What You Need to Know About Healthcare Marketing & HIPAA

September 24, 2020
There are many do's and don'ts when it comes to marketing healthcare services while complying with HIPAA. Learn about the challenges (and solutions) here!

Marketing is an essential part of any business's operations. There are some aspects of healthcare marketing that are the same as marketing in any other industry: you should focus on gaining the attention of, and providing content for, your desired audience so that in turn you receive an ROI for those efforts. However, healthcare marketing also has some unique challenges that make it distinctly different from marketing in other industries.

The main thing that sets it apart is that healthcare marketers are not allowed to freely tell stories about patients without that person’s written permission. This all comes back to their need to comply with HIPAA and its rules and requirements to keep patients’ protected health information (PHI) safe.

Before any marketing communication is sent, authorization needs to be obtained from any person whose information was accessed or used for that campaign. The need for written consent from patients makes it very important for us to have a clear understanding of what is and what is NOT considered healthcare marketing. 

What's the Health Insurance Portability and Accountability Act (HIPAA)? 

If you work in the healthcare field in any role from being a physician to working in healthcare marketing, it’s important to have an understanding of HIPAA and all of its rules and policies. 

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, the law that aims to improve the efficiency of the healthcare industry and set the national standards for how protected health information (PHI) must be secured. PHI refers to any information that can be used to identify a patient from their medical file, such as address, identifiable photos and many other forms of data.

Since HIPAA compliance deals primarily with how organizations access, share and dispose of PHI, healthcare marketers will encounter these requirements and must abide by them when creating their campaigns and communications. HIPAA helps to give individuals greater access to and control over their health information, which is why they must give written authorization before their PHI or patient story can be used in healthcare marketing.

What is Healthcare Marketing?

The HHS, which implements, enforces and offers helpful information about HIPAA and related topics, has provided specific information on healthcare marketing to help clear up some confusion. They define marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” 

The key function of marketing is telling a story that compels someone to purchase a product or service. However, healthcare marketers are not able to tell these stories without consent from that person, since doing so would mean using their protected health information (PHI).

Beyond this central definition, marketing can also refer to an arrangement between a covered entity (CE) and another organization where the CE gives PHI to the other organization in exchange for payment, whether direct or indirect, so that the other entity can then make a communication about their products or services. This part of the definition doesn’t have any exceptions but the individual must authorize this usage before that exchange can happen. CEs cannot sell these lists under any circumstances without approval from each and every person on the list. 

Within the scope of the definition of healthcare marketing by the HHS, organizations are still required to receive clear and direct consent from the patient before their protected health information is used in any of these ways. 

What is NOT considered Healthcare Marketing 

Just as the HHS has clearly defined what marketing is in the context of healthcare & PHI, they have also laid out the exceptions to this definition. There are three exceptions to the marketing definition laid out above, which allow these communications to occur without approval from the patient, assuming that they comply with HIPAA in any other ways as necessary.

The first exception is that a communication is not considered marketing if it describes a health-related service or product that is provided by or included in a plan of benefits of the CE making the communication. This means that an email or posting from a covered entity can include a product and service that they offer without being considered marketing. CEs are allowed to let their client lists know about a new piece of equipment they have or a new facility that is being built. 

Another exception to the HHS definition of marketing is that if a form of communication is created for the treatment of the individual that it is sent to, then it is not considered marketing and does not need their approval. This often looks like a healthcare provider sending the patient a prescription refill reminder or a referral for discussed follow-up testing. Since these types of correspondence are regular parts of the treatment of that individual, they are not marketing.

The last exception from marketing is a communication that occurs during the care coordination or case management process of working with a patient. This is typically where an alternate provider or treatment is recommended. As long as that is part of their treatment and is the provider's genuine recommendation for their patient, then it is not considered marketing but merely a part of caring for the patient.

HIPAA Compliant Healthcare Marketing

If you are having trouble distinguishing between marketing activities and typical treatment activities, there are a few things to keep in mind. Sometimes in the course of recommending a treatment, a doctor or healthcare provider recommends the purchase of a medicine or product of some sort. This is not considered marketing by the HHS, as the benefit of this product is being portrayed and it is within the regular operations of the healthcare industry. 

Specifically for marketing, the main thing to keep in mind is getting written authorization for any uses of PHI in a campaign or communication that you may be sending out. 

There are so many do’s and don’ts to healthcare marketing and complying with HIPAA as a whole that it may seem complicated at times. That is why Accountable exists to simplify the process and steps of achieving HIPAA compliance. Getting written authorization for use of PHI in marketing is important, but there are many other steps that need to be taken for complete compliance.
If you are a marketing agency or a healthcare provider that is looking to have HIPAA compliant healthcare marketing or employee training and complete compliance, it is free to try us out today!