Sponsored

Why payers are rethinking privacy risk in healthcare marketing: 4 takeaways

Health plan executives and marketing leaders are facing intensifying pressure to grow member volumes, improve outreach and engage consumers digitally — all while navigating an evolving legal minefield of data privacy risks. At the heart of the challenge lies the use of tracking technologies, such as cookies and pixels, that fuel performance advertising. For payers and providers alike, what was once standard digital marketing practice now presents significant compliance and litigation risks.

During a recent webinar hosted by Becker’s Healthcare, Ray Mina, chief marketing officer at Freshpaint, and Elliot Golding, partner at McDermott Will & Emery, unpacked the growing legal scrutiny of third-party web trackers and offered a roadmap for healthcare organizations to protect themselves without sacrificing performance.

Here are four key takeaways:

Note: Quotes have been edited for length and clarity.

  1. HIPAA isn’t the only law that matters

    The conversation about data privacy in healthcare often starts with HIPAA, but it shouldn’t end there.

    “We’re up to 20-ish state privacy laws,” Mr. Golding said, noting that some — like California’s — regulate data even if it’s not classified as protected health information. He emphasized that many state laws define personal data broadly and require consent, or even opt-in, before tracking can occur.

    Even when HIPAA doesn’t apply, other rules — including the Federal Trade Commission’s unfair practices authority — still expose healthcare marketers to risk.
  2. Litigation is outpacing enforcement

    Regulators may move slowly, but plaintiffs’ attorneys are moving fast.

    “There were 1,000 complaints filed in court in California alone last year,” Mr. Golding said. He also argued that many of these lawsuits use outdated laws — such as wiretap statutes — to target healthcare companies for unauthorized data disclosures through tracking tools.

    The legal costs are far from trivial. Some plaintiffs’ firms now refuse to settle for less than $1 million, according to Mr. Golding.
  3. Meta and Google won’t save you

    When current digital privacy concerns emerged, some healthcare organizations hoped that major ad platforms might sign business associate agreements. That hasn’t happened.

    “They’ve gone the other direction,” Mr. Mina said. “They’re putting all of the ownership on the healthcare organization.”

    This shift leaves health plans in a precarious position. Using ad tools without appropriate safeguards may now expose them to violations of both HIPAA and state privacy laws.
  4. The way forward requires change

    Despite the risks, both speakers emphasized that healthcare organizations don’t have to abandon digital marketing altogether. The key is to reduce exposure by limiting data shared with third-party tools and to invest in first-party infrastructure.

    Doing so requires collaboration across legal, IT and marketing teams.

    As Mr. Mina noted, “You’re going to need some cross-functional collaboration to dig in and understand [your risk exposure].”

    For health plans, privacy isn’t just a legal concern — it’s a strategic one. Organizations that modernize their tracking practices today can avoid costly litigation tomorrow while unlocking new performance opportunities in a privacy-conscious world.