What is protected health information? A primer for healthcare providers
Providers must be careful not to reveal these 9 types of protected health information when marketing their practices online.
At a Glance
- Protected health information (PHI) refers to anything that could reveal the identity of a patient. Healthcare providers must not reveal a patient’s PHI without their written consent.
- When marketing healthcare services online, providers should avoid revealing any details that could compromise patient privacy and violate HIPAA regulations.
- If providers want to include patient stories or photos in marketing materials, they must obtain the patient’s written consent using proper legal forms and procedures. It’s best to consult an attorney to ensure compliance with HIPAA and other privacy regulations.
Although healthcare providers know the importance of engaging with patients online, many shy away from digital healthcare marketing for fear of accidentally violating the Health Insurance Portability and Accountability Act, or HIPAA.
The impact of HIPAA (protected patient information) is far-reaching. It protects a broad set of information about patients that ranges from their name to health status, medical history, physical appearance, and more. Patient age is also HIPAA-protected.
When it comes to your practice’s healthcare marketing, accidentally disclosing patients' protected health information (PHI) is a top HIPAA concern. According to The HIPAA Journal, 2 of the top 10 most common HIPAA violations involve revealing PHI.
Private practice is competitive, and you need a healthcare marketing strategy that includes responding to online reviews and engaging patients on social media. However, providers must take special care never to reveal PHI without patients’ written consent.
Below, we outline 9 types of PHI to help you feel more confident about marketing your practice online while safeguarding your patients’ PHI.
What are the types of protected health information?
Protected health information refers to anything that could reveal the identity of a patient. Although some types of PHI are fairly obvious — such as a patient’s name — others may be easier to accidentally reveal, such as a patient’s city or even county of residence.
When creating marketing materials, writing a blog, or posting to social media, ensure you avoid revealing the following information.
List of Protected Patient Data
1. Patient’s name or nickname
Using a patient’s name or nickname is a HIPAA violation. In addition to names and nicknames, using a patient’s social media handle or anything else tied to the patient’s name exposes their PHI and is forbidden.
2. Address or geographical location
HIPAA requires healthcare workers to withhold almost all information about a patient’s address to avoid revealing PHI. Privacy laws also forbid disclosing any geographic information about a patient more detailed than the state level, including a patient’s city and county.
3. Patient dates
“Is age HIPAA-protected?” is a common question in the healthcare industry, and the answer is yes. HIPAA protects almost all dates related to an individual and their healthcare treatment, including the date and time of a medical appointment and the patient’s age.
Privacy laws forbid you from revealing any of the following patient PHI:
- Birthdate
- Date of death
- Date of appointment
- Admission date
- Discharge date
- The exact age of a patient
4. Important patient numbers
Protected health information includes a patient’s contact information and any other number that could identify them. Here are a few important numbers that are considered part of a patient’s PHI that you should watch out for:
- Telephone numbers
- Fax number
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
5. Vehicle or device serial information
Revealing a patient’s license plate number is a clear HIPAA violation of a patient’s PHI, but so is identifying any other information about their vehicle, including color, make, or model. Be sure not to describe the vehicle in any way that might be identifiable to others. In a small town, any information about a vehicle could reveal a patient’s identity.
6. IP addresses, URLs, and social media
IP addresses, URLs, and social media handles are considered PHI and are protected under HIPAA. Make sure not to tag your patients or mention their usernames when sharing original content or commenting on other posts.
You also want to take special care not to share their website information or their personal email addresses.
7. Fingerprint or voiceprint
Protected health information also includes a patient’s fingerprint and voiceprint. Even if you never share a patient’s face or name, you can’t use their voice in promotional or other materials. Voices are unique indicators of who we are, and HIPAA protects voices because they could identify patients.
8. Patient photos
Naturally, you’d want to feature photos of your happy, satisfied patients on your website, but a patient’s image is PHI and protected under HIPAA, which states that photographic images violate patient privacy rights.
This is certainly true for photos of patients' faces but also remains true for snapshots of other parts of the body. This includes any photo of a patient, from a headshot to a picture of a hand or leg.
9. Anything else that compromises a patient’s identity
With enough detective work, most biographical information could reveal someone’s identity. Do not disclose a patient’s occupation, marital status, or information about their family, income, or race.
Additional tips for HIPAA PHI compliance
Most healthcare providers would never intentionally reveal protected health information, but it’s essential to be mindful of anything you share online.
Take, for example, the case of a private practice that has a close relationship with a long-time patient. For an upcoming milestone birthday, the practice posts a photo of the front office staff with this patient as an Instagram story and writes, “Happy 40th birthday to our dear friend!” Since age is HIPAA-protected, this would be a violation.
Or consider a provider who is trying to be more active on social media as part of their digital marketing strategy. They decided to start a Facebook Live from their office desk but didn’t realize that protected health information was visible in the background. This, too, would be a HIPAA violation.
If you want to include your patients in any of your practice’s healthcare marketing materials, be sure to speak to an attorney who can help create a set of best practices, including consent forms and retention of photographic rights. A patient must give you their written consent via the proper channels.
Although this post is intended to help healthcare providers, it should not replace the advice of legal counsel. Always consult your attorney or legal services team if you have doubts about whether your digital marketing efforts could violate HIPAA-protected PHI or otherwise put your healthcare practice at risk.