By Caitlin E. O’Brien and Hannah M. Andazola, Attorneys
HIPAA’s Privacy Rule means health care providers must use extra caution when marketing services using patient stories. The rule, as described in 45 CFR § 164.508, “requires an individual’s written authorization before a use . . . of his or her protected health information can be made for marketing.”
Marketing is defined as any communication about a product or service that encourages people to purchase or use that product or service. This includes blog or social media posts, brochures, paper newsletters or digital e-newsletters, and any other type of marketing collateral. Sharing any information about patients for any promotional purpose is covered by the HIPAA Privacy Rule, meaning written consent from patients is essential.
We advise our health care clients to create a waiver that all patients have the option of signing (or declining to sign) during the standard patient intake process. This allows patients to opt in to searches for specific patient data to be used in marketing materials. To avoid any HIPAA violations, health care organizations or providers should include the following items in a patient waiver if they seek to use patient information in marketing materials:
A specific description of the information the health care provider seeks to use;
Who is authorized to use the information identified (such as the name of the health care provider);
A description of who the information will be disclosed to;
A description of each purpose of the requested use;
An expiration date that relates to the purpose of the use of the information;
The signature of the individual allowing the use, and the date of signing. If a personal representative is signing the waiver, a description of his or her authority to act for the individual is required (for example, a parent if the patient is a minor);
Notice of the patient’s right to revoke the authorization in writing and any exceptions to the patient’s right to revoke; and
A statement that the health care provider may not condition treatment on whether the patient signs the authorization.
Providers must give patients who choose to sign the waiver a copy of the executed waiver. Once this occurs, the health care provider may search its records of patients with waivers on file for specific patient stories to share with the public for marketing purposes.
Competent legal counsel can help you navigate all aspects of running a successful medical practice, including making sure you are in compliance with HIPAA. Contact Smith + Malek to learn more about how we can help.