How Doctors Can Avoid 5 Marketing Landmines that Risk HIPAA & Regulatory Compliance
Date: Wednesday, April 26th
Time: 1:00pm CST
Maintaining compliance with HIPAA, TCPA, the FTC, and the host of other regulatory boards is complicated. An inadvertent error can result in massive fines, but there is much to be gained from a smart online strategy if you avoid the minefield of potential violations.
Slide 1 - Introduction
Hi everyone and welcome to today's webinar, How Doctors Can Avoid 5 Marketing Landmines that Risk HIPAA & Regulatory Compliance. My name is Michael Roberts. I'm the director of marketing here with P3 Inbound. I'll be getting us started here and getting our hosts set up. There's a couple of things I want to make sure we cover for this topic. It's very timely, very glad that we're getting a chance to go over this very important information.
On the sidebar you should see some information there where you have an option to ask questions. That's something that we will be having a Q&A at the end, so if you want to have any questions that you want to pop up there that's something that we'll all be able to see and to address at the end there, so feel free to please send along any questions you may have. If we don't get to it during this webinar we will be able to make sure that we're following up through email as well, so again, please feel free to ask any questions you may have.
Slide 2 - Hosts
Our presenters today are Dr. Jeff Segal and Scott Zeitzer. Dr. Segal is a founder of eMerit, an online reputation management marketing company, and Scott is the founder of P3 Inbound. It's an online marketing company which includes different things like web design, paid search, and content marketing. Both of these guys are very passionate about helping practices serve their communities more effectively, and both of them have been doing so for quite some time.
Guys, if you could please give us a quick introduction about yourselves and just tell us more about your background in health care? Dr. Segal, we'll start with you.
I'm Jeff Segal. I'm the founder of both Medical Justice and eMerit. I'm a neurosurgeon by training. I also have a law degree. In one sense I'm just still trying to figure out what I want to do with my life. But to make a long story short, Medical Justice is an entity that we formed to help people, help doctors, from being sued for frivolous reasons. I was sued one time for what I perceived to be a frivolous reason and began a long odyssey. I realized how difficult the medical legal process was, then if we could find ways to make it more palatable for physicians and dentists, that would be a great thing.
Medical Justice has been a passion but along the way I was introduced to one doctor who was being slammed on the internet, a website called MySurgeryNightmare.com. This began a second process for me to try and figure out what can be done to help doctors avoid mischief on the internet, and I learned at the same time that the internet can bring a great deal of good in terms of marketing to a doctor's practice, so eMerit is a culmination of that. It is a platform designed to tap into the voice of the patient, have it amplify to many of the review sites. In fact, we'll be talking about some of this today. So, that is my passion. My passion is keeping doctors out of harm's way but also helping great doctors get the word out to the world at large. Scott?
Hey there. I'm Scott Zeitzer. I'm the president of P3 Inbound. I've been in the healthcare industry for most of my adult life. I started out using my biomedical engineering degree to sell medical devices to orthopedic and spine surgeons. After working with these surgeons for 10 years, I saw a real need to help them with marketing their practices and getting good information to patients and helping them communicate more effectively with their patients. I formed P3 Inbound, which is an online marketing platform for medical practices.
All right. Let's launch and march forward. Next slide.
Slide 3 - Why This Matters for Healthcare Right Now
Marketing is something that a lot of practices don't think about, but I think gone are the days where you could just ignore it. You know, 20, 30 years ago if you just planted a flag, the world did beat a path to your door. All you needed to be was available, affable, and have ability, and you would have a successful practice. There really was no need to market other than to show up and do a good job and be available.
But the internet has changed this, and there are other seismic changes going on in health care right now in terms of the various relationships between referring physicians and those who are taking care of patients. We like to say that even if you're not actively marketing your practice, Google is marketing it for you, so why not take control over to the extent that you can take control over it?
I'm a believer. I do think marketing is a good thing for a practice. It's a good way for the world to find out what you do so they can have an understanding as to the type of skills you bring to the table and the types of experiences they will have when they see you. But what makes this challenging is that marketing does not take place in a vacuum. Marketing is beholden to a number of regulations. This would include HIPAA. It would include regulations from the Federal Trade Commission, medical licensing boards, dental licensing boards, Attorney Generals. The list goes on and on, and we'll talk about how to do marketing safely.
Marketing is a challenge with respect to this alphabet soup of regulatory bodies, and HIPAA is the most challenging for doctors, but it can be done. I think the first pearl I want to impart today, is why this is important, is that HIPAA is spelled H-I-P-A-A. The vast majority of the public spells it H-I-P-P-A, and perhaps that's some variation of something you would find in a zoo, but for all practical purposes HIPAA is H-I-P-A-A, and it's been around for approximately 20 years.
Now, for about at least 10 of those years HIPAA wasn't a big problem. It was a minor problem. What I mean by that? Well, when it launched HIPAA had a collection of rules with respect to how information needed to be kept private and confidential. The only way that patient information could be disclosed would be either with the patient's authorization, typically written authorization, or if there was a federal exception allowing you to disclose without the patient's signature.
There are a number of those. That would include financial information. It would include treatment information as well as operational information, so there are large buckets of things that can be done in health care where you really don't need the patient's permission to disclose information. Particularly from one doctor to another, if it's for taking care of the patient, but by and large marketing doesn't really fall into that. Marketing is heavily regulated, and the price for getting it wrong can be quite high.
10 years ago, 20 years ago, if you got it wrong you may get a note from the Office of Civil Rights, which is the federal branch that oversees HIPAA, and they would say, “This is what you did wrong. Please don't do it again.” But we didn't really see penalties, either civil or criminal penalties, and cash payments that needed to be made for any breaches of HIPAA, and that world has changed. That world has changed significantly, to the point that if you aren't thinking HIPAA as you address or divulge or disclose patient information, you get it wrong, there is a pretty good chance that somebody will be writing a big check. We want to make sure and give you the tools to think about HIPAA so that to the extent you are marketing—and we are big believers in marketing—you get it done right.
What about marketing? Well, we typically think of HIPAA as it relates to just the medical record, and the goal with HIPAA is not to take the medical record and post it out for the world to see. But it's hard to do this with marketing particularly, as we start thinking about online reviews, because if there's an online review, typically it's a patient who has posted it with protected health information. The default assumption is that if a patient has posted their protected health information out on a review site, that they've already outed themselves. Why couldn't you respond? Why can't you just acknowledge that this was indeed your patient and set the record straight?
Well, HIPAA doesn't allow you to do that, although it seems intuitive. It would seem intuitive that given that this patient has already established that they are your patient and they had a procedure done by you, you should be able to set the record straight. In fact, in America we say the solution to offensive speech is more speech, so you should be able to do it, but the way the rules of HIPAA are set up you cannot do that. You cannot respond specifically related to protected health information without the patient's written authorization.
Now, you can respond generally, and we'll spend a little bit of time talking about how to respond generally, but in terms of getting into a debate about the back-and-forth of what happened with health care, can't really do that. That's why all this is important right now and let's dive in a little bit deeper.
Slide 4 - Quick Review of HIPAA and its Regulatory Relatives
Hey there. It's Scott again, and yeah, as Jeff mentioned HIPAA came out way back in 1996 and there really wasn't active enforcement because there wasn't a lot of specific guidelines put together. By 2009 HITECH was enacted and by 2013 the HIPAA omnibus rule was in effect, which brought even more penalties for breaches, and audits were actively underway. Third-party administrators, TPAs, were now held accountable with significant civil and criminal penalties for failing to properly comply with requirements. I think the take away here is that penalties are being put out there, audits are underway, and it's not just about the practice. It's about the people with which you outsource to as well, and I think that's a critical issue that needs to be reviewed on a regular basis. Why don't we get to the next slide?
Slide 5 - What We Hope You Take Away
Everyone assumes that they're HIPAA compliant and that's a bad assumption. As I mentioned, enforcement is here, and taking the time to review for you and your third-party vendors is critical. Everything in-house may be good—may not be, you really do need to review it—but don't assume that because you hired someone to, say, make your website or to help you with some other marketing need, that they're automatically being HIPAA compliant. You are still responsible, which is critical. You are still responsible if something occurs.
Go ahead Jeff.
Slide 6 - Landmine #1
All right. Online reviews. Online reviews is something that nobody thought about 10 years ago. I know I wasn't thinking about it, but they have become the dominant path for marketing a practice today. Your website is your message to the world. Online reviews are your patient's descriptions of your practice to the world, and they both work hand in glove with each other, and they're both important, but online reviews are what your patients are telling to the world. It can be maddening to see what you perceive to be a work of fiction, exaggeration, or hyperbole about you online. I mean, if you're taking care of one to 2,000 patients a year don't be surprised if you make an occasional patient angry, and that occasional patient vents their spleen on the internet about you.
Now, the human instinct here is to tell your side of the story. It's to go ahead and get your side out so that the public will understand precisely what happened, but you cannot really do that. You can't describe or disclose what is protected health information without the patient's written authorization. I know people have tried clever ways with respect to having the patient sign an agreement in advance that if the patient does post something you'll be able to disclose. But, a patient can always withdraw their consent, or to not renew their consent, to disclose information. Even if they have given you that permission upfront, they may be able to take it away down the road. Whatever HIPAA giveth, HIPAA taketh away.
I know it is amazingly maddening. We just spoke with a woman this morning. She's a plastic surgeon. Her patient had an unusual complication but ultimately is doing well, and this plastic surgeon does not take kindly to being called a butcher, a charlatan, etc. on the internet. In point of fact this plastic surgeon is a very caring, adept surgeon that went to the end of the earth to help this patient, but the patient doesn't seem to be appreciative of that fact. They're just looking at the process. They didn't like the process and now they want the whole world to know.
HIPAA is different than other industries in, if I go to a hotel room and I describe the room as being disgusting, the Ritz-Carlton or the Holiday Inn are both free to respond to what I wrote. There is no HIPAA as it relates to the hotel business. Likewise, if I go to a restaurant and I say, “The food was horrible, the service was bad, and I got food poisoning,” they are free to respond. But with HIPAA it's challenging to respond. You can respond. There are ways to respond, but you need to be very careful.
In particular, you cannot even disclose that an individual was your patient. Let me repeat that because this is real important. You can't acknowledge that a particular patient was your patient. Now, many reviews are anonymous, or they're written anonymously, so you may be able to be more free in terms of how you respond if the patient has not given their name, but to the extent that there's information that would allow the public to connect the dots, then merely acknowledging that that is your patient could be a breach of HIPAA.
What are some ways that this would happen? Well, if the patient uses their initials but their picture is on there—we see this on occasion on Yelp—responding that, “Yes, I know you're my patient and I know we did X, Y, and Z, but here's what really happened.” That would be a disclosure, an unauthorized disclosure.
To take this even further, and this is a ridiculous example but it's a true story, there was the chief resident at the Scottsdale Mayo Clinic working in the emergency room, and a patient came in with some type of trauma, and on his penis as they were putting in the Foley catheter, there was a tattoo that said “Hot Rod.” The resident just took a picture of nothing other than the penis with the Foley catheter, but it said “Hot Rod,” and somehow it got out of the hospital confines. I don't know how because I don't think he posted it anywhere but I think he sent it to one other individual. That other individual sent it to other people. Before you know it, it was out on the internet.
You certainly can't see the patient's face. There's no name attached to it but the patient's tattoo artist says, “That's my patient.” Apparently, it's not a very common tattoo to have “Hot Rod” posted on the penis. The doctor was outed for having disclosed protected health information, and he was disciplined as such. This is not really, he was not disclosing as it relates to marketing. My point is it's very easy to do if you're not thinking about it. If you think about HIPAA, you'll not create a problem, but if you're not thinking about it and you're just thinking, “Is the patient's name acknowledged? Is the patient otherwise identified?” That's the way you need to figure out how to stay safe.
Next slide, please.
Slide 7 - Avoiding Landmine #1
Some tips with respect to the back and forth. Even if you have decided that you can get into the game and respond without revealing any protected health information, it probably makes sense just to say your piece and move on. There is no benefit in terms of having a deep debate with a patient when your message is really to the public at large. If the goal is to have your point made to the patient, the easier thing to do, and probably the more proper thing to do, is to pick up the phone and call the patient. If you call the patient you may be able to persuade them of the facts, but if you get into a detailed debate on the internet, going back and forth multiple times, you'll find a couple things happen.
One, it's very unlikely you're going to persuade the patient, and you will have turned a minor problem into a major problem. Number two, do not be shocked if people pile on. You end up looking like a bully, so if you're going back and forth three to four times, that sometimes is like a candle to a moth. Others who may have been on the fence in terms of wanting to react or respond will jump in, so you will have taken a minor problem and multiplied it. Just resist the urge. I like one and done. That's our motto. Get your point across and be done.
Those are negative reviews. What about positive reviews? Some people say it's good to respond to positive reviews, thanking the patient for, typically, the thanks. I'm actually not a fan of responding to positive reviews, only because most reviews will be positive, so it will require a greater time commitment to react and respond to them. Number two, you'll run out of authentic original material and soon you'll find yourself posting the exact same canned response, making you look inauthentic. If you were just thanking someone for the thanks, I would probably not do it. I think it probably is a good idea to respond one and done to negative reviews if you can do it without disclosing any protected health information, and you just need to be careful.
What is protected health information? It's not just the patient's name. Anything that could identify this particular patient, and that includes acknowledging that this particular patient was indeed your patient. It could be their email address, a phone number, their picture, a tattoo that says “Hot Rod” on various parts of the anatomy, all of these are part of the puzzle which can be used to actually identify this particular patient. Responding is okay, but do it carefully and don't reveal any protected health information, and I would limit it to one and done for negative reviews.
Next slide, please.
Slide 8 - Landmine #2
All right, so I do believe, and I think many share this belief, that reviews on third-party sites are probably the best way you can market your practice. Your website is your message to the world. The review sites are your patient's message to the world, and they both work together with each other. I think it's inarguable that having 100 reviews is better than having three reviews because if you only have three reviews there's a good chance that one or two of them may be negative and you will have what we call a denominator problem, meaning that you just don't have enough reviews, and when you get an inevitable bad review, there's not enough of a buffer of reviews to give a countervailing story, countervailing picture. You want a representative picture.
Many doctors say, “Wouldn't it be great if we could identify who in advance will just give me positive reviews?” There are indeed platforms that exist out there which will collect reviews, and if the review is a four or a five on a scale of 1 to 5, they then get passed on to the request, “Would you upload these to the internet?” which means that reviews that rate one, two, or three don't go up to the internet. Well, this seems like a good idea but it's not such a great idea.
Next slide, please.
Slide 9 - Avoiding Landmine #2
Here's why. When you filter a review, which ultimately gets uploaded to the internet, it then triggers several regulatory bodies to pay attention to this. That would include the Board of Medicine, the Board of Dentistry, the Attorney General, and/or the Federal Trade Commission. Why does this matter? Well, it matters because reviews online, particularly if you are soliciting them, are a source or a type of advertising or marketing. We've already established that reviews and marketing go hand-in-hand with each other, and if you're cherry-picking a collection of reviews so only the good ones get uploaded, the various regulatory bodies view that as potentially deceptive, and in a sense it is.
I mean, you are only letting the good ones go up and if you're going to do that, that should really be limited to your own website and a testimonial page. Everybody knows a testimonial is probably just the good stuff. You know, testimonials are cherry-picked, but reviews that are out there, particularly if they're solicited, should reflect a broad swath of the public at large.
This is more than just academic. This is more than just Jeff Segal coming up with a potential conclusion. This past year, and I can't recall if it happened in 2017 or the end of 2016, the New York Attorney General issued fines against two organizations, one of which was an urgent care center in New York, precisely for this problem, namely cherry-picking the good reviews for uploading to the internet. Between these two organizations, the check that had to be written, or the checks that had to be written, was up to $150,000.
There's no reason to do this. I think many of your patients will ultimately give you constructive and indeed positive feedback, and I think having an occasional negative out there is far better than having 100% positive reviews. My favorite adage to all of this is that the solution to pollution is dilution. Let me repeat that. The solution to pollution is dilution, and every surgeon who's listening to this will understand that particular phrase. You are going to get an occasional negative review that's out there. It's not the end of the world. The public understands you cannot make everyone happy. The way this is addressed is by having the other people, namely your happy people, participate in the conversation.
Next slide please, and Scott.
Slide 10 - Landmine #3
Hey there. I'm back. It's Scott. I seem to be the person bringing up the reminders of difficult issues, and audits are here. The turnaround to that is, if you're prepared, you will pass with flying colors, and part of that is just getting everything in place and preparing it so that you are ready if a question is asked. As I mentioned, auditing is occurring and the Office of Civil Rights is responsible for these audits. If you are “lucky” enough to be audited this is what you'll need to have.
One, the most recent HIPAA Security Risk Assessment, an SRA, and documented work plan to address any issues discovered in the SRA. That's number one. Evidence of documented HIPAA security and privacy policies and procedures, including evidence that your organization has implemented and is following the policies. Evidence that employees have received periodic HIPAA security and privacy training. We believe that this should be occurring at least once a year and you should be documenting that it is occurring once a year. Evidence of a security incident response plan.
The bottom line is that the potential for mistake is always there, but if you have the preparation and the documentation in place, the fines will be assigned accordingly. They will see that you are prepared. They will see that it is an honest mistake. They will see that you're not trying to avoid or trying to trick anybody, that simply a mistake was made, so I think the key thing here would be to be prepared with good documentation.
Let me go to the next slide, please.
Slide 11 - Avoiding Landmine #3
Get your practice HIPAA compliant. Conduct that SRA. Establish the HIPAA security and privacy policies, and provide the ongoing HIPAA training for your staff. Remember, just because you're doing it once a year and you hire somebody six months later, they haven't gotten any training. Part of your onboarding process should be HIPAA training as well.
It wouldn't hurt to present to your lawyer or your lawyer's office, and have them review all this documentation. It's better to be proactive than reactive. Maybe get another set of eyes to take a look at it as well. I think that's kind of critical here. The documentation, and being proactive about it, and keeping everybody in the loop, I think are critical to success.
Why don't we go to the next slide, please?
Slide 12 - Landmine #4
Marketing your practice with third-party vendors—that's me. I'm a third-party vendor. Jeff's a third-party vendor. Just because we're third-party vendors doesn't mean that you've ceded any kind of issues or potentials for fine because you're outsourcing to someone, as I mentioned earlier. The practice is ultimately responsible for HIPAA. There's an example that I've got of a plastic surgeon that took before and after pictures of his patient, and then the patient gave written authorization to use the photos on the website with the following restriction: that her eyes must be covered with a black stripe and her name not be revealed. Okay.
The surgeon's vendor had software to make these changes for the upload, and while the doctor's website—also managed by the vendor—honored these requests, Google somehow indexed the full set of pictures exposing the patient's full face and her name, so both were revealed in a search of the patient's name. Obviously not a good situation, and perhaps the vendor's software was inadequate.
The takeaway from there is like, hey, that's an issue for the practice as well as for the vendor. The practice had properly engaged the vendor with a formal HIPAA business associate agreement—critical—obligating it to appropriately safeguard protected health information as required by HIPAA and HITECH, and the agreement also indemnified the surgeon for any legal or regulatory fallout. I think that's kind of a critical point here out of all that. A mistake was made, but the business agreement was put together where the issues and fines would fall upon the vendor because of the way the business agreement was made.
Why don't we get to the next slide?
Slide 13 - Avoiding Landmine #4
There's this issue about these business agreements. They are business associate agreements, or BAAs, and you should make sure all your third-party vendors are signing HIPAA business associate agreements if they will have access to patient health information. They should probably be created and reviewed by your legal representative. I think, again, critical to make sure everybody understands the expectations that are appropriate, understands the issues surrounding HIPAA and the implications if they're not followed.
That's it for me. I can hand it back to Jeff.
Slide 14 - Landmine #5
Great. There we go. By the way, we have standard HIPAA business associate agreements we give to all of our clients. We have templates that we can share with any of you, if you just reach out to us. We'll have contact information at the end.
Well, right now we’re at landmine number five. This is the final landmine of the webinar, and it's related to the alphabet soup of other regulators that are out there. And some of you may have heard of this. I'm guessing most of you have not. TCPA is called the Telephone Consumer Protection Act, and it's overseen by the FCC, or Federal Communications Commission. The FTC is the Federal Trade Commission. These are all entities in Washington. And briefly, the TCPA was created 20 years ago to protect against junk faxes and telemarketers calling you when you eat dinner, but it also is implicated with use of platforms for texting.
Next slide, please.
Slide 15 - Avoiding Landmine #5
There are platforms that are out there that are reasonably cavalier, and they are used to give patients information, texting platforms to provide information that typically is helpful to the patient. When I go to see my dentist, I get a reminder related to an upcoming appointment as part of the scheduling software that they have, and the government suggests that if I have given my cell phone number to the practice, that's all I really need to do. That's informational texting but if texting is used for marketing, if texting is used for marketing, you need to get explicit upfront written permission from the patient to use the platform for marketing.
What might that look like? If texting is used to solicit reviews which were posted to third-party sites, which ultimately are used for marketing, then we believe you probably need to get explicit written consent upfront. Now, this is a hassle and I know most platforms don't include this, and most practices don't ask for it. To the extent you get it wrong, this is an expensive misstep. The price for getting it wrong is $50 to $150 per text that goes up, that goes out. Not a big number, but if you look at the number of texts that go out, you can see how that number would balloon dramatically in a very short period of time.
Class-action attorneys are always on the lookout for this. They're patients too, and if they see a practice engaged in this, they go from their patient hat to their plaintiff attorney hat and engage in class-action. There was a settlement not too long ago with Walgreens to the tune of $11 million. Walgreens thought that it was doing some type of informational texting, which is perfectly appropriate and permitted, but somehow exceeded the scope of what they were asking permission to do. $11 million was transferred from Walgreens to the class, and each particular plaintiff, each patient, got probably $10 to $30, mostly of Walgreens coupons, and the attorneys made off with a bundle.
Just be careful. We're not big fans of using texting platforms to solicit online reviews, unless it includes a mechanism to get the patient's written authorization upfront to use that for gathering reviews and marketing.
Then, my final point is related to the Federal Trade Commission. Don't pay for reviews. Don't give discounts for reviews. Don't give anything of value for reviews. The Federal Trade Commission actually says you can do it. It's okay, but it needs to be disclosed in the review, or else the doctor and the patient are both liable. So, what might a compliant review look like? It might look like, “Dr. Segal saved my life. Got to the intensive care unit in the middle of the night and I'm eminently thankful for his dedication to his patients and the profession. (Dr. Segal gave me a $25 Amazon gift card for this review.)”
That would be compliant, but by disclosing that I gave the patient an Amazon gift card, I've completely and totally devalued that wonderful review. So, I would argue: don't pay for reviews. Don't give discounts for reviews. Don't do extra procedures for patients or give them credit in your bank, in the doctor bank for reviews. You don't really need to do it, and it creates issues or problems. Will the Federal Trade Commission find out about it then beat a path to your door? Probably not, but most of these are complaint driven, disgruntled employees, ex-spouses, competitors. It's a pretty big laundry list.
Anyway, I'm going to close right here. I think five landmines is plenty. We don't mean to be Debbie Downers right here. I think our larger point is that marketing is a necessity for a practice in 2017 and beyond. There are things you need to watch out for and be careful about. That means selecting vendors who know what they're talking about to keep you out of harm’s way, people who are steeped in health care. With that, let me have Scott wrap up, do a conclusion, and then we'll take questions.
Slide 16 - Conclusion
Yeah, thanks Jeff. I agree with you. Don't hide from the internet and/or social media. There's really no way to do that. You will be defined by other people if you're not proactive about it. There are definitely risks. We talked quite a bit about that, but they are manageable as long as you've got people who have good experience with dealing with these issues. My perspective on this has always been that a well-informed and a well-educated patient is a happier patient, and that's what I know everybody is looking for. Ultimately, you and your patients will benefit. You need to paint a clearer picture and just set some better expectations, and I think that this can all be accomplished. But the critical part here, the critical take away here is, understand your risks, manage those risks, and work with people who do the same. That's it for me.
Great, and for me, but now it's time to listen to the public at large.
Slide 17 - Questions
Yeah. I have some good questions coming in, and I'm going to take the easy one, and then I'm going to give you guys all the hard questions.
Good. That's in line with your past activities. I appreciate that.
Exactly. Exactly. We have a question, “Is there going to be a recording of this webinar that we can share with the team?” Yes. We will have this recorded, and this information will be coming to you through your email. So the email that you used to register for the event, we'll be sending up follow-up information. That's the easy one, guys. You get the hard ones from here on out.
Here's a question, so going back to text messaging, we were specifically talking about trying to get text messages to solicit online reviews. This question was, “What about using text messaging for internal surveying only? Do you need to get written agreement beforehand as well?”
That's a great question. The TCPA, or Telephone Consumer Protection Act, is triggered by this, but that is not considered marketing information. An internal survey for use only inside the office is considered okay, so you don't need explicit written permission. You need just what is called “explicit permission,” and I know they sound the same, but the less restrictive is the one that's for information. That includes internal surveys and if a patient merely gives you their cell phone number that's considered explicit permission. Don't need that in writing.
You still have some issues as it relates to HIPAA, a separate law as it relates to texting, and it's probably helpful upfront when a patient first comes to a practice that they sign off on what you're capable of doing and what they want you to do. Most patients are pretty comfortable with texting and their emails. You just get it in writing. There's a template that can be used when the patient first sees you, and it says little more than, “Many patients are comfortable with texting and email. That is not considered a secure means of communication, but it's something that most patients like. If you fall into that category, let us know if that's okay with you.”
Once you get them to sign off on that, for the most part, for informational texts, the sky's the limit. You can keep doing that until they withdraw their consent. For marketing, it's a little bit deeper. You need their written express consent for the marketing, so it's a little bit more involved, requires more upfront planning. There you go.
Great. Very good. Thank you. We have another one. “What if we have a company that reaches out to patients that write negative reviews online? Is this okay?”
Repeat the question, so the company actually is acting as your agent reaching out to a particular patient online to, I assume, get more information, see what the problem is, and hopefully resolve the problem.
If that's what's going on, if they're acting as your agent, then they need to be deputized as someone who is a formal HIPAA business associate. Meaning, that the only way that they could really reach out to this patient is if they have enough information to know who they are, knowing that you're a patient, and knowing that they're a patient. Doing so would entail that they are working for you, and if they're working for you they need to be beholden to HIPAA, which means they need to be a formal HIPAA business associate, that five page document that Scott referred to earlier.
They can do that. They can do that in the same way that you could do it as a physician. If they're working as your agent, even though they are third-party, they are an arm of your organization with access to just enough information to help solve the problem, so yeah. It can be done, and I would think of it conceptually as someone who is potentially working in your office. They just happen to be an outsourced entity, but you definitely want to make sure that they are a HIPAA business associate because if they do little more than take notes, for example, those notes would be considered protected health information. And ultimately, you want to make sure that they don't take those notes and then display them on a billboard or sky-write across the city with what they've found.
As unlikely as that might be.
Okay, we've got one more question here. We've got a couple that we'll see if we have time for and again, we will have a video recording of this so if anybody needs to jump to another meeting or such. The question is, “If we don't actively solicit reviews, so with everything that we've been talking about here is the practice is being very proactive in getting out there and engaging people, but if we don't actively solicit reviews are we bypassing a lot of the risks noted here as it relates to HIPAA?”
Yes. I mean HIPAA's still there but if you're not marketing your practice and you're just waiting for the world to happen, then yes, you certainly don't incur much of the risk. I would argue that you're also forfeiting or forgoing much of the benefit, so it's not dissimilar to a surgeon who does a range of different procedures. If you've decided that you really can't stomach the idea of any patient ever having a complication, you may limit yourself to only the simplest procedures of all. In which case, you may or may not have a lucrative practice because, it certainly will be a smaller practice than one where you would take all comers and see all types of cases with all shapes and sizes.
But you would've certainly honored the constraint that you have, is that you don't want to incur much if any risk. It's the same thing here, that if you want to avoid marketing your practice and just sit on the sidelines, you will certainly minimize your risk, but I think you do so by forgoing so much of the benefit. And I would argue, because marketing can be done safely if you get the right partners, really the risk to benefit ratio is one that it really does still make sense to engage in active marketing.
Yeah, I'd throw my two cents in on that. Yes, you will avoid the risk. Obviously, you're not involved with the conversation, but because you're not involved with that conversation you're also losing control of your voice. I remember when I was at Johnson & Johnson as a sales rep there was, I believe that somebody in the legal office was saying that sales reps weren't allowed to do a particular activity, and I think it was as simple as writing down information for the upcoming day while they were on the road. They were afraid that the information could be lost, etc. I remember the vice president of sales saying, “You know, I know how to ameliorate risk. We can simply, everybody can just stay at home and not sell anything and then we'll never get sued.”
I always kind of took that with me. You can avoid going online and marketing. You can avoid any reputation marketing, etc., but if you do you will lose your voice, and so I think it's better to try to find the right balance, and it can be found fairly easily.
By the way, for those whose questions have not been answered, we will do our best to get answers to you and we'll try and get them posted either to, maybe to one of our blog sites so that everyone could benefit from the question that the individuals posed.
All right. Guys, thanks so much, and thank you to everyone that was able to join us. Again, we will have a video of this information. We'll also have follow-up information through written means as well. Thanks so much and have a great day.