Decoding HIPAA for Medical Practice Marketing

Dr. Google knows it all! Or at least, the nearly billion searchers surfing the internet for health-related queries would seem to think so. According to CNN’s analysis of a Google Trends 2018 report, health-related subjects rank among the most popular searches.1

Google Health’s Vice President David Feinberg stated that one in 15 Google searches is health-related. This is nearly 7% of the daily searches worldwide or 70,000 searches per minute.2 In the post-pandemic world, this number has most likely doubled or tripled, and not merely for Covid-19 related questions. 

For your medical practice, the implications are rather obvious. Most patients begin their health journey online, so leveraging your digital footprint and social media presence is essential to growing your patient base. However, unlike other industries that make hard sales to remain connected and competitive, the healthcare marketing industry must also consider a third ‘C,’ namely compliance. 

At Wisevu, compliance is one of our most critical considerations when it comes to healthcare marketing. We are HIPAA compliant, and in this article, we’ll decode some of HIPAA’s most essential terminologies.

HIPAA Compliant

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. It is a US-mandated federal law that aims to reform the healthcare industry by reducing costs, simplifying various administrative processes, and improving the privacy and security of individuals’ protected health information (PHI). PHI would include any identifiable information–regardless of the form in which it is maintained–relating to an individual’s past, present or future health condition. When the PHI is in electronic form, it is called e-PHI.

HIPAA seeks to protect any kind of data that falls under the purview of ‘PHI’. Under HIPAA, the individual has a say in how his/her/their sensitive health information is used and disclosed.

Who Should Follow HIPAA?

Primarily, there are two types of organizations regulated under HIPAA: Covered Entities and Business Associates.

Covered Entities

Covered entities are defined in the HIPAA rules as (1) health plans, (2) healthcare clearinghouses, and (3) healthcare providers who electronically transmit any health information in connection with transactions for which the HHS (Department of Health and Human Services) has adopted standards. 

Providers who send electronic claims transaction information directly or via an intermediary to a health plan are also covered entities, including hospitals, academic medical centers, physicians, and other health care providers. These entities may be individuals or organizations. According to HIPAA, these covered entities are directly regulated and required by law to put together a set of safeguards to protect the PHI to which they have direct access.

  • Health Plans
    Health insurance companies, employer health group plans, Health Maintenance Organizations (HMOs), and government programs such as Medicare and Medicaid, dealing with sensitive information.
  • Healthcare Clearinghouses
    Any entity that processes non-standard health information from another entity into a standard format. These transactions usually involve billing and payment for services or insurance coverage.
  • Healthcare Providers
    Any physician, dentist, nurse practitioner, pharmacy lab, or nursing home that has a direct relationship with the patient.

Business Associates

Business associates are the third parties with whom covered entities share information in the course of their work and to perform their tasks. Business associates could include insurance brokers, medical billing companies, marketing agencies, answering companies, software companies that are working with the covered entity and so on. 

Business Associates may receive information directly from the covered entity or another third party (another business associate). Business Associates, too, are directly regulated and required to be HIPAA compliant, i.e. have the proper safeguards to protect PHI.

HIPAA Chain of Trust Medical Practices

The HIPAA Chain of Trust

Under HIPAA, covered entities can share PHI with a business associate only if they too are HIPAA compliant. The business associate, in turn, can share information with another business associate only if the secondary business associate is HIPAA compliant. This assurance is passed along the chain through a vital piece of documentation called the Business Associate Agreement (BAA).

When a business associate agreement or a business associate contract is signed, the signing party legally attests to the covered entity OR business associate of the covered entity that they are HIPAA compliant and that they too will abide by HIPAA. 

As the information is passed down from one provider to the next, each of the subsequent business associates further down the chain are equally responsible for maintaining the privacy and security of the data by signing the business associate agreement.

HIPAA And Its Impact On Medical Practices

HIPAA and its Impact on Medical Practices

While HIPAA has several parts, healthcare practices need to be cognizant of two aspects, in particular, the HIPAA Privacy Rule and the HIPAA Security Rule.

HIPAA Privacy Rule
  • Focuses on PHI protections from a people standpoint.To safeguard the Privacy Rule, medical practices will have to develop training, contracts, policies, and procedures that are in line with HIPAA’s guidelines.
HIPAA Security Rule
  • Focuses on protections for ePHI, specifically from a technology standpoint. To safeguard the Security Rule, covered entities and business associates must implement firewalls, password policies, anti-virus, encryption rules, and so on.

Keeping track of these rules is critical as violating compliance guidelines can turn out to be expensive. The average cost of non-compliance for healthcare organizations is approximately 3 times higher than the cost of being in compliance.3

2020 saw the second-largest settlement since HIPAA’s inception. A health insurer, Premera Blue Cross, had to pay the OCR $6,850,000 to resolve potential HIPAA violations discovered during the investigation of a 2015 breach against 10,466,692 individuals.4

The four categories used for the penalty structure are as follows:

Tier 1A violation where the covered entity took a reasonable amount of care to abide by the HIPAA Rules, was unaware of the breach, and could not reasonably have avoided itMinimum fine of $100 per violation up to $50,000
Tier 2The covered entity should have been aware of a violation but could not avoid it despite a reasonable amount of care (falls short of willful neglect)Minimum fine of $1,000 per violation up to $50,000
Tier 3A violation resulting from “willful neglect” of HIPAA Rules; however, attempts were made to correct the violationMinimum fine of $10,000 per violation up to $50,000
Tier 4A violation resulting from willful neglect, with no attempts made to correct the violationMinimum fine of $50,000 per violation

The damage is not limited to fines. In extreme cases, apart from penalties, criminal charges can be issued which could result in jail time. Furthermore, healthcare organizations can lose revenue due to damaged reputations and lost customers, as most consumers lose trust quickly when their personal information is compromised.

For the complete list of HIPAA breaches and fines, you can visit OCR’s Breach Portal or “Wall of Shame.”5 Considering the heavy losses they can incur by violating HIPAA, either knowingly or unknowingly, healthcare practices must take care to comply with HIPAA while dealing with other third-party vendors and within their own communications.

HIPAA Marketing

Implications of HIPAA for Marketing

In the definition of marketing issued by the US Department of Health & Human Services (HHS), there are three key aspects to note:

  • It is “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”
  • It is “an arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration.” 
  • The covered entity must first obtain an individual’s “authorization.”

To put it simply, a covered entity cannot sell the protected health information of an individual to a third party or a business associate out of self-interest. If marketing is to use PHI as data points, explicit patient authorization is required. You can find a complete overview of HIPAA and a list of necessary permissions on the HHS website.

HIPAA Digital Marketing

Building a HIPAA Compliant Digital Marketing Strategy

Digital advertising is intrinsically more personalized, and it is this very aspect that makes the medium so popular. However, under HIPAA, personalization can be a double-edged sword, as personalization is often possible only based on a person’s ‘personal’ information, which according to HIPAA, is off-limits. 

So, while on the one hand, patients do expect enhanced digital experiences from their healthcare providers, healthcare providers cannot compromise on PHI while targeting them. 

The issue that marketers face is how to utilize the innate advantages of digital marketing while remaining compliant with ongoing regulations.

At Wisevu, we follow three best practices to ensure HIPAA compliance for our clients:

  • Providing a proven way to manage patient authorizations so you can market to them
  • Ensuring that all patient data is suitably secured
  • Signing a Business Associate Agreement (BAA) with all third-party vendors

We also follow specific protocols depending on the digital channel in question.

HIPAA Email Marketing

Email Marketing

eMarketer is the preferred channel among users for receiving brand communications. 6 Email marketing also makes $44 for every $1 spent—an astounding 4200% return on investment. 7

However, to truly leverage email marketing, you need to personalize it. At Wisevu, we have a thorough process to segment and target audiences, using their PHI securely without deviating from HIPAA compliance guidelines. We can also create automated drip campaigns to follow up on pending visits, deliver specific instructions, and follow up on appointments.

Here are the practices we follow at Wisevu for email marketing:

  • We do not create any emails or email campaigns using Personal Health Information (PHI) of any kind without receiving explicit permission via an opt-in.
  • We ensure that the third-party email marketing company or tool we use for your email marketing is HIPAA compliant.
  • We encrypt emails containing PHI of any type, such as names or email addresses, ensuring only the recipient and you access the mail’s content.
  • We ensure that the servers with PHI are encrypted and have an off-site backup.
  • Whenever applicable, we sign the BAA.
  • We follow all safety protocols to ensure the physical safeguarding of data at rest.
  • We carefully segment and personalize the emails, ensuring better deliverability and reducing the likelihood of being labeled spam.
HIPAA Organic Social Media

Organic Social Media

Social media is a great way to engage with current and potential patients. In the US alone, over 82% of people are estimated to be on social media platforms.8 Being present where your audience is active makes good business sense. Social media can also reinforce your brand’s voice and values without being intrusive.

However, there are several instances when social media has been the cause of a compliance slip-up. According to a global database of public data breaches, social media incidents accounted for over 56% of the 4.5 billion data records compromised worldwide in the first half of 2018.9

At Wisevu, we ensure adherence to certain social media best practices:

  • We have a clearly outlined social media strategy and ensure limited access to social media posts; a trained Wisevu team member or a POC from the client oversees and approves each post.  
  • We train staff periodically to give them a chance to catch up on any ongoing changes.
  • We take care never to include any form of identifier in our posts unless we have explicit consent.
  • We refrain from taking photos within the practice to ensure that we do not unwittingly reveal any patient’s PHI, and we use relevant stock images whenever possible.
  • We set up controls to flag keywords or phrases that might indicate HIPAA non-compliance. We also review every social media post before uploading it to make sure it is HIPAA compliant.
HIPAA Social Media Ads

Social Media Ads

As organic reach continues to decline across social media platforms, more organizations, including healthcare practices, are looking at paid advertising as a viable and cost-effective option to stay top of mind.10 Most social media platforms allow you to select custom audiences and retarget users, ensuring maximum visibility for your ads. 

Retargeting allows you to show your ad to someone who has already visited your website. So, if you were to visit a store online, the Facebook pixel on the site would retarget you on social media and show you an ad of the same store or product. While this is acceptable in other industries, it could have severe implications in the healthcare industry, as your PHI is sacrosanct.

We follow a few best practices while posting ads on behalf of our healthcare clients:

  • We exclude people from retargeting campaigns based on their visits to certain pages. These people are tagged using Facebook pixels and deliberately excluded from targeted ads.
  • We sometimes implement a cookie/pixel acceptance pop-up for all website visitors asking for permission to retarget them. If they do not accept the policy, we do not retarget them.
  • We do not upload existing patient lists to create lookalike audiences as this would involve uploading a custom audience containing PHI. Instead, we use core targeting filters to narrow down our audience based on age, location, occupation, interests, and more.
  • We exclude patients who have visited the patient portal or scheduled online consultations.
HIPAA Medical Websites


The website is often the cornerstone of one’s digital marketing efforts. If your website collects, stores, or transmits any data with PHI, you need to consider the HIPAA implications carefully.

Here are a few practical steps we take at Wisevu to ensure our clients  grow their patient database while adhering to HIPAA compliance guidelines

  • We use keyword tools and SEO effectively to attract the right audience.
  • All websites are SSL protected; the data passed between the client and the server is encrypted at all times. 
  • We also encrypt all data gathered on the website–feedback forms, surveys, consultation requests, and contact forms. 
  • All data is stored on an encrypted server with off-site backup.
  • The CRM software we use is HIPAA compliant. 
  • We advise clients to have a well-documented HIPAA privacy policy on the site so patients are aware and up-to-date on our efforts to keep collected data safe.
  • We ensure that a compliance officer or legal advisor is involved while building out the compliance process.
HIPAA PPC Advertising

Pay-Per-Click (PPC) Advertising

Google Ads are essentially intent-based. Ads only appear based on relevance–when a potential patient searches for the service or a term that incorporates the service. 

Google, as a platform, is sensitive to potential breaches of a patient’s health information. While Google may not sign the BAA, it does include a long list of keywords that are not approved, including several health-related ones. For instance, you would not be able to advertise products or services relating to “drugs,” “birth control,” over-the-counter medications for various health conditions, medical devices, cosmetic surgery, and so on.

Moreover, since retargeting campaigns require data collection, Google disallows this for healthcare professionals, ensuring that you do not violate HIPAA laws. 

Here’s how Wisevu can add value to your paid campaigns:

  • We analyze if running a Google ad campaign is beneficial to your practice’s overall healthcare marketing efforts.
  • Our medical SEO team works with a robust list of keywords and phrases that form the core of your ad campaign. 
  • They tweak the ad copy to add relevance and meet quality guidelines. 
  • We use our tried and tested optimal bidding strategies to rank well for relevant keywords.
  • We constantly evaluate your ad’s performance and make timely adjustments.
HIPAA Compliant Review Marketing

HIPAA Compliant Review Marketing

Marketing yourself through reviews is a powerful way to show potential patients that your medical practice can help solve their health issues. According to Moz, 84% of consumers look to online reviews before choosing providers, and review signals account for 13% of local ranking factors.11

Managing your reviews well is also integral to good online reputation management. Reviews are such a crucial determining factor that Google places them in the knowledge graph alongside the brand name. A well-crafted response to reviews can open up opportunities, build loyalty and demonstrate an attitude of concern.

However, responding to reviews could also lead to HIPAA violations. Here are some HIPAA compliant practices we follow at Wisevu to ensure that all our responses are appropriate. 

  • We have a well-thought-out review strategy to respond to patients. We directly manage the practice’s Google My Business (GMB) listing or train someone to do so. At no point do we release any patient information or the 18 PHI identifiers.
  • We do not acknowledge or confirm the patient’s visit, diagnosis, or treatment, even if they have mentioned these particulars. Instead, we craft our responses to remain neutral, polite, and non-committal. At the same time, we steer clear of canned responses.
  • When responding to negative feedback, we focus on office policies and use generic language without mentioning specific information or addressing the patient by name.
  • The content of the response is generic and focuses on the practice’s policies. 
  • We never use patient reviews as testimonials without consent. We also do not publish these reviews on any other platform.


Often, HIPAA is seen as a roadblock to implementing digital marketing strategies. However, there are lots of ways to utilize cutting-edge marketing and still be HIPAA compliant if you use the right tools. The key is to implement the right policies and procedures from the very beginning, so as to be more efficient and have a more significant ROI. Implementing both HIPAA privacy and security rules is critical to success. Working with a HIPAA-compliant digital marketing business associate can save you from costly mistakes.

Schedule an obligation-free consultation with Wisevu today.



1. Howard, Jacqueline. “10 top questions you had for Dr. Google in 2018.” CNN Health, 2018, Accessed 25 November 2021.

2. Murphy, Margi. “Dr. Google will see you now: Search giant wants to cash in on your medical queries.” The Telegraph, 2019, Accessed 25 November 2021.

3. Ponemon Institute and Globalscape. “The True Cost of Compliance with Data Protection Regulations.” Globalscape, 2017, Accessed 25 November 2021.

4. HIPAA Journal. “OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross.” HIPAA Journal, 2020, Accessed 25 November 2021.

5. U.S. Department of Health and Human Services Office for Civil Rights. “Cases Currently Under Investigation.”, Accessed 20 September 2021.

6. eMarketer. “Email Marketing 2019.” Insider Intelligence: eMarketer, 2019, Accessed 25 November 2021.

7. Hubspot, and Katrina Kirsch. “The Ultimate List of Email Marketing Stats for 2021.” Hubspot, 2021, Accessed 25 November 2021.

8. Statista. “Percentage of U.S. population who currently use any social media from 2008 to 2021.” Statista, 2021, Accessed 22 November 2021.

9. Business Wire. “Data Breaches Compromised 4.5 Billion Records in First Half of 2018.” 2018, Accessed 20 November 2021.

10. Sample, Josh. “Is Organic Reach Dead?” Forbes, 2019, Accessed 20 November 2021.

11. Moz. “2018 Local Search Ranking Factors.” Moz, 2018, Accessed 20 November 2021.

Give Us a Heart
Internet Marketing