HIPAA Compliance for Digital Marketing Companies

Here in Cleveland, we have a local pseudo-celebrity named Tim Misny, a personal injury lawyer whose slogan—“Tim Makes Them Pay!”—has gone viral. His bald head and flamboyant lifestyle have brought a sense of fun and humor to an otherwise dismal industry, even inspiring this parody rap video.

When it comes to online healthcare marketing, companies need to approach HIPAA compliance with significant care and due diligence—so they don’t have to be the ones paying at the end. At a recent seminar held by Brian Rosenfeldt of Skoda Minotti, I learned a ton about HIPAA compliance for marketing companies that I wanted to share with Fathom’s loyal blog readers. Of course, I’m a marketer, not a lawyer, and the actual act is 138 pages long, but here is some advice to consider.

To start, HIPAA covers protected health information (PHI), which is defined as any record that contains personal healthcare information and unique personal identification. PHI doesn’t just mean your hospital record or dental chart (by the way, direct service providers are known as “Covered Entities”); under HIPAA, any vendor that could potentially come into contact with PHI is considered a “Business Associate” and must take steps to ensure privacy, security, and regular employee education about the rules and regulations.

As a digital marketer, it is your responsibility to ensure that any PHI you’re collecting for your clients is protected. Not sure what PHI you’re collecting, or how secure it is? Perform a risk assessment to ask all the right questions and understand all the critical factors: Who has access to the data? What type of data are you collecting: form submissions, email click-thrus, etc.? How might your PHI be accidentally or intentionally disseminated, and what would you do if that awful situation happens? A good risk assessment for digital healthcare marketing would cover your processes, procedures, people, and technology. For example, one easy step to protect yourself and your clients is to use encryption for any email that might contain PHI, like a call-tracking report. Moreover, think about signing Business Associate Agreements (BAAs) with the Covered Entities that you work with, so everyone is covered—just in case.

So, I know what you’re thinking, “Matt, that is a boatload of work! Can’t I just go with the old saying, ‘Ignorance is bliss’ and ignore your entire blog post?” Well, unfortunately, ignorance was bliss. The penalties for non-compliance are stiff, including civil penalties, criminal penalties (yes, people have gone to prison for peeking unnecessarily at PHI), and even the State Attorneys General could come after you.

The good news, and also the bad news, is that no company can ever claim full HIPAA compliance or HIPAA certification, because those distinctions simply don’t exist. But together, we can work to ask the right questions about HIPAA, develop answers, and market healthcare organizations more effectively.

After all, the last person any digital healthcare marketer wants to see is Tim Misny knocking on the office door!

Photo courtesy of Klearchos Kapoutsis via Flickr.

About Fathom Team Member


  • Unique article. Knowledge on the effects of not having proper security and privacy in place will definitely ensure a proper marketing structure.

    Good read, Matt.

  • Great overview, Matt! I’d love to add a couple of things that we’ve seen in doing HIPAA work for a digital and print marketing company:

    (1) The marketing company’s clients may audit the marketing company’s security and privacy. We’ve been on the receiving end of a bunch of these, and they can range from 100 – 500 question surveys followed by site inspections. In fact, many banks and hospitals now have dedicated teams — all they do is audit the security of their third party vendors.

    (2) While it hasn’t happened yet, it’s widely expected that the Department of Health and Human Services will also start to audit Business Associates in the near future as well. And it doesn’t matter whether you’ve signed one of the Business Associate Agreements you mention in your post — if you have the kind of sensitive data you talk about, you can be audited.

    Scary as it all sounds, the good news is that this is stuff that most businesses should be doing anyway. Nobody wants to end up on the front page of a news site or lose a key customer because they were hacked or lost a laptop filled with sensitive data. There’s a pretty methodical way for breaking up the overwhelming task of “improving security” and making steady progress towards better security.

    Great post!

  • […] need to be concerned. The point of this blog post is to make you think about it. Here is one marketer’s take on the issue. If you do a lot of marketing work for medical practices, doctors or hospitals, you should […]

  • Really, no agency can claim to be HIPAA compliant? Interesting.

    Ugh, I just want to collect basic info and not do anything with it. Just report results to the client.

    Very annoying.

    Great post, Matthew.
