HIPAA Myths vs. Reality: A Guide to Safe Communication Practices in Healthcare

1
E-mailing, Texting, and the Use of Personal
Devices By Health care Professionals HIPAA and
Privacy Myths vs Reality
Mark R. Brengelman, Attorney at Law,
PLLC Friday, February 16, 2024 100 p.m. Eastern
Time
Conference Panel
2
About Mark R. Brengelman

• Holds Bachelor's and Master's Degrees in
  Philosophy from Emory University, Atlanta,
  Georgia
• Earned a Juris Doctorate from the University of
  Kentucky College of Law, Lexington, Kentucky
• Served out a successful twenty-year career with
  state government in Kentucky, including. now in
  private practice since 2012
• Was a former Assistant Attorney General assigned
  to multiple state licensure boards in health care
  and other professions General Counsel and
  Prosecuting Attorney
• Has presented Continuing Education for over 50
  national and state organizations and private
  companies, including the Kentucky Office of the
  Attorney General, the Kentucky Bar Association,
  the National Attorneys General Training and
  Research Institute, the Federation of
  Associations of Regulatory Boards, and eight of
  its member associations in psychology, physical
  therapy, dentistry, nursing, veterinary medicine,
  emergency medical services, state licensed
  contractors, and athletic trainers
• Has represented all three branches of state
  government, a local municipality in governmental
  ethics, and now two state licensure boards
• Represents
• licensees before state licensure boards and in
  other professional matters
• two state licensure boards on the government
  side
• parents and kids in confidential child abuse and
  neglect cases, termination of parental rights,
  and adoption proceedings
• I help health care practitioners, kids/parents,
  and government agencies navigate the law and
  ethics and make the rules understandable as
  applied to them.

3
E-mailing, texting, and the use of personal
devices by health care professionals HIPAA and
privacy myths vs reality

• Introduction - based upon the content of this
  program, you will be able effectively to
  identify
• The basics of HIPAA privacy
• The basics of HIPAA and the use of electronic
  communications
• Examples of state licensure laws governing
  protected health information
• Elements of privacy notices and communications
  practices with patients
• Texting, e-mailing, and personal devices
• Bonus website confidentiality and privacy
  disclaimers for the health care practitioner.

4
E-mailing, texting, and the use of personal
devices by health care professionals HIPAA and
privacy myths vs reality

• Disclaimer! Goals of the content of this program
  what this does and does not cover
• Does provide a broad overview of HIPAA
  confidentiality issues and electronic
  communications for texting, e-mailing, and
  personal devices
• Does not cover everything about HIPAA, or HIPAA
  as applied to any specific health care
  profession, and
• Does educate the person attending to ask the
  right questions in their own state, health care
  facility, and profession about compliance with
  HIPAA confidentiality and the use of electronic
  communications.

5
E-mailing, texting, and the use of personal
devices by health care professionals HIPAA and
privacy myths vs reality

• The basics of HIPAA privacy.
• The basics of HIPAA requirements for patient
  records federal right of privacy.
• Confidentiality also involves
• State law privacy rights
• Medical confidentiality as found in state
  licensure laws, especially in mental health, less
  in physical medicine (such as physical therapy)
• Medical confidentiality found in national and
  state codes of ethics (most usually non-binding!
  Ex Elvis Presley impersonators code of ethics)
• Employment policies and human resources manuals
  of employers, and
• State rules of evidence for privileged
  communications.

6
E-mailing, texting, and the use of personal
devices by health care professionals HIPAA and
privacy myths vs reality

• The basics of HIPAA requirements for protected
  health information
• HIPAA was effective in April 2003 applied to
  health care providers who submit payment requests
  via electronic means
• Protected Health Information (PHI) for covered
  entities also covers independent contractors
  who are business associates does include law
  firms who hold medical records as PHI, and
• General definition PHI is any information held
  by a covered entity that concerns health status,
  provision of health care, or payment for health
  care that can be linked to an individual -
  interpreted rather broadly as to include any part
  of an individuals medical record or payment
  history.

7
E-mailing, texting, and the use of personal
devices by health care professionals HIPAA and
privacy myths vs reality

• The basics of HIPAA and the use of electronic
  communications.
• Overview of HIPAA as applied to electronic
  communication issues
• Health care professionals and their patients
  communicate among themselves and with each other
• Unique to health care as opposed to the general
  public, confidentiality of electronic
  communications is an issue for all health care
  practitioners
• Exception there is private information and
  there is confidential information, i.e.,
  protected health information
• E-mail for any business can be hacked creates
  more of a problem for covered entities
• State licensure boards take an interest in
  patient confidentiality especially in mental
  health.

8
E-mailing, texting, and the use of personal
devices by health care professionals HIPAA and
privacy myths vs reality

• Overview of HIPAA as applied to electronic
  communication issues
• Why use texting and e-mail? Reported in media 5
  Ways Home Healthcare Providers
• Grow by Texting Clients, Employees by Kenneth
  Burke (June 4, 2019) This is about texting.
• Texting is quicker response time is quicker
• Only 20 of e-mails are read by the recipient
  response time is slower. Example I ask that
  legal clients review e-mail and respond at least
  once per day, and if they go on vacation and
  something is pending I confirm their frequency of
  checking e-mail, or when they will be back to the
  office/home to do so
• A telephone call requires the recipient to be
  available at the same time as the caller, and
• A significant number of Americans depend on
  medical apps as part of their medical care 58
  of smartphone users have downloaded a health app.

9
E-mailing, texting, and the use of personal
devices by health care professionals HIPAA and
privacy myths vs reality

• Overview of HIPAA as applied to electronic
  communications common sense suggestions for the
  employer
• Do have an interdisciplinary team review your
  employment policies relating to confidentiality
  and electronic communications, including social
  media and related topics
• This should include an employment policy
  governing the employees use of electronic
  communications mentioning the employer or
  patients that goes through an employers wi-fi or
  computer system, as well as electronic
  communications between the health care provider
  and the patient
• Do include representatives from Corporate
  Compliance, Legal, IT, Human Resources, Risk
  Management, Finance, and similar departments on
  the interdisciplinary team
• Consider basic security and privacy risk
  prevention. For example issuing a smartphone
  or other personal device to the health care
  practitioner to minimize privacy risks devices
  that have to be kept secure, are maintained by
  your IT department, can be remotely accessed and
  wiped clean if needed because they are lost

10
E-mailing, texting, and the use of personal
devices by health care professionals HIPAA and
privacy myths vs reality

• Overview of HIPAA violations, with an emphasis on
  state licensure boards and agencies
• State licensure boards and agencies how state
  laws may apply to violations of confidentiality
  of Protected Health Information state laws as
  applied to licensed health care professionals
• Privacy interests in your root canal? Note
  medical histories of patients have the most
  private information (sexual history, medications,
  etc.) current medical records of current
  procedures may also be very confidential (current
  medications, etc.)
• Generic laws where HIPAA is never mentioned how
  generic laws for state licensure agencies may
  implicate HIPAA
• HIPAA sanctions for violations

11
E-mailing, texting, and the use of personal
devices by health care professionals HIPAA and
privacy myths vs reality

• Overview of HIPAA and electronic communications
  some takeaways
• Review the ways your staff may be using cell
  phones that introduces risk to patients and to
  the organization use of personal cell phones
  for business use and data sharing, and use of
  employer internet for personal use and data
  sharing
• Consider the best option for a cell phone service
  provider moving forward work with a provider
  experienced in government or health care
  organizations, and under contract
• Explore ways to train staff members who will be
  using cell phones at work start with clear
  employment policies and device-specific
  agreements (i.e., business laptop, cell phone)
  Im big on this
• Decide which uses of cell phones should be
  permitted by employees of different types of
  organizations employment policy not to use
  personal cell phone on employer internet service
  and allowing business use of cell phone on
  employees own internet service away from work
  and apply to all workers

12
E-mailing, texting, and the use of personal
devices by health care professionals HIPAA and
privacy myths vs reality

• Overview of HIPAA and electronic communications
  some takeaways, cont.
• Cover the essentials you need to include in your
  HIPAA policy concerning smartphone access and
  usage covers use of personal cell phones for
  business use, and use of employer internet for
  personal use
• Plan an efficient way to implement new training
  and policy on the use of cell phones and HIPAA
  throughout the organization handing out new
  business devices for employees will get their
  attention!
• What is a HIPAA compliant phone? May include a
  Business Associate Agreement for a package of
  services, including a telephone number that can
  send and receive texts that is HIPAA secure and
  compliant

13
E-mailing, texting, and the use of personal
devices by health care professionals HIPAA and
privacy myths vs reality

• Overview of HIPAA and electronic communications
  some takeaways, cont.
• Data sharing covers personal internet for
  business use and business internet for personal
  use
• Updates for 2022 see current enforcement
  discretion
• Business associate agreements should include
  e-mailing and texting by specific reference
• Call logs and PHI maintain these
• Texting and PHI use a secure and encrypted
  method
• Bring your own device (BYOD) cover this in
  your human resources policy
• Voice over internet protocol (VOIP) just
  another way to use the internet for phone calls,
  secure???
• Additional security measures IT specific
  firewalls and other measures
• Doctors and texting (i.e., physicians) same as
  other health care professionals, same rules!
• HIPAA policy for cell phones cover this in your
  human resources policy.

14
E-mailing, texting, and the use of personal
devices by health care professionals HIPAA and
privacy myths vs reality

• Overview of HIPAA and electronic communications
  some takeaways, cont.
• State licensure laws, professional codes of
  ethics, and the concept of confidentiality should
  be firmly ingrained in health care professionals
  psyches and work habits by now
• Direct communication with patients by the health
  care practitioner or their employees is
  relatively new
• When misused, electronic communications also
  carry legal risks that could negatively affect
  the organization and result in personal
  consequences for the individuals involved
  misuse is just another example of a HIPAA
  violation, and
• Most common consequence seems to be losing ones
  job.

15
E-mailing, texting, and the use of personal
devices by health care professionals HIPAA and
privacy myths vs reality

• What have we covered today?
• The basics of HIPAA privacy
• The basics of HIPAA and the use of electronic
  communications
• Examples of state licensure laws governing
  protected health information
• Elements of privacy notices and communications
  practices with patients
• Texting, e-mailing, and personal devices
• Bonus website confidentiality and privacy
  disclaimers for the health care practitioner.

16
E-mailing, texting, and the use of personal
devices by health care professionals HIPAA and
privacy myths vs reality

• Conclusions top takeaways
• HIPAA is not new - day-to-day basics of HIPAA
  should be routine
• Confidentiality is not new especially in mental
  health practice
• State licensure laws of health care professionals
  are not new these contain the most basic of
  mandates that can now be violated in new ways via
  electronic communications
• E-mail and texting are permitted with precautions
  only encrypted messages and methods demonstrate
  absolute compliance with privacy, and
• Warn patients about e-mail risks and get their
  informed consent, then limit the protected health
  information that is shared electronically by
  regular methods of e-mail and texting.

17

• Thanks for Watching

• Register Now

18
(No Transcript)