Medical Marketing and HIPAA – Market In Compliance With ChartLocal

Marketing In Compliance

Like most businesses today, healthcare providers and medical practitioners market themselves to potential new customers and patients. Digital marketing provides a cost-effective option for reaching the greatest number of potential patients. Data is key to the effectiveness of that marketing. With digital marketing, the reporting and analytics you can gather provide key insights into which of your channels are providing the highest-quality leads and eventual new patients. However, maintaining the privacy and security of protected health information can introduce challenges to maintaining compliance with the regulations set forth by HIPAA.

HIPAA, otherwise known as the Health Insurance Portability and Accountability Act, requires that a patient's health information be protected from disclosure and misuse. In 2009, the act was expanded by the Health Information Technology for Economic and Clinical Health Act (HITECH) to cover all business associates and vendors with access to health information. This includes marketing data, operations, and call tracking providers. In other words, it covers your advertising agencies and other marketing firms that could somehow come in contact with your patient data.

This new wrinkle put a lot of digital agencies at risk for violating one or both of the rules of HIPAA, either the Privacy Rule or the Security Rule. This is not the case at ChartLocal Digital Agency. Medical practitioners can feel secure in knowing that working with ChartLocal not only ensures their patient data is secure, but also that the provider is compliant.

The Rules

The Privacy Rule dictates what is considered Protected Health Information (PHI), and who may use and access this information. The Security Rule describes how this information is protected, including operational safeguards and technical measures.

According to the Privacy Rule, use of marketing data such as call tracking falls under the administrative operations usage of PHI. It is acceptable for this PHI to be shared with ChartLocal, but only when a Business Associate Agreement (BAA) is in place. BAAs contractually ensure that the rights of individual patients are protected according to the heightened standards HIPAA affords such sensitive personal information. When ChartLocal is managing the digital marketing for a healthcare provider, we always present the provider with a BAA.

The Security Rule requires ChartLocal to have operational safeguards in place to prevent unauthorized disclosure of PHI. ChartLocal has these measures in place, but the BAA is still legally required to guarantee these measures to the healthcare provider for proper compliance with HIPAA regulations. In addition, the Security Rule requires additional technical safeguards, which are enabled for ChartLocal's HIPAA customers.

In lay terms, this means that ChartLocal never sees your patients' data. It is encrypted via SSL both while in transit and at rest. Even recorded audio is encrypted, and it is decrypted only when needed for playback and, even then, registered to an authorized user. These precautions protect the data even if hard drives fail, are decommissioned, or are stolen.

ChartLocal also prevents transmission of sensitive data to external systems by providing a link that requires the user to log in with a password to review the information.

All this means that as it relates to HIPAA and HITECH, you are in good hands with ChartLocal. For a demonstration or further information, call 888-826-8020 or email Sales@ChartLocal.com.