On-line dental advertising and marketing: Staying HIPAA compliant in 2023


Learn Time:6 Minute, 6 Second

Most dental practices are actively engaged in some technique of digital advertising and marketing. It may very well be sending out affected person emails, writing weblog posts, web site search engine optimization, social media advertising and marketing or paid promoting.

The HIPAA Privacy Rule states that sufferers have particular controls over whether or not their protected well being data (PHI) is used for advertising and marketing functions. Most types of dental digital advertising and marketing usually are available contact with ePHI (electronically protected well being data) and must be explored for HIPAA compliance.

This publish will focus on a few of the frequent digital advertising and marketing methods and the way they need to be evaluated for dental HIPAA compliance.

HIPAA-compliant dental web sites

HIPAA compliance in dental website design is barely required if the web site collects, shops or transmits PHI. In case your web site solely supplies service-related content material, instructions, dental biographies and phone data, then there isn’t any want for HIPAA compliance.

However, most web sites have consumption kinds, affected person pictures, evaluations, stay chat, e mail subscriptions, on-line funds, affected person portals and on-line scheduling. In case your web site has any of this content material or performance, it falls underneath the HIPAA Privateness Rule.

To be protected, it’s best to contact your dental web site firm and discover out the next:

  1. Do you’ve a enterprise affiliate settlement (BAA) out of your dental web site firm?
  2. Do you’ve sub-BAA’s from third-party integration corporations that accumulate, retailer or transmit ePHI? For instance, on-line affected person kinds, scheduling, funds, and so on.
  3. Are your web site kinds compliant? HIPAA has specific encryption requirements for ePHI being submitted by a affected person kind. In my expertise most kinds are not compliant.
  4. Is any ePHI saved along with your web site internet hosting firm? In that case, your internet hosting firm should seize, transmit and retailer ePHI with the HIPAA encryption necessities talked about above. And, it’s best to get a BAA.
  5. Does your web site have prominently positioned HIPAA Notice of Privacy Practices? And has a HIPAA lawyer reviewed the discover for compliance?
  6. Is your web site safe sockets layer (SSL) encrypted?
  7. Are your e mail servers encrypted?

For extra detailed directions, I not too long ago wrote a HIPAA compliant dental website guide that ought to make it easier to out.

However in the event you can test the packing containers above you’re in fairly fine condition. There are extra duties related to HIPAA compliance, however relating to your web site being HIPAA compliant, this record is a good begin.

HIPAA compliance with affected person pictures

Affected person pictures which are identifiable in any means are thought-about PHI. Identifiable PHI may very well be a affected person within the background of a photograph, identify or initials, identifiable birthmarks and tattoos.

Affected person pictures used internally for coaching and documentation doesn’t require HIPAA consent. However, if the photograph is used externally for academic functions, i.e., at a seminar, a convention, or being despatched to a different medical skilled, you need to get a signed HIPAA consent form from the affected person.

An often-overlooked violation with affected person pictures is storage. The digital camera in your mobile phone is just not encrypted. ePHI should be saved with an encryption commonplace or AES 256. For those who take a photograph utilizing your mobile phone digital camera after which go away the workplace with the photograph saved in your cellphone, you violate HIPAA.

The options are the next:

  1. Get a signed HIPAA consent form with all affected person pictures.
  2. Take pictures utilizing a tool that by no means leaves the workplace and is encrypted.
  3. Obtain a HIPAA-compliant photograph app with accredited encryption requirements.

For those who’d wish to go along with possibility three we’ve developed a HIPAA photo app as a part of our social media advertising and marketing providers.

Posting identifiable affected person data to your social media accounts requires written authorization from the affected person for that particular photograph.

Some dental practices have sped up the affected person photograph authorization course of with a single common kind. Often it is a kind that’s included within the supplies {that a} new affected person indicators once they come to their first appointment and permits the observe to make use of any pictures for advertising and marketing functions.

Many dentists really feel that this ‘common kind’ checks off the HIPAA compliance field, but it surely’s essential to do not forget that the affected person is the one who brings a criticism.

If a affected person doesn’t keep in mind signing the shape giving specific authorization for a social media publish with their PHI, it’s a must to ask your self, “Have you ever actually checked the field?”

One of the best and most secure motion is to get a signed consent kind for every photograph you publish to your social media accounts.

HIPAA-compliant fame administration

Responding to on-line affected person evaluations is likely one of the most complex areas of HIPAA compliance. The HIPAA Privateness Act was enacted in 1996, waaaaaaay earlier than social media and on-line evaluations.

The web has taken over, and a few of the legal guidelines within the HIPAA act appear out of vogue. For instance, a affected person provides your observe a Google evaluation and mentions that they acquired an implant. In accordance with HIPAA, you aren’t allowed to acknowledge that they’re a affected person. Effectively, it’s not like they’re not your affected person; they admitted it. Nonetheless, you’re not allowed to acknowledge it.

One of the best plan of action is to answer evaluations with vagueness.

Affected person Assessment: An enormous thanks to Dr. So & So. I’ve been coming to ABC Dental for greater than ten years. They’ve not solely been superb with me, however my husband simply had a full mouth reconstruction surgical procedure and is doing nice. We extremely advocate Dr. So & So.

Non-Compliant Response: Thanks a lot for being a valued affected person of our observe. We’re so glad that you simply loved your expertise. Your husband is certainly one of our favourite sufferers. We look ahead to seeing you once more.

Criticism Response: We’re devoted to delivering the very best oral well being care attainable. We love to listen to about constructive and profitable experiences. Thanks for the evaluation.

Responding to evaluations reveals that you simply care. Simply ensure not to acknowledge that the individual reviewing is a affected person of your observe.

If you wish to use the evaluation in your advertising and marketing then you need to get a signed HIPAA consent kind from the affected person.

HIPAA-compliant e mail advertising and marketing

Sending PHI by way of e mail doesn’t violate HIPAA. The OCR (Office of Civil Rights) says that if a affected person needs their PHI despatched to them by way of e mail, then the Coated Entities and Enterprise Associates should comply.

The OCR additionally states {that a} Coated Entity and Enterprise Associates ought to take ‘affordable steps to make sure that the affected person understands the dangers of sending PHI by way of e mail.

A dental observe wanting to remain compliant ought to do the next to make sure they’re crossing their T’s and dotting their I’s.

  1. Make sure that the server containing the emails is encrypted.
  2. Guarantee that there’s end-to-end encryption within the sending of emails.

Suppose a affected person requests PHI by way of an unsecured e mail course of. In that case, the affected person should authorize verbally or in writing that they perceive the dangers related to sending PHI by way of an unsecured technique.


Staying HIPAA compliant requires data of HIPAA rules and modifications or updates to the Privateness Rule. It is best to all the time seek the advice of along with your HIPAA lawyer. This publish is for academic functions solely and doesn’t represent authorized recommendation. Concerning the creator: Adrian Lefler is a dental marketing expert and a founding member of My Social Practice. He lives in Draper, Utah, along with his 4 tremendous snarky youngsters, skilled partner chef, one superior canine and one dumb canine.

– – –


Source link

About Author


We Bring The Latest Articles Every Day Here In This Website You Will Find Tons Of Articles Related To Dental Care

Leave a Comment