Maintaining compliance with HIPAA, TCPA, the FTC, and the host of other regulatory boards is complicated. An inadvertent error can result in massive fines, but there is much to be gained from a smart online strategy if you avoid the minefield of potential violations. For the next five weeks, we’re breaking down five marketing landmines that put HIPAA and regulatory compliance at risk. Each article will cover one of the five landmines, and each will conclude with an opportunity for readers to download a white paper that explains all five landmines in greater detail. Our goal is to help you ask the right questions about your practice, and to ask your vendors the right questions. If they get HIPAA wrong, you will be the person who burns. Let’s get started.
If you work with a third-party vendor (also known as a Third Party Administrator or Business Associate) to capture reviews for posting online, HIPAA applies. With the potential for steep consequences, covered entities should be vigilant about third-party business agreements. This means the vendor should be a formal HIPAA Business Associate, with signed documentation acknowledging this, and it must securely store and transmit Protected Health Information (PHI). We already know random HIPAA audits are here. Do NOT take shortcuts.
If the vendor is not a HIPAA Business Associate and you provide PHI to this vendor, you need a valid HIPAA-compliant authorization from each patient to disclose Protected Health Information to this vendor. Even if a vendor IS a HIPAA Business Associate, it will still need a valid HIPAA-compliant authorization if it discloses PHI to the public – a patient review, for example. Make sure your Business Associate Agreement indemnifies you if the vendor creates a HIPAA problem.
Consider this real-life example…
A plastic surgeon took before-and-after pictures of his patient. The patient gave written authorization to use these photos on his website. The patient’s only restrictions: her eyes must be covered with a black stripe, and her name must not be revealed. The surgeon’s vendor had software to make these changes before upload. While the doctor’s website (also managed by the vendor) honored these requests, Google indexed the full set of pictures, exposing the patient’s full face and her name. Both were revealed in a search of the patient’s name. Perhaps the vendor’s software was inadequate. The practice had properly engaged the vendor with a formal HIPAA Business Associate Agreement obligating it to appropriately safeguard protected health information as required by HIPAA and HITECH. The agreement also indemnified the surgeon for any legal or regulatory fallout.