Types of PHI

Patient’s name or nickname

Using a patient’s name or nickname is a HIPAA violation. In addition to names and nicknames, using a patient’s social media handle or anything related to the patient’s naming identity is forbidden.

Address or geographical location

HIPAA requires healthcare workers to withhold almost all information about the address of a patient. Privacy laws forbid the disclosing of any geographic information about a patient more detailed than the state-level. Protected information includes a patient’s city and county, too.

For example, when posting generally on social media, a rheumatologist who treats a patient suffering from Lyme Disease must not reveal that their patient fell ill after visiting her family in Long Island, N.Y., where she suffered a tick bite. Why? That geographical information could allow others to identify the patient.

Dates

HIPAA protects almost all dates related to an individual and their medical treatment. Privacy laws forbid you from revealing any of the following:

• Birthdate
• Date of death
• Admission date
• Discharge date
• The exact age of a patient

This particular PHI frustrates many physicians who want to provide references for other patients. For example, a fertility doctor who wants to blog about a certain case cannot include her patient’s age, even though that might help explain her patient’s concerns. HIPAA forbids revealing a specific age, so the doctor must compromise and give an age range (early 40s, for example) to describe her patient instead.

Important numbers

Reputable doctors would never intentionally give out a patient’s contact information, but what about by accident? Ever written a patient’s number on a Post-It for your afternoon callbacks? Make sure that protected information doesn’t get picked up in a candid photo that lands on your Instagram page. Here are a few important numbers to watch out for:

• Telephone numbers
• Fax number
• Social Security number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number 

This information cannot be shared anywhere.

Remove any personal identifiers if there will be people coming around the office or if you’re doing a Facebook Live stream from your desk. Sweep the area before you “Go Live.”

Vehicle or device serial information

Revealing a patient’s license plate number is a clear violation, but so is any identifying information about their vehicle. Be sure not to describe the vehicle in any way that might be identifiable to others. In a small town, any information about a vehicle could reveal a patient’s identity.

IP address, URLs, and social media

Even if you have permission to write a story or case study about one of your patients, you must still protect their identity. Don’t include their email address, link to their personal or business website, or mention their social media handle when you share your post.

Fingerprint or voiceprint

You can’t host a recorded Q&A session with a patient (for instance, in a podcast) even if their face is never shown. HIPAA protects voices, too, because they identify patients easily.

Photos

HIPAA states that photographic images violate a patient’s privacy rights. A photograph of a hand or a leg counts, even if it seems less harmful than a headshot.

A plastic surgery practice, for example, might want to use before-and-after photos in their marketing campaign to demonstrate its skills and services. An attorney can help the practice create a set of best practices for using photos in marketing campaigns, including consent forms and retention of photographic rights.

Anything else that compromises a patient’s identity

With enough detective work, most biographical information could reveal too much. Do not disclose a patient’s occupation, marital status, or information about their family, income, or race.

Tips for following HIPAA when marketing your practice online

Digital marketing is an effective way to attract new patients and position yourself as an expert in your field. Keep the following HIPAA marketing concepts in mind when planning your posts, tweets, and shares. Don’t forget: HIPAA also applies when you’re using your website to engage with reviews.

Keep information about your patients’ cases as general as possible. Remember, even when telling a story anecdotally, you should never include specifics or PHI.

When sharing on social media

Regularly posting on social media is a great tactic for engaging with your patients and establishing yourself as an expert in your field. Before posting pictures to platforms such as Instagram and Twitter, you should scan each photo to ensure it is free of potential privacy violations.

Perhaps you’re attending a webinar about this year’s flu virus during your lunch break. You grab a sandwich and a coffee and tune in at your desk. This is a great opportunity to snap a quick picture and share what you’re learning with your Instagram followers. But before you think up your catchy caption, you need to ensure there’s nothing in the photo that could get you into trouble.

How often do you have a Post-It note on your computer screen with a patient’s phone number written on it? Or your afternoon files sprawled across your desk for you to review when you get a free moment? All of this information might be visible in the periphery of your otherwise innocuous Instagram post.

Here are a few other common photo violations to avoid:

• Sharing before-and-after treatment photos posted without obtaining patient consent via a signed release form that has been designed and reviewed by your attorney
• Posting desktop screenshots that might include open windows with patient identifiable information
• Tagging a patient on a social media post

Does this violate HIPAA?

A primary care physician would like to share a post on her practice’s Facebook business page about a patient she saw earlier in the day. Which of the following posts does not violate HIPAA?

Option 1:

“A patient came in to see me recently because their thumb and wrist were causing a great deal of pain. I determined the pain was likely caused by overuse of a large smartphone. Repetitive scrolling and handling of these devices, although fun, is unnatural. The patient required a cortisone shot and might require a cast or brace soon. I urged this patient to try using a stylus pen or a desktop computer whenever possible.”

Option 2:

“Earlier today, a 26-year-old who is on her phone all day for work as a social media coordinator came to me because her wrist and thumb were causing her a great deal of pain. I gave her a cortisone shot and suggested she do her work on a desktop computer rather than her phone. I believe repetitive scrolling on social media sites is causing inflammation of her tendon.”

Answer:

The PCP should choose Option 1, as there is no mention of information that can help identify the patient. It is vague, but it still describes the situation.

Option 2 violates HIPAA. The post reveals exactly when the patient saw the doctor, her gender, her age, and her occupation. Option 1 tells the same story, but protects the patient’s identity. There is no mention of her age, her gender, her occupation, or when she saw her provider.

When updating your website

Similar to other media platforms, these are the most important HIPAA marketing rules to keep in mind: 

• Never reveal any patient PHI. Keep it vague, and have a second set of HIPAA-aware eyes to ensure there are no HIPAA violations before you post anything.
• Screen photographs and videos before posting on your website. Make sure there are no papers with patient information lurking in the background of the photo or video.
• Talk to your attorney before taking any action that could violate HIPAA. An attorney can let you know whether a patient can waive their rights in a given circumstance.

Ensure testimonials and reviews posted directly to your website are posted voluntarily. No information can be posted without a patient’s consent if it is about them or if it is their testimonial or review.

When managing your online reputation

Doctors and other healthcare providers take great pride in their work, so it can be disheartening to see a less-than-stellar review on one of their online profiles. But bad reviews happen occasionally, and it’s essential that you respond to them right away. Your response will likely resolve the issue, but just as importantly, it will show other potential patients that you are gracious and empathetic.

When responding to reviews on online profiles, it might be difficult to respond without revealing any identifying information. Stay calm and stay vague.

Violating HIPAA on your review sites can hurt your online reputation and can potentially lead to other more severe consequences.

How to engage online without violating HIPAA

HIPAA does not prevent you from engaging with patients; it just means you have to be careful when doing so. Take precaution, and do not refer to a patient by name without prior consent, and keep your conversations vague. Read on for more suggestions on how to engage online without violating HIPAA.

Replying to online reviews without violating HIPAA

Bad reviews can happen to the best of us, but it’s essential to respond to them right away before further damage is done. When responding to a negative review, it’s important to keep HIPAA privacy laws in mind. It can be easy to forget when you’re in the midst of responding to a disgruntled patient.

Prepare a short and polite response, and acknowledge any misperceptions or inaccurate information. Here’s an example: “Thanks for bringing this to my attention. I understand you are frustrated. Would you mind giving me a call to discuss this matter? Thank you again for your honest feedback.”

If you would like to create your own template for responding to reviews, run it by your attorney.

Keep your message short and to the point to avoid violating HIPAA. The longer your response, the more likely you are to overshare protected information or appear defensive.

Why respond to the review at all? Your primary goal is to show other potential patients that you did everything you could to resolve the issue. You might also manage to repair the damaged relationship between your practice and the disgruntled patient.

If you are still struggling with how to respond to reviews, here are a few more suggestions:

Scenario 1

Review: “I had an unpleasant experience at this doctor’s office. The staff was rude and no one was able to answer my questions. They do not focus on giving their patients personal time.”

HIPAA-compliant response: “Thank you for bringing this to our attention. Please call our office at [phone number], so we can better assist you.”

Scenario 2

Review: “I saw the doctor 45 minutes after my appointment time due to filling out paperwork and the staff being behind schedule.”

HIPAA-compliant response: “Thank you for your feedback. Our patients’ convenience is our top priority. Via our patient portal, patients can fill out required documents ahead of time if they so choose. We would love to hear more about your experience. Please do not hesitate to give us a call at [phone number].”

Even when responding to positive reviews, it is important to not reveal any identifying information. If you decide to showcase a patient’s positive review on your website or blog, get written consent prior to sharing their feedback. When displaying their review, only use their first name and last initial.

Engaging on social media or writing a blog without violating HIPAA

Seventy-one percent of all internet users visited social media websites in 2017.3 If you’ve set up business profiles for your practice, know that you might receive comments from current or prospective patients on those profiles.

It might be a good idea to train your office staff on how to engage on social media without violating HIPAA. 

Some scenarios where you would consider engaging with people on social media include: 

• Your patient writes a comment on your social media post about their experience at your practice. Is it OK for you to confirm the person is a patient? No, the doctor cannot confirm the person is a patient on social media without getting prior written consent. Even if they are commenting about their experience, you must verify it is OK to acknowledge them as a patient. 
• Your patient reaches out to you through Facebook Messenger to get more information about their appointment or records. This is not a secure network. Do not share any PHI through social media chat tools, as they are not secure. Respond to the patient and tell them to give the office a call to get more information.
• Your patient sends you a friend request on social media. Doctors and other healthcare providers should not accept friend requests from patients on social media platforms.4 Keep your work and home lives separate to avoid any issues.

With the information outlined here, doctors, dentists, and other healthcare providers should have a better understanding of HIPAA regulations and how they impact marketing. Use this information when marketing your practice or engaging with patients on social media, blogs, websites, and review sites. And remember, always consult your attorney or legal services team if you have doubts about whether your digital marketing efforts could violate HIPAA or otherwise put your practice at risk.