Tuesday, January 26, 2016

Healthcare Marketing that is HIPAA Compliant

The marketing strategies that the healthcare industry uses to acquire new patients have been evolving alongside government regulations and marketplace trends in the past few years.

For example, prior to the creation of healthcare exchanges, consumers had few options to choose from when it came to their health insurance; based on your circumstances, you chose one of the plans your employer offered or were part of Medicare or Medicaid.

Healthcare Marketing for HIPAA Compliance

Fast forward to 2016 and many consumers are using search engines, like Google or Bing, to find health insurance options and providers that better fulfills their needs — and fit within their budget. This shift has forced the healthcare marketing industry to change their tactics in order to keep their product/services in front of prospective patients.

By using local online marketing tactics, such as email, social media and search engine optimization, for your healthcare organization, you will reach a new, empowered group of patients who will take action based on their Internet research. If you aren’t using Internet marketing to reach this group of patients in your practice area, these patients aren’t finding you and are, most likely, choosing your competitor.

Most healthcare marketing tactics that providers use will not involve the use of patient (existing or potential) data. However, you should still be aware of where the public data line ends and private data starts so you are positive your healthcare marketing is HIPAA compliant.

Keep reading for the steps your healthcare organization should follow in order to be HIPAA compliant and maintain the protection of private patient data, while growing your practice through Internet marketing.

Healthcare digital marketing data components

When using Internet marketing to reach prospective patients, your healthcare practice can collect certain types of data to help create a stronger connection (and thus, more effective marketing).

Data that you collect through online forms, email communications or social media interactions is usually very basic (i.e.: name, email address, phone number). Prospective patients or current patients are filling out these forms to receive something in turn that is marketing oriented and not focused on their relationship with your organization or their healthcare interactions with your organization.

When prospective or current patients fill out forms on your website, they expect to receive something in return — usually a follow up from your office. Since the information a patient is providing you is “marketing-oriented,” and has nothing to do with their relationship with your practice, you can use this information to contact them.

Can private healthcare data be used in online marketing?

In a word, no.

Not only can you not use private patient data in digital marketing for your healthcare company, but you also need to take steps to ensure this never happens. Practices that break HIPAA’s rules face penalties, from losing their license to jail time.

The easiest way to ensure that private patient data isn’t accidently used in your digital marketing is to use two separate systems that manage the data. For example, if your organization uses a customer relationship management software (CRM) for scheduling appointments, you need to make sure this software isn’t linked to the software that contains your patients private health data and records.

For example, at LocalVox we use a system called Salesforce that manages our current client information. To collect information from prospective customers, we use a different software system. While the two systems can speak to each other, we keep the information separate. By keeping the systems separate, we ensure that people filling out our website forms are new prospects, not existing clients.

While LocalVox’s industry (SaaS) is clearly different than healthcare, keeping client information private and secure is a priority for both.

When do HIPAA compliance issues arise?

When your digital marketing efforts involve Protected Health Information (PHI), you enter murky waters. I recommend reading the code in its entirety, but I’ll break down what it says for you.

PHI has two critical elements:

  1. Data must be individually identifiable, specifically referring to last name, address, dates associated with a patient’s health, telephone number, email address, social security number, health plan, medical record number, fingerprints, voiceprints or photographs.
  2. The data must be health-related information which includes any information related to past, present or future physical or mental health, the care a patient received and any payment associated with that care.

For PHI issues in compliance to occur, data must be used from both elements.

Confusing enough? If you feel like you are entering into a non-compliance zone, the simple answer is to scrap the digital marketing campaign in question. However, that doesn’t stop campaigns from feeling like they could be riding the line of legal and illegal, so I’ll offer a few examples.

Scenario #1

When creating your email list to send to current clients, you collect emails in two places: on your website and in a form in the office.

On the website and in the form you state that patients aren’t required to share this information and it will be used solely for marketing purposes. You don’t ask for any sort of private patient information and state that the email is not necessary for patients to share. You also state that this information will be used for marketing purposes and do not ask for this information on any form taking private patient information.

This email list creation is compliant with HIPAA and can be used to send new information to patients who signed up.

Scenario #2

You have a famous client from your local NFL team and you want to promote the fact that you are his healthcare provider.

You want to share the fact that the NFL player is a patient of yours on your social media accounts, in hopes that it will add credibility to your practice and bring in new patients.

Since you didn’t ask the NFL player for permission to share this information on social media or receive any form of signed consent, this is an illegal use of your patient’s private data.

While it is flattering to have a celebrity in your practice, at the end of the day they are a person and covered by HIPAA. The UCLA Medical Center got into a lot of trouble when staff members leaked private patient information to the media (a blatant violation of HIPAA, not to mention how unethical it was). As a healthcare provider, if you can’t keep a celebrity’s private information confidential, don’t accept them as a new patient.

Scenario #3

Your healthcare organization has a lot of chronic Lyme disease patients and you want to create a support group newsletter specifically for them. Many of your patients have already gone to your website and signed up for the newsletter. When you mention it during appointments, others express interest in receiving the newsletter.

Healthcare marketing HIPPA compliant newsletterYou compile the email list from those who signed up online and those who said they were interested in their last appointment.

Half of this scenario is HIPAA compliant (website) and the other half violates HIPAA (verbal).

While a patient may verbally indicate interest to you, they did not give you written consent to include them in this newsletter.


Successful healthcare marketing is entirely possible without sharing private patient data, but still using health information to attract new patients. By taking safety precautions in all steps of receiving potential patient or current patient data, you can make sure your organization’s marketing efforts are following HIPAA rules.

Start connecting with potential patients with the help of LocalVox, which can help you push out marketing material consumers in your area with the click of a button. Easily manage the messages you are using to guarantee no PHI is being used in marketing activities, protecting your organization and the patients which visit it.

subscribe to our blog

The post Healthcare Marketing that is HIPAA Compliant appeared first on LocalVox.

1 comment: