HIPAA

3 Common Things Fertility Practices Do On the Internet that Make HIPAA Lawyers Cringe

By Griffin Jones

"We must all obey the great law of change. It is the most powerful law of nature."--Edmund Burke

In the summer of 2015, I asked my e-mail list of fertility doctors if they had any questions about the Health Insurance Portability and Accountability Act (HIPAA) as it relates to internet marketing. Except I didn't write HIPAA. I wrote HIPPA. Thankfully, someone who read the e-mail corrected me. I was a little embarrassed. I knew what the acronym stood for, but I still wrote it incorrectly. Why would I spell it that way?

What happens when patients want to engage with you?

It wasn't until several weeks later that I realized why I would misspell such a commonly known acronym. It's because nearly everyone spells it that way. You may have made this mistake too; I see it frequently from physicians, even on their websites (and sometimes even from lawyers). Heck, even the Substance Abuse and Mental Health Services Administration misspells HIPAA. My observation isn't that we're all phonetic spellers; it's that we don't have a great deal of familiarity with such a broad legal statute.

Technology, culture, and the law

I don't envy your position of having to handle protected health information (PHI). So why, as a marketer, am I so interested in learning more about privacy regulations? Because technology moves faster than the law can hope to keep pace. I'll take this one step further: the way human beings absorb technology into their daily lives moves faster than they can properly regulate it. We see legislation failing to keep up with assisted reproductive technology (ART) across the field. We see antiquated laws or delays in new regulations for driverless cars, music sharing, and even new currencies like Bitcoin. Why wouldn't we expect a similar legal lag in privacy and communication?

Unlike many disciplines in medicine, and contrary to what some people in our own space still seem to believe, fertility is an extremely social category. The #infertility hashtag has been posted on Instagram 142,335 times--up 30% from when I reported on the rise of Instagram among the infertility community three months ago. Patients post medical records with their practice and doctor's name. Sometimes they just say hello. When do we engage? When do we not?

The phrase "social media" does not appear anywhere in HIPAA, so we are left to turn to lawyers to interpret the law. That's why I interviewed seven of them. Their insight spans beyond my scope of internet marketing, and I suggest you educate your team on HIPAA, because all of the attorneys agreed that training is the best way to prevent a breach. I recommend you consult your own attorney often, and that attorney is not me. I'm just someone who knows how infertility patients communicate and what they use to connect, which leads me to observe some scenarios in which fertility centers may be at risk of privacy law violations.

Be human, be careful

We have to imagine that future laws and statutes will have to be more explicit with rules of engagement between patients and providers in digital media and communication technology. I hope that legislators involve physicians, patient advocacy groups, and tech developers in their consideration of new regulations, because I worry that a lack of understanding in how communication technology is actually used could lead to limits on patients' free speech, and ultimately hinder the standard of care. Reservedly, I'm optimistic because millennials are only beginning to change healthcare and we are a demographic that demands online engagement. In the meantime, I am paying very close attention to how policies and technologies develop, so that we can continually adjust and evolve when called for. I'll say it one last time--I'm not an attorney. Talk to an attorney. Maybe I'm too conservative, but this is how I see the intersection of law, culture, and technology at this moment. From what I observe as someone who monitors the fertility marketing landscape, these are common mistakes:

1). Posting pictures of baby collages

In 2014, the New York Times published an article about fertility centers having to take down baby photos in their offices, because it is a violation of HIPAA to display any of the 18 identifiers of PHI without explicit authorization, and full-face photographs are one of those 18 identifiers.

18 identifiers of Protected Health Information; from  UCSF

It seems that most of the fertility centers took down the baby photos, though they didn't necessarily have to. It is possible for you to post baby photos to your website or social media accounts and keep them in the office for public view. If you have a signed HIPAA authorization on record for every image in the collage or baby wall, covering external marketing and social media as the stated purpose, you are allowed to post those pictures. If I were a betting man, however, my hunch would be that you have not done that.

2). Sharing pictures from the fertility center baby reunion. 

Trust me, I know how this hurts. The picture of everyone--team members, physicians, former patients, spouses, and adorable children--makes for the best fertility center cover photo of all time. Many of you have this very picture on your websites, place pages, and social media accounts. Again, unless you have a signed authorization from every single patient in the picture (and from a parent or guardian on behalf of each child), this isn't legal. Would it be likely that the Office for Civil Rights (OCR) would take action against you? I doubt it, but I always play it cautious in this space. Just last month, a physical therapy provider agreed to pay $25,000 in fines for posting pictures of patients to their website without the proper authorization. This doesn't mean you can't post the incredible pictures of your wonderful baby reunion; it means you should have HIPAA authorization forms on hand at the event.

HIPAA authorizations have six core elements:

  1. A specific and meaningful description of the information to be used or disclosed.
  2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
  3. The name or other specific identification of the person(s), or class of persons, to whom the fertility practice may make the requested use or disclosure (i.e., the intended recipients).
  4. A description of each purpose of the requested use or disclosure.
  5. An expiration date or an expiration event.
  6. The signature of the individual and the date.

And they must include these three statements:

  1. The individual's right to revoke the authorization, and how to do so.
  2. Clarification that the covered entity is not permitted to condition the provision of treatment on the execution of a valid authorization.
  3. An explanation that the information may be re-disclosed by the recipient and that the recipient may not be required to comply with the Privacy Rule.

You can borrow an example of a simple authorization form from Tulane University Medical Group. Most of the people at your baby reunions really want you to use their picture. A socially appropriate way of asking their permission might be:

  • "Hi everyone, we would hate to leave you out of our event photos, but we can only share them publicly if we have your authorization. Please come over to our table to sign the form if you'd like to be in the pictures." If you have a photographer on site, you may even consider having a team member accompany them with a clipboard of the appropriate forms. Don't worry, in an environment like your baby reunion, most people would be disappointed if you didn't ask.

3). Publicly responding with too much information

Often when I see this, it is in response to a negative review. Physicians sometimes refute complaints by using details to support their argument. This makes for poor marketing, atrocious customer service, and, worse yet, it may be illegal. If any of the 18 patient identifiers can be traced to that person's review account (a full-face photo on Yelp, a name on Facebook, an e-mail address on a Google account, etc.), a response that reveals anything about their care would be a breach of PHI. Please, please, please resist the temptation to respond to a reviewer with any of their information.

This is an example of a potentially illegal, and otherwise awful way of responding to a fertility patient review

To be fair, it isn't only in negative reviews that I see doctors and nurses respond with too much information. Sometimes, with the very best of intentions, doctors and nurses comment on a patient photo to the effect of "I'm so glad we could help you through this. That was such a hard time for you." This is presumably of much lower risk than responding with too much information to a negative review; after all, do you think a person who was very upset with you wouldn't take the first chance they could get to file a complaint? But once more, I would rather play it safe. If you look at the way I respond to patients, I don't even acknowledge that they were a patient at the practice. We want to be human, authentic, and emotionally sensitive in our engagements, but we also want to make sure we don't add any patient information. We can tell them their photo is lovely, thank them for their kind words, and wish them a great week. If it is a complaint, we can tell them we are sorry to hear that and we would like to hear more from them offline. That's it. Keep it very simple.

Pay attention and adjust accordingly

There is a lot of fear-mongering on the web about privacy and patient engagement, and I'm concerned that practices will be afraid to engage their patients online, which is a critical part of patient relations in our connected world. Equally, extreme caution is necessary to protect the trust and privacy of our communities. Because we want to engage our patients effectively and authentically while respecting privacy laws, we have to be smart. You should consult with your attorney often, because this is just one of the many areas of our field and our world that is changing faster than laws can keep pace with. I am guardedly optimistic that as new generations impact healthcare, more widely adopted practices for patient engagement will establish themselves. In the meantime, we can pay attention to legal, technological, and social developments and continually evolve our policies and habits.

Avoid Common HIPAA Violations: An Interview with George Indest

By Griffin Jones

This is the seventh interview in a series that explores the crossroads of the Health Insurance Portability and Accountability Act (HIPAA) and digital media.

George Indest

George Indest practices healthcare law in Florida and across the country. Mr. Indest’s comments don’t provide legal advice, but they do offer us some insight on how the Health Insurance Portability and Accountability Act (HIPAA) impacts digital media for fertility centers. I asked Mr. Indest about some of the more common mistakes that practices have made to lead to a HIPAA breach.

Indest: Very often, breaches are inadvertent disclosures of protected health information (PHI) to people who didn’t have authorization to view it. Unauthorized disclosures may even include the patient’s immediate family members. Unless the patient has signed a HIPAA authorization for their family members to be able to view their information, the provider cannot release those records. There are several inadvertent mistakes that lead to HIPAA breaches, often including unintended recipients of patient information. This can include sending or forwarding an e-mail to the wrong person, replying to all instead of to an individual, or sending a fax to a recipient whose number is only one digit different from the intended recipient.

What happens when a patient releases their own information on a blog, place page, or social media channel operated by the practice?

The patient is free to release whatever information they want. That in no way affects the practice or the covered entity. I know of no legal obligation to take down patient posts. If the channels are open to the public, it’s the patient’s right and decision to disclose that information. That’s not covered by HIPAA. But, if the channels are open to the public, the covered entity needs to make warnings available that the practice does not have control over who can see that information.

What are the implications when the practice responds to the patient? Does a general response disclose a patient-physician relationship?

I don’t think there’s any sort of violation at all in a response that doesn’t contain PHI. Social interactions take place between patients and physicians all the time. There’s no breach of anyone’s confidentiality unless medical information is discussed. With that said, I have read of breaches wherein a practice responded to a patient’s Better Business Bureau (BBB) complaint and disclosed some of their records to refute the complaint. This is an unauthorized disclosure of PHI and a clear HIPAA violation. The patient is free to release whatever information they want, but that doesn’t authorize the practice to do the same. Even if it is a positive review, where the practice wants to share or retweet information that the patient has already made public, it would be on the safe side to get HIPAA authorization.

What should healthcare providers be doing right now to ensure HIPAA compliance?

The Office of Civil Rights (OCR) and the Department of Health and Human Services (HHS) have indicated more HIPAA audits and investigations. There are more lawsuits and more complaints of breaches than ever before. Personnel need constant training. They need constant reminders of HIPAA risks. Go overboard in your risk assessment and risk management. There are plenty of plaintiff attorneys looking for suits and there are plenty of things that shouldn’t be occurring. Personnel not directly involved in a patient’s care should not be viewing that patient’s records, and it’s a risk that happens far too often. Education and training need to be provided on an ongoing basis.

George Indest is the principal of The Health Law Firm in Altamonte Springs, Florida. The Health Law Firm concentrates exclusively on representing health care providers. Its attorneys include those Board Certified in Health Law. If you would like to learn more from George’s legal expertise, you can contact him here.

Preparing for HIPAA Compliance Audits: An Interview with Valerie Breslin Montague

By Griffin Jones

This is the sixth interview in a series exploring the implications of the Health Insurance Portability and Accountability Act (HIPAA) as it relates to digital media.

Valerie Breslin Montague

Valerie Breslin Montague is an attorney who specializes in HIPAA in Chicago, IL. Ms. Montague’s comments do not contain legal advice, but they do educate us about some of the risks that face fertility centers with respect to HIPAA and social media. I started the interview with a topic that we are all very interested in--what are the implications when patients include their own information on a practice’s website, blog, place page, or social media channel?

Montague: Generally, under federal and state privacy laws, when a patient is forthcoming with their own information, that’s not a disclosure by the practice. Anything posted by the patient would be their disclosure. With that said, it would be wise for practices to include that publicly in their social media policy. Patients should know that social media channels and review sites are public places, and anything posted on the internet should be considered permanent. The practice should inform the public that they do not have control over who can see that information, once posted. When responding to patient comments, it would be wise to do so in a general manner (such as “thank you” or “we appreciate that”). I wouldn’t confirm the patient’s visit, or add any new information.

Is there a danger of disclosing the physician-patient relationship even if it’s a basic acknowledgement of the comment?

I don’t think there’s any guidance here, but I don’t believe that’s something that would be enforced as a HIPAA violation. I think the government would have a hard time arguing that was a breach of PHI. If the government wanted to be very overreaching, I suppose they could, but I don’t see a very big risk there. The practice wouldn’t want to do anything to amplify or further share the patient’s message, such as adding a hashtag, tagging another person, or retweeting or sharing the post, without a proper HIPAA authorization. The practice can directly message or e-mail the commenter to ask them to complete a HIPAA authorization. Then they can share the posted content for purposes agreed upon in the authorization.

Why don’t the Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR) issue guidelines on practice engagement on digital media?

Hopefully OCR will in the near future but its focus now is on enforcement and audits.

Tell us about the pending round of HIPAA compliance audits.

OCR has been warning of a second round of audits for more than a year. The first round of HIPAA compliance audits took place in 2012. This time, the audit will include both covered entities (healthcare providers and health insurers) and their “business associates” (EHR providers, billing companies, etc.) The agency has said they will audit a large scope of entities from large health systems to small practices.

What are common vulnerabilities that might be exposed for healthcare providers during these audits?

It’s very common to have HIPAA policies in place for privacy obligations. Providers have been doing a pretty good job of keeping up in that respect. Some smaller or newer business associates may need more help. Where I’m concerned that many people may fail to meet compliance is their requirement to do a security risk assessment. They need to check the security of everything that impacts PHI. Once strengths and weaknesses have been analyzed, a risk management plan has to be implemented.

Not having a “business associate” contract in place is also a risk for both the healthcare provider and the business associate. The arrangement, not the agreement, determines if the relationship exists, and both parties are culpable if a signed contract is not in place.

What should healthcare providers be doing right now to ensure HIPAA compliance?

Providers should be prepared for risks before any incidents might occur. It is much easier to correct security weaknesses before an audit or investigation, and much more difficult to do so in the midst of one. Our firm (Nixon Peabody) works with providers and their vendors to review HIPAA compliance programs and implement any necessary updates before issues arise. OCR will definitely investigate any mass breach that involves over five hundred people and they may investigate smaller breaches and complaints, especially if it is a high profile case.

It’s important to be proactive to determine where your practice stands, relative to compliance, before a complaint or breach requires it.

Valerie Breslin Montague focuses her practice on regulatory compliance, nonprofit governance and tax exemption, and HIPAA/health information privacy and security. She is a partner at the firm, Nixon Peabody, in Chicago. If you would like to learn more about HIPAA compliance and risk management, you can contact her here.

Legal Considerations When Responding to Online Patient Reviews: An Interview with Eric Goldman

Eric Goldman

This is the third interview in a series which explores digital media and the law, including questions about HIPAA and online engagement.  Eric Goldman is a professor at Santa Clara University School of Law. While Mr. Goldman's answers don't provide us with legal advice, they do give us some insight into how fertility practices might consider the law when responding to patient reviews online.

Jones: Should physicians respond to reviews written about them online? Why or why not?

Goldman: In most circumstances, physicians either should not respond to online reviews or respond generically by thanking the reviewer and indicating that the physician appreciates and carefully considers online feedback. It rarely makes sense to get into substantive discussions with reviewers online. Not only could such discussions implicate HIPAA, but physicians often look thin-skinned and petty when they attempt to debate fact matters online. Furthermore, increasing the number of comments to a review may actually cause search engines to rank the content higher (a counterproductive result if the review is negative). If the physician chooses to engage a negative review about the facts (which is rarely if ever advisable), the response should discuss the office’s general practices and not discuss how those practices were applied in the reviewer’s specific situation.

J: What information should physicians never include in their responses to reviews?

G: Given the boundaries of HIPAA, there are few circumstances where a physician can discuss any individual facts about the reviewer. Indeed, it is potentially problematic to even acknowledge that the reviewer is a patient.

J: Are there different implications for responding to patients when their identities are public (ex. Facebook) vs. when they are anonymous (ex. RateMDs)?

G: I couldn’t think of any.

J: Are responses to reviews considered protected health information (PHI) if the patient posted the information?

G: It’s a risky practice for physicians to confirm information that a patient or family member voluntarily publicly disclosed.

J: What should physicians and practices always be wary of regarding online reviews and their public reputation?

G:

  1. Prospective patients are increasingly looking at other patients’ reviews when selecting physicians. I know many physicians wish this weren’t true, but there’s no point pining for an alternative universe.
  2. Prospective patients are savvy enough to discount outlier reviews. If one negative review is surrounded by multiple positive reviews, it will have minimal effect on the physician’s reputation.
  3. Patients’ reviews of their physicians are overwhelmingly positive, i.e., in some cases 90%+ of patients’ reviews are positive.
  4. If a physician deals with dozens or hundreds of patients, inevitably there will be a few unhappy patients who will vent online.

For these reasons, physicians should be actively encouraging their patients to review them online. This will better inform future prospective patients, and it usually will help create a base of positive reviews that will insulate the physician from the occasional negative reviews that inevitably will come.

G: A final thought: getting negative feedback never feels good, but it can provide a candid insight into the patient’s experiences. If the physician can overcome the emotional sting of a negative review, there may be valuable customer feedback that can help physicians do a better job meeting their patients’ needs.

If you would like to read a short essay by Mr. Goldman which explores how doctors and other healthcare professionals have responded to patient reviews of their services and addresses how they should deal with patient reviews in the future, you can find it here.

1 Big Unexpected HIPAA Risk Facing Fertility Centers Online: An Interview with Rachel Yaffe

By Griffin Jones

This is actually the second interview in a series exploring the Health Insurance Portability and Accountability Act (HIPAA); I recorded it in August of 2015 and published it in September. The Fertility Bridge blog was not active in its current form then. I wanted to make sure this interview was in the blog archives because (speaking for myself) HIPAA is not always as common sense as we would like it to be. Rachel Yaffe practices healthcare law in Chicago. Ms. Yaffe's comments are not legal advice; they simply offer us some insight into how HIPAA might impact a fertility center's digital media strategy. In this interview we discuss:

  • What are the implications when a patient posts their own information on a fertility center's website, place page, or social media channel?
  • Should practices follow patients on platforms like Twitter and Instagram?
  • Should practices have personal Facebook pages for their business?

Rachel Yaffe represents physicians, medical practices, laboratories, pharmacies, and other healthcare clients in corporate, transactional and regulatory matters. She practices with the firm, McDonald Hopkins in Chicago. If you would like to learn more about HIPAA compliance from Rachel, you can contact her here.