The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress and signed into law by the Clinton administration in 1996. It requires that any company dealing with sensitive personal healthcare information – whether that’s related to treatment, payment or operations – and any subcontractor or related business associate in the healthcare sector comply with security protocols put in place to keep that data safe.
And these days, with paper records having passed into history, there’s so much more to it than just keeping records in a locked room. With stiff punishments for negligence, if you’re in healthcare, HIPAA compliance is something you literally can’t afford to take lightly.
Why do these rules exist?
There were several reasons behind the HIPAA legislation. An important aim was to modernise the flow of healthcare information, while at the same time protecting people’s personally identifiable information (PII) from being stolen or used to commit fraud. It also aimed to address some of the limitations in healthcare insurance, like portability or pre-existing condition coverage.
If you create, receive, transmit or maintain healthcare data, you’re obligated to:
- Ensure its confidentiality, integrity and availability
- Detect any threats to it and safeguard it against them
- Protect it against illegal use or access
- Certify the compliance of everybody with access to it
What sort of data are we talking about?
The range of what’s protected is pretty broad. Names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos are all included – basically anything that could be used to identify a person individually. But it doesn’t end there; billing information, medical records and even records of conversations between medical professionals and patients are also included.
There are some exceptions where data can be shared without permission, but they’re very specific. They include legal proceedings and post-mortem organ donation. But frankly, if you don’t know the law, and your own obligations, you could find yourself in real trouble. Get it wrong, and the punishment depends on the degree of negligence.
Four defined tiers of non-compliance mean the fines range from $1,000 to $1.5 million for breaches you couldn’t reasonably have known about, up to a minimum of $50,000 plus possible criminal charges for wilful neglect. In short, HIPAA compliance matters.
So what kind of data can I use?
In short, very little. You shouldn’t even send marketing emails, for example, that relate to your customers’ personal health information (PHI) without their written permission, as even encrypted emails can be intercepted. And if you’re considering using an anonymised but real case as a case study for marketing purposes, think again – the risk of somebody who knows that person identifying them leaves you liable.
For the same reason, stock photography is preferable to photos of your actual practice or office, too. You may accidentally reveal information or identities in an image so it’s better to take no chances. And if your marketing is gathering any data from response forms, make sure the platform it’s gathered from is encrypted. Don’t use social media platforms to gather this sort of data; they’re just not secure enough.
If you’re producing creative content for the healthcare sector, you want to know that your production partners take security as seriously as you do: partners who can build encrypted websites or apps, and work collaboratively with your organisation to produce multi-channel campaigns quickly and cost-effectively.
Security as standard
While we may not be handling your PHI or PII data, we take the security of your work extremely seriously and apply the very highest standards of data security. We realise that in healthcare in particular you can’t afford to take chances with this.
So if you’re working with sensitive, confidential or embargoed information, or simply need to keep your new product or campaign to yourselves, you can rest assured that nobody unauthorised will see or hear about it. That goes not just for any marketing data you may have passed on to us, but your work itself.
Our Smartshoring® model is designed to make scaling quick and easy, save time, lower costs and secure your content production. If you need content production or management, web and app development or corporate communications, and you need to know it will be produced in a strictly secure operational model, talk to us.