HIPAA-Compliant Marketing For Therapists
Private practice therapists straddle the line between business owner and healthcare provider, making it difficult to market legally. As a business owner, marketing is essential — but as a healthcare provider, so is ensuring compliance with patient privacy regulations.
Perhaps the most well-known of these regulations is HIPAA, or the Health Insurance Portability and Accountability Act. Signed into law by President Clinton in 1996, HIPAA governs how patient information must be protected by healthcare providers, including psychotherapists.
As all therapists will know, HIPAA bars providers from sharing patient information for reasons unrelated to their healthcare. Likewise, rules and codes of ethics for licensure, such as NASW Code of Ethics Section 4.07, may prohibit you from soliciting endorsements from current clients or from people who may be vulnerable to undue influence.
When it comes to marketing (or brand storytelling), though, sharing your experience is critical to growing your business. Sharing examples from your experience as a healthcare provider can help build trust between you and prospective new clients. However, this type of marketing must be approached carefully to ensure HIPAA compliance.
So how do you share your experiences and market your private practice ethically and legally?
Here are some useful tips that may help you serve more clients without violating the privacy of your existing ones.
The Basics of HIPAA Privacy Rules
As a therapist, you likely received thorough training on patient privacy law during your education as a mental healthcare provider. Even so, let's first review the patient privacy regulations enforced by HIPAA, especially as they relate to mental health marketing.
Protecting Identifying Information
HIPAA established the first set of national standards for the protection of private health information (PHI). PHI is defined as any identifying information (such as your clients' names, birthdates, and home addresses), as well as personal health information, including medical conditions and treatment plans.
Of course, the law is rarely as simple as it appears. For example, "identifying information" includes obvious things like phone numbers and email addresses. But it also includes vague pieces of information, like a client's job title or other information that could potentially be used to deduce that person's identity. For example, releasing the identity of a client's friend or where they work could give enough clues for someone else to figure out whom you're talking about.
Types of Providers Who Must Comply with HIPAA
"Covered entities" who must comply with HIPAA include any healthcare providers who use electronic communications with their patients. Practices that are 100% paper-based do not need to follow HIPAA; however, in the modern era, these practices are few and far between.
Only one electronic communication is required to render you and your practice a "covered entity." Sending a single email or text message reminder to a single patient obligates you to bring the entire practice into HIPAA compliance.
Under HIPAA, you, as the provider, are a "covered entity" tasked with upholding patient privacy. However, so are your "Business Associates," or anyone who performs certain services on behalf of your practice which would give them access to PHI.
For marketing purposes, it's important to recognize that individuals you hire to perform marketing services — such as a copywriter — are considered Business Associates, as are the companies that produce digital marketing platforms (including CRMs, email providers, and more).
Even if you don't directly converse with anyone at, say, Mailchimp's corporate office in your everyday business activities, these software providers are still considered Business Associates because they have access to PHI through their platform. You must enter clients' names and email addresses (which are types of PHI) into Mailchimp in order to use the platform to send marketing newsletters.
Ways to Market Your Practice Compliantly
There are times when sharing stories from your work as a clinician may be an effective marketing strategy. These marketing practices can help you build credibility as a mental healthcare provider, convincing prospective clients to place their trust in your work.
If you want to talk about your clients in your marketing strategy, you have a few choices which allow you to do so without violating HIPAA:
1. Obtain Signed Consent in an Ethical Manner
If your licensure's code of ethics allows you to share experience about a specific case, you can obtain a signed consent form from the client. This is essential if you want to share an experience that may have identifying information or use photographs that includes the client. HIPAA requires that you include specific information in this authorization, meaning:
What PHI will be used
Who will use the PHI
Who the PHI will be shared with
An expiration date
The purpose for using the PHI
The patient's right to revoke the information
Even then, however, HIPAA strongly encourages you to educate your patient on the possible risks of releasing sensitive personal information about their mental health before they sign. A thorough patient information session may be necessary to legally and ethically disclose your client's PHI.
2. Remove All Identifying Information
Secondly, you can de-identify patient information by removing all traces of the client's identity from your marketing material.
In visual marketing, this allows you to legally use photos where no clients' names or faces are visible. In written material, you may legally share patient stories without their names, locations, or any other identifying information — even without obtaining consent from the client first.
One approach to de-identifying patient information is to change all names and identifying information while providing the disclaimer that names and other details were changed for the protection of the client's identity.
Another approach is to generalize by referring to the client in general terms like "one of my clients" or "someone I spoke with this week."
It's important to note that even if the patient's information has been de-identified, it may still be considered a HIPAA violation if enough details about their condition are shared that others may deduce who the patient is from their story.
3. Focus Marketing Materials on Your Expertise, Not Client Sessions
Finally, the least risky option is to avoid including PHI in your marketing material altogether. Instead of including stories from your sessions, share your clinical research, answer frequently asked questions, or offer patient resources like worksheets and journal prompts.
When you focus your marketing strategy on yourself, your knowledge base, and your values, you'll avoid a potential lawsuit — and start to attract the kinds of clients you actually want to work with.
Of course, there are downsides to avoiding the use of PHI whatsoever. Choosing to avoid PHI may limit your marketing activities — for example, by preventing you from utilizing email marketing — or lead you to miss out on valuable opportunities to build trust with prospective new clients.
How to Market by De-Identifying Information
When your goal is HIPAA compliance, it's better to err on the side of caution. Ideally, every therapist's goal should be to ensure the protection of PHI since potential violations can get you into a lot of legal and ethical trouble.
While releasing PHI requires you to obtain the client's consent for use in marketing, there are no restrictions on the use of de-identified information, meaning you can use it without the client's authorization. The exact language used to define de-identification of information under HIPAA is as follows:
"[De-identification of information is] the removal of specified identifiers of the individual and of the individual's relatives, household members, and employers … and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual."
Under the "Safe Harbor" provision of HIPAA, de-identification requires the removal of 18 specific types of identifiers, as well as any additional information that could be used to identify the client.
The identifiers that must be removed in all circumstances include:
Names
Locations (smaller than the state-level)
Dates
Phone numbers
Vehicle numbers (i.e., license plate, VIN)
Fax numbers
Device identifiers (i.e., serial numbers)
Email addresses
URLs
Social security numbers
IP addresses
Medical record numbers
Biometric identifiers (i.e., fingerprints, voice recordings)
Health insurance numbers
Full-face photographs
Account numbers
Certificate or license numbers
Any other unique identifying number, characteristic, or code
Whether the information is de-identified or not, HIPAA also requires that you use the "minimum necessary" amount of information needed to achieve your goals. In marketing, this means that you should take care only to include the most relevant details of the story in the message you are trying to communicate to your audience.
How to Market Without Patient Information
Ensuring your marketing material is HIPAA-compliant requires an investment of time and resources. Understandably, you might choose to forego this process altogether and consider marketing strategies that don't utilize patient information.
Some examples of HIPAA-compliant marketing practices free from any PHI could include:
Sharing graphics of your expertise that contain grounding techniques, coping strategies, or mindfulness practices on social media (with a disclaimer that the posts do not establish a therapeutic relationship between you and the follower)
Writing a blog post for your practice website that utilizes search engine optimization and specific search keywords in your area of expertise (with a disclaimer that the blog post should not be taken as medical advice)
Running social media or advertisements optimized for your target audience and keywords, utilizing graphics or stock photos with taglines that do not contain any PHI
Responding to reporter requests for quotes about trending mental health issues on Help a Reporter Out (HARO) and other platforms, AND ensuring your responses do not contain specific patient examples or PHI
Using old-fashioned paper marketing — hanging flyers and leaving business cards in cafes, libraries, and other businesses targeting consumers in the target area surrounding your practice
Marketing material that focuses on you, your professional services, your clinical expertise, and your values as a mental healthcare provider can be just as effective, if not more effective, at building trust than sharing patient stories and testimonials.
Including your headshots and other information about yourself in your marketing strategy helps humanize your brand by allowing prospective clients to put a face and personality to your practice's name.
Final Tip: Publishing Content with HIPAA-Compliant Digital Marketing Platforms
In today's robust digital landscape, there is no shortage of software available to help you streamline your digital marketing processes. Customer relationship management systems (CRMs), email marketing providers, and other digital tools undoubtedly make your life easier by allowing you to simplify your marketing strategy.
However, utilizing this software introduces unique privacy concerns when it comes to the protection of PHI. Not every digital marketing platform is HIPAA-compliant because not every platform offers you the ability to sign a Business Associate Agreement, or BAA.
Without a BAA, your "Business Associates" — defined as anyone who has access to PHI for marketing or other business purposes — aren't legally required to comply with HIPAA privacy regulations. Still, that does not relieve you of your responsibility to protect PHI.
By knowingly entering PHI into digital marketing software without a BAA, you are violating your responsibility to protect your clients' identifying information. Meanwhile, without a BAA, the company whose software you are utilizing cannot be held accountable for any potential breaches of client privacy — legally, only you will bear the blame.
Sadly, many popular marketing platforms are not HIPAA-compliant. Thankfully, when HIPAA went into effect, several companies identified a niche in the market and began creating digital marketing platforms designed exclusively for therapists. Additionally, other existing platforms implemented the option for BAAs so they could broaden the use of their software.
Some of my favorite HIPAA-compliant digital marketing platforms include:
Constant Contact. Constant Contact is a popular email marketing platform that will sign a standard BAA (provided by their company) upon request, bringing them into HIPAA compliance. You can build a website and/or landing page through Constant Contact, send marketing emails, and even integrate sales platforms like WooCommerce and Shopify.
Thryv. Thryv is a comprehensive Customer Relationship Management (CRM) platform that offers a HIPAA-Compliance add-on in their standard pricing. In addition to managing client information, you can also use the software to send emails and text messages to clients, as well as schedule your monthly social media posts.
Keap (formerly known as Infusionsoft). Keap is another comprehensive CRM platform that is fully HIPAA-compliant. You can utilize Keap to book appointments, create intake forms for your practice, and even send invoices, as well as complete marketing tasks like segmenting and messaging your email list and creating landing pages.
By using the strategies outlined here along with a HIPAA-compliant platform, your private practice will be able to showcase your expertise, build trust with current and future clients, and grow in an ethical way.
