Before you call your brand-new rehab therapy marketing plan complete, you’ll want to make sure you’ve dotted your i’s and crossed your t’s on all things HIPAA. After all, there are several HIPAA requirements that healthcare providers must adhere to when they promote their services to potential patients. Run afoul of these rules, and your PT, OT, or SLP practice may end up with some hefty fines. With that in mind, here’s a rundown of HIPAA marketing guidelines. But first, some background on HIPAA:
In 1996, Congress established the Health Information Portability and Accountability Act (HIPAA) in part to ensure patients’ health information remained private and protected. As such, under HIPAA’s Privacy Rule, covered entities (i.e., healthcare providers) must be judicious in their handling and use of patients’ protected health information (PHI).
Then, in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act provided specific guidelines on how healthcare providers and supporting businesses could handle PHI for marketing purposes. As of 2013, all providers are required to obtain prior authorization from patients before using or disclosing their PHI for marketing purposes.
Now, let’s take a look at how these HIPAA guidelines apply to some common marketing scenarios:
As WebPT’s Brooke Andrus and Charlotte Bohnett explain in this blog post, the guidelines for what constitutes a HIPAA-governed marketing email are broad. In fact, according to this resource, even emails that don’t contain PHI—but do promote a product or service for which you receive compensation—are subject to the rules.
That’s why—instead of establishing a different protocol for each type of marketing email you send—WebPT recommends having patients opt in to receiving all marketing emails during the intake process. That way, you have written authorization to email them with updates about everything happening at your clinic.
Just be sure you also provide your subscribers with an option to unsubscribe at any point—and that you honor any unsubscribe requests you receive. Oh, and because email addresses are also considered PHI, absolutely no selling or disclosing them.
Testimonials are a great way to share patient stories and market your practice to new patients—after all, social proof is an excellent conversion tool. But because testimonials almost always contain PHI, you’ll absolutely need to obtain prior written permission from patients before sharing their stories. And that stands regardless of the channel you use (e.g., your website, email, social media, or ad). Skip that step and you’ll be in hot water, for sure.
According to the Compliancy Group, the patient’s written “authorization should include specific reasons as to why the patient is consenting to sign the form” as well as “a full and accurate description of precisely what patient information (i.e., photographs or videos of the patient) can be used in a testimonial, and how that information will be used.” That’s in addition to:
- The patient’s full name, date, and signature;
- The practice’s name and contact information;
- Authorization date of expiry; and
- Instructions for patients to revoke authorization at any time.
Social media is an excellent marketing tool for connecting with your audience and reaching new prospects, but it can also be a HIPAA landmine. That’s because, as explained in this guide, “social media is anything but private—and it’s practically permanent, because once you put something online, chances are good it’s going to live forever.” After all, “You might think you deleted that unfortunate tweet or photo, but if someone took a screenshot of it, it’s most definitely not gone for good.”
So, what is a rehab therapy practice to do? First, develop a HIPAA-compliant social media policy; then, train your staff on it. Most importantly, you’ll want to refrain from providing medical advice or posting any PHI on social media (without prior written permission, of course). According to the HIPAA Journal, PHI “includes any text about specific patients as well as images or videos that could result in a patient being identified.” Instead, use your social media channels for “posting health tips, details of events, new medical research, bios of staff, and for marketing messages, provided no PHI is included in the posts.”
It’s also a good idea to track and archive your posts and conversations—just in case you ever need them to support your side of the story. For more “tips for keeping your practice socially safe,” check out this guide. The above-cited HIPAA Journal article has its own social media guidelines that are worth a read as well. Interestingly enough, they recommend against “enter[ing] into social media discussions with patients who have disclosed PHI on social media.” Instead, ask the poster to take the conversation offline by calling your office.
There you have it: the basics for making your PT, OT, or SLP clinic’s marketing HIPAA-compliant. Have more HIPAA-for-marketing questions? Send them on over in the comment section below, and we’ll do our best to find you an answer.
Note: We do our best to summarize our understanding of these rulings at the time that we publish our posts, but there’s a lot of information out there—and a lot that changes. As always, we recommend that you speak with a compliance consultant or healthcare attorney for compliance and legal advice, as this article is meant for general educational purposes only.