The Healthcare Marketer’s Guide to Navigating HIPAA Compliance

The Healthcare Marketer’s Guide to Navigating HIPAA Compliance

Are you struggling to implement an efficient healthcare advertising and marketing technique that’s HIPAA-compliant? You’re removed from alone. It’s the wide-reaching minefield of laws — like HIPAA compliance for affected person knowledge safety — that brought about healthcare to lag behind different industries that shortly tailored fashionable digital advertising and marketing methods.

Moderately than navigating these complexities, many healthcare organizations follow conventional advertising and marketing channels like TV, radio, and print adverts, dropping out on the digital alternative to ship their advertising and marketing message on to the best individual. Others make the error of utilizing out-of-the-box advertising and marketing software program, which may result in HIPAA compliance points.

It’s loads to contemplate. That’s why we’ve compiled this Healthcare Marketer’s Information to Navigating HIPAA compliance.

Please observe: This text just isn’t meant to offer authorized recommendation and shouldn’t be relied upon for such functions. Organizations topic to HIPAA limitations ought to at all times seek the advice of with their authorized groups to evaluate the dangers related to any of the instruments or techniques talked about right here.


What Is HIPAA Compliance and Why Is It So Essential?

HIPAA stands for the Well being Insurance coverage Portability and Accountability Act, which was handed in 1996. It dictates how healthcare business organizations could lawfully retailer, share, handle, and report sufferers’ protected well being data (PHI).

The U.S. Division of Well being and Human Companies HIPAA Privateness Rule states that any group that gives healthcare therapies, cost administration, or operations is taken into account a HIPAA “lined entity” — as are their “enterprise associates.” HIPAA defines a enterprise affiliate as any individual or entity that gives companies to a lined entity that requires the disclosure of protected well being data (PHI). Meaning software program firms that retailer, share, or have entry to PHI have to be HIPAA-compliant — or lose healthcare purchasers.

In a nutshell, HIPAA merely requires that you just:

  • Put safeguards in place to guard affected person well being data
  • Fairly restrict makes use of and sharing to the minimal essential to perform your meant goal
  • Have agreements in place with any service suppliers that carry out lined capabilities or actions for you
  • Have procedures in place to restrict who can entry affected person well being data, and implement a coaching program for you and your workers about tips on how to defend your affected person well being data


What Is Protected Well being Data (PHI)?

Protected well being data (PHI) is well being data contained in any bodily report, together with well being histories (diagnoses and coverings), lab check outcomes, and medical payments. PHI that’s created, saved, or transmitted electronically known as ePHI.

The HIPAA Journal defines PHI as “individually identifiable data regarding the previous, current, or future well being standing of a person that’s created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the supply of healthcare, cost for healthcare companies, or use in healthcare operations.”

Protected well being data contains a number of of the next identifiers:

  • Full title or final title and preliminary and gender
  • Geographical identifiers smaller than a state
  • Dates (apart from yr) immediately associated to a person
  • Telephone numbers (of affected person and emergency contact)
  • Fax numbers
  • E mail addresses
  • Social Safety numbers
  • Medical report numbers
  • Medical health insurance beneficiary numbers
  • Account numbers
  • Certificates/license numbers
  • Car identifiers (serial numbers and license plate numbers)
  • Gadget identifiers and serial numbers
  • Net uniform useful resource locators (URLs)
  • Web protocol (IP) handle numbers
  • Biometric identifiers (finger, retinal, and voice prints)
  • Full-face photographs
  • Some other distinctive figuring out quantity or code (besides the distinctive code assigned by the investigator to code the information)

As soon as these identifiers are eliminated, the knowledge is taken into account de-identified and isn’t topic to the restrictions of the HIPAA Privateness Rule.


What Data Is Not Thought-about PHI?

The Division of Well being and Human Companies additionally outline what just isn’t thought of PHI:

  • Communication a couple of health-related service or product that’s offered by or included in a plan of advantages of the lined entity (CE) making the communication. For instance, as are allowed to tell purchasers {that a} new therapy or facility is coming quickly.
  • Communication that’s a part of a therapy plan — prescription refill reminder or a lab check referral — just isn’t thought of advertising and marketing and doesn’t require sufferers’ approval.
  • Communication that’s a part of care coordination, like an alternate supplier or therapy suggestion, just isn’t thought of advertising and marketing.


How Does HIPAA Compliance Have an effect on Your Advertising and marketing Campaigns?

The U.S. Division of Well being and Human Companies’ HIPAA Privateness Rule defines advertising and marketing as:

  • “… a communication a couple of services or products that encourages recipients of the communication to buy or use the services or products.”
  • “… an association between a lined entity and some other entity whereby the lined entity discloses PHI to the opposite entity, in change for direct or oblique remuneration, for the opposite entity or its affiliate to make a communication about its personal services or products that encourages recipients to buy or use that services or products.” There aren’t any exceptions to this second half.

For instance, if a affected person is on Warfarin and a reminder is shipped to the affected person to refill the prescription, it’s not thought of advertising and marketing and doesn’t require a launch by the affected person so long as the pharma firm doesn’t pay for the communication.

Nonetheless, if Bristol Meyers Squibb needs that affected person to strive its new anticoagulant, Eliquis, the affected person would wish to signal an authorization permitting advertising and marketing communication to be despatched.

You’ll must receive a affected person’s written authorization earlier than utilizing or disclosing PHI for advertising and marketing functions or on the market to a 3rd celebration. This implies utilizing opt-in e mail seize varieties and never “assuming” it’s okay to market to a affected person simply because you’ve their e mail handle on file.

Additionally, any healthcare supplier you do advertising and marketing for (a lined entity) can not promote PHI to a enterprise affiliate or a 3rd celebration for use for that celebration’s personal self-interest with out expressed authorization from every affected person. Yow will discover a full listing of essential authorizations right here: 45 CFR 164.508.


Why Your Healthcare Shoppers Want HIPAA-Compliant Software program

In response to the HIPAA Journal, the aim of HIPAA compliance software program is to information HIPAA-covered entities or enterprise associates to develop into and stay HIPAA-compliant whereas following the HITECH Act Guidelines. Compliant software program additionally helps firms doc all good-faith efforts to conform.

That is to guard a healthcare firm that could be audited by the HHS’ Workplace for Civil Rights (OCR) or state attorneys normal over an information breach. The software program additionally helps prepare employees and implement technical, bodily, and administrative safeguards. Investing in HIPAA-compliant software program is crucial on your healthcare group, as even small offenses can result in fines wherever from $100 to $50,000. In 2020 alone, healthcare firms paid as a lot as $4.3 million in HIPAA penalties.


Implementing a HIPAA-Compliant Healthcare Advertising and marketing Technique

Though healthcare advertising and marketing tech lags behind that of different industries, sufferers nonetheless count on dynamic digital experiences. A CDW Company Healthcare survey discovered that 89% of sufferers need easy, seamless entry to their private well being data. And 98% are comfy speaking with suppliers digitally — by way of texting, cellular apps, on-line chats, or dwell video.

No matter your healthcare digital advertising and marketing technique sort, there are steps you may take to reduce your threat of a HIPAA compliance breach.


First: Reduce your threat of a HIPAA compliance breach

Develop a PHI use coverage that features SOPs for:

  • Coaching your advertising and marketing departments commonly to verify they perceive HIPAA necessities
  • Clarifying who has entry to PHI and for what goal, then monitoring it commonly
  • Documenting your advertising and marketing campaigns with clear reasoning for why PHI is included
  • Guaranteeing there’s a clear means for sufferers to opt-in and opt-out of receiving advertising and marketing communication
  • Monitoring the implementation of the coverage

If you wish to market to any affected person utilizing knowledge from their PHI, you need to safe their authorization. This implies offering easy-to-use opt-in e mail seize varieties to substantiate {that a} affected person approves your use of their e mail handle to ship communications and promotions.


To ship a compelling HIPAA-compliant digital expertise, comply with these methods:


Implement HIPAA Compliance for E mail Advertising and marketing

E mail advertising and marketing remains to be one the best methods to spice up your healthcare advertising and marketing ROI. In truth, in response to a HubSpot survey, e mail advertising and marketing campaigns generate $38 for each greenback spent — that’s a 3,800% ROI.

The Federal Commerce Fee’s (FTC) Bureau of Shopper Safety gives a CAN-SPAM Act compliance information for e mail entrepreneurs to comply with when implementing campaigns.

  • Make it simple on your e mail recipients to unsubscribe
  • Embody a mailing handle the place they will write to you
  • Determine the enterprise that’s sending the e-mail within the e mail’s “from,” “reply to,” and “routing data” sections
  • Clarify the e-mail’s content material within the topic line
  • Clearly and conspicuously establish your message as an commercial
  • Don’t create any emails utilizing PHI with out expressed consent from sufferers
  • Encrypt each e mail that incorporates any sort of PHI (together with title or e mail handle) to make sure solely you and the recipient have entry to the content material
  • Be certain that servers storing e mail knowledge with PHI are additionally encrypted with off-site backup


Implement HIPAA Compliance for Social Media

Social media helps have interaction sufferers in their very own care by shortly speaking crucial details about companies, check outcomes, and the newest situation and therapy analysis. Statistics reported by Pew Analysis Heart present that roughly 72% of web customers search healthcare data on-line, typically on social media.

Observe the following tips to make sure your social media technique follows HIPAA compliance:

  • Don’t share social posts or adverts that characteristic PHI with out getting expressed consent
  • Be certain employees members aren’t posting follow photographs and by chance sharing PHI; to be secure, use inventory images
  • Create a social media technique that paperwork what group members can and can’t publish, then comply with up with coaching periods to make sure HIPAA compliance
  • Arrange controls to flag any key phrases or phrases which may point out a HIPAA compliance breach earlier than posting


Implement HIPAA Compliance for Web sites

Your web site is the inspiration of your healthcare advertising and marketing technique — make certain it’s safe and user-friendly. To stay nimble within the web’s ever-changing panorama, the language round HIPAA laws for web sites is commonly deliberately obscure.

full media recommends following the following tips for guaranteeing HIPAA compliance in your web site:

  • Retailer all net varieties, contact varieties, and appointment knowledge on an encrypted server with off-site backup
  • Buy and implement an SSL certificates on your web site
  • Guarantee all net varieties in your web site are encrypted and safe
  • Solely ship emails containing PHI via encrypted e mail servers
  • Associate with web-hosting firms which might be HIPAA-compliant
  • Signal a BAA with third events which have entry to your affected person’s PHI
  • Be certain that PHI is just accessible to licensed people
  • Set up processes to delete, backup, and restore PHI as wanted
  • Submit a HIPAA privateness coverage in your web site
  • Appoint a HIPAA compliance officer to observe and keep your coverage


Digital Advertising and marketing Instruments for HIPAA-Compliant Entrepreneurs

There are such a lot of healthcare advertising and marketing platforms to select from that it might be fairly time-consuming to substantiate HIPAA compliance for each you’re contemplating. That’s why we’ve compiled an inventory of examined software program that may assist improve your healthcare advertising and marketing technique.


HIPAA-Compliant Analytics and Reporting Instruments

Although there are different strong platforms to select from, Google Analytics is the one healthcare business professionals nonetheless rely upon. When utilizing the software “out of the field,” you’ll want to switch it to fulfill HIPAA compliance and guarantee no unauthorized PHI is being collected. When your web site visitors hits a chosen stage, you’ll wish to keep away from accumulating “sampled” knowledge by upgrading to Google Analytics 360, which would require you to re-modify for HIPAA compliance.

Earlier than you push knowledge out of your varied sources right into a enterprise intelligence software, strive combining them in Google’s Huge Question. That is an easy-to-use answer that permits you to be part of, scrub, and normalize your knowledge in order that whenever you import it right into a enterprise intelligence software like Energy BI, you may instantly start visualizing and analyzing it.

Amazon Redshift is an analogous “knowledge warehouse” sort software like BigQuery. Although it’s not HIPAA-compliant out of the field, it’s HIPAA-compliance eligible, which implies you’ll should configure it for healthcare business laws. You’ll must overview person permissions and hold a log of everybody who accesses it to make sure that all knowledge is saved and encrypted correctly.

In case you’re on the lookout for knowledge storage and reporting software, think about Energy BI, Microsoft’s HIPAA-compliant enterprise intelligence software program which is included within the worth of Microsoft’s 365 Enterprise Suite.


HIPAA-Compliant Advertising and marketing Automation Instruments

Utilizing software program to nurture gross sales leads and personalize advertising and marketing content material will prevent time and vitality. You’ll must put money into a HIPAA-compliant advertising and marketing automation system that permits you to retailer PHI in a compliant method so you may personalize your advertising and marketing automation campaigns (newsletters, emails, new service bulletins) to your personas’ wants and habits.
Search for a advertising and marketing automation software that permits seamless engagement throughout audiences, personalised conversations, efficiency insights to direct your spending, and naturally, HIPAA compliance to maintain all PHI knowledge safe. These platforms all match the invoice:

  • Affected person Pop
  • Hold
  • Affected person Acquire
  • Marketo Interact
  • Energetic Marketing campaign (enterprise bundle solely)


HIPAA-Compliant Web site Instruments

Your web site will want an appointment administration platform, a healthcare-specific scheduling software with a easy person interface, and affected person acquisition monitoring (monitoring marketing campaign conversions with Google Analytics tags is useful).

To trace type submissions, you may implement CallRail, a submission software that tracks your calls and emails in the identical interface. The FormStack software gives healthcare-specific templates to arrange varieties for lead technology, affected person acquisition, or gear ordering. You may also gather affected person data via Jotform’s HIPAA-compliant varieties.

To optimize your person expertise, think about Visible Web site Optimizer (VWO), which could be configured to be HIPAA-compliant. VWO options detailed directions for gathering qualitative knowledge about your guests’ web site use and allows you to run A/B exams to enhance your conversion charges.

In case you’re growing functions, True Vault is an app-developer-friendly answer to HIPAA compliance. The platform combines a safe and compliant healthcare API and knowledge storage to attach, energy, and safe healthcare apps, assembly the technical and bodily safeguards mandated by HIPAA.


HIPAA-Compliant CRM Instruments

After doing loads of analysis and testing, has compiled this listing of a number of the greatest HIPAA-compliant CRM software program available on the market:

  • Salesforce Well being Cloud — greatest healthcare CRM software program general
  • Zendesk — greatest healthcare CRM answer software program for customer support
  • Pipeline — high medical CRM software program for affected person acquisition
  • Leadsquared — greatest HIPAA-compliant CRM software program
  • IMS —good physician CRM instruments for EHR administration
  • OperaDDS — high CRM software program for dentists
  • PatientPop — good healthcare CRM answer for e mail automation
  • HIPAA CRM — good cloud-based healthcare CRM for HIPAA compliance
  • Healthgrades — high healthcare CRM contact middle answer
  • PlayMaker Well being — high healthcare CRM for enterprise intelligence
  • Enquire’s CRM — faucets into Microsoft’s spectacular safety knowledge

Constructed particularly for HIPAA compliance, MedChat is one other chatting and messaging software that leverages AI and machine studying to optimize two-way texting, web site chatting, and automatic appointment reminders.


HIPAA-Compliant Social Media Techniques

HIPAA prohibits the usage of PHI on social media networks — together with textual content about sufferers in addition to photos or movies that might establish the affected person — until they’ve given consent in writing. In case your healthcare advertising and marketing concepts embody Google and Fb advert campaigns, don’t count on these platforms to guard PHI.

Fb, Instagram, Twitter, Linked In, and Yelp are usually not HIPAA-compliant as a result of they won’t signal a enterprise affiliate settlement (BAA) with lined entities. Nonetheless, you could possibly use the platforms in a HIPAA-compliant method when extra disclosures and privateness instruments are applied.

For instance, the Facilities for Medicare and Medicaid Companies dominated in 2018 that their use of the Fb pixel, together with for the needs of retargeting, was absolutely compliant with all PHI laws by offering customers with the flexibility to choose out. CMS is a division of the U.S. Division of Well being and Human Companies, which serves because the unofficial regulator for HIPAA enforcement.

In 2020, each Apple and Google introduced vital updates to their platforms that will restrict advertisers’ capacity to trace customers throughout web sites and gadgets. As these modifications go dwell, we count on to be taught extra about how they might assist defend PHI. Till then, with out these stringent safety measures and express, written permission from customers, the usage of pixels from Fb and different third-party suppliers is dangerous for anybody topic to HIPAA compliance. Any suppliers who wish to use these instruments ought to work with an legal professional specializing in HIPAA compliance to precisely assess their dangers and limitations.


HIPAA Compliance E mail Advertising and marketing Instruments

So long as you abide by the CAN-SPAM Act, receive prior authorization from sufferers, and leverage a HIPAA-compliant platform, you should use e mail advertising and marketing to develop your small business and enhance affected person outcomes. The one e mail system that options HIPAA compliance is Paubox.

Paubox Advertising and marketing permits recipients to view advertising and marketing emails like common emails with out counting on outdated portal notifications that are horrible for the recipient. You need to use it to phase and ship a safe e mail (together with PHI) to extend engagement and construct your small business whereas remaining HIPAA-compliant.

Paubox recommends that earlier than you add a brand new title to your subscriber listing:

  • Ask your sufferers for written authorization to obtain advertising and marketing emails
  • Remind them why they initially opted-in (for care coordination, to get refill reminders, promotional presents, or low cost coupons, or to get information about your follow
  • Provide an easy-to-use unsubscribe possibility

For affected person polling and persona analysis, strive utilizing the intuitive and HIPAA-compliant SurveyMonkey. It can can help you ship questionnaires or surveys to sufferers or prospects and gather knowledge. is a sturdy software for managing location listings, on-line critiques, and social media. This platform manages your location and doctor profiles, updates and pushes out modifications to bios, secures affected person critiques, and manages your social media — all with HIPAA compliance help.


The Dos and Don’ts of HIPAA Compliance

Earlier than creating and executing your advertising and marketing plan, make sure you’re abiding by these pointers.



  • Share normal details about the therapies you present and any healthcare information that sufferers may use to draw new leads
  • Share new certifications {and professional} honors your care group has earned
  • Get your sufferers’ permission earlier than inserting them on an e mail listing that may require disclosure of or reference to their PHI
  • Work with a healthcare advertising and marketing company that’s versed in HIPAA compliance
  • Verify all of your advertising and marketing and social media marketing campaign photos to make sure that they don’t include PHI to forestall fines



  • Point out any affected person by title or disclose any figuring out data in your campaigns
  • Enable your employees to take images inside your workplace that might reveal or expose PHI — even laptop displays that could be displaying it within the background
  • Accumulate patient-specific data on social media websites — they don’t seem to be encrypted or arrange for HIPAA compliance
  • Work with non-HIPAA-compliant advertising and marketing firms or distributors
  • Describe particular sufferers on social media — even should you change their names
  • Ship your sufferers emails regarding their PHI with out their specific written permission — even encrypted emails could be intercepted


For extra strong safety, the HIPAA Journal affords this compliance guidelines:

  1. Decide which annual audits and assessments are relevant to your group
  2. Conduct the required audits and assessments and doc any deficiencies
  3. Implement your remediation plans and replace them yearly
  4. Appoint a HIPAA Compliance, Privateness, and/or Safety Officer
  5. Conduct and doc annual HIPAA coaching for all group members
  6. Carry out due diligence on enterprise associates yearly
  7. Overview processes for reporting breaches to Well being and Human Companies

Hold your employees educated on tips on how to lawfully entry and use affected person PHI in addition to tips on how to discover third-party distributors who excel at HIPAA compliance schooling.


Leave a Reply