HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities (CEs) and their business associates (BAs) must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI). We know the HIPAA industry is vast and that it is important to properly advertise your organization while remaining HIPAA compliant. This is especially true with the recent digital transformation in healthcare and the current need to function more remotely. Today, we will determine if LinkedIn Ads is HIPAA compliant or not.
About LinkedIn Ads
LinkedIn was founded in 2002 and is one of the largest social networks in the world.
The company connects business professionals and/or job searchers together. In 2014, there were over two million active North American CEs on LinkedIn. The first LinkedIn advertisement ran in 2005. Advertisements are on the LinkedIn feed or its messenger, through pointed texts or by targeting an audience, or a combination of all four. The actual format depends on an organization’s need. And like other social media platforms, ads can run on pay-per-click (PPC) or cost-per-impression advertising—users pay each time someone clicks an ad.
LinkedIn Ads and the business associate agreement
A major part of HIPAA compliance is signing a business associate agreement (BAA) with a BA. A BA is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI. For example, LinkedIn Ads would be a BA if it handles PHI.
RELATED: Is a Name PHI?
Generally, the HIPAA Privacy Rule allows CEs to disclose PHI to a BA if they receive assurance that the information is protected through a signed BAA. LinkedIn will not sign a BAA. This includes LinkedIn Ads.
LinkedIn Ads and HIPAA marketing
Another HIPAA Privacy Rule guideline addresses marketing by giving “individuals important controls over whether and how their [PHI] is used and disclosed for marketing purposes.” In most cases, a CE must have a patient’s authorization before marketing to them. Keep in mind that there is a distinction between the types of communication that HIPAA considers marketing and when this permission is necessary.
Targeted PPC advertisements (largely based on keyword searches) are generally allowed under HIPAA. At the same time, retargeting (using cookies to bring your ad to users who visited your website) is not. LinkedIn Ads does not have a firm policy on healthcare advertisements. Moreover, LinkedIn uses both targeting and retargeting campaigns.
While a LinkedIn blog addresses marketing for healthcare, there is no mention of HIPAA, PHI, or patient privacy.
Is LinkedIn Ads HIPAA compliant?
The BAA is a key component of HIPAA compliance and LinkedIn will not sign a BAA. Furthermore, LinkedIn Ads relies on both targeting and retargeting in its marketing campaigns. LinkedIn Ads puts no restrictions on what can be included in an advertisement. If a breach or HIPAA violation occurs and any PHI is exposed, the CE is liable.
Conclusion LinkedIn Ads is not HIPAA compliant.
Paubox Marketing—a sound alternative
While there are many ways that CEs can market to patients or potential patients, one of the best methods today is healthcare email marketing using HIPAA compliant email. Paubox Marketing allows recipients to view marketing emails like regular emails but with strong encryption and email security at all times.
Paubox will not only sign a BAA but will also work tirelessly to keep you and your patients safe. No extra steps for the sender or the receiver and no worry about leaked PHI. Use HIPAA compliant email marketing not only to create personalized marketing campaigns but also to maintain PHI security.