Is Your Healthcare Marketing HIPAA Compliant – What to Know in 2024?

As medical practice owners, you understand the significance of protecting patient data and maintaining legal compliance while providing top-notch care. In this digital era, where information flows seamlessly across platforms, ensuring HIPAA compliance is paramount. 

HIPAA is not just limited to your IT and office operations. It also applies to your healthcare marketing operations. As HIPAA requirements evolve, so must your marketing efforts.

Most recently, the Office for Civil Rights (OCR) at the US Department of Health & Human Services (HHS) issued a statement warning of HIPAA violations related to the online tracking technologies commonly used by healthcare websites and apps. According to the new HIPAA guidance, identifiable electronic protected health information (ePHI) can be collected from your website by third-party tracking code, and that collection may expose you to HIPAA violations.

Online tracking is not the only technology that may be exposing you to HIPAA violations. Here is a list of things your marketing team should be doing to keep your digital tech stack compliant in 2024.

HIPAA Checklist for 2024

Website & HTTPS Protocol – Using HTTPS (Hypertext Transfer Protocol Secure) strengthens your website’s security by encrypting data transmitted between the client and the web server with the Secure Sockets Layer or Transport Layer Security (SSL/TLS) protocols. This ensures that patient information submitted through your website remains confidential while in transit.

However, it’s important to understand that while HTTPS protects data in transit from the client (your web browser, for instance) to your web server, it does not provide end-to-end security for email transmission (more on this later). For that reason, you will need to enable a separate email security mechanism so that data sent onward from your web server by email is also secure and HIPAA-compliant.

Compliant ePHI Data Encryption & Transmission – Many medical websites have contact forms that allow patients and prospective patients to get in touch, set up appointments, complete patient registration, release or request medical records, and more.

This contact form is typically emailed to your staff upon submission. It may also be stored in a database on your web server. You may also send a reply e-mail or SMS to the individual who filled out the form. So there are several data communication streams that are enabled when a contact form is filled and submitted on your healthcare website.

Even with an HTTPS site and SSL/TLS certificates in place, when this data is stored in a database (at rest) or emailed to a recipient address in your organization (in transit), the protected health information (PHI or ePHI) it contains may not be secure, exposing you to a HIPAA violation.

To make it easier to understand, think of SSL/TLS as encrypting the communication channel, not the message itself. Once the email reaches the receiver’s mail server, it sits there in readable form, so anyone who gains access to that server or mailbox can retrieve the PHI.

To be truly HIPAA compliant, you should enable end-to-end email encryption by integrating S/MIME or PGP into your website or applications, in addition to SSL/TLS. Alternatively, you could set up a custom HIPAA-compliant application that encrypts data at rest and in transit and exposes secure links, which can then be shared via email or SMS with the intended recipient.

Analytics Tracking – A red hot topic in healthcare marketing in 2024 is whether the website analytics you have set up for your website and marketing campaigns are HIPAA compliant. On July 21, 2023, the Office for Civil Rights (OCR) at the Department of Health & Human Services issued a warning to all hospitals and healthcare providers to guard against “impermissible disclosures of health information to third parties.”

What is the identifiable ePHI that third-party tracking code may collect from your website and that may expose you to HIPAA violations?

Let’s consider Google Analytics 4 (GA4) as a reference point to understand how Google Analytics tracking code could link a patient with a past, present, or future medical condition, which is protected health information. Google Analytics collects a visitor’s IP address when they visit your website (though only temporarily under the revamped GA4). That visitor may then view treatment- or disease-specific pages on your website, which connects the individual with the regulated entity, i.e., your healthcare organization. As per the OCR, this “relates to the individual’s past, present, or future health or health care or payment for care,” thus making impermissible PHI available to third-party technology vendors such as Google.

As a healthcare technology & marketing company, we are erring on the side of caution when we set up GA4 for our healthcare clients. While GA4 is a positive upgrade for privacy compared to Google’s earlier Universal Analytics (UA) and brings you closer to HIPAA compliance, there are additional steps you need to take to ensure full compliance.

Server-side tag managers, customer data protection (CDP) platforms, and recommended analytics platform settings are some options available to make analytics tracking HIPAA-compliant. 

We are strong proponents of a server-side tag management setup, which gives you control over your data and over what is shared with third-party marketing platforms, thus meeting compliance requirements. And that’s not all: a server-side setup also creates a first-party cookie context, improves your data collection, and allows you to circumvent ad blockers (although in a privacy-first world, we do NOT recommend circumvention).

Talk to us to see how we can customize your tag management setup to make your analytics and marketing pixels HIPAA compliant. 

Retargeting & Other Marketing Pixels – Another aspect of third-party tracking is pixel code, such as the Meta Pixel or Google Ads tags, that allows you to retarget your top-of-funnel audience and lead them closer to making an appointment or completing a purchase. This, too, is no longer HIPAA compliant.

Just as web analytics code can relay and store impermissible, identifiable PHI, so can other marketing and retargeting pixels, such as Meta’s. Furthermore, like Google, Facebook is not willing to sign a Business Associate Addendum (BAA), which is required to keep the covered entity and all its business associates HIPAA compliant.

This unfortunately means that retargeting ads are currently out of bounds for healthcare organizations, unless PHI identifiers are transformed into anonymized data points before they reach a third-party tracking or marketing platform. These identifiers can be anything from IP addresses to page URLs that contain health information, such as a health condition.

This solution creates an obvious dilemma: the more anonymized the data you send to marketing platforms, the less useful that data becomes. For instance, the simple approach of redacting or encrypting HIPAA identifiers, such as IP addresses and page location/path/referrer values that can connect an individual to a past, present, or future health condition, treatment or payment plan, also removes important data points that are needed to optimize or initiate targeted campaigns.

At Webtage, we are implementing server-side tag management solutions that allow for the creation of PHI-free custom audiences, which are then sent to third-party marketing platforms, keeping marketing campaigns free of any HIPAA identifiers.
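To make the redaction step concrete, here is an added example (not Webtage’s code and not a Google Tag Manager API) of the kind of scrub a server-side container can run on an analytics hit before forwarding it to a third-party platform: the client IP and user identifiers are dropped by allowlist, query strings and fragments are stripped from URLs, and any path that names a condition, treatment or patient action is collapsed to the site origin. The field names, the term list and the sample hit are all constructed for illustration.

```javascript
// Added example: server-side scrub of an analytics hit before it leaves your
// infrastructure. Field names mirror GA4-style event parameters but are assumptions.

// Constructed list of path terms that would tie a visitor to a condition,
// treatment or patient action. A real deployment would maintain its own list.
const HEALTH_TERMS = ['condition', 'treatment', 'diagnos', 'oncology', 'diabetes',
  'hiv', 'cancer', 'depression', 'appointment', 'records'];

// Allowlist: anything not named here (ip_override, user_id, client_id,
// user_agent, form fields, ...) is dropped rather than forwarded.
const FORWARDED_FIELDS = ['event_name', 'page_location', 'page_referrer',
  'utm_source', 'utm_medium', 'utm_campaign'];

// Strip query string and fragment (they may carry names, record numbers or
// search terms) and redact any path segment that matches a health term.
function scrubUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }   // unparsable: forward nothing
  const revealing = u.pathname.toLowerCase().split('/')
    .some(seg => HEALTH_TERMS.some(term => seg.includes(term)));
  return revealing ? `${u.origin}/[redacted]` : `${u.origin}${u.pathname}`;
}

// Build the outbound hit from the allowlist only, then scrub URL-valued fields.
function scrubHit(hit) {
  const out = {};
  for (const field of FORWARDED_FIELDS) {
    if (hit[field] !== undefined) out[field] = hit[field];
  }
  for (const field of ['page_location', 'page_referrer']) {
    if (out[field] !== undefined) out[field] = scrubUrl(out[field]);
  }
  return out;
}

// Constructed inbound hit, as a server-side container might receive it.
const SAMPLE_HIT = {
  event_name: 'page_view',
  ip_override: '203.0.113.42',                  // TEST-NET address, constructed
  user_id: 'patient-8812',                      // constructed identifier
  page_location: 'https://clinic.example/treatment/oncology?name=jane',
  page_referrer: 'https://clinic.example/',
  utm_campaign: 'spring',
};

console.log(JSON.stringify(scrubHit(SAMPLE_HIT)));
```

The trade-off described above is visible in the output: the campaign and referrer survive, but the condition-specific page path is gone along with the IP and user ID.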

Social Media Compliance – Social media channels can be a minefield of non-compliance for covered entities under HIPAA, unless they are navigated carefully and cautiously. There are plenty of cautionary tales about healthcare social media marketing gone awry.

Bottom line – you never want to post testimonials, pictures, before & afters, or any other information that may link a patient or even a prospective patient with their past, current, or even future health condition. 

If you plan to use user-generated content (UGC) or your own content that contains identifiable PHI, have the individuals concerned sign a media waiver form prior to any social media posting.

Beware that even private messaging to your colleagues on social media will violate HIPAA unless you know for certain that those messages are encrypted end-to-end. Even acknowledging a social post from a patient by stating that your organization treated them or is going to treat them for a condition is a violation of HIPAA.

One common precaution we take at Webtage is to require our healthcare clients to always have a Media Waiver form signed by patients before their faces, names or other forms of identity are released on social media or on the website. We also never add patients’ names to testimonial posts or imagery. Rather, we simply add their initials, thereby removing any identifiers.

Remember that deliberate or thoughtless disclosures of PHI are both HIPAA violations and can result in distress, citations, fines & punitive actions. Work with a marketing team that understands the tightrope of protecting PHI while building trust and marketing your organization.

Review Management – When it comes to review management and HIPAA compliance, businesses in the healthcare industry face unique challenges. With the rise of online platforms and social media, publicly posted reviews can have a significant impact on a healthcare provider’s reputation. However, it is crucial for these organizations to navigate this landscape while ensuring compliance with HIPAA regulations, which cover any information that could potentially identify an individual’s health condition or treatment.

Negative reviews can be particularly problematic in terms of HIPAA compliance. While businesses need to address customer concerns and feedback, they must do so without violating patient privacy rights. This requires careful monitoring and response strategies that prioritize both reputation management and adherence to HIPAA regulations.

Here’s the golden rule for maintaining HIPAA compliance on publicly posted reviews: even if the patient acknowledges that they are your patient, your response should not indicate a patient-provider relationship. In the case of a negative review, Aledade.com, a healthcare accountable care organization (ACO), suggests the following:

  • Use neutral, professional language
  • Thank the reviewer for providing feedback
  • Stress that a great experience and patient satisfaction are important
  • Detail any changes implemented within the practice, if appropriate
  • Request that the reviewer contact the office if they have questions; however, do not acknowledge if the reviewer was or was not a patient
  • Never post information about a patient or their condition without their authorization

Business Associate Agreement (BAA) – A final word of recommendation. When working with a marketing technology (MarTech) or marketing agency, signing a Business Associate Agreement (BAA) with them is crucial for ensuring HIPAA compliance when handling protected health information (PHI). By entering into a BAA, your marketing providers agree to safeguard ePHI and adhere to HIPAA regulations. This agreement outlines the responsibilities and obligations of the provider, such as maintaining data security measures, reporting breaches, and ensuring compliance with HIPAA rules. 

For instance, while choosing an email marketing automation platform, look for those that offer BAAs to healthcare organizations to help them securely manage PHI within their email campaigns. By partnering with BAA-compliant marketing providers, healthcare businesses can confidently navigate the complexities of HIPAA regulations and protect sensitive patient data.

Conclusion

At Webtage, we are committed to helping medical businesses create compliant marketing and web technologies solutions that provide peace of mind while enhancing patient care.

Talk to us about our HIPAA-compliant web technologies, marketing analytics and digital marketing protocols that provide an end-to-end solution for your healthcare business.

Solutions we offer:

  1. Custom server-side tag management solutions for HIPAA-compliant analytics & marketing tracking
  2. HIPAA-compliant applications that encrypt data at rest and in transit
  3. HIPAA-compliant communication protocols for social media and review management platforms