Undeniably, technology has transformed the way dentistry is delivered and how we communicate with patients. With these changes come federal and/or state laws such as HIPAA, mandating patient privacy and requiring data security.
The HIPAA Privacy Rule allows covered entities (CE) including dentists and physicians to use protected health information (PHI) only for treatment, payment and healthcare operations (TPO). “Healthcare operations” is defined as quality assessment and improvement activities, competency assurance activities, conducting or arranging for medical reviews, audits, legal services, insurance functions and business planning. Any use or disclosure of PHI that is not for TPO, such as marketing, requires written authorization from the patient.
The Privacy Rule defines marketing as “communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” A primary goal of social media is to share patient testimonials, photos, treatment information, etc., to promote your practice and the services you offer.
Should you always obtain patient permission before posting such information on social media? Should it be verbal or written permission? You may be wondering if the general “consent to use patient information for educational purposes” statement on your new patient forms is sufficient. The answer is no.
Based on the Privacy Rule requirements, patient authorization must be written and contain specific information as to what is or is not to be shared. This unequivocally rules out using a blanket consent statement to use a patient’s information for educational purposes. A HIPAA-compliant authorization must include a description of PHI to be used or disclosed, the authorized recipient, a description of the purpose of the requested use or disclosure and, among other requirements, it must include an expiration date or event and the right to revoke.
One Florida patient found her before/after X-rays posted on her dentist’s website without her permission and filed a complaint with the Office of Civil Rights. As it turns out, a website vendor had created a new mock website for the practice, which accidentally went live before patient authorization was obtained. Nevertheless, the practice found itself in the middle of an informal investigation. Fortunately, once the situation was corrected no fines or penalties were levied against the practice.
Balance social media marketing and patient privacy requirements by understanding the requirements of the Rule. Stay abreast of when authorization is needed and when it’s not. For example, it is considered acceptable marketing to send patients of record a letter announcing a new partner or new service through your newsletter. Remember, though, patients have the right to opt out of those communications as well. However, for the social media examples described above it’s best to obtain written and specific authorization. Check your HIPAA manual for an Authorization Form or consult an attorney or qualified consultant.
Do you have questions or perhaps an experience you’d like to share? Ask us in the comments below or send an email to: socialmedia@pattersoncompanies.com
Just last week I spoke with a doctor who thought “implied consent” was sufficient to post patient photos on social media. She was surprised when I told her signed consent was necessary. Thank you, Linda, for the confirmation, allowing all of us to feel more HIPAA confident and social savvy 🙂
Rita, thank you for helping to inform doctors/teams as well. It’s important they become HIPAA and social savvy. HIPAA marketing authorizations are similar to the old record keeping adage–If it’s not written it didn’t happen.
How do I sort hipaa policy and standard operating procedures? I have to sort privacy, hitech security and breach notification. I think I have to sort it by subject like sw/hw/social media… When I compare what the OCR audits cover, there are numerous points that make the sorting task overlap with PCI security, ee handbook and general social media policies. Advice on managing policies vs instruction?
When it comes to sorting policies, bear in mind that your policies must accurately reflect your current processes and not conflict with one another. I recommend that you: 1) lay the policies in question side-by-side; 2) highlight areas where they overlap and; 3) identify areas where they conflict. Correct any conflicting information then determine what can be streamlined by simply referencing one policy within another. Here’s a similar example. We create a separate Security Policy and Contingency Plan for clients. Instead of including the majority of the details of the Contingency Plan within the Security Policy, we simply reference the Contingency Plan within the Security Policy. Some HIPAA-required items such as workforce sanctions may work best for you to have within your HR manual, instead of your HIPAA manual, which is OK. Hopefully, doing this exercise will spark some additional ideas for you.
This is a great article! Because of these regulations most dental offices don’t use Social Media in the way it was intended and as a result don’t drive much engagement or new patient referrals. Unfortunately in the dental world there are too many Facebook pages that have generic, boring content that nobody cares about ie. “tooth jokes”.
However, because of HIPAA, Facebook has become a huge opportunity for those practices that can figure out how to get the consent. At Social Dental we have patent-pending technology that allows our clients to 1. Take the photo 2. Get the signature 3. Post to Social Media all on an ipad. It takes less than 1 minute to do and with our custom signs makes the process fun and engaging!
If you do it the right way, social media can become your #1 stream for new patients. It all comes back to the stories and relationships but you have to make sure that you are compliant when you share. If you would like to find out more about our media consent platform let me know! Paul Jones (402) 204-0200
do i have to declare tat i had patient consent??