March 3, 2022
Read on to learn more about why healthcare websites need to have up-to-date privacy policies.
The definition of personal data varies depending on the legislation but typically includes the following:
- Postal addresses
- Dates of birth
- Payment details such as credit card numbers
- Social insurance numbers
- Location details, such as geolocation data and IP addresses
Why Do You Need One?
Most notably, the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires your healthcare company to create privacy policies and follow certain privacy standards and rules.
One of the tools we highly recommend and love to use is Termly, an all-in-one compliance software that empowers you to generate privacy policies, cookie banners, and more.
Termly will save you a lot of time and energy since you won’t have to write anything from scratch. You can also have peace of mind knowing that it’s a policy crafted by experts.
Be Clear and Concise
As tempting as it may be to include complex language, avoid using legalese. Although privacy policies are technically legal documents, they need to be easily understood by your clients.
So keep things simple and address the reader directly. This lets them know what their rights are and what they can do if they have any questions or concerns about the way you’re handling their data.
What Data Privacy Laws Impact Healthcare Websites?
The following data privacy laws impact healthcare websites:
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The HIPAA is a federal law that applies to the following types of organizations in the US:
Covered Entities: Any organization that transmits, creates, or maintains protected health information (PHI). PHI includes:
- Names, emails, and the other examples listed above
- Any dates (except years) that are directly associated with an individual, including date of discharge or admission, date of death, birthday, or the exact age of individuals older than 89
- Social security number
- Health plan beneficiary number
- Biometric identifiers such as voiceprints and fingerprints
- Full-face photos
Typical examples of covered entities include:
- Health care providers
- Health insurance providers
- Health care clearinghouses
Business Associates: Any organization that encounters PHI in any form over the course of work that it’s been contracted to perform for a covered entity. Examples include:
- Billing companies
- Faxing companies
- Shredding companies
- Management firms
- Cloud storage providers
Here are some of the HIPAA rules you need to follow if the HIPAA applies to you:
The Privacy Rule establishes national standards for protecting “individually identifiable health information,” including patients’ mental or physical health, payment history, and medical treatments.
Specifically, the Privacy Rule:
- Requires you to create and implement written and easily-accessible privacy policies for your organizations and to notify patients about these policies in writing
- Outlines how you should use patient data, when you can disclose patient data, and to whom
- Guarantees patients the right to access most of their personal healthcare information and get copies of their medical records
- Requires you to provide HIPAA training for staff
The Security Rule builds on the Privacy Rule and tells you how to secure PHI. It requires your healthcare business to have three types of data security safeguards: administrative, technical, and physical. It also sets national standards for protecting electronic protected health information (ePHI).
Breach Notification Rule
The Breach Notification Rule requires your business to notify the Office for Civil Rights (OCR) whenever ePHI has been breached. A breach is defined as an impermissible disclosure or use that compromises the privacy or security of PHI.
California Consumer Privacy Act (CCPA)
California’s CCPA imposes stringent consumer protections on companies, including healthcare companies. It is one of the most comprehensive data privacy regimes in the US.
The CCPA applies to companies that collect the information of California residents and meet one or more of the following thresholds:
- Have annual gross revenues of more than $25 million
- Make more than half of their revenue from selling Californian residents’ personal data
- Buy or sell personal data of more than 50,000 Californian residents per year
- What personal data you have about your clients
- How you use this data
- How your clients can opt out of you selling their data
Like the HIPAA and the GDPR, the CCPA has a broad definition of personal information, referring to it as information that relates to, describes, identifies, is capable of being associated with, or could reasonably be linked with a particular household or consumer.
General Data Protection Regulation (GDPR)
Although it’s an EU law, the GDPR applies to your healthcare website as long as you process the personal data of EU residents, regardless of your location. That means you need to follow the GDPR’s strict standards whether or not you have offices in the EU. So, for example, a small clinic in the US that treats EU citizens or otherwise stores their data must comply with the GDPR.
- Notify relevant authorities about personal data breaches that may result in risks to individuals’ rights. If the risk is high, you have to send notifications to the data subjects as well.
- Obtain freely given, informed, unambiguous, and affirmative consent from clients before processing their personal data.
- Follow other GDPR requirements for collecting, processing, storing, sharing, and destroying personal data.
Like the HIPAA, the GDPR covers a wide range of information in its definition of “personal data.” For the most part, it overlaps with the HIPAA’s definition of PHI, so if the HIPAA already applies to you, consider the GDPR an extension of the HIPAA requirements.
Penalties for Not Complying With Privacy Laws
The various privacy laws each have different penalties for breaking their rules. It’s important to review and comply with their guidelines in order to avoid incurring these punishments.
There are two types of HIPAA penalties: civil and criminal.
Based on the level of negligence, civil penalties can range from $100 to a whopping $50,000 per record or violation, up to a maximum fine of $1.5 million per year.
Criminal violations of the HIPAA are handled by the Department of Justice. There are three levels of severity for criminal offenses:
- A $50,000 fine and one year in prison for covered entities and individuals who knowingly disclose or obtain individually identifiable health information
- A $100,000 fine and five years in prison for offenses committed under false pretense
- A $250,000 fine and 10 years in prison for offenses committed with the intent to use, sell, and transfer individually identifiable health information for malicious harm, personal gain, or commercial advantage
GDPR penalties vary depending on which EU member state or states are involved. However, depending on the severity of the violation, you could receive fines of up to 20 million euros or 4% of the total global turnover of the previous fiscal year, whichever is higher.
For less severe violations, you may receive fines of up to 10 million euros or 2% of your entire global turnover of the previous fiscal year, whichever is higher.
The CCPA imposes the following penalties for noncompliance:
- Maximum civil penalties of $7,500 for intentional violations: You will only have 30 days to resolve the violation after being notified by the Attorney General’s office.
- Maximum civil penalties of $2,500 for unintentional violations: You will also have 30 days to resolve the violation after being notified.
- Private lawsuits seeking $100 to $750 from consumers: For each breach incident involving their unencrypted or unredacted data.
The Right Tools for the Job
At Abra, we care deeply about our healthcare clients. Since 1999, Abra has brought state-of-the-art marketing to support them. Abra’s digital marketing program is designed to connect healthcare practices with patients they can help. It is also designed to provide practice owners and managers peace of mind.
In addition to making practices look great online, we are also vigilant about the less glamorous details that protect your practice. These details include website security, HIPAA compliance, and ensuring current protocols around online privacy are followed.
Abra uses several tools that use online data to help potential patients benefit from the information that could help them. However, we also follow best practices to protect visitor data and to inform visitors about how we use their data and how they can opt out.
Abra Marketing is a Bay Area healthcare marketing agency with focused digital marketing programs for orthopedic practices, medspas, cosmetic dermatology practices, mental health practices, and general healthcare practices. We have served clients across the US since 1999.