Highly Visible HIPAA Violations

If everyone is doing it, it must be okay? Has the answer to this question ever been “yes”? The same answer applies when it comes to HIPAA compliance. Don’t do something because you see competitors and colleagues doing it. If you’re investigated you can’t use those examples as a defense.

Healthcare is a competitive business. Providers are under pressure to acquire and retain patients, and marketing is a natural way to grow a business. But marketing in healthcare needs to take HIPAA into account.

There are three areas where HIPAA violations run rampant. They are highly visible across the internet: on websites and in social media; in patient reviews; and with email and texting. Healthcare marketing consultants often misunderstand the rules and give incorrect advice about how to advertise for new patients, communicate with them and keep them engaged.

Be careful about taking advice from healthcare marketing advisors who say they are “HIPAA compliant” instead of listening to qualified HIPAA legal experts. If you are investigated for a HIPAA violation, the marketing consultant is not responsible – providers are legally responsible for their own practices. Learn the rules instead and stay compliant with HIPAA.

HIPAA’s enforcement office, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has made these rules clear. If you are not following the rules, prepare yourself for paying fines or being investigated. If a patient complains to OCR, or a data breach happens and you are investigated, these violations will stand out and could make the investigation more difficult. Ignorance of the law is not an excuse.

The good news is these HIPAA violations are easy to find and easy to fix.

HIPAA Rules Covering Websites and Social Media

HIPAA applies to websites owned by covered entities (providers, health plans and health care clearinghouses). Facebook is a website and subject to the same rules.

The two biggest violations we see are 1. the Notice of Privacy Practices is not posted, and 2. patient testimonials/reviews or patient photos are posted without a valid HIPAA authorization.

Here are two simple safeguards:

1. Post the Notice of Privacy Practices (NPP) prominently on the website homepage – a link to the full NPP is permissible, but the key is that it be obvious and visible.
2. Before posting any protected health information (e.g., testimonials, photos, patient reviews), obtain a valid HIPAA authorization.

HIPAA Rules for Emails and Texts to Patients

HIPAA is unambiguous about unencrypted communications with patients. From 2005 through 2020, the Privacy and Security Rules have made clear, and top enforcement officials at OCR and CMS (the Centers for Medicare and Medicaid Services) have stated that encryption is required for electronic communications unless patients have agreed to accept the risk of unencrypted communications. Even if patients email a provider before officially becoming a patient, they have not consented to unencrypted email as a form of communication. A covered entity must warn patients and obtain their express consent to use unencrypted communication beforehand.

The reason for this rule is that email and texts are easy to steal. Medical identity theft is a big business, and cyber thieves are searching for electronic communications between a provider and a patient to steal medical identity. It’s way too easy to steal if it’s unencrypted.

It turns out, most patients prefer unencrypted email or text, but as a covered entity under HIPAA, a provider is responsible for warning patients about the risk first, and documenting the patient’s decision.

Here is a simple 3-step safeguard:

1. The “Duty to Warn” – notify the patient there is some level of risk that an unencrypted email or text message can be read by someone else.
2. Let the patient decide – if they prefer unencrypted email or text, they have the right to receive them.
3. Document your warning and the patient’s decision in writing.

HIPAA Rules Covering Patient Reviews

Patients are not required to follow HIPAA, but providers are required to protect the security and privacy of all of their patients’ protected health information. This includes names, photographs, email address, along with fifteen other unique identifiers, in connection with the provision of healthcare.

For your own website, if you want to post testimonials, obtain a valid HIPAA authorization first. For reviews on independent sites like Yelp, simply don’t respond. For a Facebook page, since it belongs to you, consider using it a Facebook business page as an informational marketing similar to a regular website, and don’t permit comments or recommendations.

Here are simple patient review safeguards:

1. Do not confirm a person is a patient of your organization (unless you have a valid HIPAA Authorization to do so)
2. Turn off Facebook “recommendations” (formerly called reviews)
3. Do not respond online to independent reviews, e.g., Yelp, Healthgrades, WebMD, etc.
4. Or, if you feel you must respond – post a very neutral statement like, We provide all patients with good patient care.

Practical Advice from The HIPAA E-Tool^®

Our clients tell us about their practices and the everyday issues they face. We have solutions that fit to make HIPAA compliance second nature. Be sure the advice you receive is qualified when it comes to HIPAA.