HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities (CEs) and their business associates (BAs) must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI). We know the HIPAA industry is vast and that it is important to properly advertise your organization while remaining HIPAA compliant. This is especially true with the recent digital transformation in healthcare and the current need to function more remotely. Today, we will determine if Google Ads is HIPAA compliant or not.
About Google Ads
Founded in 1998, Google currently sees more than 70% of worldwide online search requests. There are over 5.6 billion Google searches a day. Soon after its establishment as a search engine, Google expanded into related products and services. This includes a browser, email, cloud storage, entertainment, and even workplace tools.
Many CEs use Google products for patient care, including Google Ads (formerly known as Google AdWords). Google Ads is the biggest provider of search advertising on the market. Started in 2000, Google Ads became the first-ever self-serve online advertising platform. It runs on pay-per-click (PPC) advertising—users pay each time someone clicks an ad.
Google Ads and the business associate agreement
A major part of HIPAA compliance is signing a business associate agreement (BAA) with a business associate (BA). A BA is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI. For example, Google Ads would be a business associate if it handles PHI.
RELATED: Is a Name PHI?
|Google Drive||Google Hangouts|
|Hangouts Meet||Google Keep|
|Google Cloud Search||Google Sites|
Unfortunately, Google Ads does not appear on the list.
Google Ads and HIPAA marketing
Another HIPAA Privacy Rule guideline addresses marketing by giving “individuals important controls over whether and how their [PHI] is used and disclosed for marketing purposes.” In most cases, a CE must have a patient’s authorization before marketing to them. Keep in mind that there is a distinction between the types of communication that HIPAA considers marketing and when this permission is necessary.
Targeted PPC advertisements (largely based on keyword searches) are generally allowed under HIPAA. At the same time, retargeting (using cookies to bring your ad to users who visited your website) is not. As a leader in PPC advertising, Google has firm rules when it comes to healthcare ads. According to Google, its policies “are design[ed] not only to abide by laws but to ensure a safe and positive experience for [their] users.”
As Google Ads is not covered under Google's BAA, the company will disapprove of ads that do not meet HIPAA standards or other laws. It does not allow to CEs to retarget ads and frequently disapproves of display advertising (using banners on social media or apps).
Is Google Ads HIPAA compliant?
The BAA is a key component of HIPAA compliance and Google Ads does not appear to be covered under Google's BAA. Google Ads puts restrictions on what can be included in a healthcare ad, and if a breach or HIPAA violation occurs and any PHI is exposed, the CE is liable.
Conclusion Google Ads is not HIPAA compliant.
Paubox Marketing—a sound alternative
While there are many ways that CEs can market to patients or potential patients, one of the best methods today is healthcare email marketing using HIPAA compliant email. Paubox Marketing allows recipients to view marketing emails like regular emails but with strong encryption and email security at all times.
Paubox will not only sign a BAA but will also work tirelessly to keep you and your patients safe. No extra steps for the sender or the receiver and no worry about leaked PHI. Use HIPAA compliant email marketing to not only to create personalized marketing campaigns but also to maintain PHI security.