
The Smart Manufacturer’s Guide to Data Privacy in Healthcare Marketing

July 7, 2021 By John Pritchard

The data security regulatory environment is changing at breakneck speed, and that, in turn, affects how you should approach privacy in healthcare marketing.  

If you fail to adhere to the industry’s privacy rules, you risk more than hurting your bottom line – you may be in for hefty fines, protracted lawsuits, and a considerable drop in customer trust. 

With this in mind, let’s take a look at the three most important sets of privacy rules you should be aware of as a healthcare product manufacturer. 

However, as you read through this article, don’t forget that this is just a very general overview. To ensure you’re up to speed with all applicable regulations, consider doing more in-depth research and consulting with a legal professional. 

Key Takeaways

  • The Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) are three key sets of rules you should be aware of.
  • Current privacy regulations may affect how you approach your database management, lead generation, and marketing campaign measurement.
  • Getting expert help is paramount if you want to build a marketing strategy that is both successful and compliant with all applicable privacy rules.

Data Privacy in Healthcare Marketing: 3 Critical Sets of Rules You Must Be Aware Of

How good are you with acronyms? Does HIPAA, GDPR, or CCPA ring a bell – or are you confused already?

1. Health Insurance Portability and Accountability Act (HIPAA)

The federal Health Insurance Portability and Accountability Act of 1998 seeks to prevent the disclosure of patient health information without the person’s consent. 

To implement HIPAA requirements, the Department of Health and Human Services (HHS) issued two further rules – the HIPAA Privacy Rule and the HIPAA Security Rule, which protects a subcategory of the information covered by the Privacy Rule.

The Privacy Rule

The Privacy Rule restricts the use and disclosure of protected health information (PHI) by the so-called covered entities. These include:

  • Healthcare providers
  • Health plans
  • Healthcare clearinghouses
  • Business associates 

As a healthcare product manufacturer, you fall under the category of business associates. These are people and organizations that use or disclose individually identifiable health information to provide services, functions, or activities for a covered entity, such as:

  • Billing
  • Data analysis
  • Utilization review
  • Claims processing

As a covered entity, you may only use and disclose protected information without the individual’s consent for the following purposes:

  • Disclosure to the individual 
  • Opportunity to object or agree to the disclosure
  • Payment, treatment, and healthcare operations
  • Incident to a permitted use and disclosure
  • Activities in the public interest 
  • Building a limited dataset for public health, research, or healthcare operations

The Security Rule

This rule affords additional protection to some of the information covered by the Privacy Rule, namely electronic protected health information (e-PHI). That extends to all individually identifiable health information that covered entities receive, transmit, maintain, or create electronically.

2. General Data Protection Regulation (GDPR)

The General Data Protection Regulation is a European law that entered into force on May 25, 2018. This is one of the most sweeping privacy laws globally. Its goal is to improve the privacy rights of EU citizens and give them more control over the information about them online, including personal health data.

So far, so good – but here’s where things get tricky: the GDPR has an extraterritorial reach and protects EU citizens this side of the pond, too. More precisely, the regulation covers any data gathered on EU residents anywhere in the world.

Among other things, this means you have an obligation to inform the relevant authorities about personal data breaches that pose a risk to EU citizens. If the risk is high, you have to notify the concerned individuals as well. 

Like HIPAA, the GDPR covers the entire life cycle of personal information, from collection and processing to storage and disposal.

3. California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act came into effect on June 28, 2018 – barely one month after the GDPR. And very much like the GDPR, the CCPA imposes stringent consumer protections, which make it arguably the strictest and most wide-ranging data privacy law in the U.S. 

Even though the CCPA is a California state law, it imposes requirements on all entities that gather Californians’ healthcare data anywhere in the U.S. The obligations to consumers come hand in hand with strong enforcement for non-compliance, including a private right of action for certain data breaches.

Before you start panicking, here’s some good news: if you’re already compliant with HIPAA, you may be exempt from the CCPA’s right-to-forget clauses. However, note that this only applies to protected health information. Any other personally identifiable information, such as billing records, will have to be “forgotten.” 

How Do These Privacy Rules Affect Your Marketing Strategy?

HIPAA, GDPR, and CCPA have wide-ranging repercussions for your healthcare marketing strategy. Here are some ways in which these regulations may affect your business:

Database Management

Your database should be fit for audit at all times. All records and personally identifiable information should be accurate, complete, well organized, and well managed. Keep in mind that you ought to be ready for both routine and surprise auditing.

Lead Generation

If you plan to pursue lead generation using inbound marketing post-CCPA and GDPR, make sure to put consumer consent at the core of everything you do. This includes:

  • Using easy-to-understand language 
  • Clearly explaining what data you’re collecting and why
  • Providing a call to action or checkbox to enable users to give their informed consent
  • Avoiding automatic opt-ins and pre-checked boxes

Marketing Campaign Measurement

The right to be forgotten may make it more challenging to measure your marketing campaigns, as you won’t be able to see the customers’ identities and how your ads are performing.

To make up for all that, consider the following:

  • Using automation to fill in information gaps 
  • Leveraging more personalized content to collect data with consent
  • Creating incentives and loyalty programs

Data Privacy in Healthcare Marketing: Final Thoughts 

If what you just read feels overwhelming, it’s because it is. Data privacy laws are complex and constantly evolving to keep up with the evolution of modern technology.    

Unfortunately, that makes it incredibly hard to build a marketing strategy that is both effective and fully compliant with the applicable rules and regulations. There’s just so much to keep in mind – which is why it might be a good idea to get yourself some expert help. 

Contact us today to learn more!


4 HIPAA Regulations You Should Be Careful Not to Violate

March 15, 2021 By John Pritchard

2020 was a busy year for the Department of Health and Human Services’ Office for Civil Rights (OCR). In addition to dealing with a pandemic, it resolved 19 HIPAA violation cases. More than $13 million in fines was paid, more than was settled in previous years, now that OCR can enforce penalties for HIPAA violations.

As a manufacturer of healthcare products, you need to ensure that the medical devices you sell comply with HIPAA regulations. If you are unaware you are in violation of HIPAA and there is a breach of patient data, you can still receive a fine. 

Knowing the commonly violated HIPAA regulations is the first step in ensuring your healthcare products are up to code. 

What are the Most Commonly Violated HIPAA Regulations? 

It can be difficult to stay current on all the HIPAA regulation changes and common violations. Here are the often-violated HIPAA regulations you should concern yourself with as a manufacturer: 

1. Securing Patient Records 

When protected patient health information is stored on an electronic device, it must be encrypted and safeguarded. While encryption isn’t a mandatory regulation, it is an effective way to prevent data breaches.  

In 2017, the Children’s Medical Center of Dallas had to pay a penalty of $3.2 million to address several HIPAA violations that spanned several years. An unencrypted BlackBerry device used by the facility that contained almost 4,000 patient records was lost at the Dallas/Fort Worth International Airport in 2009. Additionally, in 2013, an unencrypted laptop that had over 2,400 patient records was stolen from the hospital.

The hospital knew the importance of encrypting patient information after what happened in 2009, yet it continued to distribute unencrypted devices to its staff. The hospital’s failure to act, and to document why its devices weren’t encrypted, resulted in hefty fines.

If you don’t encrypt patient records, you will need to use another security method. Having antivirus software on medical devices and continually updating it will help protect against data breaches. Firewalls add another layer of protection, as do strong passwords that you change often. You can also use more advanced privacy tools, such as fingerprint authentication, for critical data.
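The lost BlackBerry and laptop above became reportable breaches because the records on them were readable by whoever found the hardware. As an added example, not code from the article or from Share Moving Media, the following Go program shows what "encrypted and safeguarded" means in practice: a record is sealed with authenticated encryption (AES-256-GCM from Go’s standard library) before it is written to a device, and any attempt to read it with the wrong key, from a different device, or after altering the stored bytes fails closed. The record fields, the device identifier and the in-memory key are assumptions for the demonstration; in a deployment the key is held by a key manager or hardware-backed store, never on the device beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// PatientRecord is a constructed example of individually identifiable health
// information of the kind stored on the lost devices described above.
type PatientRecord struct {
	MRN       string `json:"mrn"`
	Name      string `json:"name"`
	Diagnosis string `json:"diagnosis"`
}

// newKey returns a random 256-bit AES key. Assumption for this example: the
// key is generated in memory; in production it lives in a key manager or
// hardware-backed store, never on the device that holds the ciphertext.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM wraps an AES key in the GCM authenticated-encryption mode.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one record and returns nonce || ciphertext || tag,
// which can be written to disk as-is. deviceID is bound as associated data,
// so a blob copied to another device will not decrypt even with the right key.
func sealRecord(key []byte, deviceID string, rec PatientRecord) ([]byte, error) {
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(deviceID)), nil
}

// openRecord reverses sealRecord. Any change to the blob, the key or the
// device binding makes the authentication tag check fail and returns an error,
// so a corrupted or tampered record is never returned as if it were valid.
func openRecord(key []byte, deviceID string, blob []byte) (PatientRecord, error) {
	var rec PatientRecord
	gcm, err := newGCM(key)
	if err != nil {
		return rec, err
	}
	if len(blob) < gcm.NonceSize() {
		return rec, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ct, []byte(deviceID))
	if err != nil {
		return rec, fmt.Errorf("record cannot be decrypted: %w", err)
	}
	if err := json.Unmarshal(plaintext, &rec); err != nil {
		return rec, err
	}
	return rec, nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	rec := PatientRecord{MRN: "MRN-000123", Name: "Test Patient", Diagnosis: "constructed sample"}
	blob, err := sealRecord(key, "laptop-42", rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d encrypted bytes; the plaintext never touches disk\n", len(blob))
	if _, err := openRecord(key, "laptop-99", blob); err != nil {
		fmt.Println("read from another device:", err)
	}
}
```

The property that matters for the penalty discussion above is that a lost device yields only opaque bytes and the key is not recoverable from it. Encryption of this kind does not replace the access controls and risk analysis the later sections call for; it limits what an unauthorized holder of the hardware can learn.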

2. Performing a Risk Analysis

If a company doesn’t perform a risk analysis routinely, it cannot determine where its vulnerabilities are. Those risks then go unaddressed, and hackers are able to access private patient information. 

In 2020, Premera Blue Cross had to pay $6.85 million in fines for a data breach that affected 10.4 million people. The breach occurred in 2014, when a hacking group had access to Premera’s patient information system for over nine months. The hackers installed malware through a phishing email and gained access to Social Security numbers, bank information, and addresses. The investigation found that Premera had not conducted a routine risk analysis to find and reduce potential risks and halt unauthorized access to patient records. As a result, Premera also had to carry out a corrective action plan for the areas where it was noncompliant. 

Conducting a regular risk analysis and taking the proper steps to address any risks will help you avoid receiving this HIPAA violation. Some necessary steps are:

  • Figuring out what patient information your organization has access to and how it is stored and transmitted.
  • Looking at what security programs you currently have in place and whether they are adequate for protecting patient information.
  • Evaluating where your company has vulnerabilities and the probability of a hacker accessing your patient systems.
  • Determining your risk level from how vulnerable you are and how likely you are to be hacked.
  • Documenting everything along the way, including how you will work to lower your risk.
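The five steps above end in a written record, and the Premera finding turned on whether such a record existed. As an added example that is not from the article, the following Go program carries the steps through for a constructed inventory of three PHI assets: it notes where each asset stores and transmits patient information, compares the safeguards it lists against a baseline checklist, scores likelihood and impact on a 1 to 5 scale, and emits the prioritized register as JSON for the file. The asset names, the baseline checklist, the scale and the level thresholds are assumptions chosen for the demonstration, not values defined by HHS.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// PHIAsset is one system, device or vendor through which the organization
// stores or transmits patient information (the inventory step).
type PHIAsset struct {
	Name            string
	Storage         string   // where PHI rests
	Transmission    string   // how PHI moves
	Controls        []string // safeguards in place today
	Vulnerabilities []string // weaknesses found during the review
	Likelihood      int      // 1 (rare) .. 5 (almost certain)
	Impact          int      // 1 (negligible) .. 5 (severe)
	Remediation     string   // how the risk will be lowered
}

// RiskEntry is the documented result for one asset, ready for the register.
type RiskEntry struct {
	Asset             string   `json:"asset"`
	Score             int      `json:"score"`
	Level             string   `json:"level"`
	MissingSafeguards []string `json:"missing_safeguards"`
	Vulnerabilities   []string `json:"vulnerabilities"`
	Remediation       string   `json:"remediation"`
}

// baselineSafeguards is a constructed checklist for this example; a real
// assessment derives it from the organization's own policies.
var baselineSafeguards = []string{"encryption at rest", "access control", "audit logging", "malware protection"}

// riskLevel maps a likelihood x impact product (1..25) to a qualitative
// level; the thresholds are an assumption for the example.
func riskLevel(score int) string {
	if score >= 15 {
		return "High"
	}
	if score >= 8 {
		return "Medium"
	}
	return "Low"
}

// missingSafeguards lists the baseline controls the asset does not have.
func missingSafeguards(a PHIAsset) []string {
	have := map[string]bool{}
	for _, c := range a.Controls {
		have[c] = true
	}
	var missing []string
	for _, s := range baselineSafeguards {
		if !have[s] {
			missing = append(missing, s)
		}
	}
	return missing
}

// assess scores every asset, flags control gaps, and returns the register
// ordered highest risk first so remediation can be prioritized.
func assess(assets []PHIAsset) ([]RiskEntry, error) {
	var register []RiskEntry
	for _, a := range assets {
		if a.Likelihood < 1 || a.Likelihood > 5 || a.Impact < 1 || a.Impact > 5 {
			return nil, fmt.Errorf("%s: likelihood and impact must be 1..5", a.Name)
		}
		score := a.Likelihood * a.Impact
		register = append(register, RiskEntry{
			Asset: a.Name, Score: score, Level: riskLevel(score),
			MissingSafeguards: missingSafeguards(a),
			Vulnerabilities:   a.Vulnerabilities,
			Remediation:       a.Remediation,
		})
	}
	sort.SliceStable(register, func(i, j int) bool { return register[i].Score > register[j].Score })
	return register, nil
}

// sampleInventory is constructed data for the example, not a real organization.
func sampleInventory() []PHIAsset {
	return []PHIAsset{
		{Name: "field-service laptops", Storage: "local disk", Transmission: "VPN",
			Controls:        []string{"access control", "malware protection"},
			Vulnerabilities: []string{"disk not encrypted; device loss exposes records"},
			Likelihood:      4, Impact: 5, Remediation: "enable full-disk encryption, escrow keys centrally"},
		{Name: "claims portal", Storage: "managed database", Transmission: "TLS",
			Controls:   []string{"encryption at rest", "access control", "audit logging", "malware protection"},
			Likelihood: 2, Impact: 3, Remediation: "keep quarterly review"},
		{Name: "X-ray digitization vendor", Storage: "vendor systems", Transmission: "SFTP",
			Controls:        []string{"encryption at rest", "access control"},
			Vulnerabilities: []string{"no signed business associate agreement on file"},
			Likelihood:      3, Impact: 3, Remediation: "execute BAA before next transfer"},
	}
}

func main() {
	register, _ := assess(sampleInventory()) // sample data is known to be in range
	out, _ := json.MarshalIndent(register, "", "  ")
	fmt.Println(string(out)) // the written record an auditor asks for
}
```

The output is the artifact the fifth step asks for: each asset appears with its score, the baseline controls it lacks, the weaknesses found, and the planned fix, ordered so the unencrypted laptops come first. Re-running the program against an updated inventory on a schedule is what turns a one-off review into the routine analysis the Premera settlement found missing.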

3. Having Adequate Patient Information Access Controls 

HIPAA requires that organizations limit access to patient records to authorized individuals. Not implementing proper controls is a common HIPAA violation and has severe financial consequences. 

In 2018, Anthem had to pay $16 million in fines, the highest HIPAA penalty ever issued. Anthem failed to implement technical policies and procedures for its electronic health record (EHR) systems, allowing unauthorized individuals to access the information. It also did not perform a routine risk analysis to identify and address security weaknesses before the breach. The breach gave hackers access to the data of 78.8 million people.

4. Having a Business Associate Agreement 

As a medical device manufacturer, you’re classified as a business associate. You will need an up-to-date HIPAA business associate agreement with any vendor you work with that is provided with, or given access to, patient information. 

Raleigh Orthopaedic Clinic, P.A. of North Carolina had to pay $750,000 in 2016 for not entering into a business associate agreement with a vendor before sending it patient information. The clinic sent the vendor X-ray images to be converted into digital files. The two parties came to an agreement over the phone, but nothing was put in writing, and the arrangement wasn’t HIPAA-compliant. In addition to the fine, Raleigh Orthopaedic had to enact a corrective action plan. 

HIPAA Violation Penalty Tiers

There are different tiers to HIPAA violation penalties that you should keep in mind. The higher the tier goes, the higher the fine:

  • First Tier: The organization didn’t know or couldn’t have known about the breach. 
  • Second Tier: The organization knew or could have known about the breach but didn’t act with neglect.
  • Third Tier: The organization acted with willful neglect but corrected the issue within 30 days.
  • Fourth Tier: The organization acted with willful neglect and did not correct the issue promptly.

Take Precautions to Avoid HIPAA Violations Today 

Following HIPAA regulations is essential as a manufacturer of medical devices. Failing to comply has catastrophic results, from million-dollar fines to employment termination and prison sentences. Communicate often with your quality assurance, regulatory affairs, and development teams to make sure the proper protocol is being followed for dealing with patient information. With everything being digitized these days, it’s vital to protect patient information and your company from any violations.  

Share Moving Media is all about providing consistent healthcare tips, advice, and research. Subscribe to our weekly The Marketing Minute newsletter. 

