In 1996, US Congress passed the Health Insurance Portability and Accountability Act (HIPAA). And as we explained here, this “dense piece of legislation...has serious implications for virtually all medical professionals, including physical therapists, occupational therapists, and speech-language pathologists.” Specifically, all HIPAA-covered entities—and that includes providers, payers, and business associates—“must follow certain rules governing the way patient protected health information (PHI) is collected, shared, and used.” And consequences for HIPAA breaches can be severe. While you may already take precautions to protect your patients’ PHI within your clinic, you must also extend the same level of care to your marketing efforts. Failing to do so could land you in some very hot water. With that in mind, we’ve compiled some tips to help you ensure you’re:

  1. sending HIPAA-compliant marketing emails, and
  2. maintaining HIPAA-compliant social media channels.

Before we jump into that, though, we must say this: while we here at WebPT are well-versed in researching and writing about HIPAA, we are not attorneys, nor are we compliance experts. Therefore, please take the following information as just that: information. It is general in nature, will not be suitable for everyone, and should not be construed as legal or expert advice. We strongly encourage you to speak with a certified compliance expert—such as Rick Gawenda of Gawenda Seminars or Tom Ambury of the PT Compliance Group—as well as a healthcare attorney to decide what’s right for your business before you implement any strategy, including any of the ideas outlined below.

With that out of the way, here’s the healthcare provider’s guide to HIPAA-compliant marketing:


HIPAA-Compliant Emails

As WebPT’s Charlotte Bohnett and Brooke Andrus write in this post, “few tech inventions have endured the way email has.” In fact, the authors cite this infographic, stating that “95% of online consumers use email, and 91% check their accounts once a day.” As a result, businesses see a $44.25 average return on investment for every $1 they spend on email marketing. With all that in mind, it’s no wonder email remains a crucial piece of any successful marketing campaign. However, with HIPAA rules around marketing being “murky at best”—especially following the introduction of the 2013 HIPAA omnibus ruling—many providers have shied away from this potentially profitable pathway. But there is a way for your practice to reap the benefits of email marketing while remaining fully HIPAA compliant. Here’s how:

1. Include a marketing communications opt-in form in your intake paperwork.

That way, you’ll know which patients you can market to via email and which ones you can’t. As Bohnett and Andrus advise, be sure your opt-in form “clearly explain(s) the types of communications you will send,” as well as “how those communications will benefit them.” If a patient decides to opt out, you must respect his or her decision. Additionally, you are legally obligated to provide your patients with the option to unsubscribe at any time—and you must comply with all unsubscribe requests.

2. Ensure your email provider understands—and complies with—HIPAA.

This is important, because any breach on the part of your email vendor will ultimately fall on you. That could mean costly fines as well as broken trust with patients. It’s always your responsibility to vet your software vendors and make sure they’re on the ball when it comes to HIPAA compliance. While we’re talking specifically about marketing emails here, if you plan to discuss a patient’s health information via email—with that patient’s consent, of course—you must take additional precautions, like encrypting your messages or using a secure messaging service with which you have a signed HIPAA business associate agreement.

3. Never send patient PHI as part of an email marketing message—unless you have express written permission from the patient and you’ve discussed it with an attorney.

As Bohnett and Andrus suggest, “stick to communication that is appropriate and relevant to large groups of readers—like sharing great content that speaks to, say, a segment of patients who are runners or a segment of patients who participate in aquatic therapy.” You could also use marketing emails to promote new cash-pay wellness services or share clinic news. It’s also worth noting here that patient email addresses fall under the PHI umbrella as well, so be sure your emails are going out to a blind list (i.e., one that isn’t visible to any individual recipient), and never sell or disclose email addresses “unless expressly allowed under HIPAA law.”

HIPAA-Compliant Social Media Channels

Today, everyone’s using social media, including your patients, who—as we explain here—do so to “make informed decisions about their health.” Thus, as a healthcare provider, you should be using it, too. That being said, because you’re covered by HIPAA, you must take some additional precautions to ensure you’re using it safely. After all, “social media is anything but private—and it’s practically permanent, because once you put something online, chances are good it’s going to live forever.” With that in mind, here are eight tips for ensuring you’re keeping your social media channels HIPAA-compliant:

  1. As Tom Ambury advises here, keep your business and personal accounts separate.
  2. Develop—and enforce—a comprehensive social media policy; then, train your staff on it.
  3. Ensure all staff members who have access to your social media accounts are well-supervised and know who to ask for help should a complicated situation arise.
  4. Implement a system that enables you to track, archive, and retrieve all electronic communications—you’ll need them as evidence should you find yourself facing a lawsuit or breach accusation.
  5. Designate someone to approve all posts before they get published. And if that’s not possible, this Forbes article recommends adopting technology capable of monitoring your posts in real-time and flagging any that could be problematic.
  6. Write pre-approved copy that your staff can use to provide general status updates and respond in potentially tricky scenarios.
  7. Never, ever post medical advice or PHI on social media—unless you have express written permission from the patient and you’ve discussed it with an attorney. As this article says, “patient posts do not imply consent”—and it’s never a good idea to “violate privacy or post PHI.”
  8. Institute an audit schedule to regularly monitor all accounts for professionalism and compliance. Then, follow up with feedback and/or additional training.

To learn more about what constitutes ePHI—that is, protected health information “sent or stored electronically”—check out this article from LuxSci. You may be surprised to learn that there are 18 different individual identifiers that—if paired with any kind of protected health information, even something as seemingly innocuous as an appointment with a particular doctor—are considered ePHI.

How does your practice ensure your marketing efforts—via both email and social media—are HIPAA-compliant? Share your strategies in the comment section below.
