" ePHI Archives - LuxSci

Posts Tagged ‘ePHI’

6 Email Marketing Best Practices for Healthcare

Tuesday, November 14th, 2023

Email marketing can be a powerful tool for healthcare organizations, but it requires careful planning and execution because of HIPAA compliance requirements. In this blog post, we will discuss email marketing best practices to help healthcare marketers achieve their goals. 

woman viewing email program

1. Define Your Campaign Goals

The success of any email marketing campaign depends on the goals you want to achieve. However, because healthcare organizations are often not selling products to their patients, marketers can be confused about how to set measurable goals for their campaigns that aren’t tied to revenue generation.

Healthcare marketers want to use email marketing campaigns for various purposes, including patient engagement, education, and retention. Some possible objectives of your campaigns could be:

  • New patient acquisition
  • Re-engaging lapsed patients
  • Spreading awareness about vaccines, treatments, or medical conditions
  • Increasing treatment or medication adherence
  • Collecting survey responses or patient-reported outcomes

All of these campaign objectives will correlate with different metrics. Identifying the campaign goal and the corresponding metrics you need to track is critical before selecting the audience and crafting the content.

2. Select Your Audience

Gone are the days of sending giant email blasts to your entire contact list. The best email marketers are creating highly targeted campaigns for specific audiences. Healthcare marketers using patient data in their audience targeting efforts are at an advantage. They can use patient information to create distinct audience segments. Targeting a patient population with common attributes makes it easier to craft a relevant message to drive clear results. For example, marketers can create more relevant campaigns when they can divide their patient population into subgroups based on shared characteristics like diagnoses, risk factors, and demographic data.

3. Personalize Your Content

Once you have clearly defined your goal and your audience, it’s essential to use personalization techniques to craft relevant messaging. Healthcare consumers expect more personalization from their providers and want to receive messages that tie into their past experiences. Generic, irrelevant messaging is more likely to annoy patients than get them to act. Healthcare marketers are lucky to have a wealth of data points to use in their messaging, but they must be aware of patient privacy and take steps to secure their messaging. When you have taken the appropriate steps to secure patient data, including protected health information in email messages is possible. This improves the patient experience and makes it easier for healthcare marketers to achieve their objectives.

4. Use A Clear Call-to-Action

Your emails should include a clear call-to-action (CTA) that encourages your audience to take the desired action. These actions may include scheduling an appointment, downloading a resource, logging into a patient portal, filling out a survey, or contacting your organization. Ensure that your CTA is prominent, stands out from the rest of your content, and ties back to the goal of your campaign. Most importantly, implement appropriate tracking technologies so you can see how many email recipients followed through on the CTA.

Don’t include too many calls to action in one message! Including multiple prompts may confuse the recipient and make it more difficult for your team to understand how the campaign performed.

5. Review Your Data

Finally, it’s essential to monitor your email metrics to evaluate the success of your campaigns. Some key metrics may include open rates, click-through rates, surveys completed, successful logins, appointments scheduled, and other relevant metrics that tie back to your goals. Use this data to refine your email marketing strategy, trigger follow-up campaigns and marketing activity, and optimize future campaigns. Use APIs or webhooks to ensure your email campaign statistics are tied into marketing dashboards to get a holistic view of how your campaigns are performing.

6. Choose an Email Marketing Platform Designed for Healthcare

Finally, to use the tactics recommended above, it’s necessary to use a HIPAA-compliant email marketing platform. Segmenting audiences and personalizing content requires the use of protected health information. Therefore, it must be secured in compliance with HIPAA. You must select a platform that can protect data both at rest and in transit to utilize the power of your data fully.

LuxSci’s HIPAA-compliant Secure Marketing was designed to meet the needs of healthcare marketers and enables the use of PHI at scale. Contact our sales team to learn more about our capabilities and email marketing best practices.

Improve the Patient Experience with Personalized Patient Engagement

Tuesday, November 7th, 2023

Patient expectations of healthcare providers have dramatically changed in the last decade. The introduction of technology and the widespread adoption of digital communications in other industries have increased the pressure on healthcare providers to provide a comparable experience.

The 2023 Healthcare Consumer Perspectives on Digital Engagement and AI report conducted by Dynata Research found that more patients are adopting digital tools to manage their health and want their providers to provide a consistent experience across all channels. To improve the patient experience, a personalized patient engagement strategy is necessary.

Personalized Patient Engagement Improves the Patient Experience

Healthcare organizations manage so much data that can be used to improve the patient experience. As audience segmentation and personalization techniques have become more common in other industries like e-commerce and personal care, consumers are starting to expect the same experiences from their healthcare providers.

For example, media streaming services make personalized recommendations for new shows based on what you have previously watched. People like these features because it helps them discover new content they may not know about. Likewise, patients are beginning to expect a similar personalized patient engagement experience from their healthcare provider. Suppose a patient wants to control their diabetes diagnosis and communicates with their provider about this at an appointment. Afterward, when they log into the patient portal or receive follow-up information, they expect to receive relevant information that aligns with that provider’s conversation.

survey data patient preferences

Proactive, personalized patient engagement can also drive patients to make the right choices in managing their health. By sending patients the correct information at the right time in the context of their individual health journey, it is easier for them to manage their own health.

Shifting Preferences for Digital Tools Enable Personalized Patient Engagement

As more people are open to incorporating digital tools into their healthcare journeys, it has revealed new patient engagement opportunities. Several reasons led healthcare organizations to embrace digital tools. The coronavirus pandemic kicked off a necessary wave of digital transformation because of the rapid transmission of the disease through close contact. The desire to use these tools has remained strong even after institutions largely reopened in 2021. Patients have also shown no desire to go back to the way things used to be. Digital channels and tools like patient portals, email, medical devices, and mobile applications all make it easier for patients to manage their health on the go.

shifting digital preferences survey data

As patient preferences have shifted to embrace digital channels and technologies, organizations that can implement digital-first personalized patient engagement strategies intelligently are more likely to have satisfied and healthier patients. However, healthcare organizations must strive to provide a consistent experience across both in-person and digital avenues. According to the survey, the number one reason consumers would consider changing their healthcare provider is “complex or confusing experiences.” Poorly implemented and executed patient engagement can negatively impact the patient experience and retention, so it’s essential to be thoughtful in your approach.

How to Personalize the Patient Experience

Traditionally, HIPAA compliance requirements have made it difficult for healthcare providers to utilize protected health information (PHI) in personalized patient engagement efforts. Using PHI in communications is vital to craft messaging relevant to the patient’s health journey. However, when transmitting and storing PHI, HIPAA regulations must be followed to protect patient privacy.

The first step to executing personalized patient engagement involves selecting the right tools. Many traditional digital engagement tools are not designed to meet these stringent encryption and security requirements. By selecting tools that meet HIPAA’s technical requirements (like LuxSci’s Secure Marketing and Secure High Volume Email) and properly training employees, healthcare teams can employ the same segmentation and personalization techniques to reach patients with relevant and consistent communications.

Conclusion

Personalizing patient engagement is one way to improve patient marketing and retention. Contact us today to learn more about improving the patient experience with secure email communications.

How Online Tracking Technologies & Data Collection Threaten Patient Privacy

Tuesday, October 10th, 2023

Many healthcare marketers use online tracking technologies to gather user information as they interact with a website or mobile application. After several breaches tied to improper uses of third-party tracking pixels, the Department of Health and Human Services has clarified that data collected via online tracking technologies are often PHI and must be secured according to the Privacy Rule. This decision has put many organizations at a crossroads- how can they balance patient privacy with the financial pressures to grow their business and provide a superior digital experience?

online tracking technologies

What are Online Tracking Technologies?

Tracking technologies collect information about website visitors in various ways, many of which are invisible to the user. Some of the most common types of tracking technologies include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. Mobile apps also include tracking codes within the application to enable the collection of user information.

After collecting the information, it is analyzed to create insights about users’ online activities. Marketers often use the data to create highly targeted advertising campaigns. In the case of third-party tracking technologies, they may continue to track users and gather information about them even after they leave and visit other websites. You’ve likely experienced this when online shopping. You look at a pair of shoes on a retailer’s website, and then they continue to follow you and appear as ads as you browse other websites and social media platforms. However, if you replace ads about shoes with advertisements for treatments for an individual’s medical conditions, this raises serious patient privacy concerns.

What Does HIPAA Say About Online Tracking Technologies & Data Collection?

Online tracking technologies have been widely utilized for over a decade but have only recently been considered in the context of health data privacy. The Dobbs vs. Jackson Women’s Health Organization decision by the Supreme Court in June 2022 kicked off a wave of reporting on how reproductive health information was collected and sold online. Some worried that this information could be used in court cases to convict people who sought abortions, leading to significant concerns over digital health data privacy.

In this context, researchers began looking at the websites of major health systems to explore how they used trackers to collect and transmit data. A study revealed that 99% of US hospitals employed online data trackers that transmitted visitors’ information to a broad network of outside parties, including major technology companies, data brokers, and private equity firms. Some hospitals even employed these trackers on internal patient portal web pages, potentially exposing highly sensitive patient data to advertisers.

As a result of the confusion surrounding this issue and the seemingly clear violation of HIPAA rules, OCR issued a bulletin explaining how covered entities can and cannot use tracking technologies on their websites.

You would think that is the end of the story. However, there is still a lot of confusion surrounding the proper use of these technologies. In July 2023, the FTC and OCR issued another warning to 130 hospital systems that continued deploying online tracking technologies despite the bulletin.

Gray areas still exist in how the bulletin is interpreted. The American Hospital Association recently asked OCR to reconsider its guidance, stating it contradicts interoperability efforts. As this situation evolves, healthcare providers must be aware of the risks of online tracking technologies and how they can balance risk with their business objectives.

How is this Data Protected Health Information?

One of the reasons this issue flew under the radar for so long is that it is not necessarily obvious that the information collected by these pixels qualifies as PHI. It may not be evident to end-users, but tracking technology vendors can infer a lot of personal data through tracking technologies placed on a healthcare provider’s website. Some of the information that can be captured by tracking technology could include:

  • medical record numbers
  • email addresses
  • appointment dates or requests
  • IP addresses
  • medical device IDs
  • geographic locations

Marketers may not realize that individually identifiable information collected on a covered entity’s website or mobile app is often protected health information (PHI). Even if the individual has no pre-existing relationship with the healthcare provider, DHHS’s recent update is clear that this information is protected. Collecting this information establishes a relationship between a covered entity and an individual relating to their past, present, or future provisioning of health care. A visit to a healthcare provider’s website may be the first step taken by a future patient in accessing healthcare treatment.

There is always some gray area when defining PHI, but it’s better to be safe than sorry in this case. If you are using any online tracking technology, you must confirm that it is processing and transmitting data in a way that aligns with HIPAA regulations.

How Healthcare Marketers Can Protect Patient Privacy

First of all, if you plan to use tracking technology on your website, the vendor needs to be a business associate of your organization. In these circumstances, covered entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) that outlines how PHI will be protected.

Think carefully about what data needs to be collected and why. In other industries, collecting user data and selling it to third parties or using it in advertising efforts is very common. Healthcare marketers must be more intentional in using online tracking technologies and take additional steps to ensure the data is processed and transmitted securely. Do not install tracking pixels without careful consideration. As many hospital systems learned, failing to do so can have profound privacy and compliance implications.

If you want to follow up with patients who browsed your website for available appointments, you must ensure their data is secure from when it is collected through the transmission to other systems. For example, a patient may enter their name, email address, phone number, and desired appointment time into an online form. When they click “Submit,” where and how is this data transmitted and stored? As they browse the available appointments and doctors, your system may log which web pages they visit and store them in a CRM, CDP, or another platform. If they leave without making an appointment, what do you do with the data you collect? If you transmit this data to other advertising or marketing platforms, you will also need business associate agreements with those vendors. As you can see, it can get complicated very quickly.

HIPAA-Compliant Marketing Technology

LuxSci’s Secure Form and Secure Marketing technologies offer a few ways to address the patient privacy issues associated with online data collection and transmission. Our fully HIPAA-compliant solutions enable you to securely collect data on your website and use secure email to engage prospects. Contact our sales team to learn more today.

Is TLS Email Encryption Suitable for Compliance?

Tuesday, September 19th, 2023

This article discusses what types of email encryption are sufficient to comply with government regulations. TLS email encryption is a good option for many organizations that manage sensitive data. However, it does not protect data at rest. Each organization must perform a risk assessment to determine which encryption methods suit their legal requirements.

Read the rest of this post »

When Do Online Forms Need to Be HIPAA-Compliant?

Tuesday, August 22nd, 2023

When it comes to digital data collection, there is often a lot of uncertainty surrounding the HIPAA compliance requirements for online forms. We often have customers ask if their website forms need to be HIPAA-compliant.

The short answer is that securing patient data is always recommended. You never know what types of information individuals will volunteer in an online submission. It is always a good idea to prepare for the possibility of sensitive information being entered into an online form to build trust with your users.

person entering info into login form

Criteria for HIPAA-Compliant Online Forms

Note: the following is suggested advice from LuxSci based on our understanding of HIPAA; however, this should not be taken as legal advice. We advise you to consult your lawyer for accurate legal advice on your particular situation.

HIPAA requires that all Protected Health Information (PHI) be secured to protect the privacy of the individuals identified in the PHI. If your form falls into both of the following categories, it must conform to HIPAA standards:

  1. You are a Covered Entity or Business Associate and,
  2. The form collects PHI.

Let’s look at the two criteria to determine if your forms need to be HIPAA-compliant.

1. Does HIPAA Apply to Your Organization?

HIPAA applies to your web form if your organization is a Covered Entity. It also applies if you are a Business Associate of a Covered Entity and collect data on their behalf.

HIPAA defines a Covered Entity as an organization that falls into one of the following categories:

  1. Care: You provide services or supplies related to an individual’s physical or mental health care. This includes (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure concerning the physical or mental condition or functional status of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other items by a prescription.
  2. Provider: A provider of medical or health services or any other person or organization who furnishes, bills, or is paid for health care.
  3. Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system, or community health information system, and “value-added” networks and switches that either process or facilitate the processing of health information.
  4. Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care. The law specifically includes many organizations and government programs as health plans.

Covered Entities contract with Business Associates to process PHI on their behalf. In this scenario, a good example of a Business Associate is a website developer or marketing agency hired to create a website or application for a Covered Entity. They are responsible for protecting PHI on the website and must comply with HIPAA regulations.

2. Does the online form collect PHI?

So, HIPAA applies to your organization. Next, we must determine if a particular web form needs to be compliant. The second criterion is, does the form collect Protected Health Information?

What is ePHI?

ePHI is individually identifiable, protected health information sent or stored electronically. “Protected health information” can include information about an individual’s:

  1. Past, present, or future physical or mental health
  2. Past, present, or future provisioning of healthcare
  3. Past, present, or future payment-related information for the provisioning of healthcare

“Individually identifiable” information includes all information used to determine which specific individual is involved. There are 18 identifiers for an individual (listed below), and together with health information, they constitute PHI.

  • Name
  • Address (all geographic subdivisions smaller than the state, including street address, city, county, and zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

As you can see, a lot of data qualifies as “health information,” and just about every type of web form will collect individual identifiers. Even if your form doesn’t request health information, sometimes people will volunteer it to get faster responses. Covered entities are responsible for securing this data in compliance with HIPAA regulations. In many cases, it’s easier to make all online forms HIPAA-compliant rather than trying to lock them down to prevent the insecure transmission of health data.

Examples of HIPAA-Compliant Online Forms

Some online forms are explicitly designed to collect protected health information. Here are some examples of web forms that generally must be secured to meet HIPAA compliance standards:

  1. Appointment and Referral Requests: These will collect identifiable information about the person requesting the appointment. The request for the appointment should be considered information about “future provisioning of health care to an individual.” Furthermore, requesting an appointment may imply information about “an individual’s past, present, or future physical or mental health or condition.”
  2. Patient Intake Forms: These forms usually enable prospective patients to provide information about themselves for one purpose or another. These forms collect identifiable information about “an individual’s past, present, or future physical or mental health or condition.”

Some examples that might not be considered in the collection of PHI (depending on the exact context of the site) because, while they are individually identifiable, they may not include or imply health information for that individual:

  1. Contact Requests: The website visitor is merely asking for a call or email with no specified reason.
  2. Purchases of products that do not require a prescription: Purchasing a product does not imply who is to use it unless that product is restricted (e.g., via a prescription). Of course, this may also depend on whether you collect health information as part of the purchase for future marketing purposes.

Anything that identifies the person and relates to that person’s health or healthcare should be considered PHI and protected. It’s also important to note that as technology has advanced and online tracking has become ubiquitous, it’s possible to infer more about an individual and their health conditions indirectly. It is essential to proceed cautiously and recognize that even the smallest information you collect about a website user is part of a more extensive online profile.

Other industries can get away with not being secure. But why would you? People are afraid and paranoid about identity theft and information leakage on all sites, not just ones related to medical information. Anything a website can do to make visitors more comfortable and secure will improve trust and conversions.

What About Consent for Insecure Transmission?

As a follow-up question, we are often asked if there can be a checkbox on the form that patients can click to consent to use an insecure, non-compliant form. Presumably, if they do not click, they cannot submit the form.

This practice is highly advised against and is almost certainly not HIPAA-compliant. You should consult with a lawyer to ensure it is okay if you have a compelling reason to use this method.

To understand why this is a bad idea, consider “Mutual Consent.”

Under HIPAA, Mutual Consent to transmit ePHI insecurely seems to be allowed if:

  1. You and the patient agree that insecure transmission is okay,
  2. The patient has been appropriately advised of the security risks involved,
  3. The patient agrees in writing that insecure transmission is okay, and
  4. The option for HIPAA-compliant transmission is available by implication.

However, this overcomplicates the process. It is much simpler to have secure web forms by default. You will not need to provide waivers, keep track of who has opted in/out, and maintain two different submission options.

The only case where this could be considered possibly under the HIPAA radar (again, please consult your lawyer) is if:

  1. Your insecure form has a clear section advising the users of the risks of submitting their data via this form.
  2. That warning is understandable to most laypeople without further explanation.
  3. They must check a box (or sign their name) to consent to the insecure form transmission.
  4. You may need to show that they understood and agreed to the risks and didn’t just click without reading.
  5. When you collect the form data, you save and archive all of these consent agreements in case of a breach, and you need to prove that insecure sending was allowed and the user was well informed of the risks.
  6. You have another option available to the user if they do not accept the risks, e.g., Submitting the form securely, calling you via a phone number, printing and mailing in a physical form, etc.

You burden the end-user significantly by adding warnings and consent to online forms. No one wants to read through disclaimers and checkboxes before completing a submission on a general website form. As always with the web, keep it as simple as possible for maximum results. In this case, that means no consent, no warnings, just simple, secure submission.

Conclusion: Set Up HIPAA-Compliant Online Forms Today

LuxSci’s Secure Form solution is designed to meet HIPAA compliance requirements for online data transmission and storage. Contact our sales team today to learn more about our options for secure online engagement.