The healthcare industry is heavily regulated when it comes to digital marketing in the USA and Canada. To protect individuals' sensitive private data, there are specific restrictions and procedures that set standardized best practices for websites and applications. Any medical or healthcare website must consider industry compliance, GDPR, accessibility and data privacy policies during design. Having a secure staging environment in which to test for compliance before deploying digital assets in the medical or hospital space is one way to avoid a HIPAA/PHIPA breach. To leverage digital marketing tools for a medical practice, your digital marketing agency or representative should be able to demonstrate a solid understanding of HIPAA and PHIPA compliance.
HIPAA Compliance for USA/American Data Collection
The Health Insurance Portability and Accountability Act (HIPAA) governs how covered entities and their business associates may use and disclose patient data, including for advertising and marketing. Its Privacy and Security Rules require safeguards for stored and transmitted data, such as encryption, and the "minimum necessary" standard limits each use or disclosure to the smallest amount of data needed for the stated purpose. Anything that falls under Protected Health Information (PHI) is covered by these rules. In the United States, HIPAA is enforced by the Department of Health and Human Services' Office for Civil Rights; the Federal Trade Commission (FTC) separately enforces its Health Breach Notification Rule for health apps and vendors that HIPAA does not cover, and the Food and Drug Administration (FDA) regulates the claims that may be made about drugs and devices. This means that for sensitive industries such as healthcare or medical clinics, every acquisition campaign in search marketing must be HIPAA compliant.
Privacy Collection Considerations
- For administrative teams, there should be a documented breach response plan that covers notifying the affected individuals and working with IT to contain and remediate compromised systems
- Once medical information is collected, PHI may only be used for the purposes stated in the privacy notice or authorized by the patient. Keep encrypted backups of this data with a third-party provider (under a business associate agreement) so it survives physical emergencies
- Require employees to follow a password policy. Note that NIST SP 800-63B advises against forcing periodic password changes; prefer long passwords, screening against known-breached passwords, and a forced change only when compromise is suspected
- Require two-factor authentication and monitor for suspicious sign-in activity
- The HIPAA Security Rule groups its safeguards into three categories, and the physical ones are often the hardest to get right:
- Administrative safeguards, such as documenting who has access to which data
- Physical safeguards, such as measures to prevent theft of devices that contain PHI
- Technical safeguards, such as encrypting sensitive information, access controls, and audit logging that records who touched ePHI
- Audit which individuals have access to ePHI and for what purpose
- Follow media sanitization best practices (NIST SP 800-88) when retiring storage equipment and hard drives, including physical destruction of devices that cannot be reliably wiped
- Train employees on these practices, restrict access to secure areas, and require all visitors to present credentials and sign in
Ad Campaigns & Marketing on Google
- Personalized ad policies are applied differently for targeting users in sensitive interest categories, making ongoing ad deployments difficult if content or security compliance needs are not met
- Promoting products or services requires content compliance before ads can be served, and data collected from these ads must not breach the PHI policies that apply to digital marketing
- Some sensitive keywords are prohibited from ad campaigns completely
- Even advertiser-curated audiences that have been customized, curated or uploaded manually cannot be used to target sensitive interest categories
In 1996 the Health Insurance Portability and Accountability Act (HIPAA) was passed in the USA; it limits the use, access and disclosure of PHI in the United States. Hosting patient details increases liability for organizations that are not HIPAA compliant. These details range from medical conditions, insurance claims and birthdates to identifiers such as names, addresses and device identifiers, in any data that is created, maintained, collected or stored by the organization.
PHIPA Compliance for Canadian Medical Data Collection
Collecting and processing personal data should be done for the specified purpose only, which mirrors the lawfulness, fairness and transparency principle. It is also the responsibility of all physicians and advertisers to comply with the Food and Drugs Act and the Controlled Drugs and Substances Act (CDSA). This can be particularly difficult for the cannabis industry, which is highly regulated. The goal is to prevent misleading advertising or marketing claims that erode trust in the healthcare industry: all advertisements must be evidence-based, accurate, and not misleading.
Ad Campaigns & Marketing
- Geolocation data sent to analytics must not be fine-grained: nothing that pins a visitor to an area smaller than 1 square mile, and no GPS or latitude/longitude coordinates
- This includes postal or ZIP codes that can be mapped to a specific neighbourhood or residence
- Do not send PHI in custom dimensions, and keep campaign (UTM) URL parameters out of the data you collect, since a campaign or keyword name can itself reveal a condition or treatment; this applies to:
- utm_source
- utm_medium
- utm_term
- utm_campaign
- utm_content
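The geolocation and UTM rules above are usually enforced in the tag code that builds the analytics payload. The following is an added example (not code from the original page or from any analytics vendor) that scrubs an event before it leaves the browser: it strips utm_* parameters from the page URL and custom params, removes coordinates outright, and reduces a postal code to a coarse prefix. The event shape (page_location, geo, params), the field names, and the restricted-ZIP list are assumptions for illustration.

```javascript
// Added example, not code from the original page: scrub an outbound web
// analytics event so it carries no campaign (UTM) parameters and no
// fine-grained location. The event shape (page_location, geo, params) and the
// field names are assumptions for illustration, not any vendor's real schema.

const CAMPAIGN_KEYS = ['utm_source', 'utm_medium', 'utm_term', 'utm_campaign', 'utm_content'];
const COORDINATE_KEYS = ['lat', 'lng', 'latitude', 'longitude'];

// Illustrative stand-in for the HHS Safe Harbor list of three-digit ZIP
// prefixes covering 20,000 people or fewer, which must be reported as "000".
// Replace with the current HHS list before relying on this.
const ILLUSTRATIVE_RESTRICTED_ZIP3 = new Set(['036', '059', '063']);

// Remove utm_* parameters from a page URL; keeps everything else (path,
// other query keys, fragment). Returns the cleaned URL and what was dropped.
function stripCampaignParams(urlString) {
  const url = new URL(urlString);
  const dropped = [];
  for (const key of [...url.searchParams.keys()]) {
    if (CAMPAIGN_KEYS.includes(key) || key.startsWith('utm_')) {
      url.searchParams.delete(key);
      dropped.push(key);
    }
  }
  return { url: url.toString(), dropped };
}

// Reduce a location object to coarse fields only. Coordinates are never
// kept. US ZIP codes become a 3-digit prefix (Safe Harbor), Canadian postal
// codes their forward sortation area; region (state/province) passes through.
function coarsenLocation(geo, restrictedZip3 = ILLUSTRATIVE_RESTRICTED_ZIP3) {
  const out = {};
  if (!geo) return out;
  if (typeof geo.postal_code === 'string') {
    const code = geo.postal_code.replace(/[\s-]/g, '').toUpperCase();
    if (/^\d{5}(\d{4})?$/.test(code)) {
      const zip3 = code.slice(0, 3);
      out.postal_prefix = restrictedZip3.has(zip3) ? '000' : zip3;
    } else if (/^[A-Z]\d[A-Z]\d[A-Z]\d$/.test(code)) {
      out.postal_prefix = code.slice(0, 3);
    }
    // Any other format is unrecognised and is dropped rather than guessed at.
  }
  if (typeof geo.region === 'string') out.region = geo.region;
  return out;
}

// Produce a copy of the event that is safe to send, plus an audit list of
// every field removed so the decision can be logged and reviewed.
function scrubAnalyticsEvent(event) {
  const { url, dropped } = stripCampaignParams(event.page_location);
  const params = {};
  for (const [key, value] of Object.entries(event.params || {})) {
    if (key.startsWith('utm_') || COORDINATE_KEYS.includes(key)) {
      dropped.push(`params.${key}`);
    } else {
      params[key] = value;
    }
  }
  const scrubbed = { ...event, page_location: url, params };
  delete scrubbed.geo;
  const geo = coarsenLocation(event.geo);
  if (Object.keys(geo).length > 0) scrubbed.geo = geo;
  for (const key of COORDINATE_KEYS) {
    if (event.geo && key in event.geo) dropped.push(`geo.${key}`);
  }
  return { event: scrubbed, dropped };
}

// Constructed sample event (not real traffic).
const SAMPLE_EVENT = {
  name: 'page_view',
  page_location: 'https://clinic.example/book?utm_source=google&utm_campaign=spring&slot=am',
  geo: { postal_code: '90210', region: 'CA', lat: 34.0901, lng: -118.4065 },
  params: { utm_term: 'knee', page_title: 'Book an appointment' },
};

console.log(JSON.stringify(scrubAnalyticsEvent(SAMPLE_EVENT), null, 2));
```

Run this with Node before the tag fires; the `dropped` list is worth logging server-side so an audit can show what was withheld and why. Coordinates are removed rather than rounded, because rounding to a "safe" precision is easy to get wrong against the 1 square mile threshold.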
Compliance Considerations (PHIPA)
- A Health Information Custodian must notify the Information and Privacy Commissioner of Ontario if:
- PHI was lost, stolen, or used or disclosed by an unauthorized party
- Beyond the initial breach, the PHI was further used or disclosed without authority
- The unauthorized use is part of a pattern of similar incidents
Because of the public risk and because healthcare organizations are a common target for attackers, PHIPA (Ontario's Personal Health Information Protection Act) provides a rigorous set of rules governing the hosting and transfer of sensitive data. Many of the same policies that apply under HIPAA apply here too.
It’s important to understand where the data is located, who has access to the data, and whether or not it should be investigated for possible privacy violations. When dealing with technical challenges such as HIPAA/PHIPA, there is an opportunity to adapt and meet compliance goals.
Medical Website Design Challenges
The lawfulness principle ensures that personal data processing activities are communicated to data subjects in an open and honest manner. The lawful processing of user data that involves ePHI/PHI requires an appropriate purpose for processing that must be communicated in a clear, descriptive language.
User Prompts
- Consent of the Data Subject via Popup
- Submit Request for Contact
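A consent popup only satisfies the lawfulness principle above if no processing happens before the visitor answers it, and if what they agreed to is recorded. The following is an added example (not code from the original page or from any consent-banner product) of a consent gate that queues analytics and marketing events until a decision exists, sends only events whose purpose was granted, and keeps an audit trail. The `send` transport and `now` clock are injected and are assumptions for illustration.

```javascript
// Added example, not code from the original page: a small consent gate that
// holds analytics/marketing events until the visitor has answered the consent
// prompt, sends only events whose purpose was granted, and keeps an audit
// record of each decision. `send` and `now` are injected (assumptions); no
// real analytics vendor or cookie banner library is involved.

const PURPOSES = Object.freeze(['analytics', 'marketing']);

function createConsentGate(send, now = () => new Date().toISOString()) {
  const state = {
    decision: null,     // null until the visitor answers the prompt
    granted: new Set(), // purposes the visitor accepted
    queue: [],          // events received before a decision
    dropped: 0,
    log: [],            // audit trail of decisions
  };

  function dispatch(event) {
    if (!PURPOSES.includes(event.purpose)) throw new Error(`unknown purpose: ${event.purpose}`);
    if (state.decision === null) { state.queue.push(event); return 'queued'; }
    if (state.granted.has(event.purpose)) { send(event); return 'sent'; }
    state.dropped += 1;
    return 'dropped';
  }

  // Record the visitor's answer. Unknown purposes are ignored rather than granted.
  function record(decision, purposes = []) {
    if (decision !== 'accept' && decision !== 'decline') throw new Error(`bad decision: ${decision}`);
    const granted = decision === 'accept' ? purposes.filter((p) => PURPOSES.includes(p)) : [];
    state.decision = decision;
    state.granted = new Set(granted);
    state.log.push({ decision, purposes: granted, at: now() });
    // Replay everything that was held back, now that the decision applies.
    const pending = state.queue.splice(0);
    return pending.map((e) => dispatch(e));
  }

  // Withdrawal must be as easy as consent: nothing is sent afterwards.
  function withdraw() {
    state.decision = 'decline';
    state.granted = new Set();
    state.log.push({ decision: 'withdraw', purposes: [], at: now() });
  }

  function snapshot() {
    return {
      decision: state.decision,
      granted: [...state.granted],
      queued: state.queue.length,
      dropped: state.dropped,
      log: [...state.log],
    };
  }

  return { track: dispatch, record, withdraw, snapshot };
}

// Constructed walkthrough: two events arrive before the prompt is answered,
// then the visitor accepts analytics only.
function demo() {
  const sent = [];
  const gate = createConsentGate((e) => sent.push(e.name), () => '2024-01-01T00:00:00Z');
  const before = [
    gate.track({ name: 'page_view', purpose: 'analytics' }),
    gate.track({ name: 'ad_click', purpose: 'marketing' }),
  ];
  const replay = gate.record('accept', ['analytics']);
  const after = gate.track({ name: 'ad_view', purpose: 'marketing' });
  return { before, replay, after, sent, snapshot: gate.snapshot() };
}

console.log(JSON.stringify(demo(), null, 2));
```

In production the `log` entries would be persisted alongside the visitor's session so the organization can show, per the lawfulness principle, what purpose was presented and accepted and when; the gate itself stays in memory and never sends anything until `record` is called.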
Compliance Audits & Maintenance Plans
In order to establish a standard of Internet Privacy, personal data must be processed responsibly and demonstrate compliance with EU and member state data protection laws. The policies of GDPR are essentially applied globally to any website that captures and stores information obtained by EU site visitors. Healthcare corporations in particular have a responsibility to meet HIPAA/PHIPA standards regardless of the location of the company that hosts the website.
Compliance can be boring and expensive. Looking for something a bit more comprehensive? Contact our team for affordable help.