The Office for Civil Rights (OCR) recently provided new lessons when it comes to mixing healthcare marketing and HIPAA. In this case, marketing is viewed broadly: it covers not just communications or interactions about an organization subject to HIPAA, but also limits on the use of patient information outside the bounds of the organization. The basic message from OCR is to respect privacy, understand HIPAA’s clear requirements on marketing, and take OCR requests seriously.
No Marketing Free for All Allowed
Taking patient information to bolster a political campaign is not permissible. While that determination should be obvious, it is the underlying issue in the recent settlement with Northcutt Dental-Fairhope (Northcutt). As summarized by OCR, the owner of Northcutt decided to run for political office in 2017. As part of the campaign, Northcutt’s owner shared the names and addresses of over 3000 patients with his campaign manager. After sharing the patient information, letters were sent to each patient on the campaign letterhead, but addressed “Dear Valued Patient.” The phrase clearly shows a blending of roles.
The campaign’s use of patient information did not end with that first letter though. A second communication was sent in April 2018 that further eroded the lines between Northcutt and the campaign. The second communication went out under Northcutt’s letterhead by email and signed as if coming from Northcutt. However, the content of the email was clearly designed to promote the campaign.
The misuse of patient information in this instance resulted in a $62,500 settlement with OCR. Sharing patient information for purposes of promoting the campaign does not fall within the scope of permissible marketing.
HIPAA’s Marketing Requirements
How does HIPAA define marketing? The Privacy Rule includes a relatively straightforward definition: marketing is “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” 45 C.F.R. § 164.501 (definition of Marketing). The definition goes on to exclude certain types of communications about products or services, but the high-level summary is that the exclusions all relate to the provision of services by the organization and are connected to services the patient is already receiving. Communicating about the political campaign of a dental practice’s owner would clearly not fall into the exclusions, at least if common sense is being applied.
The definition of marketing does not end the story. Further into the Privacy Rule (45 C.F.R. § 164.508(a)(3) specifically), the regulations lay out how to engage in marketing that does not fall into the exclusions contained in the definition. What action is contemplated by the regulations? Getting authorization from that patient. A valid authorization needs to describe what protected health information will be disclosed and how it will be used. In the instance of the campaign, that means saying the patient information would be used for campaign communications and purposes. Presumably, even if the patients really liked their dentist, they would not want information from the dental practice being sent to the campaign, though one never knows unless the question gets asked.
While the outcome feels laughably obvious in hindsight, it is also reasonable to expect that similar situations are not all that uncommon.
Bad Online Reviews
Wanting to refute a bad online review is a natural response for most people, but that natural inclination needs to be tempered in healthcare. It should be clear, but diving into patient details and revealing specifics of treatment is not how to respond. The clear parameters are hammered home in the final determination obtained by OCR against U. Phillip Igbinadolor, D.M.D. & Associates, P.C. (UPI). After spending years trying to get UPI to respond and engage in a review of the allegations, OCR finally proceeded to impose a $50,000 civil monetary penalty over conduct that UPI had actually admitted.
What happened? It’s a good question and helpful to review. As summarized by OCR in a Notice of Proposed Determination, a patient visited UPI a couple of times between 2013 and 2014. In September 2015, the patient posted a negative review on UPI’s Google page under a pseudonym. After seeing the review, UPI posted a lengthy and detailed reply that included the patient’s real name (multiple times). The patient filed a complaint with OCR, which kicked off a standard investigation.
The rails further came off during the investigation. UPI acknowledged posting the reply in an early response to OCR, but did not provide much detail about its HIPAA compliance policies and procedures. OCR repeatedly tried to get additional information or policies from UPI, but no information was provided. At one point, UPI replied to OCR that UPI would see OCR in court (the factual recitation has a bit of a “sticking it to you” tone, but it is also not an advisable statement to make to OCR). After being stonewalled for long enough, OCR proceeded to seek imposition of a civil monetary penalty. The Notice of Final Determination informed UPI of the civil monetary penalty and that appeal rights had been lost.
Responding to Online Reviews
Given the natural expectation that no one wants an unfounded negative review to be left online, what can be done that will not cause a HIPAA headache? One approach is to reach out to the patient directly (not through whatever public platform the review is on) and talk through the issues raised in the review. A direct approach can be surprisingly effective and may reveal unexpected information. Another potential benefit of direct outreach would be repairing the relationship with the patient (if that is of interest). Direct outreach also avoids a public back-and-forth that can only further tarnish everyone’s reputation.
Another option is to respond generically without even necessarily acknowledging that the person posting the review is a patient. A statement can describe the organization’s general approach to patient care and identify how anyone can work with the organization to resolve concerns or complaints.
A third consideration would be reaching out to the site hosting the review to remove it, if it is inaccurate. While the chances of succeeding in that approach are low, it is still worth trying. In reaching out though, the organization still cannot disclose any information about the patient.
As the resolution imposed against UPI demonstrates, the worst way to respond is to drag a fight into public view and improperly disclose the patient’s information. Beyond the potential pain caused by the review, any additional back-and-forth, or even just the act of trying to go tit for tat, can cast the organization in a more negative light.
All is not lost when it comes to a strong marketing presence in healthcare. Organizations just need to know the ground rules before engaging in any activity. Once those ground rules are known, then appropriate action can be taken.
This article was originally published on The Pulse blog and is republished here with permission.