HIPAA…

Are we talking about bureaucratic red tape? Sorry, no. We’re talking about a necessary reality for US healthcare operations. Yes, even marketing operations.

If you’re in the business of healthcare practice, you’ve bumped into HIPAA by now. If you find it confusing, that’s completely normal. HIPAA is notorious for being vague. As a result, full HIPAA compliance is bound to feel elusive at least some of the time.

And so, we’ve compiled a straightforward guide to HIPAA and its many requirements. Here, we’ll cover what the law entails, what it means to be HIPAA compliant, and what the potential consequences will be if your practice comes up short.

HIPAA: the absolute basics

“HIPAA” stands for the Health Insurance Portability and Accountability Act.

On the books since 1996, the law—and its accompanying amendments—helped develop a system of national standards for fortifying personal patient health information (usually referred to as “protected health information” or “PHI”) against unauthorized disclosure.

HIPAA’s ultimate aim is to improve “the efficiency and effectiveness” of the US healthcare system.

HIPAA enforcement is in the hands of the US Department of Health and Human Services (HHS). Organizations subject to HIPAA rules include:

  • Health insurance companies
  • Businesses that require access to medical records in order to complete operations (think: billing agencies)
  • Healthcare practices

These organizations, known as “covered entities,” are all obligated to meet federal regulations for HIPAA compliance.

The crucial details

If we dig deeper, we find HIPAA can be broken down into five “rules”:

1. Privacy

The Privacy Rule looks to establish a balance between the necessary flow of PHI among covered entities and an individual’s general right to privacy. The rule standardizes the usage and disclosure of PHI and requires specific safeguards for patient data, all subject to HHS oversight.

The rule also empowers individuals to “understand and control” the methods used when viewing or sharing their PHI. (It even demands patient authorization for certain types of disclosure.)

2. Security

In essence, the Security Rule extends the terms and protections of the Privacy Rule to include all PHI made available in electronic format (ePHI). This rule details precautionary physical, technical, and administrative measures to ensure against ePHI breach. It’s also the point at which standards and practices for data encryption, confidentiality, and risk analysis come firmly into play.

3. Breach notification

The Breach Notification Rule, as the name implies, requires covered entities to report any PHI/ePHI breach to both patients and the HHS. These notifications should be made as swiftly as possible and cover the “who/what/how” of each disclosure incident, as well as any steps being taken to address fallout damage.  

4. Enforcement

This rule sets out the penalties and the investigation procedures for violations of HIPAA’s Administrative Simplification provisions (which standardize and streamline the flow of PHI).

5. Omnibus

The Omnibus Rule is a catch-all amendment that marries HIPAA to the Health Information Technology for Economic and Clinical Health Act (HITECH), enacting measures for further protection of PHI. Registered in 2013, the Omnibus Rule placed additional restrictions on the use of PHI and ePHI for marketing strategy.

What HIPAA compliance means for providers and practices

Healthcare providers fall directly under the auspices of HIPAA compliance. This means your practice is legally bound to comply with all five HIPAA rules, as well as each rule’s subsequent components.

It also means your practice is required to implement ongoing processes for HIPAA risk assessment through regular security audits and by identifying any gaps in security coverage (while highlighting plans to fill them in as needed).

Similarly, your practice is obliged to ensure all personnel take appropriate steps to maintain “the integrity and confidentiality” of patient/prospect PHI across all technical, physical, and administrative systems for storage, transmission, etc. As such, HIPAA dictates that each entity designate a “compliance officer” to help train organizational staff and oversee company-wide procedures for toeing HIPAA lines.

“Okay…but why?” you ask.

Well, outside the fact that each patient in the US is legally entitled to a certain level of privacy, there’s an awful lot at stake for your business.

Failure to meet HIPAA demands—even in cases where there’s no verifiable breach—can have debilitating consequences, including federal investigation, class action lawsuits, hefty personal fines, and even jail time. HIPAA Journal suggests violations can cost your company around $200 per victim, with state-level fines running up to $25,000 per incident category and fines for intent to sell/utilize information for personal gain amounting to up to $250,000.

And that’s just inside your own organization.

Your clinic is also on the hook for HIPAA-compliant operations concerning every single tool you employ—from point-of-sale software to patient/customer relationship management platforms (CRMs) and email servers—as well as every third-party entity that provides you with added assistance.

To avoid devastating penalties, it’s imperative you establish a business associate agreement (BAA) with each third-party vendor that handles your PHI/ePHI. These agreements should come with two fundamental guarantees:

  1. Protection (i.e., data encryption) against unlawful disclosure of your PHI, and
  2. A plan for regularly scheduled system audits (to help reinforce security measures).


What HIPAA compliance means for marketers

When HIPAA’s fifth and final Omnibus Rule made its way into the federal registry, marketers encountered newer, stronger limitations regarding PHI and other personal identifiers for patients and prospects.

Most notably, healthcare marketers were suddenly required to:

“…obtain a valid authorization from individuals before using or disclosing protected health information to market a product or service…”

To which most marketers might be inclined to say: “Now what?”

This stipulation obviously puts a strain on most typical marketing programs, particularly those focused on inbound strategy.

So, game over? Pack up your marketing plans and go home?

Not quite.

Instead, the Omnibus Rule only demands a few tweaks to normal inbound efforts. Many lead-nurturing strategies keep well within the bounds of HIPAA compliance; you just have to proceed with caution.

Consider these examples:  

You CAN…

Reach out to previous patients with information that’s applicable to their ongoing care or to an ongoing value your practice offers as part of your overall services.

But you CANNOT…

Serve up personal data regarding patient demographics, health histories, or any other health-related identifiers to a third party for the purpose of selling a product/service, raising money for an organization, or conducting research without prior written authorization from the patient in question. These authorizations must also be upfront about any compensation you’ve received for sharing patient information.

Put in more practical terms:

Sending a patient an encrypted email with follow-up treatment ideas for a recent diagnosis or alerting them to newly available practice services? Congrats: You’re good to go.

Sending a patient an email pitch about a new pharmaceutical drug not offered as part of their ongoing care? Nope. That’s illegal.  

Thankfully, HIPAA rules allow most typical inbound activities to continue unabated. But be careful—especially when it comes to personal health information of the electronic or analog kind.

“Careful” should translate to codified systems for safeguarding all patient data and for regular reviews of all PHI activity. Plus, as mentioned above, you should have a BAA in place for any third-party service you deploy, particularly any email providers or web hosting services you use to collect, transfer, or store patient information at various points in the sales funnel.  

Still feeling HIPAA helpless?

If any of the above seems too complicated or you’re at a loss for how to get started on compliance, HIPAA-compliant CRM might just be your new best friend.

With a customer relationship management platform designed for HIPAA compliance, much of your due diligence work is done for you. An end-to-end solution such as LeadSquared can assist in creating a secure, single-source overview for patient profiles, health histories, appointment schedules, and more.

It can also help facilitate:

  • Lead capture and management, allowing you to safely house, search, and share information on potential patients with members of your team.
  • Marketing automation, enabling compliant outreach through automated communications with existing/prospective clients.
  • Engagement scoring, providing the tools to trace engagement behavior and help nurture ongoing customer relationships.

And with compliant solutions like LeadSquared, a HIPAA BAA always comes standard. (No need to worry about ticking an endless number of legal boxes before launching your next campaign.)

The takeaway…

HIPAA, like all legal provisions, can be a complex animal.

To achieve HIPAA compliance in marketing, you’ll have to watch your step when it comes to the content of your message and the trafficking of patient data.

If you’re just learning the HIPAA ropes, a HIPAA-compliant CRM is an exceptionally good place to begin your practice- and department-wide compliance plan.