HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Keeping Your Online Medical Marketing HIPAA-Compliant

Medical marketing is at least three years behind any other industry for two reasons: First, HIPAA laws determine how patient information is gathered, stored and used. Second, the FDA imposes regulations on how medical practices can market their products and services.

Each day, millions of Americans search for health information online. Because online search is a major part of healthcare consumers’ decision-making, there is a risk that their protected health information (PHI) could be accidentally exposed by a medical facility, causing a HIPAA violation.

As a medical practitioner, it is your responsibility to ensure that any protected health information (PHI) you are collecting for your patients is safe and protected. Technological advancements can certainly add more efficiency to routine operations, but new technologies may bring new concerns with HIPAA compliance.

HIPAA compliance is one of the biggest concerns for medical practitioners, and for a good reason: Privacy violations can result in severe consequences, including hefty penalties and even jail time. To make matters more complicated, the HIPAA law is vague on what actions medical practices must take to make their digital marketing efforts HIPAA-compliant.

So, what best practices can you follow to keep your online marketing efforts HIPAA-compliant?

HIPAA compliance and digital marketing

Online marketing is vital for the growth of medical practices, as many patients turn to online sources to learn more about symptoms and treatment options and to search for nearby medical practices. Most medical practices have a website, and many use email marketing and social media to reach out to the target audience. Security is the biggest concern in these media. The following guidelines will help you stay HIPAA-compliant.

1. A HIPAA-compliant website: If you want potential patients to find your practice online, it is critical for you to have an active online presence. However, HIPAA laws are a concern. While it can be challenging to have a HIPAA-compliant website, it is not impossible. However, you must ensure your practice website has these elements to comply with HIPAA laws:

  • Patient data must be encrypted: Patient-related information submitted through contact forms, appointment request forms and online check-in forms is at risk and must be encrypted. You can protect this information in transit by installing an SSL/TLS certificate so that your website is served over HTTPS. Encryption in transit with SSL/TLS satisfies HIPAA’s data encryption requirements and keeps private patient information safe.
  • Store data on a HIPAA-compliant server: Your server should have antivirus software, offsite backup, a firewall and OS patch management in order to stay HIPAA-compliant. Also, make sure data is encrypted at rest when you store it on the server.
  • Use a secure network to transmit HIPAA-protected information: You should never send HIPAA-protected information through an unencrypted network to an insecure email account. If you want to send or receive HIPAA-protected information by email, it must be encrypted end-to-end. A good alternative is to store private information on your HIPAA-compliant server and set up email alerts that notify you whenever new data is submitted, so that the PHI itself never travels by email.
  • Properly dispose of patient-related information: Practices are legally required to retain patient records for a particular period. When you finally dispose of private information, it is recommended to delete all backups, archives and history stored on your server as well.
  • Regularly update the privacy policy on your practice website: The privacy policy posted on your website must be updated whenever your practice’s privacy practices change, so that what you publish always matches what you actually do and you stay HIPAA-compliant.

2. HIPAA-compliant email marketing: It is important to design an email marketing strategy that will keep your practice on the right side of HIPAA compliance. Follow these basic tips:

  • An email containing PHI must be encrypted: Even basic information as simple as a name and email address of a patient can be considered PHI. So the best practice is to encrypt all professional emails. You can either choose to manually encrypt each professional email before sending it out or use a HIPAA-compliant automated service.
  • Make sure email marketing services are HIPAA-compliant: Just because you are paying for a service, do not make the mistake of assuming it is HIPAA-compliant. In fact, many email marketing services are designed for corporate use. When choosing an email marketing service, ensure that it offers HIPAA-compliant emails.
  • Never send email communication to patients who did not request it: Most practices ask for patients’ email addresses on their sign-in forms. However, unless the patient has indicated that he or she wishes to receive emails from your practice, you should avoid sending any email. You can simplify this process by adding a question about the patient’s communication preferences on your sign-in forms. However, even when the patient requests email communication, you must ensure appropriate safety measures.
  • Inform patients about the potential risks of email communication: Despite taking all security measures on your end, there is a good chance that your patients’ email services are not secure enough to prevent potential breaches. It is important that your patients understand this risk before agreeing to email communication with your practice.

3. HIPAA-compliant social media marketing: Social media can be a great way for practices to reach out to potential and current patients. However, staying HIPAA-compliant is a major concern. A slip-up will not only make your practice look bad, but it can also put you in trouble with the law. With some effort and knowledge, your practice can be active on social media without violating HIPAA. Follow these guidelines:

  • Stay up-to-date: Laws may change, so it is sage advice to regularly check for updates and make sure your social media efforts are in line with the current laws. You can look up the U.S. Department of Health and Human Services website for the most up-to-date information.
  • Create a social media policy for your practice: A social media policy lets your employees know what may be posted and what may not. In your social media policy, you can also establish roles and responsibilities for the staff members who will be posting on your practice’s behalf.
  • Never include any identifiers in posts: With so much information available online, even an insignificant detail could help users identify your patient. Basic details such as date, time and location can give away a patient’s identity. When posting on social media, you must make sure to remove the following identifiers:
    • Name
    • Location
    • Dates
    • Contact numbers
    • E-mail addresses
    • Social security numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle serial numbers and license plate numbers
    • Device identifiers and serial numbers
    • URLs
    • IP address numbers
    • Biometric identifiers such as finger and voice prints
    • Full-face photographs
    • Other unique identifying numbers, characteristics or codes
  • Keep separate social media profiles for personal and professional use: Even if you are an individual physician, you should have a separate personal profile for discussing anything outside of healthcare. The same goes for your employees. Your employees should be instructed not to accept a friend request from a patient as that could lead to conversations that may violate HIPAA guidelines.
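The identifier list above can be turned into a pre-publication check for draft posts. The following is an added example (not code from the original article or from Practice Builders) that flags and redacts the machine-detectable categories on that list; the draft post, the regexes and the `MRN` label format are constructed assumptions, and names, locations, photos and biometrics still need a human reviewer.

```python
import re

# Regexes for the categories on the identifier list that a pattern can see.
# Names, locations, photos and biometrics are not detectable this way and
# must be reviewed by a person before the post goes out.
IDENTIFIER_PATTERNS = {
    "date": re.compile(r"\b\d{1,2}[/-]\d{1,2}[/-]\d{2,4}\b"),
    "contact number": re.compile(r"\(?\b\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Assumed chart-reference format; adapt to how your practice labels MRNs.
    "medical record number": re.compile(r"\bMRN\s*#?\s*\d+\b", re.IGNORECASE),
    "URL": re.compile(r"\bhttps?://\S+|\bwww\.\S+"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def find_identifiers(text):
    """Return (category, matched text) pairs for every identifier in a draft."""
    hits = []
    for category, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    return hits

def redact(text):
    """Replace each detected identifier with a bracketed category label."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub("[" + category.upper() + "]", text)
    return text

def is_safe_to_post(text):
    """True only when no pattern-detectable identifier remains in the draft."""
    return not find_identifiers(text)

# Constructed draft post; every value below is made up for this example.
DRAFT_POST = (
    "Great outcome today! Our patient came in on 03/14/2024 for a knee "
    "replacement. Follow-up scheduled; call 555-123-4567 or email "
    "jane.doe@example.com. Chart ref MRN 48213, submitted from "
    "192.168.1.25 via https://portal.example.com/visit"
)

if __name__ == "__main__":
    for category, value in find_identifiers(DRAFT_POST):
        print(f"{category}: {value}")
    print(redact(DRAFT_POST))
```

A draft that passes `is_safe_to_post` has only cleared the automated part of the list; the remaining categories are a human sign-off step in the social media policy.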

Staff training: An integral part of HIPAA compliance

According to industry reports, of the 268 breach incidents reported to the Department of Health and Human Services in 2015, nearly 73 percent of the incidents occurred at providers’ sites. While network security at the providers’ sites is a vital concern, the vast majority of incidents have more human causes.

Nearly four of every five breach incidents at the providers’ sites have nothing to do with server-network hacking. They are mistakes rooted in human behavior. These events could have been prevented by staff, had they been trained on HIPAA laws.

The most basic requirement of HIPAA is training. The law requires appropriate training for every employee on his or her responsibilities to protect patient information. Training should aim at engaging employees through case studies of actual breaches. Training programs should include real-life exercises in which staff members are presented situations and choices that have led others into privacy breaches. During the training sessions, decisions should be discussed, situations should be simulated, new and more efficient processes should be established, and a sense of responsibility should be fostered.

Even with safety measures in place to protect your patients’ private information, it is still possible for a violation to occur if employees are not informed. You should provide HIPAA compliance training to employees when they start working at your practice. This training should include information about the HIPAA privacy rules, violations and monitoring patient record requests.

In order for your medical practice to be HIPAA-compliant, each staff member must be HIPAA-compliant. It is your responsibility to educate, inform and train your employees on HIPAA regulations and the consequences of non-compliance.

At Practice Builders, our team of online marketing and HIPAA-compliance experts will work closely with you to ensure an optimum patient experience. Through content marketing, HIPAA-compliant emails, social media and strategic SEO, we help you grow your medical practice while you focus on providing top-notch care for your patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Multi-Line Agencies and Privacy Requirements

It’s important to train all staff in a multi-line agency on HIPAA Compliance

There is a great deal of crossover within a multi-line agency. Cross-selling group or individual health insurance and other benefits between personal lines and key commercial lines clients has been one of the best ways to preserve a long-term relationship. To do this well, there is going to be some exchange of often confidential information between different teams. Plus, the reality that there is often little to no physical or electronic separation between team members means that you need to have your bases completely covered in case of an unintentional breach. Simply said: it is very important that all parties are properly trained on these regulations, which is one of many reasons a multi-line agency will often require all staff to be trained on HIPAA.

Protecting PHI, NPPI and PII

Across your agency, you may have multiple agents that will have access to or come in contact with Protected Health Information (PHI), Non-Public Personal Information (NPPI) and Personally Identifiable Information (PII). In our experience, agents handling long-term care, vision, Medicare, dental and health insurances are reluctant to refer clients to agents who sell life, auto, home, commercial liability, 401(k), and Workers’ Comp if these agents are not properly trained on their responsibilities to safeguard clients’ Protected Health Information (PHI).

Gramm-Leach-Bliley (GLB) is an entirely separate federal law (from HIPAA) that dictates what insurance agents can do with personally identifiable information collected from or about consumers, or resulting from a transaction with consumers. This is commonly called Non-Public Personal Information (NPPI). Insurance agents are prohibited from disclosing NPPI as defined in GLB to nonaffiliated third parties without notifying the client or providing an opportunity for the client to opt out.

Non-health related insurances are considered financial products and are regulated by the privacy and security obligations of GLB. Many of these privacy and security concerns overlap when it comes to PHI, NPPI and PII. Everyone within your agency, whether they are working on health insurance or not, has to understand and appreciate the need for privacy of all the client information you handle.

For those of you selling products in the Federal Marketplaces (FFM), there are major concerns when it comes to privacy. Personally Identifiable Information (PII) is defined as information that can be used to distinguish or trace an individual’s identity. Information qualifies as PII in the Marketplaces when used alone or combined with other personal or identifying information that is linked or linkable to a specific individual. A name, date and place of birth, mother’s maiden name, an IP address and biometric records are all examples of PII. This is the broadest definition of individual information to date, and it is important to remember that it is not limited to health information: PII includes financial information as well.

Marketing Guidelines

Marketing means that an agent encourages individuals to use a product or service. HIPAA, GLB and ACA have very different marketing guidelines. Under HIPAA, agents may use an individual’s PHI for marketing purposes only in face-to-face meetings and to identify clients to whom they want to give promotional gifts of nominal value. The agent may use PHI to market or handle issues related to the health insurance product itself, including marketing to different carriers. For any other uses of PHI, the agent must receive prior written authorization from the client.

GLB marketing guidelines allow an agency to shop for the best price on life insurance or other coverages with a variety of carriers, with a proper agreement in place, and a Notice of Privacy Practices given to the client. An agency is able to take NPPI and disclose it to third parties without additional authorizations.

According to Marketplace rules, you are prohibited from cross-marketing to a SHOP client, even if you have written permission from the client to market or you are in a face-to-face meeting. This is an important distinction from HIPAA, under which you can cross-market in face-to-face meetings or if you have a signed authorization from the client. You could be fined or prohibited from selling into the SHOP or FFM if you are found to be in violation of these cross-marketing rules. It is permissible to leave a list of other services and tell the client to call if they are interested.

HIPAA, GLB and ACA require you to protect personal information about your clients, adopt policies and procedures, provide privacy notices to your clients on a yearly basis, and ensure your staff understands their responsibilities. Most of these requirements for HIPAA, GLB and the ACA can be fulfilled with the same set of documents, which are part of the Total HIPAA compliance documents and training.

Smart multi-line agencies will take advantage of meeting federal requirements with one combined effort. Meeting these compliance requirements gives your organization a good reputation because it is clear you’re dedicated to taking all the steps possible in order to protect your clients’ information.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr
