Acquia

HIPAA + Healthcare Marketing: How to Protect both Yourself and Patients’ PHI

Istock 187023332

According to the U.S. Department of Health and Human Services (HHS), more than 45 million people have had their personal health information (PHI) accessed in the last two years due to data breaches. That’s a staggering statistic; however because HHS doesn’t post information about breaches that affect fewer than 500 individuals, the true scope of health information breaches is likely larger still.

PHI security is governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), with later regulations adding on to HIPAA’s controls. Under HIPAA, the maximum civil penalty for healthcare organizations that violate patients’ PHI is $50,000 per violation, with a maximum fine of $1.5 million per violation category per year.

Breaches of patients’ health information can happen in ways beyond someone hacking into your organization’s electronic medical records (EMRs) or accessing your web server. For example, your marketing team’s personalization campaigns could put your organization at risk if you don’t have proper protections in place. It’s crucial to take steps to protect yourself and your organization from inadvertent HIPAA breaches during your personalization campaigns. It’s also important to choose the right agency partner to help keep you safe.

Potential Marketing HIPAA Violations

Most healthcare digital marketers are familiar with the requirements of not personally identifying patients treated by their organizations without the patients’ consent, whether that’s in ads, patient stories, images, or videos. Just as you wouldn’t publicize your sports medicine center having treated a famous athlete without first getting the athlete’s permission, the same guidelines apply for all types of patients.

But it’s not just these potential identifications you have to watch out for. Patients’ PHI can be breached by many simple actions they take on your website as a result of your marketing personalization campaigns. Users may unconsciously share information about their health conditions by submitting information for:

  • Classes
  • Newsletters
  • Contact Us submissions

Protect Yourself From HIPAA Breaches

One of the first protocols we recommend to our clients is to always capture patients’ consent to share their PHI in writing. Never rely solely on verbal consent. By having that written consent, it ensures the user understands what information you’re capturing and opts into sharing that information willingly.

In cases when users signing up for programs or communications on your website, you can capture consent by including a checkbox on your sign-up form that says users are agreeing to share potentially protected information. Alternatively, you can add language to the field where they input their email address stating that providing their address indicates that they are agreeing to share that potentially identifying information.

However, this sort of opt-in mechanism can be overused. If your user must fill out other forms on your website for necessary actions, don’t force them to share PHI in order to proceed. Make the opt-in fields optional, rather than requiring patients to agree in order to complete the form.

Our Proven Record of HIPAA Security

Our vast expertise in healthcare web and data systems means you don’t have to bring us up to speed on the rigid requirements of HIPAA data security. We know how to help protect clients and keep their patients’ data secure, and we’ve applied our security solutions to both Sitecore and Drupal sites.

We always ensure the security of patients’ PHI within the websites we develop, host, and maintain for our clients. Our website products have built-in encryption in place to protect forms and other items that might contain PHI. When we assign roles to users on our clients’ teams, we create specific roles for a limited number of users who have a legitimate reason to access patients’ health information, and those are the only users who can do so. In order to further protect patients’ data, we recommend that clients never store PHI in any location within the content management system (CMS) that is accessible to other content authors

Our clients also benefit from strong measures to protect their web and data servers from breaches. Layered security services are available through Azure for Sitecore sites and Acquia for Drupal sites. We also recommend periodic testing and scanning — usually on an annual basis at minimum — to ensure breaches can’t happen in your systems.

HIPAA violations are all too common in today’s digital healthcare landscape. If you lose patients’ trust by allowing breaches of their PHI, it’s hard to earn that trust back. Make sure you choose the right partner to help you keep patients’ data secure while allowing you the freedom to grow your organization’s business. Contact us today for more information on our healthcare-focused technology and data security solutions.

About the Author

Hiral Shah is a lead technical consultant on the digital health solutions consulting practice.

More from this Author

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to the Weekly Blog Digest:

Sign Up
Categories