Understanding Digital Marketing Regulations For Healthcare Providers In Canada & The USA

Introduction to Medical Marketing

Medical marketing is the process of promoting health information and treatment options that protect and improve the health of a population. A well-designed medical marketing strategy can attract and retain healthcare consumers, guide them through their healthcare journey, and keep them engaged within the health system.

The healthcare industry has experienced rapid change in recent years, shifting from a model centered on caregivers to one that is more patient- and consumer-focused. Today, the patient can choose from several healthcare practices that provide the same or relatively similar services in any given location. Without a strategic marketing plan and a sound medical SEO strategy, you may find that you have very few new patients, and even your loyal patients may slowly begin to drop off. If you want these patients to come to your practice instead of going to your competitors, you need an innovative business model.

How Medical Marketing Works

Marketing your healthcare practice allows you to communicate directly with your patients, establish and nurture long-term relationships, and build a thriving practice through successful patient engagement. However, the healthcare industry must also comply with specific regulations and guidelines when advertising its services.

Whether you’re an individual physician, a large hospital, a dentist, a medical clinic, a medical spa, or a physiotherapist, it’s critical to be aware of and comply with existing regulations. Violations can result in serious consequences, ranging from ad restrictions on some platforms to legal action and possibly the cancellation of practice licenses.

Medical practitioners in the USA are governed by the Health Insurance Portability and Accountability Act (HIPAA) regulations, while Canadian medical practitioners are governed by the Personal Health Information Protection Act (PHIPA) regulations. While these regulations are different, they serve a similar purpose in protecting the patient’s private information, such as Personal Identifying Information (PII) and Protected Health Information (PHI).

Learn how digital marketing can benefit your practice and understand the various implications you need to be aware of while marketing digitally.

Healthcare Marketing Laws In Canada

Canada has multiple government agencies and laws that regulate healthcare marketing.

  • Health Canada is a national regulatory authority for health product advertisements. It is responsible for administering and directing compliance with the acts and regulations of the Personal Health Information Protection Act (PHIPA).
  • PHIPA establishes the rules for collecting, using, and disclosing an individual’s Personal Health Information (PHI). Under this act, the individual has the right to:
    1. Ask how their personal health information is collected, used, and disclosed
    2. Gain access to their personal health information and correct errors if needed.
  • It is also the responsibility of all advertisers and physicians to ensure that health product advertisements comply with the requirements and regulations of the Food and Drugs Act (F&DA) and the Controlled Drugs and Substances Act (CDSA).

Healthcare Marketing Laws In The US

There are a variety of laws, rules, and government agencies that regulate healthcare marketing.

  • The Health Insurance Portability and Accountability Act (HIPAA) regulates how physicians and hospitals advertise and use customer information for marketing purposes. It also provides security provisions and data privacy to protect patients’ medical information. The government mandates that organizations adhere to various procedures that protect Protected Health Information (PHI).
  • The Food and Drug Administration (FDA) sets rules for prescription drugs and medical services.
  • The Federal Trade Commission (FTC) reviews ads for over-the-counter drugs and other products making health claims.
  • The Department of Agriculture has rules about which food products can claim to be light, fat-free, low in sodium, and so on.

Advertising and Marketing Basics as Per the FTC

Promotional activities by certain healthcare stakeholders, such as hospitals, clinics, and other health systems, often fall outside the purview of the FDA. They are instead subject to the general advertising rules and regulations that the Federal Trade Commission (FTC) enforces.

The Food and Drug Administration’s (FDA) regulatory control over the pharmaceutical industry dictates the list of warnings included in pharmaceutical advertisements, which typically account for two-thirds of healthcare marketing expenditure.

While the FTC values the role that advertising and marketing play in publicizing important healthcare information, it is also aware that misleading advertising and marketing claims can plague the healthcare industry. Under FTC law, all claims in healthcare advertisements must be accurate, evidence-based, and non-misleading.

False advertising is a serious matter, and at Wisevu, we are well aware of the implications that a supposed act of fraudulence can have on your hard-earned reputation. Our staff is trained in PHI guidelines, and we comply with all the relevant guidelines while advertising and marketing your healthcare practice. You can rest assured that we have your best interests at heart.

Key Differences between PHIPA and HIPAA

PHIPA differs from HIPAA in various aspects.

Importance of PHIPA in Medical Business Regulations

Dealing with Breaches Under PHIPA

Under PHIPA, the requirements for reporting a breach are more rigorous. A Health Information Custodian (HIC) must notify the Information and Privacy Commissioner if any of the following have occurred:

  • The PHI was used or disclosed to someone without authority;
  • After an initial loss or unauthorized use or disclosure of PHI, it was further used or disclosed;
  • The loss or unauthorized use or disclosure of PHI follows a pattern of similar losses or unauthorized data use.

The HIC is required to give notice to a regulated health professional, governing body, or college related to the loss or unauthorized use or disclosure of PHI.

Importance of HIPAA in Medical Business Regulations

Dealing with Breaches

Under HIPAA, medical practices, dentists, pharmaceutical companies, med spas, and all other medical entities must report breaches of unsecured PHI. However, the breach notification obligations differ depending on whether the breach affects 500 or more individuals or fewer than 500.

A breach of unsecured PHI affecting 500 or more individuals is considered meaningful. It must be reported within 60 days of its discovery to:

  • The Secretary of Health and Human Services
  • Individuals affected by the breach and
  • Prominent media outlets in the states and jurisdictions where the breach victims reside.

On the other hand, an unsecured PHI breach affecting fewer than 500 individuals is considered non-meaningful. The covered entity may notify the Secretary about it no later than 60 days after the end of the year in which the breach was discovered.

Importance of Data Protection in Healthcare

Changes in information technology and digital marketing can help doctors market their services to a wide range of audiences. Patients also benefit from these changes, which significantly improve healthcare service delivery and lead to faster, more efficient medical care. However, alongside these benefits, the security risk is also very high and can have severe consequences for healthcare providers and patients.

The patient’s information includes various Personal Identifying Information (PII) that cybercriminals can use, such as name, address, date of birth, social security number, insurance, and financial account information. It also includes highly confidential information such as the patient’s physical condition, medical ailments, disabilities, sexual behavior, drug/alcohol use, mental health, etc.

Data breaches also have financial implications and can damage the reputation of both the provider and the patient. Under HIPAA, penalties for non-compliance can range from $100 to $50,000 per violation, with a maximum fine of $1.5 million per year, depending on the level of negligence.

HIPAA Fines and Penalties

The four categories used for the penalty structure are as follows:

  • Tier 1: A violation where the covered entity took a reasonable amount of care to abide by the HIPAA Rules, was unaware of the breach, and could not reasonably have avoided it. Minimum fine of $100 per violation, up to $50,000.
  • Tier 2: The covered entity should have been aware of the violation but could not avoid it despite a reasonable amount of care (falls short of willful neglect). Minimum fine of $1,000 per violation, up to $50,000.
  • Tier 3: A violation resulting from “willful neglect” of the HIPAA Rules; however, attempts were made to correct the violation. Minimum fine of $10,000 per violation, up to $50,000.
  • Tier 4: A violation resulting from willful neglect, with no attempts made to correct the violation. Minimum fine of $50,000 per violation.

In some extreme cases, violations can lead to criminal charges and the cancellation of licenses.

In 2017, Aetna, an insurance giant, improperly disclosed the HIV status of over 11,000 individuals. The highly-publicized data breach cost Aetna $17 million; however, it could not make up for the trauma caused to patients whose HIV status had been disclosed.

Wisevu deals with personal and sensitive healthcare data under the security requirements stipulated by HIPAA, PHIPA, General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). Also, the new data privacy regulations provide healthcare consumers in the US and Canada the “right to be forgotten” and to opt out of data reselling. These new rights reduce access to third-party data and the impact of marketing campaigns, targeted advertising, and other programmatic channels. To combat this, Wisevu works with more reliable first-party data acquisition channels. Keeping information in-house and ending our reliance on obsolete data enables us to devise more innovative marketing campaigns.

We sign the Business Associate Agreement (BAA) and maintain the HIPAA chain of trust when working with third-party vendors. For instance, while tracking phone calls, we follow CallRail’s healthcare plan and ensure that we comply with the regulations set forth by HIPAA and Health Information Technology for Economic and Clinical Health (HITECH).

We also conduct the following six (6) required annual audits/assessments:

  • Security Risk Assessment
  • Privacy Standards Audit
  • HITECH Subtitle D Privacy Audit
  • Security Standards Audit
  • Asset and Device Audit
  • Physical Site Audit

Compliant Healthcare Marketing Services From Wisevu

Patients want easier and seamless access to their health records, and they are willing to access them digitally. They are comfortable communicating with healthcare providers through texts, mobile apps, online chats, or live videos. As healthcare marketers and medical SEO experts, we deliver compelling digital experiences while staying HIPAA and PHIPA-compliant.

Here are some services we offer:

Medical Content Writing

Narrative writing assures potential patients that the clinicians or facilities they are considering can treat their condition. Medical case studies and narratives also add an empathetic, caring tone and inject life into what could otherwise be a dull medical subject matter that nobody relates to or understands. However, the biggest challenge while developing these narratives is to ensure that you do not violate the privacy concerns of the individuals whose cases are being documented.

At Wisevu, we have a robust set of guidelines to ensure that every piece of content is compliant with regulatory requirements. Whether writing case studies of patients or marketing copy for your website, we ensure that our content is factual, evidence-based, non-misleading, and compliant.

Medical Content Marketing

There are several ways to create a vibrant, thriving online community and market your services while following HIPAA guidelines. Our creative content marketers find safe ways to share your content and generate leads. We look at innovative ways to market your services and build an emotional connection without revealing your patients’ identities.

Our content marketing services help you improve organic ranking results on Google, Yahoo!, and Bing for all your keyword phrases. In accordance with your unique needs, we may generate press releases, blogs, and articles that are attributed to you. To further increase your practice’s credibility, relevance, and quality, we can also produce in-depth, long-form articles. 

Medical Email Marketing

Email marketing is an effective way to derive meaningful business outcomes and achieve a measurable return on investment. We do not create emails or email campaigns using the patient’s PHI without first obtaining consent. We encrypt every email sent to patients, ensuring only the sender and recipient can access the content of the mail. We target audiences with specific ad campaigns based on their past interactions by integrating email analytics. We also ensure email campaigns have clear opt-in and opt-out systems in place that are HIPAA and PHIPA-compliant.

Social Media Marketing

Social media allows healthcare providers and organizations to better engage with patients and get them involved in their personal healthcare. Healthcare organizations can also easily communicate about new services. When we implement social media ad campaigns for healthcare clinics, we do not use any patient information or PHI, except in cases with documented consent.

When using images, we stick with relevant stock photography or the ones provided by the PHI-compliant healthcare organization. We also hold training sessions to ensure that our team understands best practices; we have control measures and triggers to refrain from using keywords and phrases that indicate HIPAA/PHIPA non-compliance. Our team is versatile and can navigate the strict regulations of social media platforms to deliver effective social media ad campaigns in heavily regulated industries while still abiding by the dictums of HIPAA and other regulatory bodies.

Medical Website Design

A website is your practice’s digital business card and the cornerstone of your digital marketing strategy. We design HIPAA and PHIPA-compliant websites, encrypting all data gathered on your website, including web forms, appointment requests, and contact forms.

We also ensure, with your approval, that your website has a HIPAA/PHIPA privacy policy that makes patients aware of your efforts to keep their data safe. We also ensure your website is SSL protected using the highest security standards. This protocol encrypts all data passed between the client (the patient’s browser) and the server while it is in transit.

Retargeting is an advertising strategy that helps keep you on the radar of website visitors once they leave your site. On average, 3-4% of users visiting a website for the first time convert into customers. The power of retargeting is that it re-engages users that visited your website but did not initially convert, resulting in higher customer acquisition success.

How Retargeting Works

Retargeting is a cookie-based technology that uses a small snippet of code to follow users around the web once they have left your website. When this code, usually known as the pixel, is placed on the website, it tags visitors so that ads can later be served to those who left without converting, encouraging them to convert later. Remarketing reduces advertising spend by ensuring the ads are aimed directly at users who have already shown interest in your services.

Challenges of Healthcare Retargeting

The world of healthcare retargeting is a bit difficult to navigate, as you must operate within the regulations and guidelines stated by the federal government. The ads must not include any content that could imply prior knowledge of personal medical information. For instance, suppose someone experiencing a worrying symptom searches online and concludes they are suffering from a socially embarrassing health issue. They then decide to get a test done and search for a relevant clinic in their vicinity. If they conducted this search on the family computer, the last thing they’d want would be to receive targeted ads about their condition. Any retargeting must therefore keep the content generic, referencing only a brand, healthcare facility, or particular department rather than a specific disease or treatment.

Compliant Retargeting With Facebook, Instagram, and Google Ads

Facebook, Instagram, and Google are extremely sensitive about healthcare-related retargeting, so our team gets creative with your ad copy and campaign targeting. The ads we run pay attention to your business’ expertise in a particular department without explicitly referencing any health condition. Imagine that a user visits a page on your website regarding eczema but leaves without converting. A subsequent ad they see needs to emphasize the dermatology department’s Unique Selling Proposition (USP) rather than eczema information.

Facebook Ads

Facebook has over 2 billion monthly active users and is a lucrative avenue for your organization’s ad campaigns. Our team smartly utilizes retargeting while avoiding running into problems with regulators. We segment your users into specific lists depending on which pages they initially visited and create a custom audience to deliver the ads. The ads displayed to these users are generic, and we avoid references to any specific treatment or condition. We may also use video testimonials of patients who have received treatment from you and are happy to share their experiences. We document their consent, so you are never at risk of violating any rules or regulations.

Instagram

Instagram follows the same rules as Facebook. We take care to highlight the human side of your practice and make your social presence feel more personal. We show behind-the-scenes content, share the success of patients who have given consent, and provide valuable health tips. While remaining compliant on all fronts, we ensure that the content we post is engaging.

Google

We use various channels within Google for your remarketing campaign. If you use videos on your website or have a YouTube channel, Google remarketing can target users who interact with them. By including a clear call-to-action in your video content, you can help point users in the right direction. We also share a list of your customers’ email addresses with Google’s Customer Match tool to target adverts towards them. This can be particularly useful when targeting specific segments of your customer base, such as high-value clients.

We carefully navigate retargeting to remain safe and effective. Our entire team is aware of and trained on HIPAA and PHIPA standards. We’ve helped scores of local medical practices achieve phenomenal success with our digital marketing services, and we can do the same for you.

Get in touch with one of our digital healthcare marketing experts today.