In our nearly two decades of being a HubSpot partner that specializes in healthcare marketing, we’ve often been asked, “Is HubSpot HIPAA compliant?”
While HubSpot does not meet the requirements of a HIPAA compliant CRM today, it can still be used in a way that meets your marketing goals while ensuring you follow the law and maintain patient trust.
Below, we’ll cover what it means to achieve HIPAA compliance in marketing and how our digital marketing agency can help you develop processes to grow revenue without compromising patient privacy.
(We should note that this is not a substitute for legal advice, and we recommend seeking legal counsel for specific HIPAA-related questions.)
Most marketers are already familiar with the fundamentals of the Health Insurance Portability and Accountability Act (HIPAA) and its rules protecting patient privacy, including electronic protected health information. Under the law, a software provider or third party with a legal agreement in place to receive or transmit protected health information is considered a business associate. These third parties are liable and may be subject to civil or even criminal penalties if a HIPAA violation occurs.
A software provider or vendor that works with a covered entity, such as a hospital or physician group, is not considered by the U.S. Department of Health and Human Services a business associate unless they have a written agreement in place granting access to protected health information.
In many cases, marketers and marketing software would not be receiving protected health information and would not be considered business associates.
However, there are still important considerations to keep in mind:
Patients who agree to be featured in any marketing materials, such as a website testimonial, brochure or video, need to give explicit permission by signing a HIPAA authorization form.
This outreach should always be initiated by a physician or someone authorized to act on behalf of the covered entity (such as another hospital employee).
Patient names and email addresses are considered electronic protected health information (ePHI). According to The HIPAA Journal, they should not be uploaded to a sales or marketing platform unless the following criteria have been met:
Because HubSpot is not a HIPAA compliant CRM, we do not use it for any marketing to known patients. It is possible that patients may opt in to receive marketing emails by filling out a form on a hospital or healthcare organization’s website (such as signing up to receive a newsletter), but they would not disclose their status as patients.
For instance, Cincinnati Children’s Hospital has a variety of free resources on its website that don’t require users to provide any information to access them, as well as a blog they can subscribe to with only an email address.
You can still leverage a marketing platform like HubSpot to provide messaging to people who elect to receive them and promote your healthcare brand. The key is ensuring that nothing sent out identifies the recipient as a patient or as someone with a specific illness, diagnosis or medical condition.
If your organization will be sending general communications, such as a hospital newsletter, of course you’ll need to collect some basic information. To reduce barriers to filling out forms, we recommend asking for the least amount of information necessary to convert. While this is a best practice for any industry, it also aligns with HIPAA compliance best practices. Asking only for a name and email address in an opt-in form on your website is an example of lowering the barrier to entry while avoiding collecting information that may potentially violate HIPAA.
For instance, the Healthcare.gov Marketplace does not collect data that can be considered personally identifiable information (PII) by itself or when combined with other information, such as name, birthplace and birthdate.
It only collects PII when a user creates an account to apply for health care coverage, and it discloses how it uses the information to compare insurance plans.
Like many websites, Healthcare.gov and other healthcare providers use cookies to store specific information about a user’s visit so they can provide a better experience to returning users. They also use this information for retargeting ads. However, like many websites with tracking and cookie technology, they do disclose the data they are collecting, how it will be used, and how users can opt out of having their browser activity tracked.
Even if you don’t have HIPAA compliant CRM software, you can use your CRM and other platforms for sales and marketing as long as you aren’t storing protected health information.
This means regularly reviewing your data and any integrations you may have with other systems to ensure no protected health information is being shared with a CRM, advertising platform, or social media platform unless it is HIPAA compliant.
Revenue operations (RevOps) focuses on streamlining processes and breaking down silos between marketing and sales, which is just as crucial in healthcare as in other industries.
Having a documented data collection and management strategy can help your healthcare organization ensure you maintain HIPAA compliance even if you never intend to access patient data.
Here are a few examples of how Kuno’s RevOps team works with healthcare companies using HubSpot or other marketing platforms:
Understanding how your organization collects data through cookies, forms or events and uses that data can help you evaluate any potential risks. For instance, if your organization has a booth at a community event and you collect names and email addresses for a prize drawing, you should explicitly require them to opt in to receive marketing information.
HubSpot and other software systems have varying levels of permissions granted to users allowing them access to different types of data or functions, such as the ability to send emails or view or modify reporting. Even if you aren’t collecting any protected health information, you should know who has access to any contacts who may be current patients or may become patients.
To follow the cybersecurity principle of least privilege, every user should have the lowest level of access needed to perform the tasks assigned to them. If a user leaves, they should be immediately removed from your marketing automation platform.
Your RevOps team can help you determine what cookie tracking is appropriate and how to disclose tracking and data collection to comply with HIPAA, as well as the European Union’s General Data Protection Regulation (GDPR).
This will likely mean creating a consent banner or overlay that notifies users of how their activity will be tracked when they first visit your website, what information they collect through forms and how it will be used.
Here’s an example of how healthcare distributor McKesson notifies users of its cookie policy on its website:
You’ll also want to pay close attention to the data you’re collecting and the disclaimers you include on forms. In HubSpot, for instance, you can enable double opt-in on forms and pages. You might choose to enable or disable double opt-in for select pages and select forms depending on the purpose to ensure visitors understand what they are signing up to receive.
A CRM offers many opportunities to improve your team’s sales and marketing alignment with automated workflows.
For instance, you could trigger automated notifications when a new contact fills out a form on a specific page that indicates a high level of interest, such as requesting an appointment.
You could also create lead-nurturing email workflows to introduce new contacts to your brand, help them understand how you can help, and share some examples of what you’ve helped others achieve.
You’ll also want to establish clear processes for handing off qualified leads and following up with lost opportunities while ensuring your team is never interacting with known patients.
If you are a healthcare B2B company, you might receive a certain percentage of leads from people who use your products or services, rather than the hospital systems or physician groups that purchase them.
While these contacts could become brand ambassadors at some point, they are not your target and should not be part of your deal pipeline. A RevOps agency can make recommendations for classifying these contacts and removing them from your database if necessary so you don’t continue to market to them.
While a HIPAA compliant CRM can be beneficial in some instances, it’s not necessary if you’re not using it as a patient communication platform. With a solid marketing strategy and a clear understanding of how you’re collecting and using data throughout your sales processes, you can achieve sustainable growth while maintaining compliance.
When you hire Kuno Creative, you’re teaming up with a talented team of marketing strategists, revenue operations professionals, content writers, demand generation specialists, SEO analysts, graphic designers and web developers for a fraction of the cost of hiring a full in-house team.
Here are just a few examples of how we’ve helped healthcare companies achieve success:
If you’re ready to see real returns with a full-service marketing strategy, schedule a consultation today.
.jpg)
