Most agencies that put "HIPAA compliant" in their marketing copy don't know what HIPAA actually requires. We've been doing this since 2007 and we'll tell you straight: most healthcare marketing work is not subject to HIPAA at all. The work that is subject to HIPAA is subject to specific, knowable rules. Here's how it actually maps.
What HIPAA covers
HIPAA's reach is Protected Health Information (PHI): individually identifiable information about a person's health condition, treatment, payment for care, or visit. A name with no link to care is not PHI. A name plus a condition is PHI. A name plus the fact that the person is a patient of a specific specialty practice is PHI, because being a patient there is itself health information.
Marketing surfaces that are not subject to HIPAA
- Your public website's general content (services, providers, hours, address)
- Your blog posts about clinical topics, as long as they don't reference identifiable patients
- Your Google Business Profile, as long as you respond to reviews without confirming the reviewer is a patient
- Your paid search ads (the ad copy and targeting; what the landing page's tracking pixels send back is a separate question)
- Your email newsletters to a non-patient list (e.g., referring physicians, prospects who haven't become patients)
- Your social media presence, with the same constraint on identifiability
Marketing surfaces that are subject to HIPAA
- Patient communication tools that carry PHI (text reminders, recall systems, the patient portal)
- Marketing campaigns sent specifically to your patient list (HIPAA's marketing rule requires a written, marketing-specific authorization; the Notice of Privacy Practices acknowledgment a patient signs at intake does not cover it. Reminders and recall notices about the care you already provide are treatment communications, not marketing)
- Lead-form submissions from your website if they capture clinical detail (which is why our forms offer a fixed "general inquiry" menu rather than a "describe your condition" box)
- Call recording on your call-tracking numbers, if callers discuss clinical topics (CallRail offers a HIPAA tier that comes with a BAA; we configure it that way for any client doing call tracking)
- Anything that pushes patient identity + condition into a third-party platform that hasn't signed a Business Associate Agreement (BAA)
What that means for your marketing partner
Your marketing partner needs to know which side of that line each of their tools sits on. Resend (transactional email)? They'll sign a BAA. Mailchimp on the basic plan? Won't, and shouldn't carry PHI. Google Analytics? Google does not offer a BAA for it, so PHI cannot go into any event parameter, ever. Your CRM? Depends on what's in it: if just contact info and engagement data, generally fine; if patient encounter data, it must be BAA'd.
A few things we've seen agencies get wrong:
- Pushing form fields with clinical detail into Google Sheets via Zapier with no BAA on either hop (breach territory)
- Storing recorded patient calls in non-BAA'd transcription tools
- Adding patient names to retargeting lists without a marketing authorization
- Telling clients they're "HIPAA compliant" because they signed a BAA, while having no internal procedures that match BAA obligations
The Macbach approach
We default to keeping PHI out of marketing systems entirely. The marketing site captures non-clinical inquiry data only. Reporting aggregates campaigns and channels, never individual patients. When a client's workflow does require PHI to flow into our systems, we sign a BAA with the client and route the data only through subcontractors that have signed BAAs of their own (Resend Pro, Supabase Team tier, CallRail HIPAA mode, Anthropic API with BAA).
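The intake gating described above (allowlisted form fields, a fixed inquiry-type menu instead of clinical free text, channel-only analytics events, aggregate reporting) as an added example in JavaScript. This is illustration written for this page, not Macbach's code; the field names, the inquiry-type menu, the sink names and the identifier regex are assumptions chosen for the example.

```javascript
// Added example, not the agency's code. Field names, sink names and the
// identifier regex below are assumptions for illustration.

// Fields the marketing site is allowed to collect. Anything else is dropped
// before the payload touches any downstream tool, BAA'd or not.
const ALLOWED_FIELDS = new Set([
  "name", "email", "phone", "inquiryType",
  "utm_source", "utm_medium", "utm_campaign",
]);

// Inquiry type is a fixed menu, not free text, so a submission cannot carry
// "describe your condition" detail even if the front end is tampered with.
const INQUIRY_TYPES = new Set(["general", "appointment", "billing", "insurance"]);

// Only campaign/channel dimensions may be sent to analytics; identity fields
// never appear here by construction.
const ANALYTICS_FIELDS = ["inquiryType", "utm_source", "utm_medium", "utm_campaign"];

// Last-line guard: refuse to emit an analytics event whose parameter values
// look like an email address or phone number, whatever the field is called.
const LOOKS_IDENTIFYING = /[^\s@]+@[^\s@]+\.[^\s@]+|\+?\d[\d\s().-]{8,}\d/;

// Keep allowlisted fields, record the names (not values) of rejected ones.
function sanitizeSubmission(raw) {
  const accepted = {};
  const dropped = [];
  for (const [key, value] of Object.entries(raw)) {
    if (!ALLOWED_FIELDS.has(key)) { dropped.push(key); continue; }
    accepted[key] = String(value).trim().slice(0, 200);
  }
  if (!INQUIRY_TYPES.has(accepted.inquiryType)) {
    // Anything outside the menu is coerced rather than forwarded as free text.
    accepted.inquiryType = "general";
  }
  return { accepted, dropped };
}

// Build the event for a non-BAA analytics tool: channel data only, and the
// whole event is dropped if any value still looks like an identifier.
function buildAnalyticsEvent(accepted) {
  const params = {};
  for (const key of ANALYTICS_FIELDS) {
    if (accepted[key] !== undefined) params[key] = accepted[key];
  }
  for (const value of Object.values(params)) {
    if (LOOKS_IDENTIFYING.test(value)) return null;
  }
  return { name: "inquiry_submitted", params };
}

// Route one submission: the CRM gets contact info plus inquiry type (contact
// and engagement data only), analytics gets channel data only, and the names
// of dropped fields go to an internal log so tampering is visible.
function routeInquiry(raw) {
  const { accepted, dropped } = sanitizeSubmission(raw);
  return {
    crm: accepted,
    analytics: buildAnalyticsEvent(accepted),
    droppedFieldNames: dropped,
  };
}

// Aggregate reporting: counts per channel, never per-person rows.
function channelReport(submissions) {
  const counts = {};
  for (const raw of submissions) {
    const { accepted } = sanitizeSubmission(raw);
    const channel = `${accepted.utm_source || "direct"}/${accepted.utm_medium || "none"}`;
    counts[channel] = (counts[channel] || 0) + 1;
  }
  return counts;
}

// Constructed sample: a tampered submission carrying a clinical free-text
// field the form never offered.
const SAMPLE = {
  name: "Jane Doe",
  email: "jane@example.com",
  inquiryType: "appointment",
  utm_source: "google",
  utm_medium: "cpc",
  conditionDescription: "recurring migraines, on topiramate",
};

console.log(JSON.stringify(routeInquiry(SAMPLE), null, 2));
console.log(channelReport([SAMPLE, SAMPLE, { utm_source: "bing", utm_medium: "cpc" }]));
```

The point of the design is that the rejected clinical field never reaches the CRM, the analytics sink, or even the log (only its name is logged), and the analytics event is built from a positive list rather than by scrubbing a copy of the whole record. The regex is deliberately a backstop, not the control.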
If you're evaluating an agency, ask them three things:
- Which of your tools have signed BAAs?
- What's your written procedure if a breach is discovered?
- Do you carry cyber-liability insurance that covers breach notification costs?
If they pause on any of those, find someone else.