Guarding protected health information (PHI) is a full-time job for every member of your clinic. Marketing provides many opportunities to violate HIPAA, so marketers beware! Review the following carefully to stay compliant with HIPAA and avoid violating patient trust.
Notice: We are not attorneys and the following should not be interpreted as legal advice.Social Media Compliance Best Practices
Website Compliance Best Practices
Email Compliance Best Practices
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a federal law requiring national standards to protect sensitive patient health information from being disclosed without a patient’s consent or knowledge.
What is PHI?
PHI stands for protected health information and is any personally identifiable medical or payment information. This information includes names, social security numbers, addresses, email addresses, birth dates, and so much more. Visit HIPAA Journal to find more examples of PHI.
Social Media Compliance Best Practices:
When it comes to social media, HIPAA violations are a common occurrence. Not only do you have to be hyper-aware of the information shared on your clinic’s social media page but you also need to educate your team to prevent them from accidentally sharing patient information. Make it a priority to coach your team on the dangers of sharing patient images and information online to prevent your clinic from becoming an unflattering news story.
Receive written consent
No marketing communication is permitted unless the patient provides authorization. Before posting a patient testimonial, photo, video, or media assets, make sure you receive a signed HIPAA Release Form and Media Release Form.
Create a content strategy
Document what can and cannot be posted by your team members and provide regular training sessions. Outline the information that can be shared when a patient provides written consent and how the authorization forms are stored.
Be mindful of PHI
Even with written consent, be mindful of the information you are sharing. When posting photos of patients who have provided authorization, assess the objects in the image's background, like open laptops that may display unauthorized PHI.
Website Compliance Best Practices:
If your website stores patient information, it needs to be HIPAA compliant. For example, if you have an online portal, a live chat, online forms, contact forms, appointment schedulers, etc.—your site needs to be HIPAA compliant. Avoid costly fines and protect sensitive information by following these best practices:
Encrypt, encrypt, encrypt
Any data that can be found on your website needs to be encrypted. Encryption is the process of scrambling data so that only authorized parties can decrypt the data and convert it back into a readable format. Furthermore, ensure data containing PHI is stored on an encrypted server with off-site backup.
Sign on the dotted line
If you are using a trusted third party to store your data or build your website, make sure they sign a Business Associate Agreement (BAA). A BAA outlines each party’s responsibility when it comes to PHI and is vitally important for protecting your clinic and your vendor’s business.
Safeguard with SSL or TLS protection
SSL and TLS are cryptographic protocols that ensure data passed between client and server authentication is encrypted. Furthermore, search engines will view your website more favorably, boosting SEO. (A bonus is that your website’s URL will change from HTTP to HTTPS in a users’ browser). Click here to learn more about SSL and TLS.
Email Compliance Best Practices:
Emails have laws and regulations unrelated to HIPAA that you should review carefully. When it comes to PHI, many of the tips outlined above, apply to emails, such as:
Beware of PHI
Never use PHI in marketing emails without receiving explicit consent from patients involved. Before corresponding via email, get direct authorization from the patient in writing or an online intake form with e-signature capabilities.
Encrypt end-to-end
Emails containing PHI should be encrypted end-to-end, which means only the sender and the recipient have access to the email message. Most popular email providers are not encrypted end-to-end, so do your homework on any marketing automation platforms you have or consider implementing. Click here to read more about end-to-end encryption.
HIPAA and marketing come down to taking careful measures to protect patient’s sensitive information. Remember, like most marketing initiatives, you can get assistance from an agency to help ensure your clinic is 100% compliant.
Do you have a tip for protecting patient data? Leave a comment below.
To view the other posts in this blog series, click here.
Sign-up for our email list to stay up-to-date on the latest SPS happenings, O&P news, and more!