HIPAA + Medical Spa Marketing: What you need to know to stay out of the brig.


What does HIPAA mean for your medical spa’s marketing?

HHS, which implements, enforces, and offers helpful information about HIPAA and related topics, has provided specific information on healthcare marketing to help clear up some confusion. They define marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” 

That’s a pretty broad description.

The key function of marketing is telling a story that compels someone to purchase a product or service. However, healthcare marketers cannot use these stories without consent from the person involved, since doing so would mean using their protected health information (PHI).

Beyond this central definition, marketing can also refer to an arrangement between a covered entity (CE) and another organization where the CE gives PHI to the other organization in exchange for payment, whether direct or indirect, so that the other entity can then make communications about its products or services. This part of the definition doesn't have any exceptions: the individual must authorize this usage before that exchange can happen. Covered entities cannot sell these lists under any circumstances without approval from each and every person on the list.

Within the scope of the definition of healthcare marketing by the HHS, organizations are still required to receive clear and direct consent from the patient before their protected health information is used in any of these ways. 


What is NOT considered Healthcare Marketing 

Just as the HHS has clearly defined what marketing is in the context of healthcare and PHI, they have also laid out the exceptions to this definition. There are three exceptions to the marketing definition laid out above, which allow these communications to occur without approval from the patient, assuming that they comply with HIPAA in any other ways as necessary.

The first exception is that communication is not considered marketing if it describes a health-related service or product that is provided by or included in a plan of benefits of the CE making the communication. This means that an email or posting from a covered entity can include a product and service that they offer without being considered marketing. CEs are allowed to let their client lists know about a new piece of equipment they have or a new facility that is being built. 

Another exception to the HHS definition of marketing is that if a form of communication is created for the treatment of the individual that it is sent to, then it is not considered marketing and does not need their approval. This often looks like a healthcare provider sending the patient a prescription refill reminder or a referral for follow-up testing that was discussed. Since these types of correspondence are regular parts of the treatment of that individual, they are not marketing.

The last exception from marketing is a communication that occurs during the care coordination case management process of working with a patient. This is typically where an alternate provider or treatment is recommended. As long as the recommendation is part of the patient's treatment and is the provider's genuine recommendation for the patient, then it is not considered marketing but merely a part of caring for the patient.

HIPAA Compliant Healthcare Marketing

If you are having trouble distinguishing between marketing activities and typical treatment activities, there are a few things to keep in mind. Sometimes in the course of recommending a treatment, a doctor or healthcare provider recommends the purchase of a medicine or product of some sort. This is not considered marketing by the HHS, as the benefit of this product is being portrayed and it is within the regular operations of the healthcare industry. 

Specifically for marketing, the main thing to keep in mind is getting written authorization for any uses of PHI in a campaign or communication that you may be sending out. 

There are so many do’s and don’ts to healthcare marketing and complying with HIPAA as a whole that it may seem complicated at times. That is why Accountable exists to simplify the process and steps of achieving HIPAA compliance. Getting written authorization for use of PHI in marketing is important, but there are many other steps that need to be taken for complete compliance.