When it comes to HIPAA violations and your practice, the best thing to do is err on the side of caution to avoid being one of the 230,000+ reported HIPAA rule complaints since April of 2003. Even still, there are plenty of HIPAA-related questions that can crop up as you try to implement your marketing strategy, so this article features answers to common HIPAA questions from a legal expert Florida Healthcare Law Firm attorney Jacqueline A. Bain HIPAA-related questions from practice managers around the country.
Please note: the following does not qualify as legal advice and rules and regulations may vary by state. If you have any questions, you should consult an attorney in your state.
Sending Automated Voice Messages and Emails
A practice manager asked: “We were discussing the idea of sending a specific campaign to folks we know had a cosmetic procedure and then following up with automated messages to try to get them to convert into doing another procedure. Is that a HIPAA violation because we’re leveraging their health data to market a procedure?”
Bain says that is a complicated question, so the right answer is a strong “maybe,” depending on the other procedure in question.
“If you’re trying to leverage them into a second procedure, is there a financial reason why you’re leveraging them to do that? For instance, if it’s a second procedure that includes Botox, is Botox giving you some financial incentive to do the second procedure? And if there is no financial incentive directly or indirectly, meaning you’re not benefiting from it financially, other than the patient paying for the procedure, then you are fine to follow up with an automated message to try to bring them back into wherever you’re treating them,” she continues.
When it comes to following up with an automated message via phone or email, the answer is much the same, and it depends on where you’re leaving the automated message.
She says, “If you’re going to be leaving it on a voicemail, you’re probably okay under HIPAA. But if you’re going to be leaving it on something like a public answering machine, it might not be necessarily something that the patient wants her husband to know about, or her father to know about or anything like that. If you’re going to be emailing your current patients because of something they’ve had done in the past, that’s a form of communication that has to be encrypted from end-to-end communication under HIPAA. So that means that only the person sending and the person receiving understand what they’re seeing.”
Monthly Email Newsletters
A practice manager asked: “What types of messages are acceptable to send in monthly email newsletters? Is just sending an email newsletter by itself a HIPAA violation?”
An email newsletter is not normally a HIPAA violation. The only way it could be is if you’re receiving any financial remuneration for sending the email (such as someone sponsoring the email message) or if it contains sensitive patient data.
Bain says to help ensure legitimacy. It’s best to put your email communication plans in the notice of privacy practices and include it in a separate document where patients consent to receive the messages.
Patient Testimonials
A practice manager asked: “We’ve been doing patient testimonials and having them sign a video waiver. By signing this waiver for the video, does that also give us permission to include the image studies, and chart information, and everything associated with that case if deemed necessary?
Believe it or not, the answer is that even though they signed the video release for their likeness, they didn’t sign one to include image studies and other necessary items to produce the testimonial unless it’s specifically outlined on the form they signed.
“Having a patient sign a testimonial and a video waiver doesn’t necessarily mean that the patient understands that their entire chart might be visible, or portions of their chart might be visible to the public who’s on the receiving end of that video. In an ideal world, your video waiver would have something along the lines of, ‘And you can use my entire medical record as a backup to this video testimonial,’” says Bain.
“What I like to say to people who want to use patient testimonials is to have a sign or something in your waiting room that says, ‘We love patient testimonials. If you’re interested, please approach us and ask.’ So that way the patient has the option of asking to participate, or not, rather than being in an uncomfortable situation where somebody asks them to participate, and them having to say yes or no,” she adds.
Staying on the topic of patient testimonials and video/photo releases, how long should a practice keep the patient’s release?
You are wise to keep them as long as you plan to use the video, according to Bain – and you may even want to keep them a few years after you plan on using the video, so you’re protected.
“You want to make sure that you have the backup in place if somebody comes back and says, ‘I didn’t want that. I didn’t want whatever you’re using.’ You can say, ‘Well, you signed the release,’ and you have it on hand,” she says.
Data Breaches
A practice manager asked: “Do data breaches count as HIPAA violations?”
Absolutely. If someone has been in your files, and you did not permit them to be there, that would likely be counted as a HIPAA breach by the Office for Civil Rights (OCR), which is a division of Health and Human Services.
“Just so everybody is aware, most states also have a state version of HIPAA. Here in Florida, it’s called the Florida Information Protection Act. So you not only have to report to OCR if you’ve got a data breach or a HIPAA violation, but you also need to report to wherever your state tells you to report as well. And often the state timelines are a lot tighter than the federal timelines,” says Bain. “So you want to be sure as soon as you recognize you have a breach, you want to get legal help involved to determine exactly who you need to report to and how you need to report.”
Texting PHI Between Physicians (Need to Send Patients Texts?)
A practice manager asked: “My docs sometimes text PHI back and forth on their phones. I know that’s a HIPAA violation, but how can I get them to stop? Any advice there?”
Bain says this is incredibly common and something they run across all the time. Physicians know enough to be scared about HIPAA, but when it comes down to brass tax, it’s just easier for them to text around images or PHI, so patients are treated faster.
“The only way you can get them to stop is by putting a policy in place and disciplining them for continuing to violate that policy. Whether that means you’re holding up pay, or you’re putting the notes to file,” she says. “Repeated violations of HIPAA actually increase your sanctions. If OCR ever comes in and says, ‘You’ve reported a breach, or somebody complained about a breach, let us look through everything else that’s ever happened in your business.’ You’re able to show that you knew your doctors were texting back and forth and did nothing about it. It actually increases your level of culpability, which increases your potential penalties under HIPAA.”
The best thing to do? Scare them into stopping. Then, provide a simple solution that allows for HIPAA-compliant text messaging.
“It’s a little bit more onerous than the text messaging you have on your regular cell phone, but it’s an easy way for physicians, and nurse practitioners, and PAs to text photos and things like that around without actually violating HIPAA” adds.
Photos From Years Ago on Social Media
A practice manager asked: “Sometimes our therapists will pose with patients once they’ve completed all their rehab so we can post a photo on social media. The patient consents, but we don’t have photo releases for everyone. Should we delete the ones we don’t have signed consent forms, even though the patient agreed, was happy, and is no longer in our care? Some of those are years old.”
Unfortunately, the answer here is that those old photos should be deleted if a release can’t be found.
Bain says, “Yes, a patient’s consent can be given orally; but the problem with oral consent is there’s no record of it. So if the patient does come back and says, ‘Why are you still using my photo? My life circumstances have changed. I was pleased when I gave you that oral consent, but now I’m not happy,’ you want to make sure that you’ve got the written consents in place to protect your practice.”
Talking About Patients
A practice manager asked: “I recently heard some staff gossiping about a patient within earshot of other patients. I don’t think they used her name, but is this a HIPAA violation if someone can put two and two together?”
It sure is. Bain says it’s best to regularly inform and remind staff about the implications of actions like this.
“You want to absolutely make sure that your staff understands again, that they are dealing with patients who are dealing with real life. So if you’re in a small town, and you’re using patient names, full names within earshot of other patients, you are absolutely putting yourself at risk of a complaint to OCR.”
To learn more or hear the answers directly from Bain, check out episode #208 of the DrMarketingTips Podcast.