In 1996, US Congress passed the Health Insurance Portability and Accountability Act (HIPAA). And as we explained here, this “dense piece of legislation…has serious implications for virtually all medical professionals, including physical therapists, occupational therapists, and speech-language pathologists.” Specifically, all HIPAA-covered entities—and that includes providers, payers, and business associates—“must follow certain rules governing the way patient protected health information (PHI) is collected, shared, and used.” And consequences for HIPAA breaches can be severe. While you may already take precautions to protect your patients’ PHI within your clinic, you must also extend the same level of care to your marketing efforts. Failing to do so could land you in some very hot water. With that in mind, we’ve compiled some tips to help you ensure you’re:

  1. sending HIPAA-compliant marketing emails, and
  2. maintaining HIPAA-compliant social media channels.

Before we jump into that, though, we must say this: while we here at WebPT are well-versed in researching and writing about HIPAA, we are not attorneys, nor are we compliance experts. Therefore, please take the following information as just that: information. It is general in nature, will not be suitable for everyone, and should not be construed as legal or expert advice. We strongly encourage you to speak with a certified compliance expert—such as Rick Gawenda of Gawenda Seminars or Tom Ambury of the PT Compliance Group—as well as a healthcare attorney to decide what’s right for your business before you implement any strategy, including any of the ideas outlined below.

With that out of the way, here’s the healthcare provider’s guide to HIPAA-compliant marketing:

HIPAA-Compliant Emails

As WebPT’s Charlotte Bohnett and Brooke Andrus write in this post, “few tech inventions have endured the way email has.” In fact, the authors cite this infographic, stating that “95% of online consumers use email, and 91% check their accounts once a day.” As a result, businesses see a $44.25 average return on investment for every $1 they spend on email marketing. With all that in mind, it’s no wonder email remains a crucial piece of any successful marketing campaign. However, with HIPAA rules around marketing being “murky at best”—especially following the introduction of the 2013 HIPAA Omnibus Rule—many providers have shied away from this potentially profitable pathway. But there is a way for your practice to reap the benefits of email marketing while remaining fully HIPAA compliant. Here’s how:

1. Include a marketing communications opt-in form in your intake paperwork.

That way, you’ll know which patients you can market to via email and which ones you can’t. As Bohnett and Andrus advise, be sure your opt-in form “clearly explain(s) the types of communications you will send,” as well as “how those communications will benefit them.” If a patient decides to opt out, you must respect his or her decision. Additionally, you are legally obligated to provide your patients with the option to unsubscribe at any time—and you must comply with all unsubscribe requests.

2. Ensure your email provider understands—and complies with—HIPAA.

This is important, because any breach on the part of your email vendor will ultimately fall on you. That could mean costly fines as well as broken trust with patients. It’s always your responsibility to vet your software vendors and make sure they’re on the ball when it comes to HIPAA compliance. While we’re talking specifically about marketing emails here, if you plan to discuss a patient’s health information via email—with that patient’s consent, of course—you must take additional precautions, like encrypting your messages or using a secure messaging service with which you have a signed HIPAA business associate agreement.

3. Never send patient PHI as part of an email marketing message—unless you have express written permission from the patient and you’ve discussed it with an attorney.

As Bohnett and Andrus suggest, “stick to communication that is appropriate and relevant to large groups of readers—like sharing great content that speaks to, say, a segment of patients who are runners or a segment of patients who participate in aquatic therapy.” You could also use marketing emails to promote new cash-pay wellness services or share clinic news. It’s also worth noting here that patient email addresses fall under the PHI umbrella as well, so be sure your emails are going out to a blind list (i.e., one that isn’t visible to any individual recipient), and never sell or disclose email addresses “unless expressly allowed under HIPAA law.”
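The mechanical side of steps 1 and 3 above is easy to get wrong in a mail-merge script, so here is an added example (our own illustration, not WebPT's code or any vendor's API) that sends only to patients who opted in and have not since unsubscribed, and builds one message per recipient so no patient's address is visible to another. The intake records, the unsubscribed set, the sender address, and the unsubscribe URL are all constructed sample values; the anti-pattern function is included only to show what the check catches.

```python
"""Per-recipient marketing mail builder (added example, not WebPT's code).

Shows (1) addressing only patients who opted in and have not unsubscribed,
and (3) a "blind list": one message per address, so no recipient can see
any other recipient's email address (which is itself PHI).
"""
from email.message import EmailMessage

# Constructed sample intake records: (email address, opted in to marketing?)
PATIENTS = [
    ("alice@example.com", True),
    ("bob@example.com", False),     # declined marketing on the intake form
    ("carol@example.com", True),
]

# Constructed opt-out list: opted in at intake, unsubscribed later.
UNSUBSCRIBED = {"carol@example.com"}

SENDER = "clinic@example.com"                  # assumed sender address
UNSUB_URL = "https://example.com/unsubscribe"  # hypothetical unsubscribe endpoint


def marketing_recipients(patients, unsubscribed):
    """Addresses that opted in AND have not since asked to be removed."""
    return [addr for addr, opted_in in patients
            if opted_in and addr not in unsubscribed]


def build_messages(recipients, subject, body):
    """One EmailMessage per recipient; no other address appears in its headers."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = addr                              # only this recipient
        msg["Subject"] = subject
        msg["List-Unsubscribe"] = f"<{UNSUB_URL}>"    # RFC 2369 one-click opt-out
        msg.set_content(body)
        messages.append(msg)
    return messages


def bulk_message(recipients, subject, body):
    """The anti-pattern: a single message addressed to everyone at once."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)                 # exposes the whole list
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def leaks_addresses(msg, all_recipients):
    """True if any other recipient's address is visible in To or Cc."""
    visible = " ".join(str(msg.get(h, "")) for h in ("To", "Cc"))
    own = str(msg["To"])
    return any(a in visible for a in all_recipients if a != own)


if __name__ == "__main__":
    recipients = marketing_recipients(PATIENTS, UNSUBSCRIBED)
    for m in build_messages(recipients, "Spring wellness classes", "Hello!"):
        assert not leaks_addresses(m, recipients)
        print(m["To"])
```

Run the pre-send check over every outgoing message, not just a sample: a single mis-addressed campaign discloses the address of every patient on the list, and the opt-out set must be re-read at send time so that a request received an hour ago is honoured.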

HIPAA-Compliant Social Media Channels

Today, everyone’s using social media, including your patients, who—as we explain here—do so to “make informed decisions about their health.” Thus, as a healthcare provider, you should be using it, too. That being said, because you’re covered by HIPAA, you must take some additional precautions to ensure you’re using it safely. After all, “social media is anything but private—and it’s practically permanent, because once you put something online, chances are good it’s going to live forever.” With that in mind, here are eight tips for ensuring you’re keeping your social media channels HIPAA-compliant:

  1. As Tom Ambury advises here, keep your business and personal accounts separate.
  2. Develop—and enforce—a comprehensive social media policy; then, train your staff on it.
  3. Ensure all staff members who have access to your social media accounts are well-supervised and know who to ask for help should a complicated situation arise.
  4. Implement a system that enables you to track, archive, and retrieve all electronic communications—you’ll need them as evidence should you find yourself facing a lawsuit or breach accusation.
  5. Designate someone to approve all posts before they get published. And if that’s not possible, this Forbes article recommends adopting technology capable of monitoring your posts in real-time and flagging any that could be problematic.
  6. Write pre-approved copy that your staff can use to provide general status updates and respond in potentially tricky scenarios.
  7. Never, ever post medical advice or PHI on social media—unless you have express written permission from the patient and you’ve discussed it with an attorney. As this article says, “patient posts do not imply consent”—and it’s never a good idea to “violate privacy or post PHI.”
  8. Institute an audit schedule to regularly monitor all accounts for professionalism and compliance. Then, follow up with feedback and/or additional training.

To learn more about what constitutes ePHI—that is, protected health information “sent or stored electronically”—check out this article from LuxSci. You may be surprised to learn that there are 18 individual identifiers (names, email addresses, dates, and the like) that, when paired with any health information—even something as seemingly innocuous as an appointment with a particular doctor—make the whole record ePHI.


How does your practice ensure your marketing efforts—via both email and social media—are HIPAA-compliant? Share your strategies in the comment section below.