3 Ways Your Marketing Efforts May Violate HIPAA
If you’ve worked in a healthcare practice for any length of time, odds are you’re very familiar with the Health Insurance Portability and Accountability Act, commonly known as HIPAA. But have you ever thought about where your marketing efforts and HIPAA may collide?
You probably recognize the need to be cautious when using patient testimonials or photos in your marketing materials. Securing the appropriate documents authorizing you to use identifying details about patients is important in those cases.
But HIPAA concerns related to marketing don’t end there. In fact, HIPAA violations are far more likely to occur in relation to the ways in which you gather and store data from your marketing campaigns.
With an ever-changing landscape both in healthcare and in HIPAA compliance, it can be difficult to keep up with everything you need to know. That’s why we’re taking a few minutes to walk through some common pitfalls and how to avoid them.
Potential HIPAA Pitfall #1: Your Website
Healthcare websites today are one of the more common sources of HIPAA marketing concerns.
Stop to consider how many different spots on your website solicit information from patients or even prospective patients. If your website has a contact form, event sign-up, payment option, chat or any number of other ways to interact, you may be collecting patient information protected by HIPAA.
Even if a patient doesn’t report anything in particular about a medical concern or condition, their information may still be considered Protected Health Information (PHI.) For example, an event sign-up for a bariatrics class indicates a potential health condition, even if the information the patient sent through the form is fairly standard.
When you’re collecting information about patients on your website, it is essential to consider a few details:
- Is the information being sent in a secure, encrypted manner?
- Who is the information being sent to, and who could potentially access it?
- Is the data being stored in a location or on a server that meets HIPAA standards?
Simply password protecting this data does not meet the strict standards of HIPAA. But you should take other steps, too — check with your website host about the security of your server, ensure only those in need of the information can access it, and implement a system that destroys data once it’s no longer necessary.
Potential HIPAA Pitfall #2: Other Tools Gathering Data
When it comes to HIPAA, you also have to consider the other marketing tools you may be utilizing to measure and improve your marketing efforts. This could include:
- Digital analytics tools
- Customer relationship management (CRM) tools
- Website UX tools
- Patient or website surveys
- Lead tracking tools, like form builders or call tracking
Google Analytics is usually a safe bet because it aggregates and depersonalizes all data sent into the platform; however, you have to be careful if you are sending additional data into Google Analytics or uploading customer lists into the platform. Not only can this run afoul of HIPAA laws, it can also break Google’s strict standards for how businesses use their platform.
With other tools, it’s essential to consider what types of information the tool collects and whether it would be considered PHI. For example, a heatmapping tool that aggregates thousands of website visitors together to show general trends should be fine, whereas session recording where you watch an individual user’s clicks as they navigate your website may merit additional consideration.
The best bet is to specifically seek out tools that are made for healthcare, especially tools that offer HIPAA-compliant account options. Seek out information about how patient data is handled, and look into signing a business associate agreement (BAA) with the vendor to cover your bases.
Potential HIPAA Pitfall #3: Lead Generation
Healthcare marketing should ultimately link straight back to the bottom line — are more patients coming in for services and procedures? Are you seeing a return on investment from your marketing spend?
Often, tracking down these statistics on patients coming in through your marketing efforts and linking those back with your marketing budget requires a team effort. This type of conversation and data analysis is critical to a truly strategic marketing effort, but it requires candid conversations about patient leads.
If you are reviewing patient phone calls, appointment requests or form submissions with your marketing agency, or if you are discussing this information over meetings, it’s smart to ensure that your marketing agency has a working knowledge of HIPAA compliance so they can be a partner to you in the stewardship of your patients’ private and protected information.
Data that may not even seem like it should be protected, like a phone number and a name, can in fact be PHI, even if it’s never put into a patient record. Between a great marketing agency and an internal marketing team, that level of collaboration can take your marketing strategy to the next level, but it requires a deep understanding of HIPAA regulations.
By working with a HIPAA compliant marketing agency and establishing a BAA between your two organizations, you can help protect your patients and also protect your organization by assigning expectations and liability for any breaches.
A Final Word
HIPAA regulations can be very complex, especially when it comes to how those should apply to the Internet and marketing efforts. We recommend to all of our clients that they develop a relationship with an attorney or their internal compliance director if that resource is available to them.
Because it can be challenging to stay on top of all the information — or even keep track of all the acronyms — working with a marketing vendor who’s in the know about HIPAA can be extremely beneficial. Across the globe, online consumer privacy and data security is becoming a more protected and regulated space. But ultimately, healthcare organizations have a lot more to lose — both in terms of the price tag of HIPAA breach settlements and the loss of patient confidence.
At Full Media, our entire team of digital marketers is well-versed in HIPAA compliance and can help you develop a strategy that delivers a strong return on investment while keeping patient data secure.
As a HIPAA-compliant digital marketing agency, our team is here to help ensure your marketing efforts are both effective and secure. Ready to learn more? Contacting us is easy.
This article is for general information only and is not formal legal advice.
Rachael develops and executes the strategic priorities and vision for Full Media’s Internet marketing department, serves as the in-house subject matter expert in healthcare Internet marketing, and identifies ongoing opportunities to add value to healthcare organizations through innovation and team member development.
A member of the team since 2013, Rachael began as an Internet Marketing Analyst, eventually becoming an Internet Marketing Team Leader before piloting her current role. She has a wide array of expertise in developing marketing strategies for healthcare clients and different medical specialties, with specific experience in developing strategies for MD referrals, YouTube TrueView campaigns and building reports to compare the effectiveness of traditional media to digital media.Read Full Bio