A provider utilizing your organization’s medical device on a patient snaps a quick photo, posts it on a social media website and adds your hashtag. A marketing coordinator on your team sees the post and reposts it to your organization’s page. Good social media marketing, right?
The critical step that was missed was getting a signed HIPAA authorization form on file from the patient. Even if the provider has one on file, it would be better for your organization to have a copy of it.
HIPAA compliance applies across all marketing. Online marketing in particular can be fast-paced and have lower quality assurance. Here are basic guidelines for HIPAA compliant digital marketing:
- Remove PHI. From the get-go, even in brand or target market studies, remove PHI (protected health information) from a dataset to ensure privacy for participants. This de-identification process minimizes the detail shared across the entire marketing team and third-party marketing partners. To be sure, remove health status, provision of care, any detail about payment for care and any other private data. To be even more sure, leave in only data that could be safely posted online or publicly.
- Use common sense. From writing online advertising copy to posting on social media to updating web portals, your team is inundated every day with messaging tasks – with getting eyes on the message and users to act. That kind of pressure makes common sense wane. Remind the team: if they wouldn’t say it in an elevator, don’t say it online. This simple reminder helps the team think twice about posting what may be private information.
- Speak generally. Rather than addressing particular cases or featuring real patients, address general conditions and treatments. A post like this seems innocuous enough: “A patient arrived in the Kansas City emergency room last night with complications from stage-4 breast cancer…” But community members who know her well may easily trace it back to the actual person. Better to address research, treatment options and possible outcomes rather than individual cases.
- Get it in writing. Case studies and testimonials from actual patients make for stronger marketing. Before even gathering source materials for these types of projects, ensure the team contacts the patient directly to explain the project and ask permission to feature them. Then have the patient sign a model release form stating that your organization has rights to use their likeness and story. Consult your legal team or attorney for a HIPAA authorization form.
- Two sets of eyes. First, have all staff complete HIPAA compliance training. Next, be sure that every person on the team has a team member pre-checking online posts for HIPAA compliance, even before they go to legal for approval. This is the most basic of quality assurance systems, and larger organizations may require much more sophisticated ones.
- When in doubt, leave it out. Enough said.
Marketing challenges abound in the medical device industry. Fact is, your organization is far more likely to be hit with a wrongful termination lawsuit by a former employee than a HIPAA suit. Still, the federal government’s Department of Health and Human Services (HHS) is cracking down on marketing departments and agencies, even dinging them for faulty form submission solutions on healthcare websites.
Today is the day to button up loose ends and be sure that the team is pushing out HIPAA compliant marketing across the board.