Online dental marketing: Staying HIPAA compliant in 2023
Adrian Lefler, October 17, 2022
Staying HIPAA compliant requires knowledge of HIPAA
regulations and changes or updates to the Privacy Rule. Adrian
Lefler of My Social Practice shares some of the common digital
marketing strategies for dental practices and how they should be
evaluated for HIPAA compliance.
Most dental practices are actively engaged in some strategy of digital
marketing. It could be sending out patient emails, writing blog posts, website
SEO, social media marketing or paid advertising.
The HIPAA Privacy Rule states that patients have specific controls over
whether their protected health information (PHI) is used for marketing
purposes. Most forms of dental digital marketing come in contact with
ePHI (electronic protected health information) and should be reviewed for
HIPAA compliance.
This post will discuss some of the common digital marketing strategies and
how they should be evaluated for dental HIPAA compliance.
HIPAA-compliant dental websites
HIPAA compliance in dental website design is only required if the website
collects, stores or transmits PHI. If your website only provides service-related
content, directions, dental biographies and contact information, then there is
no need for HIPAA compliance.
But, most websites have intake forms, patient photography, reviews, live chat,
email subscriptions, online payments, patient portals and online scheduling. If
your website has any of this content or functionality, it falls under the HIPAA
Privacy Rule.
To be safe, you should contact your dental website company and find out the
following:
- Do you have a business associate agreement (BAA) from your dental website company?
- Do you have sub-BAAs from third-party integration companies that collect, store or transmit ePHI? For example, online patient forms, scheduling, payments, etc.
- Are your website forms compliant? HIPAA has specific encryption requirements for ePHI being submitted through a patient form. In my experience most forms are not compliant.
- Is any ePHI stored with your website hosting company? If so, your hosting company must capture, transmit and store ePHI with the HIPAA encryption requirements mentioned above. And, you should get a BAA.
- Does your website have a prominently placed HIPAA Notice of Privacy Practices? And has a HIPAA attorney reviewed the notice for compliance?
- Is your website secure sockets layer (SSL) encrypted?
- Are your email servers encrypted?
For more detailed instructions, I recently wrote a HIPAA compliant dental
website guide that should help you out.
But if you can check the boxes above you’re in pretty good shape. There are
additional tasks associated with HIPAA compliance, but regarding your
website being HIPAA compliant, this list is a great start.
HIPAA compliance with patient photography
Patient photos that are identifiable in any way are considered PHI. Identifiable
PHI could be a patient in the background of a photo, name or initials,
identifiable birthmarks and tattoos.
Patient photography used internally for training and documentation does not
require HIPAA consent. But, if the photo is used externally for educational
purposes, i.e., at a seminar, a conference, or being sent to another medical
professional, you must get a signed HIPAA consent form from the patient.
An often-overlooked violation with patient photography is storage. The
camera on your cell phone is not encrypted. ePHI must be stored using an
approved encryption standard such as AES 256. If you take a photo using your cell phone
camera and then leave the office with the photo saved on your phone, you
violate HIPAA.
The solutions are the following:
- Get a signed HIPAA consent form with all patient photos.
- Take photos using a device that never leaves the office and is encrypted.
- Download a HIPAA-compliant photo app with approved encryption standards.
If you’d like to go with option three we’ve developed a HIPAA photo app as
part of our social media marketing services.
HIPAA-compliant social media marketing
Posting identifiable patient information to your social media accounts
requires written authorization from the patient for that specific photo.
Some dental practices have sped up the patient photo authorization process
with a single universal form. Usually this is a form that is included in the
materials that a new patient signs when they come to their first appointment
and allows the practice to use any photography for marketing purposes.
Many dentists feel that this ‘universal form’ checks off the HIPAA compliance
box, but it’s important to remember that the patient is the one who brings a
complaint.
If a patient doesn’t remember signing the form giving explicit authorization for
a social media post with their PHI, you have to ask yourself, “Have you really
checked the box?”
The best and safest action is to get a signed consent form for each photo you
post to your social media accounts.
HIPAA-compliant reputation management
Responding to online patient reviews is one of the most complicated areas of
HIPAA compliance. The HIPAA Privacy Act was enacted in 1996, long
before social media and online reviews.
The internet has taken over, and some of the laws in the HIPAA act seem out
of fashion. For example, a patient gives your practice a Google review and
mentions that they received an implant. According to HIPAA, you are not
allowed to acknowledge that they are a patient. Well, it’s not like they’re not
your patient; they admitted it. Still, you’re not allowed to acknowledge it.
The best course of action is to respond to reviews with vagueness.
Patient Review: A huge thank you to Dr. So & So. I’ve been coming to ABC
Dental for more than ten years. They’ve not only been amazing with me, but my
husband just had a full mouth reconstruction surgery and is doing great. We
highly recommend Dr. So & So.
Non-Compliant Response: Thank you so much for being a valued patient of our
practice. We’re so glad that you enjoyed your experience. Your husband is one of
our favorite patients. We look forward to seeing you again.
Compliant Response: We are dedicated to delivering the highest oral health
care possible. We love to hear about positive and successful experiences. Thank
you for the review.
Responding to reviews shows that you care. Just make sure not to
acknowledge that the person reviewing is a patient of your practice.
If you want to use the review in your marketing then you must get a signed
HIPAA consent form from the patient.
HIPAA-compliant email marketing
Sending PHI via email does not violate HIPAA. The OCR (Office for Civil Rights)
says that if a patient wants their PHI sent to them via email, then the Covered
Entities and Business Associates must comply.
The OCR also states that a Covered Entity and Business Associates should
take ‘reasonable steps’ to ensure that the patient understands the risks of
sending PHI via email.
A dental practice wanting to stay compliant should do the following to ensure
they are crossing their T’s and dotting their I’s:
- Ensure that the server containing the emails is encrypted.
- Ensure that there is end-to-end encryption in the sending of emails.
Suppose a patient requests PHI via an unsecured email process. In that case,
the patient must authorize verbally or in writing that they understand the risks
associated with sending PHI via an unsecured method.
Conclusion:
Staying HIPAA compliant requires knowledge of HIPAA regulations and
changes or updates to the Privacy Rule. You should always consult with your
HIPAA attorney. This post is for educational purposes only and does not
constitute legal advice.

This was posted on “Off the Cusp”, Patterson Dental, 10/19/2022.