Last week I saw a quote that resonated with me:
“All behavior makes sense with enough information.”
It’s a simple way of illustrating the B2me approach we use at White Rhino. Behind every choice or belief is a person with a history of personal and emotional experiences. And the actions we take - no matter how they come across to other people - are a result of those experiences.
So, if you want to understand why someone behaves in a certain way, it helps to know how they think and see the world.
In the case of navigating digital privacy, it’s important for healthcare marketers to understand how their compliance team thinks.
And almost without fail, compliance teams are thinking about three things:
Risk, impact and likelihood.
For a compliance person, Impact is the negative effect when something goes wrong (e.g. a cyber attack puts patient data in the hands of a bad actor or failure to comply with HIPAA results in a lawsuit). Your compliance team wants to know the nature of the impact and how significant it is.
Likelihood is the chance that something will happen (e.g. are your security measures strong enough to prevent a cyber attack? How likely is it that a bad actor would target you over another opportunity? Is there precedent for lawsuits related to the issue at hand?).
Risk (which is what compliance teams think about the most) sits right where the two intersect. It is the combined score. If something has low impact but high likelihood, it may have a risk score similar to that of something with low likelihood but high impact.
Interestingly, healthcare marketers also think about impact and likelihood but with different definitions. And the intersection we care about isn’t typically risk, it’s opportunity. For a marketer, impact is what happens when something goes right and likelihood is the chance that it does. Opportunity (which is what marketing teams think about the most) sits right where the two intersect.
The challenge we face when communicating with our compliance partners is to remember that they’re viewing the same ideas as we are from a drastically different perspective. And if we’re going to build better relationships and make progress more quickly, we need to frame our work around their interpretations of impact and likelihood.
For example, consider these two scenarios:
- You ask your compliance team for their perspective on sharing PHI with third parties. Their response: HHS is very clear that PHI should not be shared with third parties and there is a precedent for costly lawsuits. This is high likelihood and high impact and, therefore, should be considered high risk.
- You make the same ask, but you explain to your compliance team that you are looking to share IP addresses with a trusted third-party tracking tool (e.g. FreshPaint or Zaraz) that will sign a BAA and mask the IP before sharing it with other third parties such as Google.
In the second scenario, with improved framing, the perceived impact and likelihood are both much lower:
- IP addresses are not as highly sensitive as other forms of PHI such as patient name, email, and date of birth. And, depending on your compliance team’s stance on recent lawsuits and court rulings, they may be OK sharing an IP address with a vendor like Zaraz as long as it's masked from other third parties.
- The BAA is an additional precaution. It ensures the third party has agreed to certain security measures to protect information (decreasing likelihood) and your MSA, if set up correctly, should minimize the impact to your business if something does happen.
Keep in mind, however, that paperwork doesn’t fully minimize risk. Despite their best efforts, Change Healthcare experienced a significant security event. And even with completed BAAs, hospitals around the country felt the impact on patient trust. One consumer lawsuit that questions your cookie acceptance policy may be a low financial burden, but the impact to your brand reputation could be significant.
Top 3 Best Practices for Working with Compliance
1. When speaking with compliance, be specific about the types of PHI that are involved and the level of trust you have in the companies you are sharing it with (and whether they’ll sign a BAA).
2. Get into the habit of discussing impact and likelihood separately. A good first step is to make a list of potential negative impacts and a separate list of things that increase or decrease your sense that a given event is likely to happen.
3. Ask your compliance team for advice on things you can do to lower the likelihood or impact. They might suggest a different set of terms in your MSA or help you identify more trustworthy tools.
If you want to innovate - or make change at nearly any level - you need to understand what your audience values today and show the connection between what you’re trying to achieve and their goals. In other words, you need to meet them where they are.
When it comes to making progress with healthcare compliance teams, framing your innovations and new ideas around their definitions of impact, likelihood, and risk will help them make more informed decisions and help your entire organization move forward faster.