HIPAA and marketing: What you need to know to build a modern healthcare marketing strategy
by Rick Kuwahara, COO of Paubox
Compared to other industries, healthcare is a slow adopter when it comes to using modern digital marketing strategies.
That’s because of the minefield of regulations, like HIPAA, that organizations have to navigate in order to keep patient data safe.
The result is many organizations stick with traditional marketing channels like TV, radio, and print ads, losing out on what makes digital marketing so special – being able to deliver your marketing message directly to the right person.
Some healthcare organizations make the mistake of using out-of-the-box marketing software, which can lead to compliance issues. After all, the standard marketing tools are created by marketers, not compliance experts.
Paubox Marketing allows recipients to view marketing emails like regular emails without relying on outdated portal notifications, which are terrible for the recipient. With this tool you can segment and send secure email including PHI to increase engagement and build your business while remaining HIPAA compliant.
There are many ways to market to your patients and potential patients, so we put together this quick guide to walk you through everything you need to know about HIPAA compliance and marketing.
Table of Contents:
- How HIPAA defines marketing
- Exceptions to the HIPAA definition of marketing
- How to execute a HIPAA compliant digital marketing strategy
- Increasing revenue with email marketing
- HIPAA compliance and paid social media marketing
- Minimizing your risks from the beginning
How HIPAA defines marketing
The first step is to actually understand which HIPAA regulations affect marketing efforts.
The US Department of Health & Human Services (HHS) HIPAA Privacy Rule defines marketing in two parts. We explain in detail in this post.
It first defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”
There are some exceptions to this definition – not all email communication to patients is considered marketing. We’ll cover this in detail below.
But there are NO exceptions to the second part, which states that marketing is “an arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.”
In simple terms – a covered entity cannot sell protected health information (PHI) to a business associate or a third party to be used for that party’s own self-interest without express authorization from each patient.
This is why there was such an uproar over Google’s Project Nightingale, which involved a partnership with Ascension.
To keep it simple, just remember that marketing to anyone using PHI as data points requires patient authorization.
This means using opt-in email capture forms and not “assuming” it’s ok to market to a patient just because you have their email address on file.
You can find a full list of necessary authorizations here: 45 CFR 164.508.
Exceptions to the HIPAA definition of marketing
Not all communications that disclose PHI fall under the HIPAA definition of marketing.
There are three exceptions where email communication can be done without prior authorization from the patient.
- First exception: Communication describing the scope of services a healthcare organization provides. An example would be if a hospital notifies patients about a new specialty department.
- Second exception: Communication tailored to the patient for the purpose of furthering his or her care. This includes activities such as referrals, prescriptions, recommendations, and other communications that address how a product or service may relate to an individual’s health. A great example is prescription refill reminders sent by a pharmacy.
- Third exception: Communication to an individual during the course of case management or care coordination, or for recommending alternative treatments, therapies, providers, or settings of care. For example, a social worker at a hospital sharing information with nursing homes in order to get placement for a patient.
In addition, prior authorization is not required for face-to-face communication. For example, a doctor tells a patient about an additional service he or she offers during a checkup, or a hospital provides a free package of baby products to new mothers as they leave the maternity ward.
How to execute a HIPAA compliant digital marketing strategy
For traditional marketing channels (radio, TV, print), it’s relatively easy to stay HIPAA compliant because these are mass marketing tactics.
This means the marketing messages are very general in order to reach a wide audience. They are not customized to a degree where PHI is used to segment and deliver a personalized experience.
Healthcare marketers have understandably been hesitant to implement even some of the most basic digital marketing strategies because of concerns over HIPAA and protecting patient information.
Traditional marketing has its place in the marketing mix, but breaking through the noise requires thoughtful digital marketing strategies, especially as consumers are more empowered in every other aspect of their lives.
Evaluating which digital marketing activities are right for your organization comes down to three simple things:
- Managing marketing authorizations from your patients.
- Securing your patient data.
- If you’re using a third party marketing solution, signing a Business Associate Agreement with them.
If you want to leverage personalized email marketing, Paubox Marketing is the most powerful tool on the market for healthcare providers. You can use it to send email including PHI, segment recipients by any characteristic of your choosing, and send targeted emails with messages tailored to a particular patient.
Increasing revenue with email marketing
Email marketing is a lot more powerful than it used to be. It has transformed from general monthly newsletters to trigger-based automated drip email campaigns that can efficiently drive revenue.
According to a report by eMarketer, nine out of 10 internet users in the US rely on email, and many say it’s a preferred channel for receiving brand communications.
They also report email drives over 120% return on investment, more than 4x other digital marketing channels.
So it’s no wonder email marketing is integral for organizations in every industry to nurture and build relationships.
Before we get into some use cases for utilizing PHI in email marketing campaigns, first let’s establish what’s required:
- Unless the solution is installed on-premises, the email marketing vendor must sign a BAA with its customers.
- Data stored at rest with the vendor will invariably contain PHI, so careful diligence must be applied to keep it properly safeguarded.
- The solution must be capable of actually sending HIPAA compliant email.
- You must get authorization before you start sending marketing emails to patients. This can easily be done with an opt-in form on your website.
The most common marketing vendors (such as MailChimp, Campaign Monitor, etc.) do not address all of these points, and the vendors that do still send secure messages using outdated portal notifications, which are terrible for the recipient and lower engagement.
For this reason, we created Paubox Marketing which lets recipients view marketing emails containing PHI like regular emails – with no extra steps.
Segmentation and personalization
At the heart of any good email marketing strategy is segmentation and personalization.
To deliver the most targeted messages, it’s essential that you are able to break up your list of patients into segments.
For example, you could segment your patient list based on how long someone has been a patient, when his or her last visit was, treatment received, etc.
That will allow you to send emails with specific information about new treatments, post-op instructions, and other news specifically to those for whom it is relevant.
This is a much better experience for recipients than getting an email for a treatment that has nothing to do with them, which can lead to unsubscribing and labelling your email as spam.
Automated drip campaigns
A drip email marketing campaign is a series of emails that are sent automatically.
This is a perfect way to easily follow up on treatment and make sure any specific instructions are sent post-visit, as well as send reminders to schedule follow up appointments.
For example, say an oral surgeon’s average procedure generates $10,000 in revenue.
An automated drip campaign can create a series of follow up emails to a patient with post-surgery instructions, wellness tips, any other procedures he or she may be interested in, and so on.
Even if only 1 in 10 responds to the email sequence and does a follow-up procedure, that’s another $10,000 in revenue done on “autopilot.”
Paubox Marketing is the only HIPAA compliant email marketing product on the market which allows you to take advantage of segmenting your recipient lists, automating your drip campaigns, and sending email including PHI.
HIPAA compliance and paid social media marketing
When most organizations think of social media marketing, they think of organic posts that have no direct cost.
Users are most likely to share brand stories, event notices, and other messages that are appropriate for a wide audience, even if they’re not always relevant.
But as organic reach continues to decline across all social media platforms, paid advertising is increasing as more and more organizations fight to stay top of mind.
Healthcare providers can benefit from delivering very targeted messages to specific audiences – but there are a few risks to avoid.
We’ll outline the risks and opportunities with Facebook advertising, since it is the biggest social media platform and has the most robust advertising features. The same risks and opportunities can be applied across other platforms.
Retargeting
At its most basic, retargeting is the process of showing an ad on Facebook or its partner network to someone who has already visited your website.
If you’ve ever browsed an online store for clothes and later saw an ad on Facebook for the exact jacket you were looking at, that’s a retargeting ad.
So if someone were to visit a hospital’s web page about a new treatment, the hospital could retarget that visitor on Facebook.
For healthcare organizations, retargeting is fine for a general audience which is NOT made up of your patients. But once someone is identified as a patient, you must have his or her authorization to market anything to him or her.
There are ways to exclude people from a retargeting campaign based on the page they visit (assuming you have a patient portal or other website page that only patients can access). But that only works if patients visit that specific page, and as we know, patient portal use is extremely low.
A better way would be to have a cookie/pixel acceptance pop-up for all website visitors that includes language which allows you to retarget them. This has become much more common practice since GDPR (the European Union’s data protection and privacy law) was passed.
But even this workaround should be done with caution, as patients can still be missed, and it will require a little coding to make it work.
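The “little coding” mentioned above is mostly a gate in front of the tracking pixel. The following is an added example (not Paubox code, and not the Facebook pixel snippet itself) showing the two controls described in this section combined: the pixel is never loaded on patient-only paths, and it is only loaded after the visitor has explicitly accepted retargeting in the consent pop-up. The patient-only path prefixes, the pixel script URL and the consent storage key are placeholders chosen for the example; the fake document and storage objects at the bottom exist only so the logic can run outside a browser, where `document` and `window.localStorage` would be used instead.

```javascript
// Added example: consent-gated loading of a third-party retargeting pixel.
// Not Paubox code. Assumes a hypothetical pixel script URL and a simple
// key/value consent store (window.localStorage in a real page).

// Placeholder list of paths only patients reach (assumption for the example).
const PATIENT_ONLY_PREFIXES = ['/portal', '/my-account', '/appointments'];
const CONSENT_KEY = 'marketing-retargeting-consent';      // placeholder key
const PIXEL_SRC = 'https://example.invalid/retargeting-pixel.js'; // placeholder URL

// True for the prefix itself or anything below it; '/portalx' is NOT matched.
function isPatientOnlyPath(path) {
  return PATIENT_ONLY_PREFIXES.some(p => path === p || path.startsWith(p + '/'));
}

// Returns the stored consent record only if it is a valid, affirmative opt-in.
// Anything malformed, missing or revoked is treated as "no consent".
function readConsent(store) {
  const raw = store.getItem(CONSENT_KEY);
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec && rec.retargeting === true && typeof rec.acceptedAt === 'string') return rec;
  } catch (e) { /* corrupt value: fall through to null */ }
  return null;
}

// Called by the consent pop-up. Records an explicit accept or decline with a
// timestamp so the decision can be evidenced later; declining revokes consent.
function recordConsent(store, accepted, now = new Date()) {
  const rec = { retargeting: accepted === true, acceptedAt: now.toISOString(), version: 1 };
  store.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Decide whether the pixel may load on this page view, with a reason for logging.
// opts.knownPatient lets the site suppress the pixel when the visitor is a
// logged-in patient, since the cookie banner is not HIPAA marketing authorization.
function pixelDecision(store, path, opts = {}) {
  if (isPatientOnlyPath(path)) return { load: false, reason: 'patient-only-page' };
  if (opts.knownPatient === true) return { load: false, reason: 'known-patient' };
  const consent = readConsent(store);
  if (!consent) return { load: false, reason: 'no-consent' };
  return { load: true, reason: 'consented' };
}

// Injects the pixel script tag only when pixelDecision allows it.
function loadPixelIfAllowed(doc, store, path, opts = {}) {
  const decision = pixelDecision(store, path, opts);
  if (decision.load) {
    const s = doc.createElement('script');
    s.async = true;
    s.src = PIXEL_SRC;
    doc.head.appendChild(s);
  }
  return decision;
}

// Constructed stand-ins for localStorage and document so the example runs offline.
function makeFakeStore() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
function makeFakeDoc() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head, createElement: tag => ({ tag }) };
}

// Usage walk-through on the fake objects.
const store = makeFakeStore();
const doc = makeFakeDoc();
console.log(loadPixelIfAllowed(doc, store, '/services/new-treatment')); // no-consent, nothing injected
recordConsent(store, true);                                              // visitor accepts the pop-up
console.log(loadPixelIfAllowed(doc, store, '/services/new-treatment')); // consented, script injected
console.log(loadPixelIfAllowed(doc, store, '/portal/messages'));        // patient-only-page, suppressed
```

The order of the checks is deliberate: the patient-only path and known-patient rules run before the consent lookup, so an accepted banner can never override them. Because `readConsent` only honours an affirmative, well-formed record, a declined pop-up, a cleared value or a tampered cookie all fail closed to “no pixel”, which is the safe default for a site that may be visited by patients.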
Custom and lookalike audiences
This is perhaps the most powerful feature of the Facebook advertising platform.
You can create custom audiences from different targeting criteria based on people who visit certain pages of your website, or from lists.
When you upload a list of names, emails, addresses, etc., Facebook will match it against its user data to identify who is a Facebook user.
From there Facebook can create a lookalike audience based on the list you have uploaded.
For many businesses, using a customer list is very powerful because Facebook will basically help you target people who are similar in profile to your current customers, allowing you to be in front of an audience more likely to convert.
But for healthcare organizations, this is extremely dangerous for HIPAA compliance.
And that’s because Facebook advertising was not built with HIPAA regulations in mind, and they will not sign a BAA.
This effectively means that you shouldn’t use patient lists to create custom audiences.
But you can use core targeting filters to narrow an audience that matches your customers such as age, location, occupation, interests, and more.
You can find more detail about the risks of social media marketing here.
Minimize your risk from the beginning
Regardless of what digital marketing strategy you use, there are a few things to keep in mind to minimize your risk of a breach.
- Develop a policy on the use of PHI in your organization’s marketing program, including who has access.
- Train your marketing departments regularly to make sure they understand HIPAA requirements.
- Document your marketing campaigns with clear reasoning on why PHI is included when applicable.
- Make sure there is a clear way for patients to opt-in and opt-out of receiving marketing communication.
- Monitor the implementation of the policy.
Although HIPAA is often seen as a road block to implementing many digital marketing strategies, it doesn’t have to be.
There are lots of ways to utilize cutting-edge marketing and still be HIPAA compliant if you use the right tools, like our email marketing solution, Paubox Marketing.
As long as the right policies and procedures are implemented from the beginning, any healthcare organization can be more efficient and have a bigger return on investment from their marketing strategies.