July 8, 2020
Nowadays, you can shop online for anything – from chopsticks that double as LED lightsabers to a wig for your dog (seriously, we’re not kidding), and shopping online for a healthcare provider is no different. The internet plays a key role in a healthcare consumer’s decision making, in fact, according to a study released by the Pew Internet & American Life Project, “80 percent of Internet users, or about 93 million Americans, have searched for a health-related topic online.” Let’s face it, we use the internet for basically anything and everything nowadays especially as we continue to adapt in today’s COVID-19 world, which is why it’s important for your practice to understand what is and isn’t allowed when it comes to HIPAA compliance and online marketing.
Using online marketing as a tool can be extremely beneficial for practices. Most medical practices have a website and many use social media and email marketing as tools to reach potential patients – ensuring you are utilizing these platforms in a HIPAA compliant manner is imperative to marketing in the right ways while still ensuring the privacy of your patients and security of your practice.
Whether it be for your practice website, social media page, or advertisement – if you would like to use any type of patient information there are some strict guidelines to follow:
- Obtain written consent from the patient beforehand
- Remove all personally identifiable information from the post or content
- Ensure PHI is not present in any digital assets, such as photos of patients, text that includes PHI, or video
Your Practice Website
Having a HIPAA compliant website for your practice enables patients to search for information regarding the services that you provide, and ultimately drive new patients to you. The following are some key tips to follow when creating and maintaining the website for your practice:
- Whether it’s your website, an app, or your patient portal, encryption must be in place when PHI is sent or received, as well as when it is at rest.
- If your practice utilizes online contact or appointment request forms, make sure that the information collected is encrypted when stored, whether it’s on an internal server, hosted server or vendor application).
- Include an SSL certificate on your website – your IT provider can assist with this if you are unsure what an SSL certificate means.
- Store data on a HIPAA compliant server that has updated antivirus installed, a smart backup battery for power failures, offsite backup for redundancy, and firewalls for entry-level network protection.
- Ensure the website has your Notice of Privacy Practices and Privacy Policy visible and easily defined. Update these documents as necessary.
Email Marketing
If choosing to use email marketing to engage with patients there are some key safeguards you must take to ensure you’re protecting your patients’ information and aren’t setting yourself up for a HIPAA violation:
- Do not create a marketing campaign that utilizes any form of patient information without obtaining written permission first.
- If you choose to use a third-party marketing tool to send your emails, you must make sure that they are HIPAA compliant as well and you should have the proper Business Associate Agreement in place.
- When emailing content that contains PHI, it must be encrypted end-to-end.
- Never send email communications to patients who did not request it. You can simplify this authorization process by asking patients if they would like to receive emails from your practice on your sign-in sheet or patient consent forms.
- Always inform patients about the potential risks involved with email communications and the risks involved with sharing PHI electronically in general – no matter how secured and protected your practice is, breaches are always a potential concern.
Social Media
Nowadays social media platforms play a large role in consumers’ decision making. Having a strong social media presence can be a great asset to your practice, but in order to use social media to your advantage, you should follow these guidelines:
- Keep your personal social media accounts separate from your practice’s account.
- Refrain from personally friending or connecting with patients on social media sites.
- Even if a patient mentions your practice or their medical condition, treatment, or any other type of information publicly, you cannot respond to or repost the content in any way.
- If including a patient testimonial or picture for an advertisement, you should have a standard photo and video release form on hand to receive permission beforehand.
- Stay up to date on any changes to patient protection laws that may impact regulations surrounding social media use for your practice.
- Have a strong and updated social media policy for your practice to train your staff on what is and isn’t allowed to be posted. You can also establish roles and responsibilities for posting on your practice’s behalf.
- When posting something online, whether it be social media or your website – you should never include any identifiers that could link a patient to your practice. Some of these identifiers include:
- Names, email addresses, phone numbers, etc.
- Medical record information
- Full face photographs
- Other biometric identifiers
Where marketing regulations get tricky is patient reviews or comments on digital platforms. While patients are able to post a review or comment about your practice, you cannot respond in any capacity that ties the patient to your practice. A dental practice in Texas was faced with a $10,000 fine along with a 2-year corrective action plan after they responded to a patients’ Yelp review. The practice had responded to multiple reviews the investigation found, disclosing patient information including names, medical diagnoses, and more and was only hit with a small fine due to their immediate cooperation with the Office for Civil Rights.
On top of ensuring that you’re meeting all the criteria for a safeguarded online presence, you should also create a well-documented strategy that clearly outlines what’s permitted and what isn’t for your staff. This should cover the necessary policies and procedures for marketing to patient’s whether it is done online, over the phone, or in person.