"We must all obey the great law of change. It is the most powerful law of nature."--Edmund Burke
In the summer of 2015, I asked my e-mail list of fertility doctors if they had any questions about the Health Insurance Portability and Accountability Act (HIPAA) as it relates to internet marketing. Except I didn't write HIPAA. I wrote HIPPA. Thankfully, someone who read the e-mail corrected me. I was a little embarrassed. I knew what the acronym stood for, but I still wrote it incorrectly. Why would I spell it that way?
It wasn't until several weeks later that I realized why I would misspell such a commonly known acronym. It's because nearly everyone spells it that way. You may have made this mistake; I see it from physicians frequently, even on their websites (sometimes even from lawyers). Heck, even the Substance Abuse and Mental Health Services Administration misspells HIPAA. My observation isn't that we're all phonetic spellers; it's that we don't have a great deal of familiarity with such a broad legal statute.
Technology, culture, and the law
I don't envy your position of having to handle protected health information (PHI). So why, as a marketer, am I so interested in learning more about privacy regulations? Because technology moves faster than the law can possibly hope to keep pace with. I'll take this one step further; the way human beings annex technology into their daily lives moves faster than they can properly regulate it. We see legislation failing to keep up with assisted reproductive technology (ART) across the field. We see antiquated laws or delays in new regulations for driverless cars, music sharing, and even new currencies like Bitcoin. Why wouldn't we expect a similar legal lag in privacy and communication?
Unlike many disciplines in medicine, and contrary to what some people in our own space still seem to believe, fertility is an extremely social category. The #infertility hashtag has been posted on Instagram 142,335 times--up 30% from when I reported on the rise of Instagram among the infertility community, three months ago. Patients post medical records with their practice and doctor's name. Sometimes they just say hello. When do we engage? When do we not?
The phrase "social media" does not appear anywhere in HIPAA, so we are left to turn to lawyers to interpret the law. That's why I interviewed seven of them. Their insight spans beyond my scope of internet marketing, and I suggest you educate your team on HIPAA because all of the attorneys agreed that training is the best way to prevent a breach. I recommend you consult your own attorney often and that is not me. I'm just someone who knows how infertility patients communicate and what they use to connect, which leads me to observe some scenarios in which fertility centers may be at risk of privacy law violations.
Be human, be careful
We have to imagine that future laws and statutes will have to be more explicit with rules of engagement between patients and providers in digital media and communication technology. I hope that legislators involve physicians, patient advocacy groups, and tech developers in their consideration of new regulations, because I worry that a lack of understanding in how communication technology is actually used could lead to limits on patients' free speech, and ultimately hinder the standard of care. Reservedly, I'm optimistic because millennials are only beginning to change healthcare and we are a demographic that demands online engagement. In the meantime, I am paying very close attention to how policies and technologies develop, so that we can continually adjust and evolve when called for. I'll say it one last time--I'm not an attorney. Talk to an attorney. Maybe I'm too conservative, but this is how I see the intersection of law, culture, and technology at this moment. From what I observe as someone who monitors the fertility marketing landscape, these are common mistakes:
1). Posting pictures of baby collages
In 2014, the New York Times published an article about fertility centers having to take down baby photos in their office because it is a violation of HIPAA to display any of the 18 identifiers of PHI without explicit authorization.
It seems that most of the fertility centers took down the baby photos, though they didn't necessarily have to. It is possible for you to post baby photos to your website or social media accounts and keep them in the office for public view. If you have a signed HIPAA authorization on record for every image in the collage or baby wall, for the purposes of external marketing and social media, you are allowed to post those pictures. If I were a betting man, however, my hunch would be that you have not done that.
2). Sharing pictures from the fertility center baby reunion.
Trust me, I know how this hurts. The picture of everyone--team members, physicians, former patients, spouses, and adorable children--makes for the best fertility center cover photo of all time. Many of you have this very picture on your websites, place pages, and social media accounts. Again, unless you have a signed authorization from every single patient in the picture, this isn't legal. Would it be likely that the Office of Civil Rights (OCR) would take action against you? I doubt it, but I always play it cautious in this space. Just last month, a physical therapy provider agreed to pay $25,000 in fines for posting pictures of patients to their website without the proper authorization. This doesn't mean you can't post the incredible pictures of your wonderful baby reunion; it means you should have HIPAA authorization forms on hand at the event.
HIPAA Authorizations have six core elements:
- A specific and meaningful description of the information to be used or disclosed.
- The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
- The name or other specific identification of the person(s), or class of persons, to whom the fertility practice may make the requested use or disclosure (i.e., the intended recipients).
- Description of each purpose of the requested use or disclosure.
- Must contain an expiration date or an expiration event.
- The signature of the individual and the date.
And they must include these three statements:
- Individual’s right to revoke the Authorization.
- Clarification that the covered entity is not permitted to condition the provision of treatment on the execution of a valid Authorization.
- Explanation that there is a potential that the information may be re-disclosed by the recipient of the information and that the recipient may not be required to comply with the Privacy Rule.
You can borrow an example of a simple authorization form from Tulane University Medical Group. Most of the people at your baby reunions really want you to use their picture. A socially appropriate way of asking their permission might be:
- "Hi everyone, we would hate to leave you out of our event photos, but we can only share them publicly if we have your authorization. Please come over to our table to sign the form if you'd like to be in the pictures."
If you have a photographer on site, you may even consider having a team member accompany them with a clipboard of the appropriate forms. Don't worry, in an environment like your baby reunion, most people would be disappointed if you didn't ask.
3). Publicly responding with too much information
Often when I see this, it is in response to a negative review. Physicians sometimes refute complaints by using details to support their argument. This makes for poor marketing, atrocious customer service, and worse yet, it may be illegal. If any of the 18 patient identifiers can be traced to that person's review account (a full face photo in Yelp, a name on Facebook, an e-mail address on a Google account, etc.), that would be a breach of PHI. Please, please, please, resist the temptation to respond to a reviewer with any of their information.
To be fair, it isn't only the negative reviews in which I see doctors and nurses respond with too much information. Sometimes, with the very best of intentions, doctors and nurses comment on a patient photo to the effect of "I'm so glad we could help you through this. That was such a hard time for you." We suppose this is of much lower risk than responding with too much information to a negative review; after all, do you think a person who was very upset with you wouldn't take the first chance they could get to file a complaint? But once more, I would rather play it safe. If you look at the way I respond to patients, I really don't even acknowledge that they were a patient at the practice. We want to be human, authentic, and emotionally sensitive in our engagements, but we also want to make sure we don't add any patient information. We can tell them their photo is lovely, thank them for their kind words, and wish them a great week. If it is a complaint, we can tell them we are sorry to hear that and we would like to hear more from them offline. That's it. Keep it very simple.
Pay attention and adjust accordingly
There is a lot of fear mongering on the web about privacy and patient engagement, and I'm concerned that practices will be afraid to engage their patients online, which is a critical part of patient relations in our connected world. Equally, extreme caution is necessary to protect the trust and privacy of our communities. Because we want to engage our patients effectively, authentically, and respect privacy laws, we have to be smart. You should consult with your attorney often because this is just one of the many areas of our field and our world that is changing faster than laws can keep pace with. I am guardedly optimistic that as new generations impact healthcare, more widely-adopted practices for patient engagement will establish themselves. In the meantime, we can pay attention to legal, technological, and social developments and continually evolve our policies and habits.