HIPAA is shorthand for the “Health Insurance Portability and Accountability Act, a US law designed to provide privacy standards to protect current [and future] patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers.” (Medicine.net)

The intent of HIPAA is to prevent the disclosure of Protected Health Information (PHI; see the list below) as it is exchanged or disclosed by and between Covered Entities (CE), i.e., medical providers, insurers and clearinghouses. It also covers marketers who collect PHI of prospective patients. The PHI of any person, once collected during the process of lead generation, is considered PHI under HIPAA. The financial penalties and even criminal charges that can result from breaches of PHI are enormous.


According to the Compliancy Group, “The federal fines for noncompliance are based on the level of perceived negligence found within your organization at the time of the HIPAA violation. These fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.”

Krystin Ruschman, head of the Facebook group and program HIPAA Compliance Secrets for Marketers, says, “Lead Generation for Medical Practices falls under HIPAA. A lead who gives their contact information in this context is considered a "future" patient in the eyes of the law. This means EVERY LEAD falls, at minimum, into the "impermissible disclosure" category, and could potentially be considered a "breach."”

According to Krystin, the Privacy Rule protects all “individually identifiable health information” held or transmitted by a CE or its Business Associates (BA) in any form or media. The Privacy Rule calls this information “protected health information” (PHI), or information, including demographic data, that relates to:

  • The individual’s past, present or future physical or mental health or condition.

  • The provision of health care to the individual.

  • The past, present, or future payment for the provision of health care to the individual.

Notice the emphasis on future. As marketers, whether we like it or not, collecting name, phone, and/or email address (at minimum) to provide to a CE, e.g., a psychotherapist, is covered by HIPAA.


Catalyst Adlab respects this and has a HIPAA-compliance program in place so we can be confident we can provide that information to our clients in a safe, HIPAA-compliant manner. We use JotForm for lead collection and forward leads to our clients via HIPAA-compliant Google Docs. Each client must maintain their own G Suite account. G Suite accounts are HIPAA-compliant and they will sign Business Associate Agreements with marketers and CE clients, thus assuming risk for storage and transmission of PHI.

Another good source of HIPAA-compliance information, besides the US site, https://www.hhs.gov/hipaa/for-professionals/index.html, is The HIPAA Journal, https://www.hipaajournal.com/, sponsored by The Compliancy Group. Download their HIPAA-compliance Checklist at the site. Both the Compliancy Group and HIPAA Compliance Secrets for Marketers teach how to become HIPAA-compliant and to maintain appropriate records attesting to your efforts to maintain HIPAA-compliance. Each charges for its services to help marketers or providers maintain compliance.

HIPAA regulations consider collection, transmittal and storage of prospective patient information, as in lead generation, to be covered by HIPAA. To be HIPAA-compliant, as much as may be possible, marketers and providers must maintain HIPAA-compliant means of encrypted collection, storage and transmittal of such information as well as office systems for preventing and reporting breaches should they occur. Each party must be willing to and must sign a Business Associate Agreement which attests to the other party that they have taken HIPAA-compliant steps to safeguard PHI. These agreements protect one party in case of a breach by the other party. Providers and marketers must have specific record-keeping methods, beyond the scope of this Blog post, approved by HIPAA and be willing and able to pass HIPAA audits.

If you are not a medical/psychological provider or group, you are not covered by HIPAA and need not concern yourself with its regulations. Likewise, if you are a medical/psychological CE but have NEVER interacted electronically with an insurance company yourself or via a third party, you do not need to be HIPAA-compliant. If you’re not sure, please ask.

“Covered providers include:

  • Doctors

  • Clinics

  • Psychologists

  • Dentists

  • Chiropractors

  • Nursing Homes

  • Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.” (https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html). This applies even if the CE has done this only once, e.g., when a psychotherapist bills an insurance company “just once” before deciding to move to a cash-only business model.

If you are a medical or psychological provider, you must be HIPAA-compliant to use our lead generation advertising services unless you do not now nor have you ever done electronic billing with insurers. Even one electronic transaction means you are covered by HIPAA.

In order to interact securely with providers, each party must be willing to enter into, by signature, what HIPAA calls a Business Associate Agreement (BAA). By doing so, each party signifies to the other that they have taken all appropriate safeguards to protect PHI.

HIPAA for the rest of us: We’re doing our HIPAA due-diligence so we can safely provide lead generation for psychotherapists and medical/dental/chiropractic practices. Let’s discuss Risk Assessment and Risk Mitigation Plans and Business Associate Agreements before risking huge fines for claimed privacy breaches.

Catalyst Adlab is contracted with and has signed Business Associate Agreements with the HIPAA-compliant lead collector www.Jotform.com and with G Suite. Each service stores your data in encrypted forms that meet HIPAA requirements. You could collect your leads in your own G Suite account ($6/YEAR) or your own HIPAA-compliant lead management system.

What Is a “Business Associate”? “A ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” This includes lead generation activities on behalf of practitioners.

To work with us, if you are a CE covered by HIPAA regulations, you will need to be HIPAA-compliant so that you will be able to sign a Business Associate Agreement with Catalyst Adlab.


PHI is any health information that can be tied to an individual, which under HIPAA means protected health information includes one or more of the following 18 identifiers. If these identifiers are removed, the information is considered de-identified protected health information, which is not subject to the restrictions of the HIPAA Privacy Rule.

  1. Names (Full or last name and initial)

  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000

  3. Dates (other than year) directly related to an individual

  4. Phone Numbers

  5. Fax numbers

  6. Email addresses

  7. Social Security numbers

  8. Medical record numbers

  9. Health insurance beneficiary numbers

  10. Account numbers

  11. Certificate/license numbers

  12. Vehicle identifiers (including serial numbers and license plate numbers)

  13. Device identifiers and serial numbers

  14. Web Uniform Resource Locators (URLs)

  15. Internet Protocol (IP) address numbers

  16. Biometric identifiers, including finger, retinal and voice prints

  17. Full face photographic images and any comparable images

  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

Gerry Sanders