HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities (CEs) and their business associates (BAs) must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI). We know the HIPAA industry is vast and that it is important to properly advertise your organization while remaining HIPAA compliant. This is especially true with the recent digital transformation in healthcare and the current need to function more remotely. Today, we will determine if Facebook Ads is HIPAA compliant or not.
About Facebook Ads
Created in 2004, Facebook is the world’s largest social network with over 3 billion active users today. More than half log on every day.
At present, a variety of services, including the social network, form Facebook:
Given the company’s reach, it makes sense for Facebook to utilize in-app ads as revenue sources. Facebook Ads was introduced in 2007 as a way to connect users with targeted advertising.
RELATED: Is Facebook Pixel HIPAA Compliant?
It uses pay-per-click (PPC) advertising (what Facebook calls cost-per-click). Advertisers pay each time someone clicks an ad. Facebook Ads generated close to $84.2 billion in 2020.
Facebook Ads and the business associate agreement
A major part of HIPAA compliance is signing a business associate agreement (BAA) with a BA. A BA is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI. For example, Facebook Ads would be a business associate if it handles PHI.
RELATED: Is a Name PHI?
Generally, the HIPAA Privacy Rule allows CEs to disclose PHI to a BA if they receive assurance that the information is protected through a signed BAA. Similar to other social media platforms, Facebook will not sign a BAA.
Facebook Ads and HIPAA marketing
Another HIPAA Privacy Rule guideline addresses marketing by giving “individuals important controls over whether and how their [PHI] is used and disclosed for marketing purposes.” In most cases, a CE must have a patient’s authorization before marketing to them or using their PHI. Keep in mind that there is a distinction between the types of communication that HIPAA considers marketing and when this permission is necessary.
Targeted PPC advertisements (largely based on keyword searches) are generally allowed under HIPAA. At the same time, retargeting (using cookies to bring your ad to users who visited your website) is not. Facebook Ads does not have a firm policy on healthcare advertisements, unlike Google Ads. Moreover, the company did not build its advertising program considering HIPAA regulations.
Facebook Ads also collects data for retargeted campaigns and does not ban this type of marketing when CEs do it. Finally, the company also relies on building custom audiences, which use tools similar to retargeting to create personalized, lookalike audiences from website visitors.
Is Facebook Ads HIPAA compliant?
The BAA is a key component of HIPAA compliance, and Facebook does not offer a BAA. Furthermore, Facebook relies on retargeting and collecting user data for its advertising program. While Facebook seems like the ideal platform to share messages and increase brand awareness, if a breach or HIPAA violation occurs and any PHI is exposed, the CE is liable. And such breaches do occur, such as the 2018 breach that affected almost 50 million Facebook accounts.
Conclusion
Facebook Ads, like all Facebook services, is not HIPAA compliant.
Paubox Marketing—a sound alternative
While there are many ways that CEs can market to patients or potential patients, one of the best methods today is healthcare email marketing using HIPAA compliant email. Paubox Marketing allows recipients to view marketing emails like regular emails but with strong encryption and email security at all times.
Paubox will not only sign a BAA but will also work tirelessly to keep you and your patients safe. There are no extra steps for the sender or the receiver and no worry about leaked PHI. Use HIPAA compliant email marketing not only to create personalized marketing campaigns but also to maintain PHI security.
RELATED: Healthcare Email Marketing Use Cases