When engaging in medical advertising or marketing, healthcare organizations and professionals have to be aware of how certain activities and information are regulated under the Health Insurance Portability and Accountability Act (HIPAA). Penalties for HIPAA violations can be steep – regardless of whether your organization is a small physician’s office or a large hospital system – so being familiar with HIPAA in a marketing context is a must.
What is covered by HIPAA?
HIPAA is concerned with empowering people who live in the United States to have control over their personal health information (PHI). The act ensures that patients should have timely access to their medical records and have an expectation of privacy for their PHI shared at healthcare institutions. Any medical records or health information that’s individually identifiable falls under the purview of the rule. Obviously, this act isn’t just targeted at marketing activities, but at any of the operational and business situations in which a patient’s personal health information (PHI) may be illicitly accessed, heard, or seen by someone unauthorized to have that info. So a receptionist with loose lips who shares patient info with friends, an unsecured hospital server with sensitive patient information that gets hacked, or a marketing email that uses sensitive info that the patient did not authorize for marketing use could all be penalized for HIPAA noncompliance.
Anyone can report a potential HIPAA violation to the government, so a disgruntled individual doesn’t have to hire a lawyer or jump through a lot of hoops to file a complaint. They just have to get on their computer and provide their information. That makes HIPAA a major source of regulatory risk.
Marketing vs. Advertising Under HIPAA
Marketing activities, many of which fall under the purview of what agencies and healthcare organizations would call medical advertising, are regulated under HIPAA. Fundamentally, certain forms of advertising carry far fewer risks for HIPAA noncompliance due to their nature.
Think of a billboard advertising a doctor who performs bariatric surgery for people with BMIs over 40. There’s no way for viewers of the billboard to share any information about themselves, or for anyone else to capture any sensitive info from the advertisement itself—it’s not a risk to HIPAA compliance. Now, compare that to a practice advertising those same services, with the same specificity, via retargeting. A retargeting ad will use pixels and cookies that log searches and clicks and store that info for later use. Under HIPAA, an organization has to have prior authorization from the patient to use health information for marketing purposes, and retargeting doesn’t allow for that permission to be given. Furthermore, searches on the same browser by another user may, via retargeting ads served, unintentionally disclose personal health information (i.e. – that the previous user has a high BMI and has potentially had a consult about bariatric surgery).
How are HIPAA violations enforced?
How HIPAA violations are enforced (and who enforces them) can vary. HIPAA is a federal law, and typically the Office of Civil Rights (OCR) is responsible for vetting HIPAA complaints and following up on them. It’s within their authority to refer violations to the U.S. Department of Justice if they feel the complaint is a criminal violation. Inadvertent marketing-related HIPAA noncompliance would not be the sort of violation referred for criminal justice. Most violations are due to lack of understanding or negligence, and they’re typically corrected by a voluntary compliance process and resolution agreement. The OCR may assign training and guidance to ensure issues are corrected, rather than charging with a formal violation. And yes, there may be fines imposed.
The OCR isn’t the only enforcement arm that companies should be aware of. The 2009 HITECH Act allows state attorneys general to enforce HIPAA guidelines relating to data breaches of patient info, as well as giving them the ability to file civil actions against healthcare organizations. These actions are filed with federal courts and can result in fines as high as $25,000 per category of violation per year. OCR’s fines can be even higher.
HIPAA enforcement powers – for specific scenarios – have also been granted to the FDA, CMS and FCC. Individual states may have their own HIPAA-style legislation that states can enforce in their own courts, and with their own fines. All that is to say: mess up on patient privacy, and you’re potentially in for a world of trouble from a diverse group of angry federal acronym agencies and state attorneys.
Examples of HIPAA Lawsuits, Violations, and Fines for Marketing-Related Activities
One marketing-related HIPAA lawsuit that’s making waves right now is the class action lawsuit in the Northern District of Columbia against Meta (the parent company of Facebook), the Dignity Health Medical Foundation, and the UCSF Medical Center.1 Facebook’s pixel was allegedly found in login-only areas of patient portals, where it’s common for patients to enter sensitive information. Patients were not informed about the presence of the pixel and were not able to opt out of having their PHI collected. They realized the connection when they were being served retargeting ads on social media related to their sensitive medical information, including unproven or even medically dangerous health advice. While Meta’s policy states that its partners (the companies whose websites host their pixel) need to have the lawful right to collect, use, and share users’ data before handing it over to Meta, the plaintiff’s complaint references that their medical info is covered under HIPAA and should be subject to more stringent privacy protection.
Smaller organizations aren’t immune from HIPAA issues either, like the dental practice fined $10,000 by the OCR for its social media violations back in 2019. In responses to Yelp reviews, a Dallas-based dental practice wrote responses that included multiple patients’ last names and conditions treated. Another dental practice in Fairhope, AL had to pay $62,500 this year after they disclosed patients’ PHI to a third-party marketing company who was hired to help with a state senate election campaign.
When you partner with a third party (yes, like an advertising agency), it’s important to know whether they have awareness of potential HIPAA concerns in the course of administering campaigns. If you give a company the keys to your social media and they post a photo that contains PHI, for example, you’re on the hook for a potential fine. Partnering with an experienced medical advertising partner like bfw can give you peace of mind when engaging in new marketing and advertising initiatives. Introduce yourself to see how we can help you.