Every center knows that patient brokering is illegal, but many other common marketing practices in the addiction treatment space are also illegal. Most centers are doing at least 3 of the below and don’t even realize they’re illegal.
Some bad practices, like the HIPAA violations, come with a penalty of a $5,000 fine per violation. So if you send out a mass email to all 27,000 of your contacts, and it has a HIPAA violation in it, that’s a fine of $135 million!
We highly recommend you look over these common mistakes and conduct a full audit of your marketing practices to ensure you’re not doing anything that might get you in trouble. Remember, when it comes to the law, pleading ignorance is the same as pleading guilty. The onus of the law is on the center and its staff.
Caveat: I am not a lawyer and none of the below should be construed as actual legal advice. Consult an attorney whenever in doubt on compliance and risk.
1) Displaying Logos of Insurance Companies on Their Site
I can hear you already. “Everybody does this,” you say to yourself. And you’d be right.
But that doesn’t make it legal. Blue Cross Blue Shield (this includes Highmark, CareFirst, and other plans under the BCBS umbrella), in particular, is a stickler for this. You do not have legal permission to use the logos of other companies on your website unless they’ve given you express written permission to do so. Otherwise, it’s copyright infringement and a trademark violation.
Now, most insurance companies are actually going to ignore this. For them, it’s kind of free branding. But, if they wanted to, they could all sue for trademark violations.
We have had several clients contacted by BCBS with a cease and desist letter asking them to remove all mention of them from their website. And I don’t mean just the logo, I mean all mention of them from the site in reference to being an accepted insurance by our client center. We tried removing just the logo and BCBS sent a follow-up letter a week later stating that even the company name needed to be removed if it implied connection to treatment services.
2) Paying for Plane Tickets or Travel
This is a super common practice, but illegal. You cannot incentivize someone for a healthcare service. This is especially true if you take any kind of policy a federal employee might have; Blue Cross Blue Shield is a common one here.
Some centers will tell you that there is a loophole and you simply need to have the client provide a promissory note guaranteeing they will repay you for the cost. However, in a court of law, the intent is just as important as the written document.
So if a court audited your records and found that you had hundreds of these promissory notes, and not a single one had been collected upon, you would still be liable. In the eyes of the court, the clear-cut evidence showing you never collected on a single note proves that you had no intention of ever doing so and had entered into the arrangement under false pretenses.
3) Using images from Google Image Search
This one should be obvious, but we still see it done fairly often. We’ll look at a new client’s website, Facebook cover photo, or other media and find images they don’t have copyright or licensing agreements for.
You cannot just do a Google image search and use whatever image you’d like. Images are automatically copyrighted to the creator under US law, even if they never actually filed to copyright that image.
However, the good news is that there are many copyright-free websites out there like Pixabay or Pexels. In addition, most stock images cost around $1, so there is simply no reason to expend time and effort sourcing free images.
4) Copying Testimonials from Other Sites
Another common practice is going to Yelp, Google Reviews, or Facebook, and then copying those reviews over to your site. This practice is expressly against the terms of service of said review sites and they could take legal action against you.
In addition, the reviewer has signed a user agreement with the review site, but not with your center. What you need to do here is reach out to that person and get them to sign a consent waiver allowing you to use the quote on your site.
It can be the exact same quote. It’s OK to copy the words once you have permission; it’s just not OK to screenshot the image on the review site and then display that image.
5) Using Client Likeness or Testimonials without Proper Waivers
Related to number 4, you obviously cannot post client or staff quotes and images without their written consent.
A general practice here should be that all employees sign a waiver during their onboarding process as part of signing their employee handbook.
For patients, you should also have them sign something during intake, or at least upon discharge. If you would like to use a client image or testimonial, it is also best practice to have them sign another document with the exact images or words in question. This leaves no doubt that they were in agreement.
Another important element to note here is revocation. There should always be some form of revocation clause where the patient has the ability to request that their image or testimonials no longer be used. If such a request is ever made, it has no effect on any previous use, but you would not be able to use the content for anything new.
6) Admissions Team Sending Group Texts with PII and PHI
Most larger centers we work with have at least a couple people on their admissions team. A very common practice is group texting about potential patients. So an inquiry may come in from the website, then Jamie will take the call. After taking the call, she reports back in the group text with something like, “Joanna Statz inquiring for son. Addicted to OxyContin. Insurance verified.”
That’s a HIPAA violation and illegal. You are attaching Personally Identifiable Information (PII) to Protected Health Information (PHI). The same goes for emails, by the way. Unless you’re running HIPAA compliant email with double-end encryption through a Microsoft Exchange Server, which I have yet to see a center doing, sending emails containing both PII and PHI is a large and unnecessary business risk.
The right way to handle this is to communicate the basic information, but leave out any health references. If you’re just transmitting their name and a verification of benefits, you should be OK.
Another way to do it would be to have codes. So maybe 13 stands for cocaine and 51 stands for alcohol. In that case, admissions staff just need to have a reference legend handy to decode the message.
7) Therapists and Counselors Emailing PHI and Health Information
Just like number 6 above, therapists and counselors cannot send personal information and health information in the same email. Any patient information needs to be communicated in person, on the phone, or through your EMR.
So it would be OK to send an email to the Director saying, “Please check my notes from today on Joanna Statz.” Or you could pick up the phone and call. Technically, you could also write a paper message if that somehow worked. The HIPAA compliance part comes into play whenever you transmit this information electronically.
That’s why patients have to sign separate waivers if you want to text them health-related information at any point.
8) Having a Comment or Message Section on Your Contact Us Page Form Fill
A lot of centers will have a standard Contact Us form like the one in the picture below.
This is putting you at risk for a HIPAA compliance violation unless the data transmission on your form is secured under HIPAA guidelines. Having reviewed dozens of client websites, I have yet to see a single one that had the necessary level of encryption already in place.
The issue here is that you have PII (name, email, phone), and the inquirer may add PHI, such as, “looking for rehab for a cocaine addiction.”
Even the How Can We Help box here is a violation if it contains drop-down options like “inquiring for myself” or “inquiring for a loved one.”
There are really two problems here. The data transmitted after the form fill is most likely not encrypted to a HIPAA compliant standard and it also most likely goes into a CRM, which is again not HIPAA compliant data storage.
One of the main purposes of your EMR is to store PII and PHI together in a HIPAA compliant format. So anytime you’re storing or transmitting those two pieces of information outside your EMR, you’re putting your organization at risk.
And, remember, by law, you are required to self-report any HIPAA violations. This doesn’t mean that you can just go ahead and do it because everyone else is and nobody you know has gotten caught. Each time you fail to report, you’re actually committing a separate infraction.
Maintaining a HIPAA compliant site is very expensive. Most companies start their monthly hosting fees at $1,000 a month. So a much cheaper option here is simply to remove such open comment boxes from the website entirely. If the potential patient submits only their PII (name, email, phone) and nothing else, you’re OK.
I should also note here that, technically, any covered entity should have a HIPAA compliant website regardless of whether or not they are accepting and storing PHI on it.
9) Buying Calls from Marketing Agencies
This one technically only applies to Florida at this time, though there is both state and federal legislation under review to ban it outside of Florida. The problem here is not that you are paying for an agency to deliver calls, but that you are paying an agency for calls from unbranded ads.
The way most of these “marketing agencies” work is that they do large scale TV or radio buys with ads. Then, they sell the call volumes from those ads to the highest bidder. Sounds kind of like patient brokering, right? Legally, it’s not the same, but ethically it’s pretty close.
Some of these agencies will also run outbound call campaigns, often using an auto dialer, and then transfer those calls to a center.
So the potential patient has no idea who they’re talking to and no idea if your center is a good fit for them; it’s just generic calls. From an ethical standpoint, any advertising that drives inquiries for the center should be clearly branded by that center with their name, logo, and contact information.
Again, I am not a lawyer and none of the above should be interpreted as legal advice.