Work with Marketing to Ensure HIPAA Compliance

HealthLeaders Magazine , By Chris Houchens for HealthLeaders News, November 2, 2006

It’s a familiar business fact that it’s much easier and cheaper to sell to your existing customers than it is to find new ones. Your former and current patients will be more receptive to your marketing efforts than someone who has never had contact with your organization. And all of the detailed personal information that you would need to market to these current and former patients is currently contained in their medical records that you possess. However, the methods and circumstances that you can use this internal database to market are now regulated by portions of HIPAA. But what are those circumstances? What types of activities are now under the glare of HIPAA? Actually, you’d be surprised what is and what is not. What HIPAA defines as marketing and what your marketing department considers marketing probably are vastly different. Some common marketing functions are not considered “marketing” by HIPAA, while other efforts such as community relations, public relations, or business development may qualify as marketing under HIPAA’s definition. In addition, HIPAA may require authorization for activities that it does not consider marketing but that are thought of as marketing by your business. The judgment relies upon how your organization uses or discloses personal health information. Therefore, it’s important for the privacy official (or PO) to look not just at your office’s “marketing” efforts, but all projects dealing with database marketing. Defining marketing HIPAA defines marketing as “making a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service.” For the most part, the privacy rule requires prior authorization from individuals when their PHI is used for marketing--but there are exceptions. HIPAA specifically excludes these three items from its definition of marketing, and permits communications by covered entities (or CEs) to patients and plan members:

  • Communications describing services or benefits to patients and plan members (e.g., a hospital sending a general mailing to patients to announce its new heart center)
  • Communications about patients’ treatments (e.g., a physician sending a general mailing reminding women to get an annual mammogram)
  • Communications related to the patient’s case management (e.g., an orthopedist sending a letter to a patient about follow-up physical therapy)
In addition, these two activities are considered marketing under HIPAA, but authorization is not required:
  • Face-to-face encounters between CEs and individuals (e.g., a physician suggesting use of a medication during a consultation)
  • Communications involving a gift of nominal value (e.g., an office giving away pens/calendars with the name of the office to patients)
If the marketing campaign does meet HIPAA’s marketing definition and doesn’t fall under these exemptions, a signed marketing authorization must be on file for the patient. The authorization is valid for only the specific marketing detailed in the authorization. A blanket open-ended authorization is not valid. The basic truth about marketing under HIPAA is that most of the marketing projects that your organization is doing are either not considered marketing by HIPAA or fall under one of the exceptions. Typically, health and treatment communications, as well as communications about your health-related products and services, are not considered marketing, even if they also promote or provide a clear benefit to your organization. The concern of any CE should be to keep an eye out for the small percentage of marketing initiatives that would fall under the privacy rule restrictions. Monitoring compliance The burden for making sure marketing efforts are HIPAA-compliant falls upon two people: the head of the marketing department and the PO. The marketing department must understand the parts of the privacy rule that apply to marketing and the use of protected patient data. And conversely, the PO must understand that the role of the marketing department is to promote the organization and grow revenue. The PO can help the marketing department develop a marketing campaign that is both compliant and successful. Most of the marketing initiatives that a CE would undertake, such as advertising and other mass marketing programs, need no oversight from a HIPAA perspective. However, anytime a database marketing project is undertaken, the PO should look at the marketing campaign to make sure it’s compliant. As regulatory oversight is provided for marketing projects, it’s important to not have the marketing department report to the PO, but for the departments to act as partners to make sure the facility is HIPAA compliant. In many organizations, some or all of the marketing functions are outsourced to an agency or other type of marketing consultant. Hopefully, you’ve hired an agency that is familiar with healthcare marketing. They should be versed in not only current HIPAA regulations, but all regulatory concerns dealing with marketing healthcare. If your facility’s marketing is outsourced, set up a meeting with the agency to ensure that the marketing is compliant with the law. However, even if most of the marketing is done in-house, it may be necessary for the marketing department to hire outside firms such as mail houses, telemarketers, and other businesses to perform certain marketing tasks. If you do not release PHI to these businesses, then this business relationship is outside the scope of HIPAA. On the other hand, if you do disclose PHI to the business, the business must sign a business associate contract before you release any PHI. Remember, in the end, it’s your responsibility to make sure the marketing is HIPAA-compliant, not the agency. You’ll receive the complaint and have to deal with the consequences. In my consulting and speaking practice, I have seen healthcare marketers dealing with HIPAA in one of three ways. Some entities have kept doing what they have always been doing with no changes and they take the risk of triggering complaints and fines. Most have attempted to follow the rules, even though they may not fully understand them. And some healthcare providers have stopped using their database for marketing. Healthcare entities should not be afraid to use their patient data in marketing efforts. HIPAA does not outlaw the use of medical databases. It just sets forth guidelines and procedures for making sure that organizations don’t use the private, personal information patients provides for their medical care in improper ways, which is good for the patient. It’s good for the marketer, too. While database marketing is effective, there still are people who don’t want to be on the receiving end of direct marketing. This is evident in the response to initiatives such as the state and federal do-not-call lists, do-not-mail lists, and opt-outs for electronic marketing. Not wasting resources and attention on recipients who have identified themselves as poor prospects increases the effectiveness and overall return on investment of a marketing campaign. In today’s cluttered market, a strong marketing program is an essential function for any healthcare organization. Increased choices and more competition for consumers’ attention means that the healthcare industry must stop thinking in terms of patients and start thinking in terms of customers. Database marketing is an important tool to reach out to these customers, and the fear of a HIPAA complaint should not stop you from using a database marketing program. However, there is a need to monitor the use of databases to make sure that you are not breaking the law or invading your patients’ privacy.
Chris Houchens is a marketing speaker, writer, blogger, and the owner of Shotgun Concepts, a marketing firm he founded in 1997. Chris was the reviewer and wrote the foreword for the HCPro, Inc. book, A Marketer’s Guide to HIPAA: Resources for Creating Effective and Compliant Marketing. He can be reached at chris@shotgunconcepts.com.