What HIPAA covers in marketing
HIPAA's Privacy Rule and Security Rule apply to any vendor (Business Associate) that creates, receives, maintains, or transmits PHI on behalf of a covered entity. For marketing teams, this typically includes:
- Email service providers
- CRMs
- Analytics platforms
- Ad platforms (limited)
- Form vendors
- Telehealth platforms
What we maintain
- BAA with every vendor in our marketing stack
- HIPAA-aware tracking — PHI segregated from analytics
- Restricted-category bidding on Google + Meta
- Annual HIPAA training for all senior staff
- Audit trails for every PHI access event
What you should ask any healthcare marketing partner
- Do you sign a BAA?
- How do you segregate PHI from analytics?
- What's your training programme for staff handling PHI?
- Do you have an audit log? Can I access it?
- What's your incident response plan?
Common HIPAA marketing mistakes
- Retargeting based on health-condition signals
- Sending appointment reminders via vendors without a BAA
- Using analytics platforms without proper PHI exclusion
- Webhook integrations passing PHI to non-BAA tools