
Are Your Marketing Practices Violating HIPAA?

In light of some healthcare organizations allegedly sharing PHI for use in advertisements, here are tips to consider for your cybersecurity strategy.

Have you considered how your marketing department might be involved in HIPAA violations? Recent cases have appeared in the news where organizations allegedly engaged in improper health data sharing practices for use in advertising. Let’s look at the issue and items to consider regarding your healthcare organization’s cybersecurity strategy.

Short Background on Consumer Data Privacy

Consumer data privacy laws in the U.S. are considerably less strict than you may believe. For instance, after you have repeatedly searched for something online, you may notice related ads appearing on your social media channels. Many websites you visit collect and store your activity on the site and any information you enter, and they use it to target their ads at a specific audience.

Data Privacy & HIPAA

As defined by the U.S. Department of Health & Human Services (HHS), “the HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes.” These controls include requiring a written authorization before using this data, or a disclosure stating that protected health information (PHI) can be used in marketing (HHS describes what counts as marketing on its website), such as in targeted pop-up advertisements.

In recent cases in the news, the healthcare organizations were allegedly using the information collected to target ads for their services. A recent study found that more than 2,500 U.S. healthcare organizations use tracking tools on their websites or patient portals.[1] The organizations now face charges from the Federal Trade Commission (FTC), with settlements in the millions, as the FTC has determined these practices violate HIPAA data privacy regulations.

Tech giants such as Google and Meta are facing scrutiny from organizations such as the FTC and the Office for Civil Rights. Congress is also adding pressure on these tech companies about their role in protecting PHI. Recently, legislation was proposed that would ban PHI from being collected from any source for use in advertising without explicit consumer consent. This proposed legislation indicates an increased awareness of how consumer data is collected and used—and, in the healthcare world—a recognition that this PHI is not always protected.

What You Can Do

Consider these suggested action items when evaluating your organization’s data security practices:

  • Educate yourself on your marketing department’s advertising practices—especially surrounding pop-up advertisements and data collection.
  • Work with your marketing and communications department to confirm that sensitive information is not being collected, and that team members are trained to remove data collection from appointment booking and patient portals.
  • Check that your compliance department is aware of what programs are added to your sites and what they are tracking.
  • Have your information security department run an automated technical scan against all your assets, including third-party-managed ones, to look for trackers.
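As an added example (not part of the original post or any FORVIS tooling), here is a minimal scan of saved page source for the kind of third-party tracking tags the last action item refers to, using only the Python standard library. The tracker host/path list is an assumed starting point rather than a complete inventory, and the patient-portal HTML is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re
# Known tag endpoints as (host, path prefix, label): an illustrative starting
# point, not an exhaustive inventory, so extend it for your own review.
TRACKERS = [
    ("connect.facebook.net", "/", "Meta Pixel script"),
    ("www.facebook.com", "/tr", "Meta Pixel noscript image"),
    ("www.googletagmanager.com", "/", "Google Tag Manager / GA4"),
]
# Inline JavaScript that initialises the same tags.
INLINE = [
    (re.compile(r"\bfbq\s*\(\s*['\"]init['\"]"), "Meta Pixel inline init"),
    (re.compile(r"\bgtag\s*\(\s*['\"]config['\"]"), "Google tag inline config"),
]
class TrackerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        self._in_script = self._in_script or tag == "script"
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            url = urlparse(src)
            for host, prefix, label in TRACKERS:
                if url.netloc.lower() == host and url.path.startswith(prefix):
                    self.findings.append((label, f"<{tag} src={src}>"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # only script bodies are inspected, not page text
            for pattern, label in INLINE:
                if pattern.search(data):
                    self.findings.append((label, "inline <script>"))
def find_trackers(html):
    """Return (label, evidence) pairs for every tracker found in the page source."""
    scanner = TrackerScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a patient-portal login page that loads the Meta Pixel.
SAMPLE_HTML = """<html><head><script>fbq('init', '000000000000000');</script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView"/></noscript>
</head><body><form action="/portal/login"></form></body></html>"""
```

Run `find_trackers` over the saved source of each login, booking and portal page; any finding on a page that handles patient data is what the compliance review in the items above should be looking at.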

For assistance with HIPAA compliance, please reach out to our dedicated healthcare professionals on the IT Risk & Compliance team at FORVIS or submit the Contact Us form below.

[1] “Pressure on Meta Mounts Over Pixel Collecting Health Data,” October 25, 2022.
