This is for General Information! We are not Attorneys

We are a HIPAA compliant healthcare marketing agency, but we are not lawyers. We’re providing this information based on our experience as a HIPAA compliant agency. It’s general information about running HIPAA compliant paid ads online for our clients, based only on our experience. Please do not construe this as legal advice.

Please do consult with your healthcare attorney for specific questions. And throughout this video, you’re going to hear me refer to healthcare attorneys a few times. They’re really good to have. They’re different from a general business attorney. Healthcare laws are much more specific. If you do not have a healthcare attorney, we highly recommend that you find a good one.

Paid Ads Online Can Be Valuable

If your goal is to get to the top of search results on Google, Bing, and any other search engine as fast as possible, then paid ads on those search engines should be in your considerations. Typically, paid ads can do this faster than organic search results can.

Another value that paid ads can deliver, particularly on social media platforms, is targeting: a paid ad can be aimed at very specific groups or profiles of people in a way that most organic posting cannot do on its own. Whether or not you think that crosses a line, you can get very granular and very specific about who you target on social media platforms with your ads.

There Are SO MANY Places To Advertise Online

Some of them are Google Ads, Bing Ads, and Facebook. Separate from the HIPAA discussion, if you’re going down the road of paid ads, you’ve got a lot of choices. As you think through the best choices for you, take the time to do that carefully, because some work better than others depending on your goal.

Online Ads Can Expose Information That Crosses Into PHI

Online ads are one of the places where PHI can be exposed when you’re doing paid ads online, just as PHI can be exposed in lots of other places.

An advertising platform can know PHI if it can pair who someone is with their health status. Different ads platforms have their own terms with regard to HIPAA compliance, and you’ll need to check each platform’s terms separately (more on that below).

How does an ad platform know who someone is? The platform collects that user’s IP address. How can an ad platform discover someone’s health status in a way that means you disclosed PHI? You disclose their health status. How could you do that? When someone visits your site through your ad, they land on content so specific that it’s difficult not to discover their health status from it.

Don’t Help Ad Platforms Discover PHI

To deal with this, for ad platforms that are not HIPAA compliant, only have ads point to general information. For example, if you have an ad that says you are the best physical therapists in the area, and somebody clicks through the ad to your home page, you’re fine. A homepage’s content is far too general for anyone to discern what that site visitor’s health status is.

Retargeting – Be Very Careful!

There’s a particular type of ad strategy called retargeting. Google does a lot of this, but Google isn’t alone. What’s retargeting? Think about the last time, or the next time, you click on an ad. For the next six months, you see ads from that same advertiser everywhere you go online. You’ve been retargeted.

Retargeting relies on something called a cookie. Maybe you’ve heard of it. A cookie is a small piece of data that the ad platform deposits in your browser when you click on the ad. Now the advertiser knows where you are and knows who you are. Whenever they serve out more ads, they can serve them just to the browsers where their cookies are. That lets them show you much more specific ads if they choose.

This is where you start to get into HIPAA land: if the ads you deliver, or the content the user lands on after clicking the link in your ad, get specific enough that the platform can learn someone’s specific health status, you have a problem. The answer is not to send out ads that are that specific, and not to point them at landing content that is that specific.
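To make the mechanism concrete, here is an added example (not code from the original post or from any ad platform) that models what a retargeting tag reports when it fires on a page, and a simple gate that keeps the tag off pages specific enough to reveal health status. The page paths, the `ad_id` cookie name and the cookie value are constructed assumptions.

```javascript
// Pages general enough that a visit says nothing about a visitor's health status.
// Constructed allowlist; a real site would maintain its own.
const GENERAL_PAGES = new Set(["/", "/about", "/locations", "/contact"]);

// What a third-party retargeting tag typically reports back to the ad platform:
// a persistent identifier (the retargeting cookie) plus the page it fired on.
// Pairing these two is exactly how a platform can learn "who" and "what".
function buildTagBeacon(pagePath, cookies) {
  return {
    visitorId: cookies.ad_id || null, // "who": the retargeting cookie (assumed name)
    page: pagePath,                   // "what": the content they viewed
  };
}

// Normalize trailing slashes so "/about/" and "/about" are treated alike.
function normalizePath(pagePath) {
  return pagePath.replace(/\/+$/, "") || "/";
}

// Fire only on allowlisted general pages. A treatment or condition page
// would let the platform pair visitorId with a health status.
function mayFireRetargetingTag(pagePath) {
  return GENERAL_PAGES.has(normalizePath(pagePath));
}

// Decide what, if anything, the tag sends for this page view.
function handlePageView(pagePath, cookies) {
  if (!mayFireRetargetingTag(pagePath)) {
    return { fired: false, reason: "page too specific; retargeting tag suppressed" };
  }
  return { fired: true, beacon: buildTagBeacon(pagePath, cookies) };
}

// Constructed sample: a homepage click-through versus a condition-specific page.
const sampleCookies = { ad_id: "visitor-12345" }; // constructed value
console.log(handlePageView("/", sampleCookies));
console.log(handlePageView("/treatments/knee-replacement-rehab", sampleCookies));
```

The homepage view reports only an identifier plus a generic page; the treatment page view fires nothing, so the platform never receives the pairing that would amount to PHI.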

How Do You Tell if You’re Using HIPAA Compliant Ads Platforms and Providers?

Generally speaking, two things have to be true:

  1. They sign a BAA with you
  2. They talk the talk

Signing a BAA

BAA stands for business associate agreement. BAAs are required by HIPAA. They’re very dense, legal documents. They can be a dozen pages, but generally speaking, here’s what they cover with respect to PHI:

  • What’s required of you as the Covered Entity
  • What’s required of the Business Associate (your marketing agency or an online forms provider, for example). If you’re using a marketing agency and they are using a third party forms company, you need to have a separate BAA with both of them.
  • How each of you stores it
  • How each of you protects it from theft and loss
  • How each of you transmits it
  • What happens if there’s a breach, God forbid: which party does what, how long they have to do it, who pays for what, and who is responsible for what
  • Much more

With a BAA in place, the Office for Civil Rights (OCR) is much happier. OCR is the federal agency that will investigate a breach or conduct an audit. There are usually state agencies as well.

They Talk the Talk

The other broad category of things that you want to see is that they talk the talk. They use appropriate wording on their website or their materials like:

  • encrypted systems
  • log in to get your data
  • secure storage
  • HIPAA compliant website forms or HIPAA compliant online forms


You don’t have to see all of these terms. But you want to see terms that at least sound like these. Inside each term are more specific descriptions of how they do each one, not to great levels of detail, but they give you some assurances that they’ve thought this through and that they’re doing these things.

Are Your Ads Platforms and Service Providers HIPAA compliant?

If you’re going to do it on your own, start easy. Go to their website, go to the homepage, scroll down to the bottom, and look for their privacy policy or their terms, or both. Click on them, open them up, and scan. You’re looking for the words “HIPAA compliant” or “HIPAA.” If they say they are, great. If they don’t, then either call them yourself or, even easier, go to whoever developed your website and ask them. Usually whoever built your website also plugged in the forms and designed the forms for you. They’ll at least know who they’re using, and then you can ask them to research it, or they can give you the name and you can do it yourself. One way or the other, we really do think you ought to find out if the online forms provider that you’re using is HIPAA compliant.

What If They’re Not HIPAA Compliant?

We can see four options for you.

  1. Keep using the service but stop sharing PHI with it. It’s okay to use a platform that is not HIPAA compliant as long as you do not share PHI with them.
  2. Get a BAA in place. Maybe the service is HIPAA compliant, but you don’t have an executed BAA in place with them. In that case, either sign their BAA or give them yours to sign.
  3. Stop including paid ads online in your marketing plan. If the service you’re using isn’t HIPAA compliant and you feel you must share PHI in order to do it the way you want, then an option is to stop doing ads altogether. If you stop, you can’t share PHI.
  4. Switch to an Ads Platform and Provider that is HIPAA compliant.

Take our Free HIPAA Marketing Assessment

Marketing and HIPAA can and do overlap. If this topic has made you wonder, even a little bit, about your practice’s marketing and HIPAA compliance, our PracticeCare® HIPAA Digital Marketing Assessment can help you get started to figure it out.

It’s free and takes about 10 to 15 minutes. It’s a series of questions that cover what we know are the more common areas where digital marketing and HIPAA can overlap. It’s designed to be a good start to help you see if you have any gaps in your HIPAA compliance with respect to digital marketing and then some ideas of what you can do. Once you fill it out and submit it, we will send your assessment right away.