What HIPAA actually requires of your IV clinic’s marketing automation

From the IVTM blog

HIPAA basics, what counts as PHI in marketing, business associate agreements, and what “HIPAA-aware CRM” really means for IV therapy clinics.

Quick definition

What does HIPAA require for an IV clinic’s marketing automation?

HIPAA requires that any vendor handling a patient’s protected health information (PHI) on behalf of a covered entity (your clinic) does so under a signed business associate agreement (BAA), implements administrative, technical and physical safeguards, and keeps access to and transmission of PHI auditable. For marketing automation, this means most general-purpose CRMs and email tools (HubSpot Marketing, Mailchimp, Klaviyo) cannot be used to send messages containing PHI unless your specific plan comes with a signed BAA, which, where the vendor offers one at all, usually means their enterprise tier.

HIPAA in plain English

HIPAA exists to keep a patient’s medical information confidential. It applies to “covered entities” (healthcare providers that transmit health information electronically for standard transactions such as insurance claims, which covers most IV therapy clinics that bill insurance) and their “business associates” (any vendor that handles patient data on their behalf). A cash-only clinic that never submits an electronic claim may technically fall outside the covered-entity definition, but state health privacy laws and the FTC’s health data rules still reach it, so the safe working assumption for the rest of this article is that patient data is PHI and is handled as such.

The law has three rules that affect marketing. The Privacy Rule controls who can access PHI and under what conditions, and is the source of the BAA requirement. The Security Rule sets safeguards for electronic PHI: access controls, audit logging, integrity checks and transmission security. Its encryption standards are “addressable”, meaning you must implement them or document an equivalent safeguard, but in practice you should treat encryption in transit and at rest as mandatory. The Breach Notification Rule requires you to notify affected patients (and HHS) when unsecured PHI is compromised. Together they require encryption, access logging, breach notification, and a signed BAA with every vendor in your data flow.

What counts as PHI in a marketing context

Some examples are obvious: a patient’s name plus a diagnosis, or a name plus an appointment for a specific treatment. Less obvious examples that still count:

A name + email + the implication that the person is a patient (because the email came from a clinic’s CRM).

A phone number + a record that this person booked an IV session, even without naming the specific drip.

An SMS reminder that says “Your IV appointment is tomorrow at 2 PM” sent through a marketing tool without a BAA.

The bar is lower than most clinic owners realize. PHI is any of HIPAA’s identifiers (name, email, phone number, device ID, IP address and so on) linked to the fact that a person received, is receiving, or is scheduled for care. If your CRM or email tool can connect a contact to the fact that they are a patient, you are handling PHI.

Business associate agreements: why they matter

A BAA is a contract between your clinic and a vendor where the vendor agrees to handle PHI according to HIPAA’s rules. Without it, the vendor cannot legally process PHI on your behalf, and you cannot legally send it to them. If your clinic is audited or has a data breach, the list of vendors in your data flow and the signed BAA for each is one of the first things the investigator asks for. A BAA does not shift the responsibility off your clinic: you remain responsible for choosing vendors that can actually meet the safeguards, and for limiting what you send them to the minimum necessary.

Most popular marketing tools do not offer BAAs at standard tiers. As of this writing: Mailchimp does not. Klaviyo does not. HubSpot does on their enterprise tier only. Generic GoHighLevel does not, though their healthcare-specific configuration does. Twilio offers BAAs, but you have to specifically request one and use only their HIPAA-eligible products. Vendor terms change, so get the BAA in writing for your specific plan before a single patient message goes through the tool.

Common compliance mistakes IV clinics make

1. Sending appointment reminders through a non-BAA SMS tool

If you confirm an IV appointment by SMS through your standard CRM, that message contains PHI (the phone number plus the fact that its owner is booked for care). Without a BAA covering the SMS vendor, each message is an impermissible disclosure, and under the Breach Notification Rule an impermissible disclosure is presumed to be a breach unless your documented risk assessment shows a low probability that the PHI was compromised.

2. Embedding intake forms that store responses in non-HIPAA tools

Typeform, JotForm (standard), Wufoo, and Google Forms on an account without a Workspace BAA all store responses in their general infrastructure under their standard terms. If your intake form asks about allergies, medications, or conditions, that data is PHI from the moment it is submitted. Use HIPAA-eligible alternatives (JotForm HIPAA, Formstack for Healthcare, or a CRM-native HIPAA form) with a signed BAA, and confirm that the form’s storage, notification emails, and any integrations are all inside the covered configuration.

3. Adding patients to remarketing audiences

Uploading patient contact lists to Google or Meta for retargeting passes PHI through ad platforms that will not sign a BAA for it. Google’s and Meta’s advertising policies prohibit targeting on health conditions and sensitive categories, and HHS OCR has stated that disclosing PHI to advertising and tracking vendors without a BAA violates HIPAA. A patient list is PHI whether or not the campaign mentions a treatment: the list itself says who is a patient. If you want to remarket at all, build audiences from prospects who have not yet become patients, and keep patient records out of the ad platforms entirely.

4. Using personal email or text to communicate with patients

Owner-operator clinics often send “quick check-ins” from their personal phone. There is no official “HIPAA-compliant” certification for devices or apps, so the question is whether the phone is managed under your security policy (screen lock, full-disk encryption, remote wipe, mobile device management) and whether the message travels through a BAA-covered channel rather than iMessage, WhatsApp or a personal email account. If neither holds, you are handling PHI on an unmanaged endpoint over an uncovered channel. Risky.

What “HIPAA-aware CRM” actually means

A HIPAA-aware CRM is not a special tool. It is a configuration of an existing tool (most commonly GoHighLevel Healthcare, HubSpot Enterprise, or Salesforce Health Cloud) where:

The vendor has signed a BAA covering every channel (database, SMS, email, voice).

Marketing automation logic keeps PHI out of message bodies. SMS and email are not end-to-end encrypted even when the vendor has a BAA, so the body carries only the minimum necessary (“You have an appointment tomorrow at 2 PM; details are in your patient portal”), never the treatment name or any clinical detail.

Lead capture forms either avoid asking for PHI entirely, or route to HIPAA-eligible storage with audit logging.

Two-factor authentication is required for every team member with access, and access is role-based: marketing staff see contact and consent data, not clinical notes.

Patient records flow into the clinical system (EHR) for treatment-related notes, and only marketing-permissible data stays in the CRM.

The practical setup for IV clinics

Most IV clinics need three connected systems: a clinical EHR (the actual medical record, fully under HIPAA), a HIPAA-aware CRM (marketing automation and patient communication, BAA in place), and a scheduling tool (Acuity, Booker, Mindbody, etc., on a plan that includes a BAA, which you verify with the vendor rather than assume). Data flows between them are controlled so that PHI never enters the marketing automation layer unless the vendor receiving it has a BAA, and so that what does enter is the minimum the message needs.
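The configuration rules listed above and the data-flow control in the previous paragraph amount to a gate that every outbound message passes through before it reaches a vendor. The example below is added for this article, not code from any CRM or from IVTM; the vendor registry, contacts, message bodies and the treatment-term list are constructed for the example, and the BAA flags say nothing about any real product’s terms.

```python
"""
Outbound-message gate for a clinic communication stack (illustrative example).

Enforces three rules from the article:
  1. Anything sent to a known patient is PHI, so it may only leave through a
     vendor with a signed BAA for that channel.
  2. Even through a BAA vendor, SMS and email bodies carry only the minimum
     necessary: "you have an appointment", never the treatment name.
  3. Prospects (no treatment relationship yet) may be marketed to through
     non-BAA tools, because no PHI exists yet.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Vendor:
    name: str
    channel: str   # "sms" or "email"
    has_baa: bool  # signed BAA on file for this vendor and this plan


@dataclass(frozen=True)
class Contact:
    contact_id: str
    is_patient: bool  # True once a treatment relationship exists


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Treatment names that turn "we messaged you" into a clinical detail.
# Constructed list; a real deployment derives it from the clinic's service menu.
TREATMENT_TERMS = re.compile(
    r"\b(NAD\+?|glutathione|myers|vitamin\s*c|iron infusion|drip|hangover)\b", re.I
)

# Constructed vendor registry (hypothetical names, illustrative BAA flags).
VENDORS = {
    "promo_email": Vendor("promo_email", "email", has_baa=False),
    "clinic_sms": Vendor("clinic_sms", "sms", has_baa=True),
}


def body_has_treatment_detail(body: str) -> bool:
    """True if the body names a treatment, i.e. carries more than the minimum necessary."""
    return TREATMENT_TERMS.search(body) is not None


def gate(contact: Contact, channel: str, vendor: Vendor, body: str) -> Decision:
    """Decide whether one outbound message may be handed to one vendor."""
    if vendor.channel != channel:
        return Decision(False, f"{vendor.name} does not provide the {channel} channel")
    if not contact.is_patient:
        # No treatment relationship, so nothing here is PHI; ordinary marketing rules apply.
        return Decision(True, "prospect: no PHI involved")
    if not vendor.has_baa:
        # A patient's identifier plus the fact that the clinic contacted them is PHI.
        return Decision(False, f"patient contact cannot route through {vendor.name} without a BAA")
    if body_has_treatment_detail(body):
        # Transport is not end-to-end encrypted; keep clinical detail out of the body.
        return Decision(False, "body names a treatment; use the generic appointment template")
    return Decision(True, f"patient message via BAA-covered {vendor.name}")


def run_examples() -> list[tuple[str, bool]]:
    """Run the gate over four constructed cases and return (label, allowed) pairs."""
    prospect = Contact("lead-001", is_patient=False)
    patient = Contact("pt-042", is_patient=True)
    cases = [
        ("promo to prospect", prospect, "email", VENDORS["promo_email"],
         "20% off NAD+ drips this month"),
        ("promo to patient via non-BAA tool", patient, "email", VENDORS["promo_email"],
         "20% off NAD+ drips this month"),
        ("reminder naming the drip", patient, "sms", VENDORS["clinic_sms"],
         "Your NAD+ drip is tomorrow at 2 PM"),
        ("minimum-necessary reminder", patient, "sms", VENDORS["clinic_sms"],
         "Reminder: you have an appointment tomorrow at 2 PM. Details in your patient portal."),
    ]
    return [(label, gate(c, ch, v, body).allowed) for label, c, ch, v, body in cases]


if __name__ == "__main__":
    for label, allowed in run_examples():
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {label}")
```

The gate blocks two of the four constructed cases: the promotion to a patient through the non-BAA email tool (the patient list itself is PHI, whatever the body says) and the reminder that names the drip even though it goes through the BAA-covered SMS vendor. Wiring a check like this in front of every send, rather than relying on staff to remember the rules under deadline pressure, is what turns a BAA on paper into an enforced data flow.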

Getting this right takes a one-time setup of 30 to 60 hours of work. Once configured, it runs invisibly. Most violations come from shortcuts taken under deadline pressure (running a quick promo through a non-HIPAA tool, copying a patient list into a spreadsheet, etc.), not from the system itself.

Common questions

Is GoHighLevel HIPAA-compliant out of the box?

No. Standard GHL plans do not include a BAA. GoHighLevel offers a healthcare configuration (often through specific resellers including JBL Digital Marketing) that includes the BAA and the additional security controls needed. Confirm the BAA status in writing, for the exact plan and every channel you use (SMS, email, voice, forms), before treating any GHL setup as compliant.

What happens if I have been sending appointment reminders through a non-HIPAA tool?

Stop, then transition. Pause the non-compliant automation immediately. Migrate the appointment reminder logic to a HIPAA-eligible alternative. Document the transition. Then assess, and document, whether the past sending was a reportable breach: the Breach Notification Rule requires notifying affected patients within 60 days of discovery, and HHS within 60 days if 500 or more individuals were affected (otherwise in the annual report). HIPAA’s civil penalties scale with culpability, and the highest tier is willful neglect that is not corrected within 30 days of discovery, so a problem that is found, fixed and documented is treated very differently from one that keeps running. This is a point at which to involve a privacy attorney.

Can I use Mailchimp at all if I have a HIPAA-aware CRM?

For prospect-only marketing (people who are not yet patients), Mailchimp can sit outside the HIPAA-protected stack, as long as the prospect forms and campaigns it holds collect no health information. The moment someone becomes a patient, their record moves to the HIPAA-aware CRM and the prospect Mailchimp record is suppressed, so that no later campaign can be matched against a list of patients.

Need someone who has done this for IV clinics before?

A 15-minute Discovery Call is the fastest way to scope whether IVTM is the right fit for what your clinic needs next.
