Marketing is more complex if you're engaged in the healthcare field. Whether you work with patients or market to consumers interested in healthcare products, it's important to understand HIPAA guidelines. This article explains the basics of HIPAA Privacy and Security Rules, and how this legislation affects your marketing strategy.

Table of Contents

  1. HIPAA Explained
  2. Privacy and Security Rules under HIPAA
  3. What This Means for Healthcare Marketers
  4. Remaining HIPAA Compliant
  5. How Can Help

HIPAA Explained

The Health Insurance Portability and Accountability Act of 1996, HIPAA for short, protects individually identifiable health information, known as protected health information (PHI). The U.S. Department of Health and Human Services (HHS) administers the HIPAA rules and, through its Office for Civil Rights, receives thousands of complaints every year, a sign that many organizations still struggle to meet the compliance requirements.

As more of healthcare becomes digital and governments push toward fully electronic health records, privacy and security are central to protecting PHI and PII (personally identifiable information). Smartwatches, fitness monitors and related apps now hold growing amounts of health data, and HIPAA reaches more organizations than ever, in particular the vendors that process that data on behalf of healthcare organizations. The caveat is that HIPAA applies to such data only when the device or app is operated by, or on behalf of, a HIPAA-covered entity; a consumer fitness app with no such relationship falls outside HIPAA, however sensitive its data, and is governed by other privacy laws instead.

Privacy and Security Rules under HIPAA

The Privacy Rule sets requirements for covered entities (health plans, health care clearinghouses, and providers that transmit health information electronically in standard transactions) and for the business associates that handle PHI on their behalf. It has been amended since its 2002 revision, notably by the 2013 Omnibus Rule, which extended direct liability to business associates and made it easier for patients to obtain their records. The Privacy Rule mandates the following:

  • Organizations must appropriately safeguard PHI.
  • Organizations may use or disclose PHI only as the rule permits or as the patient has authorized in writing.
  • Patients have the right to access their health records.
  • Patients have the right to request copies of their data.
  • Patients have the right to request corrections (amendments) to their data.

The Security Rule sets national standards for the same covered entities and business associates. Where the Privacy Rule says what may be done with PHI, the Security Rule says how PHI held in electronic form (e-PHI, or ePHI) must be protected: it requires administrative, physical and technical safeguards, including a documented risk analysis, access controls, audit logging, integrity protection and protection of data in transit. It is technology-neutral, so it names the risks that must be addressed rather than prescribing particular products.

Where organizations fail to comply, HHS's Office for Civil Rights (OCR) can impose civil monetary penalties and require corrective action plans.

What This Means for Healthcare Marketers

If you market healthcare products and services, the data you use to reach potential consumers has to be collected and used in a HIPAA-compliant manner. The Privacy and Security Rules are about patient data being used appropriately, so a marketer who does not understand them can expose the organization to fines without meaning to.

However, not every communication from a healthcare provider or health plan is marketing in HIPAA's eyes. Telling someone about a product or service that their plan already covers, or that the provider itself offers, does not count. For example, a provider may tell its own patients about new equipment it has invested in without that being marketing. One caveat: this exception falls away if a third party pays the provider to send the communication, which then requires the patient's written authorization.

Communications specifically about an existing treatment plan are not "marketing" either. If at any point during treatment the healthcare provider recommends a different avenue of care, including switching to different products or services, this is also exempt from marketing rules. The law considers this type of advice a form of care and a genuine recommendation with the patient’s health in mind.

Remaining HIPAA Compliant

Thankfully, HHS publishes guidance for healthcare marketers. Its core rule is that an individual must give written authorization before their PHI is used for marketing. Like GDPR's consent requirement, this is opt-in: silence, or the fact that a person never asked to opt out, is not authorization, even though that was once the working assumption in marketing.

The guidelines go on to define marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Examples include:

  • The promotion of additional insurance products
  • The promotion of healthcare services not related to ongoing treatment
  • Offering paid screening tests to the general public for peace of mind, rather than as part of an individual's care

Promotions like these need not involve clinical details, but a recipient list drawn from patient or member records is itself PHI, so choosing who receives the message is a use of PHI. Any other personal data the marketer holds still has to be handled under whatever privacy and electronic-marketing laws apply to it.

Healthcare providers can, in theory, sell patient data to marketers for more targeted campaigns, but only with the explicit written authorization described above, and the authorization must state that the provider will be paid for the disclosure. If the marketer acquires and uses the data compliantly, the campaign can go ahead. If a provider offers a marketer a list of patient details, every patient on that list must have authorized the sale in writing. If even one has not, the whole transaction is unlawful and both organizations are exposed to OCR penalties.

There are many other ways that marketers can fall afoul of compliance pitfalls, including:

Gathering data from social media for marketing purposes: Public posts are not PHI by themselves, but linking them to patient identity or treatment creates PHI that is then used for marketing without authorization, and collecting it with tools outside your documented safeguards is a Security Rule problem as well. The issue is not that the data is unencrypted.

Sharing customer details or comments on personal social media accounts: A staff member posting about a patient on a personal account is a disclosure of PHI in itself; data miners can harvest it, and it leaves the organization open to complaints and legal action.

Inadvertently exposing PHI in marketing materials: Marketers may not share praise from patients about products without explicit authorization, and simply changing the patient's name is not de-identification. HIPAA's safe harbor standard requires removing 18 categories of identifiers, including dates and photographs, and a testimonial that still reveals the condition and circumstances can identify the person.

Taking photos inside business premises: whether it's a marketing office or a healthcare practice, if patient data is visible anywhere, others could use it for fraudulent purposes, leaving patients and personnel at risk. This includes patients’ faces, which nefarious actors could use in reverse image searches to find social media accounts and gather personal data.

Marketers can also fall into the pitfalls of working with partners or vendors that are not HIPAA compliant, putting patients' or customers' data at risk. Any vendor that creates, receives, maintains or transmits PHI on your behalf is a business associate under HIPAA and must sign a business associate agreement (BAA) before it touches the data. Ask every product or service provider for one, confirm that they understand their obligations, and check their safeguards so that data moving between you and them carries the lowest possible risk.

How Can Help

Consolidating health data into a small number of controlled destinations makes it easier to apply and audit the safeguards the rules require. That's where an ETL (Extract, Transform, Load) solution comes in. allows you to create data pipelines that bring all your patient or customer data into one place, making compliance and security easier to manage.

For additional peace of mind, provides field-level encryption to protect data at the source. Encrypting ePHI is one of the technical safeguards the Security Rule asks organizations to address, and PHI that was encrypted when lost or stolen generally does not trigger breach notification. It only helps if the keys stay under the covered entity's control and out of the marketing systems that consume the data. Protecting PHI and PII is the first step in any HIPAA compliance process, so talk to us about a 14-day demo and learn how can help support your marketing efforts.
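The following is an added example, not part of the original article and not the vendor's product code. It shows, in plain Python, the two controls the article describes: the all-or-nothing authorization check from the section on selling patient lists (one patient without valid written authorization blocks the whole export), and field-level protection of PHI before records leave the covered entity. Keyed HMAC pseudonymization from the standard library stands in for the field-level encryption described above; that substitution is an assumption, and a real pipeline would use reversible encryption under a key held in a KMS. The patient records, authorizations, field allow-list and key are all constructed for the example.

```python
import hashlib
import hmac
from datetime import date

# Field handling for the marketing view. This allow-list is an assumption of
# the example, not a HIPAA definition: anything not listed is treated as PHI
# with no marketing justification and is dropped.
TOKENIZE = {"patient_id", "email"}   # direct identifiers: replaced by a keyed pseudonym
PASS_THROUGH = {"zip3", "interest"}  # coarse attributes the campaign actually needs


class AuthorizationError(Exception):
    """Raised when any patient on the list lacks a valid written marketing authorization."""


def has_valid_authorization(auth, today):
    """auth is the stored record of a signed authorization, or None if none is on file.
    Authorizations can be revoked in writing and may carry an expiry, so both are
    checked; a signature given for some other purpose does not cover marketing."""
    if auth is None or auth.get("revoked"):
        return False
    if auth.get("purpose") != "marketing":
        return False
    expires = auth.get("expires")
    return expires is None or expires >= today


def tokenize(value, key):
    """Keyed pseudonym for a direct identifier (HMAC-SHA256, hex encoded).
    Stand-in for field-level encryption: stable across exports so records can be
    joined, but the marketer cannot recover the identifier without the key,
    which stays with the covered entity."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def protect_record(record, key):
    """Return the marketing view of one patient record: identifiers tokenized,
    allow-listed attributes copied, every other field (name, date of birth,
    diagnosis, clinical notes) removed."""
    out = {}
    for field, value in record.items():
        if field in TOKENIZE:
            out[field] = tokenize(str(value), key)
        elif field in PASS_THROUGH:
            out[field] = value
    return out


def build_marketing_list(records, authorizations, key, today):
    """All-or-nothing export, matching the article's rule that one patient without
    authorization makes the whole list unusable: refuse the entire export rather
    than silently dropping the unauthorized rows."""
    missing = [
        r["patient_id"]
        for r in records
        if not has_valid_authorization(authorizations.get(r["patient_id"]), today)
    ]
    if missing:
        raise AuthorizationError(f"no valid marketing authorization for: {missing}")
    return [protect_record(r, key) for r in records]


# Constructed sample data, not real patients or real authorizations.
PATIENTS = [
    {"patient_id": "P-1001", "name": "Ana Ruiz", "dob": "1980-03-04",
     "email": "ana@example.com", "zip3": "021", "diagnosis": "E11.9",
     "interest": "diabetes-care", "notes": "Discussed CGM options."},
    {"patient_id": "P-1002", "name": "Ben Okafor", "dob": "1975-11-20",
     "email": "ben@example.com", "zip3": "941", "diagnosis": "I10",
     "interest": "heart-health", "notes": "Home BP log reviewed."},
    {"patient_id": "P-1003", "name": "Chloe Park", "dob": "1990-07-15",
     "email": "chloe@example.com", "zip3": "606", "diagnosis": "J45.20",
     "interest": "asthma", "notes": "Inhaler technique coached."},
]
AUTHORIZATIONS = {
    "P-1001": {"purpose": "marketing", "signed": date(2024, 1, 10),
               "expires": date(2026, 1, 10), "revoked": False},
    "P-1002": {"purpose": "marketing", "signed": date(2024, 2, 2),
               "expires": None, "revoked": False},
    # Signed, then revoked in writing: this patient may not appear on any list.
    "P-1003": {"purpose": "marketing", "signed": date(2023, 5, 5),
               "expires": None, "revoked": True},
}
KEY = b"example-key: in production fetch from a KMS, never hard-code"  # assumption
TODAY = date(2025, 6, 1)


def demo():
    """Run both cases: a list containing a revoked patient (refused) and the cleared list."""
    try:
        build_marketing_list(PATIENTS, AUTHORIZATIONS, KEY, TODAY)
    except AuthorizationError as err:
        print("export refused:", err)
    cleared = [p for p in PATIENTS if p["patient_id"] != "P-1003"]
    marketing_view = build_marketing_list(cleared, AUTHORIZATIONS, KEY, TODAY)
    for row in marketing_view:
        print(row)
    return marketing_view


if __name__ == "__main__":
    demo()
```

The refusal is deliberate: a pipeline that quietly filters out unauthorized patients would still have pulled their PHI into the marketing workflow, so the check runs before any record is transformed. The key never reaches the marketing side, which is what makes the tokens useful for joining campaign results back to patient records without handing the marketer the identifiers themselves.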