How to eliminate sneaky sources of HIPAA violations in your marketing efforts

These three efforts are some basic steps that will go a long way toward ensuring you accomplish your marketing goals while still maintaining patient privacy.

When you think about HIPAA violations, the blatant sharing of patient information probably comes to mind. You may think about instances where providers have chatted with family members or friends about a patient’s medical condition or cases where one patient overhears another patient’s information while in your office.

While both scenarios describe slips in the confidentiality required under the Health Insurance Portability and Accountability Act, there are many more instances when violations are less obvious. One area where slip-ups are common? Marketing.

When you’re planning out your marketing strategy and how to accomplish it, you likely think about details such as ROI and how to repurpose content in the most meaningful way. But it’s also important to consider whether your marketing content and your marketing strategy are HIPAA-compliant.

If you feel a little overwhelmed at even the thought of ensuring HIPAA compliance within your marketing efforts, don’t be. You can take some basic steps that will go a long way toward ensuring you accomplish your marketing goals while still maintaining patient privacy.

Start with these three efforts:

1. Turn an Eye Toward Your Website
In the past decade, health information-seeking has largely moved online. That transition sped up during the COVID-19 pandemic, as more people turned to health organization websites to gather information related to health services, COVID-19 precautions, and other health-related essentials.

There’s no doubt that an effective and meaningful website is essential for any health organization or practice in today’s world. It’s important to ensure your website is filled with information that meets patients and prospective patients where they are—online. But it’s also important that your website does so in a HIPAA-compliant way.

You probably recognize the fact that when you create content, you must seek patient authorization before sharing any details about their care. That’s a logical place to ensure HIPAA compliance.

Content creation, though, isn’t where most marketing-related HIPAA violations occur. Instead of revealing patient information when content is created, it’s much more likely that patient information is accidentally compromised when content is gathered.

Consider all the places on your website that ask a person to submit information. That could be a contact form, a sign-up form for an event or a tour of the maternity unit, a payment option, or even a chat bot.

In any instance where you’re asking someone to submit information on a healthcare website, even if the person is not identifying as a patient or giving specific information about a medical condition, that information constitutes Protected Health Information (PHI).

Obviously, gathering information related to patients and prospective patients is an essential part of marketing your services and getting those people the care they need. To collect information within the boundaries of HIPAA compliance:

  • Gain express written consent from the patient.
  • Verify that information is being submitted in a safe and encrypted way.
  • Identify who will retrieve that information and anyone who could potentially access it.
  • Ensure that the data is stored in a location or on a server that meets HIPAA standards.

It’s important to recognize that while password protection for PHI is a great first step, it’s not enough to meet the standards for HIPAA compliance. You should also verify the security of your server with your website host, and revoke credentials and access for anyone who does not have an essential need for the information. You should also implement a system that destroys information once it’s no longer needed.
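The consent, need-to-know access and destruction controls described above can be enforced in code at the point where form submissions are stored. The following is an added example, not code from the article or from Full Media; the purposes, roles, retention windows and sample submissions are constructed assumptions standing in for an organization’s real records schedule and access policy.

```python
"""Added example: a minimal store for website form submissions that
enforces three controls: consent must be recorded before a submission
is kept, only roles with an essential need may read a record, and
records are destroyed once they outlive their purpose's retention
window. Every name, role, retention period and sample record here is
a constructed assumption, not an organization's real policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed retention windows per collection purpose, in days.
RETENTION_DAYS = {
    "contact_form": 90,
    "maternity_tour_signup": 30,
}

# Assumed need-to-know map: which roles may read records for each purpose.
ACCESS_POLICY = {
    "contact_form": {"patient_access_coordinator"},
    "maternity_tour_signup": {"maternity_unit_scheduler"},
}


@dataclass
class Submission:
    record_id: str
    purpose: str
    collected_at: datetime
    consent_given: bool
    fields: dict  # submitted values; treated as PHI once stored


class SubmissionStore:
    def __init__(self):
        self._records = {}
        self.audit_log = []

    def ingest(self, sub: Submission) -> bool:
        """Keep a record only if consent was recorded and its purpose has a
        retention rule; otherwise discard it and log the reason."""
        if not sub.consent_given:
            self.audit_log.append(f"REJECT {sub.record_id}: no consent recorded")
            return False
        if sub.purpose not in RETENTION_DAYS:
            self.audit_log.append(f"REJECT {sub.record_id}: unknown purpose {sub.purpose}")
            return False
        self._records[sub.record_id] = sub
        self.audit_log.append(f"STORE {sub.record_id} purpose={sub.purpose}")
        return True

    def read(self, record_id: str, user: str, role: str) -> Optional[dict]:
        """Return the fields only if the caller's role has an essential need
        for that purpose; every attempt, allowed or denied, is logged."""
        sub = self._records.get(record_id)
        if sub is None:
            self.audit_log.append(f"DENY {user}({role}) read {record_id}: no such record")
            return None
        if role not in ACCESS_POLICY.get(sub.purpose, set()):
            self.audit_log.append(f"DENY {user}({role}) read {record_id}: not need-to-know")
            return None
        self.audit_log.append(f"ALLOW {user}({role}) read {record_id}")
        return dict(sub.fields)

    def purge_expired(self, now: datetime) -> list:
        """Destroy every record older than its retention window and return
        the ids that were removed."""
        expired = [
            rid for rid, sub in self._records.items()
            if now - sub.collected_at > timedelta(days=RETENTION_DAYS[sub.purpose])
        ]
        for rid in expired:
            del self._records[rid]
            self.audit_log.append(f"DESTROY {rid}: retention expired")
        return expired

    def count(self) -> int:
        return len(self._records)


def demo(now: Optional[datetime] = None) -> dict:
    """Run the three controls over constructed sample submissions."""
    now = now or datetime(2024, 6, 1, tzinfo=timezone.utc)
    store = SubmissionStore()
    samples = [  # constructed sample data
        Submission("s1", "contact_form", now - timedelta(days=10), True,
                   {"name": "A. Example", "phone": "555-0100"}),
        Submission("s2", "maternity_tour_signup", now - timedelta(days=45), True,
                   {"name": "B. Example", "email": "b@example.invalid"}),
        Submission("s3", "contact_form", now - timedelta(days=1), False,
                   {"name": "C. Example"}),
    ]
    stored = [store.ingest(s) for s in samples]
    allowed = store.read("s1", "jdoe", "patient_access_coordinator")
    denied = store.read("s1", "mktg1", "marketing_analyst")
    purged = store.purge_expired(now)
    return {"stored": stored, "allowed": allowed, "denied": denied,
            "purged": purged, "remaining": store.count(), "log": store.audit_log}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The audit log is the piece worth keeping: it is what lets you later show who retrieved a submission and when a record was destroyed, which is exactly the question an investigation asks after a suspected disclosure.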

2. Consider the Tools You Use to Gather Data
There’s no doubt about it—data and analytics play a vitally important role in any successful marketing strategy.

Most healthcare marketers use multiple tools to gather meaningful data about patients and prospective patients within their target audience. That opens up multiple avenues where potential HIPAA slip-ups can occur.

Think through the tools your organization uses, including:

  • Customer relationship management (CRM) tools
  • Digital analytics tools
  • Lead tracking tools (e.g., form builders or call tracking systems)
  • Patient or website surveys
  • Website user experience tools

If you’re relying on Google Analytics for data, there’s one safety mechanism already in place: Google aggregates and depersonalizes data sent through the platform. If you upload additional data, such as a customer list, into Google Analytics, though, you can run afoul of HIPAA.

When you’re using tools outside of Google, you’ll want to consider the types of information the tool is gathering for your organization and whether that’s considered PHI.

Because the boundaries of HIPAA can easily be blurred, it’s a good idea to choose data tools that are specifically designed for health organizations. Signing a business associate agreement (BAA) with any vendors is also a good way to help cover your bases.
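One practical way to act on the advice above is to inspect every analytics event before it leaves the site and strip anything that looks like an identifier or a health detail, so the tool only ever receives aggregate-safe data. The following is an added example, not code from the article or from any analytics vendor; the field names, regular expressions and sample events are constructed assumptions and do not reflect any real product’s schema.

```python
"""Added example: a guard that scrubs an outbound analytics event of
direct identifiers (email addresses, phone numbers) and of fields a site
never needs for aggregate analytics, and reports what it removed so the
offending form or page can be fixed. Field names, patterns and the
sample event are constructed assumptions, not a vendor's real schema."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")

# Assumed: parameter or field names that carry identifiers or health details
# and must never be forwarded to a third-party analytics tool.
BLOCKED_KEYS = {"name", "first_name", "last_name", "email", "phone", "dob",
                "mrn", "patient_id", "diagnosis", "condition",
                "appointment_reason"}


def scrub_value(value: str):
    """Redact identifier-shaped substrings; return (cleaned, findings)."""
    findings = []
    if EMAIL_RE.search(value):
        findings.append("email")
        value = EMAIL_RE.sub("[redacted-email]", value)
    if PHONE_RE.search(value):
        findings.append("phone")
        value = PHONE_RE.sub("[redacted-phone]", value)
    return value, findings


def scrub_url(url: str):
    """Drop blocked query parameters and redact identifiers in the rest."""
    parts = urlsplit(url)
    kept, findings = [], []
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in BLOCKED_KEYS:
            findings.append(f"query:{key}")
            continue
        cleaned, found = scrub_value(val)
        findings.extend(f"query:{key}:{x}" for x in found)
        kept.append((key, cleaned))
    return urlunsplit(parts._replace(query=urlencode(kept))), findings


def guard_event(event: dict):
    """Return (safe_event, findings); findings is empty if nothing changed."""
    safe, findings = {}, []
    for key, value in event.items():
        if key.lower() in BLOCKED_KEYS:
            findings.append(f"field:{key}")
            continue
        if key == "page_url" and isinstance(value, str):
            value, found = scrub_url(value)
            findings.extend(found)
        elif isinstance(value, str):
            value, found = scrub_value(value)
            findings.extend(f"field:{key}:{x}" for x in found)
        safe[key] = value
    return safe, findings


# Constructed sample event: a contact-form submission whose page URL and
# free-text field both leak identifiers, plus a field that should never
# reach an analytics tool at all.
SAMPLE_EVENT = {
    "event": "form_submit",
    "page_url": "https://clinic.example/contact?utm_source=fb&email=pat@example.invalid",
    "form_message": "Call me at (423) 555-0199 about my appointment",
    "diagnosis": "example condition",
}


if __name__ == "__main__":
    cleaned, report = guard_event(SAMPLE_EVENT)
    print(cleaned)
    print("removed:", report)
```

Treat a non-empty findings list as a bug report for the site, not just something to silently drop: an email address in a query string usually means a form or a link is putting submitted data into the URL, where it would also land in server logs and referrer headers.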

3. Think Through Your Lead Generation Efforts
While the other two tips relate directly to tools and the information-gathering process, this one relates to what’s done with that data and information after it’s collected.

Part of your role as a healthcare marketer involves providing people with meaningful information about protecting their health, but there’s another key component tied to your efforts: whether or not your marketing content is driving revenue.

To determine whether your marketing strategy is offering a solid return on investment, you must be able to trace the path of the patients who reached you through it. This requires a careful look at the data related to those patients and typically also includes collaboration with others about patient leads.

If you’re working with people outside your health organization to solidify your lead generation efforts, such as a marketing agency, you’re likely sharing a good bit of information with them. Even information you might not think of as PHI, such as a phone number linked to a name, can be considered PHI under HIPAA.

That means it’s important to not only ensure your team is well-versed in HIPAA compliance, but that those you work with externally are as well.

The best way to do that? Work with a HIPAA-compliant marketing agency through a business associate agreement, or BAA. This verifies that your marketing partner knows how to properly steward the PHI you’re sharing and ensure private patient information remains private. There’s an added benefit, too: this type of relationship also helps to protect your organization by carefully assigning responsibility and liability for any breaches—accidental or otherwise—that may occur.

About the Author
Rachael Sauceman is the Head of Strategic Initiatives for Full Media, a Chattanooga, Tenn.-based digital marketing agency specializing in health care. Full Media offers a full spectrum of HIPAA-compliant digital marketing capabilities within the healthcare space, including website design, online advertising, SEO, patient experience optimization, and analytics.