5 HIPAA Pitfalls to Watch for at Your Blog

When you decided to use a blog at your website, you checked out the basics for HIPAA-compliant blogging, and you’re pretty confident that you and your blogger know the rules. Then you read that blogs have been used as evidence in malpractice suits, and you begin to wonder. It doesn’t hurt to check on your blog every now and then to make sure you’re staying on track. Start with these five HIPAA pitfalls. They’re not the first thing you’d notice, but they have tripped people up in the past.

1. Are your pictures betraying personal information? We love spontaneous snapshots from the office or classroom. We also really want a signed model release every time a client says that he knows everyone at his office is okay with sharing photos. When it comes to patients, though, the sharing issue can go much further than just making sure you’re not featuring your patient’s face in your photos. The photo illustrating this post, for example, is a stock photo. That guy probably isn’t a doctor. But imagine that you thought this would make an awesome pose for a physician in your practice — did you remember that X-rays are protected health information, and photos often enlarge very clearly? Or maybe you’re taking a cool picture of a latte with some excellent latte art… and it happens to be sitting on top of a stack of patient files on your desk. Did you notice the identifying information in the corner of the shot?  How about the photo of your clinic, with a license plate visible in the parking lot? Truth is, photos you take at your practice have to be scrutinized very carefully before use. Stock photos are often the safest option.
2. What’s going on in the comments? A popular blog can sometimes have lively discussions in the comments. You may figure that this is not your problem. If patients or medical professionals who aren’t on your team get gossipy in the comments, that’s their problem, right? Actually, no. If it’s on your blog, they’ve made it your problem. You, your organization, or your facility will be the publisher, even if you aren’t the one who wrote, “This is Ed Mercado. I forgot to pick up my colonoscopy results. Can I find them on this website?” Moderate comments, or have your web team do so.
3. Does it all add up? We have a client who likes to write about her daily experiences at work sometimes. It’s our job to make sure the posts she writes are SEO-optimized — and HIPAA-compliant. No post is published with any identifying information in it. But if you sometimes sail near the wind, you should consider that all the posts together could combine to allow someone to connect the dots. Write about seeing a celebrity in your rehab facility without naming names, write that one of your favorite celebrity patients is back, write that you brought a favorite flower to one of your rehab patients — someone in your community could put two and two (plus someone’s Instagram feed) together.
4. Double check your examples. Again, this shouldn’t be an issue with a professional blogger. If you write your own blog, though, it’s easy to miss indiscretions in your examples. If you’re talking about a specific medication, for example, and you give examples of people who might receive such a prescription, you may very well think of specific patients. Your focus is on the main point of your blog post. The examples just spring to your mind, and before you know it, you’re mentioning a Danish construction worker in his fifties, a teen age violinist, or a lawyer with numerous grandchildren. The details aren’t about the medication, but they might identify the individuals to readers in your neighborhood.
5. Snark alert! One thing we know about blogging — misery loves company! You can get all kinds of sympathy and support when you write about pet peeves or irritating experiences. This kind of story is another place where it’s easy to go overboard. Here’s an example from a recent blog post by a (sort of) anonymous physician: “Left their MRI reports/lab reports/small child in the car, has to go back to get them, and has no idea where they parked.” As a writer, you want to get all those intriguing details in. As a physician, you should notice that this is probably identifiable. In fact, this is the kind of thing that could cause several patients to decide it’s about them. Can you prove it isn’t?

If you check these potential HIPAA pitfalls, you are likely to catch any unintentional personal information.

And that brings us to one of the most important things about HIPAA-compliant blogging. Don’t dash off a post on your way out the door and publish it right quick. Set up an editing and compliance procedure that gives you time between writing and publishing. Your chances of catching any stray issues are much better.