HIPAA and Online Advertising: Everything You Need to Know
The Health Insurance Portability and Accountability Act (HIPAA) has been a topic of discussion ever since it came into force in August 1996. To date, the statute, alternatively known as the Kennedy-Kassebaum Act, continues to be one of the most contentious legislation ever enacted in US history.
This is because of the Act’s groundbreaking intention to create an intersection between the ever-evolving provision of healthcare and privacy rights enshrined in the constitution. Peculiar provisions such as the HIPAA Omnibus Rule, which extends compliance to business associates and subcontractors, often raise more questions than there to exist answers to.
Add that to the untamed beast that is online advertising, and problems are bound to arise, with the most common being whether a particular action constitutes a violation of the rules. It is for this reason that medical practitioners and their support staff often have their legal advisors on standby to help them navigate through the ever-shifting landmines associated with the Act.
This over-reliance on legal experts can, however, not be extended to most real-time scenarios. In these instances, those in the medical profession have to make split-second decisions that may ultimately come back to haunt them if found to have contravened the law. Therefore, an in-depth understanding of the ordinance is more of a requirement for those privileged to be a part of this noble profession.
Why HIPAA and Its Rules Are Important
Simply put, HIPAA’s primary objective is to provide individuals seeking healthcare with the peace of mind to do the same without worrying about the safety of their medical information. This is guaranteed in HIPAA’s Privacy Rule, which the US Department of Health and Human Services (HHS) formulated to enforce the Act’s provisions at a national level.
The Privacy Rule became the first set of regulations to govern the use and disclosure of a person’s health information (paper and electronic), often referred to as “protected health information” or PHI at a national level. It is also intended to educate individuals on their rights regarding the use of their health information.
The Rule also sets the confines within which the persons and organizations subject to it or “covered entities” can have reasonable access to information to aid them in the execution of their duties. These covered entities include health plans, healthcare providers, healthcare clearinghouses, and, thanks to the Omnibus Rule which came into effect in September 2013, business associates and subcontractors.
On the other hand, HIPAA’s Security Rule sets similar standards but mainly concerns itself with information that is in electronic form. Since the two rules deal with electronic information, they both apply to online advertising and highlight the safeguards covered entities must put in place.
The Security Rule is also flexible and encourages covered entities to embrace new technologies to improve patient care and secure e-PHI, regardless of their size and organizational structure.
HIPAA and Online Advertising
In this digital age, it wouldn’t be incorrect to say that no business can at least survive or thrive without incorporating online advertising or digital marketing in some form. Therefore, it is vital for “covered entities” to adhere to HIPAA’s provisions or simply be HIPAA compliant.
Before the advent of social media, online advertising/marketing was almost exclusively confined to the web. It then evolved into email marketing before social media overtook the former two and began testing the extent to which HIPAA applies.
HIPAA, however, had the foresight to define marketing in its Privacy Rule, which describes it as ” communication about a product or service that encourages the recipients of the information to purchase or use the product or service.”
The Privacy Rule additionally considers marketing to be instances where a covered entity reveals personal health information (PHI) to any other organization in a quid pro quo arrangement meant to benefit it directly or indirectly.
This definition expands to instances where a covered entity reveals said PHI, allowing the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.
In a nutshell, HIPAA’s scope primarily extends to individuals accessing healthcare, healthcare providers, and the entities contracted by the latter to act as its agents, who jointly fall under the category of covered entities.
The Privacy Rule’s definition of marketing strives to cover any looming loopholes by extending HIPAA’s scope to third parties like healthcare marketing firms. Therefore, a covered entity cannot exempt itself from its HIPAA-related responsibilities by simply passing the liability to an “independent” third party.
Designing Your Campaigns
Most covered entities often opt to do their advertising/marketing through conventional marketing mediums such as TV, radio, and print ads because they target a general audience. Running advertising campaigns through such avenues almost automatically guarantees that they are HIPAA compliant since the act directly relates to personal (individual) health information.
These conventional marketing mediums, however, fail to accomplish the targeted advertising that communicates directly to the intended person. Structuring your campaigns beforehand to work within the parameters set by HIPAA is thus necessary.
This is best done by working around or through the three exceptions to HIPAA’s definition of marketing/advertising. These exceptions allow covered entities to engage in advertising without prior consent from a patient.
The first of the three exceptions allow a covered entity to communicate the range of services they provide. This means that a covered entity would remain HIPAA compliant if they were to say send an email to a patient informing them of a new department that specializes in matters relevant to their healthcare.
This approach stays on the right side of HIPAA by appearing to target a wider audience instead of the individual, much like the conventional marketing mediums that were previously mentioned.
The second exception to marketing/advertising involves information communicated in order to further a patient’s care. Therefore, if a covered entity were to offer referrals or recommendations to a patient meant to increase their chances of getting better care, they would remain HIPAA compliant.
The third and final exception is premised on offering alternatives to a patient during the course of their care. Advertising aimed at offering alternative healthcare providers, places of care like nursing homes, therapies, and treatments fall under this category and can thus not be deemed to be HIPAA violations.
HIPAA and Remarketing
Remarketing/retargeting has quickly become one of the most commonly used strategies, since it tends to be aimed at individuals who have already come into contact with a particular brand or, in this case, a covered entity.
Keeping remarketing HIPAA compliant is therefore difficult because a covered entity will almost always have to access an individual’s personal information in the process, which goes against the provisions of the Act. The best way to utilize remarketing and remain HIPAA compliant is to advertise in a general or all-inclusive way.
Say a person searched the World Wide Web for symptoms to a specific condition they think they might have. A covered entity could then only send them an ad offering solutions to the particular condition by first accessing their personal information, which constitutes a HIPAA violation.
A safer way for the covered entity to go about it would be to send the person an ad with a link to their home page or another general landing page. The covered entity’s actions would then be HIPAA compliant since it cannot be accused of having had prior access to the retargeted party’s personal information.
How to Be HIPAA Compliant
For HIPAA compliance to even be a possibility, several security measures have to first be put in place by covered entities in contact with PHI and/or e-PHI. These safeguards are aimed to protect the storage of physical data, online processes, and any related networks.
The first and best way for a covered entity to ensure HIPAA compliance is by always getting a patient’s written consent before using any of their personal information, including dates (birth, admission) and numbers (telephone, social security, fax, medical record number).
This also extends to recordable items such as photographic images, fingerprints, and voiceprints. Additionally, IP and email addresses, URLs to their personal and business websites, and social media handles are also protected under HIPAA.
HIPAA Compliance and Email Marketing
Where email marketing and emails, in general, are concerned, the first rule is to always receive a patient’s written consent. The aforementioned should be done before sending them emails or creating emails or email campaigns of any kind, even if the patient provided their email address during registration.
Emails sent to patients should also be encrypted to limit access to the immediate concerned parties. Covered entities should also ensure that the third-party email marketing firms they engage are HIPAA compliant. All covered entity vendors, including marketing firms, should also sign business associate agreements (BAAs).
HIPAA Compliance and Social Media
Ensuring HIPAA compliance with social media may appear to be a tall order considering the ever-increasing number of platforms and the fact that most platforms have yet to or are not willing to sign BAAs. However, there are measures that a covered entity can put in place to mitigate the chances of a HIPAA violation.
Again, patient consent should be secured before creating ads or posts containing any of their personal information. This includes a patient’s name, photos, and medical/treatment information. Covered entities should also discourage their employees from taking photos while at work.
This reduces the likelihood of a wayward photo capturing personal information from computer screens or print-outs around the workplace. Covered entities should also introduce internal policies that cover the use of social media in marketing/advertising and offer their staff training on the same. Such policies should simply outline what social media practices are allowed or disallowed as regards HIPAA. Contact us for more information.