HIPAA Compliance for Marketers

By Allison Trapp

How to create engaging HIPAA-compliant campaigns

It’s a tough challenge: as good marketing becomes increasingly more reliant on good data and online marketing, how can healthcare marketers create great digital campaigns while still remaining HIPAA compliant?

1 in every 20 Google searches is for health-related information, and 59% of all U.S. adults looked online for health information in the last year. It’s never been more vital for healthcare organizations to have an engaging online presence and platforms for patient and prospect communication, but with HIPAA rules and restrictions, it can be daunting to communicate with patients online.

Violating HIPAA and disclosing patients’ personal health information (PHI) can result in heavy fines and even criminal penalties, but it can also severely damage your brand’s reputation and break the trust of your audience. However, by following a few simple guidelines and being careful about how you collect, use and store patients’ PHI, you can still engage your patients and prospects online while remaining HIPAA compliant.

Compliance starts with collecting data the right way

Before you start collecting data, it’s important to know what is PHI and what isn’t. Broadly, PHI is any health information that can be connected to an individual. That includes data that could be used in your marketing efforts such as names, geographical identifiers smaller than a state, email addresses, images of the patient, phone numbers and device identifiers.

To collect prospects’ and patients’ health information the right way:

  • Transmit and store form data securely. Most online forms encrypt data, but you’ll need a form solution that offers end-to-end encryption JotForm and Formstack are two popular form software options that meet HIPAA requirements right out of the box.
  • Ask your form service to sign a Business Associate Agreement promising to legally protect your patients’ data.
  • Make sure your form software doesn’t send unencrypted emails, such as a notification to a marketing team member that a new patient or prospect has filled out a form.  
  • Tell patients how the data you collect will be used and give them control over the privacy of their own data (tip: this is a best practice for other reasons, too!).  

Sending HIPAA-compliant emails

Email is an incredibly effective way to reach patients and prospects, with an average ROI of 4,400%. But because emails could potentially expose PHI, it’s important to carefully plan campaigns that don’t rely on personal information.

To create and send HIPAA-compliant campaigns:

  • Get explicit permission before emailing any patients or prospects. Any email or intake forms on your website should let users know that you will send them emails, what types of communication they can expect from you, a rough idea of email frequency and how to opt out. Ideally, you should also use a double opt-in, which asks users to verify their email address and confirm interest in receiving your emails.
  • Encrypt any email sent to current patients containing any type of PHI (such as name or information relevant to their health). Some popular email platforms offer encryption but won’t sign a Business Associate Agreement, so it’s important to research your email platform thoroughly before signing up.
  • Resist the urge to personalize your email campaigns. While greeting someone by name or offering them highly relevant information are generally considered email best practices, you could expose their PHI, including specific health conditions or concerns—a big HIPAA no-no.
  • If you’d like to use PHI (such as a patient’s name and image for a testimonial) in your email marketing, make sure you get permission from the patient in writing and a signed consent form detailing exactly how and where their PHI will be used.

Engaging with patients on social media

HIPAA was around long before social media arrived on the marketing scene, but HIPAA rules still apply to these channels and social media offers many opportunities to accidentally expose a patient’s PHI.

To create engaging social posts without violating HIPAA rules:

  • Get explicit permission for any PHI you use on social channels. Just like email, if you want to share a patient testimonial or any imagery or video that includes patients, you need to get permission from each patient, in writing, agreeing to both the content and the channel on which it will be shared.
  • Post more general marketing content like health tips, upcoming patient or prospect events and information about team members.
  • Train your team members and provide examples of compliant and non-compliant social posts. A good social post promotes your brand without disclosing PHI. You can use real examples from recent cases to show team members what not to do. Make sure everyone who posts understands HIPAA rules—not just those who post on your organization’s page but also for their own personal posts.
  • Review all social posts for PHI prior to publication. Are any patients visible in your clinic photo? Is there a patient file sitting out in the background of an image?
  • If a patient posts their own PHI, do not respond to them on social media. You can also moderate or limit commenting on your social media channels to avoid this type of interaction.
  • Review your social media policy annually and retrain your team frequently.

What challenges have you faced with HIPAA compliance and online marketing? Let us know how we can help you stay compliant while still creating engaging online content and campaigns for your patients and prospects.

Resource
Navigating towards web equity: A guide to inclusive design 
Webinar
Webinar: Attract and Develop the Next Generation of Values-Driven Leaders