digital hippo compliance
Things you might not have considered
by Rachael Sauceman

Whether you’ve worked in the homecare space for decades or have joined the ranks more recently, you’ve likely learned about the Health Insurance Portability and Accountability Act (HIPAA). After all, HIPAA requires adherence to a very specific set of privacy-related standards, designed to protect patients and their private health information.

When you think of HIPAA, details related to a homecare patient’s health file probably come to mind. You recognize and understand the importance of keeping that clinical record secure and away from the eyes of those who are not authorized to see it.

But you might be surprised to know that HIPAA’s purview goes well beyond day-to-day clinical practices or even in-office information. Your homecare organization’s digital presence—including your marketing efforts—must also maintain HIPAA compliance.

Why & How HIPAA Affects Marketing

When it comes to marketing, “storytelling” has been a buzzword for a few years now. Odds are you’ve included a patient testimonial or two in your marketing efforts, whether in print or on your website.

After all, telling a patient’s story—and even sharing his or her family’s experience with your company’s homecare services—makes a compelling case for what other prospective customers could expect.

When you use a patient testimonial or patient photo in your marketing materials, you likely know that you need to have the patient sign off on appropriate documentation allowing you to share that information.

But it’s important to note that you need this authorization even if you’re not sharing health-related details about the patient. The simple act of including them in your marketing collateral identifies the person as a potential patient, which is considered protected health information (PHI).

More Than Meets the Eye

Although sharing patient information feels like the most obvious way in which HIPAA compliance overlaps with marketing, there’s more to it. In fact, most HIPAA violations that emerge from marketing efforts don’t relate to the content you’re creating.

Instead marketing-related HIPAA infractions often occur from the information you’re gathering as part of your marketing efforts, rather than information you’re giving out. 

What is meant by that—and more importantly, where should you focus your attention to prevent any HIPAA compliance mishaps? First, think about where you’re seeking to collect information from patients or potential patients, such as contact forms or event signups.

Evaluate the below for potential HIPAA violations:

  • Your website. Websites are one of the most common sources of HIPAA marketing violations. After all, that’s where you spread the word about what sets your homecare organization apart—and it’s where you seek interaction from your audience. Any portion of your website that solicits information can present a potential HIPAA pitfall. After all, even a person’s address and phone number are considered PHI. To combat any potential issues, check with your website vendor to be sure all of your forms are encrypted and that the website itself is secure.
  • Any data collection tools you use. If you’re collecting information through tools on your website or in other marketing efforts, it’s a potential HIPAA hazard. This would include patient satisfaction surveys, user experience tools and even your analytic system. While mainstream tools like Google Analytics are usually secure, if you’re using other data collection tools, it’s worth talking with the vendor about how data is handled.
  • The people touching the data. This component of HIPAA compliance in marketing is often overlooked but is extremely important. All data related to patients, regardless of whether it’s health-related, is considered PHI. That means it must be protected to remain in HIPAA compliance. Carefully review all sources that provide you with data and determine who within your homecare organization actually needs to see that information. Make sure the data can only be accessed by those with permission—and end that permission when a person’s need for the information ends.
  • The length of time you’re keeping data. It’s unlikely that you need to hold on to most data you’re collecting for a long period of time. Patient information shouldn’t be stored past when it’s useful, so having some sort of system that destroys data once you’re past a certain point is important. This could come in the form of a digital process that can remove old information, or it could be as simple as a manual process performed at set intervals to ensure only currently relevant and necessary information is stored.

While it may feel as though staying on top of HIPAA compliance rules is an ever-evolving task, HIPAA compliant agency partners can help you ensure your efforts are within bounds. There are numerous HIPAA-compliant marketing tactics that can drive measurable gains for your business, while still protecting your patients and your business.

Rachael Sauceman is the head of strategic initiatives for Full Media, a Chattanooga, Tennessee-based digital marketing agency specializing in health care. Full Media offers a full spectrum of HIPAA-compliant digital marketing capabilities within the health care space, including website design, online advertising, SEO, patient experience optimization and analytics.