Although healthcare providers are aware of the importance of engaging with patients online, many shy away from digital healthcare marketing for fear of accidentally violating the Health Insurance Portability and Accountability Act, or HIPAA. In fact, roughly 38 percent of providers claim that they do not respond to patient feedback because they are concerned about HIPAA compliance, according to PatientPop data.
A HIPAA violation can mean fines, sanctions, and even loss of license in extreme cases. In 2018, the U.S. Department of Health and Human Services (HHS) collected a record $28 million in HIPAA penalties. The agency recently announced, however, that it would set annual limits on fines based on culpability, meaning someone who was completely neglectful of HIPAA compliance would receive a larger fine than someone who has a process in place to abide by the law.
Regardless, providers must take special care never to reveal a patient’s protected health information, or PHI, without the patient’s written consent. In this blog post, we outline the varying types of protected health information to help you feel more confident about marketing your practice online while protecting your patients’ PHI.
Types of protected health information
Protected health information refers to anything that could reveal the identity of a patient. Although some types of PHI are fairly obvious — such as a patient’s name — others may be easier to accidentally reveal — such as a patient’s city or even county of residence. When writing a blog or social media post, take special care to never reveal the following health information.
Patient’s name or nickname
Using a patient’s name or nickname in marketing content is a HIPAA violation. Beyond names and nicknames, using a patient’s social media handle or anything else tied to how the patient is known exposes the patient’s PHI and is forbidden.
Address or geographical location
HIPAA requires healthcare workers to withhold almost all information about a patient’s address, because it is crucial PHI. Privacy laws also forbid disclosing any geographic information about a patient more detailed than the state level, including the patient’s city and county.
Dates
HIPAA protects almost all dates related to an individual and their healthcare treatment, including the date and time of a medical appointment and the patient’s age. Privacy laws forbid you from revealing any of the following patient PHI:
- Date of death
- Date of appointment
- Admission date
- Discharge date
- The exact age of a patient
Contact information and identifying numbers
Protected health information includes a patient’s contact information and any other number that could identify them. Here are a few important numbers that are considered part of a patient’s PHI that you should watch out for:
- Telephone number
- Fax number
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
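The identifier classes listed above that can be recognized by pattern alone (handles, emails, phone and fax numbers, SSNs, IP addresses, URLs, numeric dates, exact ages, and record or account numbers) lend themselves to a pre-publication check on a draft post. The following scanner is an added example, not PatientPop’s own tooling; the draft texts are constructed and the category names and regexes are assumptions. Names, cities, vehicles, and photos still need a human reviewer.

```python
import re

# Regexes for the PHI identifier classes that are detectable by pattern alone.
# (Constructed for this example; tune to your own practice's formats.)
PHI_PATTERNS = {
    "social media handle": re.compile(r"(?<![\w.])@[A-Za-z0-9_]{2,}"),
    "email address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "telephone/fax number": re.compile(
        r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "Social Security number": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "IP address": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "URL": re.compile(r"https?://\S+|\bwww\.\S+"),
    "date": re.compile(
        r"(?<!\d)(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})(?!\d)"),
    "exact age": re.compile(
        r"\b\d{1,3}[- ]year[- ]old\b|\bage\s+\d{1,3}\b", re.I),
    # Record-style identifiers: a label followed by a token containing a digit,
    # so plain phrases such as "account manager" are not flagged.
    "record/account number": re.compile(
        r"\b(?:MRN|medical record|account|beneficiary|health plan|license)"
        r"\s*(?:#|no\.?|number)?\s*:?\s*(?=[A-Z-]*\d)[A-Z0-9-]{5,}\b", re.I),
}


def scan_post(text):
    """Return {identifier class: [matched strings]} for every PHI-like hit."""
    findings = {}
    for label, pattern in PHI_PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            findings[label] = hits
    return findings


def is_safe_to_publish(text):
    """True only when the pattern scan finds nothing; human review still applies."""
    return not scan_post(text)


# Constructed sample drafts (no real patients).
DRAFT_UNSAFE = ("Great visit today with @janedoe42, a 67-year-old seen on "
                "03/14/2024. Questions? Call (555) 123-4567 or jane@example.com.")
DRAFT_SAFE = ("Thank you to everyone who attended our flu-shot clinic this fall. "
              "Our office is open Monday through Friday.")

if __name__ == "__main__":
    for label, hits in scan_post(DRAFT_UNSAFE).items():
        print(f"{label}: {hits}")
    print("safe to publish:", is_safe_to_publish(DRAFT_SAFE))
```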
Vehicle or device serial information
Revealing a patient’s license plate number is a clear HIPAA violation, but so is identifying any other information about their vehicle, including its color, make, or model. Be sure not to describe the vehicle in any way that others might recognize. In a small town, any detail about a vehicle could reveal a patient’s identity.
IP address, URLs, and social media
IP addresses, URLs, and social media handles are considered PHI and are protected under HIPAA. Make sure not to tag your patients or mention their usernames when sharing original content or commenting on other posts. You also want to take special care not to share their website information or their personal email addresses.
Fingerprint or voiceprint
Protected health information also includes a patient’s fingerprint and voiceprint. Even if you never share a patient’s face or name, you can’t use their voice in any promotional or other materials. HIPAA protects voices because they could identify patients. (Think of Gilbert Gottfried.)
Photographic images
When promoting your healthcare practice, you may want to feature photos of your patients on your website, but a patient’s image is also PHI and is protected under HIPAA. Under HIPAA, sharing a photographic image of a patient violates that patient’s privacy rights. This covers any photo of a patient, from a headshot to a picture of a hand or leg.
Anything else that compromises a patient’s identity
With enough detective work, most biographical information could reveal someone’s identity. Do not disclose a patient’s occupation, marital status, or information about their family, income, or race.
Additional tips for HIPAA PHI compliance
Most healthcare providers would never intentionally reveal protected health information, but it’s important to be mindful of everything you share online. If you’re taking a picture of your desk or going live on a social media account, protected health information may be visible in the background.
If you want to include your patients on any of your practice’s healthcare marketing materials, it’s important to speak to an attorney who can help create a set of best practices, including consent forms and retention of photographic rights. A patient must give you their written consent via the proper channels.
Although this post is intended to help healthcare providers, it should not replace the advice of legal counsel. Always consult your attorney or legal services team if you have doubts about whether your digital marketing efforts could violate HIPAA PHI or otherwise put your healthcare practice at risk.
Interested in responding to online reviews or building a social media presence without violating HIPAA? Download “The doctor’s guide to HIPAA-compliant digital marketing” for help.