Does marketing data trigger HIPAA Privacy?

You're walking into murky territory in that A/V content (such as a recorded or transcribed phone call) is wide open, so if I were in your shoes I'd apply stringent security/protocols to your CRM. If you record a phone call that starts with "Hi my name is [name] and I just contracted [disease] and will be undergoing [procedure]"...you've just captured and housed a LOT of PHI. Perhaps an end-run here (if applicable) would be to disclaim prior to capturing the phone call: "please do not talk about personal or confidential health matters" (kinda like the placards you might see in hospital elevators).

Your affiliation with customers who are HIPAA covered entities (if you end up transacting with PHI/PII) will make you a "business associate" (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html). Read about the contractual needs there between you and the covered entities.

Lastly, do your homework to make sure the access/info you provide is TRULY anonymous if it needs to be. Phone numbers, IP addresses, etc., are examples of PII (personally identifiable information) under HIPAA. NIST Guidance on PII: http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf (e.g. search for 'phone number'). Remember, though, if you are a business associate of a covered entity, you're allowed to exchange and/or use PHI under pre-defined rationale.

I don't think this is a complete answer, but here are some thoughts & links based on what you've described/asked that I believe should help.


HIPAA only applies to health information, primarily as it applies to the interactions between health care providers and health insurance agencies.

Unless I'm misunderstanding something, it doesn't sound like you're doing anything with health information, nor does it sound like your agency is a "covered entity" under HIPAA. You can take the "Am I a covered entity" quiz on the HIPAA website to learn more about it, but it doesn't sound like HIPAA applies to what you're doing.

(That doesn't mean you shouldn't protect the data anyway, just on general principle though :))


HIPAA does only apply to health insurance companies, providers, and such, but since you are a company providing resources to one of these covered entities, they may have a business requirement of compliance for their data (and any log files or other items that would be related to their business).

With that said, it can be a sticky situation as far as liability, and you need not only programmatic "compliance", but also your lawyers to look into what implications any breach or risks would have for everybody involved.