" business associate agreement Archives - LuxSci

Posts Tagged ‘business associate agreement’

Healthcare Marketing: Are You HIPAA Compliant?

Tuesday, January 14th, 2025

Healthcare marketing is essential to growing your business successfully, but when you work in a regulated space such as healthcare, there are serious HIPAA compliance considerations that must be adhered to. Whether responding to an online patient review or trying to increase patient engagement through marketing campaigns, misunderstandings in marketing best practices can lead to patient privacy breaches.

Healthcare marketing and HIPAA work together through rules that healthcare organizations follow daily when promoting services and engaging patients. Healthcare marketing and HIPAA compliance affects everything from social media posts to email campaigns, requiring healthcare teams to understand when patient information can be used for promotional purposes.

HIPAA related healthcare marketing regulations distinguish between legitimate healthcare communications and marketing activities that need explicit patient permission, creating guidelines that protect patient privacy while allowing organizations to grow their practices.

Healthcare Marketing & HIPAA

A large part of HIPAA regulates what is appropriate for the use or disclosure of patient information. There are certain instances where the use and disclosure of protected health information (PHI) is allowed without patient consent. These instances include sharing PHI for treatment, payment, or healthcare operations.

However, before you can use patient information for marketing efforts, you need to receive explicit written consent from the patient. The consent form must be specific to the marketing efforts you will use the patient’s PHI in. For instance, if you would like to share patient testimonials, photos, or videos on your website or social media accounts, the patient must sign a consent form stating that you will use their information in this way.

HIPAA-compliant marketing also largely depends on an employee’s understanding of the law. Employees responsible for handling PHI must be trained to use and disclose PHI within the scope of their job role. Improperly trained employees can expose your practice to HIPAA violations and costly fines.

8 Common Misunderstandings With Healthcare Marketing and HIPAA

1. As long as patient consent is obtained, HIPAA doesn’t matter
Some organizations think they can use any marketing tool with a signed patient consent form. Still, the tool has to be HIPAA-compliant. Even if patients agree, it does not remove the organization’s obligations to secure PHI under the law. If protected health information is improperly accessed, it is still a breach and can lead to severe financial and reputational consequences.

2. Marketing emails do not need encryption
Many marketing emails imply a relationship between patients and providers and, as such, can often be classified as protected health information. PHI must be encrypted in transit and at rest to comply with HIPAA.

3. Personalizing marketing emails is a HIPAA violation
Marketing emails can be personalized as long as the proper safeguards and precautions are in place to protect patient privacy and meet compliance requirements.

4. Marketing companies do not need to sign Business Associates Agreements
As of 2013, the HIPAA Omnibus rule expanded HIPAA obligations to include business associates and subcontractors. Marketing agencies and vendors that process PHI on behalf of a covered entity must comply with HIPAA regulations, which include signing a BAA.

5. The only way to protect PHI is to use patient portals
TLS encryption meets HIPAA transport encryption requirements and provides a better user experience. Marketing emails sent with TLS encryption are more likely to be opened than those sent to a patient portal.

6. Using BCC is enough to keep patient identities private
BCC is NOT enough to protect patient identities. Although the end recipient cannot tell who else received the message, the entire list is visible as the messages are transmitted from server to server. The messages can be eavesdropped on by someone with technical abilities.

7. Always respond to social media reviews
Be extremely careful when responding to online reviews. Publicly confirming information about a patient’s health or treatment status is a HIPAA violation.

8. Healthcare marketing isn’t necessary or worth the hassle
Healthcare consumerism is rising, and patients are willing to change providers if they are unsatisfied with their experience. Educating and informing current and potential patients about your services is essential to improve new customer acquisition and retention.

How to be HIPAA Compliant In Healthcare Marketing?

The most crucial step is vetting marketing vendors and HIPAA compliance tools. Any vendor that handles PHI on behalf of a healthcare entity needs to sign a Business Associate Agreement that outlines how patient data will be stored, transmitted, and disposed of. Don’t choose a vendor who is unfamiliar with HIPAA’s stringent requirements. Also, watch out for quasi-compliance. Some self-identified “HIPAA-compliant” vendors can protect data at rest but not in transmission or require patient waivers to achieve compliance.

Next, always use encryption and default to security. Identifying PHI is often tricky, and the legal burden should not fall on the marketing team. By selecting technology that encrypts every marketing email, you can rest assured that messages are secure and compliant. A bonus tip- do not send marketing messages to an encrypted patient portal. Instead, send marketing messages with TLS encryption directly to patients’ inboxes. You will see much higher response rates and engagement.

Finally, to create the most effective marketing campaigns, use PHI to create segmented audiences and send them personalized content. These tactics are widely used outside the healthcare industry because they deliver results. *Remember that any tool you put PHI into must be HIPAA-compliant.

Social Media Marketing Under HIPAA Healthcare Marketing Rules

Social media platforms create challenges for healthcare marketing and HIPAA compliance because posts can inadvertently reveal patient information through photos, comments, or location tags. Healthcare organizations cannot post patient images, even from public areas of their facilities, without written authorization that allows social media use. Staff members need clear policies about what content can be shared on professional social media accounts and personal profiles that might identify their workplace.

Patient testimonials on social media require detailed authorization forms that specify which platforms will be used and how long the content will remain posted. Video testimonials need more detailed consent because patients may not fully understand how their image and voice will be used across different social media channels. Healthcare organizations must also consider whether patient testimonials posted years ago still have valid authorization and whether patients retain the right to request removal of their content.

Community engagement through social media allows healthcare organizations to share educational content, health tips, and general practice information without using patient data. Posts about new services, staff achievements, community health initiatives, and general wellness topics fall outside HIPAA healthcare marketing restrictions when they avoid references to patients or treatment outcomes. However, responding to patient comments or reviews on social media can quickly cross into impermissible disclosure territory.

Photography and video content for social media marketing must be planned to avoid capturing identifiable patient information in backgrounds or waiting areas. Even simple content like facility tours or staff introductions can inadvertently include patient information visible on computer screens, appointment boards, or patient charts. Healthcare organizations need protocols for reviewing all visual content before posting to ensure no protected information appears in social media marketing materials.

Email Marketing Personalization and Patient Data Usage

Personalized email marketing campaigns can incorporate patient information when proper authorization and security measures are in place. Healthcare marketing and HIPAA allows for segmentation based on treatment history, demographics, or service utilization when patients have consented to receive targeted marketing communications. However, personalization must be weighed against privacy protection, ensuring that email content does not reveal more patient information than needed for the marketing purpose.

Behavioral targeting in healthcare email marketing can use patient portal activity, appointment patterns, or service preferences to customize messaging without requiring extensive medical information. Patients who frequently access preventive care information might receive campaigns about wellness programs, while those who use patient portal features could get communications about digital health tools. This approach allows for relevant messaging while minimizing the amount of protected health information needed for personalization.

Dynamic content in marketing emails can reference patient names, preferred providers, or relevant services without including detailed medical information that might violate privacy rules. Email systems can populate patient information from authorized data sources while maintaining encryption and access controls that protect information during transmission. Dynamic content systems must include protections that prevent accidental inclusion of unauthorized patient information.

List segmentation for HIPAA healthcare marketing requires consideration of how patient groups are defined and whether those definitions reveal medical information. Segmenting patients by insurance type, geographic location, or general service categories may be permissible under healthcare operations, while segments based on diagnoses or treatment outcomes likely require marketing authorization. Healthcare organizations need clear criteria for determining when segmentation crosses from healthcare operations into marketing territory.

Vendor Management for Healthcare Marketing and HIPAA Compliance

Marketing technology vendors must sign Business Associate Agreements before handling any patient information for healthcare marketing campaigns. HIPAA and healthcare marketing rules extend to all third-party services that process, store, or transmit patient data, including email marketing platforms, customer relationship management systems, and social media management tools. Healthcare organizations cannot assume that vendors understand healthcare privacy requirements without explicit contractual agreements and compliance verification.

Cloud-based marketing platforms require attention to data location, encryption standards, and access controls that meet healthcare privacy requirements. Some marketing platforms store data in countries with different privacy laws or use subcontractors that may not maintain appropriate security measures. Healthcare organizations must verify that their marketing vendors maintain all patient data within approved geographic regions and comply with healthcare security standards throughout their service networks.

Integration between marketing platforms and healthcare systems creates compliance issues when patient data moves between different technical environments. Application programming interfaces, data synchronization processes, and automated workflows must maintain the same security protections applied to other healthcare information systems. Regular security assessments help ensure that marketing technology integrations do not create vulnerabilities that could compromise patient information.

Vendor compliance monitoring involves regular review of security practices, incident response capabilities, and staff training programs maintained by marketing service providers. Healthcare organizations need visibility into how their marketing vendors handle security updates, respond to potential breaches, and train their employees about healthcare privacy requirements. Annual compliance assessments and audit reports provide evidence that marketing vendors continue meeting healthcare privacy standards.

Campaign Analytics and Privacy Protection

Performance measurement for HIPAA healthcare marketing campaigns must weigh useful insights against patient privacy protection. Click-through rates, open rates, and conversion metrics can be tracked without exposing individual patient information when proper aggregation and reporting procedures are followed. However, detailed analytics that could identify individual patient behavior or preferences require the same privacy protections applied to other healthcare information.

Conversion tracking from marketing campaigns to healthcare services creates issues because it connects promotional activities with actual patient care. Healthcare organizations can measure whether marketing campaigns drive appointment bookings or service utilization without tracking individual patient journeys when proper anonymization techniques are applied. Aggregate reporting provides valuable insights about campaign effectiveness while protecting individual patient privacy.

A/B testing for healthcare marketing campaigns must ensure that test groups cannot be used to infer patient medical information or treatment status. Random assignment to test groups helps prevent bias while maintaining privacy protection, but healthcare organizations must avoid testing variables that might reveal protected health information. Test results should focus on aggregate performance differences rather than individual patient responses that might compromise privacy.

Patient feedback collection through marketing campaigns requires clear disclosure about how responses will be used and whether they will be connected to patient medical records. Survey responses, preference updates, and engagement metrics may constitute protected health information when they can be linked to individual patients. Healthcare organizations need policies that govern how marketing-generated patient data integrates with clinical information systems.

Content Creation Guidelines for Healthcare Marketing Teams

Educational content creation allows healthcare organizations to share valuable health information without using patient data or requiring marketing authorization. Blog posts, newsletters, and social media content about general health topics, treatment options, and preventive care serve legitimate healthcare communication purposes while promoting organizational expertise. However, content that focuses on provider services or competitive advantages may cross into marketing territory requiring compliance measures.

Patient story development for marketing purposes requires authorization that covers all intended uses of patient information across different marketing channels. Healthcare organizations cannot assume that general treatment consent covers marketing uses, necessitating separate authorization documents that specify how patient stories will be used in promotional materials. Patient stories must be reviewed to ensure they do not include more medical information than needed for the marketing purpose.

Visual content guidelines help healthcare marketing teams avoid inadvertent privacy violations when creating promotional materials. Photography in healthcare facilities requires protocols that prevent capture of patient information visible on computer screens, patient charts, or appointment schedules. Video content needs similar safeguards, with attention to audio that might include patient conversations or names in background discussions.

Compliance review processes for marketing content should include evaluation by both marketing professionals and privacy officers to ensure materials meet promotional objectives while maintaining privacy protection. Content review workflows can identify potential privacy issues before materials are published, preventing violations that might require expensive remediation or result in regulatory penalties. Regular training helps marketing teams understand how privacy requirements apply to their daily content creation activities.

Crisis Communication and Social Media Response Protocols

Online reputation management for healthcare organizations requires weighing patient concerns against maintaining privacy protection. Responding to negative reviews or social media comments can inadvertently confirm patient relationships or reveal treatment information that violates HIPAA healthcare marketing rules. Healthcare organizations need protocols that allow for professional responses without disclosing any patient information or confirming treatment relationships.

Public relations during privacy incidents must coordinate marketing communications with legal and compliance teams to ensure consistent messaging that does not compound privacy violations. Marketing teams may need to suspend certain campaigns or modify messaging during incident response periods to avoid appearing insensitive to privacy concerns. Crisis communication plans should include procedures for evaluating whether marketing activities should continue during privacy-related investigations.

Social media monitoring helps healthcare organizations identify potential privacy violations in real-time, allowing for rapid response before issues escalate. Automated monitoring tools can flag posts that mention patient names, medical conditions, or treatment details, enabling prompt removal or correction of problematic content. Monitoring systems must also comply with privacy rules and avoid creating privacy violations through overly broad surveillance of patient communications.

How LuxSci Healthcare Marketing Solutions Can Help

LuxSci’s Secure Marketing tool is an email marketing platform designed to meet HIPAA requirements. It allows marketing teams to segment audiences and personalizes emails to engage patients and improve marketing ROI. If you are already using a third-party email marketing platform, no worries, we got you covered. LuxSci’s Secure High Volume Email solution can integrate with any third-party platform to make sure those emails are also HIPAA compliant.

Find The Right HIPAA Compliant Email Marketing Automation Platform

Saturday, June 15th, 2024

If you are subject to HIPAA regulations think twice before sending off that marketing email blast to your customers. If your emails contain ePHI, stop and make sure you are using a HIPAA compliant email marketing automation platform before sending.

Not all email marketing platforms were designed with HIPAA marketing in mind. In fact, it can be difficult to figure out which vendors will allow you to send HIPAA compliant emails on their platforms. We created this list of five questions to help you screen potential HIPAA compliant email marketing automation platform vendors for compliance.

hipaa compliant email marketing

1. Is your email marketing automation platform HIPAA compliant and HITRUST certified?

It’s a simple question, but if the vendor does not mention anything about HIPAA or HITRUST certification on their website, it’s a good indicator that they are not secure enough to be compliant. As you probably know, HIPAA regulations can be onerous, and many companies do not have the time, expertise, or desire to update their technology. On the other hand, if they have taken the time and spent the money to invest in the serious security steps needed for HIPAA compliance, you should be able to find something about it in their marketing.

2. Will the vendor sign a Business Associate Agreement?

If you are sharing ePHI with a vendor (including lists of patient names and email addresses), you must have a BAA in place that outlines their responsibilities to protect your ePHI. If a vendor will not sign a BAA with you, it is an obvious sign that you cannot use their platform for HIPAA-compliant email marketing.

However, even if a vendor will sign a BAA, it does not mean that you can use their platform and comply with HIPAA. Read the fine print! Some companies have very restrictive BAAs that severely limit the functionality of the platform and prevent you from sending emails. We call these vendors “quasi” compliant. The only comply with HIPAA, if you abide by strict rules that prevent you from actually using their solution.

For an example, take Constant Contact. They will sign a BAA. However, they explicit state in their BAA that you:

“Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.”

Constant Contact does not encrypt outbound emails, making it a poor choice for a HIPAA-compliant email marketing vendor. Depending on your email use cases, you could be unable to send any emails on their platform. Even worse, if you mistakenly send emails that contain ePHI you will be held liable for violating HIPAA, not Constant Contact, because you violated the terms of the BAA.

3. Does the email marketing platform protect data at rest and in transit?

Encryption is an addressable standard as part of the HIPAA Security Rule. Encryption is highly recommended to protect ePHI in all digital communications.  Many email marketing platforms have adopted encryption methods that are secure enough to protect ePHI while it remains in their systems. However, that’s not enough to comply with HIPAA. You should specifically ask about their ability to encrypt outbound emails. Data in transit is extremely vulnerable to malicious actors, and therefore you need to encryption to protect emails containing ePHI. If a vendor does not provide encryption for outbound marketing emails then you should not consider using them.

4. How does the email marketing platform encrypt emails?

If a vendor says that they do encrypt outgoing messages, it’s important to consider these additional questions.

  • How are they encrypting those emails?
  • Do the encryption methods match your email use cases?

As a marketer, you want your emails to directly reach the recipient with as little friction as possible. If the recipient has to login to another platform to read the email, it’s unlikely to be read. A good HIPAA-compliant email marketing platform will use TLS encryption to send marketing messages directly to inboxes that support it. Emails sent with TLS encryption appear just like any other message directly in the recipient’s inbox.

However, there may be scenarios when you need to use more secure encryption methods. We recommend finding an email marketing vendor that is flexible and will let you select the right method of encryption for any type of message. For example, you may want to use a portal-based encryption method to send highly sensitive messages. Either way, make sure your vendor can support your needs with the right type of email encryption.

5. Does the platform allow you to send ePHI in the body of your emails?

Finally, the most important question to ask is: can I include highly sensitive patient information in an email? If you cannot, you can’t use the full power of the email marketing platform to create targeted, personalized and relevant messages. At best, you can only send generic office newsletters. If you want to create the types of marketing emails that will drive ROI and improve patient engagement, utilize your patient data for personalization and segmentation.

HIPAA Compliant Email Marketing Automation Platform

LuxSci’s Secure Marketing automation platform was built from the ground up with HIPAA marketing in mind. If you would like to learn more about how to create compliant email marketing campaigns utilizing ePHI, please let us know.

Rules for Using PHI in Patient Engagement

Friday, November 11th, 2022

As you know by now, we believe strongly in the benefits of using protected health information (PHI) to create highly targeted and personalized email campaigns. However, before you dive in and kick off your campaigns, you must be aware of the complex compliance requirements governing healthcare organizations’ marketing communications.

using PHI for patient engagement

Reminder: What is PHI?

PHI, or protected health information, is “individually identifiable protected health information.” Protected health information refers specifically to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

For protected health information to be “individually identifiable,” the data can be linked to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual. Any one of these identifiers, combined with “protected health information,” would constitute PHI.

It’s often more complicated than it looks. For example, if you are running email campaigns, an email address is an individual identifier because it can be connected to a specific individual. That, combined with the email content, which often refers to the name of the provider, information about their health conditions, insurance coverage, or upcoming appointments, means that most communications from a healthcare practice could qualify as PHI.

HIPAA Rules for Using PHI in Patient Engagement

HIPAA regulates patient privacy. Healthcare organizations and their associates must obtain consent and implement technical safeguards before starting marketing campaigns.

HIPAA Privacy Rule

According to the U.S. Department of Health & Human Servicesyou must acquire consent to send marketing communications under the HIPAA Privacy Rule. It reads, “With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.”

The Privacy Rule defines “marketing” as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” This also applies to many patient engagement communications.  

Generally, if the communication is “marketing,” then the communication can only occur if the covered entity obtains an individual’s authorization. Organizations must keep track of who has consented to receive marketing communications and allow them to opt-out at any time. We further discuss the nuances of patient consent for marketing communications here.

HIPAA Security Rule

All covered entities and their Business Associates are subject to the HIPAA Security Rule. If you are working with a vendor (like a marketing consultant, email marketing platform, or ad agency) that will have access to PHI, you need to enforce a Business Associate Agreement.

The HIPAA Security Rule categorizes the necessary safeguards into three categories: Physical, Administrative, and Technical Safeguards. More details about the requirements for each can be found here. Any vendor you choose to work with must follow these regulations. Some basic requirements include the following:

  • Physically protecting data and where it is stored,
  • Training staff on handling PHI, and
  • Setting up technology to protect PHI properly.

Assuming your patient engagement campaigns are primarily occurring via email, at a minimum, you must ensure that the email marketing vendor will:

  • Protect data at rest and
  • Protect data in transmission.

This means utilizing encryption to ensure that PHI cannot be eavesdropped on. Many popular email marketing vendors do not encrypt PHI in transmission. It’s extremely important to choose a provider who can protect PHI following HIPAA regulations.

hipaa compliant applications

The Benefits of Using PHI for Patient Engagement

Once you have established the proper policies and procedures, signed a BAA, and put any technical requirements in place, you can start segmenting and personalizing emails using PHI. Here are some segmentation and personalization ideas to get started.

By applying these techniques and using PHI in your patient engagement strategy, you can:

  • Design targeted patient journeys
  • Deliver better patient outcomes
  • Improve ROI and reduce costs

Contact us today to learn more about how to securely engage patients using PHI.

Business Associate Agreement: Explained

Monday, October 26th, 2020

If your organization collects, stores or processes electronic protected health information (ePHI) it will need a clear understanding of business associate agreements (BAAs). This also applies to businesses that process ePHI on behalf of other organizations.

Business Associate Agreements

Each business associate agreement stipulates how a company will share its ePHI with the respective business associate, and where the responsibilities lie. Unless your organization is a rare breed that has its own web hosting, email service, lawyers, accountants and every other aspect of its business in-house, then it needs to have these agreements in place with every provider that it shares ePHI with.

Read the rest of this post »

Is Skype HIPAA Compliant? If not, what is?

Saturday, May 9th, 2020

In recent times we have seen a huge push toward telehealth, so many are wondering, “Is Skype HIPAA compliant?” While Skype is a practical tool that many people have access to, it’s important to consider any regulatory obligations you need to meet before you use it.

If your business collects, stores, transmits or processes electronic protected health information (ePHI), then it is subject to HIPAA regulations. Organizations that process ePHI on behalf of other parties also need to stick within the rules, otherwise they may face heavy fines.

Regardless of whether your organization provides health services through video or it uses video platforms to process ePHI in any other way, it needs to make sure it is using software that abides by the regulations.

Wondering, “Is Skype HIPAA compliant?” is a good starting point, but there are several things to consider before you commit to a video conferencing service.

Do You Need a BAA to Make Skype HIPAA Compliant?

A business associates agreement (BAA) is a contract between your organization and any others that process its data. In essence, these agreements outline how ePHI will be used, what control measures will be in place, and where the responsibilities lie between the two parties.

BAAs are absolutely necessary for HIPAA compliance. Even if your organization and its partner share ePHI with every control and security mechanism imaginable, as well as following all other aspects of the regulations, it would still be violating HIPAA if a signed BAA was not in place.

If your organization is going to be sharing ePHI over a video service, then it needs to be HIPAA-compliant.* However, the only way that it can be HIPAA compliant is if a BAA is in place.

Is Only the Business Version of Skype HIPAA Compliant?

Skype comes in several different versions, but the basic, consumer oriented one is not HIPAA compliant. The only type that offers BAAs and which could be made HIPAA compliant is Skype for Business, which is one of Microsoft Office’s business communication tools.  Note that “Skype for Business” is a completely different service than consumer Skype. 

However, it’s also worth noting that Skype for Business is currently being phased out in favor of Microsoft Teams. If you don’t already have a supported version of Skype for Business, you should look for HIPAA-compliant alternatives instead. Support for Skype for Business Online ends in 2021, while support for Skype for Business Server will be extended until 2025.

With this in mind, it’s probably not worthwhile pursuing any version of Skype for HIPAA compliance. If you use the basic version of Skype, you will be violating the regulations, and even if you can get Microsoft to sign a Skype for Business BAA, you may have to switch your software in 2021 anyway.

HIPAA-Compliant Alternatives to Skype

Considering that Skype for Business doesn’t have much time left and that it is not even the same as “regular Skype,” your organization will be better off finding a HIPAA-compliant alternative. One option is LuxSci’s SecureVideo, which was designed specifically to make it easy to stay within the regulations.

SecureVideo was developed from the ground up with HIPAA compliance in mind, ensuring that it became a practical video calling service that made security and compliance simple. The Zoom for Healthcare-based platform is great for telemedicine and other forms of sharing ePHI.

SecureVideo includes handy features like screen-sharing, file-sharing, and virtual clinics, with a capacity of up to 100 participants. This makes LuxSci’s SecureVideo a convenient and compliant alternative to Skype.

 

* During the Covid-19 pandemic, HHS has waived responsibility for breaches through non-compliant video conferencing services, like Skype. So, while Skype may not be compliant, it is OK to use during the pandemic. However, as the pandemic subsides and this waiver is lifted, you should have transitioned to a service that is actually HIPAA compliant.