As healthcare becomes increasingly data driven, digital, and more mobile, consumers demand healthcare organizations provide an online, streamlined experience to win their loyalty. Experts predict that by 2020, consumer experience will be more important than product or price in driving consumers to your brand.

This increased desire for a digital experience, however, comes with an increased need for security of protected health information (PHI). So you want to be sure you've got a HIPAA-compliant customer relationship management (CRM) system so your consumer data is as secure as possible.

HIPAA — the Health Insurance Portability and Accountability Act — was signed into law in 1996 after the growing use of computers led to greater electronic transmission of patient information. HIPAA forces healthcare organizations and providers to create standards and procedures for maintaining patient confidentiality, or face criminal penalties for failing to comply.

Of the five sections (or titles) of the law, “Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform,” applies most directly to a CRM system. Within that title, two rules matter most: the Privacy Rule and the Security Rule.

The Privacy Rule
The aim of the Privacy Rule is to protect against unlawful disclosure of PHI, physical and electronic, such as health status, healthcare services received, or healthcare payments made to a particular healthcare provider or organization.

You want to be sure that only authorized individuals are allowed access to sensitive healthcare information in your CRM, whether it is a preventative care print campaign or a personalized digital experience (or any number of cases in between). So while you wouldn't want to share specific patient data with those who aren't authorized to see it, you could share general demographic information about specific sub-groups, such as types of people prone to a greater risk of a particular cancer, or lifestyle habits that contribute to disease, while still remaining HIPAA compliant.

Additionally, you are allowed to “de-identify” patient information for use, removing all patient identifiers so that no one could identify a specific patient from the information.

Be aware, too, that the Privacy Rule also has a corollary, called the Breach Notification Rule, that requires organizations and their business associates to notify anyone who has been affected by an unauthorized disclosure of PHI.

The Security Rule
Complementary to the Privacy Rule, the Security Rule is designed to protect electronic PHI (e-PHI), which in this digital age is increasingly becoming the main channel for reaching consumers. This rule requires your CRM software to have three categories of safeguards: administrative, physical, and technical.

  • Administrative safeguards are the policies and procedures that help secure data privacy, which includes such things as internal audits and training staff to be up to speed on these concerns.
  • Physical safeguards require a secure physical location for both hardware and software with policies that protect and limit access and visibility to only authorized personnel.
  • Technical safeguards are the technology controls, such as encryption of information transmitted over an unsecured network, that keep e-PHI protected. One way to ensure technical security in your CRM is to choose software that lets you assign different security roles to different people. Additionally, some software allows even more granular levels of security, where you can restrict access to individual forms, and even to fields within a form.
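As an added illustration of the role- and field-level controls and the de-identified view described above (example code, not the post's or any vendor's), here is a minimal policy that filters a CRM contact record per role; the role names, field names and sample record are assumptions:

```python
# Added example (not the post's code): field-level access policy for a
# healthcare CRM contact. Role names, fields and the sample record are
# hypothetical; de-identification follows HIPAA Safe Harbor (45 CFR 164.514(b)).

IDENTIFIER_FIELDS = {"name", "email", "phone", "mrn", "street_address"}

# Fields each role may read; "deidentified" means the role only ever gets
# the Safe Harbor view, never raw PHI.
ROLE_FIELDS = {
    "care_coordinator": {"name", "email", "phone", "mrn", "street_address",
                         "zip", "birth_date", "diagnosis", "last_visit_date"},
    "print_campaign": {"name", "street_address", "zip"},  # mailing only
    "population_analyst": "deidentified",
}

SAMPLE_CONTACT = {  # constructed record
    "name": "Jane Example", "email": "jane@example.test", "phone": "555-0100",
    "mrn": "MRN-000123", "street_address": "1 Main St", "zip": "02139",
    "birth_date": "1929-05-04", "diagnosis": "type 2 diabetes",
    "last_visit_date": "2019-11-20",
}

def deidentify(record, current_year):
    """Drop direct identifiers, keep only the year of dates, truncate ZIP to
    three digits and bucket ages over 89 as '90+' (birth year removed)."""
    out = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            continue
        if field == "zip":
            # Assumes the 3-digit ZIP area has >20,000 people; else use "000".
            out[field] = value[:3] + "00"
        elif field == "birth_date":
            age = current_year - int(value[:4])
            out["age"] = "90+" if age > 89 else age
        elif field.endswith("_date"):
            out[field] = value[:4]
        else:
            out[field] = value
    return out

def view_for_role(record, role, current_year):
    """Return only what the role may see; unknown roles get nothing."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"role {role!r} may not read contacts")
    if allowed == "deidentified":
        return deidentify(record, current_year)
    return {k: v for k, v in record.items() if k in allowed}
```

A real CRM would also log every read of the full record, so the audit trail the administrative safeguards call for exists alongside the access control.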

The Right Stuff
CRM software vendors may claim they are HIPAA compliant, but you need to be vigilant in ensuring your vendor understands the nuances of HIPAA rules while still enabling you to provide the best consumer experience for your needs. Ask your vendor if they'll sign a HIPAA Business Associate Agreement, which commits them to comply with the law. The right vendor should also have an experienced implementation and services team in place that can handle data and technology advancements in this constantly evolving industry. The right vendor will take the guesswork out of protection and privacy so you can focus on the consumer experience.

Because hospital compliance and security teams are becoming more involved in the buying and approval process for healthcare CRM, it's also important to understand some potential compliance objections that may come up. Compliance teams want to know that vendors have a formal incident management process. They also want to know that vendors have disaster recovery plans and strategies in place, and they always ask about the technical controls for data (encryption at rest, encryption in transit, etc.). If you can answer these questions early in your process, you'll find getting buy-in across your organization much simpler.

With careful consideration, HIPAA compliance doesn't have to be a hassle — it can push your health system to match content with consumer needs.

Want to learn more about how a healthcare specific CRM solution can protect your organization and help you reach your consumer experience goals? Download our Definitive Guide to Healthcare CRM.