Are Your Website Practices HIPAA-Compliant?

Dec 1, 2023 | by Brad Bichey

Attention Healthcare Professionals and Healthcare Entities:

As the CEO of a Healthtech company specializing in surgical solutions, I want to bring to your attention a critical issue affecting your organization's compliance with HIPAA.

This guidance, issued by the HHS Office for Civil Rights, directly affects your risk exposure from your website traffic and the patient data it carries. It is a bulletin interpreting existing HIPAA rules, not a new statute, but OCR enforces it as such.

Read the full bulletin here: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html

Our Advisory Summary:

The Bulletin issued by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services spells out the compliance obligations of HIPAA-covered entities and business associates that use online tracking technologies. These entities may not use tracking technologies in a way that results in impermissible disclosures of Protected Health Information (PHI). The Bulletin specifically treats identifiers such as email addresses and phone numbers, when collected from a visitor on a covered entity's site, as PHI rather than ordinary PII. Capturing such data from web forms and passing it to third-party vendors such as Google for Enhanced Conversions tracking, without a business associate agreement (BAA) and a permissible purpose, constitutes an impermissible disclosure under HIPAA. Violations carry severe penalties, which is why strict adherence to HIPAA is required in every form of data handling and technology use.

What you can do immediately as a surgeon:

  1. Ask your marketer or web developer whether you are using Google tags or the Meta Pixel on your website and what data is passed back to Google or Meta in that process. Verify that no PII/PHI is being passed, including hashed email addresses or phone numbers.
  2. If you are paying for Google Ads, contact your marketer immediately and ask whether they are running enhanced conversions. If so, you are at risk and should pause that form of marketing until you know exactly what patient information is being captured and shared.

What you can do if you are a healthcare organization or medical device company:

  1. Meet with your marketing team immediately. If you are running call tracking, call centers, physician locators, or forms, verify that each doctor listed has a valid BAA in place with the vendor you use to collect the data. If you are a medical device company, you have no basis to collect PHI yourself unless you are doing so as a business associate under a BAA.
  2. Verify with your chief counsel that you are treating every doctor on your website as a covered entity and following all applicable HIPAA rules in your business processes, especially for any forms you use to engage patients directly.
  3. Consider self-reporting to OCR if you have inadvertently shared PII/PHI with an inside or outside marketer or with Google in your current marketing programs; penalties are generally much lighter when a violation is reported and corrected promptly.

Call tracking and most of the patient engagement forms currently in use by medical device companies are simply not HIPAA compliant under the Bulletin's reading of the rules…

Unfortunately, many of the major health systems and surgical practices we interact with believe that this guidance shuts down their ability to run an effective patient engagement strategy on the web. This is simply not true. There are now custom-designed solutions available for any size of healthcare entity that can work within existing marketing frameworks.

Here is more information on our research, potential penalties you may face, and steps you can take now to mitigate risk:

🔍 What is our research showing? Recent scrutiny has revealed that numerous healthcare websites might be unintentionally violating HIPAA regulations in their marketing efforts, particularly when integrating with Google’s marketing tools. This is a significant concern, as non-compliance not only risks patient privacy but also exposes your organization to legal penalties.

📊 What are your potential penalties? Many healthcare entities, including health systems, med device companies, and individual surgeons, use website analytics and tracking technologies for marketing purposes. Without proper safeguards, this can lead to the inadvertent disclosure of Protected Health Information (PHI) to third parties like Google. Civil penalties for HIPAA violations are tiered by culpability, from $100 up to $50,000 per violation (before inflation adjustment) with an annual cap of $1.5 million per provision, and knowing misuse of PHI can be prosecuted criminally with fines up to $250,000 and up to 10 years in prison. Covered entities facing such penalties are likely to seek to pass the liability through to their marketers.

Read more: https://www.usnews.com/news/top-news/articles/2023-11-02/us-hospital-groups-sue-biden-administration-to-block-ban-on-web-trackers

What solutions should you look for? Understanding the gravity of this issue, look for companies that have developed a suite of HIPAA-compliant solutions specifically designed for the healthcare sector. These should integrate patient triaging, prequalification, and scheduling systems while remaining fully compliant with the latest HIPAA regulations.

🔐 Why are custom SaaS solutions better than your CRM?

Custom SaaS offers a distinct advantage over conventional marketing tools. The majority of current marketing platforms are designed for the general consumer and do not meet the specific compliance requirements of the healthcare industry. The ideal strategy is to adopt custom SaaS solutions that bring your digital marketing into healthcare compliance while mitigating risk under updated healthcare regulations.

🤝 Consider Partnering With Nemedic for a Safer Future: We are committed to helping you navigate these complex legal waters with ease and security. By choosing our solutions, you not only safeguard your patients' data but also reinforce the integrity and trustworthiness of your business processes.

📩 Let’s Discuss: I invite you to connect with me for a detailed discussion on how we can tailor our solutions to meet your unique needs and ensure your digital practices are engaging, compliant, secure, and efficient.

Fire Up!

#HealthcareInnovation #HIPAACompliance #PatientPrivacy #DigitalHealth #HealthTechCEO #SecureHealthcareSolutions