Marketing

Market Effectively–and Legally–to Your Patients

By Pamela Miller, OD, FAAO, JD

There are exciting marketing opportunities with social media, e-mail and texting. But before you “send,” protect your patients’ HIPAA privacy rights–and your practice, in the process.

With so much information about our patients at our fingertips via software like practice management systems and electronic health records and through social media platforms, it is tempting to market as much as possible without first considering the consequences to our patients’ privacy. The protections your patients are guaranteed under the Health Insurance Portability and Accountability Act (HIPAA) extend to the marketing you do. Here are some of my top tips for legally protecting your practice when contacting patients for marketing purposes. Remember, as with all legal matters, always consult with your state optometric board and your attorney before taking action.

Include Disclaimers When Marketing
Eye Health Products

Technology allows you to send e-mail to patients with specific eyecare needs, such as all contact lens wearers with astigmatism or all dry eye patients.

But when you send out a marketing piece about an exciting new contact lens that improves vision for astigmatic patients, or a new medication for dry eye, include a disclaimer that acknowledges that you will need to examine the patient first to determine if the new lens or medication is right for them.

Sample Wording:
“This product may or may not be right specifically for you. Only a thorough eye exam can determine if this is the right product for you. Give us a call today to book your next appointment.”

Use Discretion When Mailing

EHR gives doctors the ability to target promotions to patients with specific conditions. For example, you could send a communication about an upcoming sale on nutraceuticals to all patients diagnosed with macular degeneration or an educational piece to all patients with diabetes on the importance of regular exams. However, if you don’t take precautions, doing so could risk your patient’s privacy.

For instance, let’s say you send an open postcard via the postal mail to the home of a patient with diabetes. It states: “Ms. Jones, diabetes patients like you have to be careful, as you are at risk for many eye conditions including glaucoma and diabetic retinopathy. Call us now to schedule your next appointment.” If you are going to send such a communication, it must be in a sealed envelope, addressed specifically to the patient. Also, it is a good idea to get your patient’s permission in their records or on your web site in the form maybe of a sign-up sheet in the office or on your web site to receive this kind of super-targeted communication. Since the nature of the promotion is so revealing of the patient’s private medical history, it also is essential to verify that you have the patient’s correct address on file.

Since family and even roommates or housemates are liable to accidentally open a person’s mail, the smartest route may be to use more generic wording that does not call out the patient by name: “Diabetes is a disease that can cause complications to a person’s eye health and vision. If you have been diagnosed with diabetes, give us a call so we can assess your risk and help you maintain your eye health.”

Use Even More Discretion in E-Blasts and Text Messages

E-mail and text messaging makes marketing easier than ever, but, unfortunately, it also makes patient privacy mishaps much more likely. Unlike the postal mail that allows for sealed envelopes addressed specifically to the patient, e-mail and texting is more dicey. E-mail often is opened by people other than the patient in the form of an e-mail address that is used by a married couple, one used by a whole family or an e-mail address that is the patient’s work e-mail account and, therefore, open to review by the patient’s employer.

If you plan to do e-mail marketing, have patients “opt-in” by signing up to receive your communications, and if you plan to send messages targeted to their specific diagnoses, have them opt-in for that, too. Second, have the patient verify that the e-mail address you have on file is not only correct, but an address that they would feel comfortable having private information sent to. You might want to remind them that work e-mail addresses never have a guarantee of privacy which means an employer or even the insurance company that covers the patient’s health care could have access to any information sent.

Consider offering a consent form for patients to fill out prior to sending them private information electronically: “How would you prefer we contact you regarding your appointments and follow-up care (including prescription pick-up) and about your diagnoses or potential areas of concern – [ ] e-mail [ ] text [ ] regular mail? Please verify your e-mail ________ text_______ regular mail_______ addresses.”

Phone Lights Up with a Text Message, and Everybody Around Sees Your Diagnosis

Targeted marketing messages that reference a particular condition and are sent to a patient’s cell phone are even riskier. People carry their phones with them everywhere, so what happens when a patient is in a business meeting, at a party or in line at the grocery store and their phone lights up with a text message noting their recent diagnosis of glaucoma and how important it is for them to see the doctor regularly to monitor the condition? Like all other forms of marketing communication, ask patients permission to send text messages and then be sure to only send generic or general messages rather than messages that reveal a patient’s condition: “Glaucoma is a silent stealer of sight. Visit our practice to learn more about this condition and receive care to preserve life-long eye health.”

Beware of Messages Revealing How Much a Patient Has Spent in Your Office

Information about patients’ past purchases is not legally protected medical information, but it is information many patients do not want to share with others. Let’s say you intend to send trunk show invitations to all patients who spent more than $300 on frames during their last visit. The invitation, whether sent via postal mail, e-mail or text message, should not make reference to any dollar amount spent by the patient. For instance, you would not want to say: “Please join us for our Big Spenders Fall Trunk Show in which all loyal patients who spent at least $300 during their last visit will be rewarded with a 30 percent discount on their next frame purchase.” A better invitation: “As one of our most loyal patients, we would be honored if you attended our upcoming Fall Trunk Show Extravaganza.”

Carefully Monitor Your Practice’s Posts to Social Media Pages

When promoting your practice on your Facebook page, be careful not to inadvertently reveal private patient information. Just the fact that a patient is visiting your practice as a patient is protected information. If you post pictures of your office, don’t post pictures of patients who have not signed off on a consent form giving you permission to use their photo for marketing purposes. Similarly, don’t feature quotes from patients who have not given their consent to make those comments public for marketing use. You also need to be careful when sharing success stories about “unnamed” patients. When sharing these kinds of stories, it is possible for people to guess who you are talking about if you give enough identifying information, especially if you practice in a small town or the kind of neighborhood where everyone knows one another.

For instance, you may be revealing too much if you are telling a story about a recent emergency eyecare success that involved a patient doing renovations to the widow’s walk at the top of her house and that patient is one of the few or the only one in town with a widow’s walk, or a story of a patient injured while fixing a damaged awning to a restaurant everyone knows that patient owns.

Monitor What Others Post to Your Social Media Pages

You and your staff may be well aware of the kinds of photos, comments and stories that are legally safe to post to your Facebook page, but your patients have no such awareness. Up to a few times a day, check your most heavily used social media pages for potential trouble. For instance, what happens if a patient posts a picture to your Facebook “timeline” taken at your office that also shows a few other fellow patients seated around her? Or, what if a patient who had a great experience in your office not only enthuses about the help you gave her, but goes on to reveal the eye health issues that brought her best friend with her to the office that day? These are posts that, despite the good intentions and good free advertising for you, must be removed immediately.

As a safeguard, consider posting a sign prominently in your office that reads: “We respect the privacy of all our patients and request that you refrain from taking any photos without the express permission of the doctor or our staff. Thank you for your understanding.”

If you happen to have patients who are well known figures such as local officials or even more well known celebrities, beware of the likelihood that patients will use their cell phones to snap photos of the well-known people in your office and then post the pictures online to social media pages like your Facebook page, or even to their own Facebook page or elsewhere. Unlike your own social media pages, you don’t have access to remove photos from their accounts, but you should get in touch with the patient who posted the pictures and ask that they remove them immediately. If they don’t comply, you could even threaten a lawsuit as the photos violate the photographed patient’s privacy.

Don’t Reveal Private Information in Responding to Online Reviews

It is possible that a patient may reveal private medical information about himself in writing a review about your practice: “I recently got diagnosed with macular degeneration, and I was so excited to see Dr. Smith because she is known as the best macular degeneration specialist around here, but I was very disappointed. The exam didn’t seem that thorough and then the staff tried to sell me nutraceuticals that I already told them I didn’t want.” Even though the patient mentioned her diagnosis herself, don’t repeat anything about the patient’s private medical history in your response. Don’t say: “Sorry for your unfavorable experience, Mary. I know you said you have macular degeneration, but I didn’t see any evidence of it during your exam and you don’t have vision insurance and said you can’t afford to see another specialist, so there was nothing more we could do for you.”

A better response would be caring, but much more general: “Mary, I’m so sorry you were unhappy with the service you received in our office. We are eager to help you with all of your eye health and vision needs. We’d love it if you gave us a second chance. Please give us a call or e-mail our office about a convenient time when you could visit us again.”

Carefully Review Marketing Messages Prepared and Sent by Third Parties

Small businesses like independent ODs often use third party agencies or services to put marketing materials together and then send out the materials themselves. Remember, that even though you are no longer the one crafting or sending out the messages, your practice is still liable for the consequences. It is not the marketing vendor’s liability, money or reputation that is at stake; it’s yours. So, set up a protocol with any marketing partners that mandates that you, as practice CEO, must review and sign off on any marketing messages that are sent out in your name.

It is particularly important to retain control of your patient database when another healthcare practitioner or office may seek to advertise their services. For example, your local laser care center may offer to do a direct mailing to your patients at their own expense, touting your care and services as well as their own. The prudent practitioner should strongly consider whether he or she wishes to release their patient list. The better option would be for you to control the mailing (or e-mail) addresses, rather than releasing them to another office.

Train Your Staff Not to Violate Patient Privacy in Marketing

In many offices it is not the doctor or a third-party service but members of the doctor’s staff who post to Facebook, respond to negative reviews, and put together and send out e-blasts. For that reason, you must train your staff on the kinds of marketing messages that will not violate your patients’ privacy and what they should do if they notice that a patient’s private information has been compromised online by someone outside the practice.

Failsafe: Have a Person Outside Your Practice Review Marketing Messages

After you and your staff proof marketing messages, have an independent third party review them to ensure that the messages don’t come across as offensive or as suggestive that a patient personally has a specific condition.

Related ROB Articles

Make Your Office HIPAA-Compliant

Manage Angry Patients: Avoid Lawsuits

Protect Your Patients–and Your Practice–When Treating Minors

Pamela Miller, OD, FAAO, JD, DPNAP,has a solo optometric practice in Highland, Calif. She is an attorney at law, holds a therapeutic license, is California State Board-certified and glaucoma-certified to prescribe eye medications, and offers comprehensive vision care, contact lenses, visual therapy and low vision services. To contact her: drpam@omnivision.com

To Top
Subscribe Today for Free...
And join more than 35,000 optometric colleagues who have made Review of Optometric Business their daily business advisor.