Because ON Digital Agency specializes in digital marketing for physicians, the question “Do I need HIPAA compliant marketing?” sooner or later comes up in every introductory call with potential clients. In this post, we will talk about who needs HIPAA compliant marketing and share the top two questions to ask your healthcare marketing agency.
Disclaimer: on this blog, I share my personal experience, knowledge, and recommendations. I am not a HIPAA lawyer, and I strongly encourage you to seek the guidance of a legal HIPAA expert when it comes to your HIPAA compliance questions.
It’s a very common scenario that I set up a Zoom call with a potential client to discuss their needs, opportunities, and goals when it comes to healthcare marketing. It’s important to understand that healthcare marketing and HIPAA compliance do not always go hand in hand.
Do I Need HIPAA Compliant Marketing?
First of all, not every physician or clinic needs to be HIPAA compliant. Contrary to popular opinion, medical practices are subject to HIPAA compliance only when they bill health insurance companies for services provided to their patients. If you are in a cash-only business (like a cosmetic surgeon, med spa, or any other specialty accepting cash only or financing), technically, you are not subject to HIPAA compliance; hence, you do not need HIPAA compliant marketing.
Right here, I would like to emphasize that I firmly believe that patient privacy and data protection should be top of mind no matter what type of practice we are talking about. Cash pay or not, patients’ health information and personal information must be handled and stored securely. This is the reason I always advocate for HIPAA compliant marketing.
What Is HIPAA Compliant Marketing?
As a digital marketer, I will speak to HIPAA compliant digital marketing, not all marketing in general. It’s a big question, and the answer to it consists of multiple factors. We won’t be able to cover all of it, but I will share the top two questions (in my opinion) to ask a healthcare marketing agency to quickly understand whether or not they can meet your needs:
1. Ask them how your patients’ and leads’ data are gathered, processed, and stored. Does it meet HIPAA requirements?
8 out of 10 times I raise this question on a call, I hear: “But leads are not patients yet!” That is true: leads are only potential patients and may never become patients at all. Nevertheless, HIPAA requirements apply to them as well (from the data perspective at the very least).
Let’s look at a simple example: a physician has a website, and the website has a form called “Make an Appointment”. This is a very basic form asking for 3 points of data: name, email address, and mobile phone number. If this physician is subject to HIPAA compliance, then the form collecting and transmitting these 3 points of data must be HIPAA compliant, and so must the database where this information will be stored. It means that using a simple WordPress or Wix form to collect this information will not work, and storing the information in a WordPress database will not work. The best solution is equipping your team with a HIPAA compliant CRM that also provides HIPAA compliant forms that can be easily embedded on the physician’s website.
We equip our clients with VIP HIPAA Compliant CRM that makes the website integration a breeze, and allows the front desk team to quickly follow up with the incoming inquiries. It also offers advanced HIPAA compliant marketing automation that simply makes this solution a win-win for all 3 parties involved: the physician, the marketer, and the potential patient.
2. Your healthcare marketing agency, software providers (for example, a HIPAA compliant CRM or EHR provider), and all third-party vendors participating in your digital marketing execution and obtaining access to any PHI or PII must provide you with a signed BAA (Business Associate Agreement). Ask the agency to send their BAA to you for review.
Don’t know what a BAA is? Trust only reliable resources! This HHS guide explains the nature of a BAA and provides sample BAA provisions.
As I mentioned before, there are many more components to HIPAA compliant digital marketing, but these two simple questions will help you ensure that you are starting a meaningful conversation with a healthcare marketing agency.
Laws and regulations continue evolving, especially with regard to new marketing technologies, artificial intelligence, and other fast-changing aspects. It’s absolutely necessary to openly ask your healthcare marketing agency questions about HIPAA compliance early on in the process, before you engage them for your marketing planning and execution.