Each day, about six million Americans search for health information online. Because online activity is such a major part of healthcare consumers' decision-making, there is a risk that their protected health information (PHI) could be accidentally exposed by an organization's digital marketing efforts, causing a HIPAA violation.

To avoid legal penalties and guard patients’ PHI, health system marketers must be knowledgeable about HIPAA regulations. Because HIPAA limits how health systems can collect online search data and target consumers, the most effective way to reach your community is an agile and engaging content marketing strategy that includes HIPAA compliance across channels.

Just like physicians and administrative staff, your health system’s marketing team is required to follow HIPAA regulations to protect patient privacy. This applies to both in-house marketers and outside agencies. If you outsource content, make sure the agency is well-versed in HIPAA to ensure full compliance. That’s why all of CrucialContent’s writers and managers are trained and certified in HIPAA business practices.

Make sure your health system's content complies with the HIPAA Privacy Rule by following these guidelines:

Use caution with user data.

The best way to keep PHI out of your digital campaigns is to store patient information in its own CRM and manage your marketing efforts, such as email automation, on a separate platform. When tracking engagement, for example phone calls that result from mobile ads, use a HIPAA-compliant service like CallRail to get useful analytics without exposing PHI.

Avoid overtargeting.

HIPAA forbids any content or ad copy that implies knowledge of consumers' PHI. This means general information is best when describing a healthcare service. This is especially true for a remarketing strategy, because displaying healthcare ads based on a user's previous site visits risks exposing PHI. For this reason, Google AdWords most often restricts remarketing for healthcare services.

Keep PHI out of your storytelling.

Including a patient testimonial in a video or article makes the content relatable, but make sure your efforts to humanize your message won't reveal confidential information. If a patient agrees to be featured in an article, video or photo, you need to explain exactly what they're agreeing to and receive written consent. When you don't have written permission, remove all personal details, such as the patient's name and date of treatment, so the subject is not identifiable. You can still tell a compelling story without giving away his or her identity.

Monitor social media.

You're educated about HIPAA, but most of the public is not. To keep community members from accidentally causing a HIPAA violation on your social media pages, review all comments to ensure no one posts content containing PHI (such as a message about a relative receiving care or a photo of a patient). This goes for review sites like Yelp, too.

Connect to your audience as people, not patients.

Because HIPAA sometimes limits the ways health systems can use digital ads, a powerful content marketing strategy is especially important. The best way to stay top of mind among prospective patients is to create informative, timely and relatable content that’s focused on lifelong wellness. This will make you a trusted resource for consumers, no matter what their needs may be.


You've got compliance down. Now, do you need more on content? These custom content strategies for healthcare marketers are a great place to start.