With nearly 90 percent of consumers searching online for health-related information, digital marketing has taken the medical industry by storm. But before you start planning out your marketing efforts, you must be aware of the laws regarding the sharing of patient-related information. As a practitioner, these laws are likely already top of mind, but digital marketing takes information sharing — and compliance issues — to a whole new level.
When the internet was still in its infancy, U.S. Congress passed the Health Information Portability and Accountability Act, commonly referred to as HIPAA. As you’re likely aware, this legislation details privacy and security regulations for protecting sensitive health information. And if you plan to market your practice digitally, you must comply with HIPAA rules.
So how can you leverage digital marketing to grow your patient base while remaining compliant with HIPAA laws? Here are a few strategies every practice owner should consider:
Importance of Obtaining a Business Associate Agreement
A business associate agreement is a contract between a HIPAA-covered entity and a vendor that details the types of protected health information that will be shared with the vendor. If you plan to use outside vendors for your digital marketing, it is imperative that each vendor signs a BAA.
This contract also details the appropriate technical, administrative and physical safeguards that must be in place to secure protected health information and comply with HIPAA law. These safeguards include data encryption standards, allowable use of PHI and allowable disclosures. In the event of a security breach, the contract also stipulates the actions that must be taken to notify the affected individuals and remedy the situation.
Because a BAA holds each vendor accountable for the proper use and disclosure of PHI, protect your practice by declining to work with vendors who are unwilling to sign one. Without a completed BAA in place, your practice can be held liable if the vendor violates HIPAA law. Keep in mind that only vendors who will have access to PHI must sign a BAA, but in digital marketing that applies to every engagement.
HIPAA Compliant Reputation Management
Responding to patient reviews is a key component of managing your practice’s reputation. Local business reviews are the online version of word-of-mouth advertising, and according to consumers, they’re a major deciding factor when it comes to selecting medical providers.
As a practice owner, you must make sure your reviews and responses accurately reflect your practice and services. However, when it comes to medical practice reviews, you must adhere to laws regarding protected health information and patient privacy. These laws make communicating with your audience a bit trickier, and if you inadvertently fail to follow them, you could face legal repercussions. How can you interact with your reviewers while remaining HIPAA compliant? Here’s what to do and what to avoid:
Define a Response Strategy
Work with your team to define a specific response template for both positive and negative reviews. Outlining a strategy will help everyone on your team determine how to address patient feedback, especially if it is negative. Keep your responses as neutral as possible, and in the case of negative reviews, refer the reviewer to your practice’s private messaging channels.
Take the Conversation Private
If you’ve received a particularly negative review, it can be tempting to try to clear your name online — but doing so may backfire. Instead, respond to the reviewer and ask that person to get in touch with you via alternative, HIPAA-compliant communication channels. Offer your email or phone number in your response, or ask them to stop by your office. When you personally address negative reviews, you may be able to persuade reviewers to edit or remove negative information. Plus, personally addressing patient concerns can work wonders for bolstering your reputation.
Avoid Sharing PHI Via Personal Messaging
Sharing personal information via social media messaging channels is a violation of HIPAA law. If a patient would like to discuss their concerns, and they contact you via private messaging, direct that person to the appropriate communication channel. If your employees manage your social media channels, instruct them to message patients — and even potential patients — using secure, HIPAA-compliant messaging.
Avoid Disclosing Specifics
When responding to patient reviews, whether positive or negative, don’t get into specifics. Don’t mention specific medical issues, names, outcomes or anything else that might identify the reviewer. Instead, convey general information and refer back to your practice policies. Thank the patient for their feedback, and express that your practice policy is to perform the best quality care for each patient you serve.
If you address the patient’s specific issue, acknowledge that the reviewer visited your practice, or even address that person by name, you are effectively confirming that you treated that patient, which is a glaring violation of HIPAA policy.
Avoid Sharing Photos
If you’ve had a particularly positive outcome with a patient, it can be tempting to share their photos in response to their positive review — but this is a definite HIPAA violation. Even if sharing a photo seems harmless, someone online may recognize the patient, which is a violation of the patient’s privacy and rights under HIPAA law.
HIPAA Compliant Chat
Live chat can be a great way to communicate with patients and prospects, provided your chat service is HIPAA compliant. According to recent marketing surveys, nearly 90 percent of consumers prefer communicating with businesses via live chat — so if you’re not currently using chat, chances are you’ll soon implement the service.
Whether you currently use a chat feature or you’re contemplating adding live messaging, a single incident of using unsecured communication services could land you a fine of up to $50,000. To protect your patients and your practice, it is critical that your chat service complies with HIPAA security rules. Here’s what to look for in a HIPAA-compliant chat service:
- Encryption of patient information
- HTTPS security
- Third-party HIPAA compliance certification
- Multi-factor user authentication
HIPAA Compliant Email Marketing
According to marketers, email has one of the highest ROIs of any marketing channel, with a whopping $44 return on every $1 spent. It can be a powerful marketing tool for your practice, but in many cases, it’s not necessarily a secure form of communication. Whether you plan to send out weekly newsletters or communicate one-on-one with your patients, follow these tips to stay HIPAA compliant:
Ensure End-to-End Encryption
Email services that encrypt messages only in transit don’t provide enough security to satisfy HIPAA’s stringent security rules, because the messages sit unencrypted once they are stored. End-to-end encryption, by contrast, ensures that emails are fully encrypted both in transit and at rest. With end-to-end encryption, access controls provide further security, allowing only the sender and the recipient access to each message.
The type of encryption matters, too. The Data Encryption Standard (DES) was long considered secure, but given more recent advances in computing, that is no longer a safe assumption. The Office for Civil Rights does not specify the type of encryption required for emails; however, it’s important to consult the current National Institute of Standards and Technology (NIST) recommendations.
For the vast majority of small practices or those lacking an in-house IT staff, a third-party, HIPAA-compliant email service provider will provide the best security protection.
While HIPAA rules regarding retention of patient emails are somewhat ambiguous — the law doesn’t detail email retention specifically — patients have the right to request information on disclosures of PHI. To ensure you can furnish this information in the event of a request, you must maintain an archive of patient communication emails.
Ideally, use an encrypted email archiving service, since HIPAA does require that electronic communications containing PHI be retained for a period of six years. State laws may also mandate that emails be stored for a specified time period, so you’ll need to review the laws pertaining to your location. When in doubt, seek legal advice.
Obtain Patient Consent Prior To Sending Emails
Even if you use a HIPAA-compliant email service provider, you must obtain consent from each patient if you plan to communicate ePHI via email. You are required to inform your patients of the inherent risks of communicating via email prior to sending any form of communication. Should your patients accept the risks and consent to email correspondence, you may send emails containing ePHI.
HIPAA Compliant Web Hosting
Many health care providers are looking for ways to streamline their processes by taking their data, IT infrastructure and applications online. But beware: Not every web hosting service complies with HIPAA security and privacy laws. As a healthcare provider, you must ensure that all PHI is properly secured, and if you’re using the web, a HIPAA compliant web hosting service is necessary.
When seeking secure web hosting services, keep in mind that there is no single HIPAA certifying body that can guarantee a hosting service meets HIPAA requirements. While third-party audits may be performed by HIPAA specialists, they provide only a brief glimpse of compliance, limited to a specific period of time. To ensure your hosting service meets HIPAA security and privacy laws, look for the following features:
- Multi-factor authentication controls
- Event log management
- Offsite backup storage and secure data backups
- Data recovery assistance
- Encrypted VPNs for handling PHI
- Intrusion prevention, including a robust firewall
- HIPAA-compliant data storage centers
- A service level agreement guaranteeing 100 percent server uptime and availability
If a web hosting service has undergone third-party HIPAA or HITECH assessments, this is typically a strong indication that the service is HIPAA compliant. While HIPAA compliance certification is not officially recognized, obtaining a certification of this type demonstrates a vendor’s commitment to providing secure web hosting.
HIPAA Compliant Web Design
If you plan to collect, store or transmit PHI on your website or on a server connected to your website, you must ensure HIPAA compliance. On your site, all in-motion and at-rest data must be encrypted. Examples of collected PHI include:
- Online patient forms
- Contact forms that include name, phone number, symptoms, medications, medical services or any other potentially identifying information.
- Live chat
- Patient testimonials and reviews
- Patient portals
Essentially, any information-collecting tool on your website must be fully encrypted to satisfy HIPAA rules. If you store PHI on a server, that server must also be encrypted and secure. Here’s how to ensure your website remains HIPAA compliant:
- Install an SSL/TLS certificate so your website is served over HTTPS.
- Implement multi-factor authentication that allows access only by authorized individuals.
- Partner with HIPAA-compliant web hosting services.
- Send emails via HIPAA-compliant email providers.
- Encrypt and secure all web forms on your site.
- Enact policies for PHI backup, deletion and restoration.
HIPAA Compliant Forms
Collecting PHI via online forms is incredibly convenient, especially if your office is looking to cut down on paper or move toward cloud storage. However, these forms must be properly secured and encrypted to comply with HIPAA security and privacy rules. If you don’t have an in-house IT staff to generate HIPAA-compliant forms, using a HIPAA-compliant form service is your best option. Here’s what to look for in a HIPAA-compliant form service:
- Access controls to ensure only authorized individuals may access sensitive form data.
- Automatic logout from administrative accounts used to access form data.
- Audit logs
- No PHI may be included in email communications if the service sends reports or notifications to administrators via email.
Keep in mind: You may elect to use a form service that is not prepared to sign a BAA. However, if you do not have a BAA with your form provider, you may not collect PHI via the forms that service creates.
HIPAA Compliant Social Media Use
If you’re implementing digital practice marketing, chances are you’ve dabbled in advertising your practice and services on social media. Whether that means sharing patient testimonials, educating your audience or even sharing photos, you must follow HIPAA law.
Because HIPAA law was enacted long before the advent of social media, there are no specific HIPAA rules regarding social platforms. However, according to HIPAA privacy rules, PHI — including names, testimonials, specific conditions and photos — may only be shared on social channels with the express written consent of the patient in question. Common violations to avoid include:
- Posting patient photos without written consent
- Posting any potentially identifiable information
- Sharing photos that contain PHI, even if those photos do not include people
- Sharing PHI or identifying information via private group or chat
- Patient gossip, even if a name is not included
One thing to note: You may use social media to post practice information, health tips, event details, staff information and marketing messages with no fear of repercussion, as long as your posts do not contain PHI.
Maintaining HIPAA compliance requires constant diligence and attention. Because technology is constantly changing, you must stay abreast of industry changes, along with amendments and additions to HIPAA rules. With the proper teams and agreements in place, you can take full advantage of digital marketing to grow your practice without the fear of legal repercussions.