Getting Healthcare Marketing Testimonials While Maintaining HIPAA Compliance
How to Get Social Proof While Also Protecting Patient Privacy
A lot of business owners turn to a copywriter because they believe that they need to persuade more people to purchase their products/services.
And while persuasion helps, it is far from the most powerful motivator for potential customers to take action. The most important one is "product/market fit", but the SECOND most important motivating factor is SOCIAL PROOF:
Live Site Traffic and Engagement
Customer Success Stories
Customer Testimonials
When people see these things on your website, it tells them that people like them trust you with their healthcare. "It worked for them, so it will probably work for me!" is what they (correctly) tell themselves. 72% of people look for reviews when looking for a doctor, physician, or healthcare professional. And without them, even the best page of copy will struggle to convert website visitors.
But before any healthcare business can post social proof, they need to check and make sure their efforts will comply with one very important thing...
HIPAA, the big kahuna of patient privacy, plays a HUGE role in how anyone in the healthcare industry markets their healthcare services. Email, social media, websites - all fair game for marketing, but you must follow HIPAA's rules like a star quarterback follows the playbook.
This blog post will first touch on some of the essential questions surrounding HIPAA. It will then pivot to HIPAA and social proof: what kind of consent you need, how to get it, and ways to implement it on your website.
NOTE: this is not official legal advice! I am a copywriter, not a lawyer, and all attempts at HIPAA compliance should be reviewed by a legal professional.
Frequently Asked HIPAA-Related Questions
What does HIPAA stand for?
HIPAA stands for the "Health Insurance Portability and Accountability Act". It is a federal law created in 1996 to prevent the improper distribution of sensitive patient information, require informed consent, and protect patient privacy.
What are the four standards of HIPAA?
The Privacy Rule: healthcare operations must take reasonable steps to protect patient information
Electronic Transactions: national standards for electronic communications between healthcare providers
Security Requirements: minimum defensive measures healthcare organizations must take to A) safeguard confidential patient information and B) prevent outside third parties from accessing a client's data without authorization.
National Identifier Requirements: each covered entity must have a number to identify themselves when communicating with one another.
Why was HIPAA passed?
As the internet became a bigger part of healthcare communication, patient information went from papers that could be faxed to digital files that could easily be captured, copied, transferred, and stored digitally. As information becomes more accessible, the danger of a breach of confidentiality substantially increases. There was also a concern that insurance companies would collect information sent to them by healthcare providers for the approval/denial of claims and use it for targeted marketing.
What is protected under HIPAA?
HIPAA includes provisions designed to encourage electronic transactions and requires extensive safeguards to protect the security and confidentiality of health information. This includes medical records, treatment options, doctor notes, and PHI.
What is Considered "PHI" Under HIPAA in Marketing?
PHI, or Protected Health Information, is any information about a patient that can identify them. This includes their name, address, medical record number, or even if they visited a specific healthcare provider. HIPAA requires that this information be kept safe and secure.
Are there privacy restrictions that extend beyond HIPAA?
Yes. Provisions of state law may be more stringent in protecting patient privacy. HIPAA is the U.S. bare minimum; any state's additional regulation takes precedence.
What is the responsibility of healthcare practitioners?
Health practitioners must A) inform patients of their rights, B) provide a written notice, and C) ensure that all forms of communication take place in a secured environment. Once communication is in the hands of the patient, the patient may share the information with third parties at their own discretion.
When there is a request for confidential health information, how much does a healthcare provider have to share?
As little as necessary for the healthcare provider to comply with the request. Usually this is for billing, so only what is necessary and reasonable for insurance. However, if the information is demanded by a court order, the healthcare provider must comply and hand over anything and everything requested.
Are There Specific Penalties for HIPAA Violations in Marketing?
The Department of Health and Human Services takes HIPAA violations very seriously. The penalties can vary widely; they can be large fines or even criminal charges, depending on how serious the violation is.
How do I secure data storage and ensure safe transmission of client/patient details?
If you have worked in healthcare for any amount of time, then your place of work used patient communication software built specifically for HIPAA compliance. For example, Gmail is not HIPAA compliant... but the patient portal of a healthcare organization is.
When looking for HIPAA compliant data storage and communication, you should prioritize access controls, encryption, and audit trails. These controls make it far harder for patient information to fall into the wrong hands.
Consent and Permissions in Healthcare Marketing
If you want to learn more, I suggest visiting the Compliance Group website. Because now we are going to pivot to how HIPPA creates a unique environment for marketing.
HIPAA states that a healthcare provider or insurance provider cannot use ANY patient information in marketing materials without EXPLICIT patient/client consent. Even if you want a simple "____ Clinic Made Me Feel Better!" you need to really go out of your way to get their informed consent. With HIPAA, you have to go above and beyond... but the work to get that social proof is more than worth the effort (read about the importance of social proof here).
HIPAA dictates that health care providers must explain to patients how their health information is used, disclosed, and kept. The disclosure document must be read, understood, and signed by the patient.
First, the METHOD of communication:
The policy must be a written document that is in the patient's possession (and a copy if they sign)
The policy must be in plain language an adult can understand
The healthcare provider must make a good-faith effort to obtain the patient's written acknowledgment (receipt of notice).
Second, the INFO that must accompany the request for disclosure:
A list of the patient's rights
The privacy policy itself
An overview of the health practitioner's or healthcare business's responsibilities concerning the patient's privacy
Details as to who the patient can contact if their privacy is violated
Finally, the DETAILS surrounding the request for disclosure:
A description of what the healthcare provider wishes to disclose
Identification of the person whose information they wish to disclose
A detailed outline of the uses of said client information
An expiration date that relates to the purpose of the use of the disclosure
How the patient will be informed if the privacy policy is changed
That the disclosed information will be used for marketing purposes
These requirements mean that a healthcare provider must have a marketing strategy BEFORE they request to use any patient information in promotional material. For more information, you can download a HIPAA compliant checklist below.
Methods to Secure Patient Permissions Effectively
Reading all of that at once can be pretty intimidating...
And on the one hand, that's good; patient privacy is a serious matter!
But on the other hand, it really can be as simple as this:
Asking the patient if they are willing to provide a positive review
Provide them a list of their rights, your policy, and other necessary information
Explain that it is only for your website (or any other marketing channels)
Clarify that you just want a sentence or two about what they liked about their experience of your services, plus their first name.
Explain that in two years you will take it down (unless they provide approval again)
Get their signature.
This should be initiated in person at the front desk. But it can also be completed via online forms; electronic signatures and secure portals make it easier for patients to give consent and for you to track those permissions. Just as we keep track of patient medical histories, we also need to keep careful records of patient consent. This should include dates, times, what information they agreed to share, and how they prefer to be contacted.
An easy way to initiate this conversation is to ask if they had a positive experience. If they said yes, ask if they would like to post a review, and as thanks you would like to give them a $25 gift card.
IMPORTANT NOTE: healthcare providers can ask for a review, but you CANNOT pressure the client/patient in any way, shape, or form. Keep in mind, it is not up to you to determine if you pressured them or not; if the PATIENT felt pressured, then you pressured them! So when asking patients if they are willing to disclose personal information for your marketing purposes, be sure to be A) kind, B) calm, C) gentle, and D) respect any decision.
Posting Patient Stories and Testimonials
So now that you know how to stay HIPAA compliant and ask for patients' permission... what kind of stuff should you post? Assuming your site is secure and will keep patient data safe (I am assuming that, but you should NOT! Make sure!), there are five different types of proof customers will want to see that require getting patient permission:
Third Party Reviews are what people see on Google, Yelp, and other public review sites. Obviously these are posted by the free will of the patient on a public platform and do not require you getting their permission. However, you DO need their permission to post those Google reviews on your site... though some of them may be negative.
THAT SAID... if you COMMENT on these Google reviews WITHOUT having some sort of permission, THEN you are in violation of HIPAA. For example, commenting "Thank you" acknowledges the compliment... but commenting "It was great seeing you!" confirms that they were a patient of yours, which you cannot do unless you have their express permission.
Written Testimonials are positive patient experiences. They tend to be a few sentences long and reinforce some of the best benefits you have to offer. They are not pulled from Google but sought out and cultivated by you from your customer base. Penn Medicine has a page set aside for testimonials. It's simple, but it gets the job done.
Case Studies are detailed accounts that take readers through the journey of one of your patients. They start off by identifying the patient, their symptoms, and the reasons they came to you for help. They then outline how you helped them and reveal the great results. They are comprehensive, thorough, and allow site visitors to imagine themselves in a similar position. Cleveland Clinic has a "Patient Stories" page that lists case study after case study.
Video Testimonials are the strongest form of social proof you can get. They are short, emotional video interviews featuring patients that can be shared on social media, YouTube, or in waiting rooms. They are the most relatable, personal, and authentic, and carry the most weight with potential patients.
Infographics & Data Visuals are simply charts, numbers, and graphics that summarize patient improvements and outcomes in a compelling, easy-to-digest format.
"Can't I just do anonymous reviews?"
You can, but most people won't believe them. The more information about the person giving the review, the more credible it is. Usually a first name, year of service, and picture of a patient is more than enough to be compelling to website visitors or anyone considering your healthcare services.