
How to Find a HIPAA Compliant Marketing Agency

Lesley Van De Mortel • Oct 29, 2023

How to Find a HIPAA-Compliant Marketing Agency And Why Compliance is Important

Navigating the complex realm of HIPAA compliance in healthcare marketing is a challenge, especially when considering the legal intricacies involved.


For those in the healthcare industry, finding a marketing agency that not only understands your specific needs but is also well-versed in HIPAA (Health Insurance Portability and Accountability Act) compliance is crucial. Violating HIPAA can lead to severe consequences: large fines, costly lawsuits, and damage to the business's reputation.


The good news is that in this article, I will guide you through the complexity of finding a HIPAA-compliant marketing agency that has your best interests at heart and helps you avoid enforcement action by HHS' Office for Civil Rights.

Understanding HIPAA Compliance in Marketing

Before diving into the search, it's essential to have a basic understanding of HIPAA compliance and how it relates to marketing. The primary goal of HIPAA is to protect patients' sensitive health information. When it comes to marketing, any communications that involve patient data must adhere to HIPAA's strict guidelines. At all times, PHI (protected health information) must be protected, and safeguards must be put in place to ensure PHI stays protected.


Any unauthorized use or disclosure of PHI is presumed to be a breach under HIPAA, and the covered entity must be able to demonstrate that breach notification letters have been sent to all those potentially affected within 60 days of the date the breach was discovered, or prove through an extensive risk analysis that the probability of compromise was sufficiently low that it wouldn't be considered a breach. Either way, everything must be documented and retained for at least six years. Failing to do so violates the breach notification rule, which will lead to severe consequences.


When thinking about a breach, most people picture a hacked data server from which thousands or millions of health records have been stolen. While that would absolutely be a breach, many far smaller incidents that happen in healthcare marketing are considered breaches, too.


For example, responding to online reviews (positive or negative) or replying to comments on social media posts is a breach if the reply includes PHI, or even acknowledges that the person has been a patient. Sending promotional emails to patients (or leads) using their contact details without explicit consent also breaches HIPAA regulations. Hence, healthcare providers must ensure that any agency they work with knows these rules inside and out.

The Misconceptions About Protected Health Information (PHI)

A common misconception is that PHI consists only of actual health records involving treatment and billing data, but this is not the case. Any identifier that can be used to identify an individual, otherwise known as PII (personally identifiable information), combined with any health data, such as the URL of a web page with condition-specific information like 'depression' or 'abortion,' is considered PHI. When PII and health data are in the same data set, it becomes protected health information regardless of any nuance.

Let's take a look at the 18 HIPAA identifiers below:

  1. Name (first, last, or any initials)
  2. Address (including street, city, county, and zip)
  3. All elements of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if the individual is over 89)
  4. Telephone numbers
  5. Fax number
  6. Email address
  7. Social Security Number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate or license number
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URL
  15. Internet Protocol (IP) Address
  16. Finger or voice print
  17. Photographic image - Photographic images are not limited to pictures of the face
  18. Any other number, identifier or characteristic that could uniquely identify the individual


If a data set contains any of the identifiers listed above, or parts of them, the data is considered "identified." To be considered "de-identified," all 18 HIPAA identifiers listed above must be removed from the data set. The best course of action for marketing is to prevent these identifiers from being collected and added to any data set that contains health information in the first place.

10 Steps to Finding a HIPAA-Compliant Marketing Agency

  1. Research and Recommendations: Gather a list of potential agencies. Seek recommendations from peers in the healthcare industry. They may have first-hand experience with HIPAA-compliant marketing agencies. They can provide insights into agencies they have worked with that they recommend or which agencies to avoid if the experience wasn't positive.

  2. Check Expertise in Healthcare: Not all marketing agencies know the healthcare domain. Ensure the agency has experience and a good track record of serving healthcare clients. This background ensures they understand the unique challenges of this industry.

  3. Ask About Specific HIPAA Training: It is not enough for an agency to say they are HIPAA compliant. They should be able to demonstrate that their team has undergone specific HIPAA compliance training and stays updated with any changes to the regulations.

  4. Are They Willing to Sign a Business Associate Agreement (BAA): The Privacy Rule strictly prohibits sharing PHI with third parties unless there is a valid business associate agreement outlining the responsibilities and duties of the business associate, the limits of their access to PHI, and the duration of their involvement. A detailed BAA must be put in place between the covered entity and the business associate (vendor) before any work commences. To be sure that your BAA is legally sound, it is best to ask your legal counsel to review it or engage a law firm specializing in HIPAA. You should also ask the agency for copies of the BAAs they have signed with their vendors to further validate their commitment to HIPAA compliance.

  5. Review the Software Systems They Use: As mentioned above, not only must the marketing agency and its team be compliant, but the software systems they use must be HIPAA-compliant too. Many HIPAA-compliant marketing solutions will sign a BAA, although they are often costlier than their non-compliant versions. Asking the agency for copies of the BAAs they have signed with their software vendors is another good way of verifying their commitment to HIPAA compliance.

  6. Review Case Studies and Testimonials: Most reputable agencies will have case studies or testimonials highlighting their work. Review these to understand their approach to healthcare marketing and any successes they've had in the past. Particularly, look for mentions of maintaining compliance during campaigns regarding the collection and usage of marketing data.

  7. Discuss Data Handling Protocols: Inquire about their data handling and storage practices. They should have secure systems to manage patient data, including encryption and regular audits. A HIPAA-compliant agency will prioritize data protection.

  8. Seek Legal Assurance: Request documentation outlining compliance procedures. Some agencies may even have certifications or endorsements from HIPAA compliance training programs. It's also a good idea to include a clause in your contract that holds the agency accountable for any HIPAA violations that may arise from their actions.

  9. Plan for Crisis Management: Mistakes can happen. It's essential to know how the agency will handle any potential breaches. They should have a crisis management plan that outlines the steps to take if there's a suspicion of a HIPAA violation or breach. If you're interested in learning the ten most common HIPAA breaches and violations that typically occur in healthcare marketing, and how to avoid them, you can download my free HIPAA Marketing Checklist.

  10. Continuous Monitoring: Once you've selected an agency, the work doesn't stop there. Regularly review the agency's practices to ensure they remain compliant. Set up periodic check-ins to discuss regulation changes and how they might impact the overall marketing strategies.

Red Flags to Watch Out For

When searching for a HIPAA-compliant marketing agency, be cautious of the following:

  • No Mentions of HIPAA Compliance on Their Website: Agencies or contractors who specialize in HIPAA-compliant marketing will have prominent references regarding HIPAA compliance on their website. If these aren't visible on their website, that often indicates that HIPAA compliance isn't their priority. If there are specific mentions, ask the agency to elaborate on these and find out if they are meaningful or even legitimate.

  • Lack of Previous Healthcare Clients: An agency without a demonstrable history of serving healthcare clients is probably not a great fit due to the complexity of the healthcare industry and their inexperience in managing marketing campaigns compliant with HIPAA regulations.

  • Overpromising Results: Any agency that promises high returns without considering HIPAA compliance should be a red flag. Achieving marketing results is hard enough without having to worry about electronic protected health information. Better agencies always underpromise and overdeliver.

  • Vague Answers: If an agency is ambiguous about its HIPAA compliance or avoids discussing its compliance protocols in depth, it's a red flag and probably best to avoid.

Tracking Technologies and Conversion Tracking

Tracking scripts are a crucial component in any marketing campaign for marketers to track and measure the performance and be able to report on their KPIs. Unfortunately, standard tracking technologies provided by advertising platforms such as Google, Facebook, Microsoft, TikTok, and any other platform are not HIPAA compliant, and the use of these technologies on websites and landing pages of covered entities is strictly prohibited under HIPAA.


In December 2022, HHS' Office for Civil Rights issued a bulletin that highlighted the obligations of the HIPAA Privacy, Security, and Breach Notification Rules for covered entities when using online tracking technologies.


Tracking technologies track, collect, and analyze information about how users interact with the organization's website and landing pages. The data collected by these tracking pixels is sent directly to third-party platforms, which constitutes a data breach and a clear HIPAA violation. Depending on the size of the marketing campaigns and the number of people reached, this has the potential to be a massive data breach. OCR made it abundantly clear that even an IP address is considered PHI if an individual visits a treatment-specific web page on a covered entity's website, even if the individual does not have an existing relationship with the regulated entity.


The bulletin settled a question that had long been debated. It sent shockwaves throughout the healthcare industry, with many hospitals, healthcare systems, and private organizations realizing they are affected by having these tracking technologies on their websites and portals, some for many years. The implications are huge: in May of 2023 the American Hospital Association sent a letter to OCR on behalf of its nearly 5,000 member hospitals, 270,000 affiliated physicians, 2 million nurses, and 43,000 healthcare leaders, arguing that treating a mere IP address as protected health information will reduce public access to credible health information.


In July 2023, HHS' OCR responded by releasing a statement warning 130 hospital systems and telehealth providers about the Privacy and Security risks posed by online tracking technologies. It reiterated the obligations under HIPAA by referring back to its bulletin issued in December of 2022.


The FTC has since clarified that similar rules apply to entities not covered by HIPAA, and it will enforce its rules accordingly, as it has done with BetterHelp and GoodRx under its Health Breach Notification Rule. BetterHelp and GoodRx must pay $7.8 million and $1.5 million, respectively, due to tracking technology data breaches.


The HIPAA Journal reported in August of 2023 that Advocate Aurora Health was one of the first HIPAA-regulated entities to report a pixel-related data breach to HHS' OCR: Advocate Aurora Health proposed a $12.25 million settlement to resolve its class action.


Back in July of 2022, a class action was filed against the University of San Francisco (UCSF) and Dignity Health Medical Foundation for their use of Meta tracking technologies (pixels) on their patient portals and websites.


The use of standard tracking technologies by covered entities must be avoided at all costs, and safeguards must be put in place to protect health information. There are simple yet effective ways to limit the collection of PHI by tracking technologies such as Google Analytics, which I explain in detail in one of my other blogs called "How to Make Google Analytics HIPAA Compliant." Similarly, there are ways to de-identify data collected by tracking technologies before sending the data to Meta Ads, Google Ads, and any other advertising platform by using a HIPAA-compliant tracking pixel called Metro, which I helped develop.
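To make the 18-identifier rule above and the tracking-pixel concern concrete, here is an added Python audit (example code, not from the original post or any product it mentions) that checks a constructed marketing event record, of the kind a pixel would transmit, for Safe Harbor identifiers and strips them. The field names, regex patterns, and the sample record are assumptions made for the illustration.

```python
import re

# Value patterns for some of the 18 identifiers the article lists. The regexes
# are deliberately simple: this is an audit aid, not a guarantee of de-identification.
IDENTIFIER_PATTERNS = {
    "social_security_number": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email_address": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "telephone_number": re.compile(r"^\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}$"),
    "ip_address": re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$"),
    "web_url": re.compile(r"^https?://", re.IGNORECASE),
    "date": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
}
# Field names (assumed) that carry identifiers even when the value has no telltale shape.
IDENTIFIER_FIELDS = {"name", "first_name", "last_name", "address", "mrn", "account_number"}

# Constructed sample: what a tracking pixel on a condition-specific page might send.
SAMPLE_EVENT = {
    "ip": "203.0.113.45",
    "page_url": "https://clinic.example/conditions/depression/book-appointment",
    "email": "jane.doe@example.com",
    "phone": "(555) 123-4567",
    "ssn": "123-45-6789",
    "dob": "1950-04-12",
    "age": 91,
    "campaign": "spring-2023",
}

def find_identifiers(record):
    """Return the set of identifier categories present in a flat record."""
    found = set()
    for key, value in record.items():
        if key.lower() in IDENTIFIER_FIELDS:
            found.add(key.lower())
        if key.lower() == "age" and isinstance(value, int) and value > 89:
            found.add("age_over_89")  # exact ages over 89 are an identifier
        if isinstance(value, str):
            for label, pattern in IDENTIFIER_PATTERNS.items():
                if pattern.match(value):
                    found.add(label)
    return found

def is_deidentified(record):
    """A record is de-identified only when none of the identifiers remain."""
    return not find_identifiers(record)

def scrub(record):
    """Drop identifier-bearing fields, cap ages over 89, keep everything else."""
    clean = {}
    for key, value in record.items():
        if key.lower() in IDENTIFIER_FIELDS:
            continue
        if key.lower() == "age" and isinstance(value, int) and value > 89:
            clean[key] = "90+"
            continue
        if isinstance(value, str) and any(p.match(value) for p in IDENTIFIER_PATTERNS.values()):
            continue
        clean[key] = value
    return clean
```

Run `find_identifiers(SAMPLE_EVENT)` before a campaign export leaves your systems; anything it returns is data the agency or ad platform should never have received without a BAA.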

When State Privacy Laws Take Precedence

Now that you have a firm understanding of HIPAA compliance in marketing and what to look out for when choosing a marketing agency, the next concern is the even more complicated landscape of the different privacy laws in each State.


HIPAA is a Federal minimum standard: it preempts less protective State law, but where a State privacy law is more stringent than HIPAA, that law, or the stricter parts of it, takes precedence. For example, the California Privacy Rights Act (CPRA) imposes some stricter provisions that are important to be aware of. Another example is the recently enacted My Health My Data Act in Washington State. The MHMD Act is currently the strictest privacy law in the United States, and its goal is to provide more robust coverage for consumer health data beyond HIPAA-covered healthcare providers.

Conclusion

Finding a HIPAA-compliant marketing agency is crucial for healthcare providers, but there are many pitfalls to be aware of, as discussed in this article. Following the 10 steps outlined above and keeping a vigilant eye out for potential red flags ensures your organization's marketing efforts are not only practical but also legally sound, avoiding enforcement action from HHS' OCR.


Remember, while marketing is about reaching and influencing your target audience and solving their problems, it should never compromise patient data or trust. Working with a knowledgeable, competent, and compliant marketing agency is critical to building a successful healthcare organization. It takes years to build a great reputation, but it only takes one breach to undo years of hard work.


Thank you for reading this blog. I hope it provides clarity on the importance of choosing a HIPAA-compliant marketing agency. By selecting us, you not only ensure the trust of your patients but also avoid potential legal and reputational risks. If you're ready to make this beneficial decision, please apply to work with us today. I'm looking forward to it.


About the Author


LESLEY VAN DE MORTEL

HIPAA Marketing Consultant

Lesley is a CDMP-certified digital marketing consultant and a CHPSE® Certified HIPAA Privacy Security Expert. With over seven years of in-depth experience building profitable HIPAA-compliant patient acquisition systems for private healthcare organizations across the United States, Lesley has worked, and still works, with some of the leading healthcare organizations in their respective field and has helped several of them scale their organization across multiple cities and states by leveraging high-performance, HIPAA-compliant patient acquisition systems.
