The Privacy Rule
- Location Identifiers (addresses, zip codes, etc.)
- Administrative Data (health plan numbers, driver’s license numbers, etc.)
- Biometric Identifiers (pictures, fingerprints, etc.)
The Security Rule
The HIPAA Breach Notification Rule
If you’re utilizing patient experiences in your creatives, you need to be aware of HIPAA regulations to ensure that you’re in full compliance. The HIPAA Privacy Rule defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” This definition covers digital advertisements that are displayed to potential patients or clients.
To use patient stories or testimonials, you need to gain authorization from patients ahead of time. Effective HIPAA compliance programs within marketing firms and ad agencies seek to gain authorization for all uses and disclosures of patient information before starting work on campaigns that may utilize them. Having authorization protects you from violations and patients from unwanted exposure. The entire list of Authorization standards directed by the HIPAA Privacy Rule can be read here.
The Good News - You Can Target HCPs and Still Reach Patients
HIPAA stipulates that any information gained by covered entities about patients cannot be sold or given to third-party entities, but it does not regulate information about healthcare providers. Advertisers can target specific segments of HCPs and therefore indirectly reach patients. While using patient information to target patients in advertising campaigns without authorization is not permitted and would result in a HIPAA violation, there are other ways to successfully target audiences within the guidelines of HIPAA.
If you wanted to target doctors, such as cardiovascular surgeons, to let them know about a new drug trial in the Los Angeles area, you could set parameters on specific zip codes and use data provided on public sites to target cardiovascular surgeons in your area. After seeing the success of your organization’s drug, the doctor will most likely recommend it to patients. In this way, you are indirectly targeting patients, without violating HIPAA in any way.
HIPAA protections only apply to doctor-generated information and information given directly by the client to a covered entity. This means that any data generated by the patient on third-party sites or in apps is not covered under HIPAA. For example, if a patient enters their email address and heart rate information into a health tracker app, it is not covered by HIPAA. This data can be used to serve more highly targeted advertisements.
Another way to target patients is to use what they have been viewing or searching for online. For example, you can retarget a patient who has searched for ‘back pain relief’ with your pain relief pharmaceutical.
The information provided by consumers through opt-in services is also not protected by HIPAA. For example, if a company runs a lead-generation campaign that asks for patients’ email addresses to send them more information about a new blood-pressure medication, this data can be used for marketing purposes as it was given by the user voluntarily. You can then advertise to these patients later on with creatives that are relevant to the original material they were interested in, in this case blood-pressure products and topics.
Creating HIPAA Compliant Campaigns
Some good strategies for marketing to HCPs include:
- Use clean data: Data about HCPs is public, but not all databases are ‘clean,’ meaning they may have mistakes and can result in loss of spend. Adfire Health’s proprietary database of 8 million health professionals is consistently monitored for accuracy.
- Geo-fencing: Reach doctors and patients in a particular area by limiting your ads to particular zip codes.
- Retarget based on search terms: If you want to market open positions to nurses, you can target those who have searched for ‘open nursing jobs in [city],’ based on where you are located.
Always Trust Your Partners
As you move forward with your digital advertising campaigns, it’s important to have a strategic partner you can trust. Adfire Health’s database of over 8 million healthcare providers is clean and gained from public records. This means that targeted campaigns won’t result in HIPAA violations.
If you need help creating HIPAA compliant campaigns and targeting the right healthcare professionals, reach out to us at email@example.com.