Privacy laws and regulations, the most important of which is HIPAA, are intended to protect patient information. This includes their medical information, photographs, lab results and correspondence. HIPAA provides many protections for the patient. The doctor has an obligation to explain and document the patient’s understanding and acceptance of the doctor’s duty to maintain patient privacy, and the patient’s rights and remedies. Your medical practice has a duty to secure patient information, and in some cases even pursue those who violate the regulations which provide such protections. Your practice also has an obligation to check a patient’s identify with their insurance coverage, in order to protect the patient against identity theft.
The commercial use of patient information or photographs in marketing your practice raises particular legal issues for plastic surgeons. Such information may inadvertently appear on a website, advertisement or patient outcome materials and pictures shown to new or prospective patients. Importantly, a breach of privacy is typically not covered by your malpractice insurance, so any judgments against you arising from such a breach of privacy are paid by you alone, and not paid by your insurance company. Breach of privacy claims are frequently made in conjunction with claims that the doctor (or the physician’s practice) was negligent in failing to protect private patient information. Because breach of privacy claims are not covered by insurance, the physician’s potential personal liability increases the pressure to settle the claim.
You must have specific written consent signed by the patient before you may use their protected information (including photographs) for commercial use. Your best protection is to diligently update forms and obtain the necessary consent forms for treatment, release of information, specific commercial use and photographic consent. Today’s marketing practices rely heavily on social media presence, online marketing and blogs to promote the doctor and the plastic surgery practice. Patients may recognize themselves in such materials and posts, even though their name is not mentioned.
As you will discover if you get sued by a patient, photographs contain digital metadata that remains tagged with the file, even though you may change the name of a file or photograph. It is imperative that you remove the metadata (“scrub it”) before posting or displaying any photograph, even if you have specific written commercial consent from the patient to use it. The metadata may become visible to the public in certain circumstances.
Also, keep in mind that the HIPAA consent for treatment and photographic documentation of their medical care is not sufficient and is not a satisfactory release when such photographs are used to promote the surgeon’s website, even if the photographs are intended to be used for educational value. The commercial use consent obtained from the patient must list specific uses of the photographs or other material, the length of time it will be used, where it is to be posted, and other distributions and uses of the photographs. Because a patient’s consent to use photographs may not cover all future mediums for commercial promotion and marketing, it is also useful to obtain permission from the patient to contact them by phone, texts or mail to renew the patient’s consent for such new uses of their photographs.