Why Healthcare Websites Need An Up-To-Date Privacy Policy
March 3, 2022
A comprehensive privacy policy isn’t just required by laws like the Health Insurance Portability and Accountability Act (HIPAA); it’s also the right thing to do, since it protects your clients and informs them of their rights. Therefore, you need an up-to-date privacy policy if you operate a healthcare website.
Read on to learn more about why healthcare websites need to have up-to-date privacy policies.
What Is a Privacy Policy?
A privacy policy is a legal document that shows how a company collects, uses, discloses, and manages its clients’ data. It also explains how the company will meet its legal obligations and how customers can exercise their privacy rights if it fails to meet these responsibilities.
The definition of personal data varies depending on the legislation but typically includes the following:
- Names
- Postal addresses
- Emails
- Dates of birth
- Payment details such as credit card numbers
- Social insurance numbers
- Location details, such as geolocation data and IP addresses
Why Do You Need One?
You need a privacy policy for your healthcare website because it’s required by law.
Most notably, the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires your healthcare company to create privacy policies and follow certain privacy standards and rules.
Additionally, other laws, such as the California Consumer Privacy Act (CCPA) and the European Economic Area’s General Data Protection Regulation (GDPR), require your company to have a privacy policy.
You should also have a privacy policy for your healthcare website because:
- It builds trust with clients: Having a solid privacy policy for your healthcare site will show existing and potential clients that you care about their privacy rights, which demonstrates you’re dedicated to transparency and ethics.
- It’s the right thing to do: Providing a privacy policy is the right thing to do as a healthcare provider. Clients need to know how they can change, add, or delete information they’ve given you and what you’ll be doing with their data.
Tips for Generating a Privacy Policy
Creating a robust privacy policy can be trying, particularly if you’ve never done it before. Here are some tips you should follow for generating a privacy policy:
Use a Privacy Policy Generator
One of the tools we highly recommend and love to use is Termly, an all-in-one compliance software that empowers you to generate privacy policies, cookie banners, and more.
If you don’t know where to start, consider using their privacy policy generator to create a privacy policy for your healthcare website. All you have to do is answer questions about how your healthcare business uses and handles customers’ data.
After you’ve answered all the questions, the generator will send you a finished privacy policy for your healthcare business.
Termly will save you a lot of time and energy since you won’t have to write anything from scratch. You can also have peace of mind knowing that it’s a policy crafted by experts.
Be Clear and Concise
As tempting as it may be to include complex language, avoid using legalese. Although privacy policies are technically legal documents, they need to be easily understood by your clients.
So keep things simple and address the reader directly. This lets them know what their rights are and what they can do if they have any questions or concerns about the way you’re handling their data.
Update Your Privacy Policy Regularly
Every time you change how you handle and process clients’ personal information, you’ll immediately need to update your privacy policy.
Let your customers know when the information is updated by sending out emails. You also need to state when the last review or update took place at the top of your privacy policy.
What Data Privacy Laws Impact Healthcare Websites?
The following data privacy laws impact healthcare websites:
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The HIPAA is a federal law that applies to the following types of organizations in the US:
Covered Entities: Any organization that transmits, creates, or maintains protected health information (PHI). PHI includes:
- Names, emails, and the other examples listed above
- Any dates (except years) that are directly associated with an individual, including date of discharge or admission, date of death, birthday, or the exact age of individuals older than 89
- Social security number
- Health plan beneficiary number
- Biometric identifiers such as voiceprints and fingerprints
- Full-face photos
Typical examples of covered entities include:
- Health care providers
- Health insurance providers
- Health care clearinghouses
Business Associates: Any organization that encounters PHI in any form over the course of work that it’s been contracted to perform for a covered entity. Examples include:
- Billing companies
- Faxing companies
- Shredding companies
- Management firms
- Cloud storage providers
- Attorneys
- Accountants
Here are some of the HIPAA rules you need to follow if the HIPAA applies to you:
Privacy Rule
The Privacy Rule establishes national standards for protecting “individually identifiable health information,” including patients’ mental or physical health, payment history, and medical treatments.
Specifically, the Privacy Rule:
- Requires you to create and implement written and easily-accessible privacy policies for your organizations and to notify patients about these policies in writing
- Outlines how you should use patient data, when you can disclose patient data, and to whom
- Guarantees patients the right to access most of their personal healthcare information and get copies of their medical records
- Requires you to provide HIPAA training for staff
Security Rule
The Security Rule builds on the Privacy Rule and tells you how to secure PHI. It requires your healthcare business to have three types of data security safeguards: administrative, technical, and physical. It also sets national standards for protecting electronic protected health information (ePHI).
Be sure to talk about these standards in your privacy policy. They will give your clients a better understanding of what standards you follow and how dedicated you are to protecting their ePHI and PHI.
Breach Notification Rule
The Breach Notification Rule requires your business to notify the Office for Civil Rights (OCR) whenever ePHI has been breached. A breach is defined as an impermissible disclosure or use that compromises the privacy or security of PHI.
Make sure to include information about how you will disclose breaches to the OCR in your privacy policy. This information will show that you care about your clients’ privacy rights and will give them a better idea of how your privacy practices work.
California Consumer Privacy Act (CCPA)
California’s CCPA imposes stringent consumer protections on companies, including healthcare companies. It is one of the most comprehensive data privacy regimes in the US.
The CCPA applies to companies that collect the information of California residents and meet one or more of the following thresholds:
- Have annual gross revenues of more than $25 million
- Make more than half of their revenue from selling Californian residents’ personal data
- Buy or sell personal data of more than 50,000 Californian residents per year
If the CCPA applies to you, you need to establish the following in your privacy policy:
- What personal data you have about your clients
- How you use this data
- How your clients can opt out of you selling their data
Like the HIPAA and the GDPR, the CCPA has a broad definition of personal information, referring to it as information that relates to, describes, identifies, is capable of being associated with, or could reasonably be linked with a particular household or consumer.
General Data Protection Regulation (GDPR)
Although it’s an EU law, the GDPR applies to your healthcare website as long as you process the personal data of EU residents, regardless of your location. That means you need to follow the GDPR’s strict standards whether or not you have offices in the EU. So, for example, a small clinic in the US that treats EU citizens or otherwise stores their data must comply with the GDPR. If the GDPR applies to you, you need to:
- Have a GDPR-compliant privacy policy that clients can access at any time.
- Notify relevant authorities about personal data breaches that may result in risks to individuals’ rights. If the risk is high, you have to send notifications to the data subjects as well.
- Obtain freely given, informed, unambiguous, and affirmative consent from clients before processing their personal data.
- Follow other GDPR requirements for collecting, processing, storing, sharing, and destroying personal data.
Like the HIPAA, the GDPR includes various information in its definition of “personal information.” For the most part, it overlaps with the HIPAA’s definition of PHI, so if the HIPAA already applies to you, consider the GDPR as an extension of the HIPAA requirements.
Why Do You Need to Keep Your Privacy Policy Updated?
You need to keep your privacy policy updated because your clients need to know their rights — as well as how you handle their data — at all times.
If you change how you store, manage, and share their PHI without updating your privacy policy, users won’t know how you’re currently processing their data. They also won’t know how to exercise the privacy rights they have.
Not keeping your privacy policy updated is also against most, if not all, privacy laws. As such, you can get heavy fines and other penalties for not updating your privacy policy.
Penalties for Not Complying With Privacy Laws
The various privacy laws each have different penalties for breaking their rules. It’s important to review and comply with their guidelines in order to avoid incurring these punishments.
HIPAA Penalties
There are two types of HIPAA penalties: civil and criminal.
Based on the level of negligence, civil penalties can range from $100 to a whopping $50,000 per record or violation, up to a maximum fine of $1.5 million per year.
Criminal violations of the HIPAA are handled by the Department of Justice. There are three levels of severity for criminal offenses:
- A $50,000 fine and one year in prison for covered entities and individuals who knowingly disclose or obtain individually identifiable health information
- A $100,000 fine and five years in prison for offenses committed under false pretense
- A $250,000 fine and 10 years in prison for offenses committed with the intent to use, sell, and transfer individually identifiable health information for malicious harm, personal gain, or commercial advantage
GDPR Penalties
GDPR penalties vary depending on which EU member state or states are involved. However, depending on the severity of the violation, you could receive fines of up to 20 million euros or 4% of the total global turnover of the previous fiscal year, whichever is higher.
For less severe violations, you may receive fines of up to 10 million euros or 2% of your entire global turnover of the previous fiscal year, whichever is higher.
CCPA Penalties
The CCPA imposes the following penalties for noncompliance:
- Maximum civil penalties of $7,500 for intentional violations: You will only have 30 days to resolve the violation after being notified by the Attorney General’s office.
- Maximum civil penalties of $2,500 for unintentional violations: You will also have 30 days to resolve the violation after being notified.
- Private lawsuits seeking between $100 and $750: For each breach incident involving their unencrypted or unredacted data.
The Right Tools for the Job
Every healthcare website needs to have a privacy policy. Not only is this required by privacy regimes around the world, but it’s also the right thing to do. Your clients deserve to know how you’re using their personal information and what their privacy rights are.
At Abra, we care deeply about our healthcare clients. Since 1999, Abra has brought state-of-the-art marketing to support them. Abra’s digital marketing program is designed to connect healthcare practices with patients they can help. It is also designed to provide practice owners and managers peace of mind.
In addition to making practices look great online, we are also vigilant about the less glamorous details that protect your practice. These details include website security, HIPAA compliance, and ensuring current protocols around online privacy are followed.
Abra uses several tools that use online data to help potential patients benefit from the information that could help them. However, we also follow best practices to protect visitor data and to inform visitors about how we use their data and how they can opt out.
—
Abra Marketing is a Bay Area healthcare marketing agency with focused digital marketing programs for orthopedic practices, medspas, cosmetic dermatology practices, mental health practices and general healthcare practices. We serve clients across the US since 1999.