By Jonathan Bryant on Sep 9, 2020 8:00:00 AM
Digital marketing for healthcare has become a lot more complex since the passage of the Health Insurance Portability and Accountability Act of 1996. The HIPAA Privacy Rule, regulating how protected health information is managed, includes marketing. In fact, the Rule actually defines what marketing is under HIPAA, as well as what it is not. Here’s a look at how marketing is covered under HIPAA and strategies for staying compliant.
Understanding Marketing and HIPAA
According to the Rule, marketing is “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” The Rule provides that, “Generally, if the communication is “marketing,” then the communication can occur only if the covered entity first obtains an individual’s “authorization.””
For example, this prior authorization would be required for “A communication from a hospital informing former patients about a cardiac facility, that is not part of the hospital, that can provide a baseline EKG for $39, when the communication is not for the purpose of providing treatment advice.”
Exceptions to this definition do exist and are defined in three sections:
(1) A communication is not “marketing” if it is made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication …”
(2) A communication is not “marketing” if it is made for treatment of the individual.”
(3) A communication is not “marketing” if it is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.”
But wait, there’s more! The Rule also defines marketing as “An arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.” More precisely, “If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved. See 45 CFR 164.508(a)(3).”
An example of a covered situation is when “A health plan sells a list of its members to a company that sells blood glucose monitors, which intends to send the plan’s members brochures on the benefits of purchasing and using the monitors.” Unlike the first definition of marketing, there are no exceptions for this part of the Rule.
This portion of the Rule covers what marketing is under HIPAA and when prior authorization is required. Now let’s look at other requirements for safely marketing healthcare digitally.
HIPAA Email Marketing
Email remains one of the easiest ways to market healthcare, but it is also one of the most breached forms of communication under HIPAA. According to paubox.com, of the 418 HIPAA breaches reported to the U.S. Department of Health & Human Services in 2019, email was most often cited as the culprit at 39% of the total.
One of the most common ways to address email security is through encryption, which HIPPA considers “addressable” rather than required. This means it’s up to the covered entity to decide if its use is “reasonable and appropriate” or not. To do this a risk assessment should be conducted and, according to HHS, must consider:
- Access control (45 CFR § 164.312(a)),
- Integrity (45 CFR § 164.312(c)(1)), and
- Transmission security (45 CFR § 164.312(e)(1)) including addressable specifications for integrity controls and encryption.
Keep in mind that when email marketing using PHI is provided by another company, a HIPAA Business Associate Agreement must be in place. This is not only required by the regulation, but is a testament to the commitment and due diligence of that company to maintain strict HIPAA compliance.
Learn more about HIPAA and email in the HIPAA Journal article, “HIPAA Compliance for Email.”
HIPAA Compliant Website
When a website is used to collect, transmit or store PHI, it must be HIPAA compliant. This can be accomplished using encryption, but also through the use of HIPPA-compliant web forms that are encrypted.
Many popular web form creation platforms can help make a nice neat form, but not one that is HIPAA compliant. Again, this requires working with a company that is willing and able to complete a HIPAA Business Associate Agreement and can provide forms that are encrypted and can only be accessed by authorized persons.
Also important is your server. If your website is on your server, it is your responsibility to ensure security. If it is hosted on a third-party server, it is that provider’s responsibility to provide security. This means a Business Associate Agreement must be in place.
For more about HIPAA-compliant web forms, Compliancy Group’s article, “Are Web-Forms HIPAA Compliant?” is a great place to start, while their article, “How to Make Your Website HIPAA Compliant” takes a look at the big picture.
HIPAA Compliant Live Chat
As with email and website security, live chat can and must be HIPAA compliant if PHI is collected, transmitted or stored. The easiest way to accomplish this is through the use of a live chat provider that takes HIPAA security seriously from start to finish.
This commitment to HIPAA compliance should span the entire breadth of services provided from administrative to physical to technical as prescribed by the Rule. One way to gauge the depth of a live chat provider’s commitment is by the level of HIPAA training provided to staff and hosts. Another is the willingness to sign a HIPAA Business Associate Agreement. If a service provider isn’t ready and willing to sign, take your business elsewhere.
And a third is their ability to “talk the talk.” HIPAA compliance is complicated, but a knowledgeable live chat provider will not hesitate to address topics such as encryption or authentication. It just goes with the territory. Learn more about HIPAA-compliant live chat in our blog, “Four HIPAA Compliant Live Chat Factors.”
HIPAA compliance for digital marketing requires constant attention to detail, something we at Site Staff have engrained in our culture. Find out how our expertise can benefit your healthcare company by taking our 30-Day Free Trial; Do it for your patients, and your bottom line.