In this Healthcare Marketing Rx video, we’re going to cover how to make sure that you have a HIPAA compliant relationship with your marketing agency.

You’re Covered by HIPAA

The first thing, painfully obvious as it is to say, is that as a covered entity you’re covered by HIPAA. You have to protect PHI and make sure that only authorized people can see it. The word “authorized” carries a lot of weight. Under HIPAA you are able to share PHI with outside agencies like marketing agencies; the marketing agency is considered a business associate to you, the covered entity. Both of those are HIPAA-specific terms.

It turns out that a marketing agency may need exposure to protected health information. Usually it’s emails and cell phone numbers, sometimes paired with specific clinical information. That alone counts as PHI under HIPAA. Here are a few more examples of marketing agency exposure:

Your Website

Even the website hosting agency can see protected health information. PHI on a website most commonly arrives through a contact form or some other form on your site. Every website has a contact us page, and every contact us page has a contact us form. The form always asks for the same information – name, email, phone number, and then tell us something about why you’re contacting us. That can be anything from making an appointment all the way down to sharing detailed health history.

Email Marketing

Maybe there’s a regular set of emails you send to patients. Maybe there’s an eNewsletter once or twice a month. To send those out you need the patient’s email address, so here we are back in protected health information territory.

Patient Reviews

More and more healthcare and medical practices are asking their patients to give them a review online. Most systems do so by sending emails or texts asking for reviews. And there it is again: email addresses and cell phone numbers along with the name.

Paid Advertising

Whether it’s advertising on social media or advertising on Google, there are ways that health history about specific people can be gleaned through paid advertising online.

What makes a HIPAA compliant relationship with a marketing agency?

There are a few components to it.

The Marketing Agency Will Sign Your Business Associate Agreement

A BAA (business associate agreement) is required by HIPAA. It’s a dense legal document. Some are denser than others, but a good BAA will cover at least these four areas:

What’s Required of the Business Associate

What the business associate must do with respect to protected health information and the other areas of HIPAA that are relevant to the relationship you have with the marketing agency.

What’s Required of the Covered Entity

The second section is what’s required of you, the covered entity, across those same areas.

How will Both Parties Store, Protect, and Transmit PHI?

How are you each going to protect, store, and transmit protected health information? Sending an email back and forth is one example of transmission; there are many other ways PHI gets transmitted.

What Happens if There’s a Data Breach?

What happens if there’s a data breach? Who does what? What are the deadlines? How long do they have to report back? Who pays what costs? These can all be laid out in a business associate agreement.

Why lay all of that out? Imagine you have a data breach. Rather than you and your marketing agency getting angry, pointing fingers at each other and losing time, you’ve already laid out who’s accountable for what, how fast, and who pays. Then you can deal with the primary issue, which is fixing the data breach and cleaning up the mess.

Do You Have Your Own BAA?

As a covered entity you should have your own business associate agreement that you use with third parties, like marketing agencies. A good healthcare attorney can draw one up for you. Every business associate that could have access to protected health information needs to sign it.

At MarketVisory Group we offer a BAA to our covered entity clients who don’t have one, which so far has been all of them. None of them had thought about the overlap of marketing and HIPAA before we brought it to their attention. We bias our BAA in favor of the covered entity because that’s what a covered entity would do.

Systems, Protections, Policies, Procedures

What else makes a HIPAA-compliant relationship? The business associate talks the talk. They say they’re HIPAA compliant. They encrypt information, or they have encrypted systems. They have secure storage, and so on.

Why is this important? Isn’t a BAA enough? No. The business associate agreement is a legal document. It will reduce your legal risk, but it’s not going to keep your data any safer than it was before. That’s where systems, policies, and procedures come into play.

When you’re looking for a marketing agency, you should ask them about these things. A good healthcare attorney can give you a good set of questions to ask, and the marketing agency’s answers should include encrypted systems, policies and procedures, and the other terms we’ve already mentioned.

The BAA Chain of Trust

The third thing that should be in place is that the marketing agency should have BAAs with its own subcontractors. For HIPAA compliance to exist there needs to be an unbroken chain of it. It starts at the covered entity and goes all the way down the chain to include whomever else the marketing agency needs to bring in to get its work done.


We do this at MarketVisory Group. There are third-party tools that we subscribe to, and we only choose HIPAA compliant tools. There are other marketing agencies that work as subcontractors for us, and we have BAAs with them. We’ve had to switch a couple of tools and subcontractors because they didn’t have BAAs or were unwilling to sign one.

We have no breaks in the chain from our clients down to the lowest level in it.

Everything Else

And then finally the catch-all: we’re going to call it all the other stuff. There are other components that need to be in place. We don’t claim to be experts on them outside of where marketing comes into play, but your healthcare attorney should be.

Get a Healthcare Attorney!

If you don’t have a healthcare attorney, we strongly recommend that you find one. Please don’t rely on your general business attorney to be an expert on HIPAA for you. The body of HIPAA law is different enough from contracts, leases, buy-sell agreements, and all the other things a good business attorney can do for you. We don’t think you should rely on a business attorney when it comes to healthcare law. We don’t in our practice.

You’re Ready to Have a HIPAA Compliant Relationship!

Let’s say you either have an agency or you’re thinking of finding one. What do you do?

You’re Evaluating New Agencies

Ask them about HIPAA, use this video, and take your healthcare attorney’s advice. Put those together and we think you’ll have a good checklist for covering all of your bases when evaluating agencies.

You’re Looking for a HIPAA Compliant Agency

If you don’t have one yet, just Google “HIPAA compliant marketing agencies” and you’ll get a good list. As you look at agencies, evaluate their compliance as we’ve described.

You’re Already Working with an Agency

If you’re already working with an agency and sharing protected health information with them, but you don’t have a HIPAA compliant relationship in place, we really, really, really recommend that you correct that immediately. Find that healthcare attorney, get that BAA, follow the steps in this video, and rely on what your healthcare attorney says. You might find that the agency you’re working with either can’t comply or won’t comply. No judgments! It’s not the easiest thing to become HIPAA compliant and stay HIPAA compliant, and not everybody’s willing to do it. But if you are in this situation, we really recommend that you switch agencies. It sounds painful, but you don’t need the risk exposure of a non-compliant relationship.

MarketVisory Group is a HIPAA compliant healthcare marketing agency. We’ve gone through all the steps to become compliant. We keep doing them to stay compliant. You can learn more about our HIPAA compliance here.

Thanks for spending your time with this video. Our library of Healthcare Marketing Rx videos continues to grow! If you have questions about anything here, please contact us.