A Look Into Practice-Wide HIPAA Education with Ashley Trotto

By Griffin Jones

This is the fifth interview in a series exploring the implications of the Health Insurance Portability and Accountability Act (HIPAA) as it relates to digital media.

Ashley N. Trotto

Ashley N. Trotto

Ms. Ashley Trotto practices health care law in Knoxville, Tennessee. Ms. Trotto’s comments do not contain legal advice, but they do educate us about some of the risks that face fertility centers with respect to HIPAA and social media. The reason I’ve reached out to Ms. Trotto and other experts in healthcare law is because there is surprisingly little guidance online about HIPAA and social media. Much of the information available is vague or may even be incorrect. I asked Ms. Trotto why there is so little information on the subject.

Trotto: The information that is online is often gray, which is understandable because the Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR) have not issued guidelines regarding social media and HIPAA. But it’s coming. We don’t know when, but the agencies will have to issue guidelines eventually.

The greatest unknown for healthcare providers in social media may be when a patient posts their own information. I think we all know to never post protected health information (PHI) on our websites or social media without express written consent.

You would think it’s common knowledge not to post patient information without authorization, but apparently it’s not as common as we might think. If you read some of the briefs of these breaches, most of them are inadvertent. There are 18 different identifiers that are addressed in HIPAA’s privacy rule. A staff member may believe that they are not publishing patient information, but many factors can be used to identify a patient. There have been breaches where the practice or staff members have shared information without the patient’s explicit consent. While any consent would be better than none, HHS has specific regulations regarding what is needed for a HIPAA authorization.

For this reason, I recommend against publishing any patient information whatsoever unless accompanied by a HIPAA authorization for the explicit use of marketing and social media. What happens when patients post their own information to a fertility practice’s blog, place page, or social media channel?

Physicians can’t stop patients from posting their own information. A big concern would be if patients posted content that included information about other patients. The practice would want to take that down, but a patient is free to talk about their own information wherever they like.

Is acknowledging a patient comment or review with a simple “Thank you”, or “We take your concern very seriously, please call us at…” disclosure of the patient-physician relationship?

 Generally, no. I wouldn’t be concerned about responding where the patient has already disclosed that information. However, that the doctor or practice must be very careful not to offer medical advice or include any additional information that the patient did not.

What should healthcare providers be doing right now to ensure HIPAA compliance?

The greatest action a practice can take to prevent a breach of HIPAA is to implement team-wide education. We need everyone in the practice to know what HIPAA is, what PHI is, and what a breach is. Practice-wide education is key, and policy drafting is second. Practices need to have a privacy officer who is in charge of HIPAA compliance so it may make sense to bring in outside firms who can help explain the complex law and implement training procedures.

Generally, I think the biggest thing is just being aware. The smallest mistake could be a breach. There is a recent example of a HIPAA breach where a medical practice used an online scheduling calendar in which users could see the names of other people who had scheduled appointments, and their appointment times. The breach wasn’t intentional, but the calendar was not secure, and the practice was found in violation.

To name just one HIPAA risk to look out for would be extremely difficult. But to name one thing that you can do to protect your practice—that would absolutely be education and training for the entire team.

Ashley Trotto focuses her practice on Affordable Care Act (ACA) compliance. She practices with the firm, Kennerly Montgomery, in Knoxville, Tennessee. If you would like to learn more from Ashley’s expertise, you can contact her here.