Which Privacy Safe Method is Right for You?

Do you spend a lot of time thinking about HIPAA and patient privacy? Whether the answer is “yes” or “no”, it’s something every pharma marketer wants taken care of to avoid that “front page Wall Street Journal” headline. As privacy laws continue to evolve, it will become an even more important focus for pharma brands and their partners. But with so many different approaches to, and levels of, patient privacy, what’s the best approach for you and your brand?

In this article we focus on the various approaches to patient privacy and HIPAA that companies may follow. Although every method described here is legal and HIPAA-compliant, some methods take extra steps to give you both patient privacy and optimal targeting.

HIPAA Safe Harbor Method

HIPAA safe harbor is the base standard of patient privacy. Anyone using this approach can be comfortable they are compliant with HIPAA’s de-identification requirement. It is the process of removing specified identifiers of the patient and of the patient’s relatives, household members and employers[1]. With safe harbor, 18 types of identifiers[2] are removed so that the protected health information can no longer be associated with the individual; one of them is geographic location. In terms of geography, safe harbor limits targeting of any kind to at most the first three digits of the ZIP code (e.g., 100 rather than 10004), and even those three digits must be replaced with 000 when the area they cover has 20,000 or fewer people. This is done to prevent any information from being associated with a specific address or location, which could result in re-identification of the patient.

For media audience targeting, this geographic requirement may limit the quality and granularity of certain audiences. Having to target a wider geographic area increases the likelihood of wasted impressions and budget. Although not the ideal way to target, safe harbor provides a legal avenue of de-identification. When working with a partner who follows the safe harbor method, you will be well protected in terms of HIPAA compliance, but you must also consider the waste you may incur by targeting at such a wide scale unnecessarily.

For media campaign measurement solutions, this type of approach would result in a geography-based analysis. This type of analysis is much less specific than matching at the individual level and may not fully capture the value delivered by a campaign.

HIPAA Expert Determination (Re-Identification Risk Assessment)

Another form of de-identification is an expert determination. It is the rigorous process by which statistical or scientific principles are applied to a data set and the process that produced it to determine that the risk of re-identification is very small[2]. In this process, assessments are performed and documented by third-party expert statisticians experienced in conducting HIPAA-related privacy analyses, who determine that the health information reviewed is not individually identifiable.
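To make the two approaches concrete, the following added example (written for this article, not Medicx Health code) applies the safe harbor ZIP-code and age rules to a handful of constructed patient records and then computes a simple re-identification risk statistic of the kind an expert determination might use: the size of the smallest group of records sharing the same quasi-identifiers (ZIP area, age, sex). The population table and the patient records are constructed sample data, not Census figures or real patients, and the equivalence-class risk measure is one illustrative statistic, not a description of any particular expert’s methodology.

```python
"""Safe harbor generalisation and a simple re-identification risk measure.

Added example for this article; not Medicx Health code. The ZIP-area
population table and the records below are constructed sample data.
"""
from collections import Counter

# HHS safe harbor guidance: keep only the first three ZIP digits, and
# replace them with "000" when the combined area has 20,000 or fewer people.
SAFE_HARBOR_POP_THRESHOLD = 20_000

# Constructed three-digit ZIP area populations (NOT real Census figures).
ZIP3_POPULATION = {
    "100": 1_500_000,   # large area, three digits may be kept
    "590": 40_000,      # above threshold, three digits may be kept
    "036": 18_000,      # below threshold, must become "000"
    "827": 9_500,       # below threshold, must become "000"
}


def safe_harbor_zip(zip_code: str, populations=ZIP3_POPULATION) -> str:
    """Generalise a ZIP or ZIP+4 code under the safe harbor geography rule."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 3:
        raise ValueError(f"not a usable ZIP code: {zip_code!r}")
    zip3 = digits[:3]
    # An area missing from the table is treated as small and suppressed,
    # which errs on the side of de-identification.
    population = populations.get(zip3, 0)
    return zip3 if population > SAFE_HARBOR_POP_THRESHOLD else "000"


def safe_harbor_age(age: int) -> str:
    """Safe harbor requires ages over 89 to be aggregated into one '90+' bucket."""
    return "90+" if age >= 90 else str(age)


# Constructed sample records (not real patient data).
RECORDS = [
    {"zip": "10004", "age": 34, "sex": "F"},
    {"zip": "10012", "age": 34, "sex": "F"},
    {"zip": "10018-1234", "age": 52, "sex": "M"},
    {"zip": "10021", "age": 52, "sex": "M"},
    {"zip": "03601", "age": 91, "sex": "F"},
    {"zip": "82701", "age": 93, "sex": "F"},
]


def apply_safe_harbor(records):
    """Return records with the geography and age identifiers generalised."""
    return [
        {"zip3": safe_harbor_zip(r["zip"]), "age": safe_harbor_age(r["age"]), "sex": r["sex"]}
        for r in records
    ]


def equivalence_class_sizes(records, keys):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def max_reidentification_risk(records, keys) -> float:
    """Worst-case risk: 1 / size of the smallest equivalence class.

    A class of size 1 means a record is unique on its quasi-identifiers and
    can be singled out; larger classes mean an attacker with the same
    quasi-identifiers can only narrow a target down to that group.
    """
    sizes = equivalence_class_sizes(records, keys)
    return 1.0 / min(sizes.values())


if __name__ == "__main__":
    raw_keys = ("zip", "age", "sex")
    print("raw data, worst-case risk:", max_reidentification_risk(RECORDS, raw_keys))
    generalised = apply_safe_harbor(RECORDS)
    print("after safe harbor:", generalised)
    print("safe harbor, worst-case risk:",
          max_reidentification_risk(generalised, ("zip3", "age", "sex")))
```

On the raw five-digit ZIPs every record is unique on the three quasi-identifiers, so the worst-case risk is 1.0; after generalisation each remaining combination is shared by at least two records. An expert determination works in the same direction but with real population data, a richer set of quasi-identifiers and a documented threshold for “very small”, which is what allows a finer geographic unit than a three-digit ZIP to be justified when the statistics support it.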

This methodology is globally recognized and follows accepted U.S. standards and guidance, including that of the Health and Medicine Division (HMD) of the National Academies of Sciences and the Health Information Trust Alliance (HITRUST).

For media targeting, the benefit of this method of de-identification is that it allows companies like Medicx Health to target audiences at hyperlocal geographic areas while keeping the risk of re-identification very small. This greatly reduces wasted effort in reaching your condition audiences.

For media campaign measurement, this approach allows you to truly understand the impact of the campaign by tying it to offline actions (e.g., MD visits, brand Rx filled) at the individual level. The end result is a strong analysis with clear and actionable insights.

This method goes above and beyond the base standard of safe harbor to provide you with granular targeting while still being HIPAA compliant.

Third Party External Organizations

Some may think third-party organizations (such as the NAI, the Network Advertising Initiative) provide a gold standard when it comes to patient privacy. The truth is, they are not regulators and their guidelines are not law. These organizations rely on self-regulation among their members to ensure they follow specific guidelines for media compliance. Following these guidelines does not make you any more or any less HIPAA compliant. Third-party organizations provide standards for data collection and for the use of that data in advertising, but they do not determine whether any data is HIPAA compliant.

Additionally, companies that are not members can still apply the same guidelines and follow those standards. At Medicx, we apply those same guidelines to our audiences so that they comply with any such external requirement, while also ensuring they are HIPAA compliant through our expert determination.

In Summary

While all methods listed above have the intent of patient privacy and compliance, certain methods go above and beyond to allow for targeting granularity while still keeping patients’ information safe.

At Medicx Health, we have over a decade of experience with expert determination. We specialize in using these risk assessments to provide you with audiences that are granular and HIPAA compliant, ensuring you deliver strong audience quality and ROI.

For more information about our audiences and targeting methods, contact your client partner or contact us here.

[1] https://compliancy-group.com/what-is-the-hipaa-safe-harbor-provision/
[2] https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#safeharborguidance