Your Website's Contact Us Form
by Dr. Jeff Brown
Websites are designed to be marketing tools, not HIPAA compliant patient communication platforms. As you know, this doesn't stop patients, or prospective patients, from sharing all kinds of personal information via your website. While you can't control what people submit, you can control how you respond.
This article focuses on the scenario in which patients use your website's contact form to submit health information and/or makes clinical inquires.
The technical problem
The typical website sends you an e-mail containing whatever information the person submits. If the e-mail used to capture the website submission is not a secure HIPAA compliant e-mail application (indicated by a business associate agreement) or an EHR patient portal, then you shouldn't use the e-mail to carry on a conversation.
The problem escalates if your website hosting service stores the submission data (i.e., archives messages).
The information problem
As soon as someone sends information considered protected health information (PHI) you have a responsibility to safeguard said information, especially if you continue the conversation. Patient inquires mentioning symptoms or treatment is PHI, as are questions regarding appointments (more on this later).
When the patient initiates a communication containing PHI, your best bet would be to transfer the communication to a secure channel, such as a phone call or in-person office visit. Do this and you'll be in good graces with the HIPAA.
Note: Make sure your Contact Us form requires a phone number so you always have the ability to call the person in lieu of responding with an e-mail message.
The appointment problem
People love to schedule appointments online, but appointment information is clinical in nature so you should treat it in the same manner you would other clinical PHI. Therefore, when patients try to schedule appointments using your website, don't e-mail the patient back, call instead.
The HIPAA does not intend to limit people's ability to contact your business, nor does it state you cannot have a Contact Us feature on your website. The law requires only that you take reasonable measures to safeguard PHI, in whatever form you receive it.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.