Most dental practices are actively engaged in some strategy of digital marketing. It could be sending out patient emails, writing blog posts, website SEO, social media marketing or paid advertising.
The HIPAA Privacy Rule states that patients have specific controls over whether their protected health information (PHI) is used for marketing purposes. Most forms of dental digital marketing come in contact with ePHI (electronic protected health information) and should be reviewed for HIPAA compliance.
This post will discuss some of the common digital marketing strategies and how they should be evaluated for dental HIPAA compliance.
HIPAA compliance in dental website design is only required if the website collects, stores or transmits PHI. If your website only provides service-related content, directions, dental biographies and contact information, then there is no need for HIPAA compliance.
But, most websites have intake forms, patient photography, reviews, live chat, email subscriptions, online payments, patient portals and online scheduling. If your website has any of this content or functionality, it falls under the HIPAA Privacy Rule.
To be safe, you should contact your dental website company and find out the following:
- Do you have a business associate agreement (BAA) from your dental website company?
- Do you have sub-BAAs from third-party integration companies that collect, store or transmit ePHI? For example, online patient forms, scheduling, payments, etc.
- Are your website forms compliant? HIPAA has specific encryption requirements for ePHI being submitted through a patient form. In my experience most forms are not compliant.
- Is any ePHI stored with your website hosting company? If so, your hosting company must capture, transmit and store ePHI with the HIPAA encryption requirements mentioned above. And, you should get a BAA.
- Does your website have a prominently placed HIPAA Notice of Privacy Practices? And has a HIPAA attorney reviewed the notice for compliance?
- Is your website served over HTTPS, i.e., encrypted with SSL/TLS?
- Are your email servers encrypted?
For more detailed instructions, I recently wrote a HIPAA compliant dental website guide that should help you out.
But if you can check the boxes above you’re in pretty good shape. There are additional tasks associated with HIPAA compliance, but regarding your website being HIPAA compliant, this list is a great start.
Patient photos that are identifiable in any way are considered PHI. Identifiable PHI could be a patient in the background of a photo, name or initials, identifiable birthmarks and tattoos.
Patient photography used internally for training and documentation does not require HIPAA consent. But, if the photo is used externally for educational purposes, i.e., at a seminar, a conference, or being sent to another medical professional, you must get a signed HIPAA consent form from the patient.
An often-overlooked violation with patient photography is storage. The camera on your cell phone is not encrypted. ePHI must be stored under an approved encryption standard such as AES-256. If you take a photo using your cell phone camera and then leave the office with the photo saved on your phone, you violate HIPAA.
The solutions are the following:
- Get a signed HIPAA consent form with all patient photos.
- Take photos using a device that never leaves the office and is encrypted.
- Download a HIPAA-compliant photo app with approved encryption standards.
If you’d like to go with option three we’ve developed a HIPAA photo app as part of our social media marketing services.
Posting identifiable patient information to your social media accounts requires written authorization from the patient for that specific photo.
Some dental practices have sped up the patient photo authorization process with a single universal form. Usually this is a form that is included in the materials that a new patient signs when they come to their first appointment and allows the practice to use any photography for marketing purposes.
Many dentists feel that this ‘universal form’ checks off the HIPAA compliance box, but it’s important to remember that the patient is the one who brings a complaint.
If a patient doesn’t remember signing the form giving explicit authorization for a social media post with their PHI, you have to ask yourself, “Have you really checked the box?”
The best and safest action is to get a signed consent form for each photo you post to your social media accounts.
Responding to online patient reviews is one of the most complicated areas of HIPAA compliance. HIPAA was enacted in 1996, waaaaaaay before social media and online reviews.
The internet has taken over, and some of the laws in the HIPAA act seem out of fashion. For example, a patient gives your practice a Google review and mentions that they received an implant. According to HIPAA, you are not allowed to acknowledge that they are a patient. Well, it’s not like they’re not your patient; they admitted it. Still, you’re not allowed to acknowledge it.
The best course of action is to respond to reviews with vagueness.
Patient Review: A huge thank you to Dr. So & So. I’ve been coming to ABC Dental for more than ten years. They’ve not only been amazing with me, but my husband just had a full mouth reconstruction surgery and is doing great. We highly recommend Dr. So & So.
Non-Compliant Response: Thank you so much for being a valued patient of our practice. We’re so glad that you enjoyed your experience. Your husband is one of our favorite patients. We look forward to seeing you again.
Compliant Response: We are dedicated to delivering the highest oral health care possible. We love to hear about positive and successful experiences. Thank you for the review.
Responding to reviews shows that you care. Just make sure not to acknowledge that the person reviewing is a patient of your practice.
If you want to use the review in your marketing then you must get a signed HIPAA consent form from the patient.
Sending PHI via email does not violate HIPAA. The OCR (Office for Civil Rights) says that if a patient wants their PHI sent to them via email, then Covered Entities and Business Associates must comply.
The OCR also states that Covered Entities and Business Associates should take ‘reasonable steps to ensure that the patient understands the risks of sending PHI via email.’
A dental practice wanting to stay compliant should do the following to ensure they are crossing their T’s and dotting their I’s.
- Ensure that the server storing the emails is encrypted (encryption at rest).
- Ensure that emails are encrypted end to end while being sent (encryption in transit).
Suppose a patient requests PHI via an unsecured email process. In that case, the patient must authorize verbally or in writing that they understand the risks associated with sending PHI via an unsecured method.
Staying HIPAA compliant requires knowledge of HIPAA regulations and of changes or updates to the Privacy Rule. You should always consult with your HIPAA attorney. This post is for educational purposes only and does not constitute legal advice.

About the author: Adrian Lefler is a dental marketing expert and a founding member of My Social Practice. He lives in Draper, Utah, with his four super snarky kids, professional spouse chef, one awesome dog and one dumb dog.