As healthcare marketers grow their reach through online avenues and serve more personalized experiences through targeted advertisements, the need to understand HIPAA regulations grows as well. The fines for HIPAA noncompliance are harsh: up to $50,000 per complaint. As of January 2020, there have been a recorded 222,175 HIPAA violations, with third-party error being one of the top three reasons for complaints. Some healthcare marketers needlessly shy away from strong advertising techniques and the use of data for fear of violating HIPAA. While it’s important to be aware of HIPAA’s regulations, it’s still possible to advertise to healthcare providers (HCPs) and patients in a direct and targeted way. Compliance can be achieved quite easily if you understand HIPAA’s objective, who it applies to, and how data is protected by HIPAA. It can also be useful to work with HIPAA compliant partners to ensure that each step of your advertising process is compliant. As CEO Valerie Jackson of Futures of Palm Beach put it, “These rules are mostly about patient confidentiality…Complete patient anonymity is the key. Once marketers understand that, they can plan their campaigns accordingly.”
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, aims to provide complete anonymity to patients, meaning nothing can be disclosed that matches patients with their health records. Patient records and data, conversations between doctors or nurses and patients, health insurance information, billing information, and most other information given by a client to a covered entity cannot be shared.
The Privacy Rule
Under the Privacy Rule, it’s unlawful to share information about any patient that could be used to identify them, known as Protected Health Information (PHI), unless the patient explicitly gives their permission. In order to completely anonymize a patient, you must ensure identifiers from 18 categories cannot be included within your data. These identifiers include:
- Location Identifiers (addresses, zip codes, etc.)
- Administrative Data (health plan numbers, driver’s license numbers, etc.)
- Biometric Identifiers (pictures, fingerprints, etc.)
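A practical way to apply the rule above is to screen a dataset for identifier fields before it is used in a campaign. The following is an added example, not code from the original article or from any vendor named in it; the record layout and field names are constructed assumptions, and the category patterns cover the three categories listed above plus names and contact details, not the full list of 18.

```python
import re

# Constructed sample records of the kind a marketing team might receive.
# Field names and values are assumptions for this example, not real data.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "zip": "90210", "street": "1 Main St",
     "health_plan_id": "HP-4482910", "email": "jane@example.com",
     "photo_url": "https://example.com/jane.jpg", "condition": "hypertension"},
    {"name": "", "zip": "", "condition": "back pain", "state": "CA",
     "notes": "asked about relief options, contact john@example.org"},
]

# Field-name patterns mapped to the identifier category they fall under.
# Illustrative subset: location, administrative numbers and biometric/photo
# data (named in the article), plus names and contact details.
FIELD_PATTERNS = {
    "location": re.compile(r"(street|address|zip|postal|city)", re.I),
    "administrative": re.compile(r"(health_plan|plan_id|license|ssn|mrn|account)", re.I),
    "biometric": re.compile(r"(photo|image|fingerprint|voice)", re.I),
    "name": re.compile(r"name", re.I),
    "contact": re.compile(r"(email|phone|fax)", re.I),
}

# Value patterns that catch identifiers hiding in free-text fields
# (an email address, a five- or nine-digit zip code).
VALUE_PATTERNS = {
    "contact": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "location": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

def find_identifiers(record):
    """Return {field: category} for every populated field that carries an identifier."""
    hits = {}
    for field, value in record.items():
        if value in (None, ""):
            continue  # an empty field identifies nobody
        for category, pat in FIELD_PATTERNS.items():
            if pat.search(field):
                hits[field] = category
                break
        else:  # field name looks harmless; inspect the value itself
            for category, pat in VALUE_PATTERNS.items():
                if isinstance(value, str) and pat.search(value):
                    hits[field] = category
                    break
    return hits

def deidentify(record):
    """Drop every flagged field so only non-identifying data remains."""
    flagged = find_identifiers(record)
    return {k: v for k, v in record.items() if k not in flagged}
```

The second record shows why value scanning matters: the field called `notes` looks harmless, yet it carries an email address and is still flagged.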
The Security Rule
HIPAA also aims to protect patient privacy by ensuring that patient data is stored securely. The security rule requires that PHI which is digitally stored or sent is protected from data breaches, leaks, and unwanted disclosures. This means that marketers must ensure that any protected information stored in their systems is secured at all times and any email marketing that includes identifiers is end-to-end encrypted.
The HIPAA Breach Notification Rule
In case of a breach in security that puts PHI at risk, the Breach Notification Rule outlines the procedures to be followed in reporting the incident. The rule separates incidents into two main categories: minor (fewer than 500 individuals’ PHI at risk) and meaningful (more than 500 individuals’ PHI at risk). For meaningful breaches, covered entities will have to report the incident to individuals, the media and the Secretary of Breaches. Business associates will have to report any breaches, along with information about which individuals were affected, to the covered entity they are working with within 60 days of the incident.
If you’re utilizing patient experiences in your creatives, you need to be aware of HIPAA regulations to see that you’re in full compliance. The HIPAA Privacy Rule defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” This definition covers digital advertisements that are displayed to potential patients or clients.
To use patient stories or testimonials you need to gain authorization from patients ahead of time. Effective HIPAA compliance programs within marketing firms and ad agencies seek to gain authorization for all uses and disclosures of patient information before starting work on campaigns that may utilize them. Having authorization protects you from violations and patients from unwanted exposure. The entire list of Authorization standards directed by the HIPAA privacy rule can be read here.
The Good News – You Can Target HCPs and Still Reach Patients
HIPAA regulates that any information gained by covered entities about patients cannot be sold or given to third-party entities, but it does not regulate information about healthcare providers. Advertisers can target specific segments of HCPs and therefore indirectly reach patients. While using patient information to target patients in advertising campaigns without authorization is not permitted and would result in a HIPAA violation, there are other ways to successfully target audiences within the guidelines of HIPAA.
If you wanted to target doctors, such as cardiovascular surgeons, to let them know about a new drug trial in the Los Angeles area, you could set parameters on specific zip codes and use data provided on public sites to target cardiovascular surgeons in your area. After seeing the success of your organization’s drug, the doctor will most likely recommend it to patients. In this way, you are indirectly targeting patients, without violating HIPAA in any way.
HIPAA protections only apply to doctor-generated information and information given directly by the client to a covered entity. This means that any data generated by the patient on third-party sites or in apps is not covered under HIPAA. For example, if a patient enters their email address and heart rate information into a health tracker app, it is not covered by HIPAA. This data can be used to serve more highly targeted advertisements.
Another way to target patients is to use what they have been viewing or searching for online. For example, you can retarget a patient who has searched for ‘back pain relief’ with your pain relief pharmaceutical.
The information provided by consumers through opt-in services is also not protected by HIPAA. For example, if a company runs a lead-generation campaign that asks patients’ email addresses to send them more information about a new blood-pressure medication, this data can be used for marketing purposes as it was given by the user voluntarily. You can then advertise to these patients later on with creatives that are relevant to the original material they were interested in – in this case, blood-pressure products and topics.
Creating HIPAA Compliant Campaigns
One of the easiest ways to reach patients without worrying about HIPAA violations is to simply advertise to HCPs. In this way, you can indirectly target patients without needing any data about them. As long as you don’t include any unauthorized PHI in your creatives, you will be compliant.
Some good strategies for marketing to HCPs include:
- Use clean data: Data about HCPs is public, but not all databases are ‘clean,’ meaning they may have mistakes and can result in loss of spend. Adfire Health’s proprietary database of 8 million health professionals is consistently monitored for accuracy.
- Geo-fencing: Reach doctors and patients in a particular area by limiting your ads to particular zip codes.
- Retarget based on search terms: If you want to market open positions to nurses, you can target those who have searched for ‘open nursing jobs in [city],’ based on where you are located.
Whether you’re marketing to patients directly or indirectly through HCPs, it’s necessary to ensure you’re not breaching any of the HIPAA rules within the creation of your materials or while targeting. Again, keeping patient anonymity top of mind will help keep you within HIPAA compliance.
Always Trust Your Partners
As you move forward with your digital advertising campaigns, it’s important to have a strategic partner who you can trust. Adfire Health’s database of over 8 million healthcare providers is clean and gained from public records. This means that targeted campaigns won’t result in HIPAA violations.
If you need help creating HIPAA compliant campaigns and targeting the right healthcare professionals, reach out to us at email@example.com.