Health and life science marketers need to offer targeted, personalized marketing content that gets their message to the right people. They are also required to safeguard information and manage its allowable use based on patients' and consumers' opt-in requests; in other words, the information cannot be used in a way the consumer has not approved. Those in the health and life sciences sector are often pulled between marketing best practices and what compliance permits. These marketers must understand how to align marketing and HIPAA best practices.
- Align marketing, IT, and compliance. Most companies have checklists to ensure they meet HIPAA and local regulations. Most concerns focus on data and less on campaign management, so ensure your campaign management tools enable and support the data requirements. Many marketers have a high-level understanding but do not understand how systems exchange data or where files are stored.
- Understand what HIPAA regulates. HIPAA regulates the use and disclosure of Protected Health Information, which is any information about health status, provision of healthcare, or payment of health care that can be linked to a specific individual.
- Understand what HIPAA doesn't prohibit. HIPAA does not disallow direct-to-consumer (DTC) healthcare marketing, but the system used has to meet its security standards. Approach communications carefully: there have been 104,933 reported HIPAA complaints, with 22% resulting in actionable concerns.
- Recognize there are no data tricks. You cannot use codes or color codes to segment contacts, such as "red = diabetics". Companies should fully encrypt data at every touch point, keeping it safe within the data center and just as safe as it flows in and out of that center. Marketing departments should consider a marketing information buffer that protects customer-identifying information and protected health files while still allowing targeted audiences to be built.
- Know the cost of non-compliance. Penalties can be up to $1.5 million per segment, and there are 15-17 segments which HIPAA monitors. Implement security management that logs opt-in and opt-out choices and ensures changes to security credentials are properly stored. Deliver email securely, giving patients a unique set of credentials to access their messages through a portal -- making it impossible to forward those emails to a third party.
- Learn about other regulations impacting the health and life sciences industries. The HITECH Act is going to have a growing impact on healthcare, and a massive expansion in the exchange of ePHI is anticipated. This widens the scope of protections available under HIPAA, increases the potential legal liability for non-compliance, and provides for more enforcement of HIPAA.
- Question your marketing technology vendors. Healthcare and life science companies own HIPAA compliance responsibility, not their vendors. HIPAA does not require a software solution itself to be HIPAA compliant, but as a business partner of any covered entity, the Business Associate must comply. Technology vendors can offer solutions that enable marketers to be compliant, but they must have safeguards in place to work with a covered entity. HIPAA compliance is a journey, not a process. Technology vendors should enable their customers to be HIPAA compliant, but customers should not use tools such as marketing automation systems with the expectation that they are now HIPAA compliant. If a marketing automation vendor states that it is HIPAA compliant, red flags should be raised.
Understanding HIPAA compliance is imperative, but it is not always well understood. Remember to align your marketing organization with both IT and compliance teams to ensure you're delivering impactful communications in a compliant manner.
Which best practices would your company add to this list? What HIPAA questions most often arise in your marketing programs?