Depending on how you look at it — and who you ask — the state of the healthcare data privacy union is either strong or hopelessly splintered.

On one hand, healthcare marketers fully understand the gravity of the situation. Those who fail to safeguard sensitive health information will be held accountable by customers, healthcare professionals, technologists and regulators alike. At this point in the information revolution, protecting the sanctity of personal data is table stakes.

On the other hand, well, how long do you generally go without some kind of notice that your personal information — health, financial or otherwise — has been misappropriated, whether by bad actors or for impermissible uses? According to the Department of Health and Human Services, there were over 700 major healthcare data breaches affecting more than 45 million individuals in 2021.

In the nearly five years since the Facebook/Cambridge Analytica data scandal awakened the unaware to the potential for data abuse, the aftershocks are still being felt across the technology and marketing landscapes. Consumers are not merely concerned about data privacy; they’re taking proactive steps to wrest back control over their data from organizations they don’t trust.

And tech giants are following suit. In April 2021, as part of an effort to clamp down on the flow of user data on iPhones, Apple introduced a software update that allowed users to opt out of data-sharing and limit the ability of advertisers to track information across apps or websites.

In February 2022, Google announced in that it was planning privacy changes for Android devices that essentially mirrored Apple’s actions. However, Google has delayed implementation of its decision to block third-party cookies in its Chrome browser until 2024.

Marketers who rely on access to user data to personalize their messaging and advertising campaigns have not reacted well to the changes, needless to say. According to a 2021 Innovid survey, more than 80% of marketers said they use third-party cookies.

Medical marketers have thus been left to wonder how data-restricting technologies will affect relationships with patients and HCPs, if at all. Complicating the situation is healthcare’s traditional status as a techno-laggard: Even as the industry goes fully digital, it continues to play catch-up with other verticals in terms of its data protection practices.

Most large industries have adopted the type of data technologies, particularly cloud-based computing, that enables a shift away from highly siloed operations, according to John Sculley, chairman of the board at NirvanaHealth and cofounder of Zeta Global. Sculley is also the former CEO of Apple.

Sculley believes that as consumerism empowers patients to take control of their data, security regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are increasingly relevant to marketers. So, too, are blockchain and cloud computing, which he says give people confidence in their data privacy while also meeting the high security standards set by regulators.

Behavior change in healthcare is achievable, Sculley says, noting that other industries have adapted their practices to meet evolving consumer preferences.

“In the early part of the 21st century people were still skeptical about whether you could actually do online banking. Obviously, that question has been answered,” he notes. “You don’t have to change the whole $4 trillion industry to be able to get some giant success stories.”

Partly as a result of the COVID-19 pandemic limiting in-person care, healthcare as an industry has become more comfortable with all things digital during the last 30 months. While many of the changes have served to offer consumers expanded access to care, they also introduced new concerns about data privacy and security.

Veeva Crossix CEO Asaf Evenhaim says the industry faces a “significant and growing” risk related to patient-data privacy and urges marketers to understand that privacy has to be at the foundation of everything they do. Rather than striving to merely be HIPAA-compliant, marketers should ask more questions of their vendors and be skeptical of targeting schemes that seem too good to be true.

It’s no exaggeration to say that failure to conduct due data diligence on behalf of patients could prompt an industry-
wide disaster.

“It’s important for marketers to think about the Cambridge Analytica scandal and what that could look like in our industry if it were to happen in the next year or two,” Evenhaim explains. “They must have the correct answers.”

Meanwhile, the balance between privacy and personalization remains a headache for marketers who want to deliver unique customer experiences without overstepping their bounds. To that end, Pleio CEO Michael Oleksiw says that permission and personalization must go hand-in-hand.

Oleksiw also believes that additional changes to privacy controls over user data, whether driven by tech behemoths or legislators, are inevitable — and that marketers must react accordingly. American tech companies have instituted greater privacy restrictions due largely to the influence of the General Data Protection Regulation (GDPR). The EU’s signature data protection law was implemented in the wake of the Cambridge Analytica scandal.

Given that data-driven strategies are only going to be more heavily scrutinized and regulated in the years to come, forging relationships with consumers needs to be the first order of business for marketers.

“Healthcare is inherently human; that’s not going away,” Oleksiw says. “We view the human as the best possible precursor to a digital relationship, and that humans build stronger digital relationships.”

IQVIA digital media solutions VP and GM Frank Lin agrees, urging marketers to embrace relationship-building rather than technological shortcuts. He stresses that it takes an investment of time for marketers to understand their audiences and warns that data abuses can undermine meaningful efforts to engage consumers.

“Personally, I’m sick and tired of reading articles that talk about how you should have a first-party data strategy. No, you should have a first-party relationship strategy,” Lin explains. “When you start turning your audience into data, you realize why we got to where we are today.”

Even good actors sometimes find themselves on the wrong side of the data privacy line. Enhanced privacy and security policies are obviously welcome but they’re far from infallible. And then there’s the friction such upgraded policies can introduce into the patient journey.

It’s worth noting that when Apple or Google establishes an opt-in policy for consumers, they usually require the app or brand to ask consumers for permission to track their data. But Oleksiw believes these self-selection aspects of data privacy can create obstacles in the patient experience.

For instance, if a patient has recently been diagnosed with or is starting a new medication for a mental health condition, a prompt such as that can be stigmatizing. That’s why, for medical marketers, issues around data privacy are intertwined with patient outcomes.

“Balancing stigma and privacy is something that we do every day. But when we talk about exceptions, one of the most important components when it comes to privacy is that we need to maintain a frictionless experience for the patients,” Oleksiw says.

Lin notes the data privacy changes handed down from tech companies aren’t intended to punish marketers, but rather offer protection for consumers and avoid additional regulation by the federal government. Still, this puts tech companies in a rock/hard place situation: They have to simultaneously juggle their own business needs (and the needs of their partners) with consumer protections and brands’ desire to better understand their audiences.

When advising other organizations, Lin urges them to prioritize relationships based on preferences and consent. Using GDPR as a blueprint, Lin says the only relationship that will matter in a more regulated future is one that incorporates consumer consent into the data equation.

“We continue to work with brands to focus on the consent and that relationship-building, because that is the human nature of the value exchange, especially for the brands that might not have done that in the past,” he explains. “We ask them to go back to the basics instead of taking shortcuts.”

Oleksiw believes that marketers need to recognize they have to earn the right to avail themselves of customer data. In the post-GDPR era, he says they must be able to answer three questions and share those answers transparently. What data are you collecting? How are you going to use it? What are you doing to ensure that consumers are aware?

 “If we place it in that context, we’ll think of it as needing to develop a relationship first before we leverage the relationship,” Oleksiw says. “Knowing that all this change is coming, it’s important to work on that premise of a relationship first.”