As a board-certified aesthetic professional, it goes without saying that you go to great lengths to protect patient privacy. However, it now appears that you may need to go even further.
Earlier this year, the Dept. of Health and Human Services (HHS) announced new HIPAA rules that not only update the Act’s privacy and security measures but expand them in new directions. At 536 pages, the new rule isn’t exactly a page-turner, so here are 4 ways the changes may impact your practice:
Expanded liability: If you use a marketing agency or other vendor to maintain your practice website and/or manage your social media presence, be aware that these “business associates” are now also bound by HIPAA. Like you, they must take appropriate steps to protect against data breaches. Equally important, however, their potential liability does nothing to minimize yours.
Proof of compliance: The new rule requires covered entities, including those business associates, to develop written contracts that formalize acceptable uses of protected health information (PHI) and how data breaches will be reported.
Tighter marketing restrictions: The rule also mandates that authorization must be obtained before releasing PHI for marketing purposes. Needless to say, getting patient consent before using patient testimonials, images in before and after galleries, etc., has always been a good idea; now, appropriate patient consent forms must be completed and kept on file.
Protecting privacy in a social setting: When HIPAA was enacted in 1996, there was no such thing as social media. Today, it forms a major focus both for patients seeking information and for doctors’ marketing efforts, which is why it’s more important than ever that you monitor who among your staff has access to PHI, what they’re sharing via social media and that all such content conforms to HIPAA standards.
“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius in announcing the update. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”
Needless to say, the better you protect patient privacy, the better you protect yourself.
The new rules don’t require compliance until Sept. 23, 2013, but now is a good time to review your internal HIPAA safeguards and alert your marketing partners about the changes that may impact them. And while you’re at it, it’s never a bad time to revisit your code of conduct for social media interactions and make sure your staff is on the same page.