HIPAA and Healthcare Marketing | What is HIPAA Compliant Marketing

When navigating restrictions in healthcare marketing, it can be difficult to find the answers to what you’re looking for. This is because marketing can be HIPAA compliant, but it can also not be. It all comes down to how you are using marketing, what tools you use, and if you have consent from the patient. In an effort to clear up the confusion surrounding HIPAA compliant marketing, HIPAA marketing guidelines and HIPAA marketing FAQs are provided below. 

HIPAA Marketing Guidelines

HIPAA marketing rules differ based on what type of marketing you are doing. If you are targeting your audience based on basic demographics such as age, gender, or location, this type of marketing does not fall under HIPAA’s jurisdiction.

Healthcare Marketing

However, once you start using direct marketing to target patients through remarketing, or if you’re using actual patient data to filter through marketing software, you need to comply with HIPAA, and make sure the tools you use are also HIPAA compliant.

HIPAA Marketing Policy

Developing a HIPAA marketing policy is an important part of ensuring that your communications are HIPAA compliant. Your HIPAA marketing policy should include procedures for receiving patient authorization for marketing communications, what to do if you’d like to use patient testimonials or reviews for marketing, and opt out procedures.

HIPAA Marketing Opt Out

Part of HIPAA compliant marketing is giving patients the ability to easily opt out of marketing communications. All of your marketing communications should include a way to easily unsubscribe from them. This may include an unsubscribe link in marketing emails, or the option to text STOP to opt out of text message marketing.

HIPAA Marketing Restrictions

The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.”

The HIPAA Privacy Rule dictates certain HIPAA marketing restrictions, “The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. So as not to interfere with core health care functions, the Rule distinguishes marketing communications from those communications about goods and services that are essential for quality healthcare.”

Rated #1 on G2

“Compliancy Group makes a highly complex process easy to understand.”

Easiest To Do Business With Summer 2024

Using PHI for Marketing

So how can you market to existing patients, and how can you use patient information for your marketing efforts? Well, there are a couple of ways to do this.

HIPAA Marketing Authorization Form

HIPAA requires healthcare organizations to have signed authorization forms from patients when their protected health information (PHI) will be used for marketing purposes. If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.

There are certain instances in which a HIPAA marketing authorization form is not required. This includes when communication occurs face to face between the covered entity and the individual; or when the communication involves a promotional gift of nominal value.

Using Look-a-Like Audiences 

Another way that you can market to patients is by using a look-a-like audience. However, this requires you to use a HIPAA compliant marketing tool to do so. Many popular tools such as Facebook Ads and Hubspot are not HIPAA compliant, so patient data cannot be input into these platforms. This can be a huge obstacle to your marketing efforts. But there may be a work around to this, although it requires a little extra work on your part. 

Instead of setting a look-a-like audience for digital marketing, you could analyze your patient data on your own by using a spreadsheet, and input ONLY the demographics that you identified as your target audience into your marketing tools. For instance, if you find that most of your patients are males between the ages of 45 – 60, you can set this demographic as your target audience without having to filter any PHI through the software. 

*When using a spreadsheet for PHI, you must ensure the spreadsheet software is HIPAA compliant, and you have a signed business associate agreement (BAA) with the software provider. Some HIPAA compliant spreadsheet providers include Microsoft Excel and Google Sheets, but they are ONLY considered HIPAA compliant if you have a BAA signed with Microsoft or Google before their use.

HIPAA Compliant Marketing Tools

There are certain things to look for when determining whether or not a marketing tool is HIPAA compliant.

HIPAA Compliant Security Features 

When a healthcare organization uses a marketing tool to input patient information, that tool is considered a business associate. Business associates are required to have certain safeguards in place to ensure the confidentiality, integrity, and availability of PHI shared with them.

These include, at minimum:

  • User Authentication. HIPAA compliant marketing tools allow each employee to have unique login credentials to access the platform. For increased security, the platform should enable two-factor authentication (2FA). 2FA requires users to input their username and password, in combination with another unique identifier (i.e. security questions or one-time PIN) to access sensitive data.
  • Access Controls. With the use of unique login credentials, access controls can be set. Access controls limit access to sensitive data, and should be set based on an employee’s job function. Not all employees should have full access to the platform, they should only be granted access to the data that they need to perform their job. 
  • Audit Logs. An important part of HIPAA is ensuring that data is only accessed when it should be. Audit logs can be used to determine access patterns for each employee, enabling administrators to identify when an employee is accessing data excessively. This allows both insider and outsider breaches (i.e. when an unauthorized party uses stolen login credentials to access PHI) to be detected quickly. Audit logs should list who accesses what data and how long they access it for.
  • End-to-end Encryption. When electronic PHI is created, stored, transmitted, or received using a software platform, that platform should enable end-to-end encryption (E2EE). E2EE prevents unauthorized access to data at rest and in motion by converting it to a format that can only be read with a decryption key.

HIPAA Business Associate Agreements

Even the most secure platform cannot be considered HIPAA compliant if they are unwilling or unable to sign a business associate agreement (BAA). A BAA is a legal contract that requires each signing party to be HIPAA compliant, and to be responsible for maintaining their compliance. A BAA limits the liability of both signing parties in the event of a breach or HIPAA audit as only the negligent party will be held responsible.

HIPAA Compliant Marketing Agency

Marketing agencies are also considered business associates when doing targeted marketing for healthcare clients. As a business associate, you yourself will need to be HIPAA compliant. 

To be HIPAA compliant, you must:

  • Conduct annual self-audits
  • Implement remediation plans to address risks and vulnerabilities to PHI
  • Conduct annual HIPAA training for employees with the potential to access PHI
  • Implement HIPAA policies and procedures
  • Be willing to sign a business associate agreement, and have signed BAAs with your business associates
  • Have a process for responding to and tracking incidents affecting PHI

Additionally, when healthcare businesses use a marketing agency for their marketing efforts, they expect their marketing agencies to be aware of how patient information can and cannot be used. As their trusted marketing advisor, you will be responsible for ensuring that your communications with their patients are HIPAA compliant. For instance, if you’d like to use patient testimonials or reviews on your healthcare clients website, in direct mail, or in email campaigns, you must have written consent from the patients before doing so. 

HIPAA Marketing FAQ: Questions Answered

HIPAA compliant email marketing requires each of the following:

  • Prior written authorization from the patient before using PHI in marketing communications.
  • Explicit patient consent to receive marketing emails.
  • Encryption for ANY email sent to patients. Emails and any electronic transmissions must be end-to-end encrypted, which means that only the sender and recipient have access to the email’s contents. Additionally, any servers that store emails or email data containing PHI must be backed up using offsite backup facilities.
  • Signed business associate agreement from your email provider before emailing PHI. If you are using a third-party email marketing provider, also have a signed BAA with them.
  • The ability to easily opt out of marketing emails.

HIPAA compliant social media marketing requires each of the following:

  • Prior written authorization from the patient before using PHI in social media posts.
  • Prior written authorization from the patient before sharing photos or videos on social media, even if they are in the background.
  • Policies and procedures for the use of social media by employees.

HIPAA compliant websites require each of the following:

  • Encryption for any data gathered on your website.
  • Storing PHI on an encrypted offsite data backup server.
  • A HIPAA privacy policy on the website to ensure patients are up-to-date with efforts to keep any collected data safe.
  • Signed business associate agreement from your website hosting provider.

No, Marketo is not HIPAA compliant. Although they have adequate security measures to protect sensitive data, they are not willing to sign a BAA.

Yes, Salesforce can be HIPAA compliant. However, you must also use Salesforce Shield to provide you with encryption, audit logs, and incident monitoring. You must also have a signed BAA which is available to users upon request.

No, Facebook is not HIPAA compliant as they will not sign a BAA with healthcare organizations. Additionally, they specifically ask users not to input patient information into their platform. If you’d like to use Facebook for marketing efforts, this is possible as long as no patient information is uploaded to Facebook.

No, Twitter is not HIPAA compliant as they will not sign a BAA with healthcare organizations. Twitter’s terms of service state, “You are responsible for your use of the Services and for any Content you provide, including compliance with applicable laws, rules, and regulations. You should only provide Content that you are comfortable sharing with others.” You may use Twitter for healthcare marketing purposes as long as no patient information is uploaded to their platform.

No, Instagram is not HIPAA compliant as they will not sign a BAA with healthcare organizations. You may use Instagram for healthcare marketing purposes as long as no patient information is uploaded to their platform.

No, LinkedIn is not HIPAA compliant as they will not sign a BAA with healthcare organizations. You may use LinkedIn for healthcare marketing purposes as long as no patient information is uploaded to their platform.

Complete Compliance Solution

Make sure your business and the tools you use to run it are compliant.

Global CTAs Image