As we were recently reminded, businesses live and die by their tech stacks — with CrowdStrike’s single buggy software update grinding industries like aviation and finance to a halt, and costing over $5 billion in direct losses.
For healthcare organizations, the tools that manage consumer data hold the same potential for harm. Yet data breaches and other violations of HIPAA (the Health Insurance Portability and Accountability Act) continue to happen. In 2024 alone, Kaiser and HealthEquity reported exposing the personal data of millions of customers due to web tracking and third-party account access, respectively.
With recent HIPAA updates around online tracking technologies and increased scrutiny on how organizations are sharing data with third-party vendors, it’s clear: healthcare marketers play a pivotal role in maintaining HIPAA compliance, making sure their patients’ (and prospects’) data stays secure and private.
At the same time, consumers still expect personalized content and messaging. So let’s dive into HIPAA-compliant marketing automation — what it looks like to do it right, and the risks involved if you get it wrong.
Our lawyers would like us to say: We aren’t lawyers, and this isn’t legal advice. Consult with your own lawyers about any specific healthcare marketing questions.
What HIPAA compliance means for marketers
HIPAA aims to safeguard protected health information (PHI), including medical records and dates of appointments, as well as personal information like names, birth dates, and IP addresses, when linked to health-related data.
In order to stay HIPAA-compliant, organizations need to keep this data secure and protected by implementing security protocols such as encryption, access controls, and audit trails to prevent unauthorized access and breaches.
HIPAA applies to two kinds of organizations:
- Covered Entities — healthcare providers, health plans, and healthcare clearinghouses
- Business Associates — companies or individuals doing work that involves PHI on behalf of a Covered Entity, such as consultants, marketing agencies, IT service providers, and data analytics firms
When sharing PHI with third-party vendors (like a martech solution), HIPAA requires a Business Associate Agreement (BAA) to ensure compliance.
Marketing under HIPAA includes some specific definitions and requirements. For instance, a health insurer promoting a home and casualty insurance product would be considered marketing, but a pharmacy sending prescription refill reminders would not. Marketing communications require covered entities to obtain written, detailed authorization from the recipients. HIPAA also prohibits selling PHI or patient lists without authorization.
HIPAA-compliant marketing automation
Marketing automation platforms collect data about your prospects and customers, use that data to segment your audience, and allow you to personalize your messages based on those segments. In other words, marketing automation has a lot of overlap with areas of HIPAA compliance.
Specifically, that includes:
- Data collection, storage, and encryption
- Access controls to ensure only authorized users can access PHI
- Maintaining proper audit trails
- Managing consent and authorization (note that traditional consent managers, like the ones used for cookies, are not HIPAA compliant when it comes to authorization for marketing messages)
Finally, since marketing automation platforms are built to personalize content and communications based on behavioral segmentation — i.e., what content your users engage with or pages they visit on your website — recent developments in HIPAA guidance could have a major impact on your ability to use these tools effectively.
New developments in HIPAA digital marketing
Since 2022, healthcare organizations have been under heightened scrutiny for how they track and share consumer data — such as appointments scheduled online — with Facebook and other tech platforms.
In 2022 and 2023, the Office for Civil Rights (OCR), which oversees HIPAA compliance, released updated guidance around collecting and sharing PHI online — clarifying whether, and under what circumstances, disclosing an IP address to a third-party vendor (like a website tracking tool) violates HIPAA.
For example, sharing the IP address of an individual visiting a hospital’s job postings would not constitute PHI, but if someone visited an oncology webpage in connection with seeking a second opinion, disclosing their IP address would violate HIPAA.
Specific elements of these guidelines are being contested in court, but the OCR seems to be committed to its increased scrutiny of digital PHI collection and sharing. That’s why industry experts recommend healthcare organizations “consider how to make their marketing technology stack HIPAA compliant and get a BAA on file for each vendor”.
The risks of non-compliant HIPAA marketing
The most straightforward risk of violating HIPAA guidelines around marketing and data privacy is being hit with significant fines from the OCR — anywhere from $100 – $50,000 per violation, multiplied by the number of patients impacted. For instance, small practices have been fined tens of thousands of dollars for improper PHI disclosures, while health insurance provider Anthem, Inc. paid $16 million after a data breach impacted 79 million people.
Keep in mind, companies don’t have to be directly responsible for sharing customer information in order to get hit with a HIPAA violation. If they were found to be negligent in anticipating and preventing a data breach, they can still be fined and held liable.
But HIPAA fines aren’t the only potential consequence of failing to protect your consumers’ health information. There’s also the possibility of class-action lawsuits and action from the Federal Trade Commission (FTC), targeted at companies that mismanage consumer health data, even if they aren’t strictly subject to HIPAA.
For example, these companies were recently fined or forced to settle lawsuits for sharing users’ personal health information with third parties without consent:
- Health system Advocate Aurora Health agreed to pay $12.5 million to settle consolidated lawsuits
- Telehealth and prescription discounter GoodRx got hit with $1.5 million in FTC fines
- Online therapy provider BetterHelp had to pay out $7.8 million to impacted users
Finally, there’s a huge risk to brand trust. Being known for putting patient data at risk is a reputational hit no organization can afford.
The moral of the story: covered entity or not, when you’re dealing with consumers’ health information, staying HIPAA compliant is never a bad idea.
The best HIPAA-compliant marketing automation platforms
But while there are risks to using consumer data in healthcare marketing, there’s also opportunity. Research from McKinsey shows consumers trust healthcare organizations to protect their privacy and data more than other industries — double the rate for technology or retail companies. And more than half of the consumers surveyed would like to see more personalized messaging and communications about their health and wellness.
Choosing a HIPAA-compliant marketing automation platform allows you to personalize communications without compromising data security or customer trust. That requires features like:
- Strict access controls
- Comprehensive employee training
- End-to-end data encryption
- Regular audits and detailed audit logs
Remember, while some marketing automation platforms have the data security standards in place to protect your information, they still need to sign a BAA in order to be HIPAA-compliant. Many refuse to do so.
Here at Act-On, we earned HIPAA compliance in 2023. As our Security Program Director Gregg Neveu says, “Our HIPAA compliance assures health companies that if they trust their data with us—which is confidential patient medical information—the patient’s privacy is always protected end to end, even when those companies are doing business with other vendors.”
If you’d like to learn more about HIPAA-compliant marketing automation, contact our team.