What medical practices need to know about HIPAA and healthcare marketing

A marketing plan — how you’ll attract your ideal patients — is essential to growing a medical practice. But before you execute it, you should understand HIPAA, its rules around healthcare marketing, and how your practice can carry out HIPAA-compliant marketing. 

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 to protect patient information. Its Privacy Rule covers the use and disclosure of patient-identifiable information — referred to as protected health information (PHI) — by individuals and organizations called covered entities (CEs). 

CEs include healthcare providers, health plans, and healthcare clearinghouses. Healthcare providers are considered CEs if they transmit health information electronically. For instance, a dermatologist who does not bill insurance is not considered a CE.

HIPAA’s Privacy Rule also applies to business associates to whom CEs give PHI in exchange for payment to market products or services. 

HIPAA mandates that CEs get prior written consent from all individuals whose PHI is to be used or disclosed. However, there are exceptions, such as in the course of treatment, payment, or when required by law or needed for healthcare operations.

Here are some key aspects of HIPAA that doctors should be aware of:

PHI is any health information. It includes demographic data that relates to a patient's past or present physical or mental health or condition.

It also includes information that relates to the provision of healthcare to the patient. Payment for the provision of healthcare to the patient and that identifies the patient or could identify the patient is also included. 

Some examples of PHI include: 

Aside from requiring patient consent for PHI use or disclosure, HIPAA’s Privacy Rule gives patients the right to access their medical records. It also gives them the right to correct inaccuracies and know who has accessed their information. 

The Privacy Rule also mandates CEs and business associates of CEs to appoint a ‘Privacy Officer.’ This person will develop and implement HIPAA-compliant privacy policies and procedures.

The HIPAA Security Rule sets out standards to protect individuals' electronic personal health information (ePHI) that is created, received, used, or maintained by a CE. It establishes the appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. These safeguards include implementing necessary measures, such as encryption, to prevent unauthorized access, use, or disclosure of data.

Conducting risk assessments to ensure ongoing compliance is another safeguard. It's also essential that any business associates who handle ePHI also stick to these security standards.

Under the HIPAA Privacy Rule, a "Business Associate" is an individual or entity that performs functions or activities involving the use or disclosure of protected health information (PHI). This person or entity does so either on behalf of or in the provision of services to a covered entity such as a medical practice. 

These activities can be anything from marketing and data analysis to billing services. As long as the activities involve handling or accessing PHI, then the entity or person executing them is considered a business associate.

Healthcare marketing is the process of outreach and communication with prospective and existing patients. Healthcare marketing strategies can range from digital advertising, email marketing, and social media campaigns to traditional marketing through print, television, and billboards.

The HIPAA Privacy Rule says, “Marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”

There are some exceptions to this HIPAA definition of marketing. The exceptions provide a framework within which your practice can communicate effectively with patients.

The exceptions are communication that:

An important element to remember about HIPAA’s Privacy Rule is that practices must always receive consent from patients if they want to disclose the patient’s PHI outside of the organization. It doesn’t matter if it’s for marketing or non-marketing purposes.

HIPAA’s Privacy Rule considers most marketing activities, including analytics or HIPAA-compliant patient reviews, as disclosures of PHI. Consequently, prior written authorization from patients is generally required. 

Written authorization can take many forms. With email marketing, for example, you must get express email consent from patients whenever you collect their email addresses for marketing purposes. They must also be able to easily opt out of receiving marketing emails anytime.

However, patient prior authorization is not needed if the marketing is in the form of face-to-face communication and promotional gifts of nominal value.

For instance, suppose your practice holds a health fair. During the event, your staff approaches attendees — some of whom are patients — face-to-face to discuss new health services or medical procedures your practice offers.

As a token of appreciation for listening, they give attendees a branded pen or notepad. The marketing is conducted face-to-face, and the promotional items (pens or notepads) are of nominal value. As a result, your practice does not need patients' prior authorization for either of these actions.

Another scenario where this exception could apply is during an office visit. A patient visits your practice for a routine check-up, and during the appointment, you talk to the patient about a new wellness program that their healthcare plan is offering. 

As the patient leaves, your front office staff hands them a brochure about the program along with a branded stress ball. Your recommendation about the wellness program is made face-to-face during the appointment, and the stress ball is a promotional item of nominal value, so the patient’s prior authorization is not needed.

Maintaining HIPAA compliance in all marketing activities is non-negotiable. Non-compliance can result in substantial fines, penalties, reputational damage, and potentially reduced patient outcomes. 

According to a recent study on medical record privacy perception, patients with concerns about their electronic health records being compromised are 3 times more likely to withhold information from their physicians.

Here are 6 standards and habits that your practice should adhere to for HIPAA-compliant marketing:

You should ensure that all employees — from front office staff to nurses — are regularly trained on HIPAA rules and your specific practice policies. For staff involved in marketing and communications in any form, training related to the Privacy Rule and PHI should be thorough. 

The United States Department of Health and Human Services (HHS) regularly updates HIPAA rules. As such, keeping abreast of HIPAA rules and cultivating a culture of compliance within your medical practice can help mitigate the risk of violation. 

You should also periodically review and update policies and procedures at your practice to ensure ongoing compliance. 

Your practice should provide patients with a clear and detailed notice about how their information is used and protected. This notice should be available and provided to patients during their first practice visit. 

The HIPAA Privacy Rule specifies that CEs with a physical office should post their entire notice in a clear and prominent location. It does not, however, stipulate any specific format for the posted notice. It just stipulates that it should include the same information that is given directly to the patient.

Your practice should retain documentation of all your HIPAA-related policies, procedures, risk assessments, and training sessions (including patients’ disclosure authorizations). HIPAA requires these records to be kept for at least 6 years. 

For policies specifically, though, records must be kept for a minimum of 6 years since they were last in effect. So, if a policy is implemented for 2 years before being revised or scrapped, a record of the original policy must be kept for at least 9 years after it was created.

In the event of a breach of unsecured PHI, HIPAA requires practices to notify the affected patients, the HHS, and, in some cases, the media. While the goal is prevention, PHI breaches are common and are, in fact, on the rise. 

As of July 2023, healthcare organizations had reported 330 breaches of sensitive health information to HHS’ Office for Civil Rights. These breaches affected 41.4 million individuals. 

In 2022, the total annual number of individuals affected was 52 million. Consequently, your practice needs to prepare in advance for the possibility of breaches. It's essential to have a clear process for identifying and responding to them.

Many practices use 3rd-party companies to manage marketing and communications activities with patients. Under HIPAA, these 3rd parties are considered business associates. 

To ensure that patient data is appropriately safeguarded, you should recognize and manage relationships with business associates by entering into a Business Associate Agreement (BAA) with any entity or individual that handles PHI on your behalf. This agreement typically outlines the permissible uses and disclosures of PHI and mandates the business associate to implement necessary safeguards and report any breaches of PHI to the covered entity.

Balancing HIPAA compliance and marketing can be challenging. Still, with a solid understanding of the rules and their nuances, your medical practice can devise and implement strategies that not only attract and retain patients but also foster trust and compliance.