HIPAA, the 24-year-old law that regulates the release of patient medical information, doesn’t restrict data use for what many might consider marketing by healthcare organizations.
If a hospital kicks off an email campaign about a new medical group affiliation, new equipment at the facility or—more recently—information about offering COVID-19 testing or pandemic-related changes to operations, that doesn’t count as “marketing” as defined by the Health Insurance Portability and Accountability Act.
As a result, some software systems used to coordinate patient outreach can be linked to hospitals’ electronic health record systems, bringing information collected as part of patient care directly into the fold. But a patient’s protected health information is still covered by HIPAA, even once it’s pulled into such a system.
That approach makes it easier to send patients the types of communications that are most relevant and of interest.
A hospital in Milwaukee, Children’s Wisconsin, brings encounter data from its EHR into its customer relationship management, or CRM, system, which it uses to coordinate digital marketing campaigns.
The information helps the marketing team target messages to patients by service line or specific clinics they’ve visited, said Richard Hanson, the health system’s marketing manager.
Hospitals use CRM systems to coordinate email, direct mail and other types of communications, tailoring outreach by what consumers say they prefer, as well as tracking how they’ve interacted with the health system previously.
CRM systems build profiles on patients, mingling demographic and health data from the EHR with consumer and household data from third parties like credit bureaus.
The goal, according to vendors, is to understand what messages are relevant to different consumers at different times, as well as to manage preferences for how they want to be reached.
There are things healthcare entities can’t do with protected health information, said Dr. Mason Marks, an assistant professor at Gonzaga University School of Law and a fellow-in-residence at Harvard University’s Edmond J. Safra Center and the Petrie-Flom Center.
“They can’t sell it to a third party for advertising purposes,” he said, as an example of a marketing activity not allowed under HIPAA. A hospital can’t sell PHI or a patient list for a third-party company to use to market products.
A hospital also would have to get permission from a patient before sending information about a facility or program that’s not part of the organization if it’s not actively part of providing treatment advice.
“But there are a lot of ways they can use PHI for marketing if they’re marketing their own products and services,” Marks said.
Some may find it hard to believe that a patient’s protected health information is still covered by HIPAA, even if it’s being used for marketing a hospital’s services.
While HIPAA generally requires a patient’s authorization before a hospital can use data specifically known as PHI, the law carves out exceptions for communicating “certain treatment or healthcare operations activities” from how it defines marketing, according to guidance from HHS’ Office for Civil Rights, the agency that enforces HIPAA.
If a hospital sticks to describing its health services or to communicating about a specific patient’s treatment, it’s free to use patient data to target the communication. “As long as they’re not getting paid to send those reminders out, it’s not marketing,” said Lani Dornfeld, a healthcare attorney at law firm Brach Eichler.
Right now, the marketing team at Children’s Wisconsin is using its CRM as part of a campaign to encourage patients to get their annual flu shots—sending emails that are customized as coming from the specific primary-care clinic the patient visits, rather than the health system at large.
That “personalized” component makes patients more likely to open the email and schedule an appointment, Hanson said.
And since the CRM brings in patient encounter data, the marketing team can target messages to patients who haven’t received a flu shot yet.
Children’s Wisconsin sends these types of emails to all patients, but there’s an opt-out button that recipients can click in the footer of each message.
CRM systems leverage vast amounts of patient and consumer information “for the good of the patient,” said Jessica Friedeman, chief marketing officer for health systems at Healthgrades, the CRM system that Children’s Wisconsin uses.
Healthgrades is part of a growing industry of healthcare CRM tools, including competitors like Salesforce and Welltok. The global healthcare CRM market is projected to reach $17.4 billion by 2023, driven by hospitals’ growing focus on patient engagement, according to a report from market research firm MarketsandMarkets. That’s up from $8.8 billion in 2018.
“As patients are becoming more like consumers, they’re demanding a better experience,” Friedeman said.
Healthgrades signs business associate agreements with organizations it works with, so the company is also bound by HIPAA.
“Other industries have really set the tone of consumerism,” Friedeman added. “Healthcare is slower to catch up.”
But whether more targeted marketing feels personalized or invasive might depend on the patient.
It’s something for hospitals to consider, according to Marks. He recommended hospitals ask for consent before sending communications developed by analyzing health and consumer data to give patients more control.
“You can make the argument there will be people that might want to know about whatever services you’re offering them, but it is kind of an invasive thing,” Marks said. “Even if (hospitals) are technically allowed to be marketing to people, perhaps they shouldn’t.”
For COVID, many marketing efforts actually required less specific targeting than a typical campaign.
Hospital marketing teams were trying to get COVID-related messaging—about hospitals’ transition to telehealth, or how to continue accessing emergency and urgent care—to a broad population, and were largely not focused on specific service lines or patient groups.
“What was unique about COVID and the pandemic was there was information that needed to go to all patients,” said Kathy Smith, vice president of marketing and communications at Johns Hopkins Hospital.
The Baltimore hospital did develop some targeted messaging for patients with medical conditions like cancer as well as racial minorities at a higher risk for COVID, but overall the focus was on getting the message out there, so all patients knew how to continue to safely access care.
The Johns Hopkins marketing team has access to information on medical specialties a patient is receiving care from, but not so-called “sensitive” health data, such as specific diagnoses. That access helps determine the right populations to target.
But Smith stressed it’s not necessarily helpful to send communications to patients who don’t want them. That’s why Johns Hopkins also focuses on asking patients to sign up for email and print newsletters, so that the hospital’s marketing team can get a better idea of the patient’s preferences and interests. “It doesn’t help to send out communication to those who really don’t want to hear from you,” she said.
Segmenting patients by demographics and the medical services they’re receiving hasn’t been a priority for St. Elizabeth Healthcare’s email outreach. Instead, much of the Edgewood, Ky.-based system’s strategy for targeting messaging stems from asking patients to sign up for newsletters or webinars dedicated to specific medical topics, from which the health system can extrapolate patients’ interests.
“Once they’ve done that, we can understand … who they are,” said Matt Hollenkamp, the health system’s vice president of marketing and public relations. “We can then serve them very specifically the right content.”