{"id":54165,"date":"2026-02-01T12:29:58","date_gmt":"2026-02-01T18:29:58","guid":{"rendered":"https:\/\/heartbeat.ai\/healthcare\/not-hipaa-no-patient-data\/"},"modified":"2026-02-27T13:31:22","modified_gmt":"2026-02-27T19:31:22","slug":"not-hipaa-no-patient-data","status":"publish","type":"post","link":"http:\/\/heartbeat.ai\/resources\/trust-methodology\/not-hipaa-no-patient-data\/","title":{"rendered":"HIPAA and recruiting contact data: what procurement should verify (no patient data)"},"content":{"rendered":"<p><img decoding=\"async\" loading=\"false\" class=\"aligncenter\" src=\"http:\/\/hc.heartbeat.ai\/wp-content\/webp-express\/webp-images\/uploads\/2026\/02\/not-hipaa-no-patient-data-3aa05bdd.png.webp\" alt=\"54164\" \/><\/p>\n<h1>HIPAA and recruiting contact data<\/h1>\n<p><strong>Ben Argeband, Founder &amp; CEO of Heartbeat.ai<\/strong> \u2014 Written for procurement review. This is general information; your counsel should confirm applicability to your organization.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Who_this_is_for\"><\/span>Who this is for<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>This page is for <strong>Procurement, compliance, security reviewers<\/strong> who need a clean way to evaluate recruiting outreach data and tools\u2014especially when the question is framed as: \u201cIs this HIPAA?\u201d<\/p>\n<p>For Heartbeat.ai\u2019s recruiting use case, we handle <strong>no patient data<\/strong>. 
The practical review is about data scope, controls, and outreach governance.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Quick_Answer\"><\/span>Quick Answer<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<dl>\n<dt>Core Answer<\/dt>\n<dd>Recruiting contact data about providers is generally not patient PHI; HIPAA risk depends on whether patient-identifying health information is created, received, maintained, or transmitted.<\/dd>\n<dt>Key Insight<\/dt>\n<dd>Procurement should verify data types, access controls, opt-out suppression, and outreach compliance controls\u2014then document the \u201cno patient data\u201d boundary.<\/dd>\n<dt>Best For<\/dt>\n<dd>Procurement, compliance, and security reviewers approving recruiting outreach tools and data sources.<\/dd>\n<\/dl>\n<blockquote>\n<p><strong>Compliance &amp; Safety<\/strong><\/p>\n<p>This method is for legitimate recruiting outreach only. Always respect candidate privacy, opt-out requests, and local data laws. Heartbeat does not provide medical advice or legal counsel.<\/p>\n<\/blockquote>\n<h2><span class=\"ez-toc-section\" id=\"Framework_Procurement_FAQ_tone_%E2%80%9CAre_you_HIPAA_compliant%E2%80%9D_answered_carefully\"><\/span>Framework: Procurement FAQ tone: \u201cAre you HIPAA compliant?\u201d answered carefully<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When a reviewer asks, \u201cAre you HIPAA compliant?\u201d they\u2019re usually trying to de-risk two different things:<\/p>\n<ul>\n<li><strong>Data scope risk:<\/strong> Are you touching <strong>PHI<\/strong> (protected health information) or anything that could become PHI?<\/li>\n<li><strong>Operational risk:<\/strong> Even if it\u2019s not PHI, are you running outreach in a way that creates regulatory, reputational, or deliverability problems?<\/li>\n<\/ul>\n<p>A procurement-ready way to handle the question is to break it into four checks:<\/p>\n<ol>\n<li><strong>What data is in scope?<\/strong> Provider recruiting contact data (business 
contact details, professional history) vs. patient information.<\/li>\n<li><strong>What systems touch it?<\/strong> Where data is stored, who can access it, and how it\u2019s logged.<\/li>\n<li><strong>What is the intended use?<\/strong> Recruiting outreach to clinicians, not patient care, billing, or clinical operations.<\/li>\n<li><strong>What controls exist?<\/strong> Opt-out\/suppression, consent signals where applicable, and auditability.<\/li>\n<\/ol>\n<h3><span class=\"ez-toc-section\" id=\"Procurement_clarification_%E2%80%9CAre_you_a_covered_entity_or_business_associate%E2%80%9D\"><\/span>Procurement clarification: \u201cAre you a covered entity or business associate?\u201d<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>In a recruiting-only workflow that uses provider contact data and <strong>no patient data<\/strong>, vendors <em>may<\/em> not be acting as a HIPAA business associate when no PHI is involved. Role and applicability are fact-specific\u2014procurement should have counsel confirm based on the workflow and contracts.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Step-by-step_method\"><\/span>Step-by-step method<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Step_1_Classify_the_data_youre_actually_using_field-level\"><\/span>Step 1: Classify the data you\u2019re actually using (field-level)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Start by listing the exact fields your recruiting workflow uses. For clinician recruiting, common fields include name, specialty, practice location, employer\/affiliation, and professional contact channels.<\/p>\n<p>High-level distinction (for reviewers):<\/p>\n<ul>\n<li><strong>Provider contact data:<\/strong> Information used to reach a clinician about a job opportunity (e.g., work email, office phone, specialty). 
This is generally not patient PHI.<\/li>\n<li><strong>PHI:<\/strong> Individually identifiable health information about a patient, in connection with care or payment, as defined under HIPAA. For baseline definitions, see <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/privacy\/index.html\" target=\"_blank\" rel=\"noopener\">HHS HIPAA Privacy Rule overview<\/a>.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Step_2_Identify_what_would_change_this_into_a_HIPAA-scoped_workflow_risk_flags\"><\/span>Step 2: Identify what would change this into a HIPAA-scoped workflow (risk flags)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Procurement should explicitly ask whether any of these are created, received, maintained, or transmitted in the recruiting workflow:<\/p>\n<ul>\n<li>Patient identifiers or patient-specific clinical details included in notes, attachments, or messages.<\/li>\n<li>Patient referral details stored in a system of record.<\/li>\n<li>Scheduling or operational data that includes patient identifiers.<\/li>\n<li>Any integration that pulls patient-related fields from clinical systems into recruiting tools.<\/li>\n<\/ul>\n<p>If any of the above is in scope, treat it as a different review path and involve counsel and security early.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Step_3_Confirm_the_%E2%80%9Cno_patient_data%E2%80%9D_boundary_in_writing\"><\/span>Step 3: Confirm the \u201cno patient data\u201d boundary in writing<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Ask the vendor (or your internal team) to state plainly:<\/p>\n<ul>\n<li>We process <strong>no patient data<\/strong> for recruiting outreach.<\/li>\n<li>We do not request or ingest patient charts, claims, diagnoses, or patient identifiers.<\/li>\n<li>We do not use recruiting outreach to infer patient conditions.<\/li>\n<\/ul>\n<p>Also confirm what happens if a user tries to paste patient information into notes or messages. 
Reviewers should look for acceptable-use rules, monitoring, and the ability to remove content.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Step_4_Evaluate_outreach_compliance_controls_often_the_real_risk\"><\/span>Step 4: Evaluate outreach compliance controls (often the real risk)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Most recruiting outreach risk shows up in communications compliance and brand risk: calling\/texting rules, email rules, and honoring opt-outs quickly.<\/p>\n<p>Procurement should verify:<\/p>\n<ul>\n<li><strong>Suppression\/opt-out:<\/strong> A durable \u201cdo not contact\u201d mechanism that applies across campaigns and users.<\/li>\n<li><strong>Source transparency:<\/strong> Where contact data came from and how it\u2019s refreshed.<\/li>\n<li><strong>Auditability:<\/strong> Who contacted whom, when, and through what channel.<\/li>\n<li><strong>Respectful messaging patterns:<\/strong> Clear identification, purpose, and a clean exit path.<\/li>\n<\/ul>\n<p>The trade-off: tighter controls can reduce raw outreach volume, but they usually improve deliverability and connectability and reduce escalations that slow hiring down.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Step_5_Require_standard_metrics_so_you_can_see_control_not_chaos\"><\/span>Step 5: Require standard metrics (so you can see control, not chaos)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Even for a trust review, you should require basic measurement. 
Use these canonical definitions:<\/p>\n<ul>\n<li><strong>Connect Rate<\/strong> = connected calls \/ total dials (e.g., per 100 dials).<\/li>\n<li><strong>Answer Rate<\/strong> = human answers \/ connected calls (e.g., per 100 connected calls).<\/li>\n<li><strong>Deliverability Rate<\/strong> = delivered emails \/ sent emails (e.g., per 100 sent emails).<\/li>\n<li><strong>Bounce Rate<\/strong> = bounced emails \/ sent emails (e.g., per 100 sent emails).<\/li>\n<li><strong>Reply Rate<\/strong> = replies \/ delivered emails (e.g., per 100 delivered emails).<\/li>\n<\/ul>\n<p>Measure this by requiring a weekly export or dashboard view that shows these metrics by channel, by campaign, and by sender identity, plus a log of opt-outs and complaints.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Step_6_What_procurement_should_request_artifacts\"><\/span>Step 6: What procurement should request (artifacts)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>If you want a review that holds up later, request artifacts you can file:<\/p>\n<ul>\n<li><strong>Data inventory:<\/strong> field list + purpose for each field (recruiting outreach).<\/li>\n<li><strong>System touchpoints:<\/strong> where data is stored\/processed and who has access.<\/li>\n<li><strong>Retention &amp; deletion:<\/strong> retention schedule and deletion mechanism.<\/li>\n<li><strong>Suppression proof:<\/strong> sample suppression export, plus a documented \u201cpropagation test\u201d showing suppression applies across users\/campaigns.<\/li>\n<li><strong>Audit log sample:<\/strong> a redacted outreach event export (who\/when\/channel) and opt-out log export.<\/li>\n<li><strong>Acceptable-use policy:<\/strong> including prohibition on uploading patient information.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Diagnostic_Table\"><\/span>Diagnostic Table:<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>Visual note:<\/strong> This section is designed to be used as a Do\/Don\u2019t 
table in procurement review.<\/p>\n<div class=\"table-scroll\" style=\"overflow:auto;-webkit-overflow-scrolling:touch;width:100%\">\n<table class=\"separated-content\">\n<thead>\n<tr>\n<th>Question procurement asks<\/th>\n<th>What \u201cgood\u201d looks like<\/th>\n<th>Red flags<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Are you handling PHI under HIPAA?<\/td>\n<td>Vendor states recruiting workflow uses provider contact data and <strong>no patient data<\/strong>; scope is documented; escalation path if PHI is accidentally introduced.<\/td>\n<td>Vague \u201cyes we\u2019re HIPAA\u201d marketing language without defining data scope; inability to describe what data is stored.<\/td>\n<\/tr>\n<tr>\n<td>Are you a covered entity or business associate in this use case?<\/td>\n<td>Vendor explains role based on workflow boundaries and contracts; procurement confirms with counsel; no PHI in recruiting-only scope.<\/td>\n<td>Overconfident blanket statements; refusal to describe data flows.<\/td>\n<\/tr>\n<tr>\n<td>What data fields are stored?<\/td>\n<td>Clear list of fields; purpose limitation (recruiting outreach); retention and deletion policy.<\/td>\n<td>\u201cWe store whatever users upload\u201d with no controls; no retention policy.<\/td>\n<\/tr>\n<tr>\n<td>How do you handle opt-outs and stop requests?<\/td>\n<td>Central suppression list; immediate enforcement across users; documented workflow for \u201cstop\u201d requests.<\/td>\n<td>Opt-outs handled per-user only; delays; no audit trail.<\/td>\n<\/tr>\n<tr>\n<td>How do you reduce spam\/harassment risk?<\/td>\n<td>Respectful language patterns; frequency caps; identity disclosure; easy exit; escalation for complaints.<\/td>\n<td>Encouraging repeated contact after a clear \u201cstop\u201d; no frequency controls.<\/td>\n<\/tr>\n<tr>\n<td>How do you prove outreach quality?<\/td>\n<td>Metrics tracked with standard definitions (connect\/answer\/deliverability\/bounce\/reply) and reviewed regularly.<\/td>\n<td>No measurement; 
only vanity metrics like \u201cemails sent.\u201d<\/td>\n<\/tr>\n<tr>\n<td>What\u2019s the differentiator for reaching clinicians?<\/td>\n<td>Operationally: better routing and prioritization (e.g., Heartbeat.ai has <strong>ranked mobile numbers by answer probability<\/strong>).<\/td>\n<td>Claims of guaranteed reach or implied harassment enablement.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h2><span class=\"ez-toc-section\" id=\"Weighted_Checklist\"><\/span>Weighted Checklist:<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Use this as a scoring sheet during vendor review. Total 100 points.<\/p>\n<ul>\n<li><strong>(25) Data scope clarity:<\/strong> Written statement of provider contact data vs PHI; explicit <strong>no patient data<\/strong> boundary; documented handling if PHI is accidentally introduced.<\/li>\n<li><strong>(20) Opt-out &amp; suppression:<\/strong> Central suppression list; applies across channels; immediate enforcement; exportable audit log.<\/li>\n<li><strong>(15) Outreach governance:<\/strong> Frequency caps; role-based access; campaign approvals; complaint handling.<\/li>\n<li><strong>(15) Measurement &amp; reporting:<\/strong> Connect Rate, Answer Rate, Deliverability Rate, Bounce Rate, Reply Rate tracked with denominators and trend lines.<\/li>\n<li><strong>(10) Source transparency:<\/strong> Data provenance; refresh cadence; correction process.<\/li>\n<li><strong>(10) Security basics:<\/strong> Access controls, logging, and incident response contacts.<\/li>\n<li><strong>(5) Documentation quality:<\/strong> Clear acceptable-use policy and reviewer-ready answers.<\/li>\n<\/ul>\n<p>Passing guidance: if a tool scores low on suppression\/opt-out, it will create downstream risk regardless of whether HIPAA applies.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Outreach_Templates\"><\/span>Outreach Templates:<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>Visual note:<\/strong> Use these as respectful language 
examples. They are designed to reduce complaints and make \u201cstop\u201d handling unambiguous.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Email_template_first_touch\"><\/span>Email template (first touch)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><strong>Subject:<\/strong> Quick question about your next role<\/p>\n<p><strong>Body:<\/strong> Hi Dr. [Last Name] \u2014 I recruit physicians in [Specialty\/Service Line]. Are you open to hearing about a [Role Type] opportunity in [Location\/Health System]? If not, reply \u201cno\u201d and I won\u2019t follow up.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Text_template_only_where_appropriate_for_your_program\"><\/span>Text template (only where appropriate for your program)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Hi Dr. [Last Name] \u2014 this is [Name] recruiting for [Org]. Are you open to a quick call about a [Role] in [Location]? Reply STOP to opt out.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Voicemail_template\"><\/span>Voicemail template<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Hi Dr. [Last Name], this is [Name] with [Org]. I\u2019m calling about a [Role] opportunity in [Location]. If you\u2019re not interested, no problem\u2014tell me and I\u2019ll close the loop. My number is [Callback].<\/p>\n<h3><span class=\"ez-toc-section\" id=\"%E2%80%9CStop_request_handling%E2%80%9D_mini-flow_uniqueness_hook\"><\/span>\u201cStop request handling\u201d mini-flow<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><strong>Visual note:<\/strong> This is the stop request handling mini-flow procurement should require.<\/p>\n<ol>\n<li><strong>Candidate says \u201cstop\u201d (any channel):<\/strong> Treat as an opt-out request immediately.<\/li>\n<li><strong>Confirm once:<\/strong> \u201cUnderstood\u2014I\u2019ll mark you as do-not-contact. 
If you ever want to reconnect, you can reply anytime.\u201d<\/li>\n<li><strong>Suppress:<\/strong> Add to a central suppression list (email + phone) tied to the identity, not just the campaign.<\/li>\n<li><strong>Propagate:<\/strong> Ensure suppression applies across all users\/teams and future sequences.<\/li>\n<li><strong>Log:<\/strong> Record timestamp, channel, and who processed it for audit.<\/li>\n<li><strong>Review:<\/strong> If the stop came with a complaint, review the prior touches for frequency and tone; adjust templates and caps.<\/li>\n<\/ol>\n<h2><span class=\"ez-toc-section\" id=\"Common_pitfalls\"><\/span>Common pitfalls<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"1_Treating_%E2%80%9CHIPAA%E2%80%9D_as_a_checkbox_instead_of_scoping_the_data\"><\/span>1) Treating \u201cHIPAA\u201d as a checkbox instead of scoping the data<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Reviews go sideways when teams argue labels instead of listing data fields and system boundaries. Start with: what data is stored, where, and why.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"2_Letting_users_paste_sensitive_information_into_free-text_fields\"><\/span>2) Letting users paste sensitive information into free-text fields<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Even if your intent is recruiting, free-text notes can accidentally capture sensitive details. Require acceptable-use rules, training, and a removal\/escalation path.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"3_Weak_opt-out_handling_the_fastest_way_to_create_escalations\"><\/span>3) Weak opt-out handling (the fastest way to create escalations)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>If a clinician says \u201cstop\u201d and gets contacted again, you\u2019ve created a reputational incident. 
Central suppression and audit logs are non-negotiable.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"4_Measuring_the_wrong_things\"><\/span>4) Measuring the wrong things<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u201cEmails sent\u201d is not a control metric. Require deliverability, bounce, and reply rates (with denominators) and review trends by sender and campaign.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_to_improve_results\"><\/span>How to improve results<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Improvement here means: fewer complaints, better reach, and faster recruiter throughput\u2014without increasing risk.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"1_Put_suppression_first_then_scale\"><\/span>1) Put suppression first, then scale<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Before you expand outreach volume, confirm suppression works across channels and users. Tie suppression to the person (identity) and contact points (email\/phone), and keep it exportable for audits.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"2_Standardize_measurement_and_review_cadence\"><\/span>2) Standardize measurement and review cadence<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><strong>Measurement instructions:<\/strong><\/p>\n<ul>\n<li>Track <strong>Deliverability Rate<\/strong> = delivered emails \/ sent emails (per 100 sent emails) weekly by sender domain and campaign.<\/li>\n<li>Track <strong>Bounce Rate<\/strong> = bounced emails \/ sent emails (per 100 sent emails) weekly; investigate spikes immediately.<\/li>\n<li>Track <strong>Reply Rate<\/strong> = replies \/ delivered emails (per 100 delivered emails) by template; retire templates that drive negative replies.<\/li>\n<li>Track <strong>Connect Rate<\/strong> = connected calls \/ total dials (per 100 dials) and <strong>Answer Rate<\/strong> = human answers \/ connected calls (per 100 connected calls) by time-of-day and number type.<\/li>\n<\/ul>\n<h3><span 
class=\"ez-toc-section\" id=\"3_Data_minimization_reduces_risk_and_review_time\"><\/span>3) Data minimization (reduces risk and review time)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Store only what you need to run outreach and honor suppression:<\/p>\n<ul>\n<li>Keep recruiting contact fields and outreach logs; avoid collecting unrelated sensitive details.<\/li>\n<li>Limit free-text fields or enforce acceptable-use rules so patient information does not enter the system.<\/li>\n<li>Prefer centralized suppression over scattered \u201cnotes\u201d that are hard to audit.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"4_Use_respectful_language_patterns_that_reduce_complaints\"><\/span>4) Use respectful language patterns that reduce complaints<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Make the exit path explicit (\u201creply no,\u201d \u201creply STOP\u201d), identify yourself and the organization, and avoid repeated follow-ups after a clear decline. This improves both compliance posture and recruiter efficiency.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"5_Align_procurement_controls_with_recruiting_workflow_reality\"><\/span>5) Align procurement controls with recruiting workflow reality<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Controls should not force recruiters into shadow tools. If the approved system makes opt-outs hard, people will route around it. Approve the workflow that makes the compliant path the easiest path.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Legal_and_ethical_use\"><\/span>Legal and ethical use<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Whether HIPAA applies depends on facts and roles (for example, covered entity\/business associate) and how data is handled. 
For HIPAA basics, see <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/privacy\/index.html\" target=\"_blank\" rel=\"noopener\">HHS HIPAA Privacy Rule overview<\/a> and confirm applicability with your counsel.<\/p>\n<p>Separately, recruiting outreach must follow applicable communications and privacy rules. Two common U.S. references procurement teams review:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.fcc.gov\/general\/telephone-consumer-protection-act-1991-tcpa\" target=\"_blank\" rel=\"noopener\">FCC overview of the Telephone Consumer Protection Act (TCPA)<\/a><\/li>\n<li><a href=\"https:\/\/www.ftc.gov\/business-guidance\/resources\/can-spam-act-compliance-guide-business\" target=\"_blank\" rel=\"noopener\">FTC CAN-SPAM Act compliance guide<\/a><\/li>\n<\/ul>\n<p>Ethically: do not pressure clinicians, do not misrepresent identity, and honor opt-outs immediately. Build systems that prevent repeat contact after a stop request.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Evidence_and_trust_notes\"><\/span>Evidence and trust notes<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Heartbeat.ai publishes how we think about trust, sourcing quality, and reviewable claims here: <a href=\"http:\/\/heartbeat.ai\/resources\/resources\/trust-methodology\/\">Trust methodology<\/a>. 
If you\u2019re doing a vendor assessment, start there and map it to your internal controls.<\/p>\n<p>External references commonly used in procurement reviews:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.fcc.gov\/general\/telephone-consumer-protection-act-1991-tcpa\" target=\"_blank\" rel=\"noopener\">FCC: TCPA overview<\/a><\/li>\n<li><a href=\"https:\/\/www.ftc.gov\/business-guidance\/resources\/can-spam-act-compliance-guide-business\" target=\"_blank\" rel=\"noopener\">FTC: CAN-SPAM compliance guide<\/a><\/li>\n<\/ul>\n<p>Related internal resources you may want in the same review packet:<\/p>\n<ul>\n<li><a href=\"http:\/\/heartbeat.ai\/resources\/resources\/trust-methodology\/data-ethics-acceptable-use\/\">Data ethics and acceptable use policy<\/a><\/li>\n<li><a href=\"http:\/\/heartbeat.ai\/resources\/resources\/recruiting-compliance\/\">Recruiting compliance overview for outreach programs<\/a><\/li>\n<li><a href=\"http:\/\/heartbeat.ai\/resources\/resources\/company\/contact\/\">Contact Heartbeat.ai for security\/procurement review<\/a><\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"FAQs\"><\/span>FAQs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Does_recruiting_outreach_involve_PHI\"><\/span>Does recruiting outreach involve PHI?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Often, no. Recruiting outreach typically uses provider contact data (professional identifiers and contact channels). PHI is individually identifiable health information about a patient, in connection with care or payment. 
Confirm your exact data fields and workflow with counsel.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"What_should_procurement_ask_a_recruiting_data_vendor_to_provide\"><\/span>What should procurement ask a recruiting data vendor to provide?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Request a field-level data inventory, system touchpoints, retention\/deletion approach, suppression\/opt-out workflow (with export), and audit logs for outreach and opt-outs.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"What_would_make_a_recruiting_workflow_higher_risk_under_HIPAA\"><\/span>What would make a recruiting workflow higher risk under HIPAA?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>If patient identifiers or patient-specific clinical details enter the workflow (for example, in notes, attachments, or integrations pulling patient fields), treat it as a different review path and involve counsel and security early.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"How_should_we_handle_%E2%80%9CSTOP%E2%80%9D_requests_from_clinicians\"><\/span>How should we handle \u201cSTOP\u201d requests from clinicians?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Process immediately, confirm once, add the person to a central suppression list across channels, propagate to all users\/campaigns, and log the action for audit. 
Do not continue outreach after a clear stop.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"What_metrics_indicate_an_outreach_program_is_under_control\"><\/span>What metrics indicate an outreach program is under control?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>At minimum: Deliverability Rate (delivered\/sent), Bounce Rate (bounced\/sent), Reply Rate (replies\/delivered), Connect Rate (connected\/total dials), and Answer Rate (human answers\/connected calls), each reported with denominators and trends.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Where_can_we_review_Heartbeatais_trust_approach\"><\/span>Where can we review Heartbeat.ai\u2019s trust approach?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Start with our <a href=\"http:\/\/heartbeat.ai\/resources\/resources\/trust-methodology\/\">trust methodology<\/a>, then review our <a href=\"http:\/\/heartbeat.ai\/resources\/resources\/trust-methodology\/data-ethics-acceptable-use\/\">acceptable use<\/a> and your internal outreach compliance requirements.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Next_steps\"><\/span>Next steps<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li>If you\u2019re in procurement: use the <strong>Diagnostic Table<\/strong> and <strong>Weighted Checklist<\/strong> above as your review worksheet.<\/li>\n<li>Draft your approval memo using: data inventory, system touchpoints, retention\/deletion, and suppression + audit log exports.<\/li>\n<li>If you need policy alignment: read <a href=\"http:\/\/heartbeat.ai\/resources\/resources\/trust-methodology\/data-ethics-acceptable-use\/\">data ethics and acceptable use<\/a> and <a href=\"http:\/\/heartbeat.ai\/resources\/resources\/recruiting-compliance\/\">recruiting compliance<\/a>.<\/li>\n<li>If you want to evaluate Heartbeat.ai in your workflow: <a href=\"https:\/\/heartbeat.ai\/signup\" target=\"_blank\" rel=\"noopener\">create an account to review the product<\/a> or route questions through <a 
href=\"http:\/\/heartbeat.ai\/resources\/resources\/company\/contact\/\">our contact page<\/a>.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"About_the_Author\"><\/span><b>About the Author<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><a href=\"http:\/\/heartbeat.ai\/resources\/author\/ben-argeband\"><span style=\"font-weight: 400;\">Ben Argeband<\/span><\/a><span style=\"font-weight: 400;\"> is the Founder and CEO of Swordfish.ai and Heartbeat.ai. With deep expertise in data and SaaS, he has built two successful platforms trusted by over 50,000 sales and recruitment professionals. Ben&#8217;s mission is to help teams find direct contact information for hard-to-reach professionals and decision-makers, providing the shortest route to their next win. Connect with Ben on <\/span><a href=\"https:\/\/www.linkedin.com\/in\/ben-m-argeband-2427a8a3\/\"><span style=\"font-weight: 400;\">LinkedIn<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>","protected":false},"excerpt":{"rendered":"<p>Procurement-ready clarification on HIPAA and recruiting contact data: separate provider contact info from PHI, document the no patient data boundary, and verify opt-out, audit, and outreach controls.<\/p>","protected":false},"author":5,"featured_media":54164,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_yoast_wpseo_focuskw":"HIPAA and recruiting contact data","_yoast_wpseo_title":"HIPAA and recruiting contact data: procurement clarification | Heartbeat.ai","_yoast_wpseo_metadesc":"Procurement-focused guidance on HIPAA and recruiting contact data: provider contact info vs PHI, no patient data boundary, opt-out handling, audit logs, and outreach compliance controls.","_custom_permalink":"trust-methodology\/not-hipaa-no-patient-data","footnotes":""},"categories":[1],"tags":[],"acf":[]}