If you’ve been in the home care or healthcare field for any length of time, you’re undoubtedly familiar with HIPAA – the Health Insurance Portability and Accountability Act of 1996. HIPAA set national standards for protecting patients and their private health information.
As employers in the home care industry, most understand that HIPAA covers information that would be collected in a client file – from date of birth to information about health conditions.
HIPAA also covers marketing efforts. The HIPAA Privacy Rule gives patients control over how their protected health information (PHI) is used and disclosed for marketing purposes. Because of this, all home care marketing efforts must comply with HIPAA standards so that no PHI is disclosed in a way that puts your agency at risk of a violation.
What is Protected Health Information?
Before covering common ways in which protected health information (PHI) can be disclosed, it’s necessary to define the HIPAA identifiers that are considered personally identifiable information.
When the following information is paired with a client’s physical or mental health condition, payment information for health care services, or general health care information, it becomes PHI because it could be used to identify a single individual.
- Names — full name, last name or initials
- Geographic identifiers — anything smaller than a state, including city, county, street address, and ZIP code
- Dates — Birth, discharge, admittance, and death dates
- Telephone and fax numbers
- Email addresses
- Social Security numbers
- Driver’s license information
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate or license numbers
- Vehicle identifiers — serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Names of relatives
- Internet Protocol (IP) addresses
- Web URLs
- Biometric identifiers — including finger and voice prints
- Full face photographic images and any comparable images
- Any other characteristic that could identify the individual
Common HIPAA Pitfalls in Home Care Marketing
A home care agency’s website is frequently the most common source of HIPAA marketing violations. Because of this, any portion of your site that asks visitors to share information must be designed so that it does not collect or disclose PHI.
- Forms. Contact forms on your website should gather only a minimal amount of basic information and should not include any field that might inadvertently entice site visitors to disclose PHI. If the contact form on your site has a “comments” field that lets visitors include a free-text message, either remove it or add a disclaimer emphasizing that details about a loved one’s health condition should not be entered on the form.
- Data Collection. All data collected from the forms on your website should be stored independently of your site in a secure, backed-up, and encrypted CRM.
- Comment Section. Turn off the comment feature on any pages of your site, including blog posts. Having the comment feature turned on could lead to the inadvertent disclosure of PHI by a client, family member, or potential client.
- Work with third-party vendors that provide HIPAA compliant forms that can be integrated into your site.
- Make sure your website is HTTPS enabled. HTTPS encrypts data in transit between the visitor’s browser and your server, so form submissions cannot be read as they cross the internet.
Social media continues to be a cost-effective way to target a large audience. No matter what platforms an agency uses, information about services can be shared with potential clients as well as existing clients. However, it is important to be mindful of potential PHI disclosure issues.
- Client Photos. While it may seem natural to feature photos of clients engaged with your care staff, do not post photos of clients without consent, even if the client is not identified. Photos of clients should only be posted if your agency has received express written permission to do so, and even then, should not include the client’s full name or any health-related information. While an unattributed photo of a client may seem harmless, just by posting a photo of the client, even without disclosing his or her name, you have identified that individual as a client of your agency.
- If your agency does have written permission to post the client’s photo, it should only be featured in a post that broadly brings attention to the work your agency does and should not be featured in a post about a specific diagnosis. For example, if a client’s photo is featured in a post about the specialized Alzheimer’s care your agency offers, that client’s PHI is disclosed.
- It is also recommended that agencies do not post photos that feature clients where their face is blurred out or where only their back is shown. In each of these cases there may be objects in the photo that could lead to identification.
- Posts and Messaging. Social media posts should not be worded in ways that prompt visitors to disclose PHI in the comments section – either about themselves or about loved ones.
- Additionally, do not use public posts or the private messaging feature on social media to collect or ask about client-specific information. These platforms are not encrypted for this purpose and are not designed to follow HIPAA rules.
- Instead of posting photos of clients, consider featuring photos of caregivers (again, only after receiving written permission to do so) or invest in stock photos.
- Maintain an up-to-date social media policy and hold routine training sessions to ensure that staff members are aware of best practices when it comes to protecting client PHI. Your agency’s social media policy should be sufficiently broad to also cover staff members’ personal social media accounts, ensuring that they are not posting photos, names or other potentially identifiable information about clients.
Email is another cost-effective way to reach a large base of potentially interested consumers. Whether through a monthly e-newsletter or a drip campaign, email can provide existing and potential clients with relevant information about family caregiving and about your agency’s services.
- Data Storage. Names, email and physical addresses, and any other information about clients, their families, or potential clients, should be stored in a secured and encrypted off-site system with routine backups.
- Email Campaigns. With a large database of people on your agency’s email list, it makes sense to segment them into groups so that each person receives only the emails most relevant to their current situation. If segmentation is built around PHI, clients must be offered an opt-in and must elect to receive these emails before they are sent.
- Work with third-party partners who are well-versed in HIPAA-compliance. Ensure that all emails are encrypted – meaning that only the sender and recipient have access to the email’s content.
- Ensure that third-party email marketing firms execute a business associate agreement (BAA) with your agency that protects PHI.
- Ensure that any off-site servers that are used to store email addresses or client PHI are encrypted and regularly backed up.
At corecubed, we have decades of experience in creating robust digital marketing strategies for home care agencies that increase digital footprint and reach, while remaining compliant and protective of client data. Learn how our team of experts can help:
- Design a user-friendly website
- Produce engaging, timely and educational blog content
- Develop email marketing campaigns to nurture potential clients
- Manage social media outreach
- And much more