Most dental practices understand much how HIPAA impacts their in-office procedures. But did you know that your website and marketing can make patient information vulnerable too? From contact forms on your website to tracking pixels to email and SMS marketing, your practice may be collecting and transmitting personal health information (PHI) from patients every day. But is that data protected up to HIPAA standards?
HIPAA requires more than just a simple password: when patient data is collected online it needs to be encrypted and stored in a HIPAA-compliant server; it must be accessible only to those who need it and those who will treat it with the same level of care as your medical staff; and it must not be visible to or stored by third parties who are not secured under a Business Associate Agreement.
Do you know if your website and marketing data meet these standards? If the answer is no, you may be putting your organization at risk.
Digital patient privacy is becoming a big issue
During the past few years, the government, attorneys, and media have directed more scrutiny than ever toward common web-based practices that leave sensitive information exposed to hackers or noncompliant third parties.
In the summer of 2022, The Markup, a national news publication, uncovered the fact that many large health systems were improperly using the Meta pixel to track sensitive data about visitors to their websites. Some of these organizations sent details such as the patient’s name, conditions, and doctors they were seeing back to Meta, the social media giant that owns Facebook and Instagram. This data was intended to improve their advertising campaigns, but Meta does not store data in a HIPAA-compliant manner. Moreover, Meta can then use the data collected about users for its own financial gain.
In response, the Department of Health & Human Services and the Department of Justice have taken an increased interest in protecting online patient privacy. Together, the two federal departments have released new guidelines, pursued organizations that have inappropriately gathered or sold data, and asked for increased funding to protect digital patient and consumer privacy.
Lawmakers across the nation are vigorously taking up the mantle of consumer and patient privacy. Many states have passed consumer privacy laws that are set to take effect in 2024, 2025, or 2026.
Taking digital patient privacy seriously will not only protect your organization from costly lawsuits (HIPAA breaches carry civil and criminal penalties with fines for every patient record exposed,) but will also future proof your organization. Dental practices must educate themselves to find a balance between patient privacy and effective marketing practices.
Audit your dental practice’s digital presence
Across your digital strategy, you’re likely using many different tools and platforms. Now is the time to consider:
- Do your website, marketing analytics, or other platforms collect any data that merit additional protection, especially under HIPAA? This may include name, phone number, email address, birth date, insurance information, and medical information.
- Often HIPAA-compliant tools cost more money. If you need to upgrade to a HIPAA-compliant tool, can you leverage that to collect more data and create a more robust marketing strategy?
- Do you have a Business Associate Agreement (BAA) on file with each company that either provides a platform to collect personal information or has access to patient information?
Embrace transparency
It is crucial to communicate openly with patients about how their data is collected and used. Some states have specific laws dictating how you must communicate this information.
- Review and update your privacy policy and/or terms of service.
- Consider opt-in cookie consent.
- Consider how you would provide a patient with their data if asked, and how you might erase it if asked.
Stay informed about new laws and regulations
Many states are passing new laws such as the California Consumer Privacy Act, and the HHS continues to update its guidance. Dental practices should review new consumer privacy laws that were passed, and the HHS’ new provisions requiring health-care websites to meet WCAG 2.1 AA standards by May 2026 (for large organizations) or May 2027 (for small organizations.) Be aware that these standards also apply to social media, email, and in-person communication. Your compliance teams and legal counsel needs to stay up to date. Seek additional legal resources, if needed.
Invest in forward-thinking practices and technology
For a long time, dental practices have been allocating most of their marketing budgets to advertising and design, while neglecting to invest in high-quality analytics. Investing in HIPAA-compliant tools and tracking technologies will help future proof your practice against upcoming state and federal laws and regulations. This investment will also enable you to collect richer and more connected data, empowering your organization to understand ROI better and allocate its budget more effectively.
