Healthcare Marketing Compliance with Conversation Intelligence

Keeping up with the never-ending search engine algorithm changes, evolving privacy regulations, and new technologies can make any marketer’s head spin faster than a couple double quarantinis. For healthcare marketers, the compliance and privacy regulatory landscape can induce more than headaches — not following the rules can result in big fines and a loss of customer trust.

Healthcare and health insurance marketers will frequently see their customers call at some point in the patient journey. So if they’re tracking calls generated by marketing campaigns, not only do they have to make sure their digital marketing complies with regulatory requirements, they also have to make sure that any call tracking or conversation intelligence platform they’re using collects and shares data in a manner that complies with privacy laws like HIPAA.

Here’s how healthcare marketers can drive more revenue, improve the patient experience, and run HIPAA-compliant marketing campaigns while using AI-powered conversation intelligence.

Data Privacy Regulations that Impact Healthcare Marketers

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act or HIPAA was instituted to provide data privacy and security provisions for safeguarding the medical information of individuals. Specifically, it regulates the use and transfer of medical information in four areas that can impact healthcare marketing:

  • Privacy and patient confidentiality
  • Security, including physical, technological, and administrative safeguards for protected information
  • Identifiers, including the types of information that cannot be released if collected for research purposes
  • Codes for electronic transmission of data in healthcare-related transactions, including eligibility and insurance claims and payments

The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.

It also requires that healthcare companies and their business associates (e.g., vendors, agencies, technology providers, etc.) enter into contracts known as Business Associate Agreements (BAAs) to ensure that those business associates will adequately safeguard protected health information (PHI).

There is no formal certification process for HIPAA; compliance relies mainly on a company’s self-attestation that it is HIPAA compliant. BAAs are put in place to give legal teeth to liability and accountability, so that the requirements of the standard are upheld by all parties involved.

While HIPAA is the most obvious regulation that affects healthcare marketing, GDPR and CCPA compliance may come into play, too.

Vendors must be BAA-supported to ensure HIPAA compliance

The Department of Health & Human Services (HHS) issued a reminder bulletin outlining the use of online tracking as it relates to HIPAA in 2022. While the bulletin did not provide new guidance or policy, it suggests that HIPAA-covered entities must execute a Business Associate Agreement (BAA) with any vendor that may handle PHI. The BAA establishes a legally binding relationship that ensures collection of PHI is permissible and will not violate HIPAA. This has led healthcare marketers to reevaluate their existing ad and website tracking solutions, as some vendors like Google will not sign BAAs. In some cases, healthcare companies took the drastic action of removing conversion tags and turning off automated solutions like Google Ads Smart Bidding.

General Data Protection Regulation (GDPR)

When GDPR went into effect in 2018, many US-based companies assumed that they were exempt from the regulations if they did not do business in the EU. Many assumed incorrectly, as the regulation covers any data gathered on an EU resident anywhere in the world. That includes an EU citizen who visits a small practice for care while in the U.S. 

In most cases, though, GDPR can be seen as an extension of the same protections and requirements of HIPAA for U.S.-based healthcare and health insurance marketers. GDPR expands on the idea by regulating the whole life cycle of personal and sensitive information, similar to the protection that HIPAA offers for personal health information (PHI). This includes how information is collected, processed, stored, and eventually destroyed.

California Consumer Privacy Act (CCPA)

CCPA is new state legislation that will provide additional data privacy rights and consumer protections for residents of California. Now, don’t leave the room because your business is not based in California: CCPA, much like GDPR in the EU, applies to any company that conducts business in or on behalf of anyone in California. Since California makes up 12% of the national population and 17% of its net worth, that likely means you.

CCPA gives California consumers the right to:

  • Know what personal data is being collected about them
  • Opt out of having their data sold to a third party or used by the company they transacted with
  • Have access to the data that has been collected on them
  • Have any data collected be deleted from a business’s systems
  • Not be discriminated against by the company for exercising any of the above rights

When it comes to healthcare marketers, though, healthcare organizations in the US that are already compliant with HIPAA are exempt from the important “right to forget” clauses in the CCPA. However, that exemption applies only to protected health information (PHI). So, if there’s any other non-PHI information on a consumer that is personally identifiable, like a billing record, call record, or even browser cookies or user-level ad IDs, that information has to be “forgotten.”

Payment Card Industry Data Security Standard (PCI DSS) 

If you take payments over the phone, Payment Card Industry Data Security Standard (PCI DSS) may apply to your organization, and your call tracking platform, as well. While call tracking providers do not directly handle payment processing, PCI DSS compliance may be required for call tracking users who process payments over the phone. This is because some call analytics features will record and/or transcribe calls and therefore potentially record sensitive customer data. Invoca has gone through the formal audit and is certified in the PCI DSS standards with all call analytics features — including Signal AI conversation analytics — enabled. 

Why Your Call Tracking Software Must be Compliant

If you’re using call tracking software to get attribution for conversions that happen on the phone or in the contact center, you could run afoul of data privacy and security compliance measures. This is because any of your calls that are routed through the platform may be recorded, transcribed, or in many cases, both. Transcription and recording enable the speech analytics algorithm to analyze the call and detect conversation outcomes (e.g., appointment set), spot trends, and analyze customer interactions in the contact center that can help you coach agents.

Software Compliance Features Healthcare Marketers Need to Look For

While most call tracking and conversation intelligence platforms are HIPAA compliant, some achieve that only with caveats. Namely, they require that you turn off features like phrase spotting, call recording, and AI-powered speech analytics, which enable you to automatically analyze and classify calls.

Invoca’s conversation intelligence platform provides HIPAA, GDPR, and CCPA compliance without the compromises. Invoca can record and transcribe inbound calls in a secure and privacy-friendly way to enable marketers to uncover new sources of customer data and insight. With improved visibility into these important customer interactions, healthcare marketers can drive cost savings from their media spend, and deliver improved customer experiences. 

Another reason it’s important that your conversation intelligence platform is HIPAA compliant with all speech analytics features enabled is that it can actually be used to ensure compliance in your contact centers. By creating signals that can automatically detect non-compliant conversations with patients, such as contact center agents giving out medical advice, you can coach agents to respond to inquiries appropriately.

One of the ways Invoca is able to meet compliance standards while providing call recordings, transcription, and full conversation analytics functionality is with automated redaction of sensitive caller information. Redaction happens automatically through a process of scanning and analyzing each inbound call recording, and identifying and removing any instances where sensitive information is spoken. To ensure optimum security, call information is only exposed after applicable PCI sensitive information has been redacted from the call recording and transcript. Redaction includes credit card number, credit card expiration date, credit card security code, Social Security number, and date of birth.
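To make the redaction step above concrete, here is an added illustration of how a transcript redactor for the five categories the paragraph lists (card number, expiration date, security code, Social Security number, date of birth) can work. This is example code written for this page; it is not Invoca’s implementation, and the `[REDACTED …]` placeholder tokens, the rule order, and the sample transcript are all assumptions made for the demonstration. It goes a little beyond the paragraph in two ways a practitioner cares about: card numbers are confirmed with a Luhn check so that an unrelated 16-digit confirmation number is left alone, and a date or a short number is only treated as a DOB or security code when the surrounding speech announces it as such, so an appointment date survives.

```python
import re
from typing import Callable, Dict, Tuple

# Constructed sample transcript for the demo (not real caller data).
SAMPLE_TRANSCRIPT = [
    "Agent: Can I get the card number please?",
    "Caller: Sure, it's 4111 1111 1111 1111, expires 09/27 and the security code is 123.",
    "Caller: My social is 219-09-9999 and my date of birth is 03/15/1984.",
    "Agent: Thanks, I've booked your appointment for 04/22/2024 at 10am. "
    "Your confirmation number is 1234 5678 9012 3456.",
]

# A run of 13-19 digits, optionally separated by spaces or dashes; confirmed by Luhn below.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security number in the spoken/written ###-##-#### form.
SSN = re.compile(r"\b\d{3}[- ]\d{2}[- ]\d{4}\b")
# Context-gated patterns: the value is only redacted when it is announced as a
# DOB, expiration date or security code within a few words. Group 1 and 2 are
# kept (the announcement), group 3 is the sensitive value.
DOB = re.compile(r"(?i)\b(date of birth|dob|born|birthday)\b(.{0,20}?)"
                 r"(\d{1,2}/\d{1,2}/\d{2,4}|[A-Za-z]+ \d{1,2},? \d{4})")
EXPIRY = re.compile(r"(?i)\b(expir\w*|exp\b\.?)(.{0,15}?)"
                    r"((?:0[1-9]|1[0-2])/(?:\d{2}|\d{4}))\b")
CVV = re.compile(r"(?i)\b(security code|cvv2?|cvc|cid)\b(.{0,15}?)\b(\d{3,4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (doubles every second digit from the right)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _redact_cards(text: str) -> Tuple[str, int]:
    """Replace digit runs that pass the Luhn check; leave other long numbers intact."""
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            count += 1
            return "[REDACTED CARD]"
        return m.group(0)

    return CARD_CANDIDATE.sub(repl, text), count


def _redact_with_context(pattern: "re.Pattern[str]", label: str, text: str) -> Tuple[str, int]:
    """Keep the announcing words (groups 1-2), replace the value (group 3)."""
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        count += 1
        return f"{m.group(1)}{m.group(2)}[REDACTED {label}]"

    return pattern.sub(repl, text), count


def redact_transcript(text: str) -> Tuple[str, Dict[str, int]]:
    """Return the redacted transcript plus per-category hit counts for an audit log.

    Rule order matters: full dates (DOB) run before MM/YY expiry dates, because
    MM/YY is a prefix of MM/DD/YYYY, and card numbers run before the security
    code so a card digit group is never mistaken for a 3-4 digit CVV.
    """
    counts: Dict[str, int] = {}
    text, counts["card"] = _redact_cards(text)
    text, counts["ssn"] = SSN.subn("[REDACTED SSN]", text)
    text, counts["dob"] = _redact_with_context(DOB, "DOB", text)
    text, counts["expiry"] = _redact_with_context(EXPIRY, "EXPIRY", text)
    text, counts["cvv"] = _redact_with_context(CVV, "CVV", text)
    return text, counts


if __name__ == "__main__":
    redacted, hits = redact_transcript("\n".join(SAMPLE_TRANSCRIPT))
    print(redacted)
    print(hits)
```

Because `.` does not match a newline, the context window never crosses a transcript line, so an announcement on one turn cannot cause a value on the next turn to be redacted; the hit counts give the audit trail (what was removed, never what it was) that a reviewer would want to see before the recording or transcript is released to marketing users.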

Invoca also requires all HIPAA-covered entities to execute a Business Associate Agreement (BAA). This establishes a legally binding relationship that ensures Invoca’s collection of PHI is permissible and will not violate HIPAA. Invoca can provide and will sign BAAs with its healthcare customers to ensure compliance.

From Prospect to Patient: How Healthcare Marketers Use Conversation Intelligence

Healthcare marketers can use conversation intelligence and call tracking software to get full visibility into the journey from prospect to patient. With insights from conversations that are occurring in the contact center, you can optimize your marketing campaigns and messaging and improve the customer experience both online and offline. Here are some of the results healthcare marketers have achieved with Invoca conversation intelligence:

Banner Health

Banner Health is one of the largest nonprofit healthcare systems in the country. They use Invoca to see how many appointment calls each marketing campaign drives to track their true ROI. This allows them to double down on what’s working and cut spend on underperforming campaigns. They also use Invoca to segment audiences, including: loyal patients, patients who visit intermittently, and new patients. This helps to inform their bidding strategy — for instance, they can increase bids on new patients to prioritize acquisition and reduce bids on loyal patients who are likely to return.

Get the case study to see how Banner Health drove these results with Invoca. 

University Hospitals

University Hospitals’ goal is to create a more seamless journey for patients, from the moment they start researching symptoms or doctors through billing and follow-up care. They use Invoca for Healthcare to greatly improve the patient experience when they call to make appointments, optimize marketing to drive more high-value appointment calls, and provide more effective and consistent messaging across the board. Invoca even helped them discover call experience issues they didn’t know were occurring—resulting in a dramatic increase in appointment conversion rates.

Get the case study to see how University Hospitals drove these results with Invoca. 

Comfort Keepers

Comfort Keepers is a leading provider of in-home care for seniors, with over 650 franchisee locations in the U.S. To be successful, franchisees rely on the Comfort Keepers marketing team to deliver not just a steady stream of new sales opportunities but also qualified job applicants. With Invoca AI-powered conversation intelligence, Comfort Keepers increased phone sales conversions, drove more high-value calls to franchisees, and decreased their acquisition costs.

Get the case study to see how Comfort Keepers drove these results with Invoca. 
