada, and Western Europe. At this time, Google Cloud Platform does not support HITRUST CSF with Snowflake. There are some support limitations for 3rd party applications on both Azure and GCP.

Deploying Snowflake Business Critical Edition on Amazon Web Services is currently the most recommended platform for US-based healthcare companies.

Continuous Data Protection

Snowflake tools and architecture enable Snowflake’s Continuous Data Protection (CDP) functionality. CDP covers a wide range of capabilities that help to safeguard data stored in Snowflake against human error, malicious acts, and hardware or software failure. In the event of accidental or deliberate distortion, removal, or corruption of your data, Snowflake enables your data to be accessible and recoverable.

The Standard Edition of Snowflake enables CDP by providing:

  • Automatic encryption of all data
  • Object-level access control
  • Support for multi-factor authentication

The Enterprise Edition of Snowflake provides additional features that can be used to architect a compliant data solution:

  • Periodic rekeying of encrypted data
  • Column-level Security to apply masking policies to columns in tables or views
  • Row Access Policies to apply row access policies to determine which rows are visible in a query result
  • Object Tagging to apply tags to Snowflake objects to facilitate tracking sensitive data and resource usage

Finally, the Business Critical Edition, in addition to providing support for PHI data in accordance with HIPAA and HITRUST CSF, offers the following advanced security features:

  • Customer-managed encryption keys through Tri-Secret Secure
  • Support for Private Connectivity to the Snowflake Service

Deliberate and thoughtful usage of object tagging can help implement the smart row and column-level policies needed to realize HIPAA compliance with Snowflake. 

End-To-End Encryption

Snowflake is designed to minimize risk by encrypting data at rest and in motion. End-to-end encryption (E2EE) is a form of communication in which no one but the end users can read the data. The E2EE architecture minimizes attack surface exposure. Even if a security breach affects the cloud platform’s infrastructure, whether an internal or external attacker causes it, the data remains protected by its encryption.

Encryption

All data files are encrypted throughout each stage of a data movement pipeline. Snowflake has both internal and external stages for data files. Internal stages are in the Snowflake database, which you can use to upload your data files before loading them into tables. External stages are in supported cloud storage systems that you own and control.

Key Lifecycle

The National Institute of Standards and Technology (NIST) recommends limiting the lifetime of a key to enhance security. Snowflake’s Encryption Key Rotation service rotates keys automatically on a regular schedule. When Snowflake identifies that a table master key or account key is more than 30 days old, it automatically rotates it. Data can also be re-encrypted (or “rekeyed”) automatically on a regular basis. Active keys are retired and new ones are generated when necessary.

Periodic data rekeying completes the Encryption Key Rotation lifecycle. When a table’s retired encryption key is more than one year old, Snowflake automatically generates a new encryption key and re-encrypts the data previously encrypted by the old key using it. The table’s data will be decrypted with the new key going forward.

With Snowflake’s Tri-Secret Secure feature, you can restrict access to your data by using a master encryption key that you keep in the cloud provider’s key management service. To create a composite master key, Snowflake combines your key with a Snowflake-maintained key. This composite master key is then used to encrypt all data in your account. Your data can’t be decrypted if either component of the composite master key is revoked, giving you more security and control than Snowflake’s standard encryption. This explicit control over the key provides safeguards that are aligned to your business processes throughout the entire lifecycle. There is a lot of responsibility around safeguarding your key, however.

With Tri-Secret enabled, you can halt all data operations in Snowflake by disabling access to your key in the event of a data breach.

Governance

By allowing you to restrict access based on identity or role, Snowflake allows you to limit who has access to various resources like users and groups. Individual objects in the account (e.g., users, warehouses, databases, tables) can be accessed only with permission, through a hybrid model of DAC (discretionary access control) and RBAC (role-based access control). In the Snowflake model, access to secured items is permitted under permissions assigned to roles, which are in turn granted to other roles or individuals. Furthermore, each securable object has an owner who may grant access to other roles. This method of control differs from a user-based control system in which rights and privileges are assigned to individual users or groups. This object access model supports data governance implementations needed for HIPAA compliance.

Governance in Snowflake is implemented using:

  • column-level security
  • row access policies
  • object tagging

Column-level Security

Column-level security is realized through masking policies. When users submit a query that includes a masking policy, the masking policy’s conditions determine whether or not unauthorized users see unmasked, partially masked, obfuscated, or tokenized data. The policy-driven approach allows security teams to define restrictions that limit sensitive data exposure, even for the owner of an object who otherwise has unlimited access to the underlying data. Masking policies, as a schema-level item, also provide choices in selecting a centralized, decentralized, or hybrid management approach.

Masking can be implemented either through dynamic data masking or external tokenization. External tokenization requires using an external function in the masking policy body to make a REST call to a third-party tokenization provider. With external tokenization, analytical value is preserved after de-identification. Because tokenization produces a distinct token for each distinct input string, records may be grouped and classified by token value without disclosing the sensitive information itself.

Snowflake provides secure views to control access to sensitive data, but secure views have administrative difficulties owing to the large number of views and derived business intelligence (BI) dashboards from each view. Masking policies solve this management challenge by avoiding an explosion of views and dashboards to manage. Masking policies support segregation of duties (SoD) through the role separation of policy administrators from object owners. Secure views lack segregation of duties (SoD).

Use masking instead of secure views to maintain Separation of Duties. Mask all sensitive data and tokenize where distinct values are analytically meaningful (patient diagnosis code versus social security number).

Row Access Policies

Row access policies implement row-level security to determine which rows are visible in the query result. Snowflake supports nested row access policies, such as a row access policy on a table and a row access policy on a view over the same table. Like column-level security, row access policies can include conditions and functions to transform the data when certain conditions are met, potentially limiting sensitive data exposure. This Separation of Duties at the row and column level is a powerful tool for achieving compliance.

A row access policy is a set of logic used to control which rows are visible in the context of a specific condition. The simplest implementation is to provide an attribute (e.g., member_id) and then define a role that can be filtered on that parameter. Mapping tables can be used to provide more elaborate or fine-grained restrictions. However, mapping tables may decrease performance in some instances.

Cluster by attributes used for policy filtering when possible.

Object Tagging

A tag is a schema-level item that can be linked to another Snowflake object such as tables, views, or columns. When you apply the tag to a Snowflake entity, you may assign it any string value. The tag and its string value are recorded as a key-value pair. Setting a tag and then querying it allows you to discover a wide range of database objects and columns with sensitive information.

Tags enable data stewards to track sensitive data for compliance, discovery, protection, and resource usage use cases through either a centralized or decentralized data governance management approach. By using tags in data discovery, information security professionals and/or data stewards can examine how the data should be made available, such as whether it should be filtered using row access controls or whether it should be tokenized, fully masked, partially unmasked, or completely unmasked.

Create and implement a tagging policy BEFORE you create the column and row level policies.
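The three governance pieces above, wired together in the order the post recommends (tag first, then a tag-driven masking policy, then a mapping-table row access policy), as an added example that is not code from the post or from Snowflake. It assumes a database CLINICAL with schemas GOVERNANCE and PHI, and pre-existing roles POLICY_ADMIN, PHI_ADMIN, CARE_ANALYST_NORTH and CARE_ANALYST_SOUTH; the table, mapping rows and people are constructed.

```sql
-- Added example (not from the post). Assumed to exist: database CLINICAL,
-- schemas CLINICAL.GOVERNANCE and CLINICAL.PHI, roles POLICY_ADMIN, PHI_ADMIN,
-- CARE_ANALYST_NORTH and CARE_ANALYST_SOUTH.

-- 0. Segregation of duties: POLICY_ADMIN may apply tags and policies
--    account-wide; object owners cannot remove them.
USE ROLE ACCOUNTADMIN;
GRANT APPLY TAG ON ACCOUNT TO ROLE POLICY_ADMIN;
GRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE POLICY_ADMIN;
GRANT APPLY ROW ACCESS POLICY ON ACCOUNT TO ROLE POLICY_ADMIN;

USE ROLE POLICY_ADMIN;
USE SCHEMA CLINICAL.GOVERNANCE;

-- 1. Tag first: a fixed vocabulary for classifying PHI columns.
CREATE OR REPLACE TAG phi_class
  ALLOWED_VALUES 'direct_identifier', 'diagnosis', 'none'
  COMMENT = 'PHI classification; drives the masking policy below';

-- 2. One tag-based masking policy for STRING columns. The tag value on the
--    column being read decides how non-PHI_ADMIN roles see it: direct
--    identifiers are fully masked, diagnosis codes are tokenized with a
--    deterministic hash so equal codes stay equal (a constructed stand-in
--    for an external tokenization function). Columns tagged 'none' pass through.
CREATE OR REPLACE MASKING POLICY phi_string_mask AS (val STRING)
  RETURNS STRING ->
  CASE
    WHEN IS_ROLE_IN_SESSION('PHI_ADMIN') THEN val
    WHEN SYSTEM$GET_TAG_ON_CURRENT_COLUMN('CLINICAL.GOVERNANCE.PHI_CLASS')
         = 'direct_identifier' THEN '***MASKED***'
    WHEN SYSTEM$GET_TAG_ON_CURRENT_COLUMN('CLINICAL.GOVERNANCE.PHI_CLASS')
         = 'diagnosis' THEN SHA2(val, 256)
    ELSE val
  END;

-- Attaching the policy to the tag covers every STRING column carrying the
-- tag, now and in future, instead of one ALTER per column.
ALTER TAG phi_class SET MASKING POLICY phi_string_mask;

-- 3. Row access policy backed by a mapping table: a role sees only the
--    care regions it is mapped to; PHI_ADMIN sees every row.
CREATE OR REPLACE TABLE region_role_map (
  region    STRING NOT NULL,
  role_name STRING NOT NULL
);
INSERT INTO region_role_map VALUES      -- constructed mapping rows
  ('NORTH', 'CARE_ANALYST_NORTH'),
  ('SOUTH', 'CARE_ANALYST_SOUTH');

CREATE OR REPLACE ROW ACCESS POLICY region_rap AS (row_region STRING)
  RETURNS BOOLEAN ->
  IS_ROLE_IN_SESSION('PHI_ADMIN')
  OR EXISTS (
    SELECT 1
    FROM CLINICAL.GOVERNANCE.region_role_map m
    WHERE m.region = row_region
      AND m.role_name = CURRENT_ROLE()
  );

-- 4. The protected table: PHI columns are tagged at creation time and the
--    table is clustered on the attribute the row policy filters on.
--    (In production the data owner, not POLICY_ADMIN, would create it.)
CREATE OR REPLACE TABLE CLINICAL.PHI.patient_encounter (
  member_id      NUMBER,
  patient_name   STRING WITH TAG (CLINICAL.GOVERNANCE.phi_class = 'direct_identifier'),
  ssn            STRING WITH TAG (CLINICAL.GOVERNANCE.phi_class = 'direct_identifier'),
  diagnosis_code STRING WITH TAG (CLINICAL.GOVERNANCE.phi_class = 'diagnosis'),
  region         STRING,
  encounter_date DATE
)
CLUSTER BY (region);

ALTER TABLE CLINICAL.PHI.patient_encounter
  ADD ROW ACCESS POLICY CLINICAL.GOVERNANCE.region_rap ON (region);

INSERT INTO CLINICAL.PHI.patient_encounter VALUES   -- constructed, fictitious
  (1001, 'Jane Example', '000-00-0001', 'I10',   'NORTH', '2022-01-03'),
  (1002, 'John Example', '000-00-0002', 'E11.9', 'SOUTH', '2022-01-04'),
  (1003, 'Ann Example',  '000-00-0003', 'I10',   'NORTH', '2022-01-05');

GRANT USAGE ON DATABASE CLINICAL TO ROLE CARE_ANALYST_NORTH;
GRANT USAGE ON SCHEMA CLINICAL.PHI TO ROLE CARE_ANALYST_NORTH;
GRANT SELECT ON TABLE CLINICAL.PHI.patient_encounter TO ROLE CARE_ANALYST_NORTH;

-- 5. Verify what is attached before analysts start querying.
SELECT policy_kind, policy_name, ref_column_name
FROM TABLE(CLINICAL.INFORMATION_SCHEMA.POLICY_REFERENCES(
  REF_ENTITY_NAME   => 'CLINICAL.PHI.PATIENT_ENCOUNTER',
  REF_ENTITY_DOMAIN => 'TABLE'));

-- As CARE_ANALYST_NORTH only the two NORTH rows are visible, patient_name
-- and ssn read ***MASKED***, and both 'I10' rows share one SHA2 token, so
-- a count per diagnosis still works without exposing the code itself.
USE ROLE CARE_ANALYST_NORTH;
SELECT diagnosis_code, COUNT(*) AS encounters
FROM CLINICAL.PHI.patient_encounter
GROUP BY diagnosis_code;
```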

Support for Private Connectivity to the Snowflake Service

Private connectivity allows you to bypass the public internet when working with Snowflake on the cloud. Snowflake does not provide private connectivity as a service, but it has partnered with Amazon Web Services, Microsoft Azure and Google Cloud Platform to support private connectivity as it is implemented natively on each platform. Regardless of cloud provider, you will need to have Business Critical Edition. You will need to contact both Snowflake Support and the cloud provider to initiate and manage the process. Although each cloud provider is

AWS PrivateLink is an AWS service that allows you to connect your VPCs without crossing the public Internet. Because Snowflake on AWS is based in a VPC, PrivateLink allows you to establish a highly secure network between Snowflake and other AWS VPCs in the same region, as well as being fully protected against unwanted external access. PrivateLink with private endpoints supports external functions. External functions are used, among other things, to support external tokenization for column-level security. You can also use AWS Direct Connect to connect all of your virtual and physical environments in a single, secure network if you have an on-premises environment (e.g., a non-hosted data center).

Azure Private Link allows for private connectivity to Snowflake by ensuring that access to Snowflake is via a private IP address. Only traffic from the customer virtual network (VNet) to the Snowflake VNet is allowed using the Microsoft backbone, avoiding public Internet access.

Google Cloud Private Service Connect allows you to get private access to Snowflake by utilizing a private IP address for access. Snowflake is represented in your network (i.e., the client network), but the data travels in one direction along the Google networking backbone from your VPC to Snowflake’s VPC.

Private connectivity should be considered as part of your advanced security profile. All three major cloud providers support private connectivity at some level but Amazon Web Services currently has a somewhat more comprehensive offering.

Conclusion

Snowflake is quickly becoming the data warehouse of choice for healthcare providers looking to ensure HIPAA compliance. Its cloud-based design makes it ideal for big data analytics, and its security features provide a safe environment for storing PHI. Snowflake’s governance features also make it well-suited for healthcare organizations. By selectively granting access to individual objects (e.g., users, warehouses, databases, tables), Snowflake enables organizations to precisely control who can view and work with PHI. To implement HIPAA compliance, healthcare providers will want Snowflake’s masking features and external tokenization support.

If you’re ready to move to the next level of your data-driven enterprise journey in the heavily regulated healthcare space, contact Juliet.Silver@perficient.com with Healthcare or Bill.Busch@perficient.com with Data Solutions.

Hip On HIPAA: Tip for a Smooth Launch | https://blogs.perficient.com/2021/03/24/hip-on-hipaa-tip-for-a-smooth-launch/ | Wed, 24 Mar 2021 16:41:22 +0000

A scenario: your experience, virtual health, and marketing leaders have shaped creative and compelling ideas to personalize interactions with healthcare consumers.

Of course, execution drives those inspirations to fruition, and any type of communication connected to patient data requires a new set of considerations. Realistically, you’ll employ the expertise of development teams as you move your vision toward reality.

YOU MAY ALSO ENJOY – Hip On HIPAA: The Secret Sauce to Successful Marketing Campaigns

An Agile Way of Working With Your Tech Teams

Over the past 20 years or so, how large-scale data and software development projects are implemented has transformed from standard Software Development Life Cycle (SDLC) methodologies, such as waterfall and iterative, to more collaborative approaches like Agile and the Scaled Agile Framework (SAFe).

Companies recognize the benefits of Agile concepts and many are on a journey to fully adopt them. Some currently use a hybrid approach, taking Agile tenets such as the backlog, sprint planning, sprints and daily standups and incorporating them into an iterative/waterfall methodology.

My point here is there are multiple ways to go about executing the delivery of software development projects. However, regardless of the methodology used there is one constant in the delivery equation that never changes…

And that is data.

Data: At the Heart of Progressive Healthcare Interactions

In the healthcare industry there are many rules in place that guide the use and dissemination of data. These rules are defined as part of HIPAA (Health Insurance Portability and Accountability Act) and govern the use of PHI (Protected Health Information).

One of the most important aspects of working with healthcare data is to ensure all PHI data is masked prior to starting the testing of any logic. This protects the company, employees, and any third-party vendors from accidentally violating HIPAA compliance rules regarding the protection of PHI data and facing fines and penalties (or even worse).

YOU MAY ALSO ENJOY – [Podcast] Healthcare Data is Changing Consumer Care

Production Tip for HIPAA-Compliant Personalized Interactions

Most companies have a formal process to request the selection of a subset of production data and the masking of that data for testing purposes. However, it needs to be planned for. Securing masked testing data could take anywhere from 2 to 4 weeks, depending upon the type of data that needs to be selected and the lead time required to coordinate the selection of the required data.

If not properly planned for, this could cause delays in the development and testing of your project’s solution.

So remember, no matter what development methodology you employ, take the time to properly plan for the amount and type of data required to successfully test your software logic.

YOU MAY ALSO ENJOY – Hip On HIPAA: How Do We Deliver Better Front-End Experiences

Struggling to Meld HIPAA Compliance and Great Experiences?

We can help. Reach out, and let’s talk.

Hip On HIPAA: Pushing Back to Use Patient Data | https://blogs.perficient.com/2021/03/15/hip-on-hipaa-pushing-back-to-use-patient-data/ | Mon, 15 Mar 2021 17:01:28 +0000

As we continue our series of posts on making HIPAA work for you, I am going to address a common problem we hear from health care marketers: “My board/boss/CMO/Legal Counsel says we cannot use patient data for marketing communications.”

This is a tough one. Truly, your board of directors and your legal counsel are ultimately going to dictate the amount of risk they are willing to accept in regard to using patient data for outbound communications. Some organizations have a zero-risk tolerance for using data. Period. Sorry, you may be out of luck. We know mistakes can happen. We know breaches happen. We even know that a phone call from a hospital VIP because their spouse received a personalized post card on weight-loss surgery can be a career-altering event (true story). So, that aversion to risk isn’t unfounded. It’s real, and the fallout can be bad. HIPAA is serious.

So what’s a modern, data-driven marketer to do?

As stated above, you may be out of luck.

But… if you have the courage, you may also have a chance to change the hearts and minds of those zero-riskers by providing some new information.

In my experience, if you want to change a person’s mind, nothing works better than creating anxiety that someone else knows more than they do.

Let your leaders know how other health systems are gaining a competitive advantage and market share by using PHI to be data-driven. Because they absolutely are. My last blog talked about how HIPAA expertise can provide the “secret sauce” of successful marketing, but this isn’t much of a secret. The evidence is everywhere. Everyone from top health systems to community hospitals is using patient data to drive successful communications while doing everything possible to avoid violating HIPAA. Nothing can state your case better than your competitor’s success.

If they can do it, you can too!

Earning patient loyalty through relationships

In a consumer-driven world, customer loyalty should never be assumed. Customer relationship management is about earning and cultivating that loyalty.

Would you remain in a relationship with someone who doesn’t listen to you?

Would you remain loyal to someone who doesn’t care what’s happening in your life?

Because there is a competitor across town who is more than willing to listen. They will know you are due for that colonoscopy or that your last mammogram was over 16 months ago. They even know you were recently diagnosed with hypertension. And they care. They’re not afraid to reach out and let you know they’re worried about you.

In healthcare, this is what a relationship looks like, and this is how we gain loyalty. You can’t do this without leveraging patient data.

A CRM database can be the tool that (just as its name describes) helps you manage these patient relationships. I’ve talked in the past about how CRMs for healthcare have evolved to provide a “decision engine” that helps understand the complex health needs of individual consumers, and how they are still evolving to adapt to the changing market. And I’ve also discussed how these healthcare-specific platforms differ from the enterprise CRMs in use in virtually all business verticals. As you state your case to create a data-driven marketing department, a CRM platform can be a vital component of your plan. Make sure to do some research on what you would need.

Overcoming assumptions about personalized marketing and patient data

In 2020 we worked with a large health system that was transitioning from a legacy healthcare CRM to Salesforce. In tandem with implementing the new platform, my role was to create marketing-automation strategies designed to jump-start key service lines that had slowed during Covid.

As we discussed the kind of encounter level information that could be used to trigger an email automation campaign, we learned of some internal assumptions that had kept them from using certain patient information in the past.

By overcoming these assumptions, we were able to build robust, highly-personalized HIPAA-compliant trigger campaigns that could run indefinitely – constantly finding the right person at the right time.

Being data-driven is much more than just sending out targeted communications

Patient data is the key to getting the right message to the right person. But even beyond targeting, the advantages to be gained by leveraging this information can transform all aspects of marketing, business development, and patient engagement. Be sure to share the other ways patient data can empower your activities:

  1. Better planning data and goal setting. Data science and modeling fueled by real encounter information can help create realistic markers for success. Model future growth based on past patients. Plot where high-value populations live. Use real numbers when determining how much to budget for future campaigns.
  2. Timing. My unsung hero of being data-driven means really understanding the critical importance of timing in healthcare communications (see last blog) and being there when it matters.
  3. Tracking. By giving marketers better visibility into patient data, we have a much clearer view of success. Do the people we target truly return for subsequent encounters? If you can’t track response with patient data, you will be making a lot of assumptions regarding your own success.
  4. Data-driven content development. There is no better method to develop custom content for marketing than by taking a deep dive into the demographics of existing patients as well as those most likely to need a service in the future. A demographic profile of your past heart patients can give vast amounts of insight regarding how to talk to future heart patients.

With the right people and experienced partners, you can have the best of both worlds. It is possible to be data-driven while being HIPAA-compliant and doing everything possible to limit risk.

Put together a plan to get the resources you need to transform your marketing. Do your homework. Get examples of success stories and demonstrate how you can safely leverage PHI to create a truly data-driven department.

Hip On HIPAA: How Do We Deliver Better Front-End Experiences (Mon, 08 Mar 2021) https://blogs.perficient.com/2021/03/08/hip-on-hipaa-how-do-we-deliver-better-front-end-experiences/

The other day a question came up about what extra due diligence we need to do to adhere to HIPAA compliance requirements. My first thought was that, of course, we comply by embracing that extra due diligence in everything we deliver.

But of course, the devil is in the details. Those details get a little thorny when you create good front-end experiences without crossing the line and sharing any information.

Let me discuss three examples of how you can create a better consumer experience while still taking HIPAA into account:

  1. Registering for a patient portal
  2. Patient registration with an online form
  3. Personalization on a site

Registering on a Patient Portal

Many hospitals commonly require a physical signature and ID before giving access to your patient portal. Technically, this meets all the demands of HIPAA and ensures your privacy. But it requires a lot of extra time just to get access to something most patients won’t use all that frequently. You can set up a process like this, but consider other options.

Other industries commonly use information about you to help with self-verification. What if you could:

  1. Start registration with your name, MRN, and a couple of other pieces of information
  2. Go through a process where you answer very specific questions like, “Where did you get your first loan?” or “What car did you buy in 1999?”
  3. Finish with some additional email verification

This type of approach makes it possible to let patients register for the portal without a physical signature or a trip to the hospital. It ensures it’s you because you have key pieces of information known only to you. It ensures your patients don’t start with a bad experience in the digital world they share with you.

Of course, any process like this must be vetted with your compliance organization and with legal. We found that a combination of those two helps to get past issues where one group may focus only on the perceived issues and not on how to adhere to the law and give a better experience.

Online Forms

We’ve all been there. You fill out a pre-registration form and it goes through seven different screens. 98% of that information already exists somewhere in that clinic or hospital records, but you get to do it all over again.

It’s as if they don’t know you despite having access to that very information. It is possible to solve this frustration, but you must be careful. You want to use this data to pre-populate a form, but you must do this in a safe and effective manner.

Here are some thoughts:

  1. If you have a custom portal, don’t store PHI on that portal. Make real-time calls to more secure back-end systems to get that information.
  2. Don’t require users to key in information like a Social Security number in the open. You can partially mask it and have the user confirm that the last four digits are correct.
  3. Verify that the information you “need” is truly what you need and not too much.
  4. Have two versions of forms: one longer form for new patients and one shorter form for existing patients. Once they log in, you can give them a better experience.
  5. Use these types of events to suggest that now is a great time to sign up for the portal.
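Points 1 and 2 above, as an added Python example that is not code from the original post: the portal never stores the record, the form view only ever receives the masked value, and the last-four check is done against the back end with a constant-time compare. The MRN, the record contents and the fetch_patient lookup are constructed stand-ins for the real-time call to the secure back-end system.

```python
import hmac
import re

# Constructed sample record standing in for the secure back-end system of record.
# A real portal would fetch this per request and never persist it.
BACKEND_RECORDS = {
    "MRN-0001": {"name": "Jane Example", "ssn": "123-45-6789", "dob": "1980-02-03"},
}


def fetch_patient(mrn):
    """Hypothetical real-time lookup against the back-end system (stand-in)."""
    record = BACKEND_RECORDS.get(mrn)
    return dict(record) if record else None


def mask_ssn(ssn):
    """Return the display form with everything but the last four digits masked."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a nine-digit SSN")
    return "***-**-" + digits[-4:]


def prefill_form(mrn):
    """Build the pre-populated form view; the full SSN never leaves this function."""
    record = fetch_patient(mrn)
    if record is None:
        return None
    return {
        "name": record["name"],
        "dob": record["dob"],
        "ssn_display": mask_ssn(record["ssn"]),
    }


def confirm_last_four(mrn, supplied):
    """Compare the user's last four digits against the back end in constant time."""
    record = fetch_patient(mrn)
    if record is None or not re.fullmatch(r"\d{4}", supplied or ""):
        return False
    expected = re.sub(r"\D", "", record["ssn"])[-4:]
    return hmac.compare_digest(expected.encode(), supplied.encode())
```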

Remember that you can take small steps to create a better digital experience. It just takes thought and effort.

Personalizing the Experience

Regardless of industry, every company or organization wants to create a more personalized experience. Most find it to be incredibly difficult. Health care organizations (HCOs) find it even more so.

How do you use insights about a patient having high blood pressure to help them learn more about their diagnosis and provide options to proactively address the issue? You shouldn’t just come right out and state it. That’s especially true when they are on a public, non-logged in site.

But you can provide insights.

For example, you can have an area with relevant articles from a health library. If you have online classes or other events, you can make them aware of it without explicitly saying anything.

Finally, if they click on these personalized articles or classes, you can also make them aware of excellent clinicians who can treat someone with their condition and why anyone who has it needs to take a first step.

This approach isn’t perfect, but it ensures that if someone is curious enough to come to your site and identify themselves, then you can guide them in the right direction to addressing their health needs.
