The Importance of HIPAA-Compliance in Healthcare Marketing

Healthcare providers live and breathe by HIPAA regulations. Unfortunately many don't realize how much HIPAA regulations also tie into their marketing efforts. If you or your marketing company is capturing patient data, double check that you are doing so in a secure, HIPAA-compliant environment. Below are a couple of common marketing tactics that are often not compliant under HIPAA regulations.

Website Contact Forms

The most common issue we see on a daily basis are website contact forms that is not HIPAA compliant. As soon as someone visits your site, enters their information into the contact form and presses submit, you are liable for that information. We've all filled out the standard contact form (name, email, phone, message) without a second thought. But think about where your information is going. Contact forms can send information to anyone: your appointment scheduler, the doctor, the marketing company you used 5 years ago who built the site, an old employee's email address, and the list goes on and on. Without securing your contact form submissions, all of those people mentioned above now have access to protected health information (PHI).

So how do you protect your patients and your business from this liability? Luckily there are HIPAA-compliant form systems available that not only utilize encryption but are completely HIPAA compliant, so you can be assured that your patient data is secure.

A good option is Jotform, which is reasonably priced and 100% HIPAA compliant.

Call Tracking & Recording

Call tracking is a valuable tool for any marketer. You can track where calls came from and listen to all recorded calls to determine if a specific marketing campaign lead to a new patient. Depending on your state, call recording has specific requirements, but for healthcare companies anywhere, it's obvious that recording calls falls under PHI and HIPAA regulations. We're lucky that there is now HIPAA-compliant call tracking software available. But some companies utilize call tracking software that is not HIPAA compliant and doesn't store data in a secure manner. By utilizing HIPAA-compliant call tracking and recording, you can be certain that your patient data is secure and that only those with access to the call tracking program will have access to PHI.

A good option is CallRail, which charges per phone number and is 100% HIPAA compliant.

Responding to Online Review

This is a truly grey area when it comes to HIPAA compliance. Some say not to reply to reviews at all because that establishes that the reviewer is a patient. Others say that as long as you don't offer any protected health information, you are following HIPAA guidelines. We tend to fall somewhere in the middle. When we respond to patient reviews, we never offer any PHI or reference any procedure or condition that may have been referenced by the reviewer. Here's an example:

Patient Review: "I had a wonderful experience during my last visit. I feel much better after visiting Dr. Smith."

Response: "Thank you for the kind words. We strive to provide the best care to each of our patients."

Though this is not as warm of a response as it could be, we like to take a bit of a conservative approach so as not to give any details about the patient's visit.

As with anything, it's often wise to double check your marketing efforts to make sure you are fully HIPAA compliant.  Just remember that anytime you store or exchange patient data, you must do so with HIPAA guidelines in mind. This could fall under the realm of emails, social media reviews, call tracking, online forms and other online sources.

If you have questions about any of your marketing efforts, please feel free to reach out to Crosby Digital Marketing and we'll be happy to take a look.