This week on the Dr. Marketing Tips podcast, we ask Florida Healthcare Law Firm attorney Jacqueline A. Bain to answer HIPAA-related questions sent in by listeners.

Check out the full interview with Corey and Jackie in this extended episode. If you have a question not addressed here, DM us on Twitter @drmarketingtips and we’ll do our best to get it answered for you. 

Tune in to discover: 

  • When you should (and shouldn’t) respond to online reviews 
  • What’s OK to include in your practice newsletter to patients
  • How to avoid HIPAA mistakes with automated messages promoting follow-up procedures
  • What you can do to stay HIPAA-compliant with patient testimonials
  • What to do in the case of a data breach
  • How to remarket to patients without breaking any laws 
  • What happens when your docs won’t use HIPAA-compliant solutions to text PHI

Free Healthcare Awareness 2025 Calendar

Nearly every month of the year has a health holiday or observance, and there are also a number of awareness months that your patients and staff would love to know about. You also don’t want to miss chances to celebrate with your practice’s followers.
Transcript Notes

PA system: Dr marketing tips, paging Dr marketing tips. Dr marketing tips, you’re needed in the marketing department.

Intro/ExitVoice: Welcome to the Dr Marketing Tips podcast, your prescription to the answers you seek to grow your medical practice easier, better, and faster. This show is all about connecting practice administrators and medical marketing professionals with peers working in practices, learning from experiences, making mistakes, and sharing successes. Let’s get started.

Corey: Hello and welcome to the Dr Marketing Tips podcast. I’m Corey, one of your hosts for this crazy little labor of love that we’ve got here. And with me today is a very special guest. I’ve got Jacqueline, Jackie Bain of the Florida Healthcare Law Firm. So welcome Jackie.

Jackie: Hi, how are you?

Corey: Doing well, thank you. Happy to have you. So Jackie is part of a select group of Florida licensed attorneys, with both deep healthcare industry experience, and a certification in healthcare compliance by the Healthcare Compliance Association. Her background focus is on corporate transactions for healthcare providers and businesses. And she graduated from the state university of New York at Albany, and the state university of New York at Buffalo Law School. So for today’s episode we asked our loyal listeners, that’s you guys, to submit your questions regarding everything HIPAA. And we thought we would have Jackie answer. So with that said Jackie, are you ready to go?

Jackie: I’m ready. Hit me.

Corey: Good, all right. So Charlotte in Florida asks, “We were discussing the idea of sending a specific campaign to folks we know had a cosmetic procedure, and then following up with automated messages to try to get them to convert into doing another procedure. So is that a HIPAA violation, because we’re leveraging their health data to market a procedure?”

Jackie: So this is a pretty complicated question. True to lawyer style, I’m going to say, “maybe.” The answer really depends on the other procedure. If you’re trying to leverage them into a second procedure, is there a financial reason why you’re leveraging them to do that? For instance, if it’s a second procedure that includes Botox, is Botox giving you some financial incentive to do the second procedure? And if there is no financial incentive directly or indirectly, meaning you’re not benefiting from it financially, other than the patient paying for the procedure, then you are fine to follow up with an automated message to try to bring them back into wherever you’re treating them.

Jackie: The second part of that is following up with an automated message. And the answer as to whether or not that violates HIPAA really depends on where you’re leaving that automated message. If you’re going to be leaving it on a voicemail, you’re probably okay under HIPAA. But if you’re going to be leaving it on something like a public answering machine, it might not be necessarily something that the patient wants her husband to know about, or her father to know about, or anything like that. So you have to use your common sense when you’re leaving messages, especially if they’re automated messages, because it sounds a whole lot like there isn’t a whole lot of thought going on as to how the patient will be affected by the automated message.

Jackie: I would say follow up with someone who’s a person on the phone, and is able to chat with the patient, in order to see if that procedure is something he or she would like to do. If you leave an automated message, you just don’t know who that message is going to. And if that message says something like, “Hey you loved your first procedure, and we are offering a second procedure that’s somewhat related to your first procedure,” then that could be viewed as a potential violation of HIPAA. But again, it really focuses down on whether or not your common sense would tell you if something’s a HIPAA violation.

Corey: I hear ya. And just out of curiosity, so we were talking about automated phone messages there. Would the same thing apply to email?

Jackie: Yeah, so email is not a safe form of communication under HIPAA. If you’re going to be emailing your current patients because of something that they’ve had done in the past, that’s a form of communication that has to be encrypted from end-to-end communication under HIPAA. So that means that only the person sending and the person receiving understand what they’re seeing.

Corey: Gotcha okay, very cool. Okay, so hopefully that’ll help Charlotte there. So let’s see. Denise in Florida as well. She says, “What types of messages are acceptable to send in monthly email newsletters?” Oh, there’s email right there. Is just sending an email newsletter by itself a HIPAA violation?

Jackie: So sending an email newsletter by itself is not normally a HIPAA violation. The only way it could be a HIPAA violation is again, if you’re receiving any sort of financial remuneration, anything at all in return for you sending that email out. So you’ve got someone sponsoring your email, or something like that. If you’ve got someone giving you something of value in order to be on the email. So if it’s a local business who says, “Hey if I can raise something for your email newsletter, I will give you something, money off your next car wash.” or something like that.

Jackie: So, and it’s not to say you can’t market it under HIPAA. If you choose to do it, and you’re receiving anything that is of value while you’re marketing, your patients have to have given you consent in order to receive that communication. So most times people put it not only in… It’s got to be in your notice of privacy practices that you give your patients when they first come into your office. But generally there’s another document that your patients should sign saying, “I’m okay with marketing.” If you have that signed document for every patient who receives your email newsletter, then you can go ahead and receive financial incentives in order for sending out the newsletter. But until you have that document signed, if you’re receiving anything of value in return for a placement in the email newsletter, then you need to have the documents signed.

Corey: So what I’m hearing is if you’re doing a practice newsletter in any way, if you’re just announcing a new location, maybe you wrote a new blog post for the website, that’s totally fine?

Jackie: Totally fine. Now one more thing, no patient information in the newsletter, unless that patient has given you consent to be featured.

Corey: Of course yeah, perfect. Okay, let’s go to Matthew in Georgia. He said, “We’ve been doing patient testimonials, and having them sign a video waiver,” but he wants to know if that’s enough. So he asked, “By signing this waiver for the video, does that also give us permission to include the image studies, and chart information, and everything associated with that case if deemed necessary,” or the patient testimonial he’s working on?

Jackie: So the answer to that is probably not. Having a patient sign a testimonial and a video waiver doesn’t necessarily mean that the patient understands that their entire chart might be visible, or portions of their chart might be visible to the public who’s on the receiving end of that video. In an ideal world, your video waiver would have something along the lines of, “And you can use my entire medical record as a backup to this video testimonial.”

Jackie: I always caution against testimonials where the healthcare provider asks the patient to participate, because being a healthcare provider puts you in a unique position to have an influence over your patients. And using that influence in order to promote your business is not something that is viewed kindly by regulators, HIPAA, and state regulators in general.

Jackie: What I like to say to people who want to use patient testimonials, is to have a sign or something like that in your waiting room that says, “We love patient testimonials. If you’re interested, please approach us and ask.” So that way the patient has the option of asking to participate, or not, rather than being in an uncomfortable situation where somebody asks them to participate, and them having to say yes or no.

Corey: And if they’re volunteering, I would imagine that they are more than willing to share whatever information that they have.

Jackie: That’s true. Yeah, I think for them to say, “Yeah, you can go ahead and use my face, and my likeness, but I don’t want you sharing my [crosstalk] is not necessarily something that they would want, that you would want. But I think you have to walk that thin line as carefully as you can [inaudible] need for patients [inaudible] promote your business.

Corey: Yeah, absolutely. All right, so let’s stay on the video release topic. And we’ve got a question here from Maureen. And she says, “Following a video or photo shoot with a patient, how long do I actually need to keep the releases?”

Jackie: I would keep the releases for as long as you’re using the video. You want to make sure that you have the backup in place if somebody comes back and says, “I didn’t want that. I didn’t want whatever you’re using.” You can say, “Well you signed the release.” And you have it on hand. Releases aren’t, they don’t take up a lot of memory in your computer files. So I would keep them for at least as long as you’re using the video, and probably for a couple of years afterward, just in case you’re approached, and you can show that you’re protected.

Corey: Great. Great. And this one comes from Debbie in Florida. She says, “Do data breaches count as HIPAA violations?”

Jackie: Absolutely. If you believe that somebody has been in your files, and you did not give them permission, or that it’s not necessary for their job for them to be in your files, that would likely be counted as a HIPAA breach by the Office for Civil Rights, which is a division of Health and Human Services.

Corey: So in addition to the fact that you had this data breach, and you’ve got to track that down, it only gets worse because of the HIPAA violation.

Jackie: That’s true. It only gets worse. And just so everybody is aware, most states also have a mini HIPAA, or a state version of HIPAA. Here in Florida it’s called the Florida Information Protection Act. So you not only have to report to OCR if you’ve got a data breach or a HIPAA violation, you also need to report to wherever your state tells you to report as well. And often the state timelines are a lot tighter than the federal timelines. So you want to be sure as soon as you recognize you have a breach, you want to get legal help involved to determine exactly who you need to report to, and how you need to report.

Corey: So in other words, good luck and Godspeed.

Jackie: Yeah, it’s a lot, and it can be really overwhelming, but there are consultants and attorneys out there to help you through it. You don’t have to go through it alone. Data breaches are happening with increasing frequency, and you want to make sure that you are on top of your obligations. You should have a policy and a procedure in place of how you deal with the data breach. It’s actually required under HIPAA, so you want to make sure that you know exactly who you contact, when you contact them, and what happens next once a data breach happens in your business.

Corey: Hey guys, Corey here, cohost of the Dr Marketing Tips podcast, and I wanted to interrupt this episode just for a minute to tell you about Insight Training Solutions. So Insight Training Solutions is an ongoing employee engagement and training platform for your medical practice, meaning employees can log on and take these medical practice specific trainings whenever and wherever they are. And each training is meant to increase employee engagement, improve practice reputation, and develop some patient service mindsets. If we’re being honest, something that we all know some of the employees may lack, not calling anybody out by name.

Corey: But one of the cool things about Insight Training Solutions is they’re always developing new content. And they just released 10 steps to a phenomenal patient experience, where you’ll learn how to create a phenomenal patient experience, strengthen job security, and discover customer service secrets for your entire team.

Corey: So this course is in addition to the other ones they already have, which include communication across generations, and how to understand today’s multigenerational workforce, and how to develop overall patient experience. This is another course, the new approach to customer service. We’ve also got eight ways to wow patients.

Corey: And you can sign up for a free trial to see what everything is about at InsightTrainingSolutions.io. That’s InsightTrainingSolutions.io, or just Google Insight Training Solutions. You’ll be glad you did.

Corey: So for this next question, I thought this was funny. It was actually, I don’t remember what the email was, but there was no name associated with it. And it’s funny how they worded the response here, you’ll hear it. “So hypothetically, if I didn’t have a HIPAA compliant business associate agreement with a vendor when they started, but I got one signed six months later, are we okay? And also, does the vendor share any of the blame, or does it fall all on us?”

Jackie: Okay so hypothetically, if you do not have a business associate agreement with someone, and you later put one in place, the business associate agreement is generally effective from the date that you sign it. So the date that you sign it, you’re okay. Prior to it, it’s questionable. And it’s hard for me to tell you if you’re okay or not, because I know what your vendor was doing with that information that you were giving them access to while you were not under a business associate agreement with them.

Jackie: You definitely want to ask them for assurances of some kind in writing, that they were treating your protected health information, or your business’s protected health information, with the due care and process that they needed to, had you had a business associate agreement in place the whole time.

Jackie: The vendor does share blame. Actually in 2013 HIPAA was updated, so that business associates take just as much of the blame as covered entities do, or healthcare providers do under HIPAA. So there is blame on both sides to be laid there. But most importantly for your business, you want to make sure you have an assurance in writing that your vendor was proper with the information before you had the business associate agreement in place.

Corey: So hypothetically, anonymous might be in trouble it sounds like?

Jackie: Hypothetically, anonymous, you’re probably going to want to talk to somebody about getting something in writing. Yeah.

Corey: All right so moving on, Dan from Texas says, “My doc sometimes texts PHI back and forth on their phones. I know that’s a HIPAA violation, but how can I get them to stop? Any advice there?”

Jackie: So this is something that we run across all the time, of doctors, they know about HIPAA, they know enough to be scared about HIPAA, but when it comes down to practice, it’s just easier for them to text around images, or anything like that, so that the patients are treated a little faster. The only way you can get them to stop is by putting a policy in place, and disciplining them for continuing to violate that policy. Whether that means you’re holding up pay, or you’re putting the notes to file.

Jackie: Repeated violations of HIPAA actually increase your sanctions. If OCR ever comes in and says, “Hey you’ve reported a breach, or somebody complained about a breach, let us look through everything else that’s ever happened in your business.” And you’re able to show that you knew your doctors were texting back and forth and did nothing about it. It actually increases your level of culpability, which increases your potential penalties under HIPAA.

Jackie: So you get them to stop by scaring them to stop. And then the other thing is a lot of software is out there now, apps and things like that, that allow for HIPAA compliant text messaging. It’s a little bit more onerous than the text messaging you have on your regular cell phone, but it’s an easy way for physicians, and nurse practitioners, and PAs to text photos and things like that around without actually violating HIPAA.

Corey: And definitely worth the investment there.

Jackie: Definitely. But people see the fines for HIPAA, they’re huge. And they are absolutely, they will put a physician practice out of business, especially if your level of culpability is increased, because you didn’t actually do what you needed to do under HIPAA the whole time.

Jackie: So you want to make sure that you’re on top of it, and your doctors understand that this isn’t a game. Treating patients is obviously their first priority, but the second priority is safeguarding the information that their patients choose to give them as a full picture. A patient always wants to give a full picture of their health to their physicians in order to get the best treatment. And if they don’t feel comfortable doing that, because they’re afraid it’s going to get out, because the doctor’s not safeguarding it appropriately, it really interferes with the doctor patient relationship.

Corey: Yeah, absolutely. All right, so Lauren here in South Carolina, she says, “Sometimes our therapists will pose with patients once they’ve completed all their rehab, so we can post that story on social media. The patients consent, but we don’t have photo releases for everyone. So should we delete the ones we don’t have signed consent for, even though the patient agreed, was happy, and is no longer in our care? Some of those are years old.”

Jackie: Yes, yes you should. A patient’s consent can be given orally. The problem with oral consent is there’s no record of it. So if the patient does come back and say, “Why are you still using my photo? My life circumstances have changed. I was really happy when I gave you that oral consent, but now I’m not happy. I want you to take it down. I can’t believe that people in my community might’ve seen that.” You want to make sure that you’ve got the written consents in place.

Corey: Okay, yeah absolutely. That totally makes sense. All right, so Patty in Louisiana says, “I recently heard some staff gossiping about a patient within earshot of other patients. I don’t think they used her name, but is this a HIPAA violation if someone can put two and two together?”

Jackie: Yes, it is. You want to absolutely make sure that your staff understands again, that they are dealing with patients who are dealing with real life. So if you’re in a small town, and you’re using patient names, full names within earshot of other patients, you are absolutely putting yourself at risk of a complaint to OCR.

Corey: Alrighty, and then the last question that we’ve got here, this is from Ashley in Florida, and she says, “We’re running a digital remarketing ad that advertises our fertility practice. Is that a HIPAA violation?” And for those of you listening that don’t know, a remarketing campaign is basically following someone who’s visited your website, but they didn’t complete a goal. So for example, if you wanted appointment requests or phone calls to count as a goal, someone goes to your website, they don’t do one of those things. You can track them with a pixel, and then give them an ad. You’re probably familiar with that. If you’ve been to Amazon, you maybe looked at a pair of shoes, and then did not buy the shoes, and they follow you around everywhere. So Ashley’s asking is this okay to do for her fertility practice?

Jackie: Yeah, that’s totally fine. The patient hasn’t established a physician patient relationship with you at that point, so there’s no requirement for you to safeguard their data.

Corey: Okay, perfect, perfect. Okay, so we’re just about out of time for today’s episode. Jackie, if our listeners want to connect with you, how should they go about doing that?

Jackie: Sure, so my law firm is located in Delray Beach, but we service clients all over the United States. You can call us. It’s (561) 455-7700, or our website is www.FloridaHealthcareLawFirm.com.

Corey: Awesome. Well thank you again for joining us today, and I think we really learned a lot.

Jackie: Great, I’m so happy to help.

Corey: All right, so that’ll do it for now. Thanks again for everyone who submitted a question, and took the time to tune into this episode of the Dr Marketing Tips podcast. And we’ll catch you in the next one.

Intro/ExitVoice: Thanks for listening to the DrMarketingTips.com podcast. If there’s anything from today’s show you want to learn more about, check out DrMarketingTips.com for our podcast resource center, with all the notes, links, and goodies we mentioned during the show.

Intro/ExitVoice: If you’re not already a subscriber to our show, please consider pressing the subscribe button on your podcast player, so you never miss one of our future episodes. And if you haven’t given us a rating or review yet on iTunes, please find a spare minute and help us reach and educate even more of our medical practice peers. Thanks again for listening, and we’ll catch you next time. Doctor’s orders.