Podcast: When State Laws Supersede HIPAA: Privacy and the Marketing Funnel

September 17, 2025 | Jeremy Mittler

In this DHCG Disruptive Dose episode, Mark Bard of The DHC Group and I discuss why 22 state privacy laws now create greater compliance challenges than HIPAA for healthcare marketers—and how to navigate this new landscape with privacy-safe strategies.

Watch the Full Episode

Watch the complete conversation on The DHC Group's website (DHCG Disruptive Dose, October 2025).

The Shift: From HIPAA-Centric to State Law Complexity

For decades, healthcare marketers operated under a straightforward framework: if you weren't handling Protected Health Information (PHI) under HIPAA, you were generally in the clear. That simplicity is gone.

Today, 22 states have comprehensive privacy laws that regulate healthcare marketing in ways HIPAA never contemplated. These laws don't replace HIPAA—they layer on top of it, creating a complex compliance environment that most marketing teams aren't prepared to navigate.

The fundamental difference? HIPAA focuses on confirmed health information held by covered entities. State privacy laws regulate inferences, predictions, and assumptions about health—even when made by organizations that fall completely outside HIPAA's scope.

Why State Laws Matter More Than HIPAA for Digital Marketing

During our conversation, I explained why state privacy laws have become the primary compliance concern for healthcare marketers—more so than HIPAA in many cases:

Broader Scope

State laws regulate any organization that collects or uses consumer data—not just HIPAA covered entities. If you're running digital ads, using analytics platforms, or activating audience segments, state privacy laws likely apply to you.

Inference Regulation

States like California, Colorado, and Connecticut explicitly regulate health inferences: predictions or assumptions about someone's health status. This means modeled audiences, predictive targeting, and behavioral health segments all carry significant legal risk.

Consumer Rights

State laws grant consumers enforceable rights that HIPAA doesn't provide: the right to opt out of data sales, the right to delete information, and the right to know what data is being collected. Healthcare marketers must honor these rights—even for non-PHI.

Active Enforcement

State attorneys general are aggressively enforcing privacy laws in healthcare contexts. We've seen significant actions against health publishers, data brokers, and digital health companies—with more enforcement coming.

Three Privacy-Safe Approaches That Actually Work

Rather than just identifying problems, we outlined three compliant approaches that healthcare marketers can use to reach target audiences without creating legal exposure:

1. Opted-In Consented Data

The safest foundation is data collected directly from consumers with clear consent. This includes email lists, CRM data, and first-party website interactions where users understand and agree to the data collection. When consumers explicitly opt in, you have a solid legal basis for using their information.

2. Contextual Advertising

Instead of targeting individuals based on inferred health conditions, target content contexts where your audience naturally appears. Place ads on health information sites, in relevant search results, and alongside content about specific conditions. This approach doesn't require making health inferences about individuals.

3. Aggregate Insights

Use group-level behavioral patterns rather than individual-level predictions. Instead of asking "Who has diabetes?" ask "Where do people interested in diabetes management engage online?" This shift from individual targeting to group insights maintains effectiveness while eliminating inference-based risk.

Shared Compliance Responsibility Across Stakeholders

One critical point we discussed is that compliance isn't just the vendor's problem or just the marketer's problem—it's a shared responsibility across all stakeholders in the advertising ecosystem:

  • Healthcare marketers must understand what data sources they're using and verify vendor compliance claims
  • Audience vendors must build compliant data products and provide transparency into methodology
  • Media platforms must enforce policies around health data usage and support compliant targeting approaches
  • Agencies must educate clients about privacy risks and recommend safe strategies
  • Technology providers must design systems that enable privacy by default, not just privacy by configuration

The days of "the vendor said it's compliant, so we're covered" are over. Every participant in the value chain needs to understand their compliance obligations and actively verify that they're meeting them.

Beyond Checklists: The Privacy-First Mindset

During the conversation, I emphasized that true privacy compliance isn't about checking boxes—it's about adopting a privacy-first mindset that informs every marketing decision. This means:

Ask "Should We?" Not Just "Can We?"

Just because something is technically legal doesn't mean it's the right approach. Consider consumer expectations and potential reputational impact before activating any health-related targeting strategy.

Design for Transparency

Build marketing programs that you can clearly explain to consumers and regulators. If your audience targeting methodology requires a complex legal defense, it's probably not the right approach.

Embrace Privacy as Strategy, Not Constraint

The most successful healthcare marketers I work with view privacy not as a limitation but as a strategic framework that drives better decisions. When you build privacy into your strategy from the start, you create more sustainable, trustworthy marketing programs.

Privacy as Competitive Advantage: The Apple Example

We discussed how leading brands like Apple have transformed privacy from a compliance requirement into a competitive advantage. Apple doesn't just comply with privacy laws; it builds privacy into the core consumer experience and uses it as a differentiating feature.

Healthcare marketers can adopt the same approach. Instead of viewing privacy requirements as obstacles to performance, use them as opportunities to build trust and differentiate your brand. Consumers—especially healthcare consumers—increasingly value transparency and respect for their personal information.

The organizations that get ahead of privacy regulations, rather than reacting to them after enforcement actions, will build stronger consumer relationships and more sustainable marketing programs. That's the real competitive advantage.

Transparency and Empathy: The Foundation of Compliant Marketing

We concluded the discussion by emphasizing two fundamental principles that should guide all healthcare marketing in the privacy era:

Transparency

Be clear with consumers about what data you collect, how you use it, and who you share it with. Transparency isn't just a legal requirement—it's the foundation of trust. If you can't explain your data practices in plain language, you need to rethink them.

Empathy

Put yourself in the consumer's position. Would you be comfortable with this data collection if it were about you or your family? Would you expect this use of your information based on the context where it was collected? Empathy is the ultimate compliance test—and it's becoming a legal standard in consumer expectation requirements.

Key Takeaways from the Conversation

  • State laws matter more than HIPAA — for most digital marketing activities, state privacy laws create greater compliance risk than HIPAA
  • 22 states, 22 different rules — the patchwork of state regulations requires sophisticated compliance infrastructure
  • Inferences are regulated — health predictions carry the same legal risk as confirmed health data in many states
  • Three safe approaches — opted-in consented data, contextual advertising, and aggregate insights provide privacy-safe paths to reach audiences
  • Shared responsibility — all stakeholders in the advertising ecosystem must actively verify compliance, not just rely on vendor claims
  • Privacy-first mindset — move beyond checklists to embrace privacy as a strategic framework for marketing decisions
  • Transparency and empathy — these principles are becoming legal requirements, not just ethical guidelines

Ready to Navigate the New Privacy Landscape?

The shift from HIPAA-centric to state-law-driven compliance is creating challenges for healthcare marketing teams across the country. At Blueprint Audiences, we help organizations navigate this complexity with privacy-safe audience solutions built for today's regulatory environment.

Connect with me on LinkedIn to discuss how your marketing strategy can adapt to state privacy laws—or visit Blueprint Audiences to learn more about our compliant audience targeting solutions.

About the Author: Jeremy Mittler is Co-founder and CEO of Blueprint Audiences, where he's building the future of privacy-safe healthcare audience targeting. With nearly two decades in healthcare marketing and advertising, Jeremy helps healthcare organizations navigate the complex intersection of effective marketing and privacy compliance.