What Does HIPAA-Compliant Internet Marketing Look Like?
Jonathan Fashbaugh, Pro Impressions Marketing Group
Posted on September 22, 2014
Over the past couple of years, legislation designed under the auspices of protecting patient privacy has made nearly every aspect of patient communication more difficult—at least if your practice has made an effort to stay compliant with the new HIPAA/HITECH regulations. When it comes to Internet marketing, HIPAA compliance is a nuisance, but it’s also the area where many dental practices are most exposed to a potential HIPAA privacy breach.
Why Should I Care?
Why did I choose HIPAA compliance as the first Internet marketing blog post on the new Inside Dentistry blog? It's certainly not because it’s the most exciting or most lucrative development for dental practices. I chose it because it’s an issue that many dentists are still a bit perplexed by, and when it comes to Internet marketing, most practices aren't aware that their website could be a patient privacy liability.
If your office is investing money in marketing on the Internet, your website should be receiving emails from prospective patients. That alone can pose a major HIPAA compliance problem, but the storage of those email leads, as well as any online patient forms, poses additional risks.
These risks mean that, should a leak of protected health information occur, your practice would have to send out notifications and deal with the potential legal fallout, not to mention fines from the Health and Human Services Office for Civil Rights.
I’m not a lawyer, so I can’t comment on the specifics of what that liability could amount to, but none of that sounds like fun.
What Do I Have to Do to be Compliant?
Wouldn’t it be nice if someone would lay out exactly what you need to do to make your dental practice HIPAA-compliant? Or better yet, wouldn't it be great if someone had a company that did it all for you and made your office compliant, guaranteed! Sorry, there is no such thing. There are two main reasons you won’t find someone who will guarantee HIPAA compliance for your practice.
1. The regulations are vague and open to interpretation.
2. Compliance relies on behavior—not just hardware.
The HIPAA rules are fairly specific about the dire consequences that can fall upon an organization that discloses patient information without the patient's consent, whether the organization does so willfully or not, but they are fairly vague about how far an organization such as a dental practice must go to prevent such a leak.
The Health and Human Services website states:
"Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients’ privacy."
So, what reasonable safeguard is appropriate for your dental practice? How much money should you invest to prevent a hypothetical breach that may never come? No one will say for sure, yours truly included.
What I will say is that this is what I think a HIPAA-compliant dental Internet marketing campaign might look like.
What Is a HIPAA-Compliant Website?
If you truly wanted to prevent any chance of your website ever causing a HIPAA breach for your practice, all you would have to do is remove any means of a patient ever contacting you through it. Of course, this would also prevent prospective patients from contacting you via the website too.
The point is, the information on your website and the way it is presented has no bearing on the HIPAA compliance of your website. The only thing that matters is how it handles information that is passed through it, because that information could be deemed to be of a protected nature.
How Does HIPAA-Compliant Email Work?
Essentially, HIPAA-compliant email boils down to these components:
1. A signed business associate agreement between the email provider and the office
2. Encrypted storage of emails containing protected patient information
3. Server access and backup procedures that comply with the regulations
4. Protected information is NEVER transmitted without the appropriate encryption
Numbers 1, 2, and 3 on the above list are easy. It’s the last piece that makes things difficult. You can pay for an email service that follows all the rules to provide HIPAA-compliant email hosting, but if a member of your team doesn't follow the rules and sends an email without using the proper encryption, congratulations, you’ve just breached HIPAA/HITECH privacy regulations.
Unfortunately, this could apply to your website as well.
Collecting the information securely from a prospective patient isn’t a problem. Your Web team simply needs to install a valid SSL (TLS) certificate and serve your website, including the pages your forms submit to, over an encrypted connection. When implemented correctly, the address in a Web browser shows https rather than simply http in front of your domain. The S stands for “secure,” and it protects the information while it travels between the patient’s browser and your server.
The problem comes when the information is transmitted from the server to your office. This is usually accomplished by email.
There really isn't an easy way for you to send email using encryption. This difficulty is purposely built in. It’s what makes it secure. The idea is, I have a key that I use to lock up the information, and you have the only other key that unlocks the information. But I have to give you the key somehow, and when it comes to easy communication between doctor and patient, that extra step—the second key—really messes things up.
For your practice’s website to send you patient inquiries, it has to somehow use the same process as a HIPAA-compliant email system. The easiest way to accomplish this is for you to log in to the server via an encrypted connection using a username and password. You would then read the emails and call the patient, and reply via an encrypted email.
My company doesn't offer the above system—not in its entirety. We have pieces of the puzzle. Other companies have other pieces of the puzzle. That’s the problem: trying to accomplish true compliance—whatever that is—is so difficult and enigmatic that it’s hard to justify investing in a system that does it all.
What Can Be Done Now
There are some fairly easy things that you and your Web team can do to make your practice more HIPAA compliant. One might go as far as to call these reasonable safeguards...maybe.
First, make sure that you’ve signed a business associate agreement with your Web team that says that they will abide by HIPAA. If they’re not implementing reasonable safeguards on their end and they're not willing to sign the agreement, it’s time to protect your practice by finding a new company.
Second, ask your Web team not to keep a copy of any email inquiries on the server or on any of their computers. If there are no emails stored, then they don’t need to be encrypted and can’t be leaked. Your practice must still store any protected information it receives in compliance with HIPAA/HITECH regulations, but at least you have it all in one place.
Third, change your team’s email habits. Do not send emails with protected patient information. If you’re emailing with a patient, see if you can get them on the phone instead. No one expects you to ask patients, “Are you using a secure line?” when you speak with them, but they are concerned with a pimple-faced teenager with too much time on their hands learning that you have a patient in your care who sometimes needs a filling. It’s a mad world we live in, but it’s the truth.
You should pay for a HIPAA-compliant email system. There are a number of them out there. Some are better than others, but all of them have the same linchpin: your team has to use the encryption when sending email. You'll probably find that the “second key” I mentioned earlier is frustrating to patients and team members. Computer-illiterate patients who can barely manage regular email will find encrypted email solutions infuriating. The only HIPAA-compliant workaround is to not use email. Have the patient call you, call them yourself, or ask them to come into the office so you can do everything in-house.
Are You Absolutely Sure That This Is Necessary?!
No, I’m not, but I would hate for that one irate and unreasonable patient who is looking for any way to hurt you and your practice to cost you thousands of dollars in legal fees simply because they heard about privacy rules or the growing importance of encryption by way of media coverage on NPR, Fox News, and other major news outlets, and think that they’ve caught you with your pants down.
I really see only two solutions for the average dental practice:
1. Use discipline, time, and money to go high tech and do it right.
2. Use discipline and time to go low tech again and do it right.
Anything in the middle will leave you exposed because this is the environment that gave birth to HIPAA in the first place.
About the Author
Jonathan Fashbaugh has been working with dentists on their marketing for ten years. He is the president of Pro Impressions Marketing Group, holding a degree in Digital Media Arts from Full Sail University. He has written many articles about website design and search engine optimization in publications like Ortho Tribune, Dental Economics, AGD Impact, and others. He has also taught Internet marketing courses at the Las Vegas Institute for Advanced Dental Studies. You can learn more about Jonathan and Pro Impressions Marketing Group at http://www.proimpressionsgroup.com.