Beware of the nuances of HIPAA compliance, especially when it comes to email, social media, and marketing practices.
HIPAA compliance is not just a question of following a few black-and-white rules. The HIPAA privacy rule was created to protect a patient’s privacy and identifiable information (from their name, to their contact information, to their reason for coming in, to diagnoses and test results, and more) as their personal information travels through the healthcare system.
Heather Jousma, of Innereactive Media, specializes in website and social media development. She offered her perspective on a few of the big-ticket issues that are part of the HIPAA-meets-online-use landscape.
RACHEL BOZEK: Why do you think it’s important for ECPs to be HIPAA compliant?
HEATHER JOUSMA: Other than the obvious reason of it being required by the law, practices should strive to be HIPAA compliant for the safety and happiness of their patients.
RACHEL: Regarding email communications, what is an example of an action that ECPs might not realize is a violation of HIPAA?
HEATHER: Even if the emails are staying internal within the practice, using an email source such as Hotmail, Yahoo, or AOL does not provide the level of security necessary to maintain HIPAA compliance. Few email providers offer this level of security through email, but one that does is Google Apps for Work.
RACHEL: On social media, Facebook in particular, what are some big ‘no-no’ items when it comes to HIPAA for ECPs?
HEATHER: Facebook, as well as other social media platforms, has made it more challenging for practices to stay HIPAA compliant. Even if a practice is not using social media for professional reasons, there is a good chance at least some of its staff goes on Facebook, or posts photos from within the office on Instagram. Unknowingly, these staff members could be breaking the HIPAA privacy rule by revealing a patient’s identity or personal information that may be shown on a document or screen that’s in a picture, and the practice could be held accountable for any damages suffered.
RACHEL: What are the repercussions of violations of this nature?
HEATHER: Repercussions for violating HIPAA compliance differ based on the purpose of the post and to whom the information was disclosed. For example, if a staff member were to post something about a patient on their personal page, which they thought was seemingly harmless and could not disclose the patient’s identity, but then the patient found out and was upset, this would be considered an unintentional violation and would be accompanied by a minimal fee. However, let’s say a patient leaves a bad review and, in a moment of fury, an office posts a very specific update calling out the patient’s name, contact information, or health information; this is considered a willfully negligent violation, and could come with a higher fee and the potential of jail time.
RACHEL: What do you suggest in terms of ways to ensure that staff are aware of and adhere to HIPAA compliance guidelines?
HEATHER: Educate the staff regularly. Most HIPAA violations occur because people are unaware they are breaking the rules. Doctors and technicians are more likely to be aware of HIPAA regulations than front desk staff, especially if the latter have never worked in a healthcare practice before. It is important to educate not only the staff, but also patients. When patients are granted access to areas where they could potentially see other patients’ information, practices should post a sign stating that no pictures are allowed in the area. This could prevent someone from accidentally capturing something in the background of a photo.
RACHEL: What do you suggest for people working or accessing patient info on personal devices?
HEATHER: My short answer is don’t do it.
Rachel Bozek is a freelance writer who includes the optical field as one of her areas of expertise.