HIPAA’s Impact on Healthcare Digital Marketing. What Are HIPAA Requirements for Healthcare Marketing and Website Hosting?
In a recent lawsuit, a prominent healthcare center in California breached HIPAA regulations by using healthcare information gathered online for Meta (owner of Instagram and Facebook) ads without permission. The Department of Health and Human Services has identified over 300 major HIPAA violations in 2023 so far, affecting more than 41 million consumers.
HIPAA, the Health Insurance Portability and Accountability Act of 1996, has three main objectives:
- Simplifying health insurance access for consumers;
- Aiding in healthcare cost management; and
- Safeguarding the confidentiality and security of healthcare information, which is primarily stored digitally (unlike when HIPAA was initially enacted, a time when much of the data was in hard copy).
HHS Issues Bulletin Updating HIPAA Privacy Concerns
Due to ongoing HIPAA violations, the U.S. Department of Health and Human Services issued a bulletin in December 2022 addressing specific concerns regarding website hosting and digital marketing. Key points from that bulletin include:
- Expanded definition of Protected Health Information (PHI): The privacy rules now encompass personally identifiable information, even if it does not include billing details or specific treatment content. HHS found that many user-authenticated pages, as well as publicly accessible pages, contained data protected under HIPAA. Popular advertising platforms like LinkedIn, Meta, and Google do not offer advertisers the third-party agreement (a business associate agreement) that HIPAA requires.
- Updated guidance on tracking technology usage online: The new guidelines emphasize that various tracking technologies, such as third-party cookies and pixels, pose a risk of HIPAA violation for healthcare providers.
Ensuring HIPAA Compliance in Healthcare Marketing
The initial step in ensuring HIPAA compliance is thoroughly evaluating digital marketing content for potential PHI. That means removing anything that could potentially identify a patient.
Next, eliminate marketing pixels from password-protected sites, pages, or apps. These pixels track user behavior, conversions, web traffic, and other metrics. If you use a tag management system, make sure it is configured securely so that you control which information is shared with each ad platform.
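As an added example that is not part of the article, the check below scans a page's HTML for common pixel and tag loaders and flags any hit on an authenticated page as a PHI-leak risk. The tracker hostname list is an assumption drawn from the vendors' public tag snippets (extend it for your own stack), and the patient-portal HTML is constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames that serve well-known marketing pixel/tag loaders (assumed list).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta pixel",
    "www.facebook.com": "Meta pixel (noscript image fallback)",
    "www.googletagmanager.com": "Google tag / Tag Manager",
    "snap.licdn.com": "LinkedIn Insight tag",
    "px.ads.linkedin.com": "LinkedIn conversion pixel",
}

class _SourceCollector(HTMLParser):
    """Collect the src attribute of every <script>, <img> and <iframe>."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)

def find_trackers(html):
    """Return (hostname, label) for each known tracker loader in the page."""
    parser = _SourceCollector()
    parser.feed(html)
    hits = []
    for src in parser.sources:
        host = urlparse(src).netloc.lower()   # handles https:// and // forms
        if host in TRACKER_HOSTS:
            hits.append((host, TRACKER_HOSTS[host]))
    return hits

def audit_page(url, html, authenticated):
    """Any tracker on a password-protected page is treated as a violation;
    trackers on public pages are returned for manual PHI review."""
    trackers = find_trackers(html)
    return {"url": url, "authenticated": authenticated,
            "trackers": trackers, "violation": authenticated and bool(trackers)}

# Constructed sample: a patient portal page that still carries a Meta pixel.
PORTAL_HTML = """<html><head>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<noscript><img src="https://www.facebook.com/tr?id=000000&ev=PageView"/></noscript>
</head><body>Welcome back. Your next appointment is on file.</body></html>"""

PUBLIC_HTML = "<html><body><h1>Our locations</h1></body></html>"
```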