While you’re probably used to dealing with HIPAA in your office, websites and online marketing have never been as clearly defined an area.
However, a recent bulletin issued by the U.S. Department of Health & Human Services (HHS) on the use of analytics and online tracking tools indicates that they are paying closer attention to online patient interactions.
Though analytics is the subject of the most recent guidance regarding patient activity online, it’s not the only thing practices need to pay attention to. From your website to advertising and social media, there are several other online tools that you may be using that could put you at risk for a HIPAA violation if you aren’t careful.
Working with Third Party Online Marketing Providers
Depending on the service, third party marketing providers will often have access to some form of PHI. This could include your web developers, reputation marketing providers, call tracking, analytics, etc. Any third party that could potentially have access to PHI will need to have a Business Associate Agreement (BAA) in place. If a third party provider is unwilling to sign a BAA, you should not work with them even if they meet all of the security requirements; the BAA is required for HIPAA compliance.
Website Analytics
The HHS bulletin suggests that the use of certain tracking tools like Google Analytics may be a HIPAA violation in certain situations. We’ve talked about HIPAA and website analytics in depth in a previous post, but if you missed it, you can read it here: Are Your Analytics HIPAA Compliant?
Online Forms
Many medical practice websites have Contact Us forms, and/or forms to request an appointment. Since these forms are collecting information from current or potential patients, you need to make sure that they are HIPAA compliant. Many of the basic forms available for websites are not compliant. In order to be compliant, proper encryption and security measures must be in place to protect any data when it is stored and when it is transmitted.
This means that any data collected by the forms needs to be stored in a secure location, but also that your staff are receiving and reviewing that data in a secure manner. For example, the data collected should not be sent directly to your staff via email. For our clients, we have the forms send notifications about new submissions with a link to the secure portal where they can view the information.
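The notification pattern just described, as an added example that is not code from the original post or from the author's client forms: the submission is stored server-side under an opaque reference, the staff email carries only that reference and a portal link, and a check confirms that none of the submitted values leaked into the email. The in-memory store, the portal URL and the field list are assumptions standing in for an encrypted database and a real secure portal.

```python
"""Added example (not the post's own code): notify staff of a web-form
submission without putting PHI in the email.  The dict below stands in for
an encrypted, access-controlled store covered by a BAA (assumption)."""
import secrets
from datetime import datetime, timezone

PORTAL_BASE_URL = "https://portal.example-practice.invalid/submissions"  # placeholder

# Fields a contact / appointment-request form typically collects.  Tied to a
# patient, each of them can be PHI, so none may appear in a notification.
SENSITIVE_FIELDS = ("name", "email", "phone", "date_of_birth",
                    "reason_for_visit", "message")

_STORE: dict[str, dict] = {}   # stand-in for the encrypted database


def store_submission(fields: dict) -> str:
    """Persist the submission and return an opaque, unguessable reference id."""
    submission_id = secrets.token_urlsafe(16)
    _STORE[submission_id] = {
        "received_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "fields": dict(fields),
    }
    return submission_id


def build_notification(submission_id: str, form_name: str) -> str:
    """Staff email body: says that a submission arrived and where to view it."""
    received = _STORE[submission_id]["received_at"]
    return (
        f"A new '{form_name}' submission was received at {received}.\n"
        f"Review it in the secure portal: {PORTAL_BASE_URL}/{submission_id}\n"
        "Do not reply to this message with patient details."
    )


def naive_notification(fields: dict) -> str:
    """What many default form plugins do: dump the raw submission into the email."""
    return "New submission:\n" + "\n".join(f"{k}: {v}" for k, v in fields.items())


def phi_leaks(notification: str, fields: dict) -> list[str]:
    """Names of submitted fields whose values appear verbatim in the notification."""
    return [k for k in SENSITIVE_FIELDS
            if fields.get(k) and str(fields[k]) in notification]


def handle_form_submission(fields: dict, form_name: str) -> tuple[str, str]:
    """Store the submission, build the PHI-free notification, and refuse to
    send anything if the leak check fails."""
    submission_id = store_submission(fields)
    note = build_notification(submission_id, form_name)
    leaked = phi_leaks(note, fields)
    if leaked:
        raise ValueError(f"notification would leak PHI fields: {leaked}")
    return submission_id, note


# Constructed sample submission (fictional patient data).
SAMPLE_SUBMISSION = {
    "name": "Jane Doe",
    "email": "jane.doe@example.invalid",
    "phone": "555-0100",
    "date_of_birth": "1980-04-12",
    "reason_for_visit": "Knee pain",
    "message": "Please call me after 3pm.",
}

if __name__ == "__main__":
    sid, note = handle_form_submission(SAMPLE_SUBMISSION, "Request an Appointment")
    print(note)
    print("fields leaked by naive email:",
          phi_leaks(naive_notification(SAMPLE_SUBMISSION), SAMPLE_SUBMISSION))
```

The reference id is unguessable, but it is not the access control: the portal link must still require staff authentication, and the store behind it needs encryption at rest, audit logging and a BAA with whoever hosts it.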
Facebook Ads
Another key component of the HHS bulletin was that the use of Facebook’s Meta tracking pixel may not be compliant. The Meta pixel is used for Facebook ads to track conversions and other activity on your website back to the ads. However, the pixel is not required to run ads, so we suggest you avoid it. You can use things like campaign tracking links, call tracking, and your analytics to attribute website activity to your campaign without using the pixel.
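Before you can decide whether a tracker on a patient-facing page is covered by a BAA or has to go, you need an inventory of what is actually loaded. The following is an added example, not code from the original post, that scans a page's HTML for the Google Analytics and Meta pixel tags discussed in this section and the analytics section above. The hostname and inline-marker lists are illustrative assumptions, not an exhaustive catalogue of trackers, and the sample page is constructed.

```python
"""Added example (not from the post): inventory third-party tracking tags on
a page so each can be checked against a BAA or removed.  The tracker lists
are illustrative, not exhaustive (assumption)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve the tracking scripts / pixels named in the HHS bulletin
# discussion above.  Extend for other vendors as needed (assumption).
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta (Facebook) pixel script",
    "www.facebook.com": "Meta (Facebook) pixel noscript image",
}

# Function calls that the standard gtag.js and Meta pixel snippets make inline.
INLINE_MARKERS = {
    "gtag(": "inline Google Analytics gtag() call",
    "fbq(": "inline Meta pixel fbq() call",
}


class TrackerScanner(HTMLParser):
    """Collects <script src>, inline script markers and <img src> that point
    at known tracker hosts."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[dict] = []
        self._in_script = False
        self._inline: list[str] = []

    def _check_src(self, kind: str, src: str) -> None:
        host = urlparse(src).hostname or ""      # relative URLs (self-hosted) give ""
        if host in TRACKER_HOSTS:
            self.findings.append({"kind": kind, "detail": src,
                                  "what": TRACKER_HOSTS[host]})

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._inline = []
            if attrs.get("src"):
                self._check_src("script", attrs["src"])
        elif tag == "img" and attrs.get("src"):
            self._check_src("img", attrs["src"])

    def handle_data(self, data):
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            text = "".join(self._inline)
            for marker, what in INLINE_MARKERS.items():
                if marker in text:
                    self.findings.append({"kind": "inline", "detail": marker,
                                          "what": what})
            self._inline = []


def scan_page(html: str) -> list[dict]:
    """Return every tracker finding on the page, in document order."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: an appointment-request page with gtag.js, the Meta
# pixel (script + noscript image) and one harmless self-hosted script.
SAMPLE_HTML = """<!doctype html>
<html><head>
<title>Request an Appointment</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-PLACEHOLDER');
</script>
<script>
  fbq('init', 'PIXEL-ID-PLACEHOLDER');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=PIXEL-ID-PLACEHOLDER&amp;ev=PageView"/></noscript>
<script src="/static/form-validation.js"></script>
</head><body><form>...</form></body></html>
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML):
        print(f"{finding['kind']:7} {finding['what']}: {finding['detail']}")
```

Run it against the rendered HTML of every page that collects or displays patient information (forms, patient portal entry points, scheduling pages), not just the homepage; tag managers can also inject trackers at runtime, so a scan of the static HTML is a starting inventory, not proof that a page is clean.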
Call Tracking
Call tracking services can help you track phone calls back to patients who visited your website, and find out how those patients got to your website. This software typically works by adding a bit of code to your website that automatically swaps out your actual phone number with a tracking phone number that forwards to your office line. Often, it will even collect the caller’s phone number and information, and some services can even record calls.
Because these tools are collecting and storing patient information, it’s important that you use a HIPAA compliant call tracking service. In addition to meeting the proper security measures, this means that the provider must be willing to sign a BAA since they are a third party handling PHI.
Online Appointment Scheduling Tools
Any appointment scheduling service that is made for medical practices should be HIPAA-compliant, but it is always a good idea to verify. You also must have a BAA in place since they are a third party provider.
Google My Business Call History
A couple of years ago, Google My Business rolled out a new Call History feature for business listings. This feature tracks when customers use the “Call” button on your listing to call your office. However, it also collects and stores the phone number of the caller, which would potentially be considered PHI. Since Google is unwilling to sign a BAA for this feature, we do not recommend using it.
Google Ads Lead Forms
Google also introduced lead form extensions for Google Ads a couple of years ago. These forms enable advertisers to collect leads from their target audience directly from the ads. However, like the forms on your website, PHI is being collected. Since Google will not sign a BAA and it is not clear if these forms meet the proper security protocols, you should not use them for your Google Ads campaigns.
Social Media Interactions with Patients
Social media interactions can be tricky when patients are involved. On the one hand, if a person is divulging their own private health information on a public social media page, it is their right to do so. However, this does not necessarily mean that you, as the healthcare provider, have the right to publicly discuss the patient unless given express permission.
If a patient posts on your page or leaves a comment with a complaint or asking for specific medical guidance, our advice is to direct that conversation to a more private channel.
Responses to Online Reviews
Like responding to social media posts and comments, it’s important to avoid discussing the specific details of a patient’s diagnosis, treatment, etc. when you respond to online reviews. This is true even if the patient is posting something negative. If you believe the content of a review is false or otherwise violates terms of use, you should use the review site’s reporting tools to remedy the situation.
Learn more about how to respond appropriately to online reviews in this blog post: Take Charge of Your Online Reviews: How to Be Proactive and Reactive
Email Communication
If your practice is sending any type of email communication or using an email marketing service to send out newsletters, you need to make sure that you have the appropriate measures in place to maintain HIPAA compliance.
Learn more about HIPAA-Compliant Email Marketing.
Staying Ahead of HIPAA Compliance Issues in Medical Practice Marketing
The rules on how HIPAA applies to online marketing are constantly changing. This is why we recommend that medical practices work with online marketing providers who have experience in the healthcare space, as they will typically be more up-to-date on the latest HIPAA standards than marketing firms who primarily work outside of healthcare.
Anytime you need to work with a third-party vendor for something that could potentially expose PHI, even if it’s as simple as an email address or phone number, ask that vendor about their HIPAA compliance status. If they aren’t aware of HIPAA requirements or refuse to sign a BAA, that is your sign to move on to another vendor.
This may mean that you have to spend more money on certain aspects of your marketing to get what you need. The rigorous security standards required by HIPAA typically need more maintenance than things that are not bound by HIPAA regulations. However, consider how much more costly it could be if your practice was found to be in violation of HIPAA for using non-compliant services. Several hospitals and health systems have been sued recently for healthcare data-sharing. While the outcome of these lawsuits is still to be determined, the legal process alone can be costly.
At the end of the day, patients have a right to their privacy, and healthcare providers have a responsibility to uphold that. Fortunately, there are tools and methods that enable practices to market themselves and uphold HIPAA standards.