Navigating the complex realm of HIPAA compliance in healthcare marketing is a challenge, especially when considering the legal intricacies involved.
For those in the healthcare industry, finding a marketing agency that not only understands your specific needs but is also well-versed in
HIPAA (Health Insurance Portability and Accountability Act) compliance is crucial. Violating HIPAA can lead to severe consequences: huge fines, costly lawsuits, and lasting damage to the business's reputation.
The good news is that in this article, I will help guide you through the complexity of finding a HIPAA-compliant marketing agency that has your best interests at heart, and helps you prevent enforcement action by HHS' Office for Civil Rights.
Before diving into the search, it's essential to have a basic understanding of HIPAA compliance and how it relates to marketing. The primary goal of HIPAA is to protect patients' sensitive health information. When it comes to marketing, any communications that involve patient data must adhere to HIPAA's strict guidelines. At all times, PHI (protected health information) must be protected, and safeguards must be put in place to ensure PHI stays protected.
Any unauthorized use or disclosure of PHI is presumed to be a breach under HIPAA, and the covered entity must be able to demonstrate that breach notification letters have been sent to all those potentially affected within 60 days of the date the breach was discovered, or prove through an extensive risk analysis that the probability of compromise was sufficiently low that it wouldn't be considered a breach. Either way, everything must be documented and retained for at least six years. Failing to do so violates the breach notification rule, which will lead to severe consequences.
When thinking about a breach, most assume that a breach would be something like a data server that gets hacked and where thousands or millions of health records have been stolen. While this would absolutely be a breach, many more minor incidents that happen with healthcare marketing are considered breaches, too.
For example, responding to online reviews (positive or negative reviews) where PHI has been disclosed or replying to comments on social media posts would be a breach if it includes PHI, or even acknowledging that they have been a patient. Sending promotional emails to patients (or leads) using their contact details without explicit consent breaches HIPAA regulations. Hence, healthcare providers must ensure that any agency they work with knows these rules inside and out.
A common misconception is that PHI would only consist of actual health records that involve treatment and billing data, but this is not the case. Any identifier that can be used to identify an individual, otherwise known as PII (personally identifiable information), in combination with any health data, such as a URL of a web page with condition-specific information like 'depression' or 'abortion,' is considered PHI. When PII and health data are in the same data set, it becomes protected health information regardless of any nuance.
If a data set contains any identifiers listed above or parts of the identifier, the data is considered "identified." To be considered "de-identified," all 18 HIPAA identifiers listed above must be removed from the data set. The best course of action regarding marketing would be to prevent these identifiers from being collected and added to any data set that contains health information.
When searching for a HIPAA-compliant marketing agency, be cautious of the following:
Tracking scripts are a crucial component in any marketing campaign for marketers to track and measure the performance and be able to report on their KPIs. Unfortunately, standard tracking technologies provided by advertising platforms such as Google, Facebook, Microsoft, TikTok, and any other platform are not HIPAA compliant, and the use of these technologies on websites and landing pages of covered entities is strictly prohibited under HIPAA.
In December 2022, HHS' Office for Civil Rights issued a bulletin that highlighted the obligations of the HIPAA Privacy, Security, and Breach Notification Rules for covered entities when using online tracking technologies.
Tracking technologies track, collect, and analyze information about how users interact with the organization's website and landing pages. The data collected by these tracking pixels gets sent directly to third-party platforms, which constitutes a data breach and a clear HIPAA violation. Depending on the size of the marketing campaigns and the number of people reached, this has the potential to be a massive data breach. OCR made it abundantly clear that even IP addresses would be considered PHI if an individual visits a treatment-specific web page on a covered entity's website, even if the individual does not have an existing relationship with the regulated entity.
The bulletin settled a question that had long been a topic of debate. It sent shockwaves throughout the healthcare industry, with many hospitals, healthcare systems, and private organizations realizing they are affected by having these tracking technologies on their websites and portals; some have had them in place for many years. The implications are huge, and in May 2023 the American Hospital Association sent a letter to OCR, on behalf of its nearly 5,000 member hospitals, 270,000 affiliated physicians, 2 million nurses, and 43,000 healthcare leaders, arguing that treating a mere IP address as protected health information will reduce public access to credible health information.
In July 2023, HHS' OCR responded by releasing a statement warning 130 hospital systems and telehealth providers about the Privacy and Security risks posed by online tracking technologies. It reiterated the obligations under HIPAA by referring back to its bulletin issued in December of 2022.
The FTC has since clarified that similar rules apply to entities not covered by HIPAA, and it will enforce its rules accordingly, as it has done with BetterHelp and GoodRx under its Health Breach Notification Rule. Both BetterHelp and GoodRx must pay $7.8 million and $1.5 million, respectively, due to tracking technology data breaches.
The HIPAA Journal reported in August of 2023 that Advocate Aurora Health was one of the first HIPAA-regulated entities to report a pixel-related data breach to HHS' OCR: Advocate Aurora Health proposed a $12.25 million settlement to resolve its class action.
Back in July of 2022, a class action was filed against the University of San Francisco (UCSF) and Dignity Health Medical Foundation for their use of Meta tracking technologies (pixels) on their patient portals and websites.
The use of standard tracking technologies by covered entities must be avoided at all costs, and safeguards must be put in place to protect health information. There are simple yet effective ways to limit the collection of PHI by tracking technologies such as Google Analytics, which I explain in detail in one of my other blogs called "How to Make Google Analytics HIPAA Compliant." Similarly, there are ways to de-identify data collected by tracking technologies before sending the data to Meta Ads, Google Ads, and any other advertising platform by using a HIPAA-compliant tracking pixel called Metro, which I helped develop.
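As an added illustration of the "limit collection" and "de-identify before sending" approaches described above, the following client-side filter shows what such a safeguard looks like in practice. It is example code written for this article, not the Metro pixel or any advertising platform's SDK. The event shape, the field names (ip, email, client_id, page_url, and so on), the identifier patterns, and the rule of keeping only utm_ campaign parameters are all assumptions made for the example; the identifier categories it covers are a subset of the 18 HIPAA Safe Harbor identifiers.

```javascript
// Added example: strip HIPAA identifiers from an analytics event before it is
// forwarded to a third-party platform. Field names are assumptions for this
// example, not any vendor's event format.

// Fields that carry a direct identifier; they are dropped outright.
const IDENTIFIER_FIELDS = new Set([
  'ip', 'email', 'phone', 'name', 'first_name', 'last_name',
  'user_id', 'client_id', 'mrn', 'dob', 'ssn', 'address', 'zip',
]);

// Value patterns that reveal an identifier hiding in a free-text field.
const IDENTIFIER_PATTERNS = {
  email: /[\w.+-]+@[\w-]+\.[\w.-]+/,
  phone: /\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b/,
  ssn: /\b\d{3}-\d{2}-\d{4}\b/,
  ipv4: /\b(?:\d{1,3}\.){3}\d{1,3}\b/,
};

// Only campaign attribution parameters survive; every other query parameter
// (click ids, prefilled contact details, session tokens) is removed.
const ALLOWED_PARAM_PREFIX = 'utm_';

function looksLikeIdentifier(value) {
  if (typeof value !== 'string') return false;
  return Object.values(IDENTIFIER_PATTERNS).some((re) => re.test(value));
}

// Keep scheme, host and path (the page itself may be condition-specific, which
// is fine once no identifier travels with it); allowlist the query string.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (key.startsWith(ALLOWED_PARAM_PREFIX) && !looksLikeIdentifier(value)) {
      kept.set(key, value);
    }
  }
  url.search = kept.toString();
  url.hash = '';
  return url.toString();
}

// Pre-send check: report which fields of an event would carry an identifier.
function findIdentifiers(event) {
  const findings = [];
  for (const [key, value] of Object.entries(event)) {
    if (IDENTIFIER_FIELDS.has(key)) findings.push(key);
    else if (key === 'page_url' && scrubUrl(value) !== value) findings.push(key);
    else if (looksLikeIdentifier(String(value))) findings.push(key);
  }
  return findings;
}

// Produce the event that is allowed to leave the site.
function deidentifyEvent(event) {
  const out = {};
  for (const [key, value] of Object.entries(event)) {
    if (IDENTIFIER_FIELDS.has(key)) continue;
    if (key === 'page_url') { out.page_url = scrubUrl(value); continue; }
    if (looksLikeIdentifier(String(value))) continue;
    out[key] = value;
  }
  return out;
}

// Constructed sample: a page view on a condition-specific page where the
// tracking script also picked up an IP, a client id and an email in the URL.
const SAMPLE_EVENT = {
  event_name: 'page_view',
  page_url: 'https://clinic.example/conditions/depression?utm_source=google&email=jane%40example.com&fbclid=abc123',
  referrer: 'https://www.google.com/',
  ip: '203.0.113.7',
  client_id: 'GA1.2.555.777',
  page_title: 'Depression treatment',
};

console.log('identifiers found:', findIdentifiers(SAMPLE_EVENT));
console.log('event to forward:', deidentifyEvent(SAMPLE_EVENT));
```

The filter is a denylist, which only catches the identifiers it knows about; for a production safeguard an allowlist that forwards nothing but explicitly approved fields is the safer design, and the check in findIdentifiers is the kind of thing to run in testing so an event containing PHI fails before any tag goes live.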
Now that you have a firm understanding of HIPAA compliance in marketing and what to look out for when choosing a marketing agency, the next concern is the even more complicated landscape of the different privacy laws in each State.
HIPAA is a Federal minimum standard: it preempts State law that is less protective, but where a State privacy law is more stringent than HIPAA, that law, or the stricter parts of it, takes precedence. For example, the California Privacy Rights Act (CPRA) imposes some stricter provisions that are important to be aware of. Another example is the new My Health My Data Act in Washington State, which has recently been enacted. The MHMD Act is currently the strictest privacy law in the United States, and its goal is to provide more robust coverage for consumer data beyond HIPAA-covered healthcare providers.
Finding a HIPAA-compliant marketing agency is crucial for healthcare providers, but there are many pitfalls to be aware of, as discussed in this article. Following the 10 steps outlined above and keeping a vigilant eye out for potential red flags ensures your organization's marketing efforts are not only practical but also legally sound, avoiding enforcement action from HHS' OCR.
Remember, while marketing is about reaching and influencing your target audience and solving their problems, it should never compromise patient data or trust. Working with a knowledgeable, competent, and compliant marketing agency is critical to building a successful healthcare organization. It takes years to build a great reputation, but it only takes one breach to undo years of hard work.
Thank you for reading this blog. I hope it provides clarity on the importance of choosing a HIPAA-compliant marketing agency. By selecting us, you not only ensure the trust of your patients but also avoid potential legal and reputational risks. If you're ready to make this beneficial decision, please apply to work with us today. I'm looking forward to it.
Lesley is a CDMP-certified digital marketing consultant and a CHPSE® Certified HIPAA Privacy Security Expert. With over seven years of in-depth experience building profitable HIPAA-compliant patient acquisition systems for private healthcare organizations across the United States, Lesley has worked, and still works, with some of the leading healthcare organizations in their respective field and has helped several of them scale their organization across multiple cities and states by leveraging high-performance, HIPAA-compliant patient acquisition systems.
LEZ VAN DE MORTEL LTD
Registered in the UK, serving clients in the US.
Copyright 2017-2024