Hip, HIPAA, Hooray – Keeping Your Digital Marketing Compliant

HIPAA has long been the privacy protection measure for health-related information. This effort has been widely known as applicable to printed documentation or verbal disclosures, but now the requirement to comply has moved online.  As we move more and more to a digital platform, health care providers and marketers must ensure that their digital marketing campaigns are competitive, relevant, and, most importantly, in compliance with HIPAA guidelines. A 2018 study reports that 80% of participants said they had used the internet to do a healthcare-related search in the previous year. This trend will only continue, so how can you maximize your marketing while ensuring that you are HIPAA compliant? Our team is here to help you get started.

What Is HIPAA?

The Health Insurance Portability and Accountability Act, or HIPAA, was enacted  in 2002 to protect workers’ health insurance coverage when they change or lose their jobs. In the health industry, HIPAA is primarily concerned with safeguarding health data, integrity, confidentiality, and availability.

Who Is Required to Comply With  HIPAA?

It is common knowledge that medical providers must adhere to  HIPAA rules. However, medical providers are not alone, and medical business associates are also required to follow HIPAA. Business associates are defined as any person or organization other than a member of a covered entity’s workforce using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. As related to  marketing, this includes websites, CRMs, and marketing agencies.

Is Your Website HIPAA Compliant?

In today’s healthcare industry, the most considerable attribute of a successful digital marketing strategy is a quality website. But, is it necessary for your website to be HIPAA compliant? How do you determine if you are following HIPAA requirements?

Here are a few questions to ask yourself.  

• Does your website collect any personal medical information, such as diagnosis, disorders, or health concern data through your forms? 
• Do you store that personal information data on your website? 
• Do you transmit any of that personal information data through your website? 

If you answered yes to any of these questions, then you need to consider HIPAA compliance for your website. 

Forms on your website are among the most critical aspects of a healthcare provider’s website and therefore need delicate care. The most common types used are appointment requests and contact forms. 

To be HIPAA compliant, any data gathered from your website must be encrypted.  Data should be stored on an encrypted server with off-site backup. You can establish an encrypted link between your server and your client using your website’s Secure Socket Layer (SSL). This measure ensures that any data passed between the client and the server remains encrypted at all times.

HIPAA Compliant Email Marketing 

Email marketing is an effective strategy to keep clients engaged. However, when the product is their health, how do we ensure our marketing complies with HIPAA? 

The first step in ensuring your email marketing is HIPAA compliant is verifying that your email list contacts have opted-in to receive marketing emails from your company. A simple way to ask for opt-ins is to create a “Sign-up for emails” section on your website or forms. If your contacts have requested not to receive emails or opt-outs, it is crucial to add them to a separate contact list labeled “do send marketing emails.”

According to the U.S. Department of Health and Human Services, a wellness department creating communication that merely promotes health in a general manner is acceptable. When you create an email campaign or email, be sure not to include any of the patient’s information without obtaining their written permission first. General health promotion materials include reminding patients about annual check-ups, providing information about new industry developments, support groups, or health fairs. 

To ensure that every email is HIPAA compliant, encrypt any email containing personal information, including an email address with an off-site backup. This allows only the sender and recipient access to the email contents.

Social Media Marketing and HIPAA

When HIPAA was first enacted in 2002, social media was not such a consideration. Social media can be a great tool to engage and connect with current and potential patients, but social media should be utilized with a veil of caution. Be sure to follow these few tips to make sure your social media is always HIPAA compliant. 

Campaign Targeting on Social Media

For any business, a majority of your audience reach can result from advertising campaigns. It can seem easy to create a target audience based on the information you have received from potential clients.  Similar to email, you want your advertising target audience to be more of a general target audience. Advertising to a specific audience because of their medical information such as diagnosis or disorders is a violation of HIPAA. For that reason, it is smartest to target off general interest.  

Pictures on Social Media

Pictures posted on social media are one of the most common ways to commit a HIPAA violation. Posting a picture of a patient without written consent is a blatant error. Using images from inside your facility where a patient’s personal information is visible is also a HIPAA violation.  

If your practice’s advertising needs images, it is ideal to use stock photography . However, using stock photos is not optimal. In this case, it might be in your best interest to invest in a photography shoot or if you want to use your current clients, have them sign a photo consent form.

Posting On Social Media

The more information you provide in your social media posts, the more likely your followers will be able to identify your patient. The easiest rule of thumb will always be to leave out any identifiable information when you post.  While you might want to have a marketing strategy to be active and engaged with your followers, be sure not to post directly on a patient’s social media profile or tag them in any posts.. 

Ideal posts for someone working in the health industry are centered around upcoming events, new industry findings, advertisements of your services, and special offers. The overall best tip for making sure your social media is HIPAA compliant is to ensure your marketing team is trained on HIPAA and given refresher courses annually. Further, creating procedures for managing social media accounts can avoid any potential violations.

How Should I Respond to a Patient’s Review?

Patient reviews are crucial to your online presence. In a recent survey, 81% of participants said they read reviews about the provider before choosing them. When a patient writes positive or negative reviews, it is essential to respond. The challenge for medical providers is addressing review concerns without breaking HIPAA laws. Here are a few tips to keep in mind while responding. 

Don’t Ignore the Patient’s Review

When a patient is upset with their experience, it is only natural that they will lash out. They are dissatisfied with the incident  and want you to be aware of it. Responding to both positive and negative reviews exhibits a sense of accountability in your practice. By responding, you display concern for your patients’ feedback. 

Keep Reviewer’s Status Anonymous

The most important concept to keep top of mind when interacting with reviews is to not confirm the reviewer’s status as a patient. What does that mean? If a patient leaves a review talking about their personal health information, you still need to be cautious of HIPAA laws in your response. According to HIPAA compliance, you cannot outwardly confirm that the person is a patient.  

Move the Conversation Offline

If a patient decides to publicly express more information than necessary, what should your response be? Keeping in mind our first tip, you  cannot confirm their status as a patient. The best course of action is to move the conversation offline. Provide the contact information of someone at your practice with whom patients can discuss their issues. For example, imagine  a patient left a negative review stating:

“I was scheduled with Dr. Gary for a routine visit and had to wait more than an hour to be seen, and the front desk receptionist didn’t seem concerned with my long wait at all. When I finally saw Dr. Gary, he only spent a few minutes with me, and it seemed rushed.”

The correct response will be to thank the patient for their feedback, address the practice’s policy, and direct them to a specific contact to discuss their concerns.  

“When scheduling, it’s our policy to allow plenty of time with the doctor so we can keep our schedule running on time. However, because of emergencies, it is possible to be behind schedule occasionally. We appreciate your feedback and are committed to providing the best patient care. We encourage you to reach out to our practice business manager Debbi at [insert email]. She would be happy to address any concerns you have.”

Keep Responses Short

Keep your review responses short and sweet. Your patients seek a genuine reply, but providing too much information can be overwhelming. Always keep your response pleasant but don’t get too personable.

HIPAA Compliant Marketing 

HIPAA regulation forbids the use of personal information in any marketing campaign, so marketing strategies for the health industry should actively err on the side of caution. Developing procedures for your marketing efforts will allow you to ensure that your practice is not in danger of violating HIPAA.

At PHOS Creative, we diligently monitor our digital marketing efforts to comply with every industry. To learn more about HIPAA compliant marketing, connect with our knowledgeable team.