Undeniably, technology has transformed the way dentistry is delivered and how we communicate with patients. With these changes come federal and/or state laws such as HIPAA, mandating patient privacy and requiring data security.
The HIPAA Privacy Rule allows covered entities (CE), including dentists and physicians, to use protected health information (PHI) only for treatment, payment and healthcare operations (TPO). “Healthcare operations” is defined as quality assessment and improvement activities, competency assurance activities, conducting or arranging for medical reviews, audits, legal services, insurance functions and business planning. Any use or disclosure of PHI that is not for TPO, such as marketing, requires written authorization from the patient.
The Privacy Rule defines marketing as “communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” A primary goal of social media is to share patient testimonials, photos, treatment information, etc., to promote your practice and the services you offer.
Should you always obtain patient permission before posting such information on social media? Should it be verbal or written permission? You may be wondering if the general “consent to use patient information for educational purposes” statement on your new patient forms is sufficient. The answer is no.
Based on the Privacy Rule requirements, patient authorization must be written and contain specific information as to what is or is not to be shared. This unequivocally rules out using a blanket consent statement to use a patient’s information for educational purposes. A HIPAA-compliant authorization must include a description of PHI to be used or disclosed, the authorized recipient, a description of the purpose of the requested use or disclosure and, among other requirements, it must include an expiration date or event and the right to revoke.
One Florida patient found her before/after X-rays posted on her dentist’s website without her permission and filed a complaint with the Office of Civil Rights. As it turns out, a website vendor had created a new mock website for the practice, which accidentally went live before patient authorization was obtained. Nevertheless, the practice found itself in the middle of an informal investigation. Fortunately, once the situation was corrected no fines or penalties were levied against the practice.
Balance social media marketing and patient privacy requirements by understanding the requirements of the Rule. Stay abreast of when authorization is needed and when it’s not. For example, it is considered acceptable marketing to send patients of record a letter announcing a new partner or new service through your newsletter. Remember, though, patients have the right to opt out of those communications as well. However, for the social media examples described above it’s best to obtain written and specific authorization. Check your HIPAA manual for an Authorization Form or consult an attorney or qualified consultant.