This is for General Information! We are not Attorneys

We are a HIPAA compliant healthcare marketing agency, but we are not lawyers. We’re providing this information based on our experience as a HIPAA compliant agency. It’s general information about getting HIPAA compliant online reviews for our clients based only on our experience. Please do not construe this as legal advice.

Please do consult with your healthcare attorney for specific questions. And throughout this video, you’re going to hear me refer to healthcare attorneys a few times. They’re really good to have. They’re different from a general business attorney. Healthcare laws are much more specific. If you do not have a healthcare attorney, we highly recommend that you find a good one.

SEO is All About Trust

This is NOT a tutorial about healthcare SEO! There are enough SEO geeks out there. This is about helping you make sure you keep your SEO HIPAA compliant.

SEO is a lot about knowing, liking and trusting someone. Before we even get into SEO, let’s talk about ourselves. In our own lives, we have people whom we know, like, and trust to different degrees.

There’s Knowing Someone

This is some guy that we just met. Maybe we remember his name, but that’s all we know. Do we like him? Don’t know. Do we trust him? No, we just met him.

There’s Liking Someone

This is a couple holding hands. So let’s hope that they at least like each other, right? Maybe they trust each other, depending on how long they’ve been together.

And Then There’s Trust!

The heart? That’s somebody we love. Hopefully we love them for good reasons and trust them deeply! If we’ve loved them for a long time, we’ve trusted them for a long time.

No matter how you look at these three different types of people, though, it’s all about trust. It’s either there or it’s not. You can earn trust from people. You can lose people’s trust. You’ve got to keep it over time.

Healthcare SEO Is Earning and Keeping Google’s Trust

Google is the same way. Each of the things that somebody does with us to earn our trust and keep it is like a signal: somebody keeps their word, they keep their promise, they do what they say they’re going to do. They’re loyal to you. They keep your secrets. Whatever they do, each one of those is a signal of trust. Google also needs signals of trust. Remember, Google was built by people, who need signals of trust in their own lives. When Google delivers search results, those results at the top of the page are the ones that Google trusts more than those at the bottom.

Keep Sending Signals of Trust

How many signals does Google need? Send it one signal…meh…just getting to know you. “I don’t know if I should rank you. I just met you,” says Google. Send some more signals of trust. Okay, now I’m liking you a bit more. I’m certainly getting to know you better. And when I know you, I can like you. Nobody likes what they don’t know, and nobody trusts what they don’t like. Send a lot of signals, good quality signals, and a lot of them over time, and Google says, wow, I really know you. I really understand you.

For a deeper dive into healthcare SEO, check out our blog, Know Enough SEO to Choose A Marketing Agency.

What It Means For Your SEO To Be HIPAA Compliant

For anything to be HIPAA compliant, the PHI you choose to share with a third party must be handled in HIPAA compliant ways. This includes how PHI is stored and transmitted. Specifically for SEO, that means nobody who comes to your website could identify any of your patients, or learn about their health, simply by finding some information on it. That’s pretty broad, so here are a few examples.

Meta Titles and Meta Descriptions

Every page on your website has a title, called a meta title, and a short description, called a meta description. The example above shows what each one looks like.

These are valuable for SEO purposes. The more you tell Google about a website page, the better it understands what the page is about and when to rank it, depending on what search terms people are putting into Google when they search.

For HIPAA purposes, the example above shows what good looks like. It’s better to keep the description a bit broader rather than specific. We know that this is an orthodontics practice that offers a variety of treatments and has two office locations. That’s it. That’s good.

What might be an example that’s not good for HIPAA? Let’s imagine instead that this practice said something like “highest-rated orthodontics practice providing Invisalign for adults in Wicker Park with extremely crooked teeth.” This might not be the greatest specific example, but the point is that the more specific you get, the easier it is for people or Google to figure out what someone’s health status is. That gives you an idea.

Comments On Your Website

Another example of where SEO can be non-HIPAA compliant is comments on your website. We don’t see this too often, but they’re still out there. The easiest example is if you allow comments on your blogs. Comments are a way to invite people to engage with the blog. People like engagement, and so does Google. Comments give Google more information to chew on.

However, if a patient, or anybody really, puts PHI in a comment, they just disclosed information that you’re responsible for protecting, because it’s on your website. If you want to leave comments on, you have to monitor them very closely and remove all PHI you see. Your other option is to disable comments entirely.

Reviews Or Testimonials

Another common example is reviews / testimonials on your website. These are great ways to spread the word about your practice. You can show them directly on your website. You can stream them from other sites like Google to your website. You can have video testimonials. You have options.

In general, a patient can say anything they want about their health to whomever they want. Even if they do that, you are still responsible for protecting your patient’s PHI because you’re the covered entity. If a patient gives a review with PHI in it, you shouldn’t have it on your website. If you do, you can either anonymize it by removing their name, or you can remove the portions that include PHI.
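The moderation the last three sections describe (screening a draft meta description, a blog comment, or a review before it goes live, and anonymizing it by removing the name or the PHI) can be partly automated. The following is an added example, not code from the original article or from the agency: a simple pre-publication screen that flags text when it pairs an identifier with health information, and returns a copy with the identifiers redacted. The identifier patterns, the health-term list and the sample review are constructed for illustration, not exhaustive, and a practice should tune them with its healthcare attorney.

```javascript
// Added example: pre-publication PHI screen for comments, reviews and meta
// descriptions. Not from the original article; patterns are illustrative.

// Identifier patterns (constructed, intentionally simple). Each is global so
// it can be used with matchAll() and replace().
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { kind: "phone", re: /\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g },
  { kind: "date", re: /\b\d{1,2}[\/-]\d{1,2}[\/-]\d{2,4}\b/g },
  { kind: "record-number", re: /\b(?:MRN|patient id|chart)\s*[:#]?\s*\d{4,}\b/gi },
];

// Health-status terms (constructed). A term alone is not PHI; paired with an
// identifier in the same text it is, which is what the screen looks for.
const HEALTH_TERMS = ["invisalign", "braces", "crooked teeth", "root canal", "diabetes", "depression"];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Returns { identifiers, healthTerms, phi, redacted }.
// knownNames: names the caller already has (e.g. the reviewer's name from the
// submission form); free-text name detection is unreliable, so they are passed in.
function screenForPhi(text, knownNames = []) {
  const identifiers = [];
  let redacted = text;

  for (const name of knownNames) {
    const re = new RegExp(`\\b${escapeRegExp(name)}\\b`, "gi");
    if (text.search(re) !== -1) {
      identifiers.push({ kind: "name", value: name });
      redacted = redacted.replace(re, "[name removed]");
    }
  }

  for (const { kind, re } of IDENTIFIER_PATTERNS) {
    for (const m of text.matchAll(re)) {
      identifiers.push({ kind, value: m[0] });
    }
    // Identifiers are always removed, even when no health term is present.
    redacted = redacted.replace(re, `[${kind} removed]`);
  }

  const lower = text.toLowerCase();
  const healthTerms = HEALTH_TERMS.filter((t) => lower.includes(t));

  return {
    identifiers,
    healthTerms,
    // PHI: someone is identifiable AND the text says something about their health.
    phi: identifiers.length > 0 && healthTerms.length > 0,
    redacted,
  };
}

// Constructed sample review, run when the file is executed directly.
const SAMPLE_REVIEW =
  "Dr. Lee fixed my crooked teeth with Invisalign. Call me at 312-555-0142 if you want to hear more. - Jane Doe";

if (typeof require !== "undefined" && require.main === module) {
  console.log(screenForPhi(SAMPLE_REVIEW, ["Jane Doe"]));
}
```

Anything the screen flags still needs a human look, because a comment can describe a condition in words no keyword list anticipates; the screen is a first filter, not a substitute for monitoring.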

Tracking Website Visibility Data

Another example is tracking user activity. What do I mean by this? Examples include how many people came to your website, what pages they looked at, how long they stayed, and what the bounce rate is. You’re going to want to know these things because your website is meant to promote your practice, and you want to know if it’s working.

Google Analytics is the most popular tracking tool available. Google Analytics itself is not HIPAA compliant because they do not offer a Business Associate Agreement (BAA), and they’re not going to sign yours. However, you can use it in a HIPAA compliant way, as long as the data that Google collects about your website is anonymized.

Google can know PHI if it can pair who someone is with their health status. Google can know who someone is because Google tracks IP addresses. However, the only way Google can find out someone’s health status is if someone tells Google. You can tell Google that information if you supply specific enough content on your website that Google could figure it out. The good news is that most of the pages a practice offers are general information about the practice, general information about your services, and your hours. Even most blogs are general in nature. With generalized information, Google cannot reasonably figure out an individual’s health status.
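Two things on the site owner’s side decide what Google Analytics ends up holding: whether IP addresses are anonymized, and whether page URLs carry anything identifying (a confirmation page reached by a link with the patient’s name or date of birth in the query string, for instance). The following is an added example, not from the original article or the agency, of a gtag.js setup that turns on IP anonymization and strips the query string and fragment before reporting a page view. It assumes gtag.js is already loaded on the page; the measurement ID is a placeholder, `anonymize_ip` is the documented setting for Universal Analytics properties (GA4 properties do not store full IP addresses by default), and `send_page_view: false` plus a manual `page_view` event is the documented way to control what `page_location` is sent.

```javascript
// Added example: report analytics page views without identifying URL parts.
// Assumes gtag.js is loaded; MEASUREMENT_ID is a placeholder, not a real ID.
const MEASUREMENT_ID = "G-XXXXXXXXXX"; // placeholder

// Drop the query string and fragment, the usual places an identifier leaks
// into analytics (e.g. /thanks?patient=Jane%20Doe or /book?dob=01/02/1980).
function sanitizePageLocation(href) {
  const url = new URL(href);
  url.search = "";
  url.hash = "";
  return url.toString();
}

// Configure gtag with IP anonymization, suppress the automatic page view
// (which would send the raw URL), and send a page view with a clean URL.
// Returns the location that was reported, for checking.
function configureAnalytics(gtag, href) {
  const pageLocation = sanitizePageLocation(href);
  gtag("js", new Date());
  gtag("config", MEASUREMENT_ID, { anonymize_ip: true, send_page_view: false });
  gtag("event", "page_view", { page_location: pageLocation });
  return pageLocation;
}

// In a browser with gtag.js present, wire it up; in Node this is skipped.
if (typeof window !== "undefined" && typeof window.gtag === "function") {
  configureAnalytics(window.gtag, window.location.href);
}
```

The same idea applies to any other tracking script: if it can see the full URL, make sure the URL never contains more than a generic page path.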

How Do You Tell if You’re Using HIPAA Compliant SEO Providers?

Generally speaking, two things have to be true:

  1. They sign a BAA with you
  2. They talk the talk

Signing a BAA

BAA stands for business associate agreement. BAAs are required by HIPAA. They’re very dense legal documents. They can be a dozen pages, but generally speaking, here’s what they cover with respect to PHI:

  • What’s required of you as the Covered Entity
  • What’s required of the Business Associate (your marketing agency or an online forms provider, for example). If you’re using a marketing agency and they are using a third party forms company, you need to have a separate BAA with both of them.
  • How each of you stores it
  • How each of you protects it from theft and loss
  • How each of you transmits it
  • What happens if there’s a breach, God forbid: which party does what, how long they have, who pays for what, and who’s responsible
  • Much more

With a BAA in place, the Office for Civil Rights (OCR) is much happier. OCR is the federal agency that will investigate a breach or conduct an audit. There are usually state agencies as well.

They Talk the Talk

The other broad category of things that you want to see is that they talk the talk. They use appropriate wording on their website or in their materials, like:

  • encrypted systems
  • log in to get your data
  • secure storage
  • HIPAA compliant website forms or HIPAA compliant online forms

You don’t have to see all of these terms. But you want to see terms that at least sound like these. Behind each term should be a more specific description of how they do it, not to great levels of detail, but enough to give you some assurance that they’ve thought this through and that they’re actually doing these things.

Are Your SEO Service Providers HIPAA Compliant?

If you’re going to do it on your own, start easy. Go to their website, go to the homepage, scroll down to the bottom, and look for their privacy policy or their terms, or both. Click on them, open them up and scan. You’re looking for the words “HIPAA compliant” or “HIPAA.” If they say they are, great. If they don’t, then either call them yourself, or, even easier, go to whoever developed your website and ask them. Usually whoever built your website also plugged in the forms and designed the forms for you. They’ll at least know who they’re using, and then you can ask them to research it, or they can give you the name and you can do it yourself. But one way or the other, we really do think you ought to find out if the online forms provider that you’re using is HIPAA compliant.

What If They’re Not HIPAA Compliant?

We can see four options for you.

  1. Keep using the service but stop sharing PHI with it. It’s okay to use a service that is not HIPAA compliant as long as you do not share PHI with it.
  2. Get a BAA in place. Maybe the service is HIPAA compliant, but you don’t have an executed BAA in place with them. In that case, either sign their BAA or give them yours to sign.
  3. Stop including SEO in your marketing plan. If the service you’re using isn’t HIPAA compliant and you feel you must share PHI in order to do it the way you want, then an option is to stop doing SEO altogether. If you stop, you can’t share PHI.
  4. Switch to an SEO service that is HIPAA compliant.

Take our Free HIPAA Marketing Assessment

Marketing and HIPAA can and do overlap. If this topic has made you wonder, even a little bit, about your practice’s marketing and HIPAA compliance, our PracticeCare® HIPAA Digital Marketing Assessment can help you start to figure it out.

It’s free and takes about 10 to 15 minutes. It’s a series of questions that cover what we know are the more common areas where digital marketing and HIPAA can overlap. It’s designed to be a good start to help you see if you have any gaps in your HIPAA compliance with respect to digital marketing, along with some ideas of what you can do about them. Once you fill it out and submit it, we will send your assessment right away.