
Why did these 9 patients just leave word-of-mouth referrals for their fertility doctors on Instagram?

By Griffin Jones

**Fertility Bridge does not endorse any of the programs or doctors mentioned. They come from responses from our Instagram community**

"The only thing that matters is the lab"

That's what a board-certified reproductive endocrinologist (RE) told me over lunch at the 2016 American Society for Reproductive Medicine (ASRM) annual scientific congress. "The patient experience doesn't matter. The only thing that matters is if they get a baby or not." My efforts to show him all of the evidence to the contrary were fruitless. That was the end of the conversation. Why try to convince the inconvincible?

In some perverse way, it excites me when people are so neglectful of what our patient population demands. Meritocracy might be a lofty ideal, but I love working with fertility clinics who take IVF cycles from people who think like that. A slop-eating grin came over my face as I stared at his plate and thought of the perfect metaphor:

I'm going to eat your lunch.  

Who are they and what did people say?


Satisfied don't mean delighted

A 2014 study by Software Advice states that 61% of patients evaluate their new doctor before their first appointment. Over 40% of new patients of Fertility Bridge clients confirm having read online reviews before scheduling their first visit. Nearly 30% say they were referred by a friend.

Bain's Net Promoter System suggests that patients can be divided into three categories across a satisfaction scale from 0 to 10. The single question is, "How likely are you to recommend our practice to a friend or family member?" Those who answer between 0 and 6 are called detractors. They actively discourage others from coming to your practice. Those who respond with a 7 or 8 are labeled passive, because their referral rates are less than 50% of those who respond with a 9 or 10. Finally, those who respond with 9 or 10 are promoters, people who sing the practice's praises to anyone who will listen. You can read more about using your practice culture to turn patients into promoters in Chapter 2 of the free e-book, The Ultimate Guide to Fertility Marketing.

I know many of these promoters very well. They brought me into the field of reproductive health in the first place. After all, people don't get so fired up after they buy a power washer from the Home Depot. So, among thousands of people in the trying-to-conceive (#ttc) community on Instagram who are actively undergoing or pursuing fertility treatment, I asked the question: Would you recommend your fertility clinic, and why?

1). By Name in New England

Absolutely and I actually have. The first place we went to was terrible and I've shared that with people who have asked for recommendations. I wish I had done some thorough research beforehand but I wasn't aware how common infertility is and how many clinics were out there. The second place was beyond anything I could have hoped for! We saw Dr. Gargiulo at the Center For Reproductive Care (CRC) in Stratham, NH. We are less than an hour away from Boston which is home to some of the top hospitals in the country so we fortunately have a large number of places to choose from. The entire staff at CRC was absolutely fantastic.

I was greeted by name every single time I walked into the office and the nurses were amazing when it came to making the entire process less stressful and knowing when to crack a joke to lighten the mood. The thing that really set CRC apart was the welcome packet. In addition to the typical insurance forms they included an illustrated book that talked about how to talk to all of the different people in your life from co workers to your spouse. Also, they make sure to include that due to the sensitivity of this journey, no one under the age of 18 is allowed into the office for any reason. Reading that one policy was the moment I knew we had finally found the place that truly focuses on their patients and not their numbers.

2). Memorable in Montana

I totally would! I should mention, my RE and her partner are the only ones in the state. Even if she wasn't, I would still recommend her. Her name is Dr. Stacy Shomento with Billings Clinic. Dr. Shomento is in Bozeman, and that is the staff I know and love! She has a pile of patients, but always gives you lots of time and takes a personal interest in you. She also has a stellar, amazing, outgoing staff. Infertility is very personal and invasive. Having a comfortable relationship with the medical staff is a must for me.

She took the time to make personal connections and remembered us, not just our chart. Really, because RE's are so busy, you end up dealing a lot with your nurse, so they really need to be awesome.

3). Compassion in California

I totally would!!!! Coastal Fertility in Irvine, CA is the best! So compassionate. Dr. Werlin rocks!!! He's amazing!!!

4). Knowledge in New Jersey

I would. More specifically, I would recommend my doctor, even though all the doctors are great. Dr. Marcus Jurema from Reproductive Medicine Associates of New Jersey (RMANJ) is what every reproductive endocrinologist should be. I'm thankful I have him in my corner. My doctor is part of RMANJ and was originally with IVFNJ before the merge. I've had several issues with several staff members with both practices.

There's very little communication within the company within different departments (billing, nurses, etc). I'm sure that's because the company is just so big. With that being said, RMA has the best labs in the state, maybe the East Coast. Because of that, I can't leave. Plus, my doctor is amazing.

He teaches as he goes. He knows I need technical info, good or bad. I can't have anything sugar coated. I'm a medical assistant so I research everything. He knows that and will give it to me straight, while also holding my hand through the bad stuff. He's been with me from day one, with every cycle and every loss.

5). Benign in Boston

We switched doctors for our last round of IVF, but we stayed at the same clinic, IVF New England. The nurses are magnificent and since that's who you're interacting with the most, it's invaluable. I never felt like a number there, even though they're a bigger clinic. I always knew I was in good hands, even after 4 failures with my first doctor. It took me a long time to decide to switch. It broke my heart to try someone new, because I trusted him implicitly.

My new RE, Dr. Pauli is amazing. I don't regret not going to him sooner but I'm so glad I did. We were successful on our first round with him and I'm currently 11 weeks pregnant. I love that both doctors called with results of the bigger tests (pgd, era etc) and called to check in on us. Dr. P. called me once with results while he was on vacation.

I have nothing but good things to say about IVFNE. They're not perfect, and some of their methods aren't for everyone. But they are perfect for us. Even if we never got pregnant, I wouldn't feel any differently.

6). Education in the OC

Yep!!!! HRC Fertility in Newport Beach!! I think the best thing about HRC is the coordinator is amazing financing and they can do preimplantation genetic screening (PGS) with a fresh transfer. My doctor was very, very busy all the time, but he did give me pregnant the first time. He never did an ultrasound which I thought was odd but I love the girl who did my ultrasounds.

My doctor was always kind, and answered all my questions but the relationship was definitely not personal. I don't care about that; I want results, and he provides results.

My tech was wonderful because she would walk me through exactly what she was doing. During stims, she would explain what she was counting, what she was looking for, and what she saw. Same after I became pregnant. They followed me for 11 weeks.

7). Making changes in Maryland

Our first one, absolutely not. We were a paycheck at [a very large fertility practice group] and never felt like patients. Our RE told me that our son "must have been a lucky egg and I wanted to go cry in the car, go ahead". It was the worst year of my life. My new doctor, Dr. Mary Ann Sorra with Natural Fertility, actually held my hand when I was put under for a laparoscopy. It feels so nice to finally be cared about.

8). Looked After in Louisiana

Definitely. Arklatex Fertility and Reproductive Health with Dr. Vandermolen. I just felt like they're all so patient. Any time I had questions, I could call the nurse and she would call me right back. They knew me by name. The success rate for the doctor is pretty high, which is always a plus. When I first went to him, he told me what was going on. I felt like I had options instead of having him tell me what I was going to do.

9). Genial in Jersey

Absolutely! RMANJ, because of their lab. I was told I was going to be treated as a number, but on the contrary, I got to talk with my RE personally. He even called me right before my egg retrieval to know how I was doing. The nurse was always on top of things and answered me right away.

The transfer was very detailed oriented. They addressed yeast infections and progesterone levels while my previous clinic always dismissed my concerns.

"A great lab is necessary, but not sufficient"--Jake Anderson-Bialis

While I chose not to include the names of these volunteer promoters, they are perfectly willing to share their experiences with thousands of other people in the infertility community on Instagram. We often believe that people only recommend their IVF center online if they become pregnant or have a baby. We're told that they'll leave negative comments if they have a failed cycle, but research from Fertility Bridge and Fertility IQ shows that that's not exactly true.

True for almost every fertility clinic review we read.


"No question, if a patient has a good result, they're more likely to recommend their fertility doctor/clinic," says Fertility IQ co-founder, Jake Anderson. "With that said, when we look at patients who had failed cycles, it's very clear who is likely to recommend the doctor, and who definitely won't."

It seems that the contrapositive is also valid; when we look at patients who've had successful cycles, it's clear who will be the source of future patients in the form of word-of-mouth referrals. Many people have success at their fertility centers and are "satisfied", but we see in these recommendations that it's compassion and personal connection that turn former IVF patients into zealous promoters of their practices. So the next time a competing fertility doctor tries to convince you that the patient experience is meaningless, and clinical outcomes are all that matter, don't feel disappointed when you can't change his mind. Eat his f'ing lunch.

_________________

For strategy on improving the patient experience, read chapter 2 of my free e-book, The Ultimate Guide to Fertility Marketing.

3 Common Things Fertility Practices Do On the Internet that Make HIPAA Lawyers Cringe

By Griffin Jones

"We must all obey the great law of change. It is the most powerful law of nature."--Edmund Burke

In the summer of 2015, I asked my e-mail list of fertility doctors if they had any questions about the Health Insurance Portability and Accountability Act (HIPAA) as it relates to internet marketing. Except I didn't write HIPAA. I wrote HIPPA. Thankfully, someone who read the e-mail corrected me. I was a little embarrassed. I knew what the acronym stood for, but I still wrote it incorrectly. Why would I spell it that way?

What happens when patients want to engage with you?


It wasn't until several weeks later that I realized why I would misspell such a commonly known acronym. It's because nearly everyone spells it that way. You may have made this mistake; I see it from physicians frequently, even on their websites (sometimes even from lawyers). Heck, even the Substance Abuse and Mental Health Services Administration misspells HIPAA. My observation isn't that we're all phonetic spellers, it's that we don't have a great deal of familiarity with such a broad legal statute.

Technology, culture, and the law

I don't envy your position of having to handle protected health information (PHI). So why, as a marketer, am I so interested in learning more about privacy regulations? Because technology moves faster than the law can possibly hope to keep pace with. I'll take this one step further; the way human beings annex technology into their daily lives moves faster than they can properly regulate it. We see legislation failing to keep up with assisted reproductive technology (ART) across the field. We see antiquated laws or delays in new regulations for driverless cars, music sharing, and even new currencies like Bitcoin. Why wouldn't we expect a similar legal lag in privacy and communication?

Unlike many disciplines in medicine, and contrary to what some people in our own space still seem to believe, fertility is an extremely social category. The #infertility hashtag has been posted on Instagram 142,335 times--up 30% from when I reported on the rise of Instagram among the infertility community three months ago. Patients post medical records with their practice and doctor's name. Sometimes they just say hello. When do we engage? When do we not?

The phrase "social media" does not appear anywhere in HIPAA, so we are left to turn to lawyers to interpret the law. That's why I interviewed seven of them. Their insight spans beyond my scope of internet marketing, and I suggest you educate your team on HIPAA because all of the attorneys agreed that training is the best way to prevent a breach. I recommend you consult your own attorney often and that is not me. I'm just someone who knows how infertility patients communicate and what they use to connect, which leads me to observe some scenarios in which fertility centers may be at risk of privacy law violations.

Be human, be careful

We have to imagine that future laws and statutes will have to be more explicit with rules of engagement between patients and providers in digital media and communication technology. I hope that legislators involve physicians, patient advocacy groups, and tech developers in their consideration of new regulations, because I worry that a lack of understanding in how communication technology is actually used could lead to limits on patients' free speech, and ultimately hinder the standard of care. Reservedly, I'm optimistic because millennials are only beginning to change healthcare and we are a demographic that demands online engagement. In the meantime, I am paying very close attention to how policies and technologies develop, so that we can continually adjust and evolve when called for. I'll say it one last time--I'm not an attorney. Talk to an attorney. Maybe I'm too conservative, but this is how I see the intersection of law, culture, and technology at this moment. From what I observe as someone who monitors the fertility marketing landscape, these are common mistakes:

1). Posting pictures of baby collages

In 2014, the New York Times published an article about fertility centers having to take down baby photos in their office because it is a violation of HIPAA to display any of the 18 identifiers of PHI without explicit authorization. 

18 identifiers of Protected Health Information; from UCSF

It seems that most of the fertility centers took down the baby photos, though they didn't necessarily have to. It is possible for you to post baby photos to your website or social media accounts and keep them in the office for public view. If you have a signed HIPAA authorization on record for every image in the collage or baby wall, for the purposes of external marketing and social media, you are allowed to post those pictures. If I were a betting man, however, my hunch would be that you have not done that.

2). Sharing pictures from the fertility center baby reunion. 

Trust me, I know how this hurts. The picture of everyone--team members, physicians, former patients, spouses, and adorable children--makes for the best fertility center cover photo of all time. Many of you have this very picture on your websites, place pages, and social media accounts. Again, unless you have a signed authorization from every single patient in the picture, this isn't legal. Would it be likely that the Office of Civil Rights (OCR) would take action against you? I doubt it, but I always play it cautious in this space. Just last month, a physical therapy provider agreed to pay $25,000 in fines for posting pictures of patients to their website without the proper authorization. This doesn't mean you can't post the incredible pictures of your wonderful baby reunion, it means you should have HIPAA authorization forms on-hand at the event. 

HIPAA Authorizations have six core elements:

  1. A specific and meaningful description of the information to be used or disclosed.
  2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
  3. The name or other specific identification of the person(s), or class of persons, to whom the fertility practice may make the requested use or disclosure (i.e., the intended recipients).
  4. Description of each purpose of the requested use or disclosure. 
  5. Must contain an expiration date or an expiration event.
  6. The signature of the individual and the date.

And they must include these three statements:

  1. Individual’s right to revoke the Authorization.
  2. Clarification that the covered entity is not permitted to condition the provision of treatment on the execution of a valid Authorization. 
  3. Explanation that there is a potential that the information may be re-disclosed by the recipient of the information and that the recipient may not be required to comply with the Privacy Rule.

You can borrow an example of a simple authorization form from Tulane University Medical Group. Most of the people at your baby reunions really want you to use their picture. A socially appropriate way of asking their permission might be:

  • "Hi everyone, we would hate to leave you out of our event photos, but we can only share them publicly if we have your authorization. Please come over to our table to sign the form if you'd like to be in the pictures."

If you have a photographer on site, you may even consider having a team member accompany them with a clipboard of the appropriate forms. Don't worry, in an environment like your baby reunion, most people would be disappointed if you didn't ask.

3). Publicly responding with too much information

Often when I see this, it is in response to a negative review. Physicians sometimes refute complaints by using details to support their argument. This makes for poor marketing, atrocious customer service, and worse yet, it may be illegal. If any of the 18 patient identifiers can be traced to that person's review account (a full face photo in Yelp, a name on Facebook, an e-mail address on a Google account, etc.), that would be a breach of PHI. Please, please, please, resist the temptation to respond to a reviewer with any of their information.

This is an example of a potentially illegal, and otherwise awful way of responding to a fertility patient review


To be fair, it isn't only the negative reviews in which I see doctors and nurses respond with too much information. Sometimes, with the very best of intentions, doctors and nurses comment on a patient photo to the effect of "I'm so glad we could help you through this. That was such a hard time for you." We suppose this is of much lower risk than responding with too much information to a negative review; after all, do you think a person who was very upset with you wouldn't take the first chance they could get to file a complaint? But once more, I would rather play it safe. If you look at the way I respond to patients, I really don't even acknowledge that they were a patient at the practice. We want to be human, authentic, and emotionally sensitive in our engagements, but we also want to make sure we don't add any patient information. We can tell them their photo is lovely, thank them for their kind words, and wish them a great week. If it is a complaint, we can tell them we are sorry to hear that and we would like to hear more from them offline. That's it. Keep it very simple.

Pay attention and adjust accordingly

There is a lot of fear mongering on the web about privacy and patient engagement, and I'm concerned that practices will be afraid to engage their patients online, which is a critical part of patient relations in our connected world. Equally, extreme caution is necessary to protect the trust and privacy of our communities. Because we want to engage our patients effectively, authentically, and respect privacy laws, we have to be smart. You should consult with your attorney often because this is just one of the many areas of our field and our world that is changing faster than laws can keep pace with. I am guardedly optimistic that as new generations impact healthcare, more widely-adopted practices for patient engagement will establish themselves. In the meantime, we can pay attention to legal, technological, and social developments and continually evolve our policies and habits. 

What Canadian Fertility Centres Need to Know About the Law and Digital Media

By Griffin Jones

A patient’s health information is sacred and a fertility practice’s community of adoring supporters is invaluable. In a world where social media and communication technology develop years ahead of the law, how do we safeguard both privacy and engagement without sacrifice to one or the other? I have interviewed several attorneys regarding the Health Insurance Portability and Accountability Act (HIPAA) and other regulatory schemes in the United States, but I’ve yet to investigate the law relevant to you, the leaders in reproductive health across Canada.

Dr. Alan West


That is, until now. Dr. Alan West is a physician and a partner at the law firm of Gowling WLG in Toronto. He specializes in healthcare advertising law. Mr. Evan Atwood is a senior associate at the same office who specializes in consumer and healthcare privacy law. You should always consult an attorney for specific legal advice, which Dr. West and Mr. Atwood do not give here, but they offer us some education about how the law can pertain to a Canadian fertility clinic’s internet presence.

Federal and provincial regulations

“We don’t have HIPAA. My head spins when I have to deal with HIPAA,” West clarifies. “We have a mix of federal and provincial laws.” Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act) applies to health information as well as consumer information, and applies only in provinces that haven’t passed their own statutes with privacy protections equivalent to those contained in the federal statute.

Several provinces, including British Columbia and Ontario, have their own health privacy laws. In Ontario, the law is called PHIPA (the Personal Health Information Protection Act).  Atwood explains, “Both fortunately and unfortunately, the law does not explicitly state what information is prohibited from being released without authorization.” Unlike HIPAA in the United States, which has a data set of 18 identifying factors (name, date of birth, license plate number, etc.) for Protected Health Information (PHI), there is no concept of a data set in Canadian privacy law. The principles are much more general.

HIPAA’s 2013 Omnibus rule adds liability to “business associates”, those who receive and send PHI to “covered entities” (healthcare providers). The obligations of a business associate are explicit. Again, in Canada, the law is not as specific, but the health records custodian (you, the fertility centre) is obliged to see that its vendors only store that data on behalf of the health records custodian, with the same protections in place.

“The law is always behind the actual practice of medicine.”

Mr. Evan Atwood


In some provinces, medical practices are prohibited from mentioning the brand names of pharmaceuticals and devices in their advertisements. The regulation of marketing falls more on the practices than on the drug companies. “Doctors are allowed to advertise their own services, but they are not supposed to identify or associate themselves with specific products or drugs. Although many do so,” West finds. West and Atwood point to the example of “physician locators”, search engines within pharmaceutical or manufacturer websites that list nearby physician offices who administer their products. These websites may be impermissibly marketing directly to the consumer, but “I know of no prosecution for using brand names in advertising,” West says.

West offers some insight as to why there is a lack of enforcement of some laws in healthcare advertising. Provincial boards of medical examiners have limited resources, and they spend their attention on investigating serious cases of fraud and malpractice, not on the use of brand names in advertising, which in some instances, have found their way into the public vernacular. In some provinces, there is no obligation to investigate every complaint that is reported to the provincial board. In others, such as Ontario, the board is obliged to investigate every written complaint. They might not take an enforcement action, but the risk is higher because they have to at least open the file.

This is important to know, because what is permissible in one province, may be prohibited by another province’s advertising law. In Ontario for instance, under the Medicine Act, patient testimonials are not permissible. Nonetheless, some medical practices may include testimonials on their websites, including some fertility centres. Whether you use testimonials on your website or not, what about the content posted by a patient to your Facebook or Google Places profile? In that case, it might be advisable not to solicit reviews. “It might not be the intent of the law, but I would rather be the prosecuting attorney than the defendant in such a scenario,” West opines. “As the law is written, I think the doctor has an obligation to police the postings on his or her social media channel”.

“The law has not caught up to reality, to put it mildly”, Atwood adds. “Still, there’s never been a prosecution for what a patient has put on a provider’s social media channel”.

Digital Media and Privacy Law

This wisdom comes with regard to provinces with regulations prohibiting patient testimonials, not with regard to health privacy. Consent is implied when a patient posts his or her own information on a clinic’s blog or social media channel. The doctor can leave it on their site. “Doctors and practices are allowed to respond to reviews and comments because the patient waives his or her right to privacy when they post their own information,” West says.

“Implied consent has limits,” Atwood cautions. “You can’t take that content and use it somewhere else”. Failing to obtain the proper consent is a mistake that Atwood and West commonly see. Though Canadian law does not specify six core elements for what is required in an authorization (as in HIPAA), expressed, written consent should be obtained whenever you use patient information outside of what is specified in the law.

West leaves us with a bit of caution. While provincial boards have not yet enforced certain regulations, such as those against the use of brand names in physician advertising, he believes punitive measures could be likely in the future. “Be forewarned of enforcement action. That may be something we see quite a bit more.”

Get specific legal advice

In every country, the technologies and media that people use to communicate develop much more rapidly than the laws that regulate them. We have to engage our online communities in a way that respects patient privacy and also complies with the law. In my opinion, Canada’s laws seem to follow common sense more so than the ambiguity of other regulatory schemes, but I’m not an attorney. I recommend you always consult an attorney about the federal, provincial, and local regulations specific to your area.

Dr. Alan West is a partner in Gowling WLG's Toronto office, practicing primarily in areas of law related to pharmaceuticals and health care.

Mr. Evan Atwood is a senior associate at Gowling WLG’s Toronto office, with experience in guiding clients with advertising compliance issues with Health Canada.

What Are We Doing? An Interview on Forming Social Media Policy with Paul Anderson

By Griffin Jones

This is the eighth interview in a series that explores the implications of patient privacy and the effective use of digital media. This piece centers on the importance of forming a social media policy. Paul Anderson is director of risk management publications at ECRI Institute.

Paul A. Anderson


Jones: You don’t tell practices that they have to be on social media, but what do they need to consider?

Anderson: Your patients, colleagues, and even your competitors are using social media. You want to know what patients are saying. If it’s positive, you want to thank them and share that. If it’s negative, you want to be aware of what they’ve said. If you’re not participating in social media, you’re missing part of your constituency. If you’re not using it, they’re going to sail right past you. You’re not in the space where people are talking.

There is often worry from physicians about participating in that space where people are talking. What about the risk? What about privacy?

Providers have a lot of misconceptions and fears about HIPAA. And of course, there is cause for concern. You don’t want to identify a patient in any way without their authorization. It is much better to get patients to tell their own stories, because patients can tell their own story to whomever they want. Practices should consult someone who is experienced with HIPAA compliance. I also recommend thoroughly educating someone in the practice on compliance issues, and having that person in charge of advising the social media policy. That person can be the word of caution and help the practice be smart about what they are doing. The first thing an agency will look for when investigating a privacy complaint is to see if there was a policy in place. The second thing they’ll look for is, “did we teach anyone about it?”

Many fertility centers participate in social media, but have yet to put a policy in place. Where do they start?

They first have to identify their goals. “Are we just going to monitor or are we going to engage people? Who’s going to approve content? Who’s going to post? What is our voice? Is it formal and academic? Or informal and casual?” Depending on the size of the practice, an individual or a committee should be placed in charge of initiating and enforcing the policy. Someone needs to be in charge of posting, because if a practice has a social media account, but never posts anything, that doesn’t look very good. I’m in favor of being active by posting and promoting content. You only do that when you have a well-defined reason for doing that and goals to employ.

How should practices respond to negative reviews?

One first has to be aware of the risks. If the review is too hostile to address productively, it’s perfectly reasonable to just leave it alone. If it’s negative commentary, take that conversation offline. There’s a lot of high emotions. You don’t want to inflame the situation.  Your response may be as simple as, “We hear your concern. We value your feedback. We’d like to talk to you. Here’s our phone number.” You can get a sense pretty quickly if the situation is resolvable. If it’s not, you have to disengage and try to balance that with positive reviews.

How about responding to positive reviews?

It’s never bad to say thank you, or when someone’s said “thank you” to say “you’re welcome.” Keep it simple. You don’t want to say too much but you’ve got to engage. Social media is a marketing tool that isn’t one-way.

Who is a healthcare provider with an exemplary social media policy?

The folks at the Mayo Clinic really have one of the best social media presences in all of healthcare. They have a center for social media and educational boot camps and social media trainings for employees. They’re very active on social, you can follow them almost everywhere. Their policy and their practices in place are really great resources.

But how does a small fertility practice implement a good social media policy?

Whoever’s going to spearhead this initiative better know how to use social media. Familiarity with the platforms and their nuances is necessary in order to be able to use them to effectively communicate. Define why you are going to use social media, first. If you can articulate that clearly, that will drive the rest of your conversation.

Paul Anderson is the director of risk management publications at ECRI Institute, an independent, non-profit research institute that works with all sizes of healthcare providers, from single practitioners to large research hospitals. They help practices with risk, quality, and patient safety management. You can learn more about ECRI Institute and their services here.


Avoid Common HIPAA Violations: An Interview with George Indest

By Griffin Jones

This is the seventh interview in a series that explores the crossroads of the Health Insurance Portability and Accountability Act (HIPAA) and digital media.

George Indest

George Indest practices healthcare law in Florida and across the country. Mr. Indest’s comments don’t provide legal advice, but they do offer us some insight on how the Health Insurance Portability and Accountability Act (HIPAA) impacts digital media for fertility centers. I asked Mr. Indest about some of the more common mistakes that practices have made to lead to a HIPAA breach.

Indest: Very often, breaches are inadvertent disclosures of protected health information (PHI) to people who didn’t have authorization to view it. Unauthorized disclosures may even include the patient’s immediate family members. Unless the patient has signed a HIPAA authorization for their family members to be able to view their information, the provider cannot release those records. There are several inadvertent mistakes that lead to HIPAA breaches, often including unintended recipients of patient information. This can include sending or forwarding an e-mail to the wrong person, replying to all instead of to an individual, or sending a fax to a recipient whose number is only one digit different from the intended recipient.

What happens when a patient releases their own information on a blog, place page, or social media channel operated by the practice?

The patient is free to release whatever information they want. That in no way affects the practice or the covered entity. I know of no legal obligation to take down patient posts. If the channels are open to the public, it’s the patient’s right and decision to disclose that information. That’s not covered by HIPAA. But, if the channels are open to the public, the covered entity needs to make warnings available that the practice does not have control over who can see that information.

What are the implications when the practice responds to the patient? Does a general response disclose a patient-physician relationship?

I don’t think there’s any sort of violation at all in a response that doesn’t contain PHI. Social interactions take place between patients and physicians all the time. There’s no breach of anyone’s confidentiality unless medical information is discussed. With that said, I have read of breaches wherein a practice responded to a patient’s Better Business Bureau (BBB) complaint and disclosed some of their records to refute the complaint. This is an unauthorized disclosure of PHI and a clear HIPAA violation. The patient is free to release whatever information they want, but that doesn’t authorize the practice to do the same. Even if it is a positive review, where the practice wants to share or retweet information that the patient has already made public, it would be on the safe side to get HIPAA authorization.

What should healthcare providers be doing right now to ensure HIPAA compliance?

The Office of Civil Rights (OCR) and the Department of Health and Human Services (HHS) have indicated more HIPAA audits and investigations. There are more lawsuits and more complaints of breaches than ever before. Personnel need constant training. They need constant reminders of HIPAA risks. Go overboard in your risk assessment and risk management. There are plenty of plaintiff attorneys looking for suits and there are plenty of things that shouldn’t be occurring. Personnel not directly involved in a patient’s care should not be viewing that patient’s records, and it’s a risk that happens far too often. Education and training need to be provided on an ongoing basis.

George Indest is the principal of the Health Law Firm in Altamonte Springs, Florida. The Health Law Firm concentrates exclusively on representing health care providers. Their attorneys include those Board Certified in Health Law. If you would like to learn more from George’s legal expertise, you can contact him here.

Preparing for HIPAA Compliance Audits: An Interview with Valerie Breslin Montague

By Griffin Jones

This is the sixth interview in a series exploring the implications of the Health Insurance Portability and Accountability Act (HIPAA) as it relates to digital media.

Valerie Breslin Montague

Valerie Breslin Montague is an attorney who specializes in HIPAA in Chicago, IL. Ms. Montague’s comments do not contain legal advice, but they do educate us about some of the risks that face fertility centers with respect to HIPAA and social media. I started the interview with a topic that we are all very interested in--what are the implications when patients include their own information on a practice’s website, blog, place page, or social media channel?

Montague: Generally, under federal and state privacy laws, when a patient is forthcoming with their own information, that’s not a disclosure by the practice. Anything posted by the patient would be their disclosure. With that said, it would be wise for practices to include that publicly in their social media policy. Patients should know that social media channels and review sites are public places, and anything posted on the internet should be considered permanent. The practice should inform the public that they do not have control over who can see that information, once posted. When responding to patient comments, it would be wise to do so in a general manner (such as “thank you” or “we appreciate that”). I wouldn’t confirm the patient’s visit, or add any new information.

Is there a danger of disclosing the physician-patient relationship even if it’s a basic acknowledgement of the comment?

I don’t think there’s any guidance here, but I don’t believe that’s something that would be enforced as a HIPAA violation. I think the government would have a hard time arguing that was a breach of PHI. If the government wanted to be very overreaching, I suppose they could, but I don’t see a very big risk there. The practice wouldn’t want to do anything to amplify or further share the patient’s message, such as adding a hashtag, tagging another person, or retweeting or sharing the post, without a proper HIPAA authorization. The practice can directly message or e-mail the commenter, to ask them to complete a HIPAA authorization. Then they can share the posted content for purposes agreed upon in the authorization.

Why don’t the Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR) issue guidelines on practice engagement on digital media?

Hopefully OCR will in the near future but its focus now is on enforcement and audits.

Tell us about the pending round of HIPAA compliance audits.

OCR has been warning of a second round of audits for more than a year. The first round of HIPAA compliance audits took place in 2012. This time, the audit will include both covered entities (healthcare providers and health insurers) and their “business associates” (EHR providers, billing companies, etc.). The agency has said they will audit a large scope of entities from large health systems to small practices.

What are common vulnerabilities that might be exposed for healthcare providers during these audits?

It’s very common to have HIPAA policies in place for privacy obligations. Providers have been doing a pretty good job of keeping up in that respect. Some smaller or newer business associates may need more help. Where I’m concerned that many people may fail to meet compliance is their requirement to do a security risk assessment. They need to check the security of everything that impacts PHI. Once strengths and weaknesses have been analyzed, a risk management plan has to be implemented.

Not having a “business associate” contract in place is also a risk for both the healthcare provider and the business associate. The arrangement, not the agreement, determines if the relationship exists, and both parties are culpable if a signed contract is not in place.

What should healthcare providers be doing right now to ensure HIPAA compliance?

Providers should be prepared for risks before any incidents might occur. It is much easier to correct security weaknesses before an audit or investigation, and much more difficult to do so in the midst of one. Our firm (Nixon Peabody) works with providers and their vendors to review HIPAA compliance programs and implement any necessary updates before issues arise. OCR will definitely investigate any mass breach that involves over five hundred people and they may investigate smaller breaches and complaints, especially if it is a high profile case.

It’s important to be proactive to determine where your practice stands, relative to compliance, before a complaint or breach requires it.

Valerie Breslin Montague focuses her practice on regulatory compliance, nonprofit governance and tax exemption, and HIPAA/health information privacy and security. She is a partner at the firm, Nixon Peabody, in Chicago. If you would like to learn more about HIPAA compliance and risk management, you can contact her here.


A Look Into Practice-Wide HIPAA Education with Ashley Trotto

By Griffin Jones

This is the fifth interview in a series exploring the implications of the Health Insurance Portability and Accountability Act (HIPAA) as it relates to digital media.

Ashley N. Trotto

Ms. Ashley Trotto practices health care law in Knoxville, Tennessee. Ms. Trotto’s comments do not contain legal advice, but they do educate us about some of the risks that face fertility centers with respect to HIPAA and social media. The reason I’ve reached out to Ms. Trotto and other experts in healthcare law is because there is surprisingly little guidance online about HIPAA and social media. Much of the information available is vague or may even be incorrect. I asked Ms. Trotto why there is so little information on the subject.

Trotto: The information that is online is often gray, which is understandable because the Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR) have not issued guidelines regarding social media and HIPAA. But it’s coming. We don’t know when, but the agencies will have to issue guidelines eventually.

The greatest unknown for healthcare providers in social media may be when a patient posts their own information. I think we all know to never post protected health information (PHI) on our websites or social media without express written consent.

You would think it’s common knowledge not to post patient information without authorization, but apparently it’s not as common as we might think. If you read some of the briefs of these breaches, most of them are inadvertent. There are 18 different identifiers that are addressed in HIPAA’s privacy rule. A staff member may believe that they are not publishing patient information, but many factors can be used to identify a patient. There have been breaches where the practice or staff members have shared information without the patient’s explicit consent. While any consent would be better than none, HHS has specific regulations regarding what is needed for a HIPAA authorization.

For this reason, I recommend against publishing any patient information whatsoever unless accompanied by a HIPAA authorization for the explicit use of marketing and social media.

What happens when patients post their own information to a fertility practice’s blog, place page, or social media channel?

Physicians can’t stop patients from posting their own information. A big concern would be if patients posted content that included information about other patients. The practice would want to take that down, but a patient is free to talk about their own information wherever they like.

Is acknowledging a patient comment or review with a simple “Thank you”, or “We take your concern very seriously, please call us at…” disclosure of the patient-physician relationship?

Generally, no. I wouldn’t be concerned about responding where the patient has already disclosed that information. However, the doctor or practice must be very careful not to offer medical advice or include any additional information that the patient did not.

What should healthcare providers be doing right now to ensure HIPAA compliance?

The greatest action a practice can take to prevent a breach of HIPAA is to implement team-wide education. We need everyone in the practice to know what HIPAA is, what PHI is, and what a breach is. Practice-wide education is key, and policy drafting is second. Practices need to have a privacy officer who is in charge of HIPAA compliance so it may make sense to bring in outside firms who can help explain the complex law and implement training procedures.

Generally, I think the biggest thing is just being aware. The smallest mistake could be a breach. There is a recent example of a HIPAA breach where a medical practice used an online scheduling calendar in which users could see the names of other people who had scheduled appointments, and their appointment times. The breach wasn’t intentional, but the calendar was not secure, and the practice was found in violation.

To name just one HIPAA risk to look out for would be extremely difficult. But to name one thing that you can do to protect your practice—that would absolutely be education and training for the entire team.

Ashley Trotto focuses her practice on Affordable Care Act (ACA) compliance. She practices with the firm, Kennerly Montgomery, in Knoxville, Tennessee. If you would like to learn more from Ashley’s expertise, you can contact her here.

Start With The Law: An Interview on HIPAA and Social Media with Paul Hales

Paul Hales

This is the fourth interview in a series exploring the implications of the Health Insurance Portability and Accountability Act (HIPAA) as it relates to digital media.

Paul Hales is an attorney from St. Louis, who specializes entirely in HIPAA law. Mr. Hales’ comments do not contain legal advice, but they do educate us about some of the risks that face fertility centers with respect to HIPAA and social media. Mr. Hales gives us some background on the Act.

Hales: We have to start with the law. My focus is on enabling practitioners to make use of social media and comply with the law. HIPAA was passed in 1996 with two objectives:

  1. To be able to keep insurance when switching from one provider to another.
  2. To have a uniform code for information and payment.

It has had further additions since.

  • The privacy regulations were added in 2003. 
  • The HIPAA security rule was added in 2005 
  • HITECH was passed in 2009. 
  • In 2013, the Omnibus rule was added to HIPAA to extend liability to “business associates”.

What is a business associate?

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

What are common areas in which covered entities and business associates fail to meet HIPAA compliance?

  • Protected Health Information (PHI) is made up of 18 identifiers, including but not limited to name, e-mail address, full face photos, and date of birth. 
  • Under HIPAA, every health care practice or organization must designate a privacy officer. The privacy officer must perform a risk-analysis.
  • Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of privacy rights and practices with respect to patients’ personal health information.

What about when a patient posts their own information on a blog, social media channel, or place page operated by the practice?

It’s important to look at how HIPAA defines a website, which is any site that provides information about a covered entity’s services or benefits. Therefore, if a patient posts their own information to a site that’s owned by the practice, that is unauthorized PHI on the practice’s site. The practice has to obtain HIPAA authorization before allowing any patient content to be published to its sites.

What is necessary in a HIPAA authorization?

HIPAA Authorizations have six core elements:

  1. A specific and meaningful description of the information to be used or disclosed.
  2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
  3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure (i.e., the intended recipients).
  4. Description of each purpose of the requested use or disclosure.
  5. Must contain an expiration date or an expiration event.
  6. The signature of the individual and the date.

A HIPAA authorization must also include three statements.

  1. Individual’s right to revoke the Authorization.
  2. Clarification that the covered entity is not permitted to condition the provision of treatment on the execution of a valid Authorization. 
  3. Explanation that there is a potential that the information may be re-disclosed by the recipient of the information and that the recipient may not be required to comply with the Privacy Rule.

What should fertility practices be conscious of right now to minimize risk of HIPAA violations?

Recently, there has been more enforcement, and soon there will be audits. On February 16, 2016 the Office of Civil Rights (OCR) settled an enforcement action against Complete P.T., Pool & Land Physical Therapy, Inc. for impermissibly disclosing patient information in the form of testimonials on their website. HIPAA is a very extensive law. There is a lot of information on the internet that is simply wrong. HIPAA regulations are very demanding and products cannot ensure compliance. No product can be HIPAA compliant. It’s how a covered entity uses a product that makes it compliant or not.

Paul Hales is an attorney who provides legal services and consultation regarding HIPAA compliance. His software, the HIPAA e-tool, helps covered entities and business associates with a complete HIPAA compliance solution. If you’re interested in an educational webinar with Mr. Hales, you can register here.

1 Big Unexpected HIPAA Risk Facing Fertility Centers Online: An Interview with Rachel Yaffe

By Griffin Jones

This is actually the second interview in a series exploring the Health Insurance Portability and Accountability Act (HIPAA). I recorded it in August of 2015 and published it in September. The Fertility Bridge blog was not active in its current form then. I wanted to make sure this interview was in the blog archives because (speaking for myself) HIPAA is not always as common sense as we would like it to be. Rachel Yaffe practices healthcare law in Chicago. Ms. Yaffe's comments are not legal advice; they simply offer us some insight into how HIPAA might impact a fertility center's digital media strategy. In this interview we discuss:

  • What are the implications when a patient posts their own information on a fertility center's website, place page, or social media channel?
  • Should practices follow patients on platforms like Twitter and Instagram?
  • Should practices have personal Facebook pages for their business?

Rachel Yaffe represents physicians, medical practices, laboratories, pharmacies, and other healthcare clients in corporate, transactional and regulatory matters. She practices with the firm McDonald Hopkins in Chicago. If you would like to learn more about HIPAA compliance from Rachel, you can contact her here.

Every Fertility Center Needs a HIPAA Compliant Social Media Strategy: An interview with Mike Bossenbroek

By Griffin Jones

This was the first interview that I did in a series exploring the Health Insurance Portability and Accountability Act (HIPAA) and its implications regarding digital media. I originally recorded this interview in August of 2015, before the Fertility Bridge blog was active in its current form. Per usual, my video intro is corny, and very crudely edited, but the content is very valuable because practices should educate themselves about HIPAA considerations in social media as much as they can.

Michael Bossenbroek practices healthcare law in Michigan. Of course, Mr. Bossenbroek's comments are NOT legal advice, but they give us important information to consider about how fertility centers should approach social media and patient engagement. In this interview, we address:

  • What are some things that a HIPAA compliant social media policy should include?
  • Where should a fertility practice's social media policy be visible?
  • What else should fertility practices consider when deciding their activity on social media?

Michael Bossenbroek is a partner at Wachler & Associates, P.C. in Royal Oaks, Michigan. Mr. Bossenbroek practices in all areas of health care law, including representing clients in matters relating to HIPAA compliance. If you'd like to learn more about HIPAA compliance from Mike, you can contact him here.