HIPAA and how to respect the patient when marketing in healthcare

You're looking to run a full digital marketing campaign for your doctor's office to reach new potential patients. This campaign includes email marketing, PPC ads on Google, and organic and paid social media marketing.

To begin, you use their current patient list to run an email campaign asking for referrals. Next, you try a retargeting PPC campaign to convert people who’ve already visited the site. Then, you use client testimonials, photos, and stories on their organic social. Finally, you use a “look-alike” list in the paid social to find people who match their current patients.

Sound like an easy success? Unfortunately, each of these activities is breaking at least one HIPAA law for marketing in healthcare. Healthcare marketers must familiarize themselves with HIPAA regulations to avoid massive fines and prevent potential campaign shutdowns.

How HIPAA requirements impact marketing in healthcare

HIPAA violations are very costly and hurt patient privacy, yet they are easy to make accidentally. Sharing a patient testimonial on social media or using a patient's email for a campaign without permission can incur a $100 to $50,000 fine with a maximum penalty of $1,500,000 per year. That's a lot of money for what could have been a simple mistake.


That said, the cost of a violation increases depending on whether it was unintentional or proven to be willful. This is good news for those who accidentally break a rule; however, the goal should be to avoid any fine. And don’t assume you won’t be caught because you’re small. A 2016 law made it so that any business (even those with fewer than 500 patients) can be audited and investigated.

For example, this dental clinic had to pay $10,000 for social media breaches, some of which anyone could have made without realizing. Running social media campaigns, email marketing campaigns, or even PPC ads can be done without breaking HIPAA laws. But to do this, extensive thought, knowledge, and planning must go into a campaign to make it successful and law-abiding. Know the laws so you can strategize for your business with them top-of-mind. Looking for a quick guide that’s detailed to HIPAA for Professionals? HHS.gov has you covered.

5 ways to keep your healthcare marketing plan HIPAA-compliant


1. Don’t share protected health information (PHI) in campaigns

When you send an email that contains any personal information, the email should be encrypted. What’s better is to leave out anything that could be personal and have at least one other set of eyes (within your practice) review the email.

Why? Personal information is protected — even the patient’s name or birthdate. While birthday email campaigns are a marketing trend that seems like a good idea, they are best avoided in the healthcare industry.

2. Secure written permission for email collection

When you use a patient’s email address for any type of advertising, you must have express permission to use it. That means written confirmation that the patient understands their email address will be used for marketing, not just for patient portal information.

One simple way you can gain this permission for marketing in healthcare is to ask patients to sign an optional form when they come to your office for the first time. Write out why your healthcare organization wants their email address, what content the patient can expect, and how often they can expect something.

However, that takes a lot of time. Rather, you could use online software to accomplish the same thing and maintain HIPAA privacy. For example, when you use CallRail’s Form Tracking, you’ll know whether or not you can use each email address that’s been collected. Plus, the software is HIPAA-compliant and clear when asking potential patients for information.

3. Choose HIPAA-compliant marketing and analytics tools

Any tool used for social media, email marketing, content management, or customer relations must be HIPAA-compliant. In short, that means the information on their server must be encrypted and stored with an off-site backup.

Our Call Tracking and Form Tracking follow all the laws and best practices that HIPAA requires for compliance. CallRail is one of the few marketing and analytics tools built for HIPAA compliance and the healthcare industry. It’s with this mindset that we’ve worked to ensure that your patients’ experience is smooth and that the best healthcare practices are being followed.

4. Create paid advertisements without advanced targeting

Generally, HIPAA laws prohibit retargeted ads because they violate the patient’s privacy and misuse their personal information.

If you use Facebook ads, you can’t benefit from advanced audience-targeting features such as look-alike audiences. Simple ads with basic targeting parameters can and should be used. As with everything else in healthcare marketing, HIPAA compliance means you can’t share or use any personal information.

5. Share testimonials only if you have authorization

Social proof is one of the best ways to advertise. But when using testimonials, stories, and case studies on social media, there must not be anything that would give away the patient’s identity.

In addition, even if you use testimonials that contain no personal information, make sure you have the client’s express permission anyway. If you’re still having a hard time coming up with posts for your social media, here are a few examples that should help your marketing team.

Implement HIPAA-compliant healthcare marketing

Your patient’s medical care and personal information are sensitive. Follow HIPAA regulations to build your current audience's trust and show potential clients that you take care of their privacy, too. HIPAA-compliant marketing in healthcare isn't just about avoiding fines or even doing the right thing. It's also about making sure your customers can trust you.

Are you in the healthcare industry and looking for help with Call Tracking or Form Tracking? Read a case study on how an agency used CallRail to achieve HIPAA compliance and increase their client’s business by 108%.