In this health care marketing RX video, we’re going to cover how to make sure that you have a HIPAA compliant relationship with your marketing agency.
The first thing that’s painfully obvious to say is that, as a covered entity, you’re covered by HIPAA. You have to protect PHI and make sure that only authorized people can see it. The word “authorized” is a pretty heavy word. You are able to share PHI with outside agencies like marketing agencies under HIPAA. Marketing agencies are considered a business associate to you, the covered entity. Both of those are HIPAA specific terms.
It turns out that a marketing agency may need exposure to protected health information. Usually it’s emails and cell phone numbers sometimes paired with specific clinical information. That alone counts as PHI under HIPAA. Here’s a few examples of marketing agency exposure:
Even the website hosting agency can see protected health information. PHI on a website is most commonly it’s in the form of a contact form or some other form that you’ve got on your website. The contact form is the easiest example. Every website has a contact us page and every contact us page has a contact us form. And the form always asks for the same information – name, email, phone number, and then tell us something about why you’re contacting us. That can be anything from I’d like to make an appointment all the way down to here’s a paragraph of my detailed health history.
Maybe there’s a regular set of emails you send to patients. Maybe there’s an eNewsletter once or twice a month. To send those out you need the patient’s email address. So here we are back in protected health information territory.
More and more healthcare and medical practices are asking their patients to give them a review online. Most systems do so by sending emails or texts asking for reviews. And there it is again, email addresses and cell phone numbers along with the name.
Whether it’s advertising on social media, advertising on Google, there are ways you can clean some health history about specific people through paid advertising online.
There are a few components to it.
A BAA business associate agreement is required by HIPAA. It’s a dense, legal document. Some are denser than others, but good BAAs will have at least these four sections of coverage
What’s required with respect to protected health information and other areas of HIPAA that are relevant to the relationship you have with the marketing agency.
The second section is what’s required of you, the covered entity, across those same areas.
How are you each going to protect store and transmit protected health information? When you need to think of an example of transmission as like sending an email back and forth, there are other ways to do it, but just to explain what transmit means in this context.
God forbid what happens if there’s a data breach? Who does what? What are the deadlines? How long do they have to report back? Who pays what costs? These can all be laid out in a business associate agreement.
Why lay all of that out? Imagine you have a data breach. Rather than you and your marketing agency getting angry at each other and pointing fingers at each other and losing time, you’ve laid out who’s accountable for what, how fast and who pays, then you can deal with the primary issue, which is fixing the data breach and cleaning up the mess.
As a covered entity you should have your own business associate agreement that you use with third parties, like marketing agencies. A good healthcare attorney can draw one up for you, every business associate that could have access to protected health information needs to sign it.
At MarketVisory Group we offer a business associate agreement to our covered entity clients who don’t have one, which was all of them. None of them ever thought about the overlap of marketing and HIPAA before brought it to their attention. We found a healthcare attorney who created a business associate agreement as if a covered entity was giving it to us. We biased it in favor of the covered entity because that’s what a covered entity would do.
What else makes a HIPAA-compliant relationship? Well, we’ll like to say they talk the talk. They say they’re HIPAA compliant. They encrypt information, or they have encrypted systems. They have secure storage and so on and so on.
Why is this important? Well, obviously a big part of HIPAA is keeping private health information private. The business associate agreement is a legal document. It will reduce your legal risk but it’s not going to keep your data any safer than it was before. That’s where these other systems and policies and procedures come into play.
When you’re looking for a marketing agency, you should ask them about these things. A good healthcare attorney can give you a good set of questions to ask, but the marketing agency should say things like encrypted systems, policies, and procedures, these terms that we’ve already said.
The third part that should be in place is that the marketing agency, should have BAAs in place with their own subcontractors. There needs to be an unbroken chain of BAAs for HIPAA compliance. It starts at the covered entity and it goes all the way down the chain to include whomever else that marketing agency needs to bring in to get their work done.
We do this at MarketVisory Group. There are third-party tools that we subscribe to. We only choose HIPAA compliant tools. There are other marketing agencies that we work with who are subcontractors for us. We have BAAs with them. We’ve had to switch a couple of tools and a couple of subcontractors because they didn’t have BAAs or they were unwilling to sign.
We have no breaks in the chain from our clients down to the lowest level in it.
And then finally just the catch. All we’re going to call it other stuff. care attorney. There are other components that need to be in place. We don’t claim to be an expert on them outside of where marketing comes into play, but your health care attorney should.
If you don’t have a healthcare attorney, we strongly recommend that you find one. Please don’t rely on your general business attorney to be an expert on HIPAA for you. The body of law for HIPAA, compared to contracts, leases, buy, sell agreements, and all the other things that a good business attorney can do for you, is different enough. We don’t think that you should rely on a business attorney when it comes to healthcare law. We don’t in our practice.
Let’s say that you either have an agency or you’re thinking of finding one, what do you do?
Ask them about HIPAA, use this video, take your healthcare attorney’s advice, put them together and we think you’ll have a good checklist to make sure that you’re covering all of your bases in order to find agencies.
If you don’t have any yet just Google, HIPAA compliant marketing agencies, and you’ll get a good list. As you’re looking at agencies, evaluate their compliance.
If you’re already working with an agency, you’re sharing protected health information with them, but you don’t have the HIPAA compliant relationship in place, we really, really, really recommend that you correct that immediately. Find that healthcare attorney, get that BAA, follow the steps in this video and rely on what your healthcare attorney says. You might find that the agency that you’re working with either can’t comply or won’t comply. No judgments! It’s not the easiest thing to become HIPAA compliant and stay HIPAA compliant. Not everybody’s willing to do it. But if you are in this situation, we really recommend that you switch agencies. It sounds painful, but you don’t need the risk exposure of a non-compliant relationship.
Thanks for spending your time with this video. Our library of Healthcare Marketing Rx videos continues to grow! If you have questions about anything here, please contact us.