As a medical practice owner, you know how important it is to protect your patients’ Personal Health Information. You’ve likely invested in secure servers, EHRs, and even a fax machine to make sure you’re doing everything you need to be responsible with medical records.
But, have you considered how you’re protecting the information of those people who haven’t yet become your patients? In marketing your practice, you’re communicating with future patients and collecting health-related information. This all needs to be protected with the same amount of diligence as the information you gather during an office visit.
HIPAA and Medical Practice Marketing
HIPAA compliance is a “must have” element in every aspect of your digital marketing strategy. The difficulty for healthcare marketers is that the guidelines are actually quite vague on exactly how practices can be compliant in today’s digital marketing landscape.
While we can’t give legal advice, we can give you some best practices to be more secure in your marketing efforts.
Collecting Patient Data
You may not realize it, but quite a bit of information about patients is being collected in your digital marketing strategy.
When an interested patient fills out a new patient form on your website, they’ve given you PHI data that you are now responsible for keeping HIPAA compliant.
The same is true with medical practice reviews or testimonials you collect to promote on social media. A person’s name, image, and descriptions of their pain or medical history all must be thought of not just as marketing data, but patient data.
Consider the example of a public patient review left on a public forum such as Google, Yelp, or a social media platform. Such a review inherently contains PHI. A public response from the practice or company is nearly always recommended, but taking the conversation offline can be the best way to remain compliant and avoid disclosing any PHI.
Storing and Transmitting Patient Data for Your Medical Practice
Patient data must be encrypted: Patient-related information contained in contact forms, appointment request forms and online check-in forms is at risk and must be encrypted.
You can protect this private information by using an SSL certificate on your website. SSL encryption complies with HIPAA’s data encryption standards and keeps patient information safe while it travels between the visitor’s browser and your server.
But you need to take your PHI protection a step further with a HIPAA compliant CRM. Think about it like this: when a potential patient fills out a form on your website, and thus submits PHI, that information will be stored somewhere. That somewhere shouldn’t be a Google Sheet; it should be a CRM. And your CRM must be HIPAA compliant to protect patient data AND minimize your risk of a data breach and the resulting penalties.
As medical marketing experts, RUNNER Agency offers access to a HIPAA compliant CRM to our clients to ease the (often endless) process of researching HIPAA compliant CRMs. Request a consultation with us to learn more about our HIPAA compliant CRM package.
Business Associate Agreement for Agencies and Software
It is in your best interest to have a Business Associate Agreement (BAA) with any and all parties who may encounter PHI as a result of working with your medical practice, including your marketing agency.
If you’ve partnered with a marketing agency for paid digital advertising, they may need access to PHI to assess the ROI of marketing efforts. They will need access to the CRM to detail which campaigns were the most successful: which campaigns not only generated the most new patients, but how many of those patients actually scheduled an appointment, or even the revenue those patients produced.
As medical marketing experts, we sign a BAA with our client to be able to prove that return on investment and help grow practice revenue.
HIPAA-Compliant Medical Practice Website Hosting
A commonly overlooked aspect of HIPAA compliance is hosting. Yes, your hosting must be HIPAA compliant and have processes for protecting PHI. This is really important, because the host is potentially handling Protected Health Information (PHI) on your behalf.
Any breaches they have could reflect back onto your practice. I’ve been trying to drive this important point home; the update in the Omnibus Rule says you are now potentially liable for your subcontractor’s violations. YOU ARE NOT RESPONSIBLE FOR SUPERVISING YOUR SUBCONTRACTOR’S COMPLIANCE PROCESS, BUT YOU MUST VERIFY THEIR COMPLIANCE BEFORE ACCEPTING A SIGNED SUBCONTRACTOR’S BUSINESS ASSOCIATE AGREEMENT. If they will not show you their policies and procedures, you probably shouldn’t be doing business with them.
SSL Certificate for Your Medical Practice Site
SSL is not optional; it is a must-have for any medical practice site. One of the first steps you must take to ensure your website is HIPAA compliant is to make sure you have an SSL certificate for your website.
Without SSL, a website is technically insecure: if a computer sits between the visitor and your web server, its operator can read all data passing through, such as usernames, passwords and any other sensitive data sent from the visitor’s computer to the web server. When a website has an SSL certificate (when there is an “s” after http – https://), the transmissions from the visitor’s computer to the server are encrypted and unreadable by any third party.
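The form and SSL points above (patient forms must travel encrypted, and a plain-HTTP page or form endpoint exposes everything the visitor types) can be checked rather than assumed. The following is an added example, not code from the original article or from RUNNER Agency: it parses a saved copy of a practice web page offline and flags any form whose submission would leave the visitor’s browser over plain HTTP, plus a missing HSTS header; the URL, page markup and headers are constructed samples.

```python
# Added example (not from the original article): flag forms on a practice web page
# that would carry visitor data over plain HTTP. Offline, standard library only;
# the sample page, URL and headers are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record the action attribute of every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # An empty/missing action submits back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_page(page_url, html, response_headers):
    """Return a list of findings (empty list = transport checks passed)."""
    findings = []
    headers = {k.lower(): v for k, v in response_headers.items()}
    scheme = urlsplit(page_url).scheme
    if scheme != "https":
        findings.append(f"page served over {scheme}: {page_url}")
    # HSTS makes browsers refuse plain-HTTP connections on later visits.
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header")
    collector = _FormCollector()
    collector.feed(html)
    for action in collector.actions:
        target = urljoin(page_url, action)  # relative actions inherit the page scheme
        if urlsplit(target).scheme != "https":
            findings.append(f"form posts over plain HTTP: {target}")
    return findings


# Constructed sample: an https page whose appointment form still posts to an http endpoint.
SAMPLE_URL = "https://www.example-practice.test/new-patients"
SAMPLE_HTML = (
    '<form action="http://forms.example-practice.test/appointment" method="post">'
    '<input name="name"><input name="reason_for_visit"></form>'
    '<form action="/contact" method="post"><input name="email"></form>'
)
SAMPLE_HEADERS = {"Content-Type": "text/html"}  # no HSTS header

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_URL, SAMPLE_HTML, SAMPLE_HEADERS):
        print("FINDING:", finding)
```

Feed it the URL, saved HTML and response headers of each page that carries a new-patient, contact or check-in form; a form whose action points at a third-party http:// endpoint is the case a padlock icon on the page itself will not reveal.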
Email Marketing Best Practices
Email marketing is key to communication with leads as well as existing patients.
An email containing PHI must be encrypted: Even basic information as simple as a name and email address of a patient can be considered PHI. So the best practice is to encrypt all professional emails. You can either choose to manually encrypt each professional email before sending it out or use a HIPAA-compliant automated service.
Make sure email marketing services are HIPAA-compliant: Just because you are paying for a service, do not make the mistake of assuming it is HIPAA-compliant. In fact, many email marketing services are designed for corporate use. When choosing an email marketing service, ensure that it offers HIPAA-compliant emails.
Never send email communication to patients who did not request it. Most practices ask for patients’ email addresses on their sign-in forms. However, unless the patient has indicated that he or she wishes to receive emails from your practice, you should avoid sending any email. You can simplify this process by adding a question about the patient’s communication preferences on your sign-in forms. However, even when the patient requests email communication, you must ensure appropriate safety measures.
Inform patients about the potential risks of email communication: Despite taking all security measures on your end, there is a good chance that your patients’ email services are not secure enough to prevent potential breaches. It is important that your patients understand this risk before agreeing to email communication with your practice.
High-Performing Medical Marketing Can Be Secure, Too
As you know, HIPAA compliance is not something you should cut corners on. If you are going to work with medical partners to help grow your medical practice, you should expect them to adhere to best practices for keeping data secure.
This can feel overwhelming. It’s why you need guidance from an experienced partner like RUNNER. It’s also why we offer a HIPAA compliant CRM to our clients. Reach out to request a free consultation and speak with one of our experts, or to get a demo of our HIPAA compliant CRM.