
HIPAA-compliant digital roadmapping

Summary: The 2022 HHS guidance regarding pixel trackers threw healthcare marketers for a loop and blew up digital roadmaps once again. By re-evaluating where you are now and identifying opportunities to build compliance into your roadmap, you can get back on track.

“I talk to my IT guy so much, I think he thinks we’re dating.” - Marketer wrestling with data challenges

Sound familiar?

Healthcare marketers have a tough job right now. You’re simultaneously being asked to:

  • Have a website that’s as performant and optimized as Amazon

  • But don’t let it track any data or you’ll get sued, oh and by the way…

  • We slashed your budget in half.

…Good luck!

This week, I had the opportunity to sit with marketers wrestling with the PHI problem and hear how their organizations were tackling it. Overwhelmingly, the response fell into two camps:

  • Turn it all off and fly blind

  • Leave it on until IT and Compliance say otherwise

Yikes, either way. But, there is a third option: make HIPAA compliance part of your digital roadmap.

HIPAA-compliant digital roadmapping

The push for consumer-centric digital experience has created demand for new platforms, redesigns, and updated digital strategy. These are experience updates marketers need to make regardless of HHS guidance. By aligning these updates with investments in HIPAA-compliant tech and partners, you can achieve both goals simultaneously.

  1. Revisit your digital roadmap and budget. Start where your stakeholders will have the most questions—funding, technology, and integrations. If there are items that can be re-prioritized or funding shifted around, see where those opportunities lie.

    Ideally, your digital roadmap should look something like this:

    • 70% business-as-usual projects (upgrades, optimizations, planned projects)

    • 20% needle-movers (ideas you’re testing that could lead to larger initiatives)

    • 10% game-changers (experimental and blue-sky thinking)

    HIPAA should live in the business-as-usual camp, and if that means you need to adjust the needle-movers and game-changers, so be it.

  2. Align HIPAA-compliant tech with already-planned upgrades. As the PHI guidance continues to expand and evolve, more platforms—including your CMS—will need to be HIPAA-compliant. Not all CMS platforms (or agencies) will sign a BAA, so you may be looking at a scenario where a planned redesign may also be a replatforming effort. If you’re due for either of these things, now is an excellent time to switch to a compliant platform like

    A caveat: some platforms will claim they're HIPAA compliant, but in fact, they aren't. Seek out tech companies and partners that will sign a BAA. Otherwise, you’re still going through a third party that may or may not be fully compliant.

  3. Identify future concerns along the way. Chances are, you won’t be able to tackle everything at once, but you can plan ahead. Look at every part of your tech stack and evaluate how much risk each piece carries. Analytics platforms are the obvious first concern, but everything else will likely be called into question as well, so have those conversations early with your IT department and develop a plan to confirm each piece’s compliance.

Cross-department collaboration

Digital roadmapping falls under the umbrella of change management, and the hardest part of change management is behavior change. Healthcare is siloed for myriad reasons, and the path to breaking down silos is open communication and transparency. Marketing, IT, and Compliance/Legal all need to be working arm-in-arm to maintain data security while collecting information that helps drive the organization forward.

The examples I heard of tight coordination between departments required a very specific collection of abilities among the core team tasked with data management, as well as a commitment to updates and transparency. When I asked one marketer if there was a template she could share that others could follow, she smiled and shook her head no, because it’s not about a spreadsheet or a Teams channel—there is no template for trust and communication.

Each stakeholder has a want and a need (two different things), and being open about those goals at the outset helps everyone at the table rise to meet them for each other.

The future of HIPAA compliance in tech

Hospitals “need tech to fix tech,” Lokker CEO Ian Cohen said in an interview, and he’s right. Internal teams in healthcare that are feeling the pressure only have so many options, and the rest of the industry needs to rise to meet them where they are. Many marketers aren’t aware of what is available to them—there’s a lot of noise in the marketplace related to the problem, but not the available solutions.

Reason One will sign a BAA, we build on HIPAA-compliant platforms like, and we help our clients select HIPAA-compliant analytics platforms to replace or work in concert with GA4. We consistently scan the marketplace for emerging tech that can help our clients achieve outcomes while maintaining data security.