The Healthcare Marketer’s Guide to Navigating HIPAA Compliance

Reading Time: 12 minutes

Are you struggling to implement an effective healthcare marketing strategy that’s HIPAA-compliant? You’re far from alone. It’s the wide-reaching minefield of regulations — like HIPAA compliance for patient data security — that caused healthcare to lag behind other industries that quickly adapted modern digital marketing strategies.

Rather than navigating these complexities, many healthcare organizations stick with traditional marketing channels like TV, radio, and print ads, losing out on the digital opportunity to deliver their marketing message directly to the right person. Others make the mistake of using out-of-the-box marketing software, which can lead to HIPAA compliance issues.

It’s a lot to consider. That’s why we’ve compiled this Healthcare Marketer’s Guide to Navigating HIPAA compliance.

Please note: This article is not intended to provide legal advice and should not be relied upon for such purposes. Organizations subject to HIPAA limitations should always consult with their legal teams to assess the risks associated with any of the tools or tactics mentioned here.

What Is HIPAA Compliance and Why Is It So Important?

HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed in 1996. It dictates how healthcare industry organizations may lawfully store, share, manage, and record patients’ protected health information (PHI).

The U.S. Department of Health and Human Services HIPAA Privacy Rule states that any organization that provides healthcare treatments, payment management, or operations is considered a HIPAA “covered entity” — as are their “business associates.” HIPAA defines a business associate as any person or entity that provides services to a covered entity that requires the disclosure of protected health information (PHI). That means software companies that store, share, or have access to PHI must be HIPAA-compliant — or lose healthcare clients.

In a nutshell, HIPAA simply requires that you:

• Put safeguards in place to protect patient health information
• Reasonably limit uses and sharing to the minimum necessary to accomplish your intended purpose
• Have agreements in place with any service providers that perform covered functions or activities for you
• Have procedures in place to limit who can access patient health information, and implement a training program for you and your employees about how to protect your patient health information

What Is Protected Health Information (PHI)?

Protected health information (PHI) is health information contained in any physical record, including health histories (diagnoses and treatments), lab test results, and medical bills. PHI that is created, stored, or transmitted electronically is called ePHI.

The HIPAA Journal defines PHI as “individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations.”

Protected health information includes one or more of the following identifiers:

• Full name or last name and initial and gender
• Geographical identifiers smaller than a state
• Dates (other than year) directly related to an individual
• Phone numbers (of patient and emergency contact)
• Fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health insurance beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers (serial numbers and license plate numbers)
• Device identifiers and serial numbers
• Web uniform resource locators (URLs)
• Internet protocol (IP) address numbers
• Biometric identifiers (finger, retinal and voice prints)
• Full-face photos
• Any other unique identifying number or code (except the unique code assigned by the investigator to code the data)

Once these identifiers are removed, the information is considered de-identified and is not subject to the restrictions of the HIPAA Privacy Rule.

What Information Is Not Considered PHI?

The Department of Health and Human Services also define what is not considered PHI:

• Communication about a health-related service or product that is provided by or included in a plan of benefits of the covered entity (CE) making the communication. For example, CEs are allowed to inform clients that a new treatment or facility is coming soon.
• Communication that is part of a treatment plan — prescription refill reminder or a lab test referral — is not considered marketing and does not require patients’ approval.
• Communication that’s part of care coordination, like an alternate provider or treatment recommendation, is not considered marketing.

How Does HIPAA Compliance Affect Your Marketing Campaigns?

The U.S. Department of Health and Human Services’ HIPAA Privacy Rule defines marketing as:

• “… a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”
• “… an arrangement between a covered entity and any other entity whereby the covered entity discloses PHI to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients to purchase or use that product or service.” There are no exceptions to this second part.

For example, if a patient is on Warfarin and a reminder is sent to the patient to refill the prescription, it is not considered marketing and does not require a release by the patient as long as the pharma company doesn’t pay for the communication.

However, if Bristol Meyers Squibb wants that patient to try its new anticoagulant, Eliquis, the patient would need to sign an authorization allowing marketing communication to be sent.

You’ll need to obtain a patient’s written authorization before using or disclosing PHI for marketing purposes or for sale to a third party. This means using opt-in email capture forms and not “assuming” it’s okay to market to a patient just because you have their email address on file.

Also, any healthcare provider you do marketing for (a covered entity) cannot sell PHI to a business associate or a third party to be used for that party’s own self-interest without expressed authorization from each patient. You can find a full list of necessary authorizations here: 45 CFR 164.508.

Why Your Healthcare Clients Need HIPAA-Compliant Software

According to the HIPAA Journal, the purpose of HIPAA compliance software is to guide HIPAA-covered entities or business associates to become and remain HIPAA-compliant while following the HITECH Act Rules. Compliant software also helps companies document all good-faith efforts to comply.

This is to protect a healthcare company that may be audited by the HHS’ Office for Civil Rights (OCR) or state attorneys general over a data breach. The software also helps train staff and implement technical, physical, and administrative safeguards. Investing in HIPAA-compliant software is critical for your healthcare organization, as even small offenses can lead to fines anywhere from $100 to $50,000. In 2020 alone, healthcare companies paid as much as $4.3 million in HIPAA penalties.

Implementing a HIPAA-Compliant Healthcare Marketing Strategy

Although healthcare marketing tech lags behind that of other industries, patients still expect dynamic digital experiences. A CDW Corporation Healthcare survey found that 89% of patients want simple, seamless access to their personal health records. And 98% are comfortable communicating with providers digitally — via texting, mobile apps, online chats, or live video.

Regardless of your healthcare digital marketing strategy type, there are steps you can take to minimize your risk of a HIPAA compliance breach.

First: Minimize your risk of a HIPAA compliance breach

Develop a PHI use policy that includes SOPs for:

• Training your marketing departments regularly to make sure they understand HIPAA requirements
• Clarifying who has access to PHI and for what purpose, then monitoring it regularly
• Documenting your marketing campaigns with clear reasoning for why PHI is included
• Ensuring there is a clear way for patients to opt in and opt out of receiving marketing communication
• Monitoring the implementation of the policy

If you want to market to any patient using data from their PHI, you must secure their authorization. This means providing easy-to-use opt-in email capture forms to confirm that a patient approves your use of their email address to send communications and promotions.

To deliver a compelling HIPAA-compliant digital experience, follow these strategies:

Implement HIPAA Compliance for Email Marketing

Email marketing is still one the most effective ways to boost your healthcare marketing ROI. In fact, according to a HubSpot survey, email marketing campaigns generate $38 for every dollar spent — that’s a 3,800% ROI.

The Federal Trade Commission’s (FTC) Bureau of Consumer Protection provides a CAN-SPAM Act compliance guide for email marketers to follow when implementing campaigns.

• Make it easy for your email recipients to unsubscribe
• Include a mailing address where they can write to you
• Identify the business that is sending the email in the email’s “from,” “reply to,” and “routing information” sections
• Explain the email’s content in the subject line
• Clearly and conspicuously identify your message as an advertisement
• Don’t create any emails using PHI without expressed consent from patients
• Encrypt every email that contains any type of PHI (including name or email address) to ensure only you and the recipient have access to the content
• Ensure that servers storing email data with PHI are also encrypted with off-site backup

Implement HIPAA Compliance for Social Media

Social media helps engage patients in their own care by quickly communicating critical information about services, test results, and the latest condition and treatment research. Statistics reported by Pew Research Center show that approximately 72% of internet users seek healthcare information online, often on social media.

Follow these tips to ensure your social media strategy follows HIPAA compliance:

• Don’t share social posts or ads that feature PHI without getting expressed consent
• Make sure staff members aren’t posting practice photos and accidentally sharing PHI; to be safe, use stock photography
• Create a social media strategy that documents what team members can and cannot post, then follow up with training sessions to ensure HIPAA compliance
• Set up controls to flag any keywords or phrases that might indicate a HIPAA compliance breach before posting

Implement HIPAA Compliance for Websites

Your website is the foundation of your healthcare marketing strategy — make sure it’s secure and user-friendly. To remain nimble in the internet’s ever-changing landscape, the language around HIPAA regulations for websites is often intentionally vague.

FullMedia recommends following these tips for ensuring HIPAA compliance on your website:

• Store all web forms, contact forms, and appointment data on an encrypted server with off-site backup
• Purchase and implement an SSL certificate for your website
• Ensure all web forms on your site are encrypted and secure
• Only send emails containing PHI through encrypted email servers
• Partner with web-hosting companies that are HIPAA-compliant
• Sign a BAA with third parties that have access to your patients’ PHI
• Ensure that PHI is only accessible to authorized individuals
• Establish processes to delete, backup, and restore PHI as needed
• Post a HIPAA privacy policy on your site
• Appoint a HIPAA compliance officer to monitor and maintain your policy

Digital Marketing Tools for HIPAA-Compliant Marketers

There are so many healthcare marketing platforms to choose from that it may be quite time-consuming to confirm HIPAA compliance for each one you’re considering. That’s why we’ve compiled a list of tested software that will help enhance your healthcare marketing strategy.

HIPAA-Compliant Analytics and Reporting Tools

Though there are other robust platforms to choose from, Google Analytics is the one healthcare industry professionals still depend on. When using the tool “out of the box,” you’ll need to modify it to meet HIPAA compliance and ensure no unauthorized PHI is being collected. When your website traffic hits a designated level, you’ll want to avoid collecting “sampled” data by upgrading to Google Analytics 360, which will require you to re-modify for HIPAA compliance.

Before you push data from your various sources into a business intelligence tool, try combining them in Google’s Big Query. This is an easy-to-use solution that allows you to join, scrub, and normalize your data so that when you import it into a business intelligence tool like Power BI, you can immediately begin visualizing and analyzing it.

Amazon Redshift is a similar “data warehouse” type tool like BigQuery. Though it’s not HIPAA-compliant out of the box, it is HIPAA-compliance eligible, which means you’ll have to configure it for healthcare industry regulations. You’ll need to review user permissions and keep a log of everyone who accesses it to ensure that all data is stored and encrypted properly.

If you’re looking for a data storage and reporting tool, consider Power BI, Microsoft’s HIPAA-compliant business intelligence software which is included in the price of Microsoft’s 365 Business Suite.

HIPAA-Compliant Marketing Automation Tools

Using software to nurture sales leads and personalize marketing content will save you time and energy. You’ll need to invest in a HIPAA-compliant marketing automation system that allows you to store PHI in a compliant manner so you can personalize your marketing automation campaigns (newsletters, emails, new service announcements) to your personas’ needs and habits.
Look for a marketing automation tool that enables seamless engagement across audiences, personalized conversations, performance insights to direct your spend, and of course, HIPAA compliance to keep all PHI data secure. These platforms all fit the bill:

• Patient Pop
• Keap
• Patient Gain
• Marketo Engage
• Active Campaign (enterprise package only)

HIPAA-Compliant Website Tools

Your website will need an appointment management platform, a healthcare-specific scheduling tool with a smooth user interface, and patient acquisition tracking (tracking campaign conversions with Google Analytics tags is helpful).

To track form submissions, you can implement CallRail, a submission tool that tracks your calls and emails in the same interface. The FormStack tool provides healthcare-specific templates to set up forms for lead generation, patient acquisition, or equipment ordering. You can also collect patient information through Jotform’s HIPAA-compliant forms.

To optimize your user experience, consider Visual Website Optimizer (VWO), which can be configured to be HIPAA-compliant. VWO features detailed instructions for gathering qualitative data about your visitors’ website use and enables you to run A/B tests to improve your conversion rates.

If you’re developing applications, True Vault is an app-developer-friendly solution to HIPAA compliance. The platform combines a secure and compliant healthcare API and data storage to connect, power, and secure healthcare apps, meeting the technical and physical safeguards mandated by HIPAA.

HIPAA-Compliant CRM Tools

After doing plenty of research and testing, CRM.org has compiled this list of some of the best HIPAA-compliant CRM software on the market:

• Salesforce Health Cloud — best healthcare CRM software overall
• Zendesk — best healthcare CRM solution software for customer service
• Onpipeline — top medical CRM software for patient acquisition
• Leadsquared — best HIPAA-compliant CRM software
• IMS —good doctor CRM tools for EHR management
• OperaDDS — top CRM software for dentists
• PatientPop — good healthcare CRM solution for email automation
• HIPAA CRM — good cloud-based healthcare CRM for HIPAA compliance
• Healthgrades — top healthcare CRM contact center solution
• PlayMaker Health — top healthcare CRM for business intelligence
• Enquire’s CRM — taps into Microsoft’s impressive security data

Built especially for HIPAA compliance, MedChat is another chatting and messaging tool that leverages AI and machine learning to optimize two-way texting, website chatting, and automated appointment reminders.

HIPAA-Compliant Social Media Tactics

HIPAA prohibits the use of PHI on social media networks — including text about patients as well as images or videos that could identify the patient — unless they have given consent in writing. If your healthcare marketing ideas include Google and Facebook ad campaigns, don’t expect those platforms to protect PHI.

Facebook, Instagram, Twitter, LinkedIn, and Yelp are not HIPAA-compliant because they will not sign a business associate agreement (BAA) with covered entities. However, you may be able to use the platforms in a HIPAA-compliant manner when additional disclosures and privacy tools are implemented.

For example, the Centers for Medicare and Medicaid Services ruled in 2018 that their use of the Facebook pixel, including for the purposes of retargeting, was fully compliant with all PHI regulations by providing users with the ability to opt-out. CMS is a division of the U.S. Department of Health and Human Services, which serves as the unofficial regulator for HIPAA enforcement.

In 2020, both Apple and Google announced significant updates to their platforms that would limit advertisers’ ability to track users across websites and devices. As these changes go live, we expect to learn more about how they may help protect PHI. Until then, without these stringent security measures and explicit, written permission from users, the use of pixels from Facebook and other third-party providers is risky for anyone subject to HIPAA compliance. Any providers who want to use these tools should work with an attorney specializing in HIPAA compliance to accurately assess their risks and limitations.

HIPAA Compliance Email Marketing Tools

As long as you abide by the CAN-SPAM Act, obtain prior authorization from patients, and leverage a HIPAA-compliant platform, you can use email marketing to grow your business and improve patient outcomes. The only email system that features HIPAA compliance is Paubox.

Paubox Marketing allows recipients to view marketing emails like regular emails without relying on out-dated portal notifications which are terrible for the recipient. You can use it to segment and send secure email (including PHI) to increase engagement and build your business while remaining HIPAA-compliant.

Paubox recommends that before you add a new name to your subscriber list:

• Ask your patients for written authorization to receive marketing emails
• Remind them why they originally opted-in (for care coordination, to get refill reminders, promotional gifts or discount coupons, or to get news about your practice
• Offer an easy-to-use unsubscribe option

For patient polling and persona research, try using the intuitive and HIPAA-compliant SurveyMonkey. It will allow you to send questionnaires or surveys to patients or prospects and collect data.

Reputation.com is a robust tool for managing location listings, online reviews, and social media. This platform manages your location and physician profiles, updates and pushes out changes to bios, secures patient reviews, and manages your social media — all with HIPAA compliance support.

The Dos and Don’ts of HIPAA Compliance

Before creating and executing your marketing plan, ensure you’re abiding by these guidelines.

Do:

• Share general information about the treatments you provide and any healthcare news that patients could use to attract new leads
• Share new certifications and professional honors your care team has earned
• Get your patients’ permission before placing them on an email list that will require disclosure of or reference to their PHI
• Work with a healthcare marketing agency that is versed in HIPAA compliance
• Check all your marketing and social media campaign images to ensure that they don’t contain PHI to prevent fines

Don’t:

• Mention any patient by name or disclose any identifying information in your campaigns
• Allow your staff to take photographs inside your office that could reveal or expose PHI — even computer monitors that may be displaying it in the background
• Collect patient-specific information on social media sites — they are not encrypted or set up for HIPAA compliance
• Work with non-HIPAA-compliant marketing companies or vendors
• Describe specific patients on social media — even if you change their names
• Send your patients emails concerning their PHI without their express written permission — even encrypted emails can be intercepted

For more robust protection, the HIPAA Journal offers this compliance checklist:

1. Determine which annual audits and assessments are applicable to your organization
2. Conduct the required audits and assessments and document any deficiencies
3. Implement your remediation plans and update annually
4. Appoint a HIPAA Compliance, Privacy and/or Security Officer
5. Conduct and document annual HIPAA training for all team members
6. Perform due diligence on business associates annually
7. Review processes for reporting breaches to Health and Human Services

Keep your staff trained on how to lawfully access and use patient PHI as well as how to find third-party vendors who excel at HIPAA compliance education.

Start Implementing HIPAA Compliance Today

You’ve just absorbed a lot of information that may not be so easy to implement on your own. Need additional support for navigating HIPAA compliance? Reach out to our health hive! Our team implements HIPAA compliance regulations for all of our clients every day, so they don’t have to worry about breaking any regulations or incurring unnecessary fines. We can do the same for you.