HIPAA Privacy and Security Rules for Marketing Your PT Practice
Marketing a physical therapy practice isn’t like marketing a retail business. There are special challenges associated with promoting healthcare treatments and services.With this in mind, one of the most common questions we hear is, “How do HIPAA privacy and security rules affect marketing?”
That’s a good question to ask. HIPAA regulations are designed to protect the privacy of your patients. Any marketing techniques you use must adhere to HIPAA rules while also letting your target audience know why they should choose your PT practice over others in the area. Here’s what you need to know.
HIPAA Final Rule and Marketing
The first thing you need to understand is the HIPAA final rule, which was released by the US Department of Health and Human Services in January 2013. Its intention was to strengthen the privacy protection already provided by HIPAA. It also laid out some new rules for the use of patient data in marketing.
The final rule included several provisions that apply directly to healthcare marketing and fundraising, which often go hand-in-hand with one another. Here they are:
- The final rule sets new limitations on how protected health information (PHI) can be used for marketing and fundraising purposes. It also sets limits on how and when PHI may be disclosed for either purpose.
- The final rule strictly prohibits the sale of any individual’s health information without their written permission.
- Covered entities must modify their written policies to reflect the updated HIPAA rules regarding the use of PHI in marketing.
- The final rule also spells out the responsibilities of covered entities in terms of disclosing PHI to third-parties. Limitations on disclosure and use of PHI must be spelled out in all agreements with third-parties.
The goal of these changes is to protect consumers from any potential violation of HIPAA that involves the disclosure of use of their personal information. It covers all information, including:
- Diagnostics
- Treatments
- Medications
- Names
- Addresses
- Email addresses
- Patient ID numbers
It’s your job to protect the information of all patients of your PT practice in accordance with HIPAA rules.
What Are the Penalties for a HIPAA Violation in Marketing?
As a healthcare provider bound by HIPAA regulations, you already know that if you’re responsible for a breach that affects your patients, you can be fined. The same is true of violations involved with marketing.
One high-profile case involved the TRH Health Plan in Columbia, Tennessee. They got inquiries from some of their patients who had received mailings from BlueCross BlueShield of Tennessee about a Medicare Advantage Program.
The issue? BlueCross had outsourced the mailings to a third-party company and had disclosed some protected information to them, including patient names, addresses, and member identification numbers. Since that information is all protected under HIPAA, it counted as a breach.
Penalties for non-compliance are based upon the size and severity of the violation and max out at $1.5 million.
HIPAA-Compliant Marketing Tips
The most important thing to do as you move forward with your marketing is to understand what constitutes a breach and how you can avoid violating your patients’ rights under HIPAA. Here are some pointers:
- Don’t create social media ads that use patients’ images or personal information — including data that might be accidentally captured in a photo of a computer screen.
- Update your written marketing policies to reflect the provisions of the final rule and make sure your staff understands them.
- Do not permit your staff or anybody else to take photographs inside your practice that might inadvertently compromise patients’ PHI.
- Contract only with HIPAA-compliant vendors for your marketing. This includes mailing and fulfillment companies, marketing companies, and anybody else who might need access to PHI to do their work.
- Never send emails to patients about their PHI without their express permission to do so.
- Make sure all emails that go to your patients are encrypted to protect their health information and personal data.
- Make sure that any data you collect via your website or a patient portal is encrypted in accordance with HIPAA rules.
- Any PHI you collect via your website must be stored on an encrypted server with secure, off-site backup.
- Put a written HIPAA policy on your website that includes the specifics of how and when you may use PHI in your marketing.
It’s important to think about the ways in which your marketing might impact patients. For example, you don’t want to send a mailing that’s only for patients with a specific ailment because an unauthorized person could learn about your patient’s health that way.
While data-driven and personalized marketing has its place, it’s essential for all healthcare providers to keep HIPAA rules — and their patients’ privacy — in mind when they create marketing campaigns. Not only will it protect your patients, but also your practice and the growth you’re working toward. Interested in a HIPAA-compliant marketing platform for your practice? Click here for a free demo of HENO!