How HIPAA and Marketing Intersect
Dear House Rules,
I work in marketing and received information from my pharma client about patients who have benefitted from one of their products. Can I use some of these patient stories in an ad campaign?
Not Hip to HIPAA
Dear Not Hip to HIPAA:
Let’s break down the answer into parts, starting with a brief history lesson.
The Health Insurance Portability and Accountability Act, or HIPAA, was established in 1996 to protect the privacy of patients and the security of healthcare data. It preceded similar rules in other industries and went into effect years before the era of “big data.” Now that the Internet is ubiquitous, HIPAA is something we all count on.
Compliance is not just for clients.
Are you aware that any entity providing communication, marketing, and sales services to a HIPAA-compliant organization is also required to be HIPAA compliant?
In the scenario you asked about, it makes sense that you and your client would want to present positive patient stories in an ad campaign. Under the HIPAA Privacy Rule, however, you may not do so without the patients’ explicit consent and other necessary authorizations.
Privacy is paramount.
It’s paramount for you to maintain the privacy of PHI, or protected health information. Nothing that can lead to a patient’s identity can be promoted–no photos, captions, records, treatment, or health condition connected to a specific person, no account numbers and, of course, no Social Security number. In short, no data that can connect a third party to a patient’s identity can be published without the patient’s consent.
Serious about security
Not only privacy but security is required. All outbound emails and website forms must be encrypted, and an off-site server is required for data backup.
Much of HIPAA compliance is common sense but, because there is so much at stake, a Business Associate Agreement, or BAA, is necessary between HIPAA-compliant organizations and their contractors. This assures that all stakeholders have the same understanding of rules and parameters. BAAs are legally binding contracts.
Still unsure? Consult with an expert.
If you have any uncertainty about handling PHI or see potential for a data breach, follow the adage, “Better safe than sorry.” Double-check your company’s systems, processes, databases, and content.
You can also enlist the help of a consulting firm that focuses on HIPAA compliance. They offer products and services to take the guesswork out of what you can and cannot do.
In this age of big data, little mistakes can lead to big things going wrong. Play it safe and engage in due diligence to ensure your agency is HIPAA compliant.
Our expertise is no secret.
Xavier Creative House is dedicated to keeping you current with important information that affects your business. We know how to combine compliance with creativity to educate, excite, and engage your audience. Give us a call or reach out to us on social media. We’re here to help.