How to Navigate New & Updated Guidelines, Healthcare Marketing Restrictions and HIPAA Compliance

When implementing your healthcare marketing strategy to publish health content or ads of any type, it's paramount to understand the applicable regulations, or work with a firm that is knowledgeable in this area. This is particularly important regarding use of tracking technologies such as cookies, pixels or tracking codes.

Each social media platform has unique, specific restrictions regarding appropriate imagery, verbiage, and demographics when advertising healthcare services and products. Your ads will not be approved, or you could get banned from sending ads, if any platform finds your ads to be in violation of their healthcare advertising and marketing policies. These policies evolve continually, requiring ongoing monitoring of these restrictions for each platform or medium where you are running ads.

In addition to the ad restrictions from the media platforms, new government regulations were recently released that could forever change the future of digital healthcare marketing. These new HIPAA regulations may potentially make the use of tracking technologies cost-prohibitive for many entities, due to the risk of lawsuits, and the amount of legal obligations now required to utilize tracking technologies for healthcare marketing purposes.

This new guidance was released and outlined by the Office of Civil Rights (OCR), part of the US Department of Health and Human Services (HHS), regarding digital marketing and HIPAA compliance. The new regulations state that HIPAA rules apply "when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes protected health information (PHI)." Furthermore, according to HHS, "Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI… or any other violations of HIPAA Rules."

A detailed overview of the new regulations is provided on the HHS website. This excerpt below explains how tracking technologies fall under the HIPAA rules (emphasis ours):

How do the HIPAA Rules apply to regulated entities' use of tracking technologies?

Regulated entities disclose a variety of information to tracking technology vendors through tracking technologies placed on a regulated entity's website or mobile app, including individually identifiable health information (IIHI) that the individual provides when they use regulated entities' websites or mobile apps.

This information might include an individual's medical record number, home or email address, or dates of appointments, as well as an individual's IP address or geographic location, medical device IDs, or any unique identifying code.

All such IIHI collected on a regulated entity's website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.

This is because, when a regulated entity collects the individual's IIHI through its website or mobile app, the information connects the individual to the regulated entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual's past, present, or future health or health care or payment for care.

These HIPPA regulations apply to tracking technologies used on:

· All authenticated webpages (requiring a user login)

· Any unauthenticated webpages (no user login required)

· Mobile apps

Is it even feasible to incorporate any tracking technologies in digital healthcare marketing anymore?

Yes, but…

According to the bulletin, if HIPAA-covered entities and business associates do use tracking technology, they are obligated by the HHS and OCR to do the following:

· Make sure that all disclosures of PHI are permitted by the Privacy Rule and, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.

· Ensure that they have applicable permission prior to any disclosure of PHI and that the tracking vendor has signed a HIPAA BAA (business associate agreement) or that the patient signs a HIPAA-compliant authorization prior to the disclosure

· Even if the vendor does not save the PHI or removes PHI before saving data, the disclosure still requires a signed BAA and permissible purpose

· Analyze the tracking technologies in the entity's HIPAA Risk Analysis and Risk Management processes and ensure that transmitted PHI is properly secured

· Provide notification of any security/PHI breach to affected individuals, the Secretary, and the media (when applicable)

Proceed with caution… Our team of experts can help.

Above is simply an overview of some of the key components and complexities of the new OCR/HHS regulations governing the use of tracking technologies in healthcare marketing. Be sure to review the entire HHS bulletin.

If, after reviewing the new guidelines from the HHS, there are any remaining questions or lingering uncertainty about the above requirements for utilizing tracking technologies, you may want to consult with industry experts who are knowledgeable in the legal and regulatory aspects of digital healthcare marketing before proceeding with implementing the use of any tracking technologies in your digital healthcare marketing.

The team at CMG Healthcare Marketing can help you avoid any potential missteps by offering expertise and guidance to navigate the rules and regulations from the OCR/HHS as well as the restrictions by various media platforms.

Our team of experienced and knowledgeable consultants at CMG Healthcare Marketing can help you avoid any potential missteps by offering expertise and guidance to navigate the rules and regulations from the OCR/HHS, as well as restrictions enforced by various social media platforms.

We can work with you to devise a strategic multichannel marketing strategy to grow your reach, acquire more patients, and grow your revenue. To tap into the vast resources of CMG Healthcare Marketing, contact us to discuss your questions and challenges and we'll provide answers and solutions to meet your specific healthcare marketing needs with optimal ROI to achieve your revenue goals.