
Fathom's Blog

A Sales Acceleration & Digital Marketing Blog


HIPAA Compliance for Digital Marketing Companies

By | May 2, 2013

Here in Cleveland, we have a local pseudo-celebrity named Tim Misny, a personal injury lawyer whose slogan—“Tim Makes Them Pay!”—has gone viral. His bald head and flamboyant lifestyle have brought a sense of fun and humor to an otherwise dismal industry, even inspiring this parody rap video.

When it comes to online healthcare marketing, companies need to approach HIPAA compliance with significant care and due diligence—so they don’t have to be the ones paying at the end. At a recent seminar held by Brian Rosenfeldt of Skoda Minotti, I learned a ton about HIPAA compliance for marketing companies that I wanted to share with Fathom’s loyal blog readers. Of course, I’m a marketer, not a lawyer, and the actual act is 138 pages long, but here is some advice to consider.

To start, HIPAA covers protected health information (PHI), which is defined as any record that contains personal healthcare information and unique personal identification. PHI doesn’t just mean your hospital record or dental chart (by the way, direct service providers are known as “Covered Entities”); under HIPAA, any vendor that could potentially come into contact with PHI is considered a “Business Associate” and must take steps to ensure privacy, security, and regular employee education about the rules and regulations.

As a digital marketer, it is your responsibility to ensure that any PHI you’re collecting for your clients is protected. Not sure what PHI you’re collecting, or how secure it is? Perform a risk assessment to ask all the right questions and understand all the critical factors: Who has access to the data? What type of data are you collecting: form submissions, email click-throughs, etc.? How might your PHI be accidentally or intentionally disseminated, and what would you do if that awful situation happens? A good risk assessment for digital healthcare marketing would cover your processes, procedures, people, and technology. For example, one easy step to protect yourself and your clients is to use encryption for any email that might contain PHI, such as a call-tracking report. Moreover, think about signing Business Associate Agreements (BAAs) with the Covered Entities that you work with, so everyone is covered—just in case.

So, I know what you’re thinking, “Matt, that is a boatload of work! Can’t I just go with the old saying, ‘Ignorance is bliss’ and ignore your entire blog post?” Well, unfortunately, ignorance was bliss. The penalties for non-compliance are stiff, including civil penalties, criminal penalties (yes, people have gone to prison for peeking unnecessarily at PHI), and even the State Attorneys General could come after you.

The good news, and also the bad news, is that no company can ever claim full HIPAA compliance or HIPAA certification, because those distinctions simply don’t exist. But together, we can work to ask the right questions about HIPAA, develop answers, and market healthcare organizations more effectively.

After all, the last person any digital healthcare marketer wants to see is Tim Misny knocking on the office door!


Check out Fathom’s white paper on social media in the top 15 health systems.

Healthy Conversations

Photo courtesy of Klearchos Kapoutsis via Flickr.



About Matthew Fieldman

With 12 years of experience working in nonprofits all over the world, Matt became a leader in Fathom’s healthcare practice in 2012. Matt’s healthcare clients include organizations from small regional addiction recovery centers to massive hospital systems, from regional health insurance providers to the nation’s largest provider of senior assisted living solutions. Matt’s educational background includes a Bachelor of Science in Psychology from the University of Florida in 2000, a Master’s in Business Administration from The George Washington University in 2005, and a Certificate in Nonprofit Management from Case Western Reserve University in 2010. He attended the 2013 Mayo Clinic Social Media Residency in June 2013 and spoke at the Greystone Healthcare Internet Conference in November 2013. Matt is an alum of Cleveland Bridge Builders 2011, was named an Ariane de Rothschild Fellow, and was selected to Cleveland’s “25 Under 35.”


  • Lawyer James

    Unique article. Knowledge on the effects of not having proper security and privacy in place will definitely ensure a proper marketing structure.

    Good read, Matt.

  • Josh Ablett

    Great overview, Matt! I’d love to add a couple of things that we’ve seen in doing HIPAA work for a digital and print marketing company:

    (1) The marketing company’s clients may audit the marketing company’s security and privacy. We’ve been on the receiving end of a bunch of these, and they can range from 100 – 500 question surveys followed by site inspections. In fact, many banks and hospitals now have dedicated teams — all they do is audit the security of their third party vendors.

    (2) While it hasn’t happened yet, it’s widely expected that the Department of Health and Human Services will also start to audit Business Associates in the near future as well. And it doesn’t matter whether you’ve signed one of the Business Associate Agreements you mention in your post — if you have the kind of sensitive data you talk about, you can be audited.

    Scary as it all sounds, the good news is that this is stuff that most businesses should be doing anyway. Nobody wants to end up on the front page of a news site or lose a key customer because they were hacked or lost a laptop filled with sensitive data. There’s a pretty methodical way for breaking up the overwhelming task of “improving security” and making steady progress towards better security.

    Great post!

  • Pingback: The Online Marketer's Guide to Privacy | eMedia Law Insider

  • Jason Diller

    Really, no agency can claim to be HIPAA compliant? Interesting.

    Ugh, I just want to collect basic info and not do anything with it. Just report results to the client.

    Very annoying.

    Great post Matthew.
