Patient Testimonials: Are They Putting Your HIPAA Compliance At Risk?
A good client or patient experience can help boost your healthcare organization’s reputation and encourage others to seek your services. In the world of online advertising, posting the testimonial to your organization’s website or Facebook account might be the first step to promote the great services that your organization offers and the satisfaction of your patients and clients!
Before you post that client testimonial – STOP!!!
Did you get a signed authorization from the patient to use their information as a testimonial? One of the most monumental stories from 2016 so far was a $25,000 HIPAA enforcement penalty to a physical therapy organization for not having appropriate client authorization for the use of protected health information for client testimonials posted on a website. The violations from posting full patient names with full face photography without written authorization included:
- Failure to safeguard protected health information
- Impermissible disclosure of protected health information
- Failure to implement policies and procedures regarding patient information use and disclosure with appropriate authorizations
While no malicious intent was behind the posting of the pictures and names on the company website, not having proper authorization to disclose the patient information was the reason for the fine. In addition to the fine, the physical therapy clinic also has to:
- Create policies and procedures for all aspects of HIPAA and have them APPROVED by the Department of Health and Human Services (HHS)
- Distribute all policies and procedures to their workforce within 30 days of approval from HHS
- Get written certification from EACH employee that they have read, understand and shall follow the policies and procedures
- Create a policy that addresses 1) uses and disclosures of PHI for the website / social media pages; 2) a description of the process for obtaining the authorization; and 3) the creation of a valid authorization form
- Provide annual training to all workforce members
- Report ANY workforce violations of the policies and procedures to HHS within 30 days
- Remove all protected health information from its website!
Oh, did I mention this is FOR THE NEXT 3 YEARS!!!!
Simple steps that are missed in the process of authorization for disclosure of protected health information can not only cost an organization money, but also time and energy complying with the resolution agreement. If you are going to use client testimonials on your website or social media pages, it is very important that your organization creates a policy and procedure that addresses the process for obtaining a valid authorization from the patient prior to posting the information.
Planet HIPAA has created a FREE HIPAA Compliant Client Testimonial Authorization Form for your organization’s use! Make sure to also complete your policy and procedure that goes with the use of the form!
Client testimonials can be powerful for an organization. HIPAA doesn’t stop you from using them and talking about your satisfied patients. Instead, HIPAA mandates you get written authorization from your clients to post their protected health information on the organization’s website or social media page!
In the words of Eleanor Roosevelt:
“Learn from the mistakes of others. You can’t live long enough to make them all yourself.”