Whether you are looking at your demand generation programs with email, your CRM and customer records, and even lead capture with messaging and chatbots… privacy matters.

At ClosedWon, we take HIPAA compliance seriously. We’ve made it a policy for each new employee to go through the HIPAA Awareness Training for Business Associates within 2 weeks of starting. Moreover, all team members have to complete the training every 2 years. We have strict HIPAA compliance policies in place that ensure the highest level of security and protection for private patient information.

Ever since the enactment of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, HIPAA compliance has been a critical consideration throughout the healthcare industry. Organizations that strive to be HIPAA compliant in the protection of confidential patient information can enjoy a bright, untarnished reputation. They can also avoid the loss of hundreds of thousands of dollars from fines and lawsuits due to violations of HIPAA guidelines.

Of course, to achieve true HIPAA compliance requires planning and effort. In fact, “HIPAA compliant” has become something of a buzzword over the years, and many company leaders are confused as to the actual meaning of the phrase. That’s why we use the term “HIPAA secure” to describe our approach to HIPAA compliant healthcare marketing.

What do HIPAA secure practices involve? What have we done to ensure that our marketers follow those best practices, in line with HIPAA regulations? Let’s answer those questions below.

“HIPAA Compliant” vs. “HIPAA Secure”

In order to understand the difference between “HIPAA compliant” and “HIPAA secure,” it is good to first analyze what HIPAA compliance is not.

For instance, true HIPAA compliance never involves a software program, or a specialized service. True, certain pieces of software can make HIPAA compliance easier, and some services can facilitate the protection of confidential information. That is why so many companies will advertise their products as “HIPAA compliant.”

However, only people or organizations can legitimately be referred to as HIPAA compliant. Why? Because true HIPAA compliance, according to DigitalGuardian.com, means that “companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance.” In other words, HIPAA compliance is an integrated, holistic approach to protecting patient health information.

Therefore, while companies may utilize so-called “HIPAA compliant” products, that does not in itself mean that those companies are HIPAA secure. Here’s an example of what we mean:

Karen is a professional therapist. She decides to start using an invoicing service from a “HIPAA compliant” (fictional) company named AWESOME to bill her clients. Assuming that the invoicing service is secure, one day Karen is shocked to find out that the husband of one of her clients discovered his wife’s visits to Karen’s office, and flew into a murderous rage, leading to his wife’s hospitalization and his arrest. What happened? AWESOME’s invoicing service sent a text to the client’s phone that was seen by her husband.

As the above scenario demonstrates, using products and services that may assist your company to become HIPAA compliant does not excuse your company’s responsibility to establish HIPAA secure processes. If Karen had performed a basic risk analysis of using AWESOME’s billing services, she could have easily determined that, in order to protect their privacy, some clients would choose to opt out of receiving their invoices via text message.

So now the question comes up: What does true HIPAA compliance (in other words, being HIPAA secure) actually involve?

HIPAA Secure Practices

For a company to truly be “HIPAA secure” three basic aspects of information protection must be in place: technical, physical, and administrative.

Technical safeguards involve the technology or technologies used to access and deliver ePHI (electronic protected health information). Security measures would include controlled access to ePHI (such as a username and password), encryption and decryption, authentication, and activity logs of ePHI access and usage.

Physical safeguards would encompass all the access points to workstations and hardware that contains ePHI, as well as procedures to remove sensitive information from smartphones if users have terminated their employment with the company. Close collaboration with a third party security vendor is often a vital aspect of physical protection against data breaches.
Administrative safeguards are perhaps the most crucial components of HIPAA compliant practices.

Employees need to be trained to follow HIPAA guidelines in their daily work. It is critical that they are aware of HIPAA compliance policies, and understand the role they play in implementing them. Risk assessments must be conducted on a regular basis, as well as tests of current policies and procedures to determine if there are any inconsistencies or weaknesses in the standing security measures. Third party access to ePHI must be limited to authorized HIPAA Business Associates only.

Clearly, true HIPAA compliance requires an integrated, cross-departmental approach. It involves the careful selection of secure technology as a means of ePHI delivery and storage, the strict control of physical and digital access points, and an ongoing training program which ensures that employees consistently implement HIPAA best practices.

Another way that healthcare organizations maintain HIPAA compliance is by partnering with reputable, HIPAA secure marketing firms. What are some pitfalls that must be avoided in healthcare marketing? Here are just a few:

  • It is vital that marketing firms working for healthcare organizations never use ePHI in social media posts or advertisements without first obtaining the explicit permission of the patient(s) in question.
  • Photo-taking must be strictly monitored, especially if there’s the potential for PHI or ePHI leaks from pictures taken at work. Photographs of patients should never be publicly distributed or used in promotional material without, again, the patient’s explicit permission.
  • Emails and other forms of electronic communication must be end-to-end encrypted, so that only the sender and recipient have access to the contents of the message.
  • Any data gathered on the healthcare provider’s website must be encrypted, including form data and appointment requests.

How can marketing agencies that work with healthcare providers ensure that they are HIPAA secure? One important step is to have all team members take HIPAA compliance training. This will help all marketing employees to be aware of HIPAA guidelines, and act accordingly.

In healthcare marketing, and in all other aspects of the healthcare industry, true HIPAA compliance is an absolute must. If you want to learn more about the benefits of partnering with a HIPAA secure digital marketing firm, reach out to us at ClosedWon today.