LinkedIn, with its vast community of self-reported professional information, provides marketers a unique opportunity to target business professionals. However, recent lawsuits surrounding healthcare-related digital advertising have raised concerns about using social media platforms to engage audiences.
Like other digital advertising platforms—such as Facebook Ads, Bing Ads, and Google Ads—LinkedIn Ads can present compliance risks for healthcare-focused campaigns. The issue stems from how tracking technologies, like the LinkedIn Tag, may combine visitor identifiers with protected health information (PHI), potentially violating HIPAA regulations.
A recent bulletin from the Department of Health and Human Services (HHS) on tracking technologies underscores the seriousness of this issue, offering healthcare advertisers two high-stakes choices. They can immediately stop all advertising campaigns on LinkedIn, or risk huge financial fines.
Navigating these challenges requires healthcare marketers to prioritize compliance by assessing their tracking technologies, ad strategies, and data practices carefully.
To our knowledge, LinkedIn will not sign a Business Associate Agreement (BAA) with healthcare advertisers. As a result, healthcare companies must not pair protected health information (PHI) with LinkedIn conversion events. The standard for what passes as "PHI" is a low bar. PHI can include any content on a website that reveals a visitor’s intent related to a healthcare condition or service.
That means that PHI isn't just what users submit on web forms. It's located in URLs, page titles, content, and any visible data on the page. LinkedIn Ads enables visitor tracking through the "LinkedIn Tag," a snippet of JavaScript code that sends visitor behaviors back to LinkedIn. The tag gathers two key things to measure ad conversions: user identifiers and content identifiers. This information helps marketers measure ad performance – unfortunately, it also pairs user identifiers with PHI.
The LinkedIn Tag identifies users with the following data point:
The LinkedIn Tag also identifies the content driving a conversion with the following parameters:
Each LinkedIn Tag parameter helps marketers identify the who and where of ad conversions, enabling precise performance tracking. Keeping LinkedIn conversion data is crucial for measuring campaign performance. However, pairing sensitive information from the URL and page title with identifiable information is a potential HIPAA violation. To maintain HIPAA compliance when using LinkedIn Ads, it's vital to redact any protected health information (PHI) from parameters such as url or pageTitle.
Here is a diagram to explain:
To be compliant, healthcare companies need an intermediary to bridge the gap between their websites and platforms like LinkedIn. Recently, the Department of Health and Human Services advised marketers that they could safeguard PHI in a customer data platform (CDP). Salesforce Data Cloud is a leading CDP that will enter into a Business Associate Agreement (BAA) with covered entities, establishing a compliant way to manage healthcare data with user identifiers collected from the LinkedIn Tag.
To ensure HIPAA compliance with LinkedIn Ads, Penrod sets up a secure server-side container for processing data. This data can then be stored in a Customer Data Platform (CDP) like Salesforce Data Cloud for measurement.
The resulting platform architecture for addressing the HIPAA-compliant LinkedIn Ads use case looks like this:
This ensures that user identifiers are never combined with PHI, helping healthcare companies to launch successful LinkedIn marketing campaigns.
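One way the redaction of url and pageTitle described above could run inside a server-side container, shown as an added example that is not Penrod's, LinkedIn's or Salesforce's code. The event shape, the allowlisted paths, the /redacted placeholder and the clinic.example host are all assumptions made for illustration.

```javascript
// Added example: redact url and pageTitle before an event leaves the container.
// All names, paths and sample values here are constructed assumptions.

// Campaign parameters whose values the advertiser sets; every other parameter is dropped.
const SAFE_QUERY_PARAMS = new Set(["utm_source", "utm_medium", "utm_campaign"]);

// Allowlist of paths that reveal no condition or service, mapped to neutral labels.
// An allowlist is used because any unlisted path may reveal health-related intent.
const NEUTRAL_PATHS = new Map([
  ["/", "home"],
  ["/contact/thank-you", "form-submitted"],
]);

function redactUrl(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return null; // unparseable input is dropped, never forwarded as-is
  }
  if (!/^https?:$/.test(parsed.protocol)) return null;
  const out = new URL(parsed.origin); // origin only: no credentials, path, query or fragment
  const path = parsed.pathname.replace(/\/+$/, "") || "/";
  out.pathname = NEUTRAL_PATHS.has(path) ? path : "/redacted";
  for (const [key, value] of parsed.searchParams) {
    if (SAFE_QUERY_PARAMS.has(key.toLowerCase())) out.searchParams.append(key, value);
  }
  return out.toString();
}

function redactEvent(event) {
  const url = redactUrl(event.url);
  if (url === null) return null;
  // The original page title is never forwarded; a neutral label replaces it.
  const label = NEUTRAL_PATHS.get(new URL(url).pathname) || "page";
  // Build a new object so unexpected fields on the input are not passed through.
  return { url, pageTitle: label, timestamp: event.timestamp };
}

// Constructed sample event.
const sample = {
  url: "https://clinic.example/services/oncology/screening?utm_source=linkedin&email=a%40b.com#book",
  pageTitle: "Cancer Screening | Example Clinic",
  timestamp: 1700000000,
};
console.log(redactEvent(sample));
```

The full, unredacted event can still be written to the BAA-covered CDP for measurement; only the output of redactEvent should be forwarded to the ad platform.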