If you re-purpose a third party review for your use, without the patient’s written authorization, and it has any protected health information (including, for example, little more than the patient’s name) for your site, you’d have a HIPAA problem. The fact that a review is already public is immaterial. The fact that you have disclosed protected health information without the patient’s authorization is material.
In my last post, we discussed how HIPAA impacts rules and regulations related to capturing reviews for posting online. We limited the discussion to working with vendors to help you capture and post online reviews. Such vendors must be HIPAA Business Associates. And if Protected Health Information is posted online, you need a formal HIPAA authorization to do so.
Onward to the final topic.
Telephone Consumer Protection Act (TCPA):
Everyone has a smartphone. Why not just send links to patients’ smartphones and have the patients post their online reviews directly?
Welcome to the Telephone Consumer Protection Act of 1991.
When passed, that law’s goal was to minimize telemarketing nuisances and junk faxes. The law has been updated to deal with smartphones.
Any business (or vendor that works with a business) that sends automated text messages must comply with TCPA. Get it wrong and the penalty is $500 per text or actual damages, whichever is greater.
Example: $500 x 1,000 texts = $0.5 million.
There is no statutory cap on damages. For lawyers, TCPA is manna from heaven.
TCPA gives a roadmap for compliance. Is the text message informational? Is the text message marketing material? If both, or ambiguous, one should assume it will be treated as marketing.
An informational text is one that is solely of benefit to the consumer (patient). An example would be a scheduling appointment reminder.
A marketing text includes any “material advertising of commercial availability or quality of any property, good, or services.” Does this include a link to post a review on an online review site? Who knows? But, given that penalties can be in the multi-millions, and that many insurance policies exclude such coverage, a reasonable approach is to treat such text messages as marketing messages, and comply.
To comply with TCPA for sending automated informational text messages, you need “prior express consent” from the patient. This is typically easy. If the patient voluntarily gives you their mobile number, you’ve complied.
To comply with TCPA for sending automated marketing (or combination informational/marketing) text messages, you need “prior express written consent” from the patient. This is a bigger deal. Such documentation and disclosure start to look like HIPAA authorization releases.
- Identify each specific seller to whom consent is being provided.
- Identify the consumer’s phone number.
- Indicate an affirmative agreement (i.e., I agree/consent).
- Disclose that the consumer is authorizing the seller to engage in advertising or telemarketing (i.e., offers for products/services).
- Disclose that the calls will be made using automated technology.
- Disclose that the consumer is not required to provide consent as a condition of purchasing goods or services.
- Obtain a written signature from the consumer (either electronically through E-Sign or handwritten).
To recap, if you work with a vendor to collect reviews, and they use automated technology to send text messages, don’t cut corners. Understand your obligations with prior express written consent. What a difference one word makes.
Our Series Comes to a Close
Our series on Capturing Patient Reviews and Pesky Regulatory Details comes to a close. I’d love to say there are no other constraints. Unfortunately, there are. This includes state medical licensing bodies that regulate advertising in the medical fields.
Still, I don’t intend to throw the baby out with the bathwater. I’m a fan of online reviews. They’re here to stay. Healthcare is no exception. Just asking patients to post reviews is hard work. Vendors have popped up offering technology to solve the problem. Before you ink a multi-year agreement, get comfortable that YOUR vendor understands and follows FTC, HIPAA, and TCPA.
Jeff Segal, MD, JD, is a member of MCSMN, founder of Medical Justice Systems, and CEO of eMerit.
We are in the middle of a three part blog series (to the right on this page) on Regulations Related to Capturing Reviews. The same principles apply. The 3 part series addresses HIPAA, Federal Trade Commission, and TCPA (under the FCC).
In my last post, we discussed how the Federal Trade Commission impacts rules and regulations related to capturing reviews for posting online. To recap, the guiding principle is not to pay for reviews. No money, no gift cards, no discounts on future goods or services. If you do offer such perks, you must disclose that in the review. Otherwise, both the patient and you may incur liability.
Onward to the next federal constraint.
HIPAA and online reviews is an entire topic unto itself. Here, I’m going to focus solely on working with vendors to help you capture online reviews. I’m not getting into responding to posts, positive or negative, in a HIPAA-compliant way. We can tackle that subject at a later date.
If you work with a vendor to capture reviews for posting online, HIPAA likely applies.
This means the vendor should be a formal HIPAA Business Associate and securely store and transmit Protected Health Information (PHI). Random HIPAA audits are here. Don’t take shortcuts.
What is considered Protected Health Information? Many things. It includes the patient’s name, their email address, OR their mobile number. Notice I used the word “OR” and not “AND.”
With few exceptions (defined by statute), any time you disclose such Protected Health Information to a third party, such as a vendor, either that party must be a HIPAA Business Associate, or you need a formal HIPAA-compliant authorization from each patient.
A valid HIPAA authorization must meet certain requirements (please don’t kill the messenger):
- Identify the disclosing health care provider,
- Identify the recipient(s)
- Label the purpose
- Define an expiration date or event
- (Can be electronic)
- Must include:
  - failure to sign will not affect treatment or payment for treatment;
  - may revoke the authorization at any time;
  - information may no longer be protected by HIPAA once disclosed.
- Must be a stand-alone document
To bring this home, when working with vendors to help you gather and post online reviews, if Protected Health Information is transmitted:
- The vendor must be a HIPAA Business Associate and securely transmit and store PHI
- If the vendor is not a HIPAA Business Associate, you need a valid HIPAA compliant authorization from each patient to disclose Protected Health Information
- Even if a vendor IS a HIPAA Business Associate, if they disclose PHI, you/they will need a valid HIPAA-compliant authorization to disclose that information, in this case, a review, to the public.
We’ll tackle one more constraint imposed by federal agencies and statutes in Part 3.
Disclosure: Jeff Segal, MD, JD, is a member of MCSMN, founder of Medical Justice Systems, and CEO of eMerit.
Online reviews have changed the consumer landscape in influencing buying decisions. Healthcare is affected by the same dynamic. Healthcare marketing departments have embraced online patient reviews as the next new thing. Such reviews provide valuable information for quality control, marketing, public relations, and risk management.
A Marketing Department’s mission often collides with the Legal and Regulatory Compliance Department. In spite of the natural conflict, coexistence is possible, as long as marketers are aware of legal and regulatory constraints.
We’ll tackle the alphabet soup of relevant federal agencies and statutes over three posts: the Federal Trade Commission, HIPAA (as enforced by the Office of Civil Rights for the Department of Health and Human Services), and the Telephone Consumer Protection Act.
Let’s get started.
Federal Trade Commission (FTC):
The FTC mandates that if you pay a person for an online review, the reviewer must disclose the payment in the review. And payment is interpreted broadly. It includes a discount, free services, or a gift.
Assume a doctor offers a $25 Amazon gift card to any patient who writes a post that successfully lands on Google reviews.
A review that would get the attention of the FTC might look like this:
“Dr. Smith saved my mother’s life when he came to the ICU at 2AM.”
A review that would comply with FTC guidelines might look like this:
“Dr. Smith saved my mother’s life when he came to the ICU at 2AM. He also gave me a $25 Amazon gift card to write this review.”
While compliant, it looks like the review was bought and paid for. That’s precisely why the FTC frowns on paying for reviews.
Simple rule of thumb. Don’t pay for reviews. And remember, payment means any consideration, including discounts and gifts.
We’ll tackle other constraints imposed by federal agencies and statutes in Part 2 and 3.
Disclosure: Jeff Segal, MD, JD, is a member of Mayo Clinic Social Media Network, founder of Medical Justice Systems, and CEO of eMerit.
I think your larger point is the most salient. If one is going to run with a sms marketing campaign, use an experienced vendor that understands the regulations. Then run it by counsel who understands FCC related issues, including TCPA.
My cautionary tale was focused on some vendors that promise the ease of sms texting to capture reviews when they have made no effort to educate on the need for upfront explicit written consent. Some of these vendors have never heard of the acronym TCPA.
Finally, the FCC rules for TCPA were updated in 2015 (though they are still being appealed). Unfortunately, the updated rules are not friendly for sms text marketing. FCC Commissioner Michael O’Rielly was quoted “I am beyond incredibly disappointed in the outcome today. It will lead to more litigation and burdens on legitimate businesses without actually protecting consumers…by bad actors.” His vote did not carry the day.
Be cautious about using any system which uses texts to solicit and capture reviews for posting to online sites. These are governed by TCPA (Telephone Consumer Protection Act). These rules were recently updated (2015) and require upfront written explicit consent to solicit any text based reviews for marketing. And reviews which end up on online sites would likely meet that criteria. The required documentation is extensive and rivals HIPAA authorization for disclosing protected health information. The difference is that TCPA violations (unlike HIPAA) allow a private cause of action and class action status. Each text sent without prior written consent can trigger a $500 fine. This can add up quickly and insurance generally does not cover it. Lawyers can sniff the money.
In Kolinek v. Walgreen, Walgreens settled a class action suit for $11 million. What horrible thing did Walgreens do? A consumer provided his mobile number to Walgreens when he picked up a prescription. The pharmacist allegedly stated the number would only be used to verify his identity for future refills. Walgreens then sent text messages reminding the consumer to pick up his refills. (Here, the number was not actually used to “verify his identity”; it was just a helpful reminder about refills.) The consumer filed a TCPA class action lawsuit. Multimillion dollar settlement. By the way, each consumer received about $20. The lawyers received millions.
I’ll speak with Dan about doing a webinar on regulatory concerns vis a vis capturing reviews in healthcare. Will address HIPAA, TCPA, and Federal Trade Commission.
We’ve collected over 150,000 reviews for our clients (eMerit). These reviews are uploaded to the dominant review sites typically found on page one of a Google search. For those practices that have embraced the process, we can document upward movement in two domains: (a) If you’re a new patient, did you find the doctor on (and choose the doctor from) the Internet? (b) If you found the doctor the traditional ways, friends/family/referring doctor, did you still go to the Internet to validate your decision? This translates into new patient volume and revenue, decreased “leakage”, improved staff morale, and easier recruitment process for bringing on new talent. I attached three case studies.