Welcome to Healthcare Marketing Rx, where our goal is to help your healthcare marketing get healthy and stay that way. This video focuses on making sure that you’re using HIPAA compliant website forms.
We are a HIPAA compliant healthcare marketing agency, but we are not lawyers. We’re providing this information based on our experience as a HIPAA compliant agency. It’s general information about HIPAA compliant website forms, based only on our experience with our clients. Please do not construe this as legal advice.
Please do consult with your healthcare attorney for specific questions. And throughout this video, you’re going to hear me refer to healthcare attorneys a few times. They’re really good to have. They’re different from a general business attorney. Healthcare laws are much more specific. If you do not have a healthcare attorney, we highly recommend that you find a good one.
We’re pretty sure that you have forms on your website that you want people to fill out. The most common example is a contact us form.
You ask for a name, an email, maybe a phone number, and then you’ve got a box in which people can type in pretty much whatever they want. The other type of form we commonly see is the patient form or new patient form. What we almost always see is a PDF that you would like the patient to download, print out, fill out, and then bring with them to their next appointment. That approach is very safe from a HIPAA point of view, because the website itself never collects or stores any patient information; the completed form exists only on paper. Unfortunately, very few patients actually take the time to do all of that.
Let’s go back to that Contact Us form, and let’s start with the box on the right that says “How Can We Help”. Depending on what somebody types into this box, the submission can contain very detailed PHI.
For example, if you are a podiatrist and somebody describes their diabetic foot ulcers that are getting worse, or their ingrown toenails, et cetera, that’s definitely PHI. Any contact information they put in the same form now counts as PHI too, because it’s paired with clinical information. You have a responsibility to protect that information, just like you do all the other PHI that you collect.
One way to deal with the problem is to change the form itself. The easiest way is to get rid of the form completely. Instead, just list your contact information (phone number, email) so that prospective patients can contact you directly. As a marketing agency we prefer not to do that. We want to make things as easy as possible for people to contact you, and if they can just fill out a simple form online, it’s much easier for them. That’s even more true if they do it after hours. One of the truisms of marketing is to make it as easy as possible for potential patients to contact you.
We also prefer to keep the box where patients can put in more information. Healthcare practices like to have that information because they want to know what’s going on. It helps when somebody in the practice calls the person back: they’ve got a little bit of information about the reason that prospective patient contacted you in the first place.
Your other option is to get HIPAA compliant website forms in one way or another, and then pair it with HIPAA compliant website hosting. HIPAA compliant website hosting is a separate Healthcare Marketing Rx topic.
We get this question. “But that person isn’t a patient when they fill out the contact form!”
Our opinion is that your contact form should be HIPAA compliant. Here’s the scenario: your prospective patient fills out a contact form on your website. So far so good. What if they become an actual patient? That’s what you want, isn’t it? You want these people to become actual patients. That’s why you opened up your practice.
What tends to happen is that all the information submitted through the contact form stays in the website. Nobody ever gets rid of it. Your risk is a data breach or an audit, and in fact nobody has to steal any data. If your stored form submissions hold PHI that others can see (for example, your website developer or your website hosting provider, who can just log in and look around), then you’ve got all the risk you need, because every one of those people is a potential unauthorized disclosure. We see stored contact form submissions in websites that go back months or years.
The other way to handle it is to make sure somebody is going into your website on a regular schedule, scrubbing that data and deleting old contact form submissions. We just never see that happen in practice.
Generally speaking, two things have to be true:
BAA stands for business associate agreement. HIPAA requires one with any vendor that handles PHI on your behalf, and a form provider that stores your submissions is exactly that kind of vendor. BAAs are very dense legal documents. They can be a dozen pages, but generally speaking, here’s what they cover with respect to PHI:
With a BAA in place, the Office for Civil Rights (OCR) is much happier, because the BAA shows that you set up the vendor relationship the way HIPAA requires. OCR is the agency within the U.S. Department of Health and Human Services that will investigate a breach or conduct an audit. There are usually state agencies as well.
The other broad category of things you want to see is that the provider talks the talk. They use appropriate wording on their website or in their materials, like:
You don’t have to see all of these terms, but you want to see terms that at least sound like these. Behind each term there should be a more specific description of how they do it. It won’t be at a great level of detail, but it gives you some assurance that they’ve thought this through and that they’re actually doing these things.
If your current form provider doesn’t meet these criteria, in our opinion you should switch to one that is HIPAA compliant. To find good alternatives,
Once you find one or two and start evaluating them, part of your evaluation should be done with your healthcare attorney. Have them review the business associate agreement the provider gives you, and treat it as a red flag if the provider won’t give you one.
We hope this has helped you and opened your eyes a bit to an issue that could be a real problem but is pretty easy to solve.
At MarketVisory Group we offer website design services as part of our done for you marketing packages and as a standalone service. If you have questions about our services or about us, please contact us using MarketVisory Group’s contact page.