Dr. Google knows it all! Or at least, the nearly billion searchers surfing the internet for health-related queries would seem to think so. According to CNN’s analysis of a Google Trends 2018 report, health-related subjects rank among the most popular searches.[1]
Google Health’s Vice President David Feinberg stated that one in 15 Google searches is health-related. This is nearly 7% of the daily searches worldwide, or 70,000 searches per minute.[2] In the post-pandemic world, this number has most likely doubled or tripled, and not merely for Covid-19 related questions.
For your medical practice, the implications are rather obvious. Most patients begin their health journey online, so leveraging your digital footprint and social media presence is essential to growing your patient base. However, unlike other industries that make hard sales to remain connected and competitive, the healthcare marketing industry must also consider a third ‘C,’ namely compliance.
At Wisevu, compliance is one of our most critical considerations when it comes to healthcare marketing. We are HIPAA compliant, and in this article, we’ll decode some of HIPAA’s most essential terminologies.
HIPAA stands for the Health Insurance Portability and Accountability Act. It is a US-mandated federal law that aims to reform the healthcare industry by reducing costs, simplifying various administrative processes, and improving the privacy and security of individuals’ protected health information (PHI). PHI includes any identifiable information, regardless of the form in which it is maintained, relating to an individual’s past, present or future health condition. When the PHI is in electronic form, it is called e-PHI.
HIPAA seeks to protect any kind of data that falls under the purview of ‘PHI’. Under HIPAA, the individual has a say in how his/her/their sensitive health information is used and disclosed.
Primarily, there are two types of organizations regulated under HIPAA: Covered Entities and Business Associates.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) healthcare clearinghouses, and (3) healthcare providers who electronically transmit any health information in connection with transactions for which the HHS (Department of Health and Human Services) has adopted standards.
Providers who send electronic claims transaction information directly or via an intermediary to a health plan are also covered entities, including hospitals, academic medical centers, physicians, and other health care providers. These entities may be individuals or organizations. According to HIPAA, these covered entities are directly regulated and required by law to put together a set of safeguards to protect the PHI to which they have direct access.
Business associates are the third parties with whom covered entities share information in the course of their work and to perform their tasks. Business associates could include insurance brokers, medical billing companies, marketing agencies, answering companies, software companies that are working with the covered entity and so on.
Business Associates may receive information directly from the covered entity or another third party (another business associate). Business Associates, too, are directly regulated and required to be HIPAA compliant, i.e. have the proper safeguards to protect PHI.
Under HIPAA, covered entities can share PHI with a business associate only if they too are HIPAA compliant. The business associate, in turn, can share information with another business associate only if the secondary business associate is HIPAA compliant. This assurance is passed along the chain through a vital piece of documentation called the Business Associate Agreement (BAA).
When a business associate agreement or a business associate contract is signed, the signing party legally attests to the covered entity OR business associate of the covered entity that they are HIPAA compliant and that they too will abide by HIPAA.
As the information is passed down from one provider to the next, each subsequent business associate further down the chain is equally responsible for maintaining the privacy and security of the data, and commits to this by signing the business associate agreement.
While HIPAA has several parts, healthcare practices need to be cognizant of two aspects, in particular, the HIPAA Privacy Rule and the HIPAA Security Rule.
HIPAA Privacy Rule
HIPAA Security Rule
Keeping track of these rules is critical, as violating compliance guidelines can turn out to be expensive. The average cost of non-compliance for healthcare organizations is approximately 3 times higher than the cost of being in compliance.[3]
2020 saw the second-largest settlement since HIPAA’s inception. A health insurer, Premera Blue Cross, had to pay the OCR $6,850,000 to resolve potential HIPAA violations discovered during the investigation of a 2015 breach affecting 10,466,692 individuals.[4]
The four categories used for the penalty structure are as follows:
Tier | Description | Penalty
--- | --- | ---
Tier 1 | A violation where the covered entity took a reasonable amount of care to abide by the HIPAA Rules, was unaware of the breach, and could not reasonably have avoided it | Minimum fine of $100 per violation, up to $50,000
Tier 2 | The covered entity should have been aware of a violation but could not avoid it despite a reasonable amount of care (falls short of willful neglect) | Minimum fine of $1,000 per violation, up to $50,000
Tier 3 | A violation resulting from “willful neglect” of HIPAA Rules; however, attempts were made to correct the violation | Minimum fine of $10,000 per violation, up to $50,000
Tier 4 | A violation resulting from willful neglect, with no attempts made to correct the violation | Minimum fine of $50,000 per violation
The damage is not limited to fines. In extreme cases, apart from penalties, criminal charges can be issued which could result in jail time. Furthermore, healthcare organizations can lose revenue due to damaged reputations and lost customers, as most consumers lose trust quickly when their personal information is compromised.
For the complete list of HIPAA breaches and fines, you can visit OCR’s Breach Portal or “Wall of Shame.”[5] Considering the heavy losses they can incur by violating HIPAA, either knowingly or unknowingly, healthcare practices must take care to comply with HIPAA while dealing with other third-party vendors and within their own communications.
In the definition of marketing issued by the US Department of Health & Human Services (HHS), there are three key aspects to note:
To put it simply, a covered entity cannot sell the protected health information of an individual to a third party or a business associate out of self-interest. If marketing is to use PHI as data points, explicit patient authorization is required. You can find a complete overview of HIPAA and a list of necessary permissions on the HHS website.
Digital advertising is intrinsically more personalized, and it is this very aspect that makes the medium so popular. However, under HIPAA, personalization can be a double-edged sword, as personalization is often possible only based on a person’s ‘personal’ information, which according to HIPAA, is off-limits.
So, while on the one hand, patients do expect enhanced digital experiences from their healthcare providers, healthcare providers cannot compromise on PHI while targeting them.
The issue that marketers face is how to utilize the innate advantages of digital marketing while remaining compliant with ongoing regulations.
At Wisevu, we follow three best practices to ensure HIPAA compliance for our clients:
We also follow specific protocols depending on the digital channel in question.
According to eMarketer, email is the preferred channel among users for receiving brand communications.[6] Email marketing also returns $44 for every $1 spent—an astounding 4200% return on investment.[7]
However, to truly leverage email marketing, you need to personalize it. At Wisevu, we have a thorough process to segment and target audiences, using their PHI securely without deviating from HIPAA compliance guidelines. We can also create automated drip campaigns to follow up on pending visits, deliver specific instructions, and follow up on appointments.
Here are the practices we follow at Wisevu for email marketing:
Social media is a great way to engage with current and potential patients. In the US alone, over 82% of people are estimated to be on social media platforms.[8] Being present where your audience is active makes good business sense. Social media can also reinforce your brand’s voice and values without being intrusive.
However, there are several instances when social media has been the cause of a compliance slip-up. According to a global database of public data breaches, social media incidents accounted for over 56% of the 4.5 billion data records compromised worldwide in the first half of 2018.[9]
At Wisevu, we ensure adherence to certain social media best practices:
As organic reach continues to decline across social media platforms, more organizations, including healthcare practices, are looking at paid advertising as a viable and cost-effective option to stay top of mind.[10] Most social media platforms allow you to select custom audiences and retarget users, ensuring maximum visibility for your ads.
Retargeting allows you to show your ad to someone who has already visited your website. So, if you were to visit a store online, the Facebook pixel on the site would retarget you on social media and show you an ad of the same store or product. While this is acceptable in other industries, it could have severe implications in the healthcare industry, as your PHI is sacrosanct.
We follow a few best practices while posting ads on behalf of our healthcare clients:
The website is often the cornerstone of one’s digital marketing efforts. If your website collects, stores, or transmits any data with PHI, you need to consider the HIPAA implications carefully.
Here are a few practical steps we take at Wisevu to ensure our clients grow their patient database while adhering to HIPAA compliance guidelines:
Google Ads are essentially intent-based. Ads appear only when they are relevant, that is, when a potential patient searches for the service or for a term that incorporates the service.
Google, as a platform, is sensitive to potential breaches of a patient’s health information. While Google may not sign the BAA, it does include a long list of keywords that are not approved, including several health-related ones. For instance, you would not be able to advertise products or services relating to “drugs,” “birth control,” over-the-counter medications for various health conditions, medical devices, cosmetic surgery, and so on.
Moreover, since retargeting campaigns require data collection, Google disallows this for healthcare professionals, ensuring that you do not violate HIPAA laws.
Here’s how Wisevu can add value to your paid campaigns:
Marketing yourself through reviews is a powerful way to show potential patients that your medical practice can help solve their health issues. According to Moz, 84% of consumers look to online reviews before choosing providers, and review signals account for 13% of local ranking factors.[11]
Managing your reviews well is also integral to good online reputation management. Reviews are such a crucial determining factor that Google places them in the knowledge graph alongside the brand name. A well-crafted response to reviews can open up opportunities, build loyalty and demonstrate an attitude of concern.
However, responding to reviews could also lead to HIPAA violations. Here are some HIPAA compliant practices we follow at Wisevu to ensure that all our responses are appropriate.
Often, HIPAA is seen as a roadblock to implementing digital marketing strategies. However, there are lots of ways to utilize cutting-edge marketing and still be HIPAA compliant if you use the right tools. The key is to implement the right policies and procedures from the very beginning, so as to be more efficient and have a more significant ROI. Implementing both HIPAA privacy and security rules is critical to success. Working with a HIPAA-compliant digital marketing business associate can save you from costly mistakes.
Schedule an obligation-free consultation with Wisevu today.
1. Howard, Jacqueline. “10 top questions you had for Dr. Google in 2018.” CNN Health, 2018, https://edition.cnn.com/2018/12/21/health/health-questions-2018-google-explainer/index.html. Accessed 25 November 2021.
2. Murphy, Margi. “Dr. Google will see you now: Search giant wants to cash in on your medical queries.” The Telegraph, 2019, https://www.telegraph.co.uk/technology/2019/03/10/google-sifting-one-billion-health-questions-day/. Accessed 25 November 2021.
3. Ponemon Institute and Globalscape. “The True Cost of Compliance with Data Protection Regulations.” Globalscape, 2017, https://static.helpsystems.com/globalscape/pdfs/guides/gs-true-cost-of-compliance-data-protection-regulations-gd.pdf. Accessed 25 November 2021.
4. HIPAA Journal. “OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross.” HIPAA Journal, 2020, https://www.hipaajournal.com/ocr-imposes-2nd-largest-ever-hipaa-penalty-of-6-85-million-on-premera-blue-cross/. Accessed 25 November 2021.
5. U.S. Department of Health and Human Services Office for Civil Rights. “Cases Currently Under Investigation.” HHS.gov, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. Accessed 20 September 2021.
6. eMarketer. “Email Marketing 2019.” Insider Intelligence: eMarketer, 2019, https://www.emarketer.com/content/email-marketing-2019. Accessed 25 November 2021.
7. Hubspot, and Katrina Kirsch. “The Ultimate List of Email Marketing Stats for 2021.” Hubspot, 2021, https://blog.hubspot.com/marketing/email-marketing-stats. Accessed 25 November 2021.
8. Statista. “Percentage of U.S. population who currently use any social media from 2008 to 2021.” Statista, 2021, https://www.statista.com/statistics/273476/percentage-of-us-population-with-a-social-network-profile/. Accessed 22 November 2021.
9. Business Wire. “Data Breaches Compromised 4.5 Billion Records in First Half of 2018.” 2018, https://www.businesswire.com/news/home/20181008005322/en/Data-Breaches-Compromised-4.5-Billion-Records-in-First-Half-of-2018. Accessed 20 November 2021.
10. Sample, Josh. “Is Organic Reach Dead?” Forbes, 2019, https://www.forbes.com/sites/forbesagencycouncil/2019/08/06/is-organic-reach-dead/?sh=49d6530433df. Accessed 20 November 2021.
11. Moz. “2018 Local Search Ranking Factors.” Moz, 2018, https://moz.com/local-search-ranking-factors. Accessed 20 November 2021.