Updated October 25, 2018
It’s been 22 years since the Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress. So you’d think all healthcare companies would all be pros navigating the intricacies of the law by now, right? Not quite – since the compliance date of the Privacy Rule in 2003, the Office for Civil Rights (OCR) has received over 186,453 HIPAA complaints and has initiated over 905 compliance reviews. And many of these violations of HIPAA marketing rules are not intentional.
The stakes are high for companies that aren’t clear on the rules. So far in 2018, healthcare companies have already paid as much as $4.3 million in penalties. From impermissible uses of health information to lack of safeguards for protecting health information, medical companies need to get this right.
In the fast-paced world of social media, understanding HIPAA marketing rules is even more important. “I didn’t know” or “I didn’t mean to” doesn’t hold up well to the scrutiny of prosecutors. Make sure you’re prepared by discovering how to avoid these 8 common HIPAA violations in your healthcare company.
We Increased Leads for a Plastic Surgeon by 335% In 90 Days. Want to Know How We Did It? Download Our Free Case Study Now!
8 Surprising Ways You Violated HIPAA Marketing Rules Today
1. You’re using “Opt-In” email encryption.
Healthcare businesses like the ease of using “opt-in” email encryption because it allows for email-as-usual if the sender so desires or HIPAA-compliant encryption when selected. There’s the caveat: when selected. There is some margin of human error involved in the system. Say an employee begins writing an email, steps out for a cup of coffee, returns, and hits “send” without thinking — or explicitly encrypting (by checking a box or entering a code word like “secure” in the subject line). That employee has just violated HIPAA, and there are no “take backs.”
The Fix: Get a HIPAA-compliant email provider who has signed a Business Associate Agreement with your company. Encrypt everything sent from email addresses that send or receive electronic personal health information. Or employ an opt-out mechanism instead.
2. You’re using your smartphone for business.
It’s not uncommon to text other people in your practice about patient scheduling. For instance, you may leave your office and get a text from a nurse that your patient (name and contact number included) had a reaction to a medication you prescribed. Sending or receiving this text passes through multiple points of possible interception and is a violation of the law. Even texting something as seemingly innocuous as a patient’s appointment time is a violation of HIPAA.
The Fix: Use a HIPAA-compliant SecureChat app for your mobile device for strong encryption, audit trails, proper archiving, and the necessary Business Associate Agreement required for compliance.
3. You snapped a photo or video of a patient on your smartphone without permission.
Out of the millions of violations of HIPAA marketing rules, there have only been a handful of cases that involved workers willfully taking humiliating or degrading photos or videos of patients to post on social media. More often than not, medical professionals take photos to share with colleagues to receive a second opinion on a condition or to share a status update for conditions like infections that need to be monitored from day to day. In other cases, you may snap a photo of your patient with consent but unknowingly violate HIPAA when sharing it online.
The Fix: Use apps like DocbookMD that allow photos to be taken within a secured app — without any data stored on your phone or accessible without the necessary passcodes and agreements. Never post identifiable pictures of patients or hospital facilities on social media, regardless of the intent.
4. You let your child play with your smartphone.
These days, many young children borrow their parents’ phones to play games. However, if your phone contains an app that can access personal health information records, then you are putting yourself at risk for a HIPAA breach if this information is seen or sent unintentionally.
The Fix: Use the pin-lock feature on your messaging app, password-protect your phone…and get your kid a tablet for playing games!
5. Your web intake forms aren’t secure.
Who wants to sift through endless amounts of paperwork or enter data manually, when they can access electronic information filled out by the patients themselves? Web intake forms are a very efficient way to collect information and there are endless programs that can help you create such forms — but (you guessed it!) not all are HIPAA-compliant.
The Fix: Work with a dedicated HIPAA compliance solution to meet your web intake needs. Update your website form pages with Transport Layer Security to ensure the protection of sensitive data.
6. There are shared logins in your system.
A common, yet sloppy, move involves having shared logins or email addresses for a particular health information system. However, HIPAA requires every person within an organization to have a unique login and password. Regular audits are necessary to track employee logins and uses of the system for full accountability.
The Fix: Don’t be lazy. Assign unique logins and highly secure passwords.
7. You took the “set it and forget it” approach to HIPAA.
We find many healthcare organizations initially took great strides to get into compliance with HIPAA when the law first came out in 1996. Then they sat back and forgot about it. Every new employee was not necessarily trained in HIPAA compliance, nor were people trained on how to spot and report breaches. New modifications to HIPAA are being added all the time, so you need to be current on your understanding of the law — something a marketing agency can help you with!
The Fix: Train your employees how to be HIPAA compliant. Conduct annual risk assessments. Put policies into place that ensure regular HIPAA reviews and the minimization of data leaks.
8. Your smartphone or tablet was lost or stolen.
The size and portability of mobile devices makes them an ideal target for theft, not to mention an easy item to lose in the hustle and shuffle of a busy life. Lost or stolen computers have led to millions of breached records over the years.
The Fix: Keep better inventory of mobile devices used by staff. Keep mobile technology stored in lockers. Install radio frequency ID tags on portable devices. Report theft or loss immediately.
The Bottom Line:
HIPAA compliance is not easy. It’s also not cheap. Though the government would like you to believe it’ll only cost your organization $1,000 or so to remain compliant, most small healthcare companies are spending $4,000 – $12,000 on technology, training, and solutions to ensure they’re following all of the various HIPAA marketing rules. And bigger companies can spend anywhere from $50,000 – $100,000 on HIPAA compliance.
That’s why working with a marketing agency that specializes in healthcare companies, like Mod Girl Marketing, can help you ensure you’re staying compliant and add another layer of protection from the millions of dollars you could face in fines for a data breach — not to mention the tarnish of your good reputation and rapport with your patients! Contact us today to find out how we can help your healthcare company expand your online presence without violating HIPAA.