HIPAA + Medical Spa Marketing: What you need to know to stay out of the brig.


What does HIPAA mean for your medical spa’s marketing?

HHS, which implements, enforces, and offers helpful information about HIPAA and related topics, has provided specific information on healthcare marketing to help clear up some confusion. They define marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” 

That’s a pretty broad description.

The key function of marketing is telling a story that compels someone to purchase a product or service. In healthcare, though, the most compelling stories belong to patients, and telling them (or using a patient's data to target a message) means using that person's protected health information (PHI), which a healthcare marketer cannot do without the patient's authorization.

Beyond this central definition, marketing also covers an arrangement in which a covered entity (CE) gives PHI to another organization in exchange for direct or indirect payment so that the other organization can communicate about its own products or services. This part of the definition has no exceptions: the individual must authorize the use before the exchange can happen, so a CE cannot sell a patient list under any circumstances without an authorization from each and every person on it.

Within the scope of the HHS definition of healthcare marketing, then, an organization must obtain the patient's clear written authorization before their protected health information is used in any of these ways.


What is NOT considered Healthcare Marketing 

Just as HHS has clearly defined what marketing is in the context of healthcare and PHI, it has also laid out the exceptions to this definition. There are three exceptions to the definition above that allow these communications to occur without authorization from the patient, assuming they comply with HIPAA in every other respect.

The first exception is that a communication is not considered marketing if it describes a health-related service or product that is provided by, or included in a plan of benefits of, the CE making the communication. This means that an email or posting from a covered entity can describe products and services the CE itself offers without being considered marketing. CEs are allowed to let their patient lists know about a new piece of equipment they have or a new facility that is being built.

Another exception to the HHS definition of marketing is that a communication made for the treatment of the individual it is sent to is not considered marketing and does not need their authorization. This often looks like a healthcare provider sending the patient a prescription refill reminder or a referral for follow-up testing that was discussed at a visit. Since these types of correspondence are regular parts of the treatment of that individual, they are not marketing.

The last exception from marketing is a communication that occurs during care coordination or case management for a patient. This is typically where an alternate provider or treatment is recommended and presented. As long as that is part of the patient's treatment and is the provider's genuine recommendation, it is not considered marketing but merely a part of caring for the patient.

HIPAA Compliant Healthcare Marketing

If you are having trouble distinguishing marketing activities from ordinary treatment activities, there are a few things to keep in mind. In the course of recommending a treatment, a doctor or other healthcare provider sometimes recommends the purchase of a medicine or product of some sort. HHS does not consider this marketing: the product is being recommended for the patient's benefit as part of treatment, which is within the regular operations of the healthcare industry.

Specifically for marketing, the main thing to keep in mind is getting written authorization for any uses of PHI in a campaign or communication that you may be sending out. 

There are so many do's and don'ts to healthcare marketing, and to complying with HIPAA as a whole, that it can seem complicated at times. That is why Accountable exists: to simplify the process and steps of achieving HIPAA compliance. Getting written authorization for use of PHI in marketing is important, but there are many other steps that need to be taken for complete compliance.

Understanding The HITECH Act: HIPAA On Steroids

By Jeffrey Segal MD JD and Michael J. Sacopulos JD

Understanding the law before you send your patients any e-mail.

Snail mail is becoming less popular as the calendar pages turn. E-mail and social media networks have changed how we communicate. Before clicking the send button in an e-mail template, healthcare professionals should understand that HIPAA enforcement has also entered a new era: more cases are being prosecuted, with both statutory civil fines and criminal penalties assessed.

A little background: Even though HIPAA passed in 1996, little prosecution followed when patient privacy was violated. Since the law took effect in 2003, nearly 45,000 complaints were filed with the Health and Human Services (HHS) Office for Civil Rights. Of these complaints, only 775 cases were referred to the Department of Justice or the Centers for Medicare and Medicaid Services for investigation. None resulted in direct civil monetary penalties.

Then, in 2009, the HITECH Act ("HIPAA on steroids") was enacted. This act was intended to increase HIPAA confidentiality protections for Electronic Protected Health Information (ePHI), impose tough civil and criminal penalties for violations, mandate notification of breaches of HIPAA-protected health information, and extend HIPAA's requirements and penalties directly to business associates. A tall order indeed.

For example, under the tougher HITECH regime, in April 2010 a former hospital employee was sentenced to four months in prison for accessing the medical records of his coworkers and various celebrities. He had no "valid" reason for accessing these records.

According to the Health and Human Services (HHS), penalties have increased. Prior to the HITECH Act, the HHS Secretary could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision. Section 13410(d) of the HITECH Act strengthened the civil money penalty scheme by establishing tiered ranges of increasing penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision.

Just how "high tech" are physicians when it comes to communicating with patients?

A survey by the health information firm Manhattan Research in 2009 found that 42 percent of physicians had some online communication with patients.

The American Academy of Family Physicians reported in a 2009 survey that just 6 percent of responding members had performed a Web-based consultation - that number was more than double the 2.6 percent who had done so in 2008.

But is all of this electronic communication legal?

Under the HITECH Act, HHS adopted National Institute of Standards and Technology (NIST) guidance as the standard for when ePHI counts as "secured." ePHI that is not encrypted to that standard is unsecured, so if it is lost, stolen, or sent to the wrong person, the breach notification rules apply. This means that if a physician wants to consult, refer, or prescribe for a patient by e-mail, the e-mail had better be encrypted. Of course, most patients do not have software to decrypt it. So what alternatives do healthcare providers have? And, more importantly, how can this be made easy and pragmatic? E-mail was designed to simplify, not complicate.

Healthcare providers may seek their patients' consent to communicate via unencrypted e-mail. While HHS does not provide a standard form for securing patient consent, basic "informed consent" strategies should apply. First, get the patient's consent in writing. The patient should not be given just a binary choice but a menu of choices. For example, a patient may wish to receive appointment dates electronically but not test results. The consent document, as is standard with most routine HIPAA forms, should also note that the patient may withdraw his or her consent at a later time. This can be part of an expanded HIPAA form the patient signs when first seeing you in the office.

Here are some more recommendations when communicating with patients electronically:

1) A physician may be held responsible for a delay in responding to a patient's e-mail. Solution: A physician who wishes to accept e-mail from patients should use an auto-response feature that informs the patient that a) the physician typically responds to e-mail within XXX number of hours/days; and b) if the patient requires immediate attention, the patient should telephone the physician's office or contact an emergency healthcare provider.

2) If a patient initiates an e-mail exchange with a physician, Rachel Seeger of the HHS Office for Civil Rights says that it is assumed the patient consents to unencrypted communication: "If this situation occurs, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual."

3) If a physician does end up sending a patient an e-mail, double-check the recipient's e-mail address before clicking the send button. This prevents the e-mail from going to the wrong person and disclosing private information to an unintended party. Good advice in the non-healthcare world, too.

4) Add any e-mail a patient sends (and any response) to the patient's chart.

5) 45 CFR 170.210(b), the audit standard HHS adopted under the HITECH Act, states that the date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, deleted, or printed, and that an indication of which action occurred must also be recorded. That standard is written for certified EHR technology, so in practice it is your EHR's audit log that must satisfy it, not your mail client. Still, the principle carries over: if you send an e-mail containing protected health information and later delete it, you will need a record of what was deleted and when. This is not dissimilar to crossing out a line in a paper medical record and dating the update.

6) Since the rules on communicating with patients via e-mail are becoming stricter, more physician offices and hospitals are using portals as a means of communication. A portal lets the patient sign in with a username and password to view their records and communicate with their physicians. The Security Rule allows Electronic Protected Health Information (ePHI) to be sent over an open electronic network as long as it is adequately protected. Of course, this is more complicated than using Outlook or Gmail.
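Item 5 lists what an audit record must carry (date, time, patient identification, user identification, and the action taken) and item 6 points at the kind of system where that record normally lives. The following is an added example, not code from the article or from Medical Justice, showing what such a log looks like in Python. It goes one step beyond the text: each entry also carries a SHA-256 hash of the previous entry, so that editing or removing a past record is detectable when the chain is verified. The action names, the field and helper names, and the sample events (a PHI e-mail created, printed, then deleted) are assumptions for illustration.

```python
"""Hash-chained, append-only audit trail for actions on PHI records (added example)."""
from __future__ import annotations

import dataclasses
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Actions named in the standard as quoted above (assumed fixed set for this example).
ACTIONS = frozenset({"created", "modified", "deleted", "printed"})
GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int            # position in the log; must be contiguous
    timestamp: str      # date and time, UTC, ISO 8601
    user_id: str        # who performed the action
    patient_id: str     # whose record was touched
    action: str         # which of ACTIONS occurred
    record_id: str      # which record (here, an e-mail message id)
    prev_hash: str      # SHA-256 of the previous entry: the chain link
    entry_hash: str = ""

    def canonical(self) -> bytes:
        """Stable byte encoding of every field except the hash itself."""
        fields = dataclasses.asdict(self)
        fields.pop("entry_hash")
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditLog:
    """Entries are only ever appended; nothing is edited or removed in place."""

    def __init__(self) -> None:
        self._entries: list[AuditEntry] = []

    def record(self, user_id: str, patient_id: str, action: str,
               record_id: str, when: datetime | None = None) -> AuditEntry:
        if action not in ACTIONS:
            raise ValueError(f"unknown audit action {action!r}")
        ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        entry = AuditEntry(len(self._entries), ts, user_id, patient_id,
                           action, record_id, prev)
        entry = dataclasses.replace(entry, entry_hash=_sha256(entry.canonical()))
        self._entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every hash matches its entry and every link points at the entry before."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e.seq != i or e.prev_hash != prev or _sha256(e.canonical()) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def head(self) -> str:
        """Hash of the newest entry; keep a copy somewhere the log writer cannot reach."""
        return self._entries[-1].entry_hash if self._entries else GENESIS

    def deletions(self, record_id: str) -> list[tuple[str, str]]:
        """(timestamp, user_id) for each deletion of a record: what was deleted, and when."""
        return [(e.timestamp, e.user_id)
                for e in self._entries if e.record_id == record_id and e.action == "deleted"]


def build_sample_log() -> AuditLog:
    """Constructed sample: an e-mail containing PHI is created, printed, then deleted."""
    log = AuditLog()
    t0 = datetime(2010, 4, 1, 9, 0, tzinfo=timezone.utc)
    log.record("dr_smith", "pt-001", "created", "msg-42", t0)
    log.record("nurse_lee", "pt-001", "printed", "msg-42", t0 + timedelta(minutes=30))
    log.record("dr_smith", "pt-001", "deleted", "msg-42", t0 + timedelta(hours=1))
    return log


def tamper_check() -> bool:
    """Rewrite one past entry in place (as someone with file access might) and re-verify."""
    log = build_sample_log()
    forged = dataclasses.replace(log._entries[1], user_id="dr_smith")
    log._entries[1] = forged  # bypasses record(): stored hash no longer matches
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("deletions of msg-42:", log.deletions("msg-42"))
    print("after tampering, chain intact:", tamper_check())
```

The chain catches an edited or dropped entry because the next entry's `prev_hash` no longer matches; the one thing it cannot catch on its own is someone rewriting the newest entry and recomputing its hash, which is why `head()` exists: copying that value to a place the log writer cannot modify (a separate log server, a printed daily ledger) closes that gap.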

The HITECH Act has ushered in a new era of technology requirements and standards that must be met by physicians.  Given HHS's recent enforcement efforts, physicians should use caution when electronically communicating with patients.  By working within the boundaries of the six points above, physicians should comply with the HITECH Act. 

Jeffrey Segal MD JD and Michael J. Sacopulos JD are with Medical Justice, a Medical Spa MD Select Partner that protects physicians from frivolous lawsuits.
