HIPAA compliant marketing is a must for all medical practices
As a doctor, you know about HIPAA and how important it is to keep your patients’ protected health information (PHI) secure and private. However, you might not know how the HIPAA Privacy Rule applies to your marketing efforts. As a result, you might be in violation of HIPAA as you promote your practice and services. To help you stay on the right side of the law, Catalyst Healthcare Marketing is explaining the basics of HIPAA compliant marketing.
What is the HIPAA Privacy Rule and how does it apply to marketing?
Before you can know if your marketing is compliant, you need to know the law. The best way to understand the HIPAA Privacy Rule is to look at it as two parts.
- The first part of the rule states that marketing is “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”
- The second part of the rule states that a covered entity (like a medical practice) can’t sell protected health information (PHI) to a third-party without express authorization from each patient.
When it comes to authorization, the fact that someone provided their email address or opted in to receive marketing does NOT count as express authorization.
Examples of HIPAA compliant marketing for email, social media and websites
Now that you know a bit more about the HIPAA Privacy Rule, you might have questions about how it applies to your marketing efforts. To give you a clearer understanding, here are some examples of HIPAA compliant marketing.
- Social media. Our biggest recommendation is to avoid creating ads or posts that include PHI of any kind, unless you have explicit permission from the patient. PHI in this situation includes patient names, photos and any information about diagnosis or treatment. For example, if you’re a fertility specialist, you might be tempted to post that cute baby photo that your grateful patient sent. However, make sure you have the patient sign a consent form first.
- Email marketing. Before you or your marketing firm send an email to patients, make sure it has end-to-end encryption. This means only the sender and the recipient can see the email’s content. Also, make sure you don’t send any marketing messages to a patient unless he or she opted in to receive your emails. Simply providing an email address as part of patient registration doesn’t count.
- Websites and web hosting. Encryption can also be important for websites, especially when it comes to data you collect through contact and web forms. Furthermore, you must store any website information that includes PHI on an encrypted server that offers off-site backup. Our team can work with your HIPAA consultant to help you deal with these issues.
You don’t have to handle HIPAA and marketing alone
Even after you understand the requirements of the HIPAA Privacy Rule, it can still seem overwhelming to adhere to it. This is especially true if you’re busy trying to run a practice and treat your patients. However, you don’t have to do it alone.
Catalyst Healthcare Marketing offers HIPAA compliant marketing and works with third-party HIPAA consultants, helping you develop effective and compliant marketing campaigns. Contact us to learn more.