Trust & Compliance

HIPAA & Compliance

Marketing for an allergy & immunology practice means working close to patient relationships, and sometimes close to protected health information. We take that seriously. Here is how we keep your growth program effective and HIPAA-conscious, from the first ad impression to the patient who books an appointment.

Last updated: June 3, 2026

Story LLC (operating as Story Allergy Marketing, a Story Agency brand) builds patient acquisition programs for allergy & immunology practices. Because our work touches the channels where prospective and current patients find you, we treat HIPAA not as a checkbox but as a design constraint that shapes how we build campaigns, configure tracking, and handle data on your behalf.

In one sentence

We keep protected health information out of advertising and analytics platforms, sign a Business Associate Agreement when our work makes us a business associate, and apply security and access controls appropriate to the data we touch.

HIPAA & PHI in healthcare marketing

HIPAA (the Health Insurance Portability and Accountability Act) and its Privacy and Security Rules govern how protected health information (PHI) may be used and disclosed by covered entities (like your practice) and their business associates. PHI is more than a diagnosis or chart note. In a marketing context, it can include any individually identifiable health information that links a specific person to their care, for example, the fact that a known individual visited your allergy practice, scheduled an appointment, requested allergy testing, or filled out an intake form about their symptoms.

The risk in digital marketing is subtle: identifiers (names, email addresses, phone numbers, IP addresses, device IDs, cookies) combined with the context of a healthcare website or a health-related action can become PHI the moment they leave your control and land in a third-party ad or analytics platform. Federal regulators, including the HHS Office for Civil Rights and the FTC, have made clear that tracking technologies on healthcare sites can create impermissible disclosures. We build with that reality in mind.

Business Associate Agreements (BAAs)

When the services we provide cause us to create, receive, maintain, or transmit PHI on your behalf, we become a business associate under HIPAA, and we will sign a Business Associate Agreement with your practice before that work begins. Our BAA commits us to the obligations HIPAA requires of business associates, including:

  • Using and disclosing PHI only as the agreement and HIPAA permit;
  • Implementing appropriate administrative, physical, and technical safeguards;
  • Ensuring that any subcontractors who touch PHI agree to the same protections via written agreement;
  • Reporting security incidents and any breach of unsecured PHI without unreasonable delay;
  • Making PHI available to support your access, amendment, and accounting obligations; and
  • Returning or destroying PHI when the engagement ends, where feasible.

Not every engagement requires a BAA. Many marketing programs can be, and are deliberately, structured so that we never receive PHI in the first place, which is the safest posture of all. Where a BAA is appropriate, we would rather have it in place than guess. If you are unsure which applies to your practice, we will help you sort it out before any data changes hands.

How we keep advertising HIPAA-conscious

The cleanest way to honor HIPAA in advertising is to keep PHI out of advertising entirely. That principle drives a series of concrete choices in how we build and run your campaigns.

No PHI in ad platforms

We do not upload patient lists, intake-form contents, appointment data, or any health-condition-linked identifiers into Google Ads, Meta, Microsoft, or other ad platforms. Audience targeting is built from non-PHI signals (geography, search intent, interests, and your own first-party non-health data), never from a patient's clinical relationship with your practice.

Conversion tracking configured to avoid PHI leakage

Conversion tracking is where leaks most often happen, because URLs, form fields, and page context can carry health information into a measurement tool by accident. We configure tracking to report that a conversion happened without smuggling out who converted or why in health terms. In practice that can mean server-side or gateway-based conversion handling, hashed or stripped identifiers, suppressing query strings and form values, and confirming that "thank you" or confirmation pages do not pass condition-revealing parameters downstream.

Careful pixel & analytics use

Third-party pixels and analytics tags are reviewed page by page. On pages where health context is unavoidable (symptom checkers, condition pages, appointment requests, patient portals), we restrict or remove tracking that would create an impermissible disclosure, and we mask IP addresses and disable features that fingerprint individuals where the data isn't needed. We document which tags run where, so there are no surprises in your tag manager.

Form & intake handling

Lead and intake forms are designed to collect the minimum necessary information and to route any health-related detail through secure, access-controlled paths, not through marketing analytics. Where possible we keep clinical questions off marketing forms entirely and hand prospective patients to your secure scheduling or portal once contact is established. Form data in transit and at rest is encrypted, and access is limited to people who need it.

Vendor due diligence

Every platform and subprocessor in your stack is evaluated before we rely on it: does it handle data the way HIPAA requires, will it sign a BAA when one is needed, and what is its security track record? When a vendor can't meet the bar for a particular use, we change the architecture rather than the standard. We maintain a record of the tools involved in your program so the chain of accountability is always clear.

Data security & access controls

We protect the data we hold with safeguards scaled to its sensitivity:

  • Encryption of data in transit (TLS) and at rest for systems that store sensitive client data;
  • Least-privilege access: team members can reach only the accounts and data their role requires, granted and reviewed deliberately;
  • Strong authentication, including multi-factor authentication on administrative and platform accounts;
  • Audited, time-bound access to your advertising and analytics accounts, with credentials rotated and offboarding handled promptly when people or vendors change;
  • Minimum-necessary data handling: we collect and retain only what the work requires, and dispose of it securely when it is no longer needed; and
  • Ongoing training so the people on your account understand what PHI is and how to avoid creating it where it doesn't belong.

Breach response

If we discover a security incident or a suspected breach of unsecured PHI in systems we manage for you, we act quickly to contain it, investigate scope and cause, and notify your practice without unreasonable delay and within the timeframes our Business Associate Agreement and HIPAA require. We will provide the information you need to meet your own notification obligations to affected individuals, HHS, and, where applicable, the media, and we work with you on remediation so the same gap doesn't reopen. Our goal is a response that is fast, honest, and documented.

A practical, partnership-minded posture

Compliance shouldn't make your marketing timid. With tracking architected correctly, you still get the measurement you need to know what's working: which campaigns fill the schedule, which channels earn new patients, and what each acquisition costs, all without putting patient privacy or your practice's standing at risk. We would rather build it right the first time than apologize later, and we are happy to walk your compliance officer or counsel through exactly how your program is set up.

Talk to a human

Have a HIPAA or data-handling question about your program? Email hello@storyllc.com or call (864) 565-0482. We are based in Greenville, SC, and we are glad to get specific.


This page describes Story LLC's general practices and is provided for informational purposes. It is not legal advice and does not create an attorney-client relationship. The specific obligations between your practice and Story LLC are governed by our written agreements, including any Business Associate Agreement. Story LLC · Greenville, SC · hello@storyllc.com · (864) 565-0482 · storyallergymarketing.com · A Story Agency brand.

Compliance-first growth

Let's build a program your compliance officer can sign off on.

A free, no-pressure conversation about your goals, and how we keep it HIPAA-conscious.