HIPAA Interviews

What Are We Doing? An Interview on Forming Social Media Policy with Paul Anderson

By Griffin Jones

This is the eighth interview in a series that explores the implications of patient privacy and the effective use of digital media. This piece centers on the importance of forming a social media policy. Paul Anderson is director of risk management publications at ECRI Institute.

Paul A. Anderson

Paul A. Anderson

Jones: You don’t tell practices that they have to be on social media, but what do they need to consider?

Anderson: Your patients, colleagues, and even your competitors are using social media. You want to know what patients are saying. If it’s positive, you want to thank them and share that. If it’s negative, you want to be aware of what they’ve said. If you’re not participating in social media, you’re missing part of your constituency. If you’re not using it, they’re going to sail right past you. You’re not in the space where people are talking.

There is often worry from physicians about participating in that space where people are talking. What about the risk? What about privacy?

Providers have a lot of misconceptions and fears about HIPAA. And of course, there is cause for concern. You don’t want to identify a patient in any way without their authorization. It is much better to get patients to tell their own stories, because patients can tell their own story to whomever they want. Practices should consult someone who is experienced with HIPAA compliance. I also recommend thoroughly educating someone in the practice on compliance issues, and having that person in charge of advising the social media policy. That person can be the word of caution and help the practice be smart about what they are doing. The first thing an agency will look for when investigating a privacy complaint is to see if there was a policy in place. The second thing they’ll look for is, “did we teach anyone about it?”

Many fertility centers participate in social media, but have yet to put a policy in place. Where do they start?

They first have to identify their goals. “Are we just going to monitor or are we going to engage people? Who’s going to approve content? Who’s going to post? What is our voice? Is it formal and academic? Or informal and casual?” Depending on the size of the practice, an individual or a committee should be placed in charge of initiating and enforcing the policy. Someone needs to be in charge of posting, because if a practice has a social media account, but never posts anything, that doesn’t look very good. I’m in favor of being active by posting and promoting content. You only do that when you have a well-defined reason for doing that and goals to employ.

How should practices respond to negative reviews?

One first has to be aware of the risks. If the review is too hostile to address productively, it’s perfectly reasonable to just leave it alone. If it’s negative commentary, take that conversation offline. There’s a lot of high emotions. You don’t want to inflame the situation.  Your response may be as simple as, “We hear your concern. We value your feedback. We’d like to talk to you. Here’s our phone number.” You can get a sense pretty quickly if the situation is resolvable. If it’s not, you have to disengage and try to balance that with positive reviews.

How about responding to positive reviews?

It’s never bad to say thank you, or when someone’s said “thank you” to say “you’re welcome.” Keep it simple. You don’t want to say too much but you’ve got to engage. Social media is a marketing tool that isn’t one-way.

Who is a healthcare provider with an exemplary social media policy?

The folks at the Mayo Clinic really have one of the best social media presences in all of healthcare. They have a center for social media and educational boot camps and social media trainings for employees. They’re very active on social, you can follow them almost everywhere. Their policy and their practices in place are really great resources.

But how does a small fertility practice implement a good social media policy?

Whoever’s going to spearhead this initiative better know how to use social media. Familiarity with the platforms and their nuances is necessary in order to be able to use them to effectively communicate. Define why you are going to use social media, first. If you can articulate that clearly, that will drive the rest of your conversation.

Paul Anderson is the director of risk management publications at ECRI Institute, an independent, non-profit, research institute that works with all sizes of healthcare providers from single practitioners to large research hospitals. They help practices with risk, quality, and patient safety management. You can learn more about ECRI Institute and their services here

Avoid Common HIPAA Violations: An Interview with George Indest

By Griffin Jones

This is the seventh interview in a series that explores the crossroads of the Health Insurance Portability and Accountability Act (HIPAA) and digital media.

George Indest

George Indest

George Indest practices healthcare law in Florida and across the country. Mr. Indest’s comments don’t provide legal advice, but they do offer us some insight on how the Health Insurance Portability and Accountability Act (HIPAA) impacts digital media for fertility centers. I asked Mr. Indest about some of the more common mistakes that practices have made to lead to a HIPAA breach.

Indest: Very often, breaches are inadvertent disclosures of protected health information (PHI) to people who didn’t have authorization to view it. Unauthorized disclosures may even include the patient’s immediate family members. Unless the patient has signed a HIPAA authorization for their family members to be able to view their information, the provider cannot release those records. There are several inadvertent mistakes that lead to HIPAA breaches, often including unintended recipients of patient information. This can include sending or forwarding an e-mail to the wrong person, replying to all instead of to an individual, or sending a fax to a recipient whose number is only one digit different from the intended recipient.

What happens when a patient releases their own information on a blog, place page, or social media channel operated by the practice?

The patient is free to release whatever information they want. That in no way effects the practice or the covered entity. I know of no legal obligation to take down patient posts. If the channels are open to the public, it’s the patient’s right and decision to disclose that information. That’s not covered by HIPAA. But, if the channels are open to the public, the covered entity needs to make warnings available that the practice does not have control over who can see that information.

What are the implications when the practice responds to the patient? Does a general response disclose a patient-physician relationship?

I don’t think there’s any sort of violation at all in a response that doesn’t contain PHI. Social interactions take place between patients and physicians all the time. There’s no breach of anyone’s confidentiality unless medical information is discussed. With that said, I have read of breaches wherein a practice responded to a patient’s Better Business Bureau (BBB) complaint and disclosed some of their records to refute the complaint. This is an unauthorized disclosure of PHI and a clear HIPAA violation. The patient is free to release whatever information they want, but that doesn’t authorize the practice to do the same. Even if it is a positive review, where the practice wants to share or retweet information that the patient has already made public, it would be on the safe side to get HIPAA authorization.

What should healthcare providers be doing right now to ensure HIPAA compliance?

The Office of Civil Rights (OCR) and the Department of Health and Human Services (HHS) have indicated more HIPAA audits and investigations. There are more law suits and more complaints of breaches than ever before. Personnel need constant training. They need constant reminders of HIPAA risks. Go overboard in your risk assessment and risk management. There are plenty of plaintiff attorneys looking for suits and there are plenty of things that shouldn’t be occurring. Personnel not directly involved in a patient’s care should not be viewing that patient’s records, and it’s a risk that happens far too often. Education and training need to be provided on an ongoing basis.

George Indest is the principal of the Health Law Firm in Altamonte Springs, Florida. The Health Law Firm, concentrates in representing health care providers, exclusively. Their attorneys include those Board Certified in Health Law. If you would like to learn more from George’s legal expertise, you can contact him here.

Preparing for HIPAA Compliance Audits: An Interview with Valerie Breslin Montague

By Griffin Jones

This is the sixth interview in a series exploring the implications of the Health Insurance Portability and Accountability Act (HIPAA) as it relates to digital media.

Valerie Breslin Montague

Valerie Breslin Montague

Valerie Breslin Montague is an attorney who specializes in HIPAA in Chicago, IL. Ms. Montague’s comments do not contain legal advice, but they do educate us about some of the risks that face fertility centers with respect to HIPAA and social media. I started the interview with a topic that we are all very interested in--what are the implications when patients include their own information on a practice’s website, blog, place page, or social media channel?

Montague: Generally, under federal and state privacy laws, when a patient is forthcoming with their own information, that’s not a disclosure by the practice. Anything posted by the patient would be their disclosure. With that said, it would be wise for practices to include that publicly in their social media policy. Patients should know that social media channels and review sites are public places, and anything posted on the internet should be considered permanent. The practice should inform the public that they do not have control over who can see that information, once posted. When responding to patient comments, it would be wise to do so in a general manner (such as “thank you” or “we appreciate that”). I wouldn’t confirm the patient’s visit, or add any new information.

Is there a danger of disclosing the physician-patient relationship even if it’s a basic acknowledgement of the comment?

I don’t think there’s any guidance here, but I don’t believe that’s something that would be enforced as a HIPAA violation. I think the government would have a hard time arguing that was a breach of PHI. If the government wanted to be very overreaching, I suppose they could, but I don’t see a very big risk there. The practice wouldn’t want to do anything to amplify or further share the patient’s message, such as adding a hash tag, tagging another person, or retweeting or sharing the post, without a proper HIPAA authorization.  The practice can directly message or e-mail the commenter, to ask them to complete a HIPAA authorization. Then they can share the posted content for purposes agreed upon in the authorization.

Why don’t the department of Health and Human Services (HHS) and the Office of Civil Rights (OCR) issue guidelines on practice engagement on digital media?

Hopefully OCR will in the near future but its focus now is on enforcement and audits.

Tell us about the pending round of HIPAA compliance audits.

OCR has been warning of a second round of audits for more than a year. The first round of HIPAA compliance audits took place in 2012. This time, the audit will include both covered entities (healthcare providers and health insurers) and their “business associates” (EHR providers, billing companies, etc.) The agency has said they will audit a large scope of entities from large health systems to small practices.

What are common vulnerabilities that might be exposed for healthcare providers during these audits?

 It’s very common to have HIPAA policies in place for privacy obligations. Providers have been doing a pretty good job of keeping up in that respect. Some smaller or newer business associates may need more help. Where I’m concerned that many people may fail to meet compliance is their requirement to do a security risk assessment. They need to check the security of everything that impacts PHI. Once strengths and weaknesses have been analyzed, a risk management plan has to be implemented.

Not having a “business associate” contract in place is also a risk for both the healthcare provider and the business associate. The arrangement, not the agreement, determines if the relationship exists, and both parties are culpable if a signed contract is not in place.

What should healthcare providers be doing right now to ensure HIPAA compliance?

Providers should be prepared for risks before any incidents might occur. It is much easier to correct security weaknesses before an audit or investigation, and much more difficult to do so in the midst of one. Our firm (Nixon Peabody) works with providers and their vendors to review HIPAA compliance programs and implement any necessary updates before issues arise. OCR will definitely investigate any mass breach that involves over five hundred people and they may investigate smaller breaches and complaints, especially if it is a high profile case.

 It’s important to be proactive to determine where your practice stands, relative to compliance, before a complaint or breach requires it.

Valerie Breslin Montague focuses her practice on regulatory compliance, nonprofit governance and tax exemption, and HIPAA/health information privacy and security. She is a partner at the firm, Nixon Peabody, in Chicago. If you would like to learn more about HIPAA compliance and risk management, you can contact her here.

A Look Into Practice-Wide HIPAA Education with Ashley Trotto

By Griffin Jones

This is the fifth interview in a series exploring the implications of the Health Insurance Portability and Accountability Act (HIPAA) as it relates to digital media.

Ashley N. Trotto

Ashley N. Trotto

Ms. Ashley Trotto practices health care law in Knoxville, Tennessee. Ms. Trotto’s comments do not contain legal advice, but they do educate us about some of the risks that face fertility centers with respect to HIPAA and social media. The reason I’ve reached out to Ms. Trotto and other experts in healthcare law is because there is surprisingly little guidance online about HIPAA and social media. Much of the information available is vague or may even be incorrect. I asked Ms. Trotto why there is so little information on the subject.

Trotto: The information that is online is often gray, which is understandable because the Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR) have not issued guidelines regarding social media and HIPAA. But it’s coming. We don’t know when, but the agencies will have to issue guidelines eventually.

The greatest unknown for healthcare providers in social media may be when a patient posts their own information. I think we all know to never post protected health information (PHI) on our websites or social media without express written consent.

You would think it’s common knowledge not to post patient information without authorization, but apparently it’s not as common as we might think. If you read some of the briefs of these breaches, most of them are inadvertent. There are 18 different identifiers that are addressed in HIPAA’s privacy rule. A staff member may believe that they are not publishing patient information, but many factors can be used to identify a patient. There have been breaches where the practice or staff members have shared information without the patient’s explicit consent. While any consent would be better than none, HHS has specific regulations regarding what is needed for a HIPAA authorization.

For this reason, I recommend against publishing any patient information whatsoever unless accompanied by a HIPAA authorization for the explicit use of marketing and social media. What happens when patients post their own information to a fertility practice’s blog, place page, or social media channel?

Physicians can’t stop patients from posting their own information. A big concern would be if patients posted content that included information about other patients. The practice would want to take that down, but a patient is free to talk about their own information wherever they like.

Is acknowledging a patient comment or review with a simple “Thank you”, or “We take your concern very seriously, please call us at…” disclosure of the patient-physician relationship?

 Generally, no. I wouldn’t be concerned about responding where the patient has already disclosed that information. However, that the doctor or practice must be very careful not to offer medical advice or include any additional information that the patient did not.

What should healthcare providers be doing right now to ensure HIPAA compliance?

The greatest action a practice can take to prevent a breach of HIPAA is to implement team-wide education. We need everyone in the practice to know what HIPAA is, what PHI is, and what a breach is. Practice-wide education is key, and policy drafting is second. Practices need to have a privacy officer who is in charge of HIPAA compliance so it may make sense to bring in outside firms who can help explain the complex law and implement training procedures.

Generally, I think the biggest thing is just being aware. The smallest mistake could be a breach. There is a recent example of a HIPAA breach where a medical practice used an online scheduling calendar in which users could see the names of other people who had scheduled appointments, and their appointment times. The breach wasn’t intentional, but the calendar was not secure, and the practice was found in violation.

To name just one HIPAA risk to look out for would be extremely difficult. But to name one thing that you can do to protect your practice—that would absolutely be education and training for the entire team.

Ashley Trotto focuses her practice on Affordable Care Act (ACA) compliance. She practices with the firm, Kennerly Montgomery, in Knoxville, Tennessee. If you would like to learn more from Ashley’s expertise, you can contact her here.

Start With The Law: An Interview on HIPAA and Social Media with Paul Hales

Paul Hales

Paul Hales

This is the fourth interview in a series exploring the implications of the Health Insurance Portability and Accountability Act (HIPAA) as it relates to digital media.

Paul Hales is an attorney from St. Louis, who specializes entirely in HIPAA law. Mr. Hales’ comments do not contain legal advice, but they do educate us about some of the risks that face fertility centers with respect to HIPAA and social media. Mr. Hales gives us some background on the Act.

Hales: We have to start with the law. My focus is on enabling practitioners to make use of social media and comply with the law. HIPAA was passed in 1996 with two objectives;

  1. To be able to keep insurance when switching from one provider to another.
  2. To have a uniform code for information and payment

It has had further additions since.

  • The privacy regulations were added in 2003. 
  • The HIPAA security rule was added in 2005 
  • HITECH was passed in 2009. 
  • In 2013, the Omnibus rule was added to HIPAA to extend liability to “business associates”.

What is a business associate?

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

What are common areas in which covered entities and businesses associates fail to meet HIPAA compliance?

  • Protected Health Information (PHI) is made up of 18 identifiers, including but not limited to name, e-mail address, full face photos, and date of birth. 
  • Under HIPAA, every health care practice or organization must designate a privacy officer. The privacy officer must perform a risk-analysis.
  • Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of privacy rights and practices with respect to patients’ personal health information.

What about when a patient posts their own information on a blog, social media channel, or place page operated by the practice?

It’s important to look at how HIPAA defines a website, which is any site that provides information about a covered entity’s services or benefits. Therefore, if a patient posts their own information to a site that’s owned by the practice, that is unauthorized PHI on the practice’s site. The practice has to obtain HIPAA authorization before allowing any patient content to be published to its sites.

What is necessary in a HIPAA authorization?

HIPAA Authorizations have six core elements:

  1.  A specific and meaningful description of the information to be used or disclosed.
  2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
  3. The name or other specific identification of the persons(s), or class of persons, to whom the covered entity may make the requested use or disclosure (i.e., the intended recipients).
  4. Description of each purpose of the requested use or disclosure. 
  5. Must contain an expiration date or an expiration event.
  6. The signature of the individual and the date.


A HIPAA authorization must also include three statements.

  1. Individual’s right to revoke the Authorization.
  2. Clarification that the covered entity is not permitted to condition the provision of treatment on the execution of a valid Authorization. 
  3. Explanation that there is a potential that the information may be re-disclosed by the recipient of the information and that the recipient may not be required to comply with the Privacy Rule.

What should fertility practices be conscious of right now to minimize risk of HIPAA violations?

Recently, there has been more enforcement, and soon there will be audits. On February 16, 2016 the Office of Civil Rights (OCR) settled an enforcement action against Complete P.T., Pool & Land Physical Therapy, Inc. for impermissibly disclosing patient information in the form of testimonials on their website. HIPAA is a very extensive law. There is a lot of information on the internet that is simply wrong. HIPAA regulations are very demanding and products cannot ensure compliance. No product can be HIPAA compliant. It’s how a covered entity uses a product that makes it compliant or not.

Paul Hales is an attorney who provides legal services and consultation regarding HIPAA compliance. His software, the HIPAA e-tool helps covered entities and business associates with a complete HIPAA compliance solution. If you’re interested in an educational webinar with Mr. Hales, you can register here.

Legal Considerations When Responding to Online Patient Reviews: An Interview with Eric Goldman

Eric Goldman

Eric Goldman

This is the third interview in a series which explores digital media and the law, including questions about HIPAA and online engagement.  Eric Goldman is a professor at Santa Clara University School of Law. While Mr. Goldman's answers don't provide us with legal advice, they do give us some insight into how fertility practices might consider the law when responding to patient reviews online.

Jones: Should physicians respond to reviews written about them online? Why or why not?

Goldman: In most circumstances, physicians either should not respond to online reviews or respond generically by thanking the reviewer and indicating that the physician appreciates and carefully considers online feedback. It rarely makes sense to get into substantive discussions with reviewers online. Not only could such discussions implicate HIPAA, but physicians often look thin-skinned and petty when they attempt to debate fact matters online. Furthermore, increasing the number of comments to a review may actually cause search engines to rank the content higher (a counterproductive result if the review is negative). If the physician chooses to engage a negative review about the facts (which is rarely if ever advisable), the response should discuss the office’s general practices and not discuss how those practices were applied in the reviewer’s specific situation.

J: What information should physicians never include in their responses to reviews?

G: Given the boundaries of HIPAA, there are few circumstances where a physician can discuss any individual facts about the reviewer. Indeed, it is potentially problematic to even acknowledge that the reviewer is a patient.

J: Are there different implications for responding to patients when their identities are public (ex. Facebook) vs. when they are anonymous (ex. RateMDs)?

G: I couldn’t think of any.

J: Are responses to reviews considered protected health information (PHI) if the patient posted the information?

G: It’s a risky practice for physicians to confirm information that a patient or family member voluntarily publicly disclosed.

J: What should physicians and practices always be wary of regarding online reviews and their public reputation?


  1. Prospective patients are increasingly looking at other patients’ reviews when selecting physicians. I know many physicians wish this weren’t true, but there’s no point pining for an alternative universe.
  2. Prospective patients are savvy enough to discount outlier reviews. If one negative review is surrounded by multiple positive reviews, it will have minimal effect on the physician’s reputation.
  3. Patients’ reviews of their physicians are overwhelmingly positive, i.e., in some cases 90%+ of patients’ reviews are positive.
  4. If a physician deals with dozens or hundreds of patients, inevitably there will be a few unhappy patients who will vent online.For these reasons, physicians should be actively encouraging their patients to review them online. This will better inform future prospective patients, and it usually will help create a base of positive reviews that will insulate the physician from the occasional negative reviews that inevitably will come.

G: A final thought: getting negative feedback never feels good, but it can provide a candid insight into the patient’s experiences. If the physician can overcome the emotional sting of a negative review, there may be valuable customer feedback that can help physicians do a better job meeting their patients’ needs.

If you would like to read a short essay by Mr. Goldman which explores how doctors and other healthcare professionals have responded to patient reviews of their services and addresses how they should deal with patient reviews in the future, you can find it here.

1 Big Unexpected HIPAA Risk Facing Fertility Centers Online: An Interview with Rachel Yaffe

By Griffin Jones

This is actually the second interview in a series exploring the Health Insurance Portability and Accountability Act (HIPAA) that I recorded in August of 2015 and published in September. The Fertility Bridge blog was not active in its current form, then. I wanted to make sure this interview was in the blog archives because (speaking for myself) HIPAA is not always as common sense as we would like it to be. Rachel Yaffe practices healthcare law in Chicago. Ms. Yaffe's comments are not legal advice, they simply offer us some insight into how HIPAA might impact a fertility center's digital media strategy. In this interview we discuss

  • What are the implications when a patient posts their own information on a fertility center's website, place page, or social media channel?
  • Should practices follow patients on platforms like Twitter and Instagram?
  • Should practices have personal Facebook pages for their business?

Rachel Yaffe represents physicians, medical practices, laboratories, pharmacies, and other healthcare clients in corporate, transactional and regulatory matters. She practices with the firm, McDonald Hopkins in Chicago. If you would like to learn more about HIPAA compliance from Rachel, you can contact her here.

Every Fertility Center Needs a HIPAA Compliant Social Media Strategy: An interview with Mike Bossenbroek

By Griffin Jones

This was the first interview that I did in a series exploring the Health Insurance Portability and Accountability Act (HIPAA) and its implications regarding digital media. I originally recorded this interview in August of 2015,  before the Fertility Bridge blog was active in its current form. Per usual, my video intro is corny, and very crudely edited, but the content is very valuable because practices should educate themselves about HIPAA considerations in social media as much as they can.

Michael Bossenbroek practices healthcare law in Michigan. Of course, Mr. Bossenbroek's comments are NOT legal advice, but they give us important information to consider about how fertility centers should approach social media and patient engagement. In this interview, we address

  • What are some things that a HIPAA compliant social media policy should include?
  • Where should a fertility practice's social media policy be visible?
  • What else should fertility practices consider when deciding their activity on social media?

Michael Bossenbroek is a partner at Wachler & Associates, P.C.  in Royal Oaks Michgian. Mr. Bossenbroek practices in all areas of health care law, including representing clients in matters relating to HIPAA compliance. If you'd like to learn more about HIPAA compliance from Mike, you can contact him here.