
Following These Simple Strategies Will Keep You HIPAA-Compliant

Millions of Americans search online for healthcare information, so digital marketing is crucial to your growth. But digital media treads a thin line between connecting with patients and violating HIPAA regulations. Here are some best practices to ensure your digital strategies are HIPAA compliant:

Website

Data submitted through any form on your website must be encrypted. Do this by using an EHR for communicating with patients, or by installing an SSL (secure sockets layer) certificate on your server so that form submissions travel over an encrypted connection. Your server should have antivirus protection, a firewall, offsite backup, OS patch management and encrypted server data. Lastly, you must have an up-to-date privacy policy posted on your site.
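The point of the certificate is that every form a patient might fill in submits over HTTPS, not just the home page. The script below is an added example (not code from the column or from EyeCarePro) that a practice's web vendor could run against a page's HTML and response headers: it flags any form whose action would post over plain http (relative actions inherit the page's own scheme) and checks that the Strict-Transport-Security header is present with a max-age of at least a year. The HTML, hostnames and headers are constructed sample input; the one-year threshold is the example's own choice.

```python
"""Static check for patient-facing web forms: every form must submit over HTTPS.

Added example with constructed sample input; hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ONE_YEAR_SECONDS = 31536000  # threshold chosen for this example


class _FormCollector(HTMLParser):
    """Collects the action attribute of every <form> element."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attrs = dict(attrs)
            # A form with no action posts back to the current page.
            self.actions.append(attrs.get("action") or "")


def find_insecure_forms(html, page_url):
    """Return (resolved_action, reason) for every form that would send
    patient-entered data without TLS. Relative actions inherit the page scheme."""
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for action in collector.actions:
        target = urljoin(page_url, action)
        scheme = urlsplit(target).scheme.lower()
        if scheme != "https":
            findings.append((target, f"form submits over {scheme or 'unknown'} instead of https"))
    return findings


def check_transport_headers(headers):
    """Return a list of issues with the response headers that keep browsers
    on the encrypted site. Header names are compared case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    issues = []
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        issues.append("missing Strict-Transport-Security header (browsers may still load the http:// version)")
        return issues
    max_age = 0
    for part in hsts.split(";"):
        part = part.strip()
        if part.lower().startswith("max-age="):
            try:
                max_age = int(part.split("=", 1)[1])
            except ValueError:
                max_age = 0
    if max_age < ONE_YEAR_SECONDS:
        issues.append(f"Strict-Transport-Security max-age={max_age} is under one year")
    return issues


# Constructed sample page: an appointment form on HTTPS, a contact form that
# still posts to a plain-http host, and a newsletter form with a relative action.
SAMPLE_HTML = """
<html><body>
<form action="https://forms.example-practice.test/appointment" method="post">...</form>
<form action="http://legacy.example-practice.test/contact" method="post">...</form>
<form action="/newsletter" method="post">...</form>
</body></html>
"""

# Constructed response headers for the page above (HSTS lifetime is too short).
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=600",
}


def audit(html=SAMPLE_HTML, page_url="https://www.example-practice.test/contact", headers=SAMPLE_HEADERS):
    """Run both checks and return the combined list of (location, reason) findings."""
    form_findings = find_insecure_forms(html, page_url)
    header_findings = [("headers", issue) for issue in check_transport_headers(headers)]
    return form_findings + header_findings


if __name__ == "__main__":
    for location, reason in audit():
        print(f"{location}: {reason}")
```

Running the sample reports the legacy http contact form and the short HSTS lifetime; the relative newsletter form only passes because the page itself was served over https, which is why the page URL is an input rather than assumed.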

Social Media

Social media is particularly risky. You have to ensure that outgoing messages refrain from disclosing personal health information (PHI), but you may also have people reaching out with medical queries. The rule of thumb is to treat non-patients like patients and protect their PHI in the same way.

Keep public answers general. Avoid engaging in discourse about specific treatments, conditions or experiences and invite parties to call you. Keep in mind that personal identifiers go beyond a name and a face and can include a date, location, contact information or any other identifiable numbers or information. Keep personal accounts separate from office ones and ensure all staff are trained.

Email

General email marketing is not problematic but when a patient or potential patient emails your office, keep responses generic and invite them to call the office. Recommend that personal information not be disclosed via email.

Online Reviews

If a patient offers PHI in the public sphere, this doesn’t mean they consent to you confirming their status as a patient. If a patient reviews your practice online, do not confirm their patient status in your response. Nevertheless, it’s important to respond to reviews. In the case of a negative review, reply that your office takes customer satisfaction seriously and invite the reviewer to call the office.

Keep in mind that in the digital media age, correspondence is easy, public and in many cases permanent (meaning it can't be deleted or erased). It's also very easy for PHI to inadvertently be exposed. Make it an office policy to keep any specific correspondence to secure networks, phone or in-person communication. Lastly, encourage your staff to stop and ask if they are unsure about how to proceed.

Nancy Rausman

Nancy Rausman is managing editor at EyeCarePro, providing ECPs with educational content that helps them advance their practices through technology, management strategies and digital marketing. EyeCarePro is one of the leading providers of online marketing and practice improvement services in the optometric industry. Contact her at nancy@eyecarepro.net.
