For digital marketers in healthcare, HIPAA compliance is more than just a regulatory box to check: it’s an ever-evolving discipline that demands constant vigilance. This involves mastering the cornerstones, like securing your patients’ protected health information (PHI). But it also means mapping out the corners of marketing where HIPAA risks may take you by surprise.
So in this post, we’re shining a light on a few of the unexpected HIPAA compliance risks in marketing. From social media engagement to embedded videos, here are five key steps to ensure your marketing is HIPAA-compliant.
Keep track of your website trackers
Between updated guidance in December 2022, clarified guidance in March 2023, and a court ruling in July 2024, the guidance on how and when healthcare orgs can track visitor interactions on their own websites has been evolving at a (relatively) breakneck pace. The HIPAA rules themselves haven’t changed; how regulators and courts read them has.
Despite the back-and-forth, experts maintain the crux of the issue hasn’t changed. Say you use a marketing pixel to track a website visitor on a page that relates to their care (an authenticated page, or even an online appointment scheduler). The pixel sends what they did on that page, together with their IP address, cookie ID, or other identifiers, to a third-party tool. If that tool hasn’t signed a Business Associate Agreement (BAA) with you, you have disclosed PHI without authorization, and that’s a violation. Note that a BAA only covers uses the Privacy Rule already permits: feeding that same data to an ad platform for retargeting would additionally require the patient’s written authorization.
So, a few best practices to follow here:
- Regularly audit your site for all third-party trackers, including tags that a tag manager injects after the page loads (a static scan of the HTML won’t see those; check the browser’s network requests too)
- Remove any marketing pixels from authenticated, password-protected pages like patient portals, and from unauthenticated pages that reveal a care relationship, like appointment schedulers
- Remember that videos embedded on your site through YouTube or Vimeo load from those platforms’ servers, so the platform sees the visitor’s IP address and can set its own cookies
These guidelines are changing quickly as the Office for Civil Rights (OCR) and the judicial system figure out exactly what kind of online behavior coupled with an IP address qualifies as PHI. But staying on top of your trackers — including any that might have been installed by past employees or agencies pre-2022 — will help you respond swiftly if/when HIPAA guidance tightens up again.
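To make the "audit your site" step concrete, here is an added example (not Act-On’s code or tooling, and not part of the original post) of a static audit that parses one page’s HTML and reports every host it loads resources from, flags hosts on a constructed list of common pixel vendors plus inline pixel bootstraps, and calls out embedded video players. The `audit_page` helper, the vendor host lists, and the two sample pages (`clinic.example` as the first party) are all assumptions constructed for illustration.

```python
"""Static third-party tracker audit for one HTML page (illustrative helper, not Act-On code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vendor hosts behind common marketing pixels. Constructed for this example; not exhaustive.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net", "www.facebook.com",
    "www.googletagmanager.com", "www.google-analytics.com",
    "analytics.tiktok.com", "snap.licdn.com", "px.ads.linkedin.com",
}
# Hosts that serve embedded video players (the embed itself is a request to the platform).
VIDEO_EMBED_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be",
                     "www.youtube-nocookie.com", "player.vimeo.com", "vimeo.com"}
# Inline snippets that bootstrap a pixel even when no <script src> names the vendor.
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google tag", "ttq.load(": "TikTok Pixel"}
# Tag/attribute pairs that make the browser fetch a resource.
SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src",
             "link": "href", "video": "src", "source": "src"}


class _Collector(HTMLParser):
    """Collect outbound resource URLs and inline pixel bootstraps from one page."""

    def __init__(self):
        super().__init__()
        self.resources = []       # (tag, url) for every src/href found
        self.inline_hits = set()  # vendor names seen in inline <script> bodies
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = SRC_ATTRS.get(tag)
        if attr and a.get(attr):
            self.resources.append((tag, a[attr]))
        if tag == "script" and not a.get("src"):
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            for marker, vendor in INLINE_MARKERS.items():
                if marker in data:
                    self.inline_hits.add(vendor)


def _host(url):
    """Host of an absolute or protocol-relative URL; None for relative/data/blob URLs."""
    if url.startswith("//"):
        url = "https:" + url
    parsed = urlparse(url)
    if parsed.scheme in ("data", "blob", "javascript"):
        return None
    return parsed.hostname


def audit_page(html, first_party_host, authenticated=False):
    """List third-party loads on a page and flag the ones the post warns about."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    third_party, video_embeds = set(), set()
    for tag, url in collector.resources:
        host = _host(url)
        if not host or host == first_party_host or host.endswith("." + first_party_host):
            continue  # relative URL or our own (sub)domain
        third_party.add(host)
        if tag == "iframe" and host in VIDEO_EMBED_HOSTS:
            video_embeds.add(host)
    trackers = (third_party & KNOWN_TRACKER_HOSTS) | collector.inline_hits
    findings = []
    if authenticated and trackers:
        findings.append("tracker on authenticated page: " + ", ".join(sorted(trackers)))
    if video_embeds:
        findings.append("video embed shares visitor data with: " + ", ".join(sorted(video_embeds)))
    return {"third_party": sorted(third_party), "trackers": sorted(trackers),
            "video_embeds": sorted(video_embeds), "findings": findings}


# Constructed sample pages (not real sites). clinic.example is the first party.
PORTAL_HTML = """<html><head>
<link rel="stylesheet" href="/static/portal.css">
<script src="https://www.googletagmanager.com/gtm.js"></script>
<script>
!function(f){f.fbq=f.fbq||function(){}}(window);
fbq('init','PIXEL_ID');fbq('track','PageView');
</script>
</head><body><h1>Your upcoming appointments</h1>
<iframe src="https://www.youtube.com/embed/intro"></iframe>
<img src="https://cdn.clinic.example/logo.png">
</body></html>"""

PUBLIC_HTML = """<html><body>
<script src="/js/site.js"></script>
<iframe src="https://player.vimeo.com/video/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page, auth in (("portal", PORTAL_HTML, True), ("public", PUBLIC_HTML, False)):
        print(name, audit_page(page, "clinic.example", authenticated=auth))
```

Run it against the HTML you actually serve to logged-in users (fetch it with a real session, since the portal markup usually differs from the public site). Because this is a static scan, tags that a tag manager injects at runtime will not appear in the output; pair it with a look at the browser’s network requests on the same pages.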
Don’t confuse cookie consent with HIPAA authorization
Thanks to GDPR, digital marketers are now pretty comfortable with cookie consent managers. But while these tools and HIPAA authorization both involve obtaining user consent, they serve fundamentally different purposes and shouldn’t be confused. Consent to collect data on your website does not equal HIPAA-compliant authorization to share electronic protected health information (ePHI).
HIPAA requires specific, written authorization before PHI is used for marketing communications. This goes far beyond a cookie banner: a valid authorization spells out what information will be used, who may use and receive it, for what purpose, when the authorization expires, and that the patient can revoke it. If a third party is paying for the campaign, the authorization has to say so too.
Ensure your organization has separate, clear processes for both website cookie consent and HIPAA authorization for marketing communications. The latter should be more detailed and clearly state how ePHI will be used in marketing efforts.
Maintain audit trails — for your team and your vendors
HIPAA wants you to show the receipts. Literally.
The HIPAA Security Rule’s audit controls standard requires you to record, and be able to examine, activity in every system that holds electronic PHI. Those logs have to be protected from alteration and be available for review in case of an investigation. They should include:
- Tracking access, modifications, deletions, and data movements
- Capturing information to identify who’s responsible for each action
- Recording the date and time of activities and the specific data affected
Don’t forget — these audit log requirements apply to all of your vendors’ access to your data, as well as your own team’s. Make sure any mar-tech vendor you work with has verifiable audit logs available. For example, here at Act-On, we provide comprehensive audit logs to all our clients who need to maintain HIPAA compliance.
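As an added illustration of what "verifiable" logs look like in practice (this is example code written for this post, not Act-On’s implementation and not a statement of what HIPAA prescribes), here is a minimal tamper-evident audit log in Python. Each record carries the who, what, when, and which-data fields listed above and is hash-chained to the previous record, so an edit, a reordering, or a deletion in the middle of the log is detected on verification. The function names, action vocabulary, and sample actors and resource identifiers are assumptions constructed for the example.

```python
"""Tamper-evident audit log sketch (illustrative, not Act-On's implementation)."""
import hashlib
import json
from datetime import datetime, timezone

# Event types matching the activities the post says must be captured.
ACTIONS = {"access", "modify", "delete", "export"}
GENESIS = "0" * 64  # prev-hash of the first record


def _canonical(record):
    """Stable serialisation so a record's hash does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(log, actor, action, resource, detail="", ts=None):
    """Append one record (who, what, when, which data) chained to the previous one."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    record = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,          # who is responsible (user or vendor service account)
        "action": action,        # access / modify / delete / export (data movement)
        "resource": resource,    # identifier of the data affected, never the PHI itself
        "detail": detail,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = hashlib.sha256(_canonical(record)).hexdigest()
    log.append(record)
    return record


def verify_chain(log, expected_head=None):
    """(True, None) if every record is intact and in order, else (False, first bad seq).

    Pass the last hash you stored elsewhere as expected_head to also catch
    records silently dropped from the end of the log.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i or body.get("prev") != prev:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def events_for(log, resource=None, actor=None):
    """The records an investigator would pull: everything touching one record or one actor."""
    return [r for r in log
            if (resource is None or r["resource"] == resource)
            and (actor is None or r["actor"] == actor)]


if __name__ == "__main__":
    log = []
    # Constructed sample activity.
    append_event(log, "alice@clinic.example", "access", "contact:4711", "opened contact")
    append_event(log, "email-vendor-svc", "export", "segment:followup-q3", "list sent to ESP")
    append_event(log, "bob@clinic.example", "delete", "contact:4711")
    head = log[-1]["hash"]
    print("intact:", verify_chain(log, expected_head=head))
    log[1]["actor"] = "alice@clinic.example"      # an edit after the fact...
    print("after edit:", verify_chain(log))        # ...is detected at seq 1
```

The chain only proves integrity relative to the head hash, so store that head (or ship the records) somewhere the people who can write to the log cannot also rewrite, such as a write-once bucket or a separate SIEM; otherwise an insider can simply rebuild the chain. It also does not replace access controls on the log store itself.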
And to really ensure your HIPAA compliance…
Choose a HIPAA-compliant marketing automation platform
Marketing automation platforms use your audience data (like demographics and website behaviors) to segment and personalize your marketing campaigns. Choosing a marketing automation provider that offers HIPAA compliance ensures you can reach prospects and drive engagement while protecting data security.
Look for features like:
- Data encryption, both in transit and at rest
- Separate HIPAA data environment
- Strict access controls
- Regular audits and detailed audit trails (as mentioned above)
- Comprehensive employee training
Here’s the kicker: Even if a platform has Fort Knox-level data security protocols, it still has to sign a BAA before you put PHI into it. A vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate whether or not the paperwork exists, and using one without a BAA is itself a violation. Most enterprise-class marketing automation platforms don’t want that liability, so most refuse to offer BAAs to their customers. Double-check before you waste time evaluating features.
Or, save yourself the trouble and learn about our own HIPAA-compliant marketing automation platform.
Mind your reviews
Finally, responding to online reviews doesn’t require technical expertise — but it does require HIPAA savvy. An inappropriately worded response could cost tens of thousands of dollars in fines.
Here’s why: Even if a patient shares their entire medical history in a review, you can’t even acknowledge they’re a patient when responding. As the American Medical Association cautions, “A patient’s own disclosure is not permission for the doctor to disclose anything.”
Instead, stick to general statements about patient care, give the reviewer contact information to directly address concerns, and be liberal with disclaimers like “We can’t comment on specific cases”. And only allow staff members who have been trained in HIPAA guidelines to respond to reviews.
Staying HIPAA-compliant means staying up-to-date
Staying HIPAA-compliant requires constant vigilance and an understanding of how these regulations apply to digital marketing. It’s not just about avoiding fines — it’s about maintaining the trust of your patients, customers, and prospects.
Especially in marketing, those regulations are continually evolving. So keep up with the latest guidance, regularly audit your own marketing practices, and work closely with HIPAA-compliant partners to make sure your audience’s sensitive data is well protected.
[Disclaimer: This blog post is for informational purposes only and should not be considered legal advice. Always consult with legal professionals for specific guidance on HIPAA compliance in your marketing efforts.]