Published on March 09, 2018/Last edited on March 09, 2018/5 min read
HIPAA is probably older than your interns (and maybe even some of your employees), so while we’re all paying attention to our data protection regulations thanks to GDPR, let’s have a quick refresher on HIPAA compliance.
HIPAA, established in 1996, is all about organizations in the United States. It stands for the Health Insurance Portability and Accountability Act, and it sets down rules intended to ensure that organizations with access to customers’ health information are protecting that highly confidential information appropriately.
If you’re like us, you’ve had GDPR on the brain for months now (and if you haven’t had GDPR on the brain, maybe check out our 17 must-knows on the regulation sooner rather than later). GDPR is all about PII, or personally identifiable information. HIPAA, however, focuses on Protected Health Information (PHI). While there’s a lot of overlap between the two, PHI refers specifically to any information created or received by a health provider that relates to any individual’s past, present, or potential future physical or mental health conditions.
Let’s break that down a little more. PHI encompasses some of the more obvious elements like medical records, test results, admission and discharge dates—really anything that you imagine a TV doctor is looking for on those clipboards at the foot of a hospital bed. But it also refers to unique, individual data points, like a patient’s name, email address, Social Security number, IP address, account number, images, demographic information, and more.
In short, any information that could imply or allude to health conditions connected with an individual should be considered Protected Health Information.
Unlike GDPR, which is said to affect 80% of global brands, HIPAA is mandated only for “Covered Entities.” This term refers to:
Like many regulations, there are fines associated with failing to comply with HIPAA. HIPAA’s financial penalties aren’t as hefty as the ones you see with some other regulations, though, with annual caps around $1.5 million in most cases (compare that to GDPR’s €20 Million or 4% of annual revenue!).
That said, in the most severe cases of non-compliance (those instances when organizations fail to correct issues, and there is clear deceptive intent), complicit individuals at non-compliant firms can face criminal charges of up to 5 years in prison. Yeah, that’s not something to mess with.
Yes, we are! While Braze is not a Covered Entity, security for our employees, our clients, and their customers is of the utmost importance to us. HIPAA is a little different from other regulations because it doesn’t require all your sub-processors to be compliant in order to maintain your own standing—you just have to use work-arounds when it comes to data (we’ll get to that later).
That said, the Braze platform is built on the concept of “Security by Design.” We believe in trust and transparency, and we want our customers affected by HIPAA to have the option to use our technology in the best and safest ways possible to reach their business goals.
Here’s a fun rule-of-thumb for understanding what kinds of messages to avoid under HIPAA: assume your customer is in a meeting with their boss, or better yet, giving a presentation on a shared screen. If your message would make them cringe in front of their coworkers (or, simply, would give their colleagues personal information they wouldn’t have wanted to share)… you probably shouldn’t be sending it.
Fear not: Covered Entities can use basic personalization, as long as it doesn’t pull in PHI. Plus, there are still some great tools you can leverage for effective messaging while remaining HIPAA compliant.
As a reminder, we can’t give you any legal advice for compliance. But here are a few tips and tricks we have seen some of our clients use to provide more engaging experiences to their customers without passing PHI through our system:
Some brands opt to use coded segmentation or to use a CSV so that they can send messages that are relevant to particular customers, without telling their engagement platform that they’re sending a message to people with a certain predisposition. Simply segment customers in your internal system, label them A/B/C or 1/2/3 or Penguin/Giraffe/Unicorn (this is known as pseudonymous information), then upload that file into your engagement platform. That way, you can still send pertinent messages to people who, say, have an appointment booked, or who are due for their annual exam, without breaching HIPAA.
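The coded-segmentation workflow above, as an added example that is not Braze’s own code: a constructed internal record set is mapped through a codebook that only the covered entity holds, and the export is allow-listed so that only an external user id and the opaque label (Penguin/Giraffe) ever reach the CSV that goes to the engagement platform. The record fields, the codebook and the `ALLOWED_COLUMNS` allow list are assumptions for illustration.

```python
import csv
import io

# Constructed sample of an internal, PHI-bearing record set. In practice this
# lives only in the covered entity's own system and never leaves it.
INTERNAL_RECORDS = [
    {"external_id": "u-1001", "name": "Ada", "email": "ada@example.com",
     "reason": "annual_exam_due"},
    {"external_id": "u-1002", "name": "Bob", "email": "bob@example.com",
     "reason": "appointment_booked"},
    {"external_id": "u-1003", "name": "Cy", "email": "cy@example.com",
     "reason": "annual_exam_due"},
]

# The codebook maps the sensitive reason to an opaque label. Only the covered
# entity holds this table; the engagement platform sees just the label.
CODEBOOK = {"annual_exam_due": "Penguin", "appointment_booked": "Giraffe"}

# The only columns permitted in the upload. Anything else is treated as PHI.
ALLOWED_COLUMNS = {"external_id", "segment"}


def build_segment_export(records, codebook):
    """Return rows holding only the external id and the coded segment label."""
    rows = []
    for rec in records:
        # An unknown reason raises KeyError rather than leaking the raw value.
        rows.append({"external_id": rec["external_id"],
                     "segment": codebook[rec["reason"]]})
    return rows


def leaked_columns(rows):
    """Return the set of columns in the export that are not allow-listed."""
    leaked = set()
    for row in rows:
        leaked |= set(row) - ALLOWED_COLUMNS
    return leaked


def to_csv(rows):
    """Serialise the export as CSV text, refusing to write any PHI column."""
    leaked = leaked_columns(rows)
    if leaked:
        raise ValueError(f"refusing to export PHI columns: {sorted(leaked)}")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=sorted(ALLOWED_COLUMNS))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Calling `to_csv(build_segment_export(INTERNAL_RECORDS, CODEBOOK))` yields a two-column file with no names, emails or exam reasons in it; decoding a label back to its meaning requires the codebook, which stays inside the covered entity.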
You can still use cross-channel messaging, and can even make sophisticated, coordinated campaigns around your users’ activity. Whether or not someone has engaged with a push notification is not PHI, after all.
But let’s go back to the rule-of-thumb test. Do you want a push notification coming up during your meeting with information about test results, or a web push notification saying “Picked just for you: New research on mole color change patterns in adults”? Likely not. Email can be a particularly vulnerable channel, too. Think about it—do you still own your university email? Or has it been passed to the next jon@university.edu? Being thoughtful about what channels you use to communicate which messages is a key part of ensuring that your customer outreach is seen as valuable and appropriate by the people you’re trying to reach.
Be mindful about the channels you choose, always keeping the meeting test at top of mind. As for your messages, maybe stick to more generic information like, “Hi! There’s a new message for you. Log in to the patient portal to see it.” That way, even if devices fall into the wrong hands, your users stay in control of who sees what message.