The healthcare industry is heavily regulated when it comes to digital marketing in the USA and Canada. To protect the sensitive private data of individuals, specific restrictions and procedures define standardized best practices for websites and applications. Any medical or healthcare website must consider the collection of Protected Health Information (PHI): what may be collected, for what purpose, and how the systems that store and process it are secured. In the context of search marketing, the most practical purpose of PHI rules is to protect the privacy of users while also preventing private healthcare organizations from selling personal data to third-party software companies for profit.
Personal Health Information (PHI)
The term PHI is used interchangeably for Protected Health Information and Personal Health Information; both refer to the data privacy obligations that must be designed into the acquisition process. Having a secure environment in which to test for compliance before deploying digital assets in the medical or hospital space is one way to avoid breaching HIPAA/PHIPA requirements. To successfully leverage digital marketing tools for the benefit of medical practices, your digital marketing agency or representative should be able to demonstrate a solid understanding of HIPAA and PHIPA compliance.
HIPAA Compliance for USA/American Data Collection
The Health Insurance Portability and Accountability Act (HIPAA) regulates the use of data for advertising and marketing purposes within the medical industry. It includes a variety of provisions to keep confidential patient data safe, including security requirements for storage and encryption, as well as limits on how long data may be kept depending on the purpose it is used for. Anything that falls under Protected Health Information (PHI) is affected by these policies. In America, the regulation of PHI spans several agencies, including the Department of Agriculture, the Food and Drug Administration (FDA) and the Federal Trade Commission (FTC). This means that within sensitive industries such as healthcare or medical clinics, every acquisition effort in search marketing must be HIPAA/PHIPA compliant.
Privacy Collection Considerations
- Given the public risk and the fact that healthcare is a common target for attackers, the technical and security requirements of HIPAA are often expensive but necessary costs of data stewardship
- Administrative teams should have a clear data breach response plan that addresses notification of the impacted individuals and works with IT to remediate any compromised systems
- Once medical information is collected, PHI may only be used for the purposes specified in the terms of service. Consider keeping encrypted backups of this data with a third-party provider in case of a physical emergency
- Require employees to follow password policies that enforce regular password updates to reduce the risk of a breach
- Include two-factor authentication or other security controls to protect against suspicious activity
- The physical requirements for privacy protection are the most challenging; the safeguards fall into three groups:
  - Administrative requirements, such as documenting who has access to which data
  - Physical requirements, such as security features that prevent theft of devices containing sensitive data or PHI
  - Technical requirements, such as encrypting sensitive information, enforcing password policies that rotate credentials on a quarterly basis, and other security controls put in place to prevent data breaches
Compliance Considerations (HIPAA)
- Evaluate the current purposes for which the data is used and the individuals who have access to it, and how they are using it
- When disposing of physical equipment, follow best practices for securely wiping hard drives, including physical destruction of all storage devices
- Develop a plan to train employees on best practices, restrict access to secure areas, and require all visitors to provide credentials and sign in
PHI Data in Ad Campaigns & Marketing on Google
- Personalized ad policies apply differently when targeting users in sensitive interest categories, which makes ongoing ad deployments difficult if content or security compliance needs are not met
- Promoting products or services requires content compliance before ads can be served; data collected through these ads must not breach the PHI policies for digital marketing
- Some sensitive keywords are prohibited from ad campaigns entirely
- Even advertiser-curated audiences that have been customized or uploaded manually cannot be used to target sensitive interest categories
It is important to understand where PHI data is located, who has access to it, and whether it should be reviewed for HIPAA violations before they happen. When organizations start asking the right questions of the teams managing the data, stakeholders gain an understanding of the security implications, including the specific reasoning behind each data collection and storage policy. The technical challenges surrounding PHI and ePHI are also an opportunity for companies to adapt and meet their compliance goals.
PHI Compliance Audits & Maintenance Plans
To establish a standard of internet privacy, personal data must be processed responsibly and in demonstrable compliance with EU and member state data protection laws. The policies of the GDPR apply, in effect, globally to any website that captures and stores information obtained from EU site visitors. Big brands and corporations are accountable for meeting these privacy standards whether their sites are hosted in the United States, Mexico or Australia, and regardless of where the company operating the website is located.
Looking for something a bit more comprehensive? Contact our team for affordable help.