I am in the process of working with a hospital that is using a marketing software product to integrate forms into a new website project. We have recently gotten into a discussion regarding HIPAA compliance. It turns out the product's forms are not HIPAA compliant.
With that being said, the information being captured by these forms on the site is not intended to be medical information. The purpose of these forms is marketing related.
The type of information that will be captured is: first name, last name, and email. We are not collecting any active patient data, sending any medical records, or tying into any existing lists that house medical records.
The purpose of these forms is to allow users to sign up for more information about hospital services that are service line specific (think: bariatric procedures, orthopedic surgery, etc.). Signing up will enter users into a list, and they will then be sent a series of emails that include information about the items they have signed up for. These users will only receive information about what they sign up for, and it will not be used for other purposes.
I do not claim to be a legal expert, or to know all the ins and outs of what HIPAA compliance is. But, from what I have read, it appears that the scope of what is being attempted does not violate HIPAA compliance, because the forms will not be collecting or sharing any medical information. We are allowing users to sign up for information on services that they would like to know more about from the hospital.
If anyone knows how this does or does not violate HIPAA compliance, I would be very interested in understanding that viewpoint.