HIPAA and Data Enrichment: What Sales Teams Need to Know
HIPAA is the most misunderstood regulation in healthcare data. Here's what it actually means for B2B sales teams buying provider contact information.
2026-03-29
What HIPAA Actually Covers
The Health Insurance Portability and Accountability Act applies to Protected Health Information (PHI), which is individually identifiable health information held by covered entities and their business associates.
There are three key definitions in that sentence.
Protected Health Information (PHI)
PHI is information about a patient's health status, healthcare treatment, or payment for healthcare that can be linked to a specific individual. It includes names, addresses, dates of service, diagnoses, treatment records, insurance information, and 16 other identifier categories when they're connected to health information.
What PHI is not: a physician's business email address. A practice's office phone number. A provider's NPI number. The address where a medical practice operates. An administrator's LinkedIn profile. These are business contact details, not patient health information. The HHS HIPAA privacy rule is clear on this distinction.
Covered Entities
HIPAA applies to covered entities: healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses. If you're a medical device company, a healthcare SaaS vendor, or a data enrichment provider, you're not a covered entity unless you're also providing direct patient care or processing health insurance claims.
Business Associates
If you handle PHI on behalf of a covered entity, you're a business associate and HIPAA applies to you. A CRM vendor hosting patient records for a hospital is a business associate. A data vendor providing physician email addresses for sales outreach is not, because physician contact data isn't PHI.
The Regulations That Actually Apply to Provider Data
If HIPAA doesn't govern most B2B provider data activities, what does? Several regulations are more directly relevant.
CAN-SPAM Act
If you're emailing healthcare providers for commercial purposes, CAN-SPAM applies. The requirements are straightforward: include a physical mailing address, provide an unsubscribe mechanism, honor opt-out requests within 10 business days, don't use deceptive subject lines, and clearly identify commercial messages as advertisements when applicable.
CAN-SPAM doesn't require opt-in consent for B2B email. This is a common misconception. You can send unsolicited commercial email to business contacts under CAN-SPAM as long as you comply with the rules above. However, state laws may impose additional requirements.
Telephone Consumer Protection Act (TCPA)
If you're calling or texting healthcare providers, TCPA governs your activity. The rules differ for cell phones versus landlines and for manual versus autodialed calls. Calling a physician's listed business line during business hours with a live rep is generally fine. Autodialing or texting a physician's cell phone without consent is where TCPA liability accumulates. Violations are $500-$1,500 per call/text, and TCPA class actions are common.
The implication for the data you buy is this: you need to know whether each phone number in your provider database is a cell phone, a landline, or a VoIP line. That classification determines what you can legally do with it. Good provider data vendors include phone type classification with every number. Cheaper ones don't.
State Privacy Laws
California's CCPA/CPRA, Virginia's CDPA, Colorado's CPA, and Connecticut's CTDPA all include provisions that can apply to B2B contact data under certain circumstances. The applicability depends on revenue thresholds, data volume thresholds, and whether you're processing personal information about California (or Virginia, Colorado, Connecticut) residents.
The practical impact: if you're collecting personal contact information (direct phone numbers, personal email addresses) about healthcare providers in these states, you may have obligations around disclosure, data access requests, and opt-out mechanisms that go beyond CAN-SPAM and TCPA. Consult with your legal team on state-specific requirements. This area is evolving fast.
Open Payments (Sunshine Act)
If your company is a medical device or pharmaceutical manufacturer, the Open Payments program (Physician Payments Sunshine Act) requires you to report payments and transfers of value to physicians and teaching hospitals. This doesn't directly regulate data enrichment, but it affects how you can use enriched data for activities like meal events, speaker programs, and consulting arrangements. Knowing a physician's NPI is essential for Open Payments reporting.
Common Compliance Mistakes
Claiming HIPAA Compliance When It Doesn't Apply
Ironically, the most common compliance mistake is claiming your provider data operations are "HIPAA compliant" when HIPAA doesn't apply to what you're doing. This creates two problems: it signals to knowledgeable buyers that you don't understand the regulatory landscape, and it can create implied obligations that you haven't actually met. If you don't handle PHI, don't claim HIPAA compliance. Say "we don't handle protected health information" instead.
Ignoring State Privacy Laws
Teams that dismiss state privacy requirements because "we're B2B, not B2C" are missing the nuance. Several state privacy laws apply to B2B personal information. A physician's personal cell phone number is personal information regardless of whether you're using it for B2B outreach. Don't assume B2B exempts you from privacy regulations without checking the specific language of each applicable law.
Using Personal Contact Channels Without Consent
There's a meaningful legal difference between emailing a physician's practice email (the one listed on the practice's website) and emailing their personal Gmail, and between calling their office line and calling their cell phone. Practice contact information falls more clearly into the "business contact" category. Personal channels carry higher regulatory risk. Use them carefully and with appropriate consent where required.
Not Honoring Opt-Outs Consistently
The fastest way to create a compliance problem is to have Dr. Johnson unsubscribe from your email list and then receive a cold call from your sales team the next week using the same underlying data. Opt-outs need to be centralized, not siloed by channel. Build a single suppression list that applies across email, phone, direct mail, and any other outreach channel.
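The two controls described above, a phone-type gate for calls and one cross-channel suppression list keyed on the provider's NPI, as an added illustration that is not code from the original article. Provider records, NPIs and phone numbers are constructed placeholders; treating VoIP like a cell phone (consent required) is a conservative assumption, not a statement of the law.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Provider:
    npi: str                 # stable key shared by every channel (business data, not PHI)
    email: str
    phone: str
    phone_type: str          # "landline", "cell" or "voip", as classified by the vendor
    call_consent: bool = False  # documented prior express consent to call/text this number


class SuppressionList:
    """Single opt-out store keyed on NPI: an opt-out from any channel blocks all channels."""

    def __init__(self) -> None:
        self._suppressed: dict[str, str] = {}  # npi -> channel the opt-out arrived through

    def opt_out(self, npi: str, via_channel: str) -> None:
        self._suppressed[npi] = via_channel

    def is_suppressed(self, npi: str) -> bool:
        return npi in self._suppressed


def allowed_channels(p: Provider, suppression: SuppressionList) -> list[str]:
    """Channels that may be used for this provider right now, or [] if they opted out."""
    if suppression.is_suppressed(p.npi):
        return []
    channels = ["email"]  # unsolicited B2B email is permitted with the CAN-SPAM footer/opt-out
    # Assumption: only a landline business number is called without consent;
    # cell and VoIP numbers require documented consent before any call or text.
    if p.phone_type == "landline" or p.call_consent:
        channels.append("phone")
    return channels


def plan_outreach(providers: list[Provider], suppression: SuppressionList) -> dict[str, list[str]]:
    return {p.npi: allowed_channels(p, suppression) for p in providers}


# Constructed sample records; NPIs and numbers are placeholders, not real providers.
SAMPLE = [
    Provider("0000000001", "office@example-practice.test", "+1-555-0100", "landline"),
    Provider("0000000002", "dr.two@example-practice.test", "+1-555-0101", "cell"),
    Provider("0000000003", "dr.three@example-practice.test", "+1-555-0102", "cell", call_consent=True),
]

if __name__ == "__main__":
    suppression = SuppressionList()
    suppression.opt_out("0000000001", "email")  # unsubscribed from email ...
    print(plan_outreach(SAMPLE, suppression))   # ... so no phone call either
```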
Frequently Asked Questions
Does HIPAA apply to healthcare provider email lists?
In most cases, no. HIPAA protects patient health information (PHI), not business contact data about healthcare providers. A physician's practice email, office phone, and NPI number are not PHI. HIPAA only applies to provider data enrichment when the activity involves patient-level claims data, EHR data, or other individually identifiable health information.
What regulations apply to healthcare provider data for sales?
CAN-SPAM (commercial email requirements), TCPA (phone and text regulations), and state privacy laws (CCPA/CPRA, CDPA, CPA, CTDPA) are the primary regulations governing B2B healthcare provider data use. Open Payments (Sunshine Act) applies specifically to medical device and pharma companies. HIPAA only applies if you handle protected health information.
Can I cold email doctors for B2B sales?
Yes, under CAN-SPAM. Federal law doesn't require opt-in consent for B2B commercial email. Requirements: include a physical address, provide an unsubscribe link, honor opt-outs within 10 business days, don't use deceptive subject lines. Some state laws add additional requirements, so check applicable state regulations for your target providers' locations.
What's the risk of calling a physician's cell phone for sales?
TCPA liability is the primary risk. Autodialing or texting a cell phone without prior express consent can incur penalties of $500-$1,500 per call or text. Manual calls from a live rep to a cell phone carry lower risk, but best practice is to use business lines for initial outreach and cell phones only with documented consent. Phone type classification in your provider data is essential for TCPA compliance.
Should my provider data vendor sign a BAA?
Only if they handle protected health information on your behalf. If the vendor provides physician contact data (NPI, email, phone, address), that's not PHI and a BAA isn't required or appropriate. Requesting a BAA for non-PHI data can actually backfire by implying you believe the data contains PHI, creating confusion about data classification.