In the first half of 2021 alone, nearly $15bn of funding flowed into the digital health space, fueling advancements in genetic testing, telehealth, diabetes care, mental care workflows, research, and more (Rockhealth). 

With all of this new competition, getting critical information about your new product in front of consumers is a daunting prospect. And even in quieter times marketing in the healthcare industry is no simple task.

Indeed, healthcare marketing in the age of COVID almost warrants hazard pay. Working in a highly polarized environment, marketers must address nearly unprecedented levels of distrust for the industry. And building trust is just the first step towards creating consumer engagement. 

Healthcare marketers cannot create new customers unless they get the right information to the right people and tell them a story to which they can relate. Marketers can begin to overcome trust barriers by showing consumers that they are invested in protecting consumers and their rights. Data privacy compliance is an excellent place to start.

After establishing trust, marketers must continue to show that they care about healthcare consumers and their issues. Using empathic storytelling instead of relying solely on the science, which, while informative, is rarely engaging, helps marketers build relationships with consumers.

Building trust and empathy will help healthcare providers deliver on their own business goals while also getting much-needed information to the public to advance the common good.

Trust challenges for healthcare marketers

Healthcare marketers face trust challenges on multiple fronts, all of which require creative thinking to overcome.

Distrust of the healthcare industry

While many front-line healthcare workers saw their visibility and prestige soar during the COVID crisis, the healthcare industry as a whole does not have the most glowing reputation among consumers. Indeed, the media has deluged consumers with bad press about the industry. Studies show that confidence from the general public in the medical industry dropped to just 38% in 2019. 

Politicians wage war over access to healthcare and inequities in healthcare. Organizations decry the high cost of healthcare and attack insurance companies for their role in raising prices. Journalists fill every available distribution channel with stories of price-gouging pharmaceutical executives like Martin Shkreli and companies built on vaporware like Theranos. So it is not surprising that consumers have developed a “healthy” cynicism for the industry, which marketers must find creative ways to overcome.

Distrust about sharing of personal information

Most people are skeptical that companies will keep their personal information private rather than sharing it with other companies or using it for purposes other than those intended. According to Consumer Reports, 66% of Americans lack confidence that personal information will remain private after disclosure.

Despite the high level of distrust, many consumers remain willing to exchange personal data for applications that provide useful features. Consider the variety of wearable devices and fitness trackers that continuously monitor and record a wide range of personal health information. Many of these devices exchange personal information with other applications, service providers, and information aggregators. In fact, up to 80% of surveyed patients were willing to share their data with such devices. 

Marketers have the power to create the right circumstances that make customers willing to share data to enhance and improve their services.

Building trust through data privacy compliance

Healthcare consumers are vigilant about data privacy issues. You don’t have to look any farther than the uproars over COVID-tracking applications and vaccine passports to see this sensitivity. And many consumers have learned just enough about data privacy laws to be dangerous. 

To win over healthcare consumers, marketers must establish a degree of trust. Showing consumers that you respect their privacy rights is a good first step. Determining how to protect those rights requires understanding which laws and regulations apply to the data that marketers intend to collect and use.

HIPAA and the HIPAA Privacy Rule

More than 20 years after its enactment, HIPAA (aka the Health Insurance Portability and Accountability Act) remains one of the most misunderstood data privacy laws in existence, both by consumers and those in the medical and healthcare industries. Healthcare marketers must understand HIPAA and how it applies to their efforts.

Many consumers seem to believe that everyone is subject to HIPAA’s privacy restrictions, but this is far from the case. HIPAA applies only to three defined categories of covered entities, their business associates, and the subcontractors of those business associates:

  • Healthcare providers, e.g., doctors, hospitals, assisted care facilities, pharmacies, etc., that electronically transmit health information
  • Health plans, e.g., health insurance providers, health maintenance organizations (HMOs), etc.
  • Healthcare clearinghouses that process and transmit data between providers and health plans

So, where do healthcare marketers fit in? They do not appear to qualify as business associates under the definitions in HIPAA. Enter the HIPAA Privacy Rule, which specifically addresses the use of personally identifiable health information for marketing purposes.

The HIPAA Privacy Rule has a convoluted definition of marketing that requires a few readings to parse. But in simple terms, the Privacy Rule prevents covered entities from selling protected health information to other companies or individuals (e.g., marketers) for their own purposes without express authorization from the protected individual. Covered entities also cannot use protected information for their own marketing purposes without authorization.

Healthcare marketers should also understand the HIPAA Security Rule, which requires covered entities to establish sufficient safeguards against corruption, misappropriation or misuse of protected health information. 

HIPAA contains an essential exclusion – it does not cover de-identified data, i.e., data stripped of certain specific information such as names, addresses, social security numbers and more. R&D scientists already do a substantial amount of work using de-identified data. To the extent that you can make use of de-identified data for things like personas, you should do so.

HITECH

In 2009, more than a decade after HIPAA, Congress supplemented HIPAA with the Health Information Technology for Economic and Clinical Health Act, or HITECH. HITECH’s purpose was to facilitate healthcare by streamlining the exchange of medical data between healthcare providers and insurers while also strengthening privacy protections and data security.

Regarding marketing, HITECH expanded upon HIPAA and addressed what some had seen as loopholes that diminished patients’ privacy rights. For marketers, HITECH’s message was “make sure you have permission to use health data in your marketing efforts.” Getting that permission shows consumers that you value their data privacy rights, which helps engender trust.

CCPA and CPRA

In recent years, California has substantially strengthened its consumer protection laws, including personal information privacy laws. The California Consumer Privacy Act (CCPA), which went into effect in 2020, follows in the steps of Europe’s General Data Protection Regulation (GDPR, see below) in establishing robust protections for private information.

Not long after the CCPA entered into force, California enacted the California Privacy Rights Act (CPRA), which amends the CCPA and further strengthens data privacy rights for California residents. Although the CPRA does not become effective until 2023, it contains a lookback provision to 2022, so healthcare marketers need to be familiar with its operation. Until the CPRA takes effect, healthcare marketers still need to be conversant with the CCPA.

Because the CCPA and CPRA are broad, general privacy laws, they apply to a wider range of organizations than HIPAA. Generally, the CCPA and CPRA apply to companies that do business in California and meet at least one of the following criteria (CCPA threshold first, CPRA threshold second):

  • Annual gross revenues: CCPA: at least $25 million; CPRA: at least $25 million in the preceding year
  • Volume of personal information: CCPA: buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices; CPRA: buys, sells or shares the personal information of 100,000 or more consumers or households
  • Revenue from personal information: CCPA: derives more than 50% of its revenue from selling consumer personal information; CPRA: derives more than 50% of its revenue from selling or sharing consumer personal information

Significantly, CPRA creates the category of sensitive personal information (SPI), which includes health information. As in the GDPR, SPI receives a greater degree of protection and requires explicit consent for sharing.

Both the CCPA and the CPRA require businesses to provide consumers with simple ways to opt out of the sharing of their personal information. The CPRA also has specific requirements regarding cross-context behavioral advertising that may significantly impact healthcare marketers.

As with HIPAA, the CCPA and the CPRA exclude de-identified data. 

GDPR

The European Union’s General Data Protection Regulation has become the model for many of the world’s data privacy regimes. While it nominally facilitates the exchange of information across borders for commercial purposes, it is more widely known for implementing some of the strictest privacy protections in the world, along with some of the highest penalties for failure to protect personal information adequately. Unfortunately, the healthcare industry has a generally poor reputation for GDPR compliance.

In addition to having broad privacy protections, the GDPR has broad and extraterritorial application. Any company that controls collection or processing of personal information of EU citizens, whether or not the company has a European presence, falls within the scope of the GDPR.

Well before the CCPA, the GDPR segregated health information into a special category of personal information worthy of higher protection. Under the GDPR, processing of health data requires prior explicit consent except in specific and restricted circumstances. 

The GDPR also recognizes that de-identified data is unlikely to implicate privacy concerns. It splits de-identification into pseudonymization and anonymization. Unlike pseudonymized data, anonymized data cannot be restored to a state where the individual is once again identifiable.

These are just a few of the many privacy laws and regulations worldwide, although they are some of the most applicable for healthcare marketers.

Building rapport with empathetic storytelling

If compliance is the procedural part of the consumer engagement equation, then storytelling is the substance. Compliance can go a long way to establishing a degree of trust between marketers and consumers, but it doesn’t create a relationship. A relationship requires that marketers show empathy for the consumer and their situation (without showing that they know too much about consumers’ conditions). Storytelling provides that opportunity to forge an empathic connection.

Good, relatable storytelling accomplishes several things. First, it creates a sense of community with the consumer, letting them know that others share their concerns. It also provides an opportunity to educate consumers by showing how others addressed the issues facing them. Finally, it shows that the healthcare company cares about helping the members of the community.

How you tell your story all depends on your understanding of your target audience. For example, as healthcare marketing shifts towards the needs of Gen Y, Gen Z and later, marketers will have to make storytelling work in the short formats many social media platforms require. And this will entail more than just pasting a 30-second television spot onto TikTok; younger consumers respond to and interact with media in very different ways than their parents did.

Very few consumers care about the frequently unpronounceable names for the active compounds in pharmaceuticals or about the details of how the underlying science works. What consumers care about is how that unpronounceable compound, which was approved after considerable efforts in those clinical trials, helped make someone’s life better. Someone like them. That is the story they want to hear.

Connect with your users for a healthier world

Healthcare marketers operate in a difficult environment filled with distrustful and cynical consumers. But with the right tools, marketers can effectively engage those consumers in a mutually beneficial relationship. 

Unfortunately, according to research by Forrester and projekt202, more than 60% of businesses don’t understand basic truths about their customers. And if you don’t have that, how can you build trust or empathy?

Our Experience, Strategy, and Insights approach to user research has set the industry standard for uncovering actionable information about your users, their motivations, and how to apply that to your product strategy. To learn more about it, contact us today.