The 19 Marketing Podcast by Orange Label

The Digital HIPAA-potamus


October 30, 2017

As of August 2017, the US Department of Health and Human Services has received over 160,000 HIPAA Privacy Rule Complaints. In this episode of The 19, Orange Label Account Supervisor Michelle Torr explains why HIPAA is the proverbial hippopotamus in the room for healthcare providers.

 

Hey everyone, this is Michelle Torr, Agency Account Supervisor at Orange Label, and I’ll be the host of today’s The 19: The Digital HIPAA-potamus. You may have heard me in our last episode of The 19, covering social media and health care. One of the topics we touched on briefly was HIPAA, and its impact on social media. Today, I’d like to expand on this topic, and discuss HIPAA’s impact on digital response marketing as a whole.

Though some of you listeners may be familiar with the acronym, I figured a good place to start would be: what does HIPAA stand for? Well, it’s the Health Insurance Portability and Accountability Act of 1996. Totally self-explanatory, right? Well, not so much. In one of the latest Orange Label blog articles, we shared that as of August 2017, the U.S. Department of Health and Human Services has received a whopping 163,277 HIPAA privacy rule complaints. 2016 was deemed the second-worst year in terms of HIPAA violations. And the top three causes behind these data breaches were employee action, lost or stolen devices, and third party error.

My interpretation of this is that the act is confusing, and that there are a lot of people who simply don’t understand what HIPAA entails. And this is a concern, not only for the violation of a patient’s privacy, but also for the hospitals, or healthcare provider, because HIPAA violations can be expensive – really expensive. The penalties for non-compliance are based on the level of negligence, and can range from one hundred dollars to fifty thousand dollars per violation, or per record. The maximum penalty of 1.5 million dollars per year is for violations of an identical provision.

Of course, not every HIPAA violation is rooted in marketing. Something as personal as a Facebook post could violate the law. But these types of penalties are what keep HIPAA top of mind for healthcare providers, and in my experience with healthcare clients, the areas of marketing where HIPAA is brought up most often are patient testimonials, social media, and direct response targeting. The reason being that HIPAA is designed to protect patient data and medical information, whether it be patient medical records, patient doctor and patient nurse conversations about treatment, health insurance information, or billing information.

This level of patient privacy is what makes online behavioral targeting, and the sharing of real patient related content difficult, and begs the question: how can real healthcare providers leverage digital marketing to acquire qualified leads, raise brand awareness, and track ROI, while remaining HIPAA compliant? Digital marketing offers so many ways to get in front of the right people, at the right time. And a personalized online experience is often more enjoyable. Why wouldn’t we want to see content in ads that are relevant to us? I’d be lying to say I haven’t purchased an item from an online ad that was served to me, that was clearly based in some form of behavioral targeting. Nowadays it would almost seem strange to have ads served to me that have absolutely nothing to do with me. As someone that lives and breathes marketing and advertising, I’d view a completely untargeted ad as wasted media dollars. If we look at the facts, HIPAA definitely does not agree with this high degree of targeting, but also doesn’t ban healthcare providers from targeted online marketing and advertising. Simply said, it sets boundaries that we as people, and even patients do, in fact, appreciate. And as much as I enjoy a targeted ad, I personally wouldn’t like being targeted for a perceived medical ailment based on a specific medication I may take, or a recent medical visit I had. For me, that would be invading my personal privacy. And I don’t want others knowing about my medical condition or state of health without my permission. Well, it turns out that permission is the magic word with HIPAA.

You’ve likely seen forms of marketing that ask users to opt in to learn more about a service. Once healthcare providers have this information, they can use it for marketing purposes, because the user provided it voluntarily. This also applies to the sharing of a patient testimonial. A healthcare provider must have a release form that’s signed by the patient, and includes a written opt-in stating that the testimonial can be used on all forms of media and advertising – and make sure this includes social media. The more specific the release form is, the more protected you are from violating HIPAA. And while marketers cannot target patients with a particular condition, they can target people viewing articles, and other forms of online content about a condition. In the eyes of HIPAA, the permission has been granted on the grounds of search content. Because we’re not targeting with the knowledge of whether the search content is based on a fact that person has such an ailment. That person is simply interested in that subject, and if additional related content is served to that person, well, that provides a better online experience, according to Google.

Now, permissions within social media is a little more complicated. A good starting place is private, or public, and how your social profile is set up. Facebook keeps things simple, and says that regardless of the profile setting, content that a person posts cannot be used by a marketer. While Instagram says, if the profile is public, then technically any posted content is in fact public information and can be used. So go hurry, and check your own personal profile settings. But even with these platform rules, HIPAA still stands by its rules of permission. If a healthcare marketer doesn’t have that permission to share posted content from social media, then they can’t share it. Even if someone posts a picture of themselves at a hospital and tags that hospital, a healthcare provider cannot repost or comment on that post in a way that leads others to believe that person is or was a patient.

Social media paid advertising falls in line with the general HIPAA digital targeting guidelines. General behavioral targeting is okay, while specific ailment-focused targeting is not. For example, targeting married women in their 20’s and 30’s with mom and baby services at a local hospital, that works. From a marketing perspective it’s a better use of media dollars, versus sending those same ads to women in their 60’s or 70’s who are likely not having a child. Or furthermore, serving ads to an individual about a healthcare service, or location that’s not geographically relevant to them. The broad based targeting within social media paid advertising is all okay with HIPAA, and supports an all around stronger digital marketing strategy.

These are a few key components of HIPAA’s guidelines that affect digital marketing. And my hope is that my brief explanations have helped create a sense of comfort for healthcare marketers, knowing that digital marketing is possible and can be done powerfully and effectively without risking any expense of HIPAA penalties. For those interested in diving deeper about HIPAA and its legal jargon, I’d like to leave you with a few helpful resources.

Visit www.hhs.gov, the U.S. Department of Health and Human Services, where you can search for a variety of HIPAA related questions, and access various documents, including an HHS social media policies checklist. Or, for those of you in California, you can visit www.dhcs.ca.gov, the California Department of Healthcare Services website. Here, you’ll find additional detailed information about HIPAA.

So at the end of every episode of The 19, we provide you with a key takeaway. We call it, the sum-up. Here’s today’s sum-up: permission is key. HIPAA does not appreciate the idea of asking for forgiveness later, instead, HIPAA will simply fine you. So the rule of permission must be kept at the forefront of all strategic marketing and planning. And if you don’t have patient permission, you need to tread cautiously, and likely reference HIPAA to ensure that your T’s are crossed, and your I’s are dotted, before you launch any campaign, or share any patient-related content. Staying in line with permissions as a response marketing agency, we’re granting healthcare marketers the permission to embrace digital marketing, and befriend the digital HIPAA-potamus. There are a variety of benefits that digital marketing and social media provide for healthcare marketers that shouldn’t be passed up because of the potential fears of HIPAA violations, or the confusions within the legal jargon of the act.

At the end of the day, HIPAA is asking that we target with a broader lens. That doesn’t mean that digital marketing strategies will lack effectiveness, which can impact results. And even though we have access to specific patients’ information that technically may allow our marketing to be extremely specific, we have to stop, and put ourselves in the shoes of the recipient, and think about whether we would like our own health and medical information to be used just for the sake of an ad.

Thank you for listening to The 19: The Digital HIPAA-potamus. If you have any additional questions on this topic, please share them with us. Visit our website at orangelabelmarketing.com, and contact us, and be sure to tune in for our next episode, discussing the relationship between health care and Instagram. Be sure to subscribe to The 19 on iTunes and Google Play. And if you like what you heard today, leave us a review.

This was The 19, brought to you by Orange Label. If you’re interested in more healthcare response marketing, visit our blog and subscribe to our content, where we share our response marketing expertise on current healthcare industry topics. Visit orangelabelmarketing.com for all the details.

 
