Make Sure Your Digital Marketing is HIPAA-Compliant

Dear House Rules,

Our pharmaceutical company’s marketing strategies seem to include more digital avenues every week – our website, targeted e-mails, eDetails, Facebook status updates, Twitter posts, Instagram pictures and their accompanying detailed captions, etc. With our digital and social media communications multiplying so quickly, how can we make sure we stay compliant with federal policies like HIPAA? 


We Want to Stay “The Good Guys”  

 Dear Good Guys:

Your company is absolutely right to be increasing its percentage of digital advertising and its social media presence, given what we’re learning about how both clinicians and consumers are using the internet. To cite one example, Pew Research Center data recently showed that 72% of internet users look for healthcare information online. (1) That fact alone underscores the importance of staying in compliance with the federal government’s Health Insurance Portability and Accountability Act (HIPAA).

Simply put, HIPAA is in place to protect the confidentiality of sensitive patient health information. Marketers must either avoid using information that could identify a patient, known as protected health information (PHI), get written authorization from the patient to use the information, or completely anonymize it by removing identifiers from multiple categories, including: (2)

  • Names 
  • Geographic Identifiers (county, city, address, zip code, phone numbers, etc.) 
  • Dates (admission date to a hospital, birth date or year, etc.) 
  • Administrative Details (health plan numbers, driver’s license number, etc.) 
  • Biometric Identifiers (photos, fingerprints, voice prints, etc.) 

Of course, there are plenty of other ways patients can be identified online (which may not be covered by categories listed above), so companies like yours must use caution when developing patient-generated marketing initiatives like real-life success stories or endorsements, for example. (2) That’s why you see so many “hypothetical patient” disclaimers in pharmaceutical ads. It’s much safer (and helps your company avoid a potentially hefty fine) to use stock photography or paid models instead of actual patients. 

Here are some other real-world tips to help you stay on the right side of the HIPAA law: 

Make Sure You Know the Details – Using treatment success stories for marketing purposes is only okay if it doesn’t violate HIPAA rules. Be careful about what information you’re sharing, and how you’re sharing it. Even sharing patient case history and other details through direct messages is considered a violation of HIPAA. (1)

Train Your Team – It’s not just you who has to know the HIPAA rules – it’s everyone on your team. In addition, they need to understand not only the regulations, but also the punishment details. Those behind the scenes on the development of any healthcare social media campaign such as scheduled blogs, the above-mentioned Facebook, Instagram, or Twitter presence, or any other web-based marketing campaigns must be able to pass the compliance test for their brand. The same goes for any third-party vendors you employ as well. Even if the mistake is theirs, the liability will be yours. (1)

The Good News – Even though HIPAA has made it more difficult for healthcare marketers to get their messages across, it’s still possible to develop and deliver effective promotional campaigns while remaining HIPAA-compliant. General topics such as healthcare tips, educational documents, and even unbranded web communications can do a lot to make sure your message gets across without posing any security threats to electronically stored patient data. (2)

Xavier Creative House has helped many companies maintain HIPAA compliance while developing effective and exciting brand messaging campaigns. We’d love to work with you and help you manage your brand. Contact us today!  



1. Accessed September 18, 2017.

2. Accessed September 19, 2017. 

House Rules

Sunny Beth White

Want worry-free marketing with original design and evocative images?

Contact Sunny Beth White, Founder & CEO