HIPAA Compliance for Marketers
Technology and wearables are being widely adopted by consumers to track and monitor their own health and wellness. Mobile apps are empowering individuals to take control of their health and are poised to take a critical role in the healthcare industry. AccelerateFP understands the role HIPAA plays in protecting patients and in building a relationship of trust between providers and patients.
Mobile apps can connect patients and doctors and provide a faster path for patients to get care. They also allow information to flow between patient and doctor in real time, which can result in better care.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is United States legislation that safeguards medical information. It sets the standard for electronic health transactions and lays out the privacy and security provisions for collecting, storing, and processing individually identifiable health information. It protects protected health information (PHI), governs how PHI may be accessed, stored, and shared, and gives patients rights over their own health information.
What’s Considered Protected Health Information (PHI)?
Protected Health Information (PHI) is individually identifiable health information that a covered entity or business associate creates, receives, stores, or transmits. Health information becomes PHI when it is tied to identifiers such as a patient’s name, address, dates (birth, admission, discharge), medical record number, account number, or email address. It includes medical records, conversations with doctors and other healthcare professionals, and billing records that carry patient-identifiable information.
Who Needs to be HIPAA Compliant?
Any organization that falls under the definition of a covered entity under HIPAA has to comply. Covered entities are health care providers, health plans, and health care clearinghouses that electronically store or transmit health information. If these entities build their own mobile applications that collect, store, or use PHI, those apps must be HIPAA compliant.
A business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Most businesses that provide services involving PHI for covered entities fall into this category: contractors, subcontractors, and other companies that are not employed by a covered entity but still need access to health information to deliver their services. Business associates must sign a business associate agreement with the covered entity and are directly liable for Security Rule compliance. You can find more information on the official US Department of Health & Human Services website.
Within the purview of the HIPAA privacy rule, AccelerateFP is neither a covered entity nor a business associate.
How AccelerateFP Customers Address HIPAA Compliance Within their Marketing Organizations
Many healthcare companies leverage user behavior data in their marketing campaigns to acquire and engage users via email, push notifications, and social media. When users sign up for a healthcare service, they expect personalized communications, such as appointment confirmations and service notifications.
While companies use certain data to make their marketing campaigns more effective, PHI cannot simply be repurposed for promotion. The HIPAA Privacy Rule generally requires a patient’s written authorization before PHI is used or disclosed for marketing, and the patient may revoke that authorization at any time. Communications about the patient’s own care, such as appointment reminders, are treated differently from promotion of products or services. Performing due diligence while designing your app and its data flows is what keeps it HIPAA compliant.
Avoid sending or storing PHI: AccelerateFP has seen customers build HIPAA compliant use cases by ensuring that no sensitive information, specifically PHI, is processed, stored, or transmitted to AccelerateFP. That is the easiest way to stay within the HIPAA Privacy Rule. Companies can still record behavioral events such as app launched, appointment scheduled, and payment submitted on a platform like AccelerateFP to make their marketing campaigns more relevant, as long as the event names and properties themselves do not reveal a health condition.
Do not use PHI for marketing campaigns: A good rule of thumb is to make sure marketing messages never use PHI to identify a patient or disclose sensitive information on channels that are not HIPAA compliant. For example, do not include a health condition in an appointment confirmation text message; simply send a reminder of the time and place. Likewise, avoid naming prescriptions or physicians in push notifications or in-app messages, and avoid event or segment names (such as a clinic specialty) that imply a diagnosis.
Use separate systems for marketing and patient data: Another best practice is to make sure marketing teams are well versed in compliance and are taking measures to keep online marketing data separate from patient data. One option is to collect marketing contact data such as name, email, and phone number in a separate system so that the information is strictly marketing oriented and never joined with clinical records.
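One practical way to enforce the first three practices above is an egress filter in the app: only allowlisted behavioral events and properties are forwarded to the marketing platform, and everything else is dropped before it leaves the device or backend. The following is an added example written for this page, not AccelerateFP code or SDK. The event schema, the field names, the PHI patterns, and the send path are assumptions for illustration; an allowlist is used rather than a denylist so that a new, unreviewed field is blocked by default.

```python
"""Egress filter that keeps PHI out of events sent to a marketing platform.

Added example, not AccelerateFP code. The event names, property names and
identifier patterns below are constructed for illustration. Design choice:
an allowlist (only pre-approved events and properties leave the app); a
denylist would let any newly added field through until someone noticed.
"""
import re

# Behavioural events the marketing team is allowed to receive, and the
# properties each may carry. Nothing outside this table is forwarded.
ALLOWED_EVENTS = {
    "app_launched": {"platform", "app_version"},
    "appointment_scheduled": {"appointment_ts", "location_id"},
    "payment_submitted": {"amount_cents", "currency"},
}

# Identifier patterns that must never appear in a forwarded property value,
# even in an allowlisted field. Illustrative; tune to your own MRN and
# account-number formats.
PHI_PATTERNS = {
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I),
    "mrn": re.compile(r"\bMRN[-\s]?\d{6,}\b", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}


def looks_like_phi(value):
    """Return the name of the first PHI pattern a string value matches, else None."""
    if not isinstance(value, str):
        return None
    for name, pattern in PHI_PATTERNS.items():
        if pattern.search(value):
            return name
    return None


def sanitize_event(event):
    """Return (clean_event, dropped).

    clean_event contains only allowlisted properties that pass the PHI
    patterns; dropped is a list of (key, value, reason) tuples for audit
    logging. If the event name itself is not allowlisted, clean_event is
    None and the whole event is dropped.
    """
    name = event.get("name")
    allowed_props = ALLOWED_EVENTS.get(name)
    if allowed_props is None:
        return None, [("event", name, "event not allowlisted")]

    dropped = []
    clean = {"name": name, "properties": {}}
    for key, value in event.get("properties", {}).items():
        if key not in allowed_props:
            dropped.append((key, value, "property not allowlisted"))
            continue
        hit = looks_like_phi(value)
        if hit:
            dropped.append((key, value, f"value matches {hit} pattern"))
            continue
        clean["properties"][key] = value
    return clean, dropped


def forward_events(events, send):
    """Sanitize each event and hand the clean ones to send(); return the audit log.

    send is the marketing SDK call (assumed signature: send(event_dict)).
    """
    audit = []
    for event in events:
        clean, dropped = sanitize_event(event)
        audit.extend(dropped)
        if clean is not None:
            send(clean)
    return audit


if __name__ == "__main__":
    # Constructed sample events: one clean, one carrying a diagnosis in an
    # unreviewed field, one whose event name itself discloses a condition.
    sample = [
        {"name": "app_launched",
         "properties": {"platform": "ios", "app_version": "4.2.0"}},
        {"name": "appointment_scheduled",
         "properties": {"appointment_ts": "2024-05-01T09:00", "location_id": "clinic-12",
                        "diagnosis": "Type 2 diabetes", "notes": "call jane@example.com"}},
        {"name": "oncology_visit_scheduled", "properties": {"location_id": "clinic-12"}},
    ]
    sent = []
    for entry in forward_events(sample, sent.append):
        print("dropped:", entry)
    print("forwarded:", sent)
```

Run the block directly to see the two clean events forwarded and the diagnosis, the free-text note, and the oncology event dropped with reasons. In production the audit entries should go to an internal log, not to the marketing platform, since they contain the very values the filter just refused to forward.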
Use encrypted channels to store and transmit PHI: As an industry best practice, mobile app publishers must make sure that PHI is never stored unencrypted or transmitted over unencrypted channels. That means TLS for every network call that carries PHI and encryption at rest on the device and in the backend. Under the HIPAA Security Rule, encryption is an addressable specification rather than an absolute mandate, but a breach of unencrypted PHI is a reportable breach while properly encrypted data falls under the breach notification safe harbor, so in practice there is little reason not to encrypt.
Ensure cloud storage compliance: If an app stores its data in the cloud, app publishers should verify that the hosting provider meets HIPAA requirements. For example, if you are using Amazon Web Services (AWS) as your cloud service provider, ensure that every AWS service that touches PHI is on the HIPAA eligible services list.
Amazon provides an AWS Business Associate Addendum (AWS BAA), which customers can accept self-service through AWS Artifact before running HIPAA-sensitive workloads. Only services covered by the BAA should process, store, or transmit PHI for the app, and the BAA does not make the app itself compliant: configuring those services securely and controlling access to them remains the customer’s responsibility.
Use Two-factor Authentication (2FA): Two-factor Authentication (2FA) requires users to present a second factor, something they possess such as a phone or hardware token, in addition to their password. 2FA limits the damage from a stolen or reused password and helps ensure that a strong authentication process protects access to patient information.
Building a Secure, HIPAA-Compliant Healthcare Experience
HIPAA compliance is an opportunity for marketing and compliance functions to come together and build a positive brand experience for patients.
Data-driven marketers can strengthen relationships with their customers while ensuring that they incorporate the appropriate regulations in their workflows.
AccelerateFP recommends that customers seek legal guidance for any compliance-related questions that apply to their applications. AccelerateFP does not offer legal advice; it is up to the customer to identify the applicable laws and their nuances and to determine how best to architect their application to comply with HIPAA.