Online Reputation Management Blog

HIPPA Requirements Pose Problems for Applications Developers

abstract  technology line hexagon vector background

The healthcare industry is only one of many fields that has begun using mobile applications and other technology to improve communications and the use of data. Many American biobanks, for instance, are now investing in software that allows them to manage and share the more than 300 million tissue samples in their systems, increasing the chances the information can be used to create new therapies and treatments.

As interesting as this is, however, you will likely be more familiar with how doctors are using mobile apps and technology to interact with their patients and promote healthier choices. Whether your doctor has recommended that you buy a Fitbit to help you track your exercise or you have noticed your doctor jotting something down on Evernote, there is no doubt that smart technology is becoming a common tool for people concerned with their health. But what if those devices and apps fell under the protection of the Health Insurance Portability and Accountability Act (HIPPA)? Would this change how we were able to use them, or even how they were created?

HIPPA is designed to safeguard protected health information, or PHI. PHI is defined as information that must be personally identifiable data, which is created, used or disclosed during the process of health care, such as a diagnosis or treatment. For this reason, covered entities, which include doctors, clinics, and insurance companies, are naturally required to be compliant with HIPPA standards. However, following an update in September 2013, people or entities that perform certain functions or activities which assist covered entities are also subject to HIPPA. As a result, application developers may fall into this group without even being aware.

Take Evernote as an example: if a patient uses the app to take notes on their diet, exercise, medication or other information and then shares the information with their physician to help them make changes, the app is technically being used for PHI and must be HIPPA compliant, even if it was not intended for that purpose. This would require the application developers to adhere to a number of physical, technical and administrative safeguards to avoid substantial penalties.

But following these guidelines isn’t as easy as it might sound. While other data security standards, such as those for payment cards, specifically list what individuals and businesses must do to be compliant, HIPPA generally requires entities to follow certain steps where “reasonable and appropriate.” This makes it difficult to determine which steps should be followed in different situations. To make matters worse, there is no official certification for HIPPA compliance, which means companies cannot be recognized as adhering to the standards. Thus, even accidental violations will likely only be discovered if the entity is audited by the U.S. Department of Health and Human Services, the same group that imposes the fines.

In response to this uncertain terrain, application developers are turning to a number of different options to ensure their products are HIPPA-compliant. Many are choosing to hire services like TrueVault, a protected database that has been designed to meet HIPPA standards. Similarly, companies like Google and Apple have begun designing their own usage terms, protocols and policies to keep PHI off of their databases; the App Store even states it will reject apps that attempt to use the HealthKit programming interface to store users’ health information on iCloud. Unfortunately, this can make it difficult for developers who use APIs like Google and Apple to create health-based apps that are HIPPA-compliant.

Currently, applications developers, healthcare providers, and policy experts are trying to determine the best ways to ensure modern technology follows security standards set for medical information. How can compliance be shared between databases and companies, for example? How can users be protected? The answers aren’t always clear or easy. But as apps and devices continue to appear, the need for new decisions and innovation is clear.

The Death of the Press Release Has Been Greatly Exaggerated

Death of the Press ReleaseTo borrow (quite liberally) from the inimitable Mark Twain, the death of the press release has been greatly exaggerated.   Press releases have historically been a key tool for attracting favorable media attention, shaping public perception, highlighting events or professional achievements and increasing brand awareness via media.

The first press release, authored by PR specialist Ivy Lee on behalf of the Pennsylvania Railroad, offered an account of a fatal train derailment that occurred on October 28, 1906.  As a form of damage control, Lee shared the press release was shared with journalists at the scene of the accident.  The press release was also published by the New York Times two days later, in its entirety.  How is that for influence?

The press release, as a tool for shaping public opinion and disseminating news, albeit with some spin, was born.

Fast forward nearly a century.  The Internet revolution disrupted nearly a century of public relations strategy and tactics by disaggregating news distribution from traditional print, radio and television media.  Today individuals and companies are empowered to share real-time news updates online via a company blog, Facebook, Twitter, Reddit and other social channels – sometimes to an even greater PR effect.

Amid persistent reports of falling newspaper circulation (and falling newspapers), declining TV news viewership, diminished radio reach, consolidation in the broadcast communications industry, pundits wondered aloud whether press releases were dead.  Even the Public Relations Society of America, representing 21,000 public relations and communications professionals across the United States, published an article last spring bemoaning the end of the press release.

Google also launched an assault on press releases and the presumption of weak content or over- optimization by SEO firms with the recent Panda 4.0 algorithm change on May 20, 2014.  Barry Schwartz, an SEO expert and Search Engine Land contributor, published a widely shared article asking whether Google was specifically targeting press release sites, noting that a number of well-known  premium press release distribution sites saw Google visibility drop between 60 and 70 percent after Panda 4.0.

With alternate channels for distribution of real-time news and announcements, declining visibility and widespread reports of the press release’s imminent demise, the question remains: Are press releases dead?

The answer is NO.

For small and midsize businesses, the press release is still the preferred and usually the only channel for garnering widespread coverage across a wide range of news sources, from print and broadcast media, trade journals, websites (including Yahoo!,, CNet News, Forbes & and social media.

Small businesses do need to have reasonable expectations about what to expect from a press release.

In the absence of significant breaking news, don’t expect the phone to be ringing off the hook with reporters looking to turn your press release into a news story.  However, many of our clients have successfully followed up a press release with targeted media outreach and parlayed the press release into future news coverage.

Targeted media outreach doesn’t mean a mass email indiscriminately sent to a list of journalists.  I’m talking about a phone call or a customized email to one reporter at a time, pitching story ideas about their company, client or competitors in real-time, using the press release as an introduction for a news story.

For larger companies, even those that have an in-house marketing/communications department or press liaison, access to PR firms and consultants and a rolodex of journalist contacts, the much-maligned press release is still relevant.  Larger companies publish a press release to garner near-certain same-day Google Page 1 media coverage.  The press release is also still a preferred format for highlighting new hires and industry-specific news that may not be of interest to a consumer or general interest news audience and serves as a multichannel complement to a broader corporate messaging initiative that may include advertising, social media marketing and other promotional activities.

And although the SEO value is diminished, third-party sites that republish the press release, in whole or in part, sometimes include “do follow” links even if the press release distribution site did not.

If press releases are still alive and relevant, are they worth the money?  Most press release distribution companies charge for base story distribution, and then charge additional for video, images, expanded reach to social media distribution channels and prominent journalists.  The average price for a premium press release ranges from $299 -$500 for 400-word press releases.

The price-value gap has left an opening for upstarts seeking to provide a better service at a lower price.  Qamar Zaman, founder and CEO of Submit Press Release 123, launched a low-price press release service starting at only $10.

“Using the concept of ‘frugal innovation’ we stripped out what’s not needed and added only what is essential for exposure and brand building, says Zaman, “leveraging high traffic web newswires, social media, video, and using the right terms and phrases to get the right reads, we packaged a product called KISS, which stands for ‘Keep it Simple for Searcher’ by identifying search intent on Twitter and helping businesses improve conversion (with their press release).”

By focusing on relevancy, reach and conversion, rather than relying on press releases as the primary medium for disseminating news, PR and communications professionals and business owners can benefit from some of the clear advantages of a press release for a reasonable price and steer clear from the “anything goes” free press release sites that proliferated until Google devalued these sites almost completely with the Panda and Penguin updates.

The modern press release may serve a somewhat different role in today’s communications playbook, but it’s still very much alive and kicking!

Interview with Crisis Communications Expert Deborah Fiorito

Deborah Fiorito, President of 20K Group in Houston, Texas is the latest crisis communications expert to join us at the Online Reputation Management blog.  Debbie was executive vice president and chief communications officer of Dynegy, Inc., and before that, she was senior vice president, Public Affairs, Chase Bank of Texas (now JPMorgan Chase). In addition, she has held senior-level communications positions at Apache Corporation and Mitchell Energy & Development Corp. (now Devon Energy).

What is crisis communications?

Communicating reactively immediately after, or in the hours or days, following an incident that threatens your organization’s reputation or ability to operate. I would draw the line between when that communications is “reactive” and strategic—that is, when the outbound communications becomes part of an overall plan to influence customer or stakeholder thought and/or behavior about the organization or company.

What are the biggest mistakes you see people and companies make when dealing with the media?

Do we have 400 pages here? The list of mistakes I’ve made, my firm has made and that ALL organizational communicators make is endless, mostly because the risks associated with making choices about how, when and what to communicate are so high during the stressful, chaotic hours following an incident. [Read more…]

Interview with Crisis Communications Expert Mark Lambert

I’m excited to invite Mark Lambert to join us for an exclusive interview on our Online Reputation Management blog.  Mark is president of Lambert Media, a communications consulting firm based in Louisiana. Mark has nearly three decades of communications experience, including several years as a reporter, editor and news executive in the print and broadcast fields and as the communications director of a large Louisiana state agency during Hurricanes Katrina, Rita, Ike and Gustav.

What is crisis communications?

Crisis communications is the process of making people aware of your point of view and persuading them to accept it in the midst of circumstances that are harmful or have the potential to be harmful to your reputation.

What are the biggest mistakes you see people and companies make when dealing with the media?

There are many mistakes people make, but most of them boil down to a lack of respect for the people with whom they should be communicating. This manifests itself in several ways, including:

  • a terse “no comment”
  • a prepared, distributed statement full of “lawyer language,” i.e., a bunch of hedging and passive-voice phrases that serve no purpose but to give the client wiggle room.
  • lying
  • half-hearted attempts or no attempt to show sympathy for victims
  • hiding from the media or not making key executives available
  • finger-pointing, blame shifting or transparent attempts to downplay present or future damage

How important is social media to your reputation management strategy?

I find that my clients are interested in social media more as an ongoing marketing tool than as a key communications strategy tool. However, more people are starting to understand the power of social media, and as it becomes more evident to key executives and administrators that social media can be a powerful and versatile tool, they become more willing to allow it to be a part of their strategy. The issue often is that top executives tend to be older and not as adept to social media as are the middle managers. I find that I have to persuasively pull some of my clients into social media.

What is the first thing a company should do when there is a PR disaster?

Ha! In my media relations seminar, I tell people the first thing they should do when there’s a crisis is to lock the lawyers out of the room. Many CEOs, executives, administrators, etc., are so focused on some inevitable looming court battle years down the road that they fail to see the problem in front of them. They lawyer up and inevitably make the situation worse.

The first thing a company should do is to stop acting like a corporation and Be Human. Demonstrate sympathy and caring for any victims. Get the facts, identify who your stakeholders are and communicate to those stakeholders in an appropriate manner. It is important to have a crisis communications plan, but it’s more important to be flexible to changing events. Too many crisis communications plans are so detailed and rigid that they fail to take into consideration that a crisis is a dynamic event.

How can CEOs help build and repair corporate reputation?

They have to have a vision of what their company is, and they have to share that vision with their employees, customers, vendors, etc. If the CEO says his company wants to be involved in the community in a positive way, how can he show it? Does he give his employees paid time to volunteer in schools, work at a food bank or at an animal shelter? Does he encourage customers to do the same through company-sponsored programs? You can fake a reputation for awhile, but if it’s just a stunt, you will be busted. Be real, and walk the talk.

What can employees do to help their company during and after a PR crisis?

This may sound harsh, but I believe the best thing employees can do is to hold their company’s leadership accountable for doing the things the leadership says it is going to do.

What can companies do to better prepare for a public relations crisis?

A crisis communications plan is a must. A good plan should:

  • detail the various stakeholders and message vehicles
  • lay out a simple org chart with duties relative to the crisis so employees know what to do and what is expected of them
  • identify spokespersons and guidelines
  • identify a specific communications vehicle (newsletter, intranet, e-mail) for employees

Many plans overlook the importance of communicating internally in a crisis. You have to let your own people know what is going on, and you should give them a channel of communications that is separate from the general communications vehicle.