HIPAA is healthcare law that wants to ensure that health specific data, topics, etc [ conditions ] are not transferred to any 3rd party and are not available for remarketing purposes.
Solution Overview
Here is how we propose an alternative to GTM based solutions (FreshPaint, Stape, etc.) - we do not agree that just being BAA for HIPAA enables HIPAA data transfers and requires judicious transforms and audits
Workflow [ and Compliance ]
1. Mandatory: Install Edge Cloud in your VPC
Install their own Cloudflare Edge [ Blotout provides full support for the same ] so Edge Cloud is HIPAA BAA
2. Automated: Switch ON Audit logs
Install their own Audit log system [ Keep system as buckets until legal team requires audit data ]
3. Preferred: Create your 1P data lake
Install their own Segmentation [ no PHI transmitted ] and Analytics data lake via AWS [ manage PII and PHI specific consent ]
4. Mandatory: No 3P code on your site
Turn OFF browser side pixel collection for any marketing channel so that injected code cannot make you non compliant at any point of time
5. Mandatory: Blotout will obfuscate all PHI using AI
And obfuscate any PHI data using AI to automate use of C-API for 3P services and clear text for 1P services (HIPAA containers only)
6. Mandatory: Generic Content + PII as default
If you create generic digital content links, there is no need to delete identifiers like email# or IP Address.
7. Mandatory: Respect Consent, GPC, & Out Opt [ Privacy by default ]
Ensure that consent provider is set against the tagless system – Blotout supports most/all consent providers out of the box.
Novel Approach
Unlike the traditional thought process around removing PII and sending PHI data as is to 3rd party containers like Meta (and others), we are suggesting obfuscating all PHI data and genericising them to prevent any health specific data from transmitting. With the advantages provided to us with LLAMA API, creating a DAG that is specific and runs within our own infra to detect PHI without PII or site context really helps obfuscate data on the fly (within 1s SLA).
100% of infrastructure is VPC (customer premise) enabling them alone to see PHI and privileged data in their containers [ Cloudflare and AWS ]. Blotout has no access to any privileged or PHI data at any point of time.
1st party Analytics containers continue to collect data and enable BI within customer premises. And Segmentation where rules can be applied and non PHI segments can be synced for remarketing purposes.
How does one install
There are three parts to the workflow to get going;
Deploy HIPAA BAA Pixel infrastructure for API transforms
Blotout will help organizations install their own systems where they are the root entity and those systems support HIPAA BAA
Mandatory: https://www.cloudflare.com/learning/privacy/what-is-hipaa-compliance/
Blotout will ensure the advertiser can install and run the Cloud infrastructure and sign up as a DPA for the same. Cloudflare will also act a data store for audit purposes that legal teams may want to rely on for litigation
Real time Audit: Engineers or compliance teams can record real time logs to ensure that no PHI is ever transmitted to any advertising system [ as a Pixel ].
Deploy HIPAA BAA Analytics infrastructure for 1P Analytics
Blotout can also deploy to customers’ AWS HIPAA BAA account software so all PHI and privileged data can be in their control for analytics purposes. Blotout can also help customer connect data tables to their BI systems [ at no cost ]
Optional: https://aws.amazon.com/compliance/hipaa-compliance/
Settings: HIPAA Tag Mode
Blotout will provide a HIPAA flag for every site that needs to be HIPAA transformed and auditable
- Sign up for account
- Create site tag
- Tag as HIPAA
- Fill require credentials to get channels going
- Standard events (PageView, Purchase, Lead) will be fully transformed
- Custom events have rules that need to be followed to ensure PHI does not leak
How do I get started?
Schedule time via Calendar so we can go over the process and setup.
FAQs
Does Meta have requirements for HIPAA based advertisers?
Yes - please request PDF from Blotout team for Meta specific requirements for not sending PHI via C-API
Do other Marketing channels work the same way?
Mostly, those assumptions are correct. We will provide a precanned list from this set -> https://app.edgetag.io/docs
When will the product go to GA?
We should be in General Availability mode by end of October, 2024