HIPAA Compliance 101: Digital Marketing Strategies for Healthcare
June 19, 2019
By Kristen Deyo
Friendly reminder: We are not attorneys and this should not be interpreted as legal advice. Please seek legal your own legal counsel for all compliance matters.
For healthcare industry professionals and marketers, there is perhaps nothing as top of mind as compliance. Understanding healthcare marketing and the importance of complying with strict regulations and industry guidelines is a necessity for healthcare marketers.
But with 89 percent of consumers turning immediately to an online search engine when they’re looking to answer their healthcare queries, how can healthcare marketers leverage their digital footprints and social media channels to grow their patient base? Here are some strategies to help you maximize your marketing efforts while ensuring HIPAA compliance.
What Is HIPAA?
In 1966, U.S. Congress passed the Health Information Portability and Accountability Act (HIPAA). This legislation “provides data privacy and security provisions for safeguarding medical information.” The HIPAA Privacy Rule gives individuals important control over how their protected health information is used and disclosed for marketing purposes. A couple things worth noting about HIPAA:
- Under HIPAA, a patient’s expressed consent is required before a hospital or health plan can market products or services that are outside of the patient’s treatment or benefit plan. This includes contractors and/or business associates.
- Hospitals can “communicate with patients about health services that are included in, or add value to, the member’s plan.”
Cost of Non-Compliance
The truth is, HIPAA violations are expensive. In fact, it is estimated that last year alone, healthcare companies paid as much as $4.3 million in penalties from HIPAA infractions. The penalties for noncompliance can range from $100 to $50,000 per infraction, with a maximum penalty of $1.5 million per year depending on the level of negligence. In some more extreme cases, violations can also carry criminal charges that can result in jail time.
With the HIPAA stakes being so high, it is important for organizations to do their research and consult legal counsel if they have any questions. There are also a number of HIPAA compliance partners that work with healthcare marketers directly to ensure that their efforts are compliant.
HIPAA Compliant Marketing Strategies for Healthcare Marketers
Although healthcare marketing often lags behind that of other industries, patients want a better digital experience from healthcare organizations. In fact, in a CDW Healthcare survey, it was estimated that 89 percent of patients want easier, seamless access to their personal health records. And they’re willing to do so digitally—98 percent say they are comfortable communicating with providers via technology whether it be texting, mobile apps, online chats, or live video. So, as a healthcare marketer, how can you deliver a compelling digital experience and remain HIPAA compliant? Here are some strategies:
HIPAA Email Marketing
Email marketing is a powerful channel for driving real business results and achieving measurable ROI. In fact, according to Sikich, 70 percent of digital marketers see email as the top medium for ROI, yielding a 4,400 percent ROI and $44 for every $1 spent. Follow these tips for HIPAA compliant email marketing:
- Don’t create any emails or email campaigns using patient information or Personal Health Information (PHI) of any kind without obtaining expressed permission first.
- If you use a third-party email marketing tool or platform, ensure that it is also HIPAA compliant.
- Encrypt every email sent to patients containing any type of PHI (including name or email address). Emails must be encrypted, which means that only the sender and recipient have access to the email’s contents.
- Ensure that any servers that store emails or email data containing PHI are also encrypted with off-site backup.
HIPAA Social Media
There are many benefits to be gained from using social media in healthcare. Social media allows healthcare organizations to engage with patients and get them more involved in their own healthcare. Healthcare organizations can also easily communicate important messages or information about new services with expediency.
Statistics reported by Pew Research Center show that approximately 72 percent of internet users have been found looking for healthcare information online, including social media. Here are some things to consider for HIPAA compliant social:
- Much like email, it is important that your social posts or ads do not use any patient information or PHI of any kind without expressed consent.
- When using images on social media, make sure staff members are not taking photos within the practice that could lead to PHI being shared by accident. To keep things safe, stick with relevant stock photography.
- Create a well-documented social media strategy that clearly outlines what team members can and cannot post. Hold routine training sessions to ensure your team is aware of best practices and can ask any questions they may have.
- Set up controls to flag any keywords or phrases that might indicate HIPAA non-compliance before posting so that your team has a chance to review beforehand.
- Create benchmarks and metrics that will help your team measure whether or not your social media efforts have been successful. Use that data and insights to refine your efforts as you go.
Your company’s website is its digital business card—the cornerstone of your digital marketing strategy. If you’re wondering whether or not your website needs to be HIPAA compliant, ask yourself the following questions:
1. Are we collecting any PHI data on our website via forms?
2. Are we storing any PHI data connected to our company website?
3. Are we transmitting any PHI data through our website?
If you answered “yes” to any of these questions, then you need to seriously think about HIPAA compliance for your website. Here are some great HIPAA compliant website tips from Compliancy Group:
- Be sure to encrypt any data gathered on your website. This includes: web forms, appointment requests, and contact forms. HIPAA compliant CRM software solutions can help big-time here!
- When collecting data containing sensitive PHI, you should make sure that data is stored on an encrypted server with off-site backup.
- Appoint a compliance officer or have your compliance team involved in the process.
- Make sure your website is SSL protected. This networking protocol helps ensure that data passed between client and server authentication is encrypted at all times.
When it comes to HIPAA compliance, it really is better to be safe than sorry. Having said that, there are lots of ways healthcare marketers can stay on the cutting edge of marketing and leverage their digital footprint to attract new patients and deliver the type of tailored experience they expect while still remaining compliant.
Are you a seasoned healthcare marketer? Let us know your tips and best practices by tweeting us at @smartbugmedia.
About the author
Kristen Deyo is a Director of Marketing Strategy at SmartBug based in Kingston, Ontario, Canada. She has 8+ years experience developing strategies for primarily B2B SaaS/technology companies and hyper-growth startups. She holds degrees from Queen's University (Cha'Gheill!) and the St. Lawrence School of Business. When not digitally plugged in, you can find her enjoying a good happy hour or planning her next adventure. Read more articles by Kristen Deyo.