One of the biggest mistakes you can make as a health professional is to violate the rules of HIPAA, or the Health Insurance Portability & Accountability Act.
The law was first introduced in 1996 to ensure that employees had health insurance while switching jobs. It also aimed to eliminate fraud and the illegal use of private health information, with a focus on privacy.
The Privacy Rule came into effect in 2003 and was solidified to protect personal health information, including information about healthcare, treatment and payment.
Under the law, certain actions are acceptable without a written authorization and many are not. We’ve also compiled a list of things that must be present in an authorization to share information under HIPAA.
Summary of the Do’s and Don’ts of HIPAA
As a rule of thumb, healthcare data should not be used in online marketing. If you find yourself questioning whether a campaign crosses the line into non-compliance, you should never go through with it.
What can you do?
- Create an email list through forms that specifically state that the information provided will be used for marketing purposes
- Provide testimonials that parallel the experiences of most other patients
- Share medical records with other doctors to determine the best-fit program
- Remind a patient of their prescription
- Disclose information to communicate with the government for health programs
What can’t you do?
- Share that you served a celebrity to gain more credibility
- Include a patient in a newsletter if they have not signed a consent form
- Post pictures of patients receiving treatment
- Share a patient’s own post about their experience
- Provide false testimonials
- Sell protected health information to third parties
- Share health information with a telemarketer
10 Things You Must Include in a HIPAA Authorization
- Description of the information being disclosed
- The name of the person or organization who is authorized to make the disclosure
- The name of the individual to whom the PHI may be disclosed
- A description of the purpose of the disclosure
- An expiration date for the disclosure
- The signature of the individual disclosing their information
- The date the authorization was signed
- A statement about the revocation of the authorization
- A statement concerning the ability or inability to condition treatment, payment, enrollment, or eligibility for benefits
- A statement that once the information is disclosed, it may be re-disclosed to individuals/organizations not subject to HIPAA and may no longer be protected by HIPAA