Dec 05, 2024
Healthcare is inherently a personal topic for any individual. That personalization also extends to marketing, as healthcare companies deploy personalized marketing strategies to attract patients and generate revenue.
According to BCG, personalization in healthcare can improve customer experience by 10%, reduce administrative costs by up to 10%, and increase quality standards by up to 25%. Many healthcare companies can access the data needed to create personalized experiences, but technology and HIPAA restrictions may limit them.
In this article, we’ll explain HIPAA, how it impacts marketing, and how to build a HIPAA-compliant marketing strategy using the right marketing technology tools.
What Is HIPAA?
The Health Insurance Portability and Accountability Act of 1996, or HIPAA for short, is a US federal law enacted to prevent the disclosure of individuals’ Protected Health Information (PHI) without the patient’s consent or knowledge.
PHI is information created, used, or disclosed during the course of providing a health care service (diagnosis or treatment) that can be used to identify an individual. It can be in any medium (electronic, paper, or verbal) and includes information such as name, SSN, telephone number, DOB, addresses, biometric identifiers, medical record numbers, health care plan information, etc.
Another key part of HIPAA is the HIPAA Security Rule, which requires covered entities and their business associates to safeguard electronic PHI (ePHI). The rule is designed to uphold the confidentiality, integrity, and availability of ePHI. The types of safeguards include administrative (e.g., policies and training), physical (e.g., restricting facility or key card access), and technical (e.g., encryption, firewalls, and access controls).
Why Is HIPAA Important?
HIPAA allows patients to control who can access their data and how much can be disclosed by healthcare providers and their business associates. It aims to protect the privacy of patient health information, maintain the security of electronic health records, and simplify administrative and insurance portability.
As healthcare companies implement various degrees of personalization to appeal to their patients, they will eventually leverage PHI. However, failure to comply with HIPAA can have severe ramifications, particularly monetary ones, for healthcare providers.
For example, according to the HIPAA Journal, in 2024, Montefiore Medical Center settled for $4,750,000, Heritage Valley Health System for $950,000, and LA Care Health Plan for $1,300,000 after each was reprimanded for multiple HIPAA Security Rule failures.
Who HIPAA Applies To
The HIPAA law applies to Covered Entities (CEs: healthcare providers, health plans, and healthcare clearinghouses) and their Business Associates (persons or entities that perform a service for or on behalf of a CE and use or access PHI). When it comes to marketing, the vendors and tools that help healthcare companies do their marketing also fall under the category of business associates.
Healthcare companies need a multifaceted approach that includes comprehensive policies and procedures, training, and strategic use of technology to be HIPAA-compliant.
How HIPAA Impacts Marketing and Technology
HIPAA can affect how healthcare companies execute their marketing strategies and the technologies they select to help them.
Marketing is any form of communication about a product or service that encourages recipients to purchase or use it. It requires consent or authorization from the recipients in question.
HIPAA marketing rules vary depending on the type of marketing being done. For example, if targeting is based on basic audience demographics such as age, gender, or location, it doesn’t fall under HIPAA’s jurisdiction.
However, once healthcare companies introduce direct marketing, target patients through remarketing, or use actual patient data to filter an audience through software, they must comply with HIPAA and ensure that the technology they use is also HIPAA compliant.
And what if the technology isn’t HIPAA compliant? There are workarounds, as not every tool in the martech stack captures PHI. Healthcare companies need to be aware of how each technology will be used, what information it will capture, where and how that information will be stored, and how it will be sent. However, one way to ensure that a specific tool will be HIPAA compliant is to confirm the vendor’s willingness to sign a business associate agreement (BAA).
Understanding Business Associate Agreements
A business associate agreement (BAA) is a legal agreement between HIPAA-covered entities, such as doctors and practices, and business associates (i.e., tech tools, software vendors, etc.) that could potentially access PHI while working for a HIPAA-covered entity.
A BAA specifies each party’s responsibilities regarding PHI. By entering into a BAA, business associates become accountable for complying with HIPAA; if PHI is compromised in a data breach, they can face repercussions similar to those of covered entities. The agreement ensures the complete protection of a patient’s PHI and shows the vendor’s willingness to share the burden of protecting patient data.
Key Considerations When Creating a HIPAA-Compliant Marketing Strategy
Healthcare marketing requires a delicate balance: being strategic and fostering trust on one side, and being assertive about maintaining compliance with evolving legal, privacy, and security requirements on the other.
Healthcare providers must obtain explicit consent from patients and be completely transparent. They should clearly explain how their data will be used, the benefits, the cadence, and the communication medium and provide easy ways for patients to opt out.
Companies must introduce proper list segmentation and continuously test and review compliance campaigns. They also need to create feedback loops so patients can provide feedback and the strategy can be refined accordingly.
The HIPAA Security Rule also includes a mix of required and addressable implementation specifications, outlined in the Security Standards Matrix. However, applying every required and addressable specification may not be practical for every healthcare company. As such, marketing teams and attorneys must assess the risk an organization is willing to incur.
Selecting the Right DXP Vendors
When assessing potential business associates, particularly DXPs, there are several capabilities they should possess. These security-focused features ensure the confidentiality, integrity, and availability of the PHI shared with them. At a minimum, DXP vendors should provide user authentication, access controls, audit logs, and end-to-end encryption.
Sitecore
Several of Sitecore’s composable DXP products are HIPAA-compliant (XM Cloud, Content Hub, Customer Data Platform, and Personalize). Sitecore recently extended HIPAA requirements to their vendors and signed Business Associate Agreements (BAAs) with subcontractors handling sensitive data, ensuring shared responsibility and security across the board. They also implemented governance tools for monitoring to reinforce their compliance framework further and provide the transparency that healthcare companies need.
Adobe
Adobe provides healthcare companies with products and services that are ready to accept PHI. These HIPAA-Ready Services include additional features that allow customers, who are Covered Entities or Business Associates, and Adobe to comply with their respective HIPAA obligations.
Customers that license HIPAA-Ready Services to process PHI must have a BAA with Adobe that applies to those HIPAA-Ready Services. These HIPAA-ready products include Adobe Experience Manager (AEM) Managed Services, Adobe Experience Manager (AEM) as a Cloud Service, and Workfront.
Optimizely
Optimizely’s PaaS and SaaS CMS, as well as its Web and Feature Experimentation products, are HIPAA-enabled. These products include the required security protocols, access controls, encryption, and monitoring to protect PHI processed through the platforms. Optimizely also acts as a Business Associate when partnering with Healthcare and Life Sciences (HLS) customers.
Other Vendors
Healthcare companies should assess how each vendor approaches HIPAA compliance, starting with its willingness to sign a BAA. Other DXP vendors and tools may offer the features and functionality required to be considered HIPAA compliant without being willing to sign a BAA.
While these products can still be used, healthcare companies must perform additional due diligence with their legal, IT, and marketing teams to understand the extent of their liability in the event of a data breach.
Get The Best Support For Your Healthcare Organization DXP Needs
HIPAA places additional requirements on healthcare organizations that want to provide patients with the best care and engaging digital experiences. Selecting a HIPAA-ready solution can go a long way toward ensuring that healthcare companies have the right tools to safeguard PHI and deliver personalized, secure experiences.
Oshyn is a digital experience implementation agency and a Sitecore, Adobe, and Optimizely partner. We provide the services, technology, and platforms to help healthcare companies maximize their digital solutions. Contact us to see how we can support your healthcare company.