How HIPAA Affects CRM and Vice Versa

The Health Insurance Portability and Privacy Act — more commonly known by its acronym “HIPAA” — targets specific electronic data and communication processes in medical organizations. Adopted in 1996, HIPAA sets standards for the use and disclosure of patient information.

At first blush, HIPAA seemed an imminent threat to customer relationship management in the healthcare industry. However, in the years since its passage, it has become clear that CRM can help hospitals and clinics market their services to the community in full compliance with HIPAA regulations.

“There was a general concern from organizations about what the rules meant for marketing in general,” says Lawrence Hughes, regulatory counsel for the American Hospital Association (AHA) in Chicago. “Marketing was identified early on as requiring special attention.”

The basic fear of medical marketers 10 years ago has dissipated, however. “The rule, as it evolved, kind of changed,” Hughes tells CRM Buyer.

Data Segmentation

Part of that transformation includes specific definitions of “marketing” within HIPAA.

The aim of CRM is to meet — and grow — the wants, needs and expectations of customers in order to increase the profitability of the CRM sponsor. The goal within healthcare organizations isn’t much different. Hospitals and clinics want to remain top-of-mind with existing patients while attracting and retaining prospects in their communities.

“HIPAA doesn’t restrict marketing from reaching out to its patients and its community,” Hughes maintains.

The AHA’s members cannot use protected health information for HIPAA-defined marketing without patient permission. However, communications about their services and their organizations do not qualify as marketing under HIPAA — even if they focus on results of CRM data segmentation.

Individual facilities differentiate themselves with the machines and medical innovations they adopt as much as by the staff competencies they nurture.

So, hospitals may mine CRM or health information management databases to determine the prevalence or ubiquity of diabetes or heart disease in the communities they serve.

They can issue information about medical problem prevention or management, even targeting identifiable victims, as long as they couch their communications in the service and prevention realm rather than playing up a specific machine or medication.

“HIPAA has made hospitals very aware of how they talk about services and products and the constructs of their messages,” Hughes says.

For example, if the Food and Drug Administration approves a new diabetes medication, HIPAA rules prohibit hospitals and clinics from talking about the drug as a product — but they permit them to talk about how they have used it successfully for patients in their treatment setting. “They are not marketing the pharmaceutical itself but [rather] their use of it,” Hughes says. “Context makes a lot of difference.”

Community Interaction

Some facilities steer clear of data use.

“I’ve never been asked to produce any sort of segmented reporting,” says Michelle Prisco, CIO of North General Hospital in New York City. Mailing lists for marketing materials and a community newsletter are not derived from the hospital’s CRM database but are distributed as mass communications. Neither the director of the community outreach department nor the director of patient advocacy has access to the CRM system, and neither has asked Prisco to supply contacts from it.

“We are a small hospital,” she says. Medical diagnosis is not as important in attracting patients as cementing a neighborhood presence and developing a reputation for having general concern about community health and wellness.

Marketing at Brooklyn Hospital doesn’t use patient information, either, Robert Cooper tells CRM Buyer. Instead, data analysis happens in internal medicine, where physicians may funnel patient information or aggregate trends in diagnoses to the various medical specialties.

“Marketing and community outreach is a pull, not a push,” Cooper says of Brooklyn Hospital’s practices. Additionally, cultivation of local health needs happens in a more grassroots, feet-on-the street environment than through a CRM solution.

“We know what’s going on in the community and what the needs are,” he says. Hospital staff and administrators interact with local clergy and elected officials and host an active community advisory board. The Hospital has developed programs on childhood obesity, cardiovascular disease, diabetes and hypertension because of feedback from these sources.

“We’re not taking information through the emergency room, so we have no HIPAA interaction,” Cooper says of the hospital’s community outreach and marketing functions. “We’re getting it straight.”

Patient Relationships

“In any field, risk tolerance varies by organization,” Hughes says.

Most medical services marketers worry less about HIPAA compliance than about maintaining appropriate relationships with their patients — protecting their personal information and using it with sensitivity to improve the health of individuals and the community. That concern and thoughtful approach to relationship management preceded HIPAA.

Brooklyn Hospital’s advisory board meets monthly. “What we hear about the conditions in the community is what we feel is needed,” Cooper says. This may include expanded health services, improved access to the hospital buildings and improved signage. “I think it’s an accurate way of determining what’s going on.”