HIPAA guidelines outline multiple types of Protected Health Information (PHI). PHI refers to anything — vague or specific — that could reveal the identity of a patient.[2] A physician or other healthcare worker who reveals a patient’s condition or treatment plan along with personally identifiable information has violated HIPAA, unless they have received prior written consent. Prior to HIPAA, no legislation existed that protected an individual’s health information.
Using a patient’s name or nickname is a HIPAA violation. In addition to names and nicknames, using a patient’s social media handle or anything related to the patient’s naming identity is forbidden.
HIPAA requires healthcare workers to withhold almost all information about the address of a patient. Privacy laws forbid disclosing any geographic information about a patient more detailed than the state level. Protected information includes a patient’s city and county, too.
You must carefully check anecdotal stories used in your marketing to ensure they do not inadvertently reveal geographical information.
For example, when posting generally on social media, a rheumatologist who treats a patient suffering from Lyme Disease must not reveal that their patient fell ill after visiting her family in Long Island, N.Y., where she suffered a tick bite. Why? That geographical information could allow others to identify the patient.
HIPAA protects almost all dates related to an individual and their medical treatment. Privacy laws forbid you from revealing any of the following:
This particular PHI frustrates many physicians who want to describe a case as a reference for other patients. For example, a fertility doctor who wants to blog about a certain case cannot include her patient’s age, even though that might help explain her patient’s concerns. HIPAA forbids revealing a specific age, so the doctor must compromise and give an age range (early 40s, for example) to describe her patient instead.
Reputable doctors would never intentionally give out a patient’s contact information, but what about by accident? Ever written a patient’s number on a Post-It for your afternoon callbacks? Make sure that protected information doesn’t get picked up in a candid photo that lands on your Instagram page. Here are a few important numbers to watch out for:
This information cannot be shared anywhere.
Be careful with paperwork lying around the office that might share these identifying pieces of information.
Remove any personal identifiers if there will be people coming around the office or if you’re doing a Facebook Live stream from your desk. Sweep the area before you “Go Live.”
Revealing a patient’s license plate number is a clear violation, but so is any identifying information about their vehicle. Be sure not to describe the vehicle in any way that might be identifiable to others. In a small town, any information about a vehicle could reveal a patient’s identity.
Even if you have permission to write a story or case study about one of your patients, you must still protect their identity. Don’t include their email address, link to their personal or business website, or mention their social media handle when you share your post.
You can’t host a recorded Q&A session with a patient (for instance, in a podcast) even if their face is never shown. HIPAA protects voices, too, because they identify patients easily.
HIPAA treats photographic images of a patient as protected information. A photograph of a hand or a leg counts, even if it seems less harmful than a headshot.
If you feel the need to use photographs to properly market your practice or educate patients, talk to your attorney about how to protect yourself and your practice.
A plastic surgery practice, for example, might want to use before-and-after photos in its marketing campaign to demonstrate its skills and services. An attorney can help the practice create a set of best practices for using photos in marketing campaigns, including consent forms and retention of photographic rights.
With enough detective work, most biographical information could reveal too much. Do not disclose a patient’s occupation, marital status, or information about their family, income, or race.
Digital marketing is an effective way to attract new patients and position yourself as an expert in your field. Keep the following HIPAA marketing concepts in mind when planning your posts, tweets, and shares. Don’t forget: HIPAA also applies when you’re using your website to engage with reviews.
Keep information about your patients’ cases as general as possible. Remember, even when telling a story anecdotally, you should never include specifics or PHI.
A good rule of thumb: If you wouldn’t say it in a coffee shop or a grocery store, you shouldn’t post it online.
Regularly posting on social media is a great tactic for engaging with your patients and establishing yourself as an expert in your field. Before posting pictures to platforms such as Instagram and Twitter, you should scan each photo to ensure it is free of potential privacy violations.
Perhaps you’re attending a webinar about this year’s flu virus during your lunch break. You grab a sandwich and a coffee and tune in at your desk. This is a great opportunity to snap a quick picture and share what you’re learning with your Instagram followers. But before you think up your catchy caption, you need to ensure there’s nothing in the photo that could get you into trouble.
How often do you have a Post-It note on your computer screen with a patient’s phone number written on it? Or your afternoon files sprawled across your desk for you to review when you get a free moment? All of this information might be visible in the periphery of your otherwise innocuous Instagram post.
Here are a few other common photo violations to avoid:
A primary care physician would like to share a post on her practice’s Facebook business page about a patient she saw earlier in the day. Which of the following posts does not violate HIPAA?
Option 1: “A patient came in to see me recently because their thumb and wrist were causing a great deal of pain. I determined the pain was likely caused by overuse of a large smartphone. Repetitive scrolling and handling of these devices, although fun, is unnatural. The patient required a cortisone shot and might require a cast or brace soon. I urged this patient to try using a stylus pen or a desktop computer whenever possible.”
Option 2: “Earlier today, a 26-year-old who is on her phone all day for work as a social media coordinator came to me because her wrist and thumb were causing her a great deal of pain. I gave her a cortisone shot and suggested she do her work on a desktop computer rather than her phone. I believe repetitive scrolling on social media sites is causing inflammation of her tendon.”
The PCP should choose Option 1, as there is no mention of information that can help identify the patient. It is vague, but it still describes the situation.
Option 2 violates HIPAA. The post reveals exactly when the patient saw the doctor, her gender, her age, and her occupation. Option 1 tells the same story, but protects the patient’s identity. There is no mention of her age, her gender, her occupation, or when she saw her provider.
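A pre-publication screening check, added here as an example that is not part of the original guide, run over the two quiz posts above and a constructed draft. It flags the structured identifiers the guide enumerates (exact ages, dates and same-day references, phone numbers, e-mail addresses, social handles, links) plus any patient names the caller supplies, and applies the age-range compromise mentioned earlier. It cannot see the contextual identifiers that also sink Option 2 (gender, occupation), so it is a safety net before a human reviewer, not a substitute for one. The regular expressions, the Finding class and the "Jane Doe" draft are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Identifier categories taken from the types this guide lists (names, dates finer
# than a year, ages, phone numbers, e-mail addresses, social handles, web links).
# The regexes themselves are this example's assumptions, not text from HIPAA.
PATTERNS = {
    "age": re.compile(r"\b(\d{1,3})[- ]year[- ]old\b|\b(?:age|aged)\s+(\d{1,3})\b", re.I),
    "date": re.compile(
        r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"                      # 03/14/2019
        r"|\b(?:jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|jun(?:e)?|jul(?:y)?"
        r"|aug(?:ust)?|sep(?:t(?:ember)?)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)"
        r"\.?\s+\d{1,2}(?:st|nd|rd|th)?\b"                  # March 14, Sept. 3rd
        r"|\b(?:earlier\s+)?(?:today|yesterday|tonight|this\s+(?:morning|afternoon|week))\b",
        re.I,
    ),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "handle": re.compile(r"(?<![\w.])@\w{2,}\b"),           # @handle, not the @ inside an e-mail
    "url": re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.I),
}


@dataclass(frozen=True)
class Finding:
    category: str   # which identifier type matched
    text: str       # the matched text
    start: int      # offsets into the draft, used for redaction
    end: int


def _dedupe(findings):
    """Keep the earliest, longest match where spans overlap, in reading order."""
    kept = []
    for f in sorted(findings, key=lambda f: (f.start, -f.end)):
        if not kept or f.start >= kept[-1].end:
            kept.append(f)
    return kept


def screen_post(text, known_names=()):
    """Return the identifier-like spans found in a draft post.

    known_names is a caller-supplied list of patient names to look for; the scanner
    has no way to recognise names, occupations, gender or city names on its own.
    """
    findings = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(category, m.group(0), m.start(), m.end()))
    for name in known_names:
        for m in re.finditer(r"\b" + re.escape(name) + r"\b", text, re.I):
            findings.append(Finding("name", m.group(0), m.start(), m.end()))
    return _dedupe(findings)


def redact_post(text, known_names=()):
    """Replace every finding with a bracketed category label, working from the end
    of the text backwards so earlier offsets stay valid."""
    out = text
    for f in reversed(screen_post(text, known_names)):
        out = out[:f.start] + f"[{f.category}]" + out[f.end:]
    return out


def age_to_range(age):
    """Coarsen an exact age to the kind of range the guide suggests ('early 40s').
    HIPAA's Safe Harbor method groups ages of 90 and over into a single category."""
    if age >= 90:
        return "90 or older"
    if age < 10:
        return "under 10"
    qualifier = ("early", "mid", "late")[min((age % 10) // 4, 2)]
    return f"{qualifier} {(age // 10) * 10}s"


# The two candidate posts from the guide's quiz (quoted from the page).
OPTION_1 = ("A patient came in to see me recently because their thumb and wrist were causing "
            "a great deal of pain. I determined the pain was likely caused by overuse of a "
            "large smartphone. Repetitive scrolling and handling of these devices, although "
            "fun, is unnatural. The patient required a cortisone shot and might require a cast "
            "or brace soon. I urged this patient to try using a stylus pen or a desktop "
            "computer whenever possible.")
OPTION_2 = ("Earlier today, a 26-year-old who is on her phone all day for work as a social "
            "media coordinator came to me because her wrist and thumb were causing her a great "
            "deal of pain. I gave her a cortisone shot and suggested she do her work on a "
            "desktop computer rather than her phone. I believe repetitive scrolling on social "
            "media sites is causing inflammation of her tendon.")
# A constructed draft (not from the page) carrying the structured identifiers the guide warns about.
CONSTRUCTED = "Call Jane Doe at (555) 010-2334 or jane.doe@example.com, or DM @janedoe_rn."

if __name__ == "__main__":
    for label, post in (("Option 1", OPTION_1), ("Option 2", OPTION_2), ("Constructed", CONSTRUCTED)):
        found = screen_post(post, known_names=("Jane Doe",))
        print(label, "->", [(f.category, f.text) for f in found] or "no findings")
    print(redact_post(CONSTRUCTED, known_names=("Jane Doe",)))
```

Option 1 produces no findings, Option 2 is flagged for "Earlier today" and "26-year-old", and the constructed draft is flagged for the name, phone number, e-mail address and handle. A clean result from the scanner means only that the structured identifiers are absent; the reviewer still has to read for gender, occupation, family details and geography below the state level.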
Similar to other media platforms, these are the most important HIPAA marketing rules to keep in mind:
Ensure testimonials and reviews posted directly to your website are posted voluntarily. No information can be posted without a patient’s consent if it is about them or if it is their testimonial or review.
Doctors and other healthcare providers take great pride in their work, so it can be disheartening to see a less-than-stellar review on one of their online profiles. But bad reviews happen occasionally, and it’s essential that you respond to them right away. Your response will likely resolve the issue, but just as importantly, it will show other potential patients that you are gracious and empathetic.
When responding to reviews on online profiles, it might be difficult to respond without revealing any identifying information. Stay calm and stay vague.
Never respond to the patient with their name or any identifying information. Additionally, do not discuss what service they were treated for.
Violating HIPAA on your review sites can hurt your online reputation and can potentially lead to other more severe consequences.
HIPAA does not prevent you from engaging with patients; it just means you have to be careful when doing so. Take precautions: do not refer to a patient by name without prior consent, and keep your conversations vague. Read on for more suggestions on how to engage online without violating HIPAA.
Bad reviews can happen to the best of us, but it’s essential to respond to them right away before further damage is done. When responding to a negative review, it’s important to keep HIPAA privacy laws in mind. It can be easy to forget when you’re in the midst of responding to a disgruntled patient.
Avoid confirming the reviewer is your patient, and never directly mention anything about the patient or the treatment and services.
Prepare a short and polite response, and acknowledge any misperceptions or inaccurate information. Here’s an example: “Thanks for bringing this to my attention. I understand you are frustrated. Would you mind giving me a call to discuss this matter? Thank you again for your honest feedback.”
If you would like to create your own template for responding to reviews, run it by your attorney.
Keep your message short and to the point to avoid violating HIPAA. The longer your response, the more likely you are to overshare protected information or appear defensive.
Why respond to the review at all? Your primary goal is to show other potential patients that you did everything you could to resolve the issue. You might also manage to repair the damaged relationship between your practice and the disgruntled patient.
If you are still struggling with how to respond to reviews, here are a few more suggestions:
Review: “I had an unpleasant experience at this doctor’s office. The staff was rude and no one was able to answer my questions. They do not focus on giving their patients personal time.”
HIPAA-compliant response: “Thank you for bringing this to our attention. Please call our office at [phone number], so we can better assist you.”
Review: “I saw the doctor 45 minutes after my appointment time due to filling out paperwork and the staff being behind schedule.”
HIPAA-compliant response: “Thank you for your feedback. Our patients’ convenience is our top priority. Via our patient portal, patients can fill out required documents ahead of time if they so choose. We would love to hear more about your experience. Please do not hesitate to give us a call at [phone number].”
Even when responding to positive reviews, it is important not to reveal any identifying information. If you decide to showcase a patient’s positive review on your website or blog, get written consent prior to sharing their feedback. When displaying their review, only use their first name and last initial.
Seventy-one percent of all internet users visited social media websites in 2017.[3] If you’ve set up business profiles for your practice, know that you might receive comments from current or prospective patients on those profiles.
Similar to when responding to an online review, never disclose protected health information when engaging on social media.
It might be a good idea to train your office staff on how to engage on social media without violating HIPAA.
Some scenarios where you would consider engaging with people on social media include:
With the information outlined here, doctors, dentists, and other healthcare providers should have a better understanding of HIPAA regulations and how they impact marketing. Use this information when marketing your practice or engaging with patients on social media, blogs, websites, and review sites. And remember, always consult your attorney or legal services team if you have doubts about whether your digital marketing efforts could violate HIPAA or otherwise put your practice at risk.