5 Tips for HIPAA Compliant Addiction Treatment Marketing


It’s easy to get hysterical about the Health Insurance Portability and Accountability Act (“HIPAA,” to friends).

HIPAA fines are insane and nobody wants to go to jail over a bureaucratic slip-up. The rules aren’t clearly stated and they change from time to time. No one wants their business run into the ground over an obscure technicality.

We all agree with what HIPAA is trying to do: protect the identity of patients. Protected Health Information (PHI) like your patients' names, email addresses, health conditions, home addresses, and test results should be 100% private.

In the days before the internet, the solution was simple—lock up the info and call it good. Now every server, cloud, email, chat window, form, database, and Facebook post is a potential HIPAA violation waiting to happen.

While medical providers generally have HIPAA on lock-down in their clinical practice, marketing—especially digital marketing—can open up a whole world of PHI problems. My clients are usually experts in HIPAA for clinical settings but not so sure about HIPAA in a marketing context.

The unknown can be scary. Some providers freak out and avoid digital marketing altogether. Others decide that HIPAA compliance is “no big deal” and take risky action to promote their business online despite the regulations.

Who’s right?

The truth is somewhere in between. Digital marketing for addiction treatment can be very safe if you know how HIPAA works. But you’ve got to know what you’re doing. Ignore HIPAA, or work with a marketer who doesn’t understand HIPAA, at your own risk.

Obligatory CYA Disclaimer: Folks, I’m a copywriter, not a lawyer. This is not legal advice. If you’re not sure about something, run it by a lawyer.

With that out of the way, here are my top 5 recommendations for minding HIPAA laws while running a successful digital marketing campaign:

1 - Track Leads Securely

Tracking leads, patients, and alumni is vital to campaign management. Marketers need to know how leads are interacting with your center’s website and if they’re opening the emails you send. We need to know what content leads read and when. We need to know who’s due for a call-back and who doesn’t want to be contacted again.

Having all of this information in one place helps you plan and fine-tune marketing campaigns to be as impactful as possible.

CRMs (customer relationship managers) are slick databases designed for this purpose. You probably already have one, and if you don't, get one ASAP. There are many CRMs out there to choose from, but for addiction treatment marketing it is important that we only use HIPAA-compliant CRM developers.

One hallmark of a HIPAA-compliant CRM is the vendor’s willingness to sign a BAA, or Business Associate Agreement. A good BAA essentially states that if hackers break into the super-secure CRM and steal PHI, the CRM company will be held liable for the breach, not you. When CRM developers sign a BAA, they’re saying that they think their software is so secure that they’re willing to bet big money that it’s 100% safe.

A BAA doesn’t mean there’s zero risk to you, but it’s pretty reassuring.

Big-name, commonly used HIPAA-compliant CRMs for health care include Zoho, Salesforce, and SugarCRM. Salesforce is the biggest.

2 - Don’t Send Emails Willy-Nilly

For every $1 spent on email marketing, the average return is $44.

People open and click through marketing emails when they're done right. I really can’t recommend good, targeted, inbound email marketing enough.

With phone calls, we only have one chance to convert a lead. With email marketing, we have an infinite number of chances. You do the math. Email marketing is too valuable a tool to leave out of your marketing strategy.

What’s the catch?

Like all marketing power tools, email marketing has a few HIPAA compliance pitfalls:

Email Pitfall #1 - You have to be sure that you're using a HIPAA-compliant email service provider (ESP).

HIPAA requires all emails to be encrypted, so a good ESP will do this for you automatically. Sure, you can manually encrypt emails through an ESP like Outlook, but that’s going to be pretty clunky. A HIPAA-compliant ESP like Spotlight Mailer or Clinical Contact will be a lot more elegant.

Email Pitfall #2 - HIPAA (and good manners) dictates that folks need to know when they are signing up for email marketing.

That means that you need to include an opt-in message that alerts leads that they are about to get some juicy marketing emails from you. It’s nice to include information about the frequency of these emails, just so that they know what to expect.

A simple message like: “Sign me up for the monthly newsletter” or “Yes, I’d like to get bi-weekly emails from XYZ center” works.

At the bottom of your emails, you’ll write a similar message: “You’re receiving this message because you opted to receive marketing emails from XYZ center.” You’ll also provide a link that makes it easy for the email recipient to unsubscribe from the email list any time they want.

Leads are happy; HIPAA is happy.

Email Pitfall #3 - Don’t include any PHI in your emails.

It will be tempting to personalize your emails based on specific details you may have gathered about your lead in the sign-up process.

Name, email address, possible conditions, age, etc. are all protected. Don’t put anything like that in your emails unless you like flirting with HIPAA doomsday scenarios.

Phew. That was a lot of information about HIPAA compliant email marketing. Next up: social media.

3 - Be Cautious About Social Media

Newsflash: yes, you can be on Facebook, Twitter, and Instagram without blowing your HIPAA compliance.

The trick?

Just don’t “out” anybody as a potential, current, or former patient. That’s it.

This means:

  • No photos containing patients or patients’ info (remember to check the background on photos of staff and facilities!)

  • No responses to alumni comments (your response may be construed as an affirmation of the poster's status as an alumnus, and that’s a no-no)

  • No stories or photos of patients without written permission

  • No personal or public messages to potential, current, or former patients on social media

You can still post news, photos, articles, and other information about your center. You can post client success stories and photos of alumni gatherings with written permission. Patients and alumni can comment but you can’t respond to those individual comments—no big deal.

I recommend developing a social media rulebook that lays out what your organization will and will not post and how it will respond in various social media situations. Train a few folks to handle all social media posting with this rulebook and don’t let untrained individuals anywhere near the Facebook password.

Review what’s been posted periodically to make sure everything looks good. Simple.

4 - Get Written Permission for Testimonials

Testimonials and social proof are huge drivers of conversion in successful marketing campaigns. You’re going to want testimonials on your site.

By now, it shouldn’t come as a surprise that you need a written agreement from anyone providing a testimonial before you can include their review, their likeness, or their name on your site. It’s rare that addiction treatment centers screw this up, but it’s worth saying.

Neglecting to do this could put you in major trouble with the federal government, so make sure that all your testimonials have corresponding documentation proving that the person giving the testimonial is OK with their information being out there.

5 - Just Say No To Patient Brokering

Can we all agree that patient brokering is the worst?

Not only is it illegal, but it’s also just plain morally wrong. As a former Drug and Alcohol Counselor, I’m personally offended that we even need to tell people to stop doing this. Patient brokering should never have been a thing. Patients are people, not products.

Patient brokering is a huge HIPAA violation for any “covered entity.” Selling a lead’s information to a third party without the lead’s formal written consent is a clear violation of HIPAA’s rules on the transmission of PHI. Just don’t do it—it’s gross, illegal, and wrong.

Play by the Rules and You Have Nothing to Worry About

Whatever you do, don’t decide that HIPAA is stopping you from embracing digital marketing.

It’s not.

Yes, HIPAA has some rules that must be followed, but once you know how to play by the rules, you’re good. It really boils down to making sure that the tools you are using are HIPAA compliant and making sure that the humans in charge of marshaling the information in your campaigns know how to protect PHI when they’re doing content creation.

That’s really all there is to it.

Get a good CRM, find a secure ESP, be cool on Facebook, get permission before you post testimonials, and steer clear of patient brokering, and you’ll be fine.

Working with a HIPAA compliant copywriter like myself might be a good idea, too. Just sayin’.

Erin Gilday