A nurse from a children’s hospital in Texas got fired from her job when she shared her encounter with a child suffering from measles on her personal social media account. This turn of events was a little surprising because she had not even shared the child’s name. However, the court ruled that the details she’d shared were ‘easily identifiable.’ 1 A dental practice in Dallas did not realize that responding to patients’ reviews by directly addressing them would cost them a whopping $10,000 2. Another healthcare practitioner in the US–this time in Florida– was charged a hefty US$ 2.15 million fine for three separate instances of HIPAA violation3. There are many more such cases of healthcare practices paying heavily for seemingly minor lapses.
It wasn’t that these healthcare practitioners were unaware of the health regulations, nor were they openly defying them. Rather, they did not realize that their actions constituted a ‘breach.’ Unfortunately, the law makes no exceptions for ignorance and one’s inability to connect the dots between a regulation and the event at hand. A breach is a breach, and it can irreversibly wipe out careers and businesses.
Little wonder then that many of the most experienced marketing agencies are cautious about signing up with clients from the healthcare industry. Compliance is one of the most critical considerations in medical marketing, and it can often seem to stand in the way of creative marketing. However, losing out on the benefits of digital media because you fear the intricacies of compliance is hardly the solution. At Wisevu Inc., we have experience navigating the ever-changing healthcare marketing landscape. We offer HIPAA-compliant services and are well aware of the privacy and security concerns relating to PHI and ePHI. Our clients in Canada and USA have benefited from our healthcare digital marketing services and medical SEO. This article discusses some of the most crucial medical advertising regulations that businesses in the healthcare industry should be aware of and follow.
Regulations and Agencies Impacting Digital Marketing in the USA and Canada
Rapidly evolving technologies have improved healthcare services, making them agile and efficient. However, they have also increased the likelihood of information security breaches with severe consequences for healthcare providers and patients.
In 2017, a highly publicized data breach by Aetna, an insurance giant, revealed the HIV status of over 11,000 individuals. Aetna agreed to pay $17 million in damages, but the ‘damage’ had already been done for the patients whose HIV status had been exposed.4 PHI violations are expensive. In the US, for privacy violations considered civil offences, the penalty for non-compliance can range from $100 to $50,000 per violation. A maximum fine of up to $1.5 million per year can be imposed. In extreme cases, violations can lead to criminal charges and the cancellation of licenses.5
There are various laws, rules, and government agencies regulating healthcare marketing in the US and Canada, and they actively seek to avert the risks posed by data breaches. The ultimate objective is to preserve the patient’s Personal Identifying Information (PII) and their Personal Health Information (PHI).
Personal Identifying Information (PII)
Refers to details like name, address, date of birth, social security number, insurance, financial account information, patient’s physical condition, medical ailments, disabilities, sexual behaviour, drug/alcohol use, mental health, and more that can be used by cybercriminals.
Protected Health Information (PHI)
Any data that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual that is transmitted by electronic media; maintained in electronic media, or transmitted or maintained in any other form or medium.6
In the US and Canada, there are specific laws pertaining to PHI and PII, as well as federal regulators who oversee how patient information is used.
Healthcare Laws in the USA
Health Insurance Portability and Accountability Act (HIPAA)
Regulates how physicians and hospitals advertise and use patients’ information for marketing purposes.
Health Information Technology for Economic and Clinical Health Act (HITECH)
Addresses patient data privacy and security concerns, Electronic Health Record (EHR) files, and how they are shared.
US Government Agencies Regulating Healthcare Marketing
Food and Drug Administration (FDA)
Sets rules for prescription drugs and medical services.
Federal Trade Commission (FTC)
Reviews ads for over-the-counter medications and other products and makes health claims.
US Department of Agriculture
Oversees the health claims made by different food products.
Healthcare Laws in Canada
Personal Health Information Protection Act (PHIPA)
Regulates the dissemination of Personal Health Information (PHI). Individuals have the right to ask how their Personal Health Information is collected, used, and disclosed. They also have the right to access their PHI and correct any errors if needed.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Protects the rights and privacy of consumers in Canada. This law is for private-sector organizations that collect, use, and reveal information. PIPEDA also oversees consumer privacy for information relating to medical and healthcare billing.
Canadian Government Agencies Regulating Healthcare Marketing
Royal College of Dental Surgeons of Ontario (RCDSO)
A regulatory body that ensures advertisements by dentists or someone else on the dentistry’s behalf will not demean the integrity and dignity of the profession.
A national regulatory authority for health product advertising; also responsible for administering and directing compliance with government acts and regulations.
Pharmaceutical Advertising Advisory Board (PAAB)
Reviews all advertising materials for health products, excluding exempted natural health products.
Common Challenges Facing Healthcare Practices’ Digital Marketing Efforts
Digital marketing and Medical SEO empower patients to reach out more easily to clinics and enables practitioners to market their services to a broader audience. However, alongside these apparent benefits, it has also increased the likelihood of information security risks. The patient’s personal identifying information (PII) can fall into the hands of cybercriminals, resulting in identity thefts. Digital marketing agencies, therefore, encounter peculiar challenges when it comes to healthcare.
Where other industries are free to use customer data to create targeted digital marketing campaigns, healthcare professionals have to be vigilant and diligent with their data. Healthcare practices facing time and resource crunches would do best to work alongside third-party vendors who are well aware of federal and state laws.
At Wisevu, we are well-versed with the implications of various healthcare regulations – HIPAA, PHIPA, PIPEDA, the Omnibus Rule, Texas HB 300 and CMIA – and how it affects our marketing efforts. Here are a few real-scenario challenges that face our healthcare clients.
- Difficulty in Measuring Campaigns
Most medical practices face difficulties in automating measurement. For instance, tracking lead conversions by source would be impossible without implementing URL tracking and phone tracking; measuring revenue per patient becomes more complex as every patient will have a different type of insurance and reimbursement. The attribution approach may fail because the patient-consumer exercises the “right to be forgotten” under the current PHI regulations. This could make it challenging to get a complete picture of the customer since there is less access to third-party data.
- Limitations with Targeting
One of the most significant advantages of the digital medium is its ability to target audiences. However, privacy regulations curtail this to a pretty large extent. Laws may often prohibit targeting medical conditions.
- Lack of Data for Analysis
Digital marketing relies heavily on interactive touchpoints like healthcare portals, review sites, social media groups, etc. The innate strength of these platforms lies in their ability to refine and customize future touchpoints through data. However, data collection and analysis may not be possible under health regulation laws.
- Impact on Social Media Use
Though it is a powerful way to personalize communications and build community, social media can also prove to be a PHI hazard. As we saw earlier, though the Texas nurse did not provide the patient’s name, the court ruled that the rare case of measles was easily identifiable information in an age where everything is connected.
In the case of the dental practice, the patient’s medical condition was unwittingly revealed. The healthcare establishment in Florida inadvertently revealed patient information on social media as they did not blur the information on the operating room screen. In each of these cases, what could have been a powerful tool became a stumbling block that injured profit margins, reputation and trust.
- Impact on Marketing Technologies
PHI rules have long-term implications on how one handles marketing and leads, site-hosting, vendor relationships and much more. Since technology often moves much faster than regulations, practices that adopt new marketing technologies must understand whether these new technologies are compliant and in which areas they are likely to encounter risks. They must also coordinate with legal and IT resources to make decisions.
- Challenges with Retargeting
Remarketing reduces advertising spend by ensuring the ads are aimed directly at users who, in the past, have shown interest in your medical services. The challenge facing healthcare marketers is that these retargeting ads cannot include content that implies prior knowledge of a patient’s personal medical information. For instance, if someone is experiencing worrying symptoms and an online search reveals that they are suffering from a specific condition that is socially embarrassing. The last thing they’d want in this situation is for their family computer to be bombarded with ads about the disease. Instead, messaging in the ad should be generic, referencing a brand rather than a specific condition or treatment. While this may appear to reduce the effectiveness of the message, there are many creative and tactical ways to compensate for it.
Wisevu’s Healthcare Marketing Strategy
We understand that patients are always looking for more effortless ways to access their health records. Since many of them are comfortable with digitalization, they expect dynamic digital experiences. According to CDW Healthcare’s 2017 Patient Engagement Perspectives Study, 89% of patients want simple, seamless access to their health records, and 98% are comfortable communicating remotely with their healthcare providers via texting, mobile apps, online chats or live video.
The healthcare marketer’s challenge is to accommodate the patient’s expectations for privacy against their desire for seamless, digital experiences. At Wisevu, we help our healthcare clients accomplish this. We deliver compelling digital experiences while staying mindful of the ongoing laws and regulations. We have over ten years of experience building comprehensive marketing campaigns for healthcare clients and local clinics and have evolved certain best practices.
- Our marketers stay on top of industry trends and are familiar with healthcare marketing regulations and requirements.
- They are trained in HIPAA and PHIPA compliance and clearly understand what types of marketing violate the enforcement rule.
- We have detailed protocols, documented best practices and extensive checklists for digital channels we specialize in to preempt violations proactively.
- We ensure that every marketing campaign going live goes through these predefined checks.
- We advise clients to request vendors to sign a Business Associate Agreement (BAA) when using third-party vendors
While privacy regulations may seem like a hindrance to savvy marketing, they are excellent opportunities to personalize patient relationships, build deeper engagements and create a culture of trust by establishing yourself as the committed custodian of patients’ data.
Though healthcare marketing poses an array of challenges, it also presents you with the unique opportunity to cut through the clutter and find more reliable data to devise more innovative campaigns. At Wisevu, we have expertise in helping healthcare practices improve their visibility on leading digital marketing channels.
Schedule a consultation to find out how we can help your medical practice or hospital succeed online.GET A QUOTE
Disclaimer – The information provided here does not and is not intended to constitute legal advice. All the information and content available here are for general information purposes. Readers should contact their lawyer to obtain guidance concerning any particular legal matter.
- Allen, Karma. “Texas nurse fired after posting about patient’s measles on anti-vaccination page.” ABC News, 29 August 2018, https://abcnews.go.com/US/texas-nurse-investigation-posting-patients-measles-anti-vaccination/story?id=57443736.
- HIPAA Journal. “Dental Practice Fined $10,000 for PHI Disclosures on Yelp.” HIPAA Journal, 2019, https://www.hipaajournal.com/dental-practice-fined-10000-for-phi-disclosures-on-yelp/. Accessed 3 October 2021.
- CISOMAG. “Jackson Health’s HIPAA Violation Costs US$ 2.15 million fine.” CISOMAG, 2019, https://cisomag.eccouncil.org/jackson-health-hipaa-violation/. Accessed 17 September 2021.
- Howard, Jacqueline. “Aetna customers get $17 million in HIV privacy settlement.” CNN Health, 2018, https://www.cnn.com/2018/01/17/health/aetna-hiv-privacy-settlement-bn/index.html. Accessed 20 September 2021.
- “What are the Penalties for HIPAA Violations?” HIPAA Journal, 2021, https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/. Accessed 20 September 2021.
- HIPAA Journal. “What is Protected Health Information?” https://www.hipaajournal.com/what-is-protected-health-information/. HIPAA Journal, 2021, /. Accessed 20 September 2021.