In 1996, US Congress passed the Health Insurance Portability and Accountability Act (HIPAA). And as we explained here, this “dense piece of legislation...has serious implications for virtually all medical professionals, including physical therapists, occupational therapists, and speech-language pathologists.” Specifically, all HIPAA-covered entities—and that includes providers, payers, and business associates—“must follow certain rules governing the way patient protected health information (PHI) is collected, shared, and used.” And consequences for HIPAA breaches can be severe. While you may already take precautions to protect your patients’ PHI within your clinic, you must also extend the same level of care to your marketing efforts. Failing to do so could land you in some very hot water. With that in mind, we’ve compiled some tips to help you ensure you’re:

  1. sending HIPAA-compliant marketing emails, and
  2. maintaining HIPAA-compliant social media channels.

Before we jump into that, though, we must say this: while we here at WebPT are well-versed in researching and writing about HIPAA, we are not attorneys, nor are we compliance experts. Therefore, please take the following information as just that: information. It is general in nature, will not be suitable for everyone, and should not be construed as legal or expert advice. We strongly encourage you to speak with a certified compliance expert—such as Rick Gawenda of Gawenda Seminars or Tom Ambury of the PT Compliance Group—as well as a healthcare attorney to decide what’s right for your business before you implement any strategy, including any of the ideas outlined below.

With that out of the way, here’s the healthcare provider’s guide to HIPAA-compliant marketing:


HIPAA-Compliant Emails

As WebPT’s Charlotte Bohnett and Brooke Andrus write in this post, “few tech inventions have endured the way email has.” In fact, the authors cite this infographic, stating that “95% of online consumers use email, and 91% check their accounts once a day.” As a result, businesses see a $44.25 average return on investment for every $1 they spend on email marketing. With all that in mind, it’s no wonder email remains a crucial piece of any successful marketing campaign. However, with HIPAA rules around marketing being “murky at best”—especially following the introduction of the 2013 HIPAA omnibus ruling—many providers have shied away from this potentially profitable pathway. But there is a way for your practice to reap the benefits of email marketing while remaining fully HIPAA compliant. Here’s how:

1. Include a marketing communications opt-in form in your intake paperwork.

That way, you’ll know which patients you can market to via email and which ones you can’t. As Bohnett and Andrus advise, be sure your opt-in form “clearly explain(s) the types of communications you will send,” as well as “how those communications will benefit them.” If a patient decides to opt out, you must respect his or her decision. Additionally, you are legally obligated to provide your patients with the option to unsubscribe at any time—and you must comply with all unsubscribe requests.

2. Ensure your email provider understands—and complies with—HIPAA.

This is important, because any breach on the part of your email vendor will ultimately fall on you. That could mean costly fines as well as broken trust with patients. It’s always your responsibility to vet your software vendors and make sure they’re on the ball when it comes to HIPAA compliance. While we’re talking specifically about marketing emails here, if you plan to discuss a patient’s health information via email—with that patient’s consent, of course—you must take additional precautions, like encrypting your messages or using a secure messaging service with which you have a signed HIPAA business associate agreement.

3. Never send patient PHI as part of an email marketing message—unless you have express written permission from the patient and you’ve discussed it with an attorney.

As Bohnett and Andrus suggest, “stick to communication that is appropriate and relevant to large groups of readers—like sharing great content that speaks to, say, a segment of patients who are runners or a segment of patients who participate in aquatic therapy.” You could also use marketing emails to promote new cash-pay wellness services or share clinic news. It’s also worth noting here that patient email addresses fall under the PHI umbrella as well, so be sure your emails are going out to a blind list (i.e., one that isn’t visible to any individual recipient), and never sell or disclose email addresses “unless expressly allowed under HIPAA law.”
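The three email points above boil down to a small amount of logic that a clinic (or its email vendor) should enforce before anything goes out: only patients who opted in on intake get marketing email, every unsubscribe request wins over the original opt-in, and patient addresses never appear where another recipient could see them. The following Python is an added example written for this post, not code from WebPT or from any vendor; the patient records, addresses and clinic sender address are constructed placeholders. Recipients are kept in the SMTP envelope rather than in a visible header, which is the “blind list” the article describes, and a pre-send check catches the mistake of putting them in To or Cc.

```python
from dataclasses import dataclass, field
from email.message import EmailMessage
from email.utils import getaddresses


@dataclass
class Patient:
    """Minimal patient record; only the fields this example needs (hypothetical)."""
    name: str
    email: str
    marketing_opt_in: bool = False  # answer from the intake-form opt-in


@dataclass
class ConsentRegistry:
    """Tracks who may receive marketing email and who has since unsubscribed."""
    patients: list
    unsubscribed: set = field(default_factory=set)

    def unsubscribe(self, address: str) -> None:
        # An unsubscribe request is always honored, regardless of the original opt-in.
        self.unsubscribed.add(address.strip().lower())

    def eligible(self) -> list:
        """Addresses that opted in on intake and have not unsubscribed since."""
        return [
            p.email for p in self.patients
            if p.marketing_opt_in and p.email.strip().lower() not in self.unsubscribed
        ]


def build_campaign(sender: str, subject: str, body: str, recipients: list,
                   hide_recipients: bool = True):
    """Build the message and the envelope recipient list separately.

    With hide_recipients=True only the clinic's own address is in the headers and
    the patient addresses travel in the SMTP envelope, so no recipient can see
    another. hide_recipients=False reproduces the common mistake (addresses in To)
    so the pre-send check below has something to catch.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender if hide_recipients else ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def visible_addresses(msg: EmailMessage) -> set:
    """Every address a recipient would see in the delivered To/Cc headers."""
    headers = [v for name in ("To", "Cc") for v in msg.get_all(name, [])]
    return {addr.lower() for _, addr in getaddresses(headers)}


def leaks_recipient(msg: EmailMessage, recipients: list) -> bool:
    """Pre-send check: does any patient address appear in a visible header?"""
    visible = visible_addresses(msg)
    return any(r.strip().lower() in visible for r in recipients)


# Constructed sample data: hypothetical patients, not real people or addresses.
SAMPLE_PATIENTS = [
    Patient("Ada", "ada@example.com", marketing_opt_in=True),
    Patient("Ben", "ben@example.com", marketing_opt_in=False),
    Patient("Cal", "cal@example.com", marketing_opt_in=True),
]


def demo():
    """Opt-in filtering, an unsubscribe, and a blind-list message that passes the check."""
    registry = ConsentRegistry(SAMPLE_PATIENTS)
    registry.unsubscribe("Cal@example.com")  # case-insensitive match on the address
    recipients = registry.eligible()
    msg, envelope = build_campaign("newsletter@clinic.example", "Running clinic news",
                                   "General content for our runners.", recipients)
    return recipients, envelope, leaks_recipient(msg, envelope)


if __name__ == "__main__":
    print(demo())
```

The envelope list returned by `build_campaign` is what you would hand to your mail library's send call as the recipient list; the message headers never carry it. Running the same check against a message built with `hide_recipients=False` returns `True`, which is the point at which a send should be blocked.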

HIPAA-Compliant Social Media Channels

Today, everyone’s using social media, including your patients, who—as we explain here—do so to “make informed decisions about their health.” Thus, as a healthcare provider, you should be using it, too. That being said, because you’re covered by HIPAA, you must take some additional precautions to ensure you’re using it safely. After all, “social media is anything but private—and it’s practically permanent, because once you put something online, chances are good it’s going to live forever.” With that in mind, here are eight tips for ensuring you’re keeping your social media channels HIPAA-compliant:

  1. As Tom Ambury advises here, keep your business and personal accounts separate.
  2. Develop—and enforce—a comprehensive social media policy; then, train your staff on it.
  3. Ensure all staff members who have access to your social media accounts are well-supervised and know who to ask for help should a complicated situation arise.
  4. Implement a system that enables you to track, archive, and retrieve all electronic communications—you’ll need them as evidence should you find yourself facing a lawsuit or breach accusation.
  5. Designate someone to approve all posts before they get published. And if that’s not possible, this Forbes article recommends adopting technology capable of monitoring your posts in real-time and flagging any that could be problematic.
  6. Write pre-approved copy that your staff can use to provide general status updates and respond in potentially tricky scenarios.
  7. Never, ever post medical advice or PHI on social media—unless you have express written permission from the patient and you’ve discussed it with an attorney. As this article says, “patient posts do not imply consent”—and it’s never a good idea to “violate privacy or post PHI.”
  8. Institute an audit schedule to regularly monitor all accounts for professionalism and compliance. Then, follow up with feedback and/or additional training.

To learn more about what constitutes ePHI—that is, protected health information “sent or stored electronically”—check out this article from LuxSci. You may be surprised to learn that there are 18 different individual identifiers that—if paired with any kind of protected health information, even something as seemingly innocuous as an appointment with a particular doctor—are considered ePHI.


How does your practice ensure your marketing efforts—via both email and social media—are HIPAA-compliant? Share your strategies in the comment section below.
