HIPAA Compliance for Digital Marketers: An Introduction

This webinar provides a practical overview of HIPAA compliance for digital marketers working with doctors and/or medical clinics.  Our focus is to introduce those working in digital marketing to basic HIPAA concepts so they can protect themselves and potentially make more money. 

Why Attend?

In the digital health landscape, adhering to HIPAA is crucial for protecting health information and ensuring compliance. This webinar is designed to help digital marketers (including web designers and SEOs) understand and implement HIPAA-compliant practices in their projects.

Our Expert

April Wier is an expert web developer and digital marketer who learned about HIPAA by specializing in medical practices. As a result she developed: https://medicalmarketingunlocked.com/.

Disclaimer: The presenter is not a legal expert, and this webinar does not offer legal advice. It’s a technical guide intended for educational purposes.

Summary and Key Points

  • Marketers can make a positive impact by helping healthcare clients stay independent, diverse, and financially successful while protecting patient health information.
  • Compliance chain ensures breach notification and best practices for preventing future breaches, while visual maps of PHI flow through the business are also necessary for compliance.
  • Business associates need to identify all potential ways they may come in contact with PHI to conduct risk assessments and avoid breaches, which are one of the biggest risks to healthcare businesses.
  • Fines for HIPAA violations vary based on the severity of the violation and whether it was willful neglect or not.
  • Compliance and documentation are important and related. There are tips for protecting PHI such as using access controls and avoiding downloading PHI to local machines.
  • The process of conducting a risk assessment and analysis, and creating an action plan based on potential vulnerabilities.
  • Ensure APIs are secure and encrypting data at rest and in transit for healthcare software development, emphasizes the importance of doing a threat assessment and risk analysis.

Transcript

David: Welcome to the fifth Wednesday webinar. This month, we are going to be talking about HIPAA compliance as it relates to digital marketing. And when it came to this topic, April was the person we wanted to talk to us because she has put, well, I’ll let you explain it, April, how did you get into HIPAA compliance? I’ve known you as a digital marketer, website builder, website designer. How did you get into the whole HIPAA compliance issue?

April: I think it’s kind of like how any of us get into any phase of digital marketing. We kind of fall into it. Our client needs it, and we’re like, oh, that’s interesting. Let me start learning more about it. And then, eventually, you feel confident enough to charge for it. I was a little backward there because I was already working with a client who needed HIPAA compliance and had kind of an “Oh, my God” moment when I realized what I should be doing versus what I was doing. And there’s just not a lot of resources out there for marketers when it comes to HIPAA compliance. There are a lot of scare tactics, there is a lot of drama, there are a lot of documents about penalties, and there is not a lot of stuff that’s really easy and accessible to learn. And every time I would ask anybody in the community, they would tell me I would not touch HIPAA with a ten-foot pole. And that was wildly unhelpful for me because I was already working with a doctor. I was in the process of rebuilding their website. I had access to their email marketing platform, and luckily, I did not create a really bad situation. But it could have been that really quickly. If I hadn’t realized almost immediately after starting to access their stuff, and I had not looked at any of their patient health information, I was collecting information. Who’s your email provider? And who’s this? And what’s this? And how are we planning on when you get your. Where are the forms from the website going? And I thought that if you just didn’t put really deep information on a contact form like they didn’t have their Social Security number or they didn’t put their health information on there, that they were fine. But let me just double-check. And so, I started doing a deep dive and just was like, oh, I’m wildly unprepared for this. And so, I had to kind of pause and teach myself these things because there just isn’t anything out there, just a small plug. I created a course called Medical Marketing Unlocked because I believe very deeply that this information needs to be out there and it needs to be easily accessible. It doesn’t need to be in government speak or scare tactics because there are very easy ways to stay compliant when you’re a digital marketer. I know a lot of you guys do search, but I’m sure there’s probably some crossover with web design or development or email marketing. I come from a web design development background, so you’ll see that kind of slant in my presentation. So, if it’s so risky, why would you do it? Okay. It’s incredibly risky dealing with patient health information. If you do it wrong, the penalties are ridiculous. Like, it’s out of this world, and there are a lot of people doing it. When I first started teaching this, I thought I took kind of the bent that I was going to teach people how to do HIPAA-compliant marketing so that they could open up and they could unlock a new market and be able to make a lot more money and do it safely. What I found when I started talking to people was that there were all these people who were doing medical marketing, but it was just like the Wild West. Like nobody was doing it correctly. They didn’t even know what correct was. And honestly, they weren’t even really making that much money. So, the risk versus reward was way out of whack. So, I kind of fine-tuned my approach and started approaching the community, kind of talking about how you can make a lot of money and why you would want to. And that worked out a little bit better. But what I’ve really found has resonated with people is the interaction between responsible marketers and the health of our healthcare system. So, as a lot of you know, here in the US, our healthcare system is, let’s just say, suboptimal. And it’s struggling in a lot of different ways. One of the big issues that we see in the medical marketing world is that there are a lot of big hospital chains that are coming in and gobbling up mom-and-pops. They’re kind of like when people were accusing Walmart of coming in and putting out mom-and-pop stores, right? Well, that’s kind of what’s happening in the healthcare world. Big hospital chains come in, and they’ve got these huge marketing budgets. They outspend the local private practitioners to the point where their practices start hurting. And I mean, this is just one model. Not all of them do that, but you get the point. And then the independent practitioner has to say, either I’m going to join with a bunch of other doctors and stay mildly independent, or I’m going to have to join this chain because I can’t outspend them. I just can’t compete. The biggest issue with them competing, I wouldn’t say the biggest, but a large issue with them being able to compete is marketing. If we, as marketers, can help a doctor’s office add 20% to their bottom line next year, that could be the difference between them staying independent or being absorbed into a hospital chain. And not that there’s anything inherently wrong with hospital chains. It’s just that this homogeneous structure, and in philosophy, that doesn’t necessarily benefit us as patients. What we really need is diversity. One for the health care economy, but also for diversity of thought and philosophy. Do you really want some bureaucrat somewhere, two states over, making decisions about your health care in your local town? Now, we do have some of that with insurance, but now you layer in that the only doctors available are within a certain chain that only works with certain pharmacies or blah, blah, blah. Do you see what I’m saying? So I really have felt like this is almost like a mission to teach marketers how to safely work with healthcare clients because there is a huge need right now, one just to create a positive impact in the world. You can do that by helping these healthcare clients stay independent and diverse, where the doctor is in charge, but then also there’s a lot of money to be made here. Doctors have marketing budgets, and a lot of times, they don’t know how to spend them correctly. They’re spending thousands of dollars on some flyers in a mailer pack that goes out. I mean, that’s not doing anything for them. Maybe a little bit of exposure. But if you could come in and help them outrank everybody in their SEO, If you can help them get their ads correct, if you can make sure that their website is converting and their email marketing is on point, you can change these people’s lives, and you can actually protect the integrity of the healthcare resources in your area. So that’s kind of where we start. And this talk is more to give you a high-level view of what compliance is made of, what our jobs are, and how we fit in this little ecosystem.

Okay. In the elements of compliance, it’s really not that complicated. It’s just you have to figure out who you are in this ecosystem and how you protect patient health information. So, a covered entity would be the doctor’s office or the clinic or the dentist or whoever it is that has patient health information, right? And so patient health information, or PHI, is called a bunch of different things. It’s called EPHI, which is electronic patient health information. The P just gets changed over and over. It’s private health information, patient health information. You’ll see a bunch of permutations of that. Really, it is just information that is basically identifiable. Right? So, you can connect it to a patient, and it is information that connects them to the covered entity. Right? So, let’s say I’m a patient of a family practitioner. When I signed up, they got my name, my address, and my Social Security number. All of those are patient health information. Right? And HIPAA was originally created so that our health information could be portable and protected. So, you can’t just keep my health records. I have a right to those things. And so, it’s kind of taking on a life of its own in a private way, in a way that gets really close to some of the things that are happening at the state level or, like, in Europe with GDPR and privacy laws. So, I really believe, kind of in a deep way, that when you embrace compliance in the way that HIPAA does it, it’s really a best practice. You’re not going to hurt yourself by being overly zealous, I guess. I mean, maybe if you’re overly zealous, but it’s just kind of good business. A covered entity, like I said, that’s our client normally. So that’d be the doctor, the dentist, the help. Healthcare provider. Okay. We are the business associate.

So when we’re interacting with our clients, the covered entities, we are designated as business associates, as are anyone or any entity doing business with a covered entity, right? That uses or discloses PHI. For example, I’m working with the doctor’s office, and I need to log into their email marketing app and start sorting through their lists, right? So, I’m a business associate because we’re going to come across names and email addresses because that’s the nature of the business, right? So, we can reasonably expect to have access to that information since we access that information on a need-to basis when we need to provide what’s called a business associate agreement or a BAA to the covered entity. Okay? So, when we issued a BAA, we effectively established what’s called the compliance chain. And so, here’s a possible compliance chain. As you see, we’ve got the marketing agency here. We have the covered entity. That’s our client. And so that’s a possible scenario, right? Now, let’s imagine that the email marketing company, I mean, that the covered entity signs up, they’ve got a relationship directly with the email marketing company, but maybe they also have a relationship with the web host that they get through us, right? So, in this situation, you can see that the email marketing company has a BAA directly with the covered entity, but the web host has a BAA with the marketing agency, which then has a BAA with the covered entity. Do you see how that works? Does that make sense? See how the BAA goes directly from the email marketing company to the covered entity. Because they work directly together, but then they only have the BAA with a marketing agency that also has the BAA with a web host. So, the chain should never be broken. Does that make sense? Is anybody nodding? Yes. All right. So, these are just the basics that we need to have in place to make sure we have the compliance chain intact. Basically, what this does is ensure that if there’s a breach, they’re required to let you know in an allotted amount of time and that they are using best practices to ensure that the breaches don’t happen again or to begin with. So, as patient health information flows through a business, it needs to also have a visual map as a part of compliance. So, what that might look like is something like this. This is the flow of the PHI through the business, right? So maybe internally, it’s going from their electronic health records to their patient accounting systems to their clinical apps to their other apps. And then they’ve got, as you can see. I have my slides over here. And then with the BAAs. Right? So, the external systems need to have BAAs, and some of them with each other. Right? The patient accounting system, the billing system, and marketing. Let’s just say that I recommended, or maybe I sell insurance to him. I don’t know if anybody does that, but they would have to have one with me and then with them. However the clinic is interacting with its vendors and its business associates determines if they need a BAA or anyway. So, just think of all the different ways that you might provide services for your client: email, marketing, social media, their website, lead forms from Facebook, or wherever that stuff is coming through. Well, we’re all dealing with patient health information if we’re dealing with healthcare clients, typically. And so, we just need to identify all the ways that we will potentially be coming in contact with it so we can do risk assessments later on. So, it’s really important to understand who we are in this ecosystem of compliance. Typically, we’re the business associate and what our responsibilities are so that we can identify potential risks and then make a plan to avoid them. Right? So, if we already have a huge vulnerability, then we can make a plan and take action steps to correct that. So, here are some potential ways we might come in contact with PHI. Like again, I said the email marketing app, maybe the database on the website, other apps, lead forms. But even, like, think about this. Even if you’re in the doctor’s office talking to the doctor and you overhear one of the nurses talking to a patient, that’s patient health information, right? It’s really important for you to understand that anything that we see that comes in contact with their information is protected. Let’s see.

All right, so elements, risk. So, the biggest risk to our businesses and to the healthcare businesses is a breach. So. A breach is when protected health information has been improperly acquired, accessed, used, or disclosed. Okay, so, for example, what we were just talking about, like, I’m overhearing the nurse talking to a patient, and maybe the patient has a scandalous situation happening, right? And I’m listening, and then I go home, and I tell my partner, you would not believe what I heard at work today. Boom, that’s a breach, right? So we want to make sure we don’t do that. But there are all kinds of ways that we can get breaches. One of the ways that I have seen breaches happen is everything was perfect. The forms were going to a secure location, access controls were in place, and yet the client decided that she didn’t like the way the emails or the forms that she was delivered were formatted. So she took a screenshot of the form with the patient’s health information in it and emailed it in an insecure way to her provider and went, oh, I don’t like the way this is formatted. That’s a breach, right? So, the purpose of all of this is to prevent breaches, but every now and then, breaches are going to happen. In fact, I talked to someone who works in this, and they said that when they’re looking at an organization, what they are not looking for is that you’ve never had a breach. But what they want to see is how you handle a breach when it happens. Because people are human and companies are made of humans, breaches are inevitable at some point. But do you have processes in place, and do you know how to take care of it? Right? So, remember, like our patient health information flowchart. So, the purpose of that is to document in an easy, digestible form the ways we access PHI. So, you want to have that visual flowchart in your documents so that you can show that you know every way that you access PHI and that you have the responsibility to protect that information. Right? So, we want to talk about breaches versus violations. So, a breach occurs when protected health information has been improperly acquired, accessed, used, or disclosed. Right? So that’s pretty clear. Right. But all breaches are violations. But not all violations are breaches. For example, if you’re hosting your site on an insecure web server, that’s a violation, even though no one has acquired, accessed, used, or disclosed that information improperly. Right. It’s a violation because it goes against best practices. Now, I want to leave this. Screen up here for a minute.

Fines. Fines are a really big deal in the HIPAA space. You can get fines for breaches, fines for notification delays, and fines for vulnerabilities that aren’t even breaches if they’re egregious enough. The most common fines are for breaches. Let’s look at the potential fine levels. Okay. Tier one is you didn’t know. Know that there was a breach. Right. You didn’t know that a violation was happening. So, the minimum penalty is $120, maximum of $60K. So that’s really, like, how egregious was the violation, and how many people did it affect? Right. So, if you have a bunch of these, it could get pretty expensive. The annual limit is $1.8 million. Tier two, you had reasonable cause to understand that you should have been doing something or that you weren’t taking best practices. And the minimum penalty is $1,200 per instance. Right. With an annual limit of $1.8 million, tier three is you had reasonable cause to understand that you needed to do something, and you had the ability to do it, and you just didn’t give a rat’s patootie. Right. Like, just willful neglect. That’s tier three. Like I said, maybe nobody has been hurt yet, but it’s a violation, nonetheless. And depending on the severity, you can see the fines keep going up and up and up, and then we’ve got tier four, willful neglect, and you fail to correct it within 30 days. Okay? So, you can see it goes way up from $12,000 as a minimum to $60,000. And this gets really serious really quickly. And like I said, most of the people who are getting in trouble for this are more in tier three. Like they knew that there was a problem, they knew there was a vulnerability. They didn’t do anything about it. And then when there was something that really was brought to light, hey, this information has gotten out. They didn’t even correct it. Let’s just pretend that goes away. Most of us are not at that level where we would get in trouble for that. Right. Where we would get in trouble is just not having any compliance at all. Right? So, compliance is actually really easy. You want to just make sure you have access controls in place. Right? Do you know who’s accessing the information? Do you have written documents that you have talked to these people about what you’re supposed to do, and this is how you keep this safe? It’s all about the documentation.

So here we’re going to talk about threat levels, and this is going to help you understand a little bit more about how we document. So, I know this is not the most exciting information in the world. However, what I do think is really exciting is not getting in trouble and making money. So, let’s go. So, a high threat level is when you have assessed a situation, and you have determined that a threat source is highly motivated and sufficiently capable and controls to prevent the vulnerability from being exercised or ineffective. Right? So that would be like, let’s just say there’s a plugin on your website that is critical to operations, and it’s been compromised, and nobody knows how to fix it. And the only way to get rid of it would be to shut the website down. Right? But in this case, for some reason, you can’t. And so that would be a medium threat source. It’s motivated and capable, but controls are in place that may impede the successful exercise of the vulnerability. Right. So we’ve got a threat, but because of the bureaucracy or whatever is in place, we can’t, or like, because of the controls that we have in place, maybe we’ve got Wordfence and Sucuri and all those in place. And so we probably won’t fall vulnerable to that exploit, but we could. And then, low is the threat source’s lack of motivation or capability or controls in place to prevent or at least significantly impede the vulnerability from being exercised. So, this is like, yes, someone could exploit this, but they probably won’t. They’re not even motivated to do so. Just kind of going through those.

Here we go. All right, so this is what I like to call low-hanging risk fruit. So, the best way to protect yourself is prevention. Right? There’s a lot of low-hanging fruit when it comes to risk that we can easily just pick off. Right. So, one, never ever download anything with Phi to your local machine. Everything should be in the browser; you should keep it in compliant storage. So, I use Google Drive, and Google Drive has a HIPAA-compliant version, so that’s what I use when I have forms that need to go from, let’s just say, a complaint on a site. We use JotForm for HIPAA compliance, and it gets sent to our HIPAA-compliant Google Drive. Then, we have controls on who can access that and who can’t. Okay.

You can avoid having to do risk analysis and access controls to your computer if you just keep Phi off of it because if you just download spreadsheets with Phi or whatever to your machine, then you’re required to keep your machine compliant. Keep the room that your machine is compliant. You have to have access controls to that room. Right? Nobody’s got time for that, especially those who work at home with kids. Do you want to make a note every time your kid comes into your home office? No, you don’t. Okay. Strong passwords for everybody, including your clients. You want to kind of force strong passwords where you can access controls. You need a log for everyone who’s accessing something, right? So, let’s just say you’re on a website and you’re working on the back end. You’ve accessed that website, even though you don’t go into and look at the database, if there is one with patient health information on it, you have access to it. And so you need to write that down. But there are actually plugins that will log that stuff for you. So that’s really helpful. I would just avoid being the responsible party for databases in general. Right. Is there any reason for you to have PHI in your database? Maybe, but I would say it’s better to have the client sign up directly with the service that provides that. For example, have them go directly to ActiveCampaign. Right? So, the BAA goes directly to them. You do a BAA to the covered entity so that you can access it, but you’re not responsible for it. Right? So I can access their active campaign with my BAA, but I’m not responsible if there’s a breach. ActiveCampaign is. I would like to say, I don’t know if I said this already, but just because you sign up for a service that has HIPAA compliance does not mean it is, okay? One, they may not actually know what HIPAA compliance is. That’s a whole other topic because there are a lot of people who have parts of their product as HIPAA compliant and other parts aren’t, but let’s just give them the benefit of the doubt and assume that what they’re saying is true. They are HIPAA compliant. Just because I signed up with them doesn’t make it HIPAA-compliant for me. Unless I get that BAA, the HIPAA-compliant chain is not in effect. All right. Internal policies. Having written policies that your entire team must agree to and understand is key. That’s one of the things that auditors are looking for. I had my course audited by Trava Security because I wanted the information to be so authoritative that it wasn’t just coming from April, who runs a little web shop. I wanted, you know, it to be audited by a security company. And so that’s what we did. And so Trava audited. Make sure that the things that I was saying were correct. I had a conversation with the auditor, and he said that he had used that at one point and that he worked very closely with people who were doing these types of business audits. And he said what he saw over and over again is that the auditors aren’t trying to crucify you. What they want to see more than anything is that you have written policies. Did this breach just happen because you have been cavalier and you haven’t put anything in place? Those are the people that get the biggest fines, the people that have processes in place. They’re the ones that if it looks like they did everything they could, get the minimum. Right? And then, this is just another reminder to never discuss patients. Don’t send patient health information by email. Right? So, let me skip through here. Don’t send patient health information by email unless you are 100% sure that your email is compliant. Right. So, remember how I said that I have HIPAA-compliant Google Suite? Well, just because I have that doesn’t mean that my clients have it. Right? Or that maybe a contractor that’s working with me has it. So, you want to be very careful, especially with lead forms. It’s always best to send that to a secure document or folder and really try to avoid email if at all possible. So, we want to keep everybody as safe and secure as we can. And I want to go through risk assessment and analysis really quickly. So, a risk assessment is where you are looking at the entire flow of everything you’re doing. For example, how is patient health information flowing through the organization? Who are the vendors, who are business associates? And, you know, you kind of look at all the different parts. Of the business and your interaction with that, and where are the potential pitfalls? Right. And so you go through that, and then you kind of list that. So that’s the assessment, finding the potential pitfalls, and the analysis is ranking them low, medium, and high. And then once you have that, you create an action plan, and the action plan is the step you’re going to take based on how elevated the threat risk is. And that’s pretty much it. So there’s a lot to it. This is not the most exhaustive example of compliance, but this is pretty much what you need to know to apply to each situation and to learn more. So, if you understand, I know a risk assessment is finding the vulnerabilities. I know an analysis is rating those vulnerabilities. I know what a compliance chain is. If you have a situation, you’re empowered to go out and learn more about your particular situation without feeling so completely. So, do we have questions?

David: Yes. Thank you so much, April. That was so helpful. We have a few questions. Lidija wanted to ask if a health coach could be a covered entity.

April: So, I’m not an attorney, so I can give you my opinion on that. And I would say yes. If someone is, as a part of your business interaction, someone is sharing protected health information with you, then I think that that’s probably a gray area. But I would really lean towards having best practices. Tattoo shops. Think about that. Okay? Like, I love tattoos, but you think about it. If you go into a tattoo shop where you get your ears pierced, they’re asking you your name, all of this, and what you’re getting done, and sometimes it has health information on there because you have to disclose whether you have any health conditions that could be vulnerable. You don’t see that come up a lot, and probably they’re not being targeted. But is it a best practice? Absolutely.

David: Anybody who takes in any healthcare-related information, whether or not they’re an actual provider, a doctor, a dentist, an orthopedist, or a chiropractor, they’re not officially a medical provider, but they still have a HIPAA requirement.

April: Yeah. The craziest thing about HIPAA is that there are all these laws and fines, but the language is really unclear when you get to the nitty-gritty about some of these things. So, for example, there are lots of people that I have seen that teach that, oh, if you have a form on your website, as long as you don’t have any information about the symptoms they’re experiencing, that’s not PHI. It’s not really true because it does identify that they are interacting with, let’s say, this doctor. Let’s say the guy’s going to a hair restoration doctor, and the fact that his name, email address, and telephone number are there makes him identifiable, right? Especially if he has his first and last name. So that might be embarrassing to that person. And so that’s protected healthcare. One of the things you can do is you can do, from my research, so take it with a grain of salt, is that you can do first name and email address, but once you add any other information, private identifiable information, then it becomes PHI. So, a first name and email, we’re okay. Anything more than that, the person’s readily identifiable.

David: Yeah. Thank you. That’s very helpful. Tricia asked a question. She asks if an office is subject to HIPAA and if they provide in their marketing materials, perhaps like a flyer an email address, which is not HIPAA compliant, like Gmail or Yahoo, even if they’re not asking for patient information. Is this a violation?

April: It’s a violation waiting to happen. Right. And it may actually be a violation because you’ve set the stage for it. Right? So, like we were talking about, a server that may never be attacked or may never have malware, but they’re still in breach because they don’t have these controls in place or are still in violation. My pediatrician doesn’t even have a contact form on their website. They are so terrified of this. There’s no email, there’s nothing. But I have seen quite a few doctors and massage therapists and chiropractors and all kinds of folks who just have a Gmail address and not even a protected one. And they’re like, hey, just email me. And they just don’t understand. And marketers who will go in and work with these people, and they’re just. Forwarding the lead forms over. Oh, you got another lead? And they’re just emailing them over. Breach, breach, breach, breach, breach, breach, breach, breach. And it’s really not that hard. It’s really not that hard to avoid all this stuff. Typically, we use JotForm for contact forms. You can get, I think, it’s like, I don’t know, $120 now. I’m grandfathered in it. You can get unlimited forms, HIPAA compliant, and then you can set up what you’re going to do with each one. And so what we do is you just embed it on the website. It’s like an iframe, so the stuff never hits the server. And so what happens is I submit the contact form, and the JotForm emails out to the client. Hey, you’ve had a submission to your contact form. Go check your folder. And there’s a folder in a compliant drive, in a compliant sheet, and it’s got the submissions in chronological order. And so that’s how we avoid that. Yes. It’s one extra step for the client. Oh, I’ve got to click on this link to go sign in, but nobody complains about it, and everybody’s actually really happy to know. Every single day, it’s a reminder that they’re being compliant.

David: Great. Thank you. The next question comes from Dave and other Dave. Dave asks if there are any extra precautions that should be taken for overseas workers that he might employ other than making sure they go through the web browser for everything or have a VPN.

April: That is really tricky. So, overseas worker, and I love my overseas team, but I’ll be honest, I do not let them get anywhere close to phi one because they are not bound by the laws of the United States. There’s actually no accountability if something goes wrong other than losing their job, and then you are the one that has to do the reckoning for that and having to show, blah, blah, blah. But there are ways to contain that. So potentially, maybe you’re not keeping your form information on your database, right? If it’s just an iframe, then your web developer doesn’t have any access to that. Right? Or maybe if they’re doing email marketing, maybe you’re keeping that email marketing with your staff. Maybe you’ve got a dedicated us person who handles just that versus the other things. I think there are a lot of ways to do that. I think that’s where you do the threat assessment, and you can do the threat assessment. You should do threat assessments on your own company. Right. So that’s a good way to do that. Where are we vulnerable, and how do we prevent that? Right. So, then you can create an action plan, and you have all this documented so that if heaven forbid, there is a breach or a violation of some sort, someone comes in and they say, let me see your documentation. You have to say, we have even been planning to avoid this.

David:  Thank you. Paul asks if there’s some kind of HIPAA checklist that he could use to make sure he’s taking all the necessary actions when it comes to healthcare software development.

April: Well, I’m not an actual developer. I’m a soft dev. I just put things together that other people have built, so I wouldn’t want to get into that. However, one of the things you really want to be careful and look at is your APIs, right? Are your APIs secure? There are certain standards for HIPAA when it comes to encryption. So, when you move data from one place to the other, it has to be encrypted at rest and encrypted in transit. Right? So not just while it’s going, but when it’s there and when it leaves and when it gets there. So that’s really interesting. I have a friend of mine who was in my mastermind while I was building my course. And so, she heard about this all the time, and she’s a fancy developer, and she was talking to a client, actually a huge client, and they were talking about their APIs connecting certain programs together, and one of them was healthcare-related. And she goes, are you sure that that’s HIPAA compliant? And it found out that it wasn’t, and that could have been. We’re talking about thousands and thousands and thousands of records going back and forth, and that could have been one of those breaches where we’re talking about a maximum of $1.8 million. And so she was able to identify that because she did a threat assessment on them and then a risk analysis, and then they took an action plan, and they were able to fix that. I would recommend it. I mean, obviously, I think you should take my course. But if you just take these principles and apply them, right? Is it vulnerable? Like, are you vulnerable? Like, do you know who you are in this ecosystem? Do you know how the patient health information flows? Have you done a threat assessment? Do all of those things? And I think it’s very easily translatable if that makes sense.

David: So, if I’m hearing you right, basically, we should not be providing any digital marketing services for healthcare companies?

April: No, that is not what I’m saying. No. I want you to go out and help all the doctor’s offices, but you just need to know what you’re doing. You need to do it thoughtfully. Right. So, in fact, I think it’s a huge distinction when you walk into a doctor’s office, and you’re talking to them, and they’re going, oh, well, we talked to XYZ Branding company, and you say, oh, well that’s really interesting. What did they suggest you do when it comes to assessing your HIPAA risks in your marketing? And they’re like, what do you mean? And I’m well, and you kind of explain, this is kind of the process. We need to make sure that we’re handling everything appropriately. Who’s going to get that business, to be honest? I mean, it gives you a huge leg up, and a lot of us are doing work anyway. We just weren’t doing it with a full arsenal of education.

David: Yeah. So, by special request, Dave wanted to ask you a verbal question.

April: Okay.

David: So, he says it’s too complicated to type in the chat. It must be a doozy.

Dave: So, I’m wondering, in the accessibility space, right? There are lawyers that go around trolling lawyers that see websites that violate, and then they say, pay us $6000 or $10,000, and we’ll go away. Or sometimes, it’s way more than that. Right? So, is there something like that when it comes to HIPAA or not?

David: Don’t suggest the idea, Dave, people are listening. Don’t even suggest that.

April: I would say there is. I think you can get someone who’s a specialist in HIPAA to do remediation consulting. And really, what it is is creating a risk assessment, doing a risk analysis, and creating an action plan based on the risk analysis. Right. That’s really what you’re looking at. Just like with accessibility, you’re doing an audit, and you’ve got a hit list, and then you do your mediation based on that. If you’re going to Google that, we’re talking. Usually, you’re looking in the $50,000 to $75,000 range to get something like that done. There are not a lot of people out here not like accessibility. There’s not a lot of people going around and targeting doctors like this because it’s not as obvious, right? It’s not as obvious when there’s a breach, right? So, like Tricia was saying, oh, somebody had, let’s just say if it’s like yourfavedoctor@gmail.com and that goes out, I mean, that person is at risk more than likely. But the chances of somebody doing that are very low. Right. Because if they get the fines, they’re not a person who’s been violated. Right. That breach hasn’t happened unless they purposefully do that. And so, where would the money go? The money would go to the government and fines. So, the motivation isn’t quite the same as with an accessibility person who’s actually had harm done to them. Now, if you are a part of a breach, then you might be a part of a class action lawsuit or something like that. Luckily, that’s not apples to apples there.

Dave: Okay. Thank you.

David: April, thank you so much for your time. This is a huge help, and we really appreciate it. You’ve clarified, you’ve demystified, and I think we all have written down action items that we need to take. So, thank you.

April: Well, I appreciate it. And if anybody has any questions, I’m always happy to talk about HIPAA because, like I said, it’s one of my passions. It’s not HIPAA itself, but I think making marketing more accessible for independent healthcare companies is actually a really important thing for the marketing community to do. And we are uniquely positioned to be able to really make a difference in preserving the diversity in our healthcare.

David: Yeah, absolutely. I just wanted to add, too, that this fifth Wednesday webinar is all part of a group called Curious Ants, where we help coach people by providing search marketing as a service. And so, every Wednesday at this time, we meet to talk about our SEO coaching dilemmas, and everybody brings their questions, and we answer them together in a group. In fact, this whole webinar came out of that talk where someone asked about HIPAA compliance, and then we decided, oh, we needed to bring in an expert to help us navigate a complex space. So, the conversation continues next Wednesday for members of the Colony at Curious Ants, and we hope you will join us. I put the link in the chat if you’d like to check out Curious Ants. April, your resource is in the chat as well. Will you tell us your domain one more time, just so everybody gets it?  

April: Sure, it is medicalmarketingunlock.com, and I had a little bit of a glitch with the coupon code, but we’ve got the coupon code CURIOUS for 50% off if you’re interested, and that should be within the next five to 10 minutes. That should be up.

David: Thank you. That was very generous. I appreciate that. Thank you for that discount.

April: My pleasure.

David: Yeah, well, thank you all for coming today. I hope you have a ton of information and you can keep up with us on Curious Ants. You can subscribe to the Meetup group, which is the fifth Wednesday webinar if you want to keep up with whatever we’re going to do whenever the next fifth Wednesday comes around. I don’t even know what we’re going to do. I guess we’ll have to figure that out during the group coaching. So anyway, thank you all for coming today. It was so nice to see you, and I hope you have a great week. We’ll talk with you soon.

April: Thanks for having me. See you all later.