So, you think you know the rules when it comes to HIPAA, but do you know how it relates to your marketing?
HIPAA, or the Health Insurance Portability and Accountability Act, provides data privacy and security provisions for safeguarding patients’ medical information. It applies to organizations that are considered HIPAA-covered entities, including health plans, healthcare clearinghouses and healthcare providers. Private health information like names, social security and health plan numbers, vehicle identifiers, fingerprints or facial images are some of the information protected by HIPAA.
The HIPAA Privacy Rule defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service”. With limited exceptions, the rule requires an individual’s written authorization before his or her protected health information can be used for marketing. (It’s important to note that the HIPAA Privacy Rule distinguishes marketing communications from those communications regarding goods and services that are essential for quality health care.)
When considering sending direct mail within the healthcare community, it’s important to remember that HIPAA is, ultimately, there to protect patient health data and to protect your business against violations and fines. However, there are still ways that your team can market without putting patients’ privacy at risk. Here are a few ideas to get you started.
- Don’t create ads, posts or emails using patient information without obtaining explicit permission from the patients involved.
- Don’t allow staff members to take any photos or videos, including cell phone photography, within the practice if there is the potential that personal information will be visible.
- Create and enforce social media policies for employees limiting what they can and cannot post.
- Ensure that any third-party agencies, photographers or vendors are HIPAA compliant. Legal Business Associate Agreements must be executed with all vendors, including marketing firms.
- Encrypt any email sent to patients that contains personal information, including name and email address.
- Receive explicit authorization from patients before sending them any direct mail.
- Send marketing communications via certified mail and require the intended recipient’s signature.
- Clearly and prominently identify your organization (if you are the one sending it).
- Include clear opt-out instructions.
- Explain why the recipient has been targeted with your communication and how the product or service you’re selling relates to the health of the individual.
- Disclose whether a covered entity, such as a healthcare provider or partner, has received or will receive direct or indirect remuneration for making the communication.