Here in Cleveland, we have a local pseudo-celebrity named Tim Misny, a personal injury lawyer whose slogan—“Tim Makes Them Pay!”—has gone viral. His bald head and flamboyant lifestyle have brought a sense of fun and humor to an otherwise dismal industry, even inspiring this parody rap video.
When it comes to online healthcare marketing, companies need to approach HIPAA compliance with significant care and due diligence—so they don’t have to be the ones paying at the end. At a recent seminar held by Brian Rosenfeldt of Skoda Minotti, I learned a ton about HIPAA compliance for marketing companies that I wanted to share with Fathom’s loyal blog readers. Of course, I’m a marketer, not a lawyer, and the actual act is 138 pages long, but here is some advice to consider.
To start, HIPAA covers protected health information (PHI): health information that is tied to an identifiable individual through details such as a name, date of birth, phone number, email address or IP address. PHI is not just your hospital record or dental chart, and it does not stay inside the provider's walls. The providers and insurers that create it are known as "Covered Entities"; under HIPAA, any vendor that creates, receives, stores or transmits PHI on a Covered Entity's behalf is a "Business Associate" and must take steps to ensure privacy, security, and regular employee education about the rules and regulations.
As a digital marketer, it is your responsibility to ensure that any PHI you collect for your clients is protected. Not sure what PHI you're collecting, or how secure it is? Perform a risk assessment that asks the right questions and covers the critical factors: Who has access to the data? What type of data are you collecting: form submissions, email click-throughs, call-tracking reports? Where is it stored, and for how long? How might PHI be accidentally or intentionally disclosed, and what would you do if that awful situation happens? A good risk assessment for digital healthcare marketing covers your processes, procedures, people, and technology. For example, one easy step to protect yourself and your clients is to encrypt any email that might contain PHI, like a call-tracking report, rather than sending it in the clear. Moreover, sign Business Associate Agreements (BAAs) with the Covered Entities you work with; HIPAA requires one wherever a vendor handles PHI on a Covered Entity's behalf, and the agreement spells out who is responsible for what if something goes wrong.
So, I know what you’re thinking, “Matt, that is a boatload of work! Can’t I just go with the old saying, ‘Ignorance is bliss’ and ignore your entire blog post?” Well, unfortunately, ignorance was bliss. The penalties for non-compliance are stiff, including civil penalties, criminal penalties (yes, people have gone to prison for peeking unnecessarily at PHI), and even the State Attorneys General could come after you.
The good news, and also the bad news, is that no company can ever claim to be "fully HIPAA compliant" or "HIPAA certified," because there is no official certification and compliance is an ongoing obligation rather than a one-time achievement. But together, we can work to ask the right questions about HIPAA, develop answers, and market healthcare organizations more effectively.
After all, the last person any digital healthcare marketer wants to see is Tim Misny knocking on the office door!
Check out Fathom’s white paper on social media in the top 15 health systems.
Photo courtesy of Klearchos Kapoutsis via Flickr.