
Dental practice marketing: Keeping it HIPAA-compliant

May 17, 2024
Have you considered how HIPAA applies to your digital marketing and website? The HHS guidelines issued in December 2022 cannot be overlooked by dental practices.

Any dental practice that wants to reach new customers and stay competitive is probably using digital marketing. An inexpensive way to target patients, digital marketing lets dental practices show up where their patients spend most of their time: online. However, as more health-care providers advertise online and build more sophisticated, data-driven marketing strategies, that activity has also drawn more attention from regulators.

Many dental practices know how HIPAA regulations impact their in-office procedures, but they may not consider how HIPAA applies to their digital marketing and website. HIPAA regulations have specific standards around the online storage and transmission of data that may be overlooked. Website contact forms can be one of the stickiest areas: when a patient or potential patient submits their personal information, it can’t be stored just anywhere. It must be stored in a HIPAA-compliant server with a platform that will sign a special contract called a business associate agreement (BAA).

But new Department of Health & Human Services (HHS) guidelines rolled out in December 2022 have broad-reaching implications for the most basic tracking tools used by dental practices, including Google Analytics, Meta Pixel, and others. These guidelines are so stringent that they call into question whether health-care providers can use these free analytics technologies at all.

Vet digital vendors

When protected health information (PHI) is stored online, it must be encrypted and stored in a server that meets HIPAA security standards. If it’s transmitted from one place to another, that transmission must also be encrypted. More than that, dental practices must ensure that anyone who has access to that data handles it appropriately. This includes any agencies who may be assisting with your digital marketing efforts.

Ask your digital agency or website vendor about how they handle PHI. Establish a BAA between your practice and the vendor. A BAA is a contract that certifies both parties understand and uphold certain security standards. It also assigns legal responsibilities in case anything should go wrong. Some vendors or platforms may not handle any PHI, which means you don't need a BAA with them. Determine whether a vendor will touch that protected information or not.

What about analytics and ads platforms?

Tracking and analytics technologies like Google Analytics, Meta Pixel, Google Ads Pixel, and other pixels often do not meet HIPAA standards when it comes to data storage and encryption. They also will not sign a BAA with your organization. Many believed these platforms were acceptable under HIPAA because they store data in aggregate or in de-identified form. However, the new guidance from the Office for Civil Rights (OCR) calls into question whether it’s acceptable for a health-care organization (a "covered entity") to pass IP address, detailed location information, and user ID on to a third-party platform. Google Analytics and other tracking pixels do this by default.

How server-side Google Tag Manager can help

There is an option to use Google Analytics and advertising pixels while adapting the data you pass on to those platforms. Sometimes called an “analytics proxy,” server-side Google Tag Manager is a system where you decide where to send the information collected about visitors on your website. When a patient or potential patient visits your website, the analytics you want to collect will be sent through a HIPAA-compliant server and secured under a BAA, and parameters like IP address and device ID can be removed from the data before it’s sent on to Google Analytics or the Meta Ads platform.

This method gives you more access to and control over your website data while preserving your current analytics and reporting structure on Google Analytics 4, Google Ads, Meta ads, and more.

What should your dental practice do?

We recommend that practices bring the new guidance to the attention of their lawyer or in-house compliance team and discuss the tracking technologies used for digital marketing. From there, work with your legal people and digital vendor on a plan that fits your goals around risk management and compliance. 

As a final note, all companies with a website should have a privacy policy, but this is especially important for health-care organizations. Now is the time to be open and transparent about how your practice collects and uses data for marketing purposes. Consider offering the option for your website visitors to opt into tracking. This will create more affinity and trust that your dental practice does the right thing with its data.

It may seem overwhelming at first, but there are options to ensure that your marketing is on-point, and your patient information is protected!


Editor's note: This article appeared in the May 2024 print edition of Dental Economics magazine.

Rachael Sauceman is director of strategy for Full Media, a health-care digital marketing agency. Full Media offers HIPAA-compliant digital marketing and website design services, including server-side Google Tag Manager implementation for dental practices.

