We’ll talk through your marketing goals, and determine if we’re a great fit.
Marketing A Private Medical Practice.While in school, business and marketing was not a focal point of coursework. Unfortunately for you, that means you have to learn about business from the school of hard knocks.
Just because you opened your medical practice doesn’t mean your calendar will be overflowing with new patients. You need a game plan to help you grow regardless of how big or small your practice is.
If you are here you need help.
From our experience from successfully marketing practices,
We compiled our list of the 30 best marketing tactics for private practices to help you build and grow a healthy sustainable practice.
While helping you remain HIPAA Compliant in your marketing efforts.
First you may be asking,
As a doctor, you need to remember that you are an advocate for your patients and must be sure to make this clear to them from the start. This should be your main message. Making sure your patient base understands who you are and what your values are is an important part of marketing yourself as a doctor they can turn to in times of need. Which can lead to more patient referrals.
When a patient wants to learn more about you, the first thing they are likely to do is head to good ol’ Google. Give them something meaningful to look at when they find you; invest in a site that is professional, aesthetically pleasing, and easy to navigate.
Gathering testimonials from current or past patients that highlight their positive experiences with your private medical practice is one of the best ways to build a trustworthy reputation. Studies have shown that half of patients think it is important for their doctor to be well liked by others, and 77% ranked trustworthiness as the most important trait their doctor needs to have.
Best of all, collecting testimonials is a relatively straightforward process. Keep up your excellent care and bedside manner. Then ask your patients to review your medical practice and attest to your high level of care.
However, always maintain HIPAA compliance. Only use testimonials or reviews with the patient’s expressed SIGNED consent. Don’t assume that if you get a review online you can respond any way you want or post it on another site, never reveal any personal identifiable information.
Social media is the ultimate modern marketing tool. Billions of users flood social media platforms daily for information, entertainment, and so much more. So, how can you take advantage of it? Create social media accounts on major platforms such as Twitter, Facebook, and Instagram, of course.
Before establishing your presence on any of these sites, however, it is important to research what platforms you are most likely to find your patients on. For example, Facebook is the go-to social media platform for many older people. If you see mostly adults who are 60 or older, then, it only makes sense to work hard to establish yourself on Facebook above any other platform. Here is a helpful breakdown of social platforms by age group as well as income levels.
As a doctor, you are a valued member of your community. Your private medical practice is also part of that community. Therefore, taking the time to invest in your community shows others that you are not just in it for the money but you genuinely want to help people. Examples of community outreach include attending charity events or volunteering medical supplies or services several times a year.
These are not only excellent ways to show the community that you care but also a great opportunity to make your practice locally known.
SEO stands for search engine optimization. Using SEO best practices ensures that your website ranks high when prospective patients search for you. Good SEO strategy takes into account quality content, word choice, and local listings. You can hire an SEO company to help you with this or read up on these best practices yourself here.
Local listings display information about your practice like address, website, and contact number. All of this information makes it easier for patients to find you. Make sure to claim and verify these so that search engines can easily pull up your information. Search engines like Google are such an integral part of our everyday life—it would be a detriment not to effectively utilize this form of advertising!
Blogging is a great tool for connecting with your audience and building your reputation. Information shared on your medical practice’s blog not only helps you build credibility as a doctor but also gives your patients insight into your business. Offer health tips, post information on health conditions, or touch on other topics your readers would be interested in.
When used correctly it can support your SEO strategy.
After establishing a website, it can be easy to think that your work has been done. However, it is not quite that simple. Make sure that you are taking the time to update your website on a regular basis.
You do not want patients or potential patients coming across a site with outdated information or old technological functionality. These issues can create distrust or frustration among your patients or leave you open to a hack.
Show your patients that you care by actively engaging with them. Utilize social media platforms to share information and keep in touch with your patients. Also make sure you are replying to all comments or messages, not just the positive ones. This shows that your practice’s first concern is ensuring patients are taken care of and that their concerns are not being ignored.
Important to note that when replying to comments that are available publicly do not include any personally identifying information. It is best to direct feedback related comments or questions to a pre approved list of canned HIPAA compliant responses that move those conversations offline or to a more secure environment.
Direct marketing strategies include sending out newsletters, birthday cards, “welcome to the family” greetings for new patients, and even friendly reminders for upcoming appointments. Patients want to feel valued and seen. Direct marketing can be impactful because it creates personalized experiences that make patients feel welcome and more than just another number in your records.
As a doctor, you have knowledge and experience that can benefit your entire community. Use your expertise to educate your community on staying healthy; hold seminars at local events to offer patients tips on a variety of health-related topics. You might even visit schools, nursing homes, and other institutions to educate others. In any case, showing your willingness to help others builds trust.
The best way to win over your patients and ensure that they want to come back? Simply provide them with top-notch care. Maintain quality care, and the good reviews will follow. This method depends upon building a loyal patient base by promoting your practice via word-of-mouth. It may take time to pay off; however, if you are persistent and passionate about everything you do, it will be worth it.
Branding plays a key role in marketing and is a dynamic way for patients to recognize you in the community. Make sure to create a cohesive logo, website, and practice “look” so that your practice is easily identifiable. Focus on creating a memorable experience for your patients. There are great resources on building and defining brands online that can help you with this.
Make visiting your practice seem more enticing than ever. Discounts may come in the form of free screenings or referral discounts for patients who are introduced to your practice by a current patient. Moreover, discounts can give patients the opportunity to test out your care or explore new services.
Like blogs, webinars are great for building trust and showing off your expertise. These online speaking events inform your patients on topics they may be interested in while also giving them a chance to engage back. Webinars usually incorporate question and answer sessions or discussions, which can help you connect with the community your medical practice serves.
Let potential and current patients know that you have time in your schedule by emailing, posting online, or putting up signs that state that you are “Accepting New Patients”. This will signal to people that you want to prioritize them.
Personalize pens, notepads, magnets or other free items with your medical practice’s brand and contact information. Then, pass these out to your patients or at various events throughout the community. These little items keep your patients and strangers alike excited. After all, who doesn’t like receiving free things? Not to mention, even a little pen with your name and practice plastered on it is a great way to advertise yourself.
Become familiar with other professionals in the area and in your field. They can become critical supporters of your medical practice, and you can even help them build their client bases. They will do the same by referring patients to you.
Paid search campaigns can easily drive your target audience to your social media and website while also targeting patients interested in your private practice’s specific services. Pay-per-click advertising buys you advertising space on search engine results pages–for example, Google, Bing, or Yahoo. The best part is that you only pay if your paid ad is clicked on and you can get in front of higher competitive searches your SEO and content marketing campaigns may have trouble ranking for in the search results when you are new.
As your private medical practice continues to grow, consider adding additional staff and services to your practice. This not only attracts new business but creates more loyalty within your patient base, because they may visit your office for multiple services instead of just one. For example, if you are a pediatric orthodontist, you may team up with a general pediatric dentist to offer more services in one office.
While digital marketing has grown significantly in the last decade, you shouldn’t overlook the benefits of traditional marketing to attract new patients. In fact, traditional advertising strategies like TV ads are still the most effective based on indicators such as sales and new accounts. Reach out to local radio, newspapers, and TV stations for some of your practice marketing needs. Just remember to target advertising towards your desired audience.
Offer to be a medical reference for news articles relating to medicine. This is a great way to gain exposure while establishing your expertise in the medical world. Being cited in a news article as a medical source or as the health column expert helps you foster trust among your current/prospective patients. While also improving your local SEO and reach.
A chamber of commerce is a business network that works to further the goals and interests of businesses. If you’re not sure where to start when it comes to community outreach, you can get in contact with your local chamber of commerce to get involved. This network can help you identify areas where you are needed and is also a great way to build relationships with other businesses in the area.
Open houses are a great way to welcome the community to your private practice and help you establish important relationships. Show off your facility and your services to the community by inviting the public to an open house. These events give potential patients a chance to meet your staff and see what your office looks like.
Health fairs help you build brand awareness and can help you advertise your services to people who may otherwise have been unaware about you or your practice. Use these events to give back to your community while also speaking to them about the services you offer. They can also be an effective way to build professional relationships with other providers who can become a great source of referrals.
Contribute to medical journals or publications to show your knowledge on particular topics. You can build your reputation and credibility by referencing studies and research that your doctors have participated in. These can help assure your patients of your expertise. White papers also can help in a SEO strategy for building up your brand mentions and backlinks.
3.5 billion people in the world own smartphones. Tap into this market by making sure your website is mobile friendly. For example, you might make it so that your patients can call your office simply by tapping a button on your website.
Create materials for distribution and information to hand out to your patients when they visit your office. Pamphlets and brochures not only teach a patient about your services and the values and mission of your medical practice, but they are also easy to pass along to others. In addition, you can hand these out at any events you attend.
Stay in touch with your patients and keep the lines of communication strong with email. Emails can include appointment reminders, links to your blog or newsletter, and updates on upcoming events or promotions your practice is holding. This strategy allows you to keep in touch with patients outside of regular office visits.
Don’t forget the patient release documentation to allow you to market to them.
Let your new and long-time patients know that you appreciate them with handwritten letters. Personalized touches like this remind your patients that you care about their business and will help your practice stand out.
There are plenty of marketing ideas out there both for new and established medical practices. For those looking to keep costs down, focus on marketing strategies that you can personally carry out. Learn how to build great social media and other marketing courses in Udemy. However, don’t forget about HIPAA when engaging in social media.
Design apps like Canva offer free basic graphic creating tools while a basic internet search can teach you how to put out helpful content. If spending money on advertisements is too costly, focus on word-of-mouth marketing and building a loyal patient list and find some networking groups to gain professional relationships that will help promote your business through referrals.
The world of marketing is expansive. Take time to test different strategies and find what works best for your medical practice.
As a healthcare provider, your mission is to ensure that your patients are receiving high-quality medical care. When it comes to building a patient base, marketing efforts for private medical practices cannot be overlooked. Having multiple marketing strategies in place will put your private medical practice on the map, enticing prospective patients to seek out your care and expertise.
There are many ways to set your private practice up for success. Below, we offer some of the best strategies for ensuring that your private medical practice receives the attention it deserves.
If you’re a practicing physician or have just finished your residency, you may be considering starting your own medical practice. Although it can feel like a daunting task, the truth is, you’ve already completed the hardest part: becoming an MD or DO. Establishing your practice won’t take nearly as long as completing the degree and postgraduate requirements did–nor will it cost as much!
That said, there are some things to consider before you take the steps to starting your own medical practice: time, expenses, and licensing, just to name a few. Establishing your private practice is much like starting any other business: there are many moving parts to consider. But once you have solidified your plan of action and start researching everything you need to know, opening your practice and taking on patients will likely begin to come naturally.
How exactly do you begin? How do you start a medical practice from the ground up?
Here are some things you should keep in mind!
Even doctors need to consult someone else for help every once in a while. With that in mind, you might consider hiring a consultant to help you get organized and explore your options. A consultant can help you identify where you should establish your practice, how you will design the space to meet your needs, how you’ll organize your staff and patient data, and how much this will all cost.
It might also be helpful to hire a personal assistant to help keep you organized throughout the process, especially if you’re already working for another hospital or private practice. Managing your time and energy will keep your mind clear, and keep the task of establishing your own practice from beginning too overwhelming.
When it comes to your medical website design or marketing you should always consider hiring a HIPAA compliant and minded company or consultant.
Costs for opening your own practice will depend upon a number of factors. Where you decide to practice will play the biggest role in determining the overall cost, as real estate and property rental fees vary widely from one state to another; even cities within the same state with just a few miles between them can bear different price tags.
How you choose to furnish the practice, the types of benefits you offer your employees, and the number of employees you’ll need to staff your practice are some other major factors that will determine the total cost of starting your practice.
In total, opening a small-sized practice could range anywhere from $70,000 to $100,000 over the course of just a few months. This estimate covers your insurance, start up costs, and your personal expenses for the first quarter that you’re open for business. However, some costs can be reduced depending on what you decide to do yourself.
Assuming that you will require a small business loan to get started, having good credit will save you some of the expense associated with the high interest rates of credit cards or loans. If you’re beginning the planning process now, be sure to take your credit history into consideration.
If your credit is not great, make it a priority to improve it as quickly as you can. With good credit, you might be able to find a low-interest loan that can be structured to require interest-only payments for the first year. In doing this, you should be able to establish a decent revenue-flow and salary before you’re required to begin repayment.
Assuming that you are already practicing as a physician, you should give yourself about six to nine months of planning time before you expect to open your practice. This will give you time to find an appropriate and convenient location and to renovate it to suit your needs, if necessary. It will also give you time to purchase all of the equipment, furniture and materials you’ll need to be business-ready.
You can also spend this time applying for a business license, acquiring the insurance you’ll need, and establishing standard operating procedures for your day-to-day and special-circumstance operations.
That said, the bulk of these decisions should be outlined in your business plan that you’ll need to apply for your loan.
Not only will a business plan be required to secure a loan; it can also serve as a great foundation for conceptualizing what your practice will look like. The business plan should include at least a few detailed pages articulating your plan for financial growth and the services you’ll offer, among other things. Let’s look at each of these in detail:
(Don’t forget about the office supplies and utilities)
Also It may be helpful to plan for non-payment and if you are going accept private, state medical insurance, medicare, or medicaid.
When considering the staffing requirements for your practice, you’ll need to first consider its size and scope. Like many businesses, you will need employees to operate various aspects of your practice, including reception, billing, accounting, and marketing. You might decide to hire an office manager, or you may delegate multiple responsibilities to various employees with other medical-related responsibilities (like employing multiple nurses who can also answer the phone and schedule appointments).
According to managemypractice.com, the number of employees you will need will depend on a number of factors. Inefficiency creates the need for more hires. If your employees need to leave their desks to handle multiple responsibilities, you’re losing efficiency. The record-keeping and transcription services you use will also determine whether or not you’ll need additional staff to transcribe and file patient records, or whether you’ll spend more initially for software that will save employee costs in the long run.
As your practice grows, it may be practical to have a specific staff member dedicated solely to answering the phone and scheduling appointments. For a budding practice, being able to accommodate new patients in a timely and friendly manner without being rushed or sidetracked is crucial.
Your patient’s first contact with the office will likely be via phone inquiry or email, and having a dedicated staff member to complete those tasks will make the process smoother for a new, or returning, patient. If you miss a new patient’s inquiry, they are much more likely to try a different practice. That is a patient you cannot afford to lose out on!
You will also need to consider whether or not you’ll be a general medicine practice or offer some specialty services. Depending on your type of practice, you may either need a staff member to organize and set up referrals to other doctors, or have specially trained medical staff on duty full or part-time. These could include X-ray technicians or lab technicians, depending on the type of specimens you plan to process in your office.
As a rule of thumb, you’ll want to have enough dedicated triage nurses to greet and process patients as they come in for appointments. You may require a physician’s assistant or other medical practitioners as the volume of your practice grows, or if you plan to operate a fairly large practice from day one. Other staff to consider, based on technology, location and operation size include:
Hiring highly skilled candidates and cross-training employees can help cut down on human resources expenses in the long run. Holding employees to high standards of efficiency is important.
In the beginning, you likely need to closely monitor and modify standard operating procedures in order to find a system that works for your office and needs. Competitive benefits and paid time off will also attract more qualified candidates. This is also another reason to make sure employees are cross trained so that even your small to mid-sized practice can accommodate employee sick and vacation days.
In order to legally practice medicine in your own private practice, there are several licensing (including the obvious medical licenses) and insurance requirements you will need to meet.
One of the first steps you’ll need to take is applying for a National Provider Identifier number. The national provider identifier (NPI) is a HIPAA-required unique identification code that qualifies your practice to accept different insurance types from your prospective patients. More information on how to apply can be found at www.cms.gov.
Your staff members will also need to complete HIPAA and OSHA compliance training prior to practice’s opening. This will ensure that your staff is well-educated on workplace safety operating and reporting procedures and patient confidentiality rights.
Finally, you need to insure your practice; the type of insurance you need will depend upon the nature of your practice. Aside from the standard medical malpractice insurance, you’ll also need to purchase business liability and internal theft coverage.
Insurance rates can vary based on a number of factors, but depend mostly on how many employees will be on your staff. Worker’s compensation insurance can cost upwards of $2000 for a staff of three employees, according to medicaleconomics.com. You may also want to offer health insurance to your employees and make sure that you and your family remain medically insured as you leave your place of employment.
There are many potential challenges in getting your practice off the ground, as is the case with any other type of business. First and foremost, you’ll need to be sure you’ve given yourself enough time to plan. You’ll likely need to work with both your attorney and accountant to draft some of the legal documents and business plan required to get started. Surrounding yourself with a team of professionals that you can trust will take some of the burden off of your shoulders during the startup process.
Finally, remember to take into account any existing contracts you may have signed at your current place of employment. Some employment contracts contain no-competition clauses; as such, you may need to wait it out or have your attorney review the circumstances. Expect delays to occur, especially now that many agencies have employees working remotely for the first time.
Above all else, try to be patient and persistent. Opening your own practice will be challenging, but also rewarding, and doing your research will help create a smoother process for everyone involved!
There are plenty of marketing ideas out there both for new and established medical practices. For those looking to keep costs down, focus on marketing strategies that you can personally carry out. Learn how to build great social media and other marketing courses in Udemy.
However, don’t forget about HIPAA when engaging in social media. Design apps like Canva offer free basic graphic creating tools while a basic internet search can teach you how to put out helpful content. If spending money on advertisements is too costly, focus on word-of-mouth marketing and building a loyal patient list and find some networking groups to gain professional relationships that will help promote your business through referrals.
The world of marketing is expansive. Take time to test different strategies and find what works best for your medical practice.
When considering HIPAA compliance, choosing a CMS platform to build your website on is daunting. Choosing the wrong one can cause a host of issues: revenue, costly rebuilds, potential fines, and headaches.
Should care about your website as much as your electronic health record system? You should read our post about commonly overlooked HIPAA risks or take our HIPAA risk quiz.
There are many options to choose from (literally hundreds) we would love to analyze all of them but that post would be massive.
We have laid out a helpful table for each platform (for those who want a quick answer) as well as a more in-depth review of each platform.
*Full disclosure: If you use our affiliate link for Hushmail you get a lifetime discount on their service and we get a small amount for referring you. However, do not mistake that as influencing our decision to include them in this post. Any of our affiliate choices are only based on quality of service and if they align with giving value to our clients (discounts or upgrades). All of the forms listed offer a great service and were chosen for quality of service.
MySql databases MYSQL enables you to pull data from your website or execute complex commands with that without having to load the site. It also enables you to use it as a data backup point.
HIPAA Compliant Server As part of the requirements of HIPAA, a business associate agreement is required for any company who stores ePHI. Any Host who is compliant will be able to provide documentation on how they satisfy HIPAA.
The platform is Free. The monthly cost depends on the host.
4.8
Standard MySql database with most hosts. Integrates well and fully supported
Drupal has a robust security team and is utilized because of their security. In addition to Drupal Security you can utilize Sucuri for an additional layer of protection. Sucuri addresses HIPAA concerns. Sucuri provides website firewall, CDN, active hardening, site scanning for malware and hacks, malware/ hack fixes, IP Blocking, (Blocks unusual admin logins from unknown IPs), and much more. These are only part of a HIPAA security solution and do not replace good security practices.
Depends on the host. Some hosts explicitly state they are not compliant and will not sign a business associate agreement.
Drupal is a content management system and not a packaged platform. It can be built in a way that is compliant. There are many HIPAA Compliant Web Design Agencies and hosting providers who will sign a business associate agreement.
Recommended. If you are a larger organization and need a more robust platform, Drupal is trusted by many banking, government organizations, and large health care providers.
The platform is Free. The monthly cost depends on the host.
4.6
Standard MySql database with most hosts. Integrates well and fully supported
Top 3rd party security solutions for WordPress are Wordfence and Sucuri. However, Sucuri addresses HIPAA concerns while Wordfence does not speak to HIPAA anywhere on their site. Sucuri provides website firewall, CDN, active hardening, site scanning for malware and hacks, malware/ hack fixes, IP Blocking, Whitelist IP (Blocks unusual admin login's from unknown IPs), and much more. Wordfence is also a great plugin for security and some protection is better than none.
Depends on the host. Some hosts explicitly state they are not compliant and will not sign a business associate agreement.
WordPress is a content management system and not a packaged platform. It can be built in a way that is compliant. There are many HIPAA Compliant Web Design Agencies and hosting providers who will sign a business associate agreement.
Recommended. WordPress can be built in a way that is HIPAA compliant. Some of the highest traffic sites online are built on WordPress. It is a great choice for a HIPAA compliant website. Making a compliant site on WordPress can be affordable as well. There are many tools to assist you in building your own site even if you have limited coding skills. If you build your own site it is important that you carefully vet what you install on your site. It is advised that you utilize a HIPAA consultant or a web designer that understands the risks and can recommend compliant options.
The monthly cost varies from $16 to $46.
Squarespace does not support with MySql Database and can't be connected externally
States that their servers and most parts of the platform are not HIPAA compliant, including their forms. They recommend you use a HIPAA compliant third party service Acuity Scheduling. (That is cover their own butt speak).Squarespace integrates analytics, logs your visitor's IP addresses, and your patients will interact with the site. All of this becomes PHI if they can be used to identify your patient. You are also responsible if they suffer a breach or your site is hacked. As thousands of sites found out in 2018.
No
Not Recommended based off HIPAA Risk and performance. If you understand the risk that you may fail an audit if you have a breach then Squarespace can be an option. We don't advise our clients to use it for this reason. The performance of the site in terms of load speed and limited search engine optimization options also make Squarespace less than ideal.
The monthly cost varies from $13 to $500
A database can only connect to an externally hosted one through custom API
HIPAA is not addressed on the Wix site. It has to be assumed they are not compliant.
No
Not Recommended based off HIPAA Risk. The performance of the sites on this platform have been less than ideal for most. While they did a rebranding campaign advertising new search engine optimization tools, in the greater professional web development community, Wix still comes up short.
The monthly cost varies from $5.0 to $38
Platform does not support with MySql Database and cant be connected externally
HIPAA is not addressed on the Wix site. It has to be assumed they are not compliant.
No
Not Recommended based off HIPAA Risk. Weebly has lagged behind in terms of website builders. It was acquired by Square in 2018. The potential for this platform to become better is possible with the backing of Square. This may become a good alternative for small providers in the future.
The platform is Free. The monthly cost depends on the host.
4.8
Standard MySql database with most hosts. Integrates well and fully supported
Drupal has a robust security team and is utilized because of their security. In addition to Drupal Security you can utilize Sucuri for an additional layer of protection. Sucuri addresses HIPAA concerns. Sucuri provides website firewall, CDN, active hardening, site scanning for malware and hacks, malware/ hack fixes, IP Blocking, (Blocks unusual admin logins from unknown IPs), and much more. These are only part of a HIPAA security solution and do not replace good security practices.
Depends on the host. Some hosts explicitly state they are not compliant and will not sign a business associate agreement.
Drupal is a content management system and not a packaged platform. It can be built in a way that is compliant. There are many HIPAA Compliant Web Design Agencies and hosting providers who will sign a business associate agreement.
Recommended. If you are a larger organization and need a more robust platform, Drupal is trusted by many banking, government organizations, and large health care providers.
The platform is Free. The monthly cost depends on the host.
4.6
Standard MySql database with most hosts. Integrates well and fully supported
Top 3rd party security solutions for WordPress are Wordfence and Sucuri. However, Sucuri addresses HIPAA concerns while Wordfence does not speak to HIPAA anywhere on their site. Sucuri provides website firewall, CDN, active hardening, site scanning for malware and hacks, malware/ hack fixes, IP Blocking, Whitelist IP (Blocks unusual admin login's from unknown IPs), and much more. Wordfence is also a great plugin for security and some protection is better than none.
Depends on the host. Some hosts explicitly state they are not compliant and will not sign a business associate agreement.
WordPress is a content management system and not a packaged platform. It can be built in a way that is compliant. There are many HIPAA Compliant Web Design Agencies and hosting providers who will sign a business associate agreement.
Recommended. WordPress can be built in a way that is HIPAA compliant. Some of the highest traffic sites online are built on WordPress. It is a great choice for a HIPAA compliant website. Making a compliant site on WordPress can be affordable as well. There are many tools to assist you in building your own site even if you have limited coding skills. If you build your own site it is important that you carefully vet what you install on your site. It is advised that you utilize a HIPAA consultant or a web designer that understands the risks and can recommend compliant options.
The monthly cost varies from $16 to $46.
Squarespace does not support with MySql Database and can't be connected externally
States that their servers and most parts of the platform are not HIPAA compliant, including their forms. They recommend you use a HIPAA compliant third party service Acuity Scheduling. (That is cover their own butt speak).Squarespace integrates analytics, logs your visitor's IP addresses, and your patients will interact with the site. All of this becomes PHI if they can be used to identify your patient. You are also responsible if they suffer a breach or your site is hacked. As thousands of sites found out in 2018.
No
Not Recommended based off HIPAA Risk and performance. If you understand the risk that you may fail an audit if you have a breach then Squarespace can be an option. We don't advise our clients to use it for this reason. The performance of the site in terms of load speed and limited search engine optimization options also make Squarespace less than ideal.
The monthly cost varies from $13 to $500
A database can only connect to an externally hosted one through custom API
HIPAA is not addressed on the Wix site. It has to be assumed they are not compliant.
No
Not Recommended based off HIPAA Risk. The performance of the sites on this platform have been less than ideal for most. While they did a rebranding campaign advertising new search engine optimization tools, in the greater professional web development community, Wix still comes up short.
The monthly cost varies from $5.0 to $38
Platform does not support with MySql Database and cant be connected externally
HIPAA is not addressed on the Wix site. It has to be assumed they are not compliant.
No
Not Recommended based off HIPAA Risk. Weebly has lagged behind in terms of website builders. It was acquired by Square in 2018. The potential for this platform to become better is possible with the backing of Square. This may become a good alternative for small providers in the future.
Drupal is a free open source platform that can be used by groups or individuals to manage a website with large volumes of content or users. It can be very user friendly but it has to be built that way.
Drupal is commonly chosen by larger organizations who need a highly secure website. The platform is light weight and fully customization which is great for developing a responsive website.
Platform is Free. Monthly cost depends on host.
Yes
4.8 Out of 5
Standard with most hosts. Integrates well and fully supported.
Yes
Yes
Drupal has a robust security team and is utilized because of their security. In addition to Drupal Security you can utilize Sucuri for an additional layer of protection.
Sucuri addresses HIPAA concerns.
Sucuri provides website firewall, CDN, active hardening, site scanning for malware and hacks, malware/ hack fixes, IP Blocking,
(Blocks unusual admin logins from unknown IPs),
and much more.
These are only part of a HIPAA security solution and do not replace good security practices.
Depends on the host. Some hosts explicitly state they are not compliant and will not sign a business associate agreement.
Drupal is a content management system and not a packaged platform. It can be built in a way that is compliant.
There are many HIPAA compliant web design agencies and hosting providers who will sign a business associate agreement. Just make sure you do your due diligence.
That depends on how the site is built. Drupal is an open source content managment platform that you host and build your website on. That means if you do not have a HIPAA compliant hosting, a server set up correctly, and your forms are not built compliantly then it is not. However, HIPAA compliant hosting can be slightly cost prohibitive for smaller practices.
You can embed a HIPAA compliant form into Drupal for a less than optimal solution. Using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack. Most electronic health record systems also have options to embed into or connect to your site.
It is important to note that if you are building on Drupal you web design agency will likely already choose a HIPAA compliant host and create a custom form.
Recommended.
If you are larger organization and need a more robust platform, Drupal is trusted by many banking, government organizations, and large health care providers.
Bring your own domain name and email service of choice.
What sets Drupal apart is their commitment to security. They have a dedicated security team to ensure the infrastructure is secure and new threats are addressed timely. By hiring a good web developer, Drupal can maintain HIPAA data integrity and confidentiality. Just being on Drupal does not make your secure but it does help.
Drupal site owners can set up a good-looking site but they need HTML or CSS knowledge. There are some pre-made themes out there as well as marketplaces. It is important to remember that Drupal is geared towards larger sites and developers. But a Developer can make a very easy to use and edit site on Drupal.
The platform is built lightly so the Drupal platform will not be the reason for a slower site. A good website developer can create custom code that performs exceptionally on Drupal.
Drupal can be hosted on nearly any HIPAA compliant host or self-hosted. The server just has to have Drupal installed. Drupal Does have a list of prefered hosts here. This means Drupal can connect or create any database or web application API without limitation. In laymen’s terms you have more flexibility.
While the platform is free the cost quickly mounts due to the need for custom code. Like WordPress, Drupal has many “plugins” or modules. However, unlike WordPress, to get them to do what you want will require a developer. Think of Drupal modules as frameworks made by developers for developers on a truly open source platform. While WordPress is consumer focused and a majority of plugins only do some of what they say and have bloatware (extra code or gated sales pitches) that can slow down a site significantly the more that are used.
That depends on how the site is built. Drupal is an open source content managment platform that you host and build your website on. That means if you do not have a HIPAA compliant hosting, a server set up correctly, and your forms are not built compliantly then it is not. However, HIPAA compliant hosting can be slightly cost prohibitive for smaller practices.
You can embed a HIPAA compliant form into Drupal for a less than optimal solution. Using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack. Most electronic health record systems also have options to embed into or connect to your site.
It is important to note that if you are building on Drupal you web design agency will likely already choose a HIPAA compliant host and create a custom form.
Most Drupal site range from $30,000-$60,000 with additional costs depending on organizational requirements. That cost is largely development costs. Unless you are a clinician who is also a web developer, then the cost would be time and server costs.
Do not let the custom Drupal price tag fool you.
A custom Drupal site has more flexibility and lower cost in the long run for larger organizations in terms of performance and security. Because all or a majority of the code is custom, the potential for hacking is much lower. WordPress is the largest platform for creating websites and this makes it a common a target for hackers of all skill levels. Drupal has a much smaller user base and typically requires more advanced hackers to exploit. Both WordPress and Drupal can be very secure with the right web developers.
Drupal has an edge over WordPress when your clinic is much larger and handles more ePHI.
We highly recommend Drupal if you can afford development costs.
WordPress.org is the open source version of WordPress that has a robust developer community and flexibility. WordPress.com is the for-profit provider of WordPress hosting that has limited options in terms of development and limited plugins. Nearly all the plugin’s on WordPress.com are premium and have limited customization. Also WordPress.com sites are only hosted by WordPress.com and they provide the security updates and server maintenance.
* This review of WordPress, is for WordPress.org.
WordPress powers a third of all of the top websites on the internet. It was originally built to be an open source blogging platform but quickly became a powerhouse for other web content. It is now one of the largest content management system online.
WordPress is great for small to mid-sized clinics and solo practitioners. However, it can be a security risk if you do not take proper steps to secure your site. That is why working with a Web designer who understands security and HIPAA is important.
Platform is Free. Monthly cost depends on host.
Yes
4.6 Out of 5
Standard with most hosts. Integrates well and fully supported.
Yes
Yes
Top 3rd party security solutions for WordPress are Wordfence and Sucuri.
However, Sucuri addresses HIPAA concerns while Wordfence does not speak to HIPAA anywhere on their site.
Sucuri provides website firewall, CDN, active hardening, site scanning for malware and hacks, malware/ hack fixes, IP Blocking, Whitelist IP (Blocks unusual admin login's from unknown IPs), and much more.
Wordfence is also a great plugin for security and some protection is better than none.
Both solutions are only part of a HIPAA security solutions and do not replace good security practices.
Depends on the host. Some hosts explicitly state they are not compliant and will not sign a business associate agreement.
WordPress is a content management system and not a packaged platform. It can be built in a way that is compliant.
There are many HIPAA Compliant Web Design Agencies and hosting providers who will sign a business associate agreement. Just make sure you do your due diligence.
That depends on how the site is built. WordPress is an open source content managment platform that you host and build your website on. That means if you do not have a HIPAA compliant hosting, a server set up correctly, and your forms are not built compliantly then it is not. However, HIPAA compliant hosting can be slightly cost prohibitive for smaller practices.
You can embed a HIPAA compliant form into WordPress for a less than optimal solution. Using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack. Most electronic health record systems also have options to embed into or connect to your site.
Recommended.
WordPress can be built in a way that is HIPAA compliant. Some of the highest traffic sites online are built on WordPress. It is a great choice for a HIPAA compliant website.
Making a compliant site on WordPress can be affordable as well.
There are many tools to assist you in building your own site even if you have limited coding skills.
If you build your own site it is important that you carefully vet what you install on your site. It is advised that you utilize a HIPAA consultant or a web designer that understands the risks and can recommend compliant options.
Bring your own domain name and email service of choice.
WordPress can be built very secure if your web developer knows what they are doing. However, due to the popularity of the platform it does suffer more hacking attempts. There are also 3rd party sites selling plugins and themes that are compromised. There have been plugins that were available to download that were really malware. The convenience of installing a plugin or a new theme can lead to data breach if they are not properly vetted.
WordPress site owners can set up a good-looking site without much HTML or CSS knowledge. With the Gutenberg update pages can be built with some more design options, there are also page builders, and pre-made themes.
While WordPress is not a light as other content management systems it can make a site that performs great if it is built right. Unfortunately, it can easily be bogged down by needless plugins, poorly developed themes to name a few issues. Typically, new site owners installing a plugin to do something that is easier and faster to do with a few lines of code.
WordPress can be hosted on nearly any HIPAA compliant host or self-hosted. This means WordPress can connect or create any database or web application API without limitation. In layman’s terms you have more flexibility.
WordPress can be very un-secure and slow if built improperly.
You can’t set it and forget it. WordPress, themes, and 3rd party plugins have regular updates that are recommended because new vulnerabilities or bugs are discovered.
However, these updates can also have unexpected interactions on the site and can break sites if they are not tested. A regular backup schedule is recommended (it is good to backup your site no matter the platform you are on).
Performance can be degraded if you have a high-volume site.
High amounts of content can become difficult to work with in WordPress.
That depends on how the site is built. WordPress is an open source content managment platform that you host and build your website on. That means if you do not have a HIPAA compliant hosting, a server set up correctly, and your forms are not built compliantly then it is not. However, HIPAA compliant hosting can be slightly cost prohibitive for smaller practices.
You can embed a HIPAA compliant form into WordPress for a less than optimal solution. Using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack. Most electronic health record systems also have options to embed into or connect to your site.
A WordPress site can range in price. Sites can range from $1,000– $15,000+ depending on what you need. A good rule of thumb, sites under a $1,000 are going to be more of a template theme set up with little to no customization, or fully outsourced out of the country. Both have concerns with potential HIPAA violations and future ePHI. We have seen sites where they had a backdoor placed in the site by the outsourced web developer or all form data was logged and copies sent to the web “guy”. You get what you pay for but also understand that with HIPAA the “get what you pay for” might also be a fine much much higher than the cost of a fully customized site. (Since HIPAA fine caps per year range from $50k- $1.5 million)
In general, a WordPress site typically costs less than a Drupal site however, costs can become comparable if complex requirements are added.
A custom or premade WordPress site has more flexibility and lower cost in the long run for solo practitioners, small to larger organizations in terms of performance and security. Because all or a majority of the code is custom, the potential for hacking is much lower. WordPress is the largest platform for creating websites and this makes it a common a target for hackers of all skill levels. Drupal has a much smaller user base and typically requires more advanced hackers to exploit. Both WordPress and Drupal can be very secure with the right web developers.
WordPress can be built in a way that is HIPAA compliant. Some of the highest traffic sites online are built on WordPress. It is a great choice for a HIPAA compliant website.
Making a complaint site on WordPress can be affordable as well.
There are many tools to assist you in building your own site even if you have limited coding skills.
If you build your own site it is important that you carefully vet what you install on your site. It is advised that you utilize a HIPAA consultant or a web designer that understands the risks and can recommend compliant options.
Drupal has an edge over WordPress when your clinic is much larger and handles more ePHI.
We highly recommend Drupal if you can afford development costs.
The Squarespace platform is a drag and drop grid website builder that uses pre-made templates that users can customize. It has grown in populularity due to it's ease of use and quick ablity to get a site up and running.
$16- $46 Monthly
Yes
3.6 Out of 5
Not supported
No
No
Security is only provided by Squarespace. They offer passive scanning periodically. Not real-time. Hacking issues are dealt through support.
States that their servers and most parts of the platform are not HIPAA compliant, including their forms. They recommend you use a HIPAA compliant third party service Acuity Scheduling. (That is cover their own butt speak).
Squarespace integrates analytics, logs your visitor's IP addresses, and your patients will interact with the site. All of this becomes PHI if they can be used to identify your patient. You are also responsible if they suffer a breach or your Squarespace site is hacked. As thousands of sites found out in 2018.
No
No. Squarespace states thier forms are not HIPAA compliant and they do not currently sign a business associate agreement. However, you can embed a HIPAA compliant form into Squarespace for a less than optimal solution. Using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack.
Not Recommended based of HIPAA Risk and performance.
If you understand the risk that you may fail an audit if you have a breach then Squarespace can be an option. We don't advise our clients to use it for this reason.
The performance of the site in terms of load speed and limited search engine optimization options also make Squarespace less than ideal.
Bring your own domain name and email service of choice.
You do not have control over your website’s security. You get passive scanning of your website and for basic websites that do not handle ePHI this can be perfectly fine. However, since hacking and malware issues are not identified in real-time and hacking issues are dealt through technical support, your site could be compromised for a while. With HIPAA that could translate into a significant breach.
Squarespace is very user friendly and the drag and drop editor can build a great looking website both on desktop and mobile, if you have time to build it. You can also customize through HTML and CSS or hire a Squarespace designer to build the site you want.
This gets tricky since a Squarespace site can perform well but typically speed is an issue. If your site loads slowly there a few things you can do to optimize such as uploading properly optimized images but the limiting factor is the Squarespace platform itself. Such as: How it pulls resources into a page can be edited slightly if you know how to code and pay for the higher tier plans. Also limiting the amount of inline CSS but you risk breaking the site completely.
Squarespace is only hosted by Squarespace. Their servers are also not HIPAA compliant.
First and foremost, Squarespace explicitly states they are not HIPAA compliant and their forms are not as well. The form you can use is Acuity for HIPAA but that does not ensure that you are compliant.
Security is not up to par when it comes to HIPAA. Like we said in the table Squarespace has been hacked recently causing thousands of sites to have a data breach.
Customization for slightly complex (or not that complex) requirements that need server access to implement efficiently are virtually nonexistent.
No. Like we said earlier, Squarespace states thier forms are not HIPAA compliant and they do not currently sign a business associate agreement. However, you can embed a HIPAA compliant form into Squarespace for a less than optimal solution. Using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack.
Monthly costs range from $16- $46 with a discount if paid annually. If you hire a web designer costs vary greatly depending on your requirements and the designer’s fees. Because of the ease of use there are a lot of overpriced novice designers. (Remember you get what you pay for, in this case you may pay more for less.)
We do not recommend Squarespace for those under HIPAA (We also don't reccomend it for businesses that are not under HIPAA for SEO and performance reasons). If in the future Squarespace changes their servers to be compliant and fix the performance issues then it can be a decent option for solo practices or small clinics.
However, at this time it is a business risk decision that falls on the owner.
If you are dead set on using Squarespace you can embed Hushmail, Jotform, or Formstack for at least a basic HIPAA compliant form that transfers securely to their servers. This will limit the risk of a data breach in contact form data.
The WIX platform is a cloud-based drag and drop grid website builder that users can customize. WIX is an Israeli based company.
$13-$500 Monthly
Yes
3.2 Out of 5
Only can connect to an externally hosted database through a custom API and adaptor to translate requests.
No
No
Security is only provided by WIX. They offer passive scanning periodically. Not real-time. Hacking issues are dealt through support.
HIPAA is not address on the Wix site. It has to be assumed they are not compliant.
No
Not Recommended based of HIPAA Risk and performance.
The performance of the sites on this platform have been less than ideal for most. While they did a re-branding campaign advertising new search engine optimization tools, in the greater professional web development community, Wix still comes up short.
Key Features Of WIX
Bring your own domain name and email service of choice.
You do not have control over your website’s security. You get passive scanning of your website and for basic websites that do not handle ePHI this can be perfectly fine. However, since hacking and malware issues are not identified in real-time and hacking issues are dealt through technical support, your site could be compromised for a while. With HIPAA that could translate into a significant breach.
WIX is very user friendly and the drag and drop editor can build a great looking website if you have time to build it. Unlike Squarespace you can build much faster on WIX. You can also customize through HTML and CSS or hire a WIX designer to build the site you want.
Like WordPress they have their own plugins and 3rd party plugins. Which makes integrating features if you are not tech savvy easier. This also means the site can slow down the more you add.
WIX sites have had performance issues and even after they have added Search Engine Optimization “tools” they still perform less than optimal.
We have moved many sites off WIX and almost immediately have seen a boost in organic traffic and performance. Just saying.
That being said there are some very well performing sites on the WIX platform but those are on the higher paid plans. Those are WIX powered but everything else is custom built. Which means they can limit the bloat their 3rd party plugins can cause.
We will give credit to WIX. WIX has been working hard at cleaning up their image and performance issues. The platform has improved since it started.
WIX is only hosted by WIX. They do not address HIPAA in any documentation. Since they are an overseas company if you get a Business Associate Agreement (which we have not seen they provide) there are additional costs with more risk assessments required by HHS that are put on the healthcare provider or vendor. Which doesn’t provide an incentive for WIX to cater to, and why would they since HIPAA and HITECH doesn’t currently apply to them. In short do not send ePHI through any of their servers.
Unlike Squarespace you can connect your externally hosted database to your WIX site through a workaround. This means WIX has more flexibility than Squarespace for custom coded sites.
HIPAA is big drawback for WIX. Unlike Squarespace which is US based and has to address HIPAA, WIX is not and has chosen not to open the door to unneeded litigation or HITECH audits.
Squarespace has slightly better performance than WIX and their sites tend to look better due to the grid-based design. We know that “look better” is subjective. In this case we are talking about the ability to move items where you want while staying in line with other elements. You can also design mobile easier in this builder for Squarespace over WIX's builder.
No. Out of the box WIX forms are not HIPAA compliant because they do not currently sign a business associate agreement. However, you can embed a HIPAA compliant form into wix for a less than optimal solution. Using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack.
The monthly cost for WIX ranges from $13-$500 (with discounts for paying yearly). They charge more to unlock more features. This is not for the development of the site but just to use the platform features and the cost can go up depending on what plugins you decide to purchase. Like Squarespace the cost to develop a site depends on the designer.
Like Squarespace we do not recommend WIX for those under HIPAA (or other businesses). It is unlikely that WIX will invest in becoming HIPAA Compliant in the future. If they fix the performance issues then it could be a decent option if you do not collect form data.
However, at this time with so many other compliant platforms that perform much better there isn’t really a reason to use WIX as a first, second, or even third choice for covered entities.
If you are dead set on using WIX you can embed a Hushmail, Jotform, or Formstack form for at least a basic HIPAA compliant form that transfers securely to their servers. This will limit the risk of a data breach in contact form data.
The Weebly platform is a widget-based drag-and-drop website builder that users can customize. Weebly is a US based company that was recently acquired by Square Inc in 2018. (Not to be confused with Squarespace)
$5-$38 Monthly
Yes*
2.3 Out of 5
Not Supported.
No
No
Security is only provided by Weebly. They offer passive scanning periodically. Not real-time. Hacking issues are dealt through support.
HIPAA is not addressed on the Weebly site. It has to be assumed they are not compliant.
No
Not Recommended based off HIPAA Risk.
Weebly has lagged behind in terms of website builders. It was acquired by Square in 2018. The potential for this platform to become better is possible with the backing of Square. This may become a good alternative for small providers in the future.
Key Features Of Weebly
Free domain with the .weebly.com, custom domain*, and any email service.
*Bring your own domain name if it ends in, .weebly.com, .com, .net, .org, co, .info, or .us.
You do not have control over your website’s security. You get passive scanning of your website and for basic websites that do not handle ePHI this can be perfectly fine. However, since hacking and malware issues are not identified in real-time and hacking issues are dealt through technical support, your site could be compromised for a while. With HIPAA that could translate into a significant breach.
Weebly is less flexible than Squarespace or WIX. With both Squarespace and WIX you can edit your fonts, arrangements, literally everything. With Weebly you have fewer options in their drag and drop widgets. The issue with their widgets, if you want to customize the location you will need CSS and HTML knowledge. Do not take this as a bad thing Weebly is slightly easier to use since it has less options to mess up. However, you can break your site or lose your work a little easier with Weebly (no undo option).
Don't mistake easier to use for great design, it takes a lot of skill, and custom code to do that.
Weebly sites have had performance issues (adding functionality that commonly comes with other platforms is plugin based and lowers performance) and they have added Search Engine Optimization “tools” they still perform less than optimally than Wix or Squarespace. In the SEO community most answers to Weebly SEO is "move off it."
We have moved many sites off Weebly and almost immediately have seen a boost in organic traffic and performance.
Weebly is only hosted by Weebly. Like Wix, they do not address HIPAA in any documentation. In short do not send ePHI through any of their servers.
Performance issues as well as HIPAA are big drawbacks for Weebly. Weebly has chosen not to open the door to unneeded litigation or HITECH audits.
Squarespace and Wix have slightly better performance than Weebly and their sites tend to look better and have a more modern feel. However, recent updates have added modern elements such as adding H1-H6 html tags. However, that is a plugin add-on and not part of the platform.
No. Out of the box Weebly forms are not HIPAA compliant because they do not currently sign a business associate agreement. However, you can embed a HIPAA compliant form into Weebly for a less than optimal solution. Using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack.
The monthly cost for Weebly ranges from $0-$29 (with discounts for paying yearly). They charge more to unlock more features. This is not for the development of the site but just to use the platform features and the cost can go up depending on what plugins you decide to purchase. Like Squarespace and WIX the cost to develop a site depends on the designer. (Any reputable web designer won't work on Weebly.)
Like Squarespace and Wix, we do not recommend Weebly for those under HIPAA (or other businesses). There is potential that Weebly will invest in becoming HIPAA Compliant in the future. If they fix the performance issues then it could be a decent option if you do collect form data.
However, at this time with so many other compliant platforms that perform much better there isn’t really a reason to use Weebly as a first, second, or even third choice for covered entities.
If you are dead set on using Weebly you can embed Hushmail, Jotform, or Formstack form for at least a basic HIPAA compliant form that transfers securely to their servers. This will limit the risk of a data breach in contact form data.
With Square's payment processing power, developers, and financial backing there is some potential that Weebly may change into a player. We just wouldn't hold our breath or risk putting a practice on it.
Drupal is a winner for large clinics with a large volumes of content, followed closely by WordPress. A website is only as good as the person or website designer who builds it. Websites can be built in a compliant way depending on how you use them. Some platforms are much more risky than others and add performance issues they can limit your practice's profitablity. While they are easy to forget in your HIPAA audits; websites, social media, and other digital properties, they are becoming a leading cause of HIPAA fines. If you work with a developer who doesn't understand the complextities of HIPAA you may put your practice at risk.
Still feeling overwhelmed in choosing what to build your website on?
Do you have a platform you want us to review or features we missed?
We will keep this blog updated with any new updates or features.
Why not leave your comments below or reach out to us?
Marketing A Private Medical Practice. While in school, business and marketing was not a focal point of coursework. Unfortunately for you, that means you have to learn about business from the school of hard knocks. Just because you opened your medical practice doesn’t...
How To Market a Private Medical Practice. As a healthcare provider, your mission is to ensure that your patients are receiving high-quality medical care. When it comes to building a patient base, marketing efforts for private medical practices cannot be overlooked....
Table of Contents Website Design Trends to Avoid1. Stock photos2. External links opening in the same tab3. Minimalism for the sake of minimalism4. Skimping on mobile optimization5. Too many fonts6. Social media overload7. Promising great results without evidence8. Too...
There are countless HIPAA Settlements each year. With well over half involving digital and network compliance.
At the end of this you will learn:
Covered Entities (CE) medical providers, mental health providers, medical insurance providers, and yes that includes medical insurance brokers/agents. Pretty much anyone who accepts insurance as a form of payment, companies who handle Protected Health Information (PHI), or electronic PHI (ePHI), or come in potential contact with it fall under some level of HIPAA. This includes third parties that have entered a Business Associate Agreement (BAA) (And only if they have signed a BAA.)
“A Covered Entity is any entity that receives federal financial assistance from the Department of Health and Human Services or is covered under Title II of the Americans with Disabilities Act as a program, service, or regulatory activity relating to the provision of health care or social services.” HHS
Any company that doesn’t handle or has the potential to see/ interact with PHI. That includes your contractor who is building your IT network or repairing your office if they don’t have a BAA. (See the problem if you don’t do an effective risk analysis for PHI)
It depends.
First, we recommend talking to a lawyer that specializes in HIPAA about your situation. Good rule of thumb: If you have ever fallen under the CE rule, accepted insurance in the past, currently, or will potentially in the future, you still have to protect all of that data. (Some lawyers have even mentioned if you included HIPAA releases on your intake forms you, fall under it.) HIPAA Is Past, Current, and Future client’s PHI.
HOWEVER, even if you are not under HIPAA, you are still open to the governing laws of your state and professional license. While HIPAA has a lot to do with how to best protect data, not protecting your data can open you up to the new consumer protection laws that states are adopting which can still hit you with big fines.
The Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS) publishes a list of the largest fines and breaches. The HHS lists all HIPAA breaches involving 500 individuals or more on the OCR Portal. There are over 500 large breaches as of 2019 over a 24 month period. The largest fines and select breaches are listed on HIPAA Resolution Agreements website.
Large beaches are only a small fraction of the fines assessed every year.
If you have a breach, you risk not only having a very public description of your incident, you also face a financial penalty based on the size and severity of the breach and practice’s culpability. Not to mention the loss of patient trust and news coverage.
In addition to fines, you may face criminal charges if the violation merits it.
Important to note: You do not need to have a breach to face HIPAA penalties.
There are five tiers based on the violations and what level of responsibility (and negligence) the entity acted in at the time of the violation.
Tier 1: Minimum fine of $100 per violation up to $50,000, with a per-year maximum of $25,000 that the issues persisted.
Tier 2: Minimum fine of $1,000 per violation up to $50,000, with a per-year maximum of $100,000
Tier 3: Minimum fine of $10,000 per violation up to $50,000, with a per-year maximum of $250,000
Tier 4: Minimum fine of $50,000 per violation, with a per-year maximum of $1,500,000.
As of April 2019, fines were adjusted to reflect the maximum amount per tier violation. But the figures could change as they are still pending additional rule-making. Federalregister.gov
It is important to remember that each State Attorney General can also impose HIPAA fines which the State keeps a percentage. As you can see, a multi-state data breach can get quite costly quickly and the incentive for a state AG to push a case.
Each Tier has maximum criminal penalties as well.
Tier 1: Maximum Up to 1 year in jail
Tier 2: Maximum Up to 5 years in jail
Tier 3: Maximum Up to 10 years in jail
Plus up to 2 years for PHI theft and potential payment of restitution.
HIPAA protected health information (PHI) is any information about an individual created in the provision of medical care. This includes past, current, and future care.
ePHI is simply the electronic; storage, transmission, or creation of PHI information which can be on any device. For example: computer, thumb drive, internet, cellphone or any recording device.
HIPAA treats any company that stores or transmits PHI as a Business Associate (BA) with the Covered Entity (CE) and requires a Business Associate Agreement (BAA). If the CE does not get a signed BAA, the CE is the one that will incur the HIPAA violations even if the BA is at fault. Technically a BA does not even have to view the PHI data to fall under the BAA requirement. A BAA helps safeguard both the CE and BA with clear responsibilities in handling PHI and liability in the event of a breach. It also helps lower the risk of a breach since both parties understand and follow HIPAA best practices. Also having a good BAA and documented procedures can help lower the fines associated with a breach or violation.
That means if you create, transmit, pass through, store, potentially see, ePHI with them, they need a signed BAA. But more on that later.
Digital marketing and websites.
PHI pertains to past, current, and the most commonly overlooked future clients. Remember our list of PHI data? IP addresses, contact information, etc. Yes, you may have invested thousands on protecting at your physical location, staff training, and internal network but you may have left the backdoor wide open.
If your site is not hosted on a HIPAA compliant server or does not have end-to-end encryption, and has any of the following: contact form, chat, server hosted email, and a whole host of potential website security gaps, then you are potentially exposed. We have seen some big providers of “medical websites” who built non-compliant sites.
Your website is the portal of first contact so if it is susceptible to hackers or malware, then your patient data may be intercepted.
Your web designer may post testimonials on your website without a signed release.
This office was one the hook for $25,000 for posting testimonials and photos on their website.
While a non-compliant website can cause a huge issue when you start to market online, the company you hire can be an even bigger risk.
More often than not, you may hire a marketing company who does not handle the data (such as lead information) with HIPAA in mind and inadvertently cause a breach. If you don’t have a BAA with them, then you are fully on the hook for their mistakes (not to mention the violation from not having a BAA). And it could put you and your practice at risk.
But how could that happen?
Example: You hire an SEO consultant or company who is helping your site reach the top of the search results. If they know what they are doing, they will ask for FTP access to your site. As well as higher-level access than your average user.
You could be on the hook for $300,000 like this Tennessee medical imaging company who let a contractor have FTP access and did no due diligence.
Or they may install call tracking software to show you proof ot their results, logging all calls to your business, owner name, and traffic source.
Example: Posting a picture of a patient without a signed consent can get you in trouble (even if they are in the background inadvertently).
OR
Your lead generation company may be selling or buying your leads on the open market. Or using your patient list to create lookalike audiences on Facebook. We don’t need to get into the data breaches that Facebook has had…
Real posts from one large Facebook marketing group looking to buy or sell lead data.
Or your marketing company can leave their server open exposing your new clients.
But it doesn’t take much searching to find examples of potential HIPAA violations. There are literally thousands of examples of how your practice can be exposed by third-party vendors.
If you are still in doubt as to why HIPAA compliance or proper vendor due diligence is something to care about, then please re-read or look up fluffy cat videos on YouTube.
Take our HIPAA compliance quiz to see where you may be at risk and/or contact us to schedule a digital risk assessment.
$100,000 HIPAA Breach due to compromised Username and Password
Open Server Database in Search Engines.
Mental health non-profit pays $150,000 fine for un-patched and noncompliant software.
$500,000 for sharing HIPAA data with 3rd party vendor without BAA.
Allowing sales representatives access to phi to identify patients to market to. Jail time avoided in plea agreement and settlement.
Get started now by scheduling an intro call. We’ll talk through your marketing goals, and determine if we’re a great fit.
