Keeping Compliance in the Picture
Dear Compliance Corner,
Before-and-after pictures are the cornerstone of our marketing strategy. We always take pictures of our patients before using Clear Aligner Therapy and after the course of therapy is complete— and we use those photos in a variety of ways to market our practice. We post them on a bulletin board in our office, we use them on our website, and we post them on Instagram. We want everyone to see our patients' wonderful results! Unfortunately, a patient recently complained about the use of her photos in an Instagram post and threatened us with legal action. She looks gorgeous! What's the problem? Could I actually get into trouble for posting these pictures?
Not So Picture Perfect
Dear Not So Picture Perfect,
Given the increasing use of social media, your question is especially relevant to dentists that rely on before-and-after pictures to market their practices. Over the last several years, not only has government enforcement increased in the area of patient privacy, but also, patients themselves have become highly sensitive to these issues. While you might have been surprised that a patient complained about her picture being posted on your Instagram account without her consent, it does not surprise us at all.
Understanding the Risks
Managing an unhappy patient is difficult, but handling a privacy-based lawsuit could be a nightmare, resulting in a huge jury verdict for what might seem like a minor infraction. In 2013, a jury in Indiana awarded $1.4 million to a plaintiff who alleged that her privacy was violated when a Walgreens pharmacist inappropriately shared the plaintiff's prescription history with her ex-boyfriend.
Moreover, many patients now understand that they can report privacy issues to state and federal government agencies, leading to timely, costly, and aggravating government investigations. In 2016, Complete P.T. Pool & Land Physical Therapy, Inc., a physical therapy practice in California, agreed to pay $25,000 and adopt a corrective action plan requiring regular monitoring and reporting to the government, to settle an allegation that the practice violated HIPAA by posting patient testimonials, including names and photographs, to its website without obtaining valid, HIPAA-compliant authorizations. The government investigation was triggered by a patient complaint in 2012.
Implementing the Solution
Given these risks, in order to adequately protect your practice, it is essential to obtain legally compliant authorization forms from patients before disclosing their photos. Even obtaining verbal permission will not suffice; neither will a hastily scribbled consent form. In order to be considered legally valid, the authorization form must include all the elements required by HIPAA and any other applicable state and federal laws. Many of these laws mandate the inclusion of exact language, without which the authorization is not considered valid. For example, HIPAA requires that the form include, in part, a "specific and meaningful" description of the information to be disclosed, a statement notifying the individual of his/her right to revoke the authorization in writing, and a date on which the consent expires.
To read the full article, please click the PDF link below.