At a Glance
- Protected health information (PHI) refers to anything that could reveal the identity of a patient. Healthcare providers must not reveal a patient’s PHI without their written consent.
- When marketing healthcare services online, providers should avoid revealing any details that could compromise patient privacy and violate HIPAA regulations.
- If providers want to include patient stories or photos in marketing materials, they must obtain the patient’s written consent using proper legal forms and procedures. It’s best to consult an attorney to ensure compliance with HIPAA and other privacy regulations.
Although healthcare providers know the importance of engaging with patients online, many shy away from digital healthcare marketing for fear of accidentally violating the Health Insurance Portability and Accountability Act, or HIPAA.
The impact of HIPAA (protected patient information) is far-reaching. It protects a broad set of information about patients that ranges from their name to health status, medical history, physical appearance, and more. Patient age is also HIPAA-protected.
Below, we outline 9 types of PHI to help you feel more confident about marketing your practice online while safeguarding your patients’ PHI.
What are the types of protected health information?
Protected health information refers to anything that could reveal the identity of a patient. Although some types of PHI are fairly obvious — such as a patient’s name — others may be easier to accidentally reveal, such as a patient’s city or even county of residence.
“Although some types of PHI are fairly obvious, others may be easier to accidentally reveal. ”
When creating marketing materials, writing a blog, or posting to social media, ensure you avoid revealing the following information.
List of Protected Patient Data
1. Patient’s name or nickname
Using a patient’s name or nickname is a PHI HIPAA violation. In addition to names and nicknames, using a patient’s social media handle or anything related to the patient’s naming identity exposes a patient’s PHI and is forbidden.
2. Address or geographical location
HIPAA requires healthcare workers to withhold almost all information about the address of a patient to prevent revealing crucial PHI of a patient. Privacy laws also forbid the disclosing of any geographic information about a patient more detailed than the state level, including a patient’s city and county.
3. Patient dates
Is age HIPAA-protected?" is a common question in the healthcare industry, and the answer is yes. HIPAA protects almost all dates related to an individual and their healthcare treatment, including the date and time of a medical appointment and the patient’s age.
Privacy laws forbid you from revealing any of the following patient PHI:
- Date of death
- Date of appointment
- Admission date
- Discharge date
- The exact age of a patient
4. Important patient numbers
Protected health information includes a patient’s contact information and any other number that could identify them. Here are a few important numbers that are considered part of a patient’s PHI that you should watch out for:
- Telephone numbers
- Fax number
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
5. Vehicle or device serial information
Revealing a patient’s license plate number is a clear HIPAA violation of a patient’s PHI, but so is identifying any other information about their vehicle, including color, make, or model. Be sure not to describe the vehicle in any way that might be identifiable to others. In a small town, any information about a vehicle could reveal a patient’s identity.
6. IP addresses, URLs, and social media
IP addresses, URLs, and social media handles are considered PHI and are protected under HIPAA. Make sure not to tag your patients or mention their usernames when sharing original content or commenting on other posts.
“Make sure not to tag your patients or mention their usernames when sharing original content or commenting on posts. ”
You also want to take special care not to share their website information or their personal email addresses.
7. Fingerprint or voiceprint
Protected health information also includes a patient’s fingerprint and voiceprint. Even if you never share a patient’s face or name, you can’t use their voice in promotional or other materials. Voices are unique indicators of who we are, and HIPAA protects voices because they could identify patients.
8. Patient photos
Naturally, you’d want to feature photos of your happy, satisfied patients on your website, but a patient’s image is PHI and protected under HIPAA, which states that photographic images violate patient privacy rights.
This is certainly true for photos of patients' faces but also remains true for snapshots of other parts of the body. When promoting your healthcare practice, you may want to feature photos of your patients on your website, but a patient’s image is also PHI and protected under HIPAA.
HIPAA states that photographic images violate a patient’s privacy rights. This includes any photo of a patient — from a headshot to a picture of a hand or leg.
9. Anything else that compromises a patient’s identity
With enough detective work, most biographical information could reveal someone’s identity. Do not disclose a patient’s occupation, marital status, or information about their family, income, or race.
Additional tips for HIPAA PHI compliance
Most healthcare providers would never intentionally reveal protected health information, but it’s essential to be mindful of anything you share online.
Take, for example, the case of a private practice that has a close relationship with a long-time patient. For an upcoming milestone birthday, the practice posts a photo of the front office staff with this patient as an Instagram story and writes, “Happy 40th birthday to our dear friend!” Since age is HIPAA-protected, this would be a violation.
“If you want to include your patients in any of your marketing materials, be sure to speak to an attorney who can help create a set of best practices. ”
Or consider a provider who is trying to be more active on social media as part of their digital marketing strategy. They decided to start a Facebook Live from their office desk but didn’t realize that protected health information was visible in the background. This, too, would be a HIPAA violation.
If you want to include your patients in any of your practice’s healthcare marketing materials, be sure to speak to an attorney who can help create a set of best practices, including consent forms and retention of photographic rights. A patient must give you their written consent via the proper channels.
Although this post is intended to help healthcare providers, it should not replace the advice of legal counsel. Always consult your attorney or legal services team if you have doubts about whether your digital marketing efforts could violate HIPAA-protected PHI or otherwise put your healthcare practice at risk.
You Might Also Be Interested In
Learn how to create a seamless patient experience that increases loyalty and reduces churn, while providing personalized care that drives practice growth in Tebra’s free guide to optimizing your practice.