HIPAA-Compliant Blogging

Got any good patient stories? Of course you do. If you’re a medical professional, you will have interesting stories from your practice, and it may seem natural to use them in your blog. In fact, one medical blogger wrote, “My life – and my blog – would be boring without patient stories… But at the same time, I wouldn’t want my own doctor to be publishing the intimate details of my illness on the internet, for anyone and everyone to read.”

That was written a while back, and I’m not going to mention where, because this medical professional may have changed her mind since then. HIPAA has changed since then. Yet that article is still readily findable online.

And that’s part of the problem. Your blog continues to be visible online for many years, and things may change. But HIPAA-compliant blogging really isn’t a big problem, if you handle it right from the beginning.

Why blog?

Blogging is the single most important thing you can do for SEO, the easiest way to produce content in the quantity required for effective content marketing, and one of the most helpful things you can do for your patients. Giving great answers to patient questions makes you more valuable to your patients.

That’s enough reason to make sure you have a blog on your website.

Here’s what else blogging can do:

  • Increase your authority.
  • Improve your reputation.
  • Increase patient trust.
  • Establish thought leadership.
  • Reduce the amount of time you and your team spend answering common questions.
  • Correct patient misinformation.
  • Increase connections with patients.
  • Remind patients of the need for regular checkups and tests.
  • Encourage ongoing learning among staff members.
  • Encourage community connections.
  • Help your website rank for more keywords.
  • Bring visitors back to your website more often, so you’ll be top of mind when they need you.
  • Reach new patients.

Don’t be discouraged from blogging by HIPAA concerns. It’s extremely valuable for your practice.

HIPAA-Compliant Blogging

The most important issue for HIPAA compliance is making sure that your blog never includes identifiable patient information. Obviously, you don’t include photos of your patient, his name or her address. But recognizable information doesn’t have to be that blatant.

Consider a blog post that starts like this: “A tough case came my way this week. It involved a high school cheerleader who was getting pressured about her body size — her fellow cheerleaders thought her natural slimness might be a sign of an eating disorder.” Area students and parents are very likely to know who you’re talking about, or to make guesses that could result in embarrassment for your patient.

An individual might recognize snippets of conversation, or a patient’s friends and family might recognize a diagnosis and put two and two together.

What can you do?

  • Fictionalize. Keep the important core of your story. In the case of the cheerleader, it might be about accepting people regardless of their body mass, or it might be the difficulty of deciding when you should confront a friend if you suspect self-destructive behavior. Either way, your patient doesn’t need to be a female high school cheerleader. Change up the details and create a new character.
  • Aggregate. Unless the patient story you want to share is extremely unusual, you’ve probably had many cases that would let you make the same point. Put them all together and make the point by talking about patients rather than one patient. “Over the years, I’ve seen dozens of patients who struggle with taking their medication as directed. Here are some steps that have worked for these patients” doesn’t identify any individual.
  • Use the second person. “Should you have a full-body scan for melanomas?” speaks directly to your reader, with no worries about identifiable information.

Document your policy.

It isn’t practical for most health care professionals to do their own blogging. Choose a blogger with experience in the field of health care and set up a system that gives you oversight when you need it. But you should also document your policy on blogging and social media, to cover not just your regular blogging service but also any team members who have personal blogs and staff members who share their work lives on social media.

HIPAA training for your staff is required. If your blogger hasn’t received a certificate for HIPAA training (I have), you might want to include your blogger in that training. Share the list of HIPAA protected health information with your blogger and ask that it be included in proofreading as a regular practice.

Check out HIPAA-Compliant Social Media for other points to keep in mind.







2 responses to “HIPAA-Compliant Blogging”

  1. Melissa anderson Avatar
    Melissa anderson

    Have you checked out the ONC tool for HIPAA risk assessments? Or Medcurity? The federal tool is a starting point, but was good to switch to Medcurity. It supports multiple users is very comprehensive. And they have a lot of customizable policies.

    1. Rebecca Haden Avatar
      Rebecca Haden

      Thanks for sharing! Looks like the Medcurity tool has helpful automation for larger organizations, while the ONC tool is the classic for everyone.

Leave a Reply