As healthcare practitioners already know, the goal of the Health Insurance Portability & Accountability Act of 1996 (HIPAA) is to protect the privacy and security of Protected Health Information (PHI). One thing many do not realize is that HIPAA has some very specific rules about how to protect PHI on the Internet.
First, it is important to understand the terminology.
Covered entity: the health care practitioner
Covered service: the type of treatment that can be received from the covered entity
Covered benefits: why patients will be better if they receive treatment from the covered entity
If you, a covered entity, have a website which provides information about your covered service or benefits, your notice of privacy practices must be blatantly posted on the website, with a link to download the notice. If a complaint is made against you regarding a potential breach of HIPAA, one of the first things an investigator will do is look at your website, so it is very important to make sure the notice is conspicuous.
HIPAA defines a website as “a collection of material placed on a computer server-based file archive that is publicly accessible over the Internet.” 45 CFR § 164.520(c)(3)(I)
Besides your own company website, this also includes sites such as Facebook and LinkedIn where you have a company page, group, or profile telling about your services. You must post your downloadable/linked privacy notice there, as well.
Pursuant to HIPAA, patient testimonials need the patient’s explicit HIPAA authorization in order to be considered compliant—even though the patient is the one writing the testimonial. 45 CFR § 164.508(b)
Facebook is very careful in saying that users are responsible for the content on their own pages. That includes patient testimonials on your page. This does not include a patient writing a testimonial on their own website or Facebook profile. However, if a testimonial is posted on the healthcare practitioner’s website or social media page, where the healthcare provider has control over that website or social media page, HIPAA authorization is required.
Overall, if a healthcare practitioner is considered a covered entity under HIPAA, then as a result, the healthcare provider must be very careful in what patient information is accessible to the public—whether directly in their office or on their website—and whether that information can be linked to a specific individual—a picture, name, address, telephone number, Social Security number, type of diagnosis or treatment, etc.— because that information is considered protected under HIPAA regulation.
When HIPAA was created in 1996, the Internet as we know it was still in its infancy. Although HIPAA has been updated since its inception as a result of the way our society moves and grows with technology, it is likely it will continue to be revised in the future. The concepts and goals remain the same, but certain details change over time, and it is the practitioner’s responsibility to know these changes. As our society continues to utilize the Internet & social media as a means for people to get their information, it becomes even more important.
Remember, the responsibility still falls on you, the covered entity, to stay HIPAA-compliant.
Is your website HIPAA-compliant? Contact us with any questions or comments.
Stephanie J. Rodin, Esq.
Rodin Legal, P.C.
Tel: (917) 345-8972
Fax: (917) 591-4428