As a healthcare marketer, you have a high standard to live up to. On the ethical side, a medical practice must be better than Madison Avenue in how they present themselves to the public. On the legal side, there are binding requirements on patient privacy that must be met.
While any discussion of medical marketing compliance could be a book unto itself, the key concepts to watch are protected health information (PHI) and data protection.
The need to protect PHI stems from HIPAA requirements, the Health Insurance Portability and Accountability Act of 1996, whose Privacy Rule and Security Rule govern how patient information may be used, disclosed and safeguarded. From a marketing perspective, there are tactics that would be perfectly sensible in another industry but can cause real problems in healthcare.
For example, say you put together a nice brochure or a page on the website with a lot of photos from the office. Make sure nothing in the frame shows PHI: a computer monitor, a sign-in sheet, a whiteboard, a paper chart on the counter. Even if it is small and off in the background, anyone with the full-resolution image can crop and enlarge it and read the information. Review each photo at full size before it is published, and apply the same check to photos posted on social media.
Speaking of social media, be careful how you talk about any success the office has had in treating particular diseases. Getting too specific can give away a patient's identity, especially in a smaller community, and under HIPAA a patient's story may only be used for marketing with that patient's written authorization; a "de-identified" anecdote must have all identifying details removed, not just the name.
Good data, such as specific demographic information about your prospects, is vital to the success of any marketing campaign. In the medical field, you have to be certain the vendors you acquire data from handle it in a HIPAA-compliant way themselves. Keep in mind that there is no official HIPAA certification, so a vendor's claim of compliance should be backed by documentation you can actually review.
Even if a vendor checks out, you still need to know how the data was collected. Did it come through a third party? What privacy policy governed that collection? And at the original point of collection, did the consumers know how their data would be used? You are responsible for knowing the terms under which the data was originally gathered, even if you were not the one doing the gathering.
The General Data Protection Regulation (GDPR) was adopted in the European Union in 2016 and has applied since May 2018. It is not US law, but it does reach any organization that handles the personal data of people in the EU, and in any case it is a good guide to follow if you want to be scrupulous about how you protect sensitive data.
That starts with security. A recent study put the average cost of a security breach at over $3.6 million. The same study reported that consumers are more worried about their personal data than about their primary source of income.
Your office needs a formal data security policy, named individuals responsible for privacy and security (HIPAA already requires a designated privacy officer and security officer), and internal rules that keep patient and prospect data on a need-to-know basis. Privacy and data security are big deals and only becoming more important to consumers, and patients hold their doctor to a higher standard than anyone else.