Achieve HIPAA-Compliant Data Insights with Tealium Private Cloud and CDP
by Alex Molineux - October 4, 2021
There is a wealth of tools and knowledge available in the digital space for organizations to utilize when looking to optimize the digital experience for their users. We know users expect personalized experiences, and the savviest operators in the digital world target every touchpoint with a user as an opportunity to continue building a relationship and trust. However, for many working in industries that have stricter regulations around user data – for example, those working in the healthcare industry and beholden to the Health Insurance Portability and Accountability Act (HIPAA) – this world of interacting with user data to improve users’ experiences has often been only theoretical.
If we think of a tool as ubiquitous as Google Analytics, those working in the healthcare industry cannot use a traditional Google Analytics setup to help them understand user behavior. Google will not sign a Business Associate Agreement (BAA) for Google Analytics, meaning Google Analytics cannot be used to process or store personal health information (PHI). Given that PHI includes web URLs and IP addresses (among other data points), this means Google Analytics will not, by default, be HIPAA-compliant.
However, by combining a customer data platform (CDP), such as Tealium AudienceStream, with the HIPAA-compliant Tealium Private Cloud, those working in heavily regulated industries now have a path to utilizing user data to improve the users’ digital experience while remaining compliant with data regulations.
The Power of Customer Data Platforms
In many organizations, data about your users is spread out across multiple, disparate sources. Customer data platforms solve this problem by allowing organizations to stitch together profiles of their users using data from multiple sources. These user profiles are used to build audiences that are shared via the CDP with advertising platforms, testing and personalization tools, and analytics systems, enabling you to deliver personalized experiences to your users. We see CDPs as an essential tool to help organizations improve the digital experience of their users and we only see them becoming more important as third-party cookies are phased out and organizations rely more on first-party data to understand their users and drive marketing efforts.
As you can imagine, given the data it handles, a CDP has often been seen as off-limits for organizations in spaces such as healthcare. This is where Tealium’s Private Cloud comes in.
The Benefits of Tealium’s Private Cloud
Tealium’s Private Cloud is a single-tenant, secure environment to store and process customer data. Data privacy has long been a focus for Tealium, and the Private Cloud follows the principles of Privacy by Design and Default. This focus has allowed Private Cloud to secure a range of third-party security and privacy certifications: HIPAA and HITECH, ISO 27001 and 27018, Privacy Shield, and SSAE18 SOC 2 Type I and II.
Tealium Private Cloud hosts the full suite of Tealium’s Customer Data Hub, meaning the Tealium CDP, AudienceStream, can sit securely within the Private Cloud alongside tools such as Tealium EventStream, a collection and delivery API hub. By hosting your CDP via Tealium’s Private Cloud, you can securely store first-party data, using the CDP to enrich this data from a variety of different customer data sources you load into the CDP. Ultimately, with the collection of user data stored in the CDP and the identity resolution it’s able to perform, the CDP will become the hub for all audience segmentation efforts across your organization. This allows you to effectively store, enrich, and activate user data all while knowing the privacy of individuals’ data is being honored.
The security certifications Private Cloud has received mean that even HIPAA-compliant organizations can confidently utilize Tealium’s Customer Data Hub and AudienceStream. This provides all organizations with a path toward an improved understanding of their users and customers via improved analytics, as well as the ability to act on user data to personalize marketing efforts and onsite experiences for users.
While the secure environment and architecture of Tealium Private Cloud are the primary benefits that we want to highlight, it’s also worth noting there are a host of additional features Private Cloud provides that allow for additional security and regulation compliance, including:
- Role-Based Access Controls
- Tag Marketplace Controls
- Data Layer Controls
- Password Policy and Multi-Factor Authentication
- Deployment Environment Controls
- Encryption and Hashing
- Visitor Data Controls
- Restricted Data
- Capture IP Address
- Geographical Data Storage
- Event Connector Marketplace Controls
- Data Obfuscation and De-Identification
Utilizing Tealium Private Cloud and a CDP to Act on User Data
So far we have discussed CDPs and introduced the benefits Tealium’s Private Cloud provides. We’ll now turn our attention to actually using these products to better understand your users and improve their experiences when interacting with your organization.
Earlier, I used Google Analytics as an example of a tool that isn’t, by default, HIPAA-compliant given the data it automatically collects. If we consider a data architecture that includes Private Cloud and the Tealium Customer Data Hub, then there’s a path to a HIPAA-compliant setup for Google Analytics (and for other tools that are non-compliant by default). Given the Customer Data Hub is hosted within Tealium Private Cloud, Tealium tools such as AudienceStream and EventStream are able to safely and compliantly store personally identifiable information (PII) and personal healthcare information (PHI). This means all user data and user interactions from your site can be tracked using Tealium’s tag manager, Tealium IQ.
Tealium IQ will collect the user data and user interaction data into the Customer Data Hub. From here, the captured data can be cleaned so that only compliant data (i.e., non-PII, non-PHI, IP addresses stripped) can be pushed to analytics tools such as Google Analytics via Tealium EventStream. This approach to capturing data in Google Analytics means Google Analytics can remain compliant with rules such as HIPAA, as only compliant data is ever received by the Google servers, with non-compliant data securely stored within Private Cloud.
By itself, this setup will allow many organizations greater insight into both who their customers are and how their sites are being used, as they’ll be able to utilize common analytics tools such as Google Analytics. So far though, this approach hasn’t allowed an organization to make use of the powerful PII or PHI data stored within Tealium, as this data has been stripped before being sent to Google Analytics. This individual data can’t be sent to many third-party tools, as often their privacy policies restrict usage of PII or the tools aren’t HIPAA compliant. Instead, we can now create audiences or segments of this data within a CDP such as Tealium AudienceStream.
You can utilize PII or PHI data points to create aggregated and anonymized audiences of users and then share these audiences or segments with other tools via the audience activation functionality CDPs provide. Only the audience segment is shared with tools outside of the CDP hosted in Private Cloud. No non-compliant personal data of any sort leaves the Private Cloud environment, but we’re able to act on those specific user data points by sending an audience based on those data points to separate tools. These segments can be shared with analytics tools such as Google Analytics to allow more advanced segmentation and analysis, with marketing tools to enable personalized marketing, and also with testing and personalization tools to allow for customized and personalized on-site experiences for users.
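The filtering step described in the paragraphs above (only cleaned fields and audience segment labels leave the private environment), as an added Python example that is not Tealium's code or API. The field names, page types, segment labels and sample event are all constructed for illustration, and the allowlists stand in for whatever your compliance review approves.

```python
from urllib.parse import urlsplit

# Hypothetical allowlists: only these keys, page types and segment labels
# may be forwarded to a third-party analytics tool. Anything else is dropped.
OUTBOUND_FIELDS = ("event_name", "page_type", "device_category", "audience_segments")
PAGE_TYPES = {"/": "home", "/plans": "plan_listing", "/plans/search": "plan_search"}
APPROVED_SEGMENTS = {"plan_expiring_90d", "plan_tier_b"}


def page_type(url):
    """Map a full URL to a coarse page type so the raw URL never leaves."""
    if not url:
        return "other"
    path = urlsplit(url).path.rstrip("/") or "/"   # query and fragment discarded
    return PAGE_TYPES.get(path, "other")           # unknown paths are not forwarded


def to_outbound(event):
    """Build the outbound payload from an internally stored event."""
    derived = dict(event)
    derived["page_type"] = page_type(event.get("page_url"))
    derived["audience_segments"] = sorted(
        s for s in event.get("audience_segments", []) if s in APPROVED_SEGMENTS
    )
    # Default-deny: copy only allowlisted keys, so a newly collected field
    # (IP address, email, plan details) is never forwarded by accident.
    return {k: derived[k] for k in OUTBOUND_FIELDS if derived.get(k) is not None}


# Constructed sample event as it might be held inside the private environment.
SAMPLE_EVENT = {
    "event_name": "plan_search",
    "page_url": "https://example.org/plans/search?member_id=12345&dob=1980-01-01",
    "ip_address": "203.0.113.7",
    "email": "pat@example.org",
    "current_plan": "Tier B",
    "plan_expiry": "2022-01-31",
    "device_category": "mobile",
    "audience_segments": ["plan_expiring_90d", "internal_review_only"],
}

if __name__ == "__main__":
    print(to_outbound(SAMPLE_EVENT))
```

The default-deny shape matters more than the specific lists: a field is forwarded only when someone has explicitly approved it.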
As you can see, the Tealium Private Cloud plus CDP setup allows you to share compliant data with previously non-compliant tools such as Google Analytics. The setup also opens up the ability to leverage audience segments based on individual data that by itself cannot be shared with many third-party tools. Using these audience segments, you can gain greater insight into your users leading to an enhanced digital experience for them via customized and personalized marketing and on-site experiences you develop, all while respecting your users’ privacy and ensuring compliance with privacy regulations.
Healthcare Industry Use Cases
We’ve covered what Tealium Private Cloud is and how it, alongside other digital tools, can allow organizations working in heavily regulated industries to utilize user data to help improve the digital experience for their users and customers. We’ll now focus on some specific use cases to show this setup in action with a focus on how a healthcare provider could utilize the setup.
Onsite Personalization + Customized Outbound Marketing
With the Private Cloud safely storing data relating to individual users and customers, you can begin to explore this data in your CDP and develop relevant audience segments. For example, if we consider an organization that provides healthcare plans to individuals, this organization could build audiences of users based on what plan they’re currently signed up for and when those plans expire. These audience segments can then be shared via CDP integrations (Tealium AudienceStream has hundreds of built-in “connectors”) with the testing and personalization tool used by your organization, such as OptimizelyX or Adobe Target.
When it’s getting closer to the expiration date of an audience’s current plan, you can use your personalization tool to customize the experience for this subset of users by highlighting different plans on the site that, based on the information you know about this audience, you think would fit their needs. There are many ways to promote a product or plan within a site’s user experience (UX), including promoting the plan on common landing pages in prime marketing spots or showing these plans at the top of a plan search results page. By actively trying to help the user make what can be a difficult decision, you should improve their experience on the site, showing that your organization is trying to support the user individually rather than taking a one-size-fits-all approach.
On many websites, both prime real estate on popular landing pages as well as pages throughout the site are taken up by copy and material that’s designed to attract a new user’s attention. However, by utilizing Tealium Private Cloud, a CDP, and a testing and personalization tool, we’re now able to instead target users better with recommendations for relevant plans, enabling the organization to align better with where users are in their specific journey.
This example of personalizing the website for users based on the healthcare plan they currently have and what plans could be recommended in the future also follows through to outbound marketing efforts. When considering the user’s digital experience, we want to provide a consistent and personalized experience across their journey and not just on-site. A customer data platform is a key technology to enable teams to implement that seamless approach by activating on the same audience segment across channels. In this example, you can share the audience segments of users with specific plans and plan expiration dates with the marketing tools and networks you use, again via the built-in CDP integrations. With these segments, you can then make simple but impactful updates to your marketing efforts, for example ensuring that these users who have already purchased a plan with you do not see marketing efforts targeting new users. You can also start to develop more specific, personalized campaigns that highlight plans you’d recommend to the user as the expiration date of their current plan draws closer. This type of effort ensures you’re personalizing touchpoints with your users outside of your actual site, meaning every interaction between your organization and the user is customized and targeted to help the user with tasks we know they will be focusing on.
While the demise of third-party cookies has been delayed slightly with Google’s announcement that Chrome’s ban on third-party cookies has been pushed back to the end of 2023, all organizations should be planning for a future, post-third-party cookie world.
Marketing attribution and profile building are among the main areas that will struggle as third-party cookies are removed. Currently, cookies are used to identify users across sites, allowing advertisers to learn what users are interested in and to track their visits to individual sites and what marketing materials brought the user there.
For organizations seeking HIPAA compliance, Tealium Private Cloud provides an opportunity to maintain attribution accuracy and therefore allows you to continue to optimize your marketing efforts for efficiency and cost-effectiveness. As cookies are removed, the best approach to tracking how marketing materials and ad networks are assisting in conversions on your site is to track these conversions server-side. For an organization using Private Cloud, all user interactions on your site can be securely tracked using Tealium IQ. The data from Tealium IQ is stored in Tealium’s Customer Data Hub and, from there, individual conversions and user IDs can then be passed via EventStream’s server-side events API to the ad networks you use, such as Google and Facebook via Google’s Enhanced Conversion tracking and Facebook’s Conversion API.
This approach bypasses the need for third-party cookies and client-side pixels. By running this data through Private Cloud, you’re able to completely control the data that’s shared with third-party ad networks, meaning you can ensure no non-HIPAA compliant data is shared. Tealium also offers the ability to set a server-side CNAME, which can extend the length an individual user is recognized, allowing for more effective attribution modeling.
Enhanced Analysis and Reporting
By sharing audiences created in your CDP with your analytics tools, you can dramatically increase the scope of the analysis and reporting you can do. The majority of analytics tools cannot store PHI data, meaning there’s no way that an analytics tool will know by default what healthcare plan a user has. By creating the audience segments in your CDP that we referenced earlier that bucket users into different audiences based on the plans they’ve signed up for and when those plans expire, we’re able to share audiences with an analytics tool that are based on this PHI data while never actually sharing PHI with the analytics tool, or putting user data privacy at risk.
Using these new audiences to create segments in your analytics tool, you can begin to explore how user behavior on your site changes the closer a user gets to their current plan expiring, or how user behavior differs depending on the plan a user has signed up for. You’ll also be able to see which marketing efforts were most effective at bringing users with different plan types to your site. By mining these segments for insights inside your analytics tool, you should be able to gain a greater understanding of your different user groups and how they interact with your site.
These insights can then be put into action by personalizing the site and marketing campaigns these users are exposed to in much the same way as we referenced above when looking at on-site personalization efforts. Ultimately these insights and the site and marketing updates they drive should lead to an optimized digital experience for your users, building a better relationship between them and your organization.
Improve Your Users’ Digital Experience with Tealium Private Cloud and AudienceStream
If you work in an industry with strict user data laws such as HIPAA and you want to proactively improve your user and customers’ digital experience, then utilizing Tealium’s Private Cloud combined with a customer data platform allows you to do this while ensuring data privacy compliance with strict regulations.
The digital world is changing all the time, and users expect great digital experiences. If you want to make use of your user data to improve your users’ experience when interacting with your organization while keeping their data secure, then Tealium Private Cloud could be an excellent solution for you.