Social Media Posting Compliance Requires Patients To Sign A Dental HIPAA Form
BEFORE 1996, DOCTOR-PATIENT CONFIDENTIALITY WAS SIMPLE for healthcare professionals—just speak in hushed voices behind closed doors. Of course, HIPAA (and its many facets) has changed that.
Occasionally we have dentists ask us, “How does social media affect HIPAA compliance?” or “How does HIPAA compliance affect social media?”
The good news is that it isn’t as complicated as you may think.
Yes, there are a few negative stories out there about physicians who were cited for unprofessional conduct related to posting confidential information about their patients online. But these instances have been very, very rare.
By putting a few simple social media marketing safeguards in place, and using just a little common sense, this should be a non-issue for your practice.
What Is A Photo HIPAA Consent Form?
A photo HIPAA consent form is a document that patients sign to confirm that they have received a Notice of Privacy Practices statement from the medical practice.
The HIPAA consent form should clearly state how the dental office will use or share patient information. The dental office provides this form to the patient before treatment.
The HIPAA form provides the dental practice with legal permission to use the photo for treatment and/or marketing purposes.
What Is A Photo PHI Release Form?
PHI stands for Protected Health Information and is the legal term used in the HIPAA Privacy Rule.
Patient PHI protects personal information that is held by medical professionals. According to the HIPAA Privacy Rule, dentists can disclose patient photography to colleagues or use it for marketing purposes if the patient has signed a HIPAA consent form.
How Often Should A HIPAA Form Be Signed For Patient Photos?
In a dental practice, patient photos are used for many purposes. In some situations, an identifiable photograph is used for treatment and documentation. Dentists often share patient photography with specialists or use identifiable photos in medical journals, seminars, and educational settings.
With the proliferation of photography published online, the advent of social media, and digital marketing, getting permission to use patient photography in each case has become essential. The HIPAA Privacy Rule is not clear in all patient photo use situations, so it behooves a dentist to ensure they are watching their back. It is better to be safe than sorry.
With each identifiable patient photo, it’s recommended that the covered entities get a signed HIPAA-compliant form. When done, there is virtually no risk of successful litigation over the use of the patient photo.
Is It A HIPAA Violation To Take A Picture Of A Patient?
If there is no signed patient consent form and the photo identifies the patient, storing, handling, and sharing the image is a violation of the HIPAA Privacy Rule.
One of the most overlooked issues regarding HIPAA dental photography is storage. Suppose a dentist takes an identifiable picture of a patient without signed consent and has no intention of sharing the photograph for marketing or educational purposes. In that case, the dentist still violates the HIPAA Privacy Rule because the photo is on a device that is not encrypted.
The most common way medical professionals get in trouble is through the loss or theft of a mobile device that has PHI saved on the device’s camera.
HIPAA Compliant Photography Best Practices
GET A CONSENT FORM SIGNED FOR EACH PATIENT’S PHOTO
Is it safe for a dental practice to get one global consent form signed by a patient that covers all patient photography indefinitely? The question is not clearly defined in the HIPAA Privacy Rule. It’s up to the dentist to decide how they want to regulate and manage compliance. But is it safe to do this? Not really. The safest and surest process would be to have a consent form signed for each patient photo. If this is done, there is no question that the practice has consent to use the image, and litigation would likely fail.
USE ENCRYPTED PHOTO APPLICATIONS
Photo PHI, when stored, must be stored in an encrypted fashion. The encryption standard is AES 256. AES stands for Advanced Encryption Standard, and AES 256 is an algorithm that uses a 256-bit key to encrypt the data. If a dentist takes a picture using their cell phone without an encryption application, the photo is being stored on an unencrypted device, and they violate HIPAA.
There are encryption apps on the market. The encryption application we recommend was developed for the singular purpose of solving patient photo consent for the dental industry.
DELETE PHOTO PHI
The HIPAA Privacy Rule states that electronic PHI requires covered entities to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.” The statement would include computers, mobile devices, disks, hard drives, and anything else that can carry electronic PHI.
Unpacking this statement, it’s evident that if a dentist takes patient photos on their cell phone without using an encrypted application and leaves the office without deleting them, they violate HIPAA.
A solid policy would be to delete any PHI on cell phones at the end of each day.
SOCIAL MEDIA POSTING IS REGULATED BY HIPAA COMPLIANCE
Remember that the same rules that apply to your patients’ privacy before using social media tools apply to everything you do in your office, including social media. HIPAA was signed into effect in 1996, long before social media emerged. How HIPAA regulates social media posting is a complex issue and is a bit of the wild wild west.
What’s Included In A Dental HIPAA Form For Patient Consent?
THE PARTIES INVOLVED: You must include the name of your practice (the covered entity) or the name of the dentist as the party who is requesting and will be receiving the PHI. The authorization must be in writing and contain all elements in order to be valid.
A DESCRIPTION OF USE: The HIPAA consent form should clearly define how the image will be used, and for how long the consent is being given.
AUTHORIZATION: The patient must sign the document and it should also include a date stamp. In the event that the party giving consent is a minor or a special needs patient with a legal guardian, the guardian must sign the form.
EXPIRATION DATE: Consent should be given for a specific period of time.
PATIENT’S RIGHT TO REVOKE: In clear language, the patient should understand that they can revoke the use of their image in writing at any time. The consent form should also include simple steps on how the revocation process should happen.
HEALTH BENEFITS ARE NOT CONDITIONAL: The consent form should also clearly explain that health benefits will not be withheld from the patient if the consent form is not signed or the revocation process is exercised.
We’re Not Attorneys
Please keep in mind that we are not attorneys. We don’t even play attorneys on TV. My Social Practice does not provide legal advice, so the information in this blog post should be taken as suggestions. Additional compliance rules vary significantly from state to state and country to country. If you feel like you need more advice than what we have provided here, be sure to consult your attorney.
Avoiding Dental HIPAA Violations: Conclusion
You don’t need to worry about comments others make on your social media accounts or in the comment section of your dental website blog. The consensus is that dentists cannot be held liable for postings made by other parties.
However, if something appears on your Facebook wall or in your dental website blog that you consider questionable, a simple course of action would be to delete it.
Remember to regularly watch your Facebook feed, Instagram, and TikTok accounts, as well as your dental website blog. The rule of thumb with any comment is to respond. Still, if the patient has shared PHI in the comment, it would be wise not to verify the information by responding.
So, there you go. I hope that helps you think this through—and we hope it helps you not worry about it too much. And once again, if you have more concerns or questions, be sure to visit with your attorney. HIPAA compliance related to social networking doesn’t need to be a problem for your practice.
Onward!
About the Author: Adrian Lefler is a dental marketing expert and one of the founding members of My Social Practice. My Social Practice is a digital dental marketing company located in Salt Lake City, Utah. Adrian is passionate about helping dental practices grow.