Title: HIPAA Myths vs. Reality: A Guide to Safe Communication Practices in Healthcare
E-mailing, Texting, and the Use of Personal Devices by Health Care Professionals: HIPAA and Privacy Myths vs. Reality
Mark R. Brengelman, Attorney at Law, PLLC
Friday, February 16, 2024, 1:00 p.m. Eastern Time
Conference Panel

About Mark R. Brengelman
- Holds Bachelor's and Master's Degrees in Philosophy from Emory University, Atlanta, Georgia
- Earned a Juris Doctorate from the University of Kentucky College of Law, Lexington, Kentucky
- Served out a successful twenty-year career with state government in Kentucky, including. now in private practice since 2012
- Was a former Assistant Attorney General assigned to multiple state licensure boards in health care and other professions: General Counsel and Prosecuting Attorney
- Has presented Continuing Education for over 50 national and state organizations and private companies, including the Kentucky Office of the Attorney General, the Kentucky Bar Association, the National Attorneys General Training and Research Institute, the Federation of Associations of Regulatory Boards, and eight of its member associations in psychology, physical therapy, dentistry, nursing, veterinary medicine, emergency medical services, state licensed contractors, and athletic trainers
- Has represented all three branches of state government, a local municipality in governmental ethics, and now two state licensure boards
- Represents:
  - licensees before state licensure boards and in other professional matters
  - two state licensure boards on the government side
  - parents and kids in confidential child abuse and neglect cases, termination of parental rights, and adoption proceedings
- I help health care practitioners, kids/parents, and government agencies navigate the law and ethics and make the rules understandable as applied to them.

- Introduction: based upon the content of this program, you will be able effectively to identify
  - The basics of HIPAA privacy
  - The basics of HIPAA and the use of electronic communications
  - Examples of state licensure laws governing protected health information
  - Elements of privacy notices and communications practices with patients
  - Texting, e-mailing, and personal devices
  - Bonus: website confidentiality and privacy disclaimers for the health care practitioner.

- Disclaimer! Goals of the content of this program: what this does and does not cover
  - Does provide a broad overview of HIPAA confidentiality issues and electronic communications for texting, e-mailing, and personal devices
  - Does not cover everything about HIPAA, or HIPAA as applied to any specific health care profession, and
  - Does educate the person attending to ask the right questions in their own state, health care facility, and profession about compliance with HIPAA confidentiality and the use of electronic communications.

- The basics of HIPAA privacy.
  - The basics of HIPAA requirements for patient records: federal right of privacy.
  - Confidentiality also involves:
    - State law privacy rights
    - Medical confidentiality as found in state licensure laws, especially in mental health, less in physical medicine (such as physical therapy)
    - Medical confidentiality found in national and state codes of ethics (most usually non-binding! Ex.: Elvis Presley impersonators' code of ethics)
    - Employment policies and human resources manuals of employers, and
    - State rules of evidence for privileged communications.

- The basics of HIPAA requirements for protected health information
  - HIPAA was effective in April 2003; applied to health care providers who submit payment requests via electronic means
  - Protected Health Information (PHI) for covered entities also covers independent contractors who are business associates; does include law firms who hold medical records as PHI, and
  - General definition: PHI is any information held by a covered entity that concerns health status, provision of health care, or payment for health care that can be linked to an individual; interpreted rather broadly as to include any part of an individual's medical record or payment history.

- The basics of HIPAA and the use of electronic communications.
  - Overview of HIPAA as applied to electronic communication issues
  - Health care professionals and their patients communicate among themselves and with each other
  - Unique to health care as opposed to the general public, confidentiality of electronic communications is an issue for all health care practitioners
  - Exception: there is private information and there is confidential information, i.e., protected health information
  - E-mail for any business can be hacked; creates more of a problem for covered entities
  - State licensure boards take an interest in patient confidentiality, especially in mental health.

- Overview of HIPAA as applied to electronic communication issues
  - Why use texting and e-mail? Reported in media: "5 Ways Home Healthcare Providers Grow by Texting Clients, Employees" by Kenneth Burke (June 4, 2019). This is about texting.
  - Texting is quicker; response time is quicker
  - Only 20% of e-mails are read by the recipient; response time is slower. Example: I ask that legal clients review e-mail and respond at least once per day, and if they go on vacation and something is pending I confirm their frequency of checking e-mail, or when they will be back to the office/home to do so
  - A telephone call requires the recipient to be available at the same time as the caller, and
  - A significant number of Americans depend on medical apps as part of their medical care: 58% of smartphone users have downloaded a health app.

- Overview of HIPAA as applied to electronic communications: common sense suggestions for the employer
  - Do have an interdisciplinary team review your employment policies relating to confidentiality and electronic communications, including social media and related topics
  - This should include an employment policy governing the employee's use of electronic communications mentioning the employer or patients that goes through an employer's wi-fi or computer system, as well as electronic communications between the health care provider and the patient
  - Do include representatives from Corporate Compliance, Legal, IT, Human Resources, Risk Management, Finance, and similar departments on the interdisciplinary team
  - Consider basic security and privacy risk prevention. For example: issuing a smartphone or other personal device to the health care practitioner to minimize privacy risks; devices that have to be kept secure, are maintained by your IT department, can be remotely accessed and wiped clean if needed because they are lost

- Overview of HIPAA violations, with an emphasis on state licensure boards and agencies
  - State licensure boards and agencies: how state laws may apply to violations of confidentiality of Protected Health Information; state laws as applied to licensed health care professionals
  - Privacy interests in your root canal? Note: medical histories of patients have the most private information (sexual history, medications, etc.); current medical records of current procedures may also be very confidential (current medications, etc.)
  - Generic laws where HIPAA is never mentioned: how generic laws for state licensure agencies may implicate HIPAA
  - HIPAA sanctions for violations

- Overview of HIPAA and electronic communications: some takeaways
  - Review the ways your staff may be using cell phones that introduce risk to patients and to the organization: use of personal cell phones for business use and data sharing, and use of employer internet for personal use and data sharing
  - Consider the best option for a cell phone service provider moving forward: work with a provider experienced in government or health care organizations, and under contract
  - Explore ways to train staff members who will be using cell phones at work: start with clear employment policies and device-specific agreements (i.e., business laptop, cell phone). I'm big on this
  - Decide which uses of cell phones should be permitted by employees of different types of organizations: employment policy not to use personal cell phone on employer internet service and allowing business use of cell phone on employee's own internet service away from work, and apply to all workers

- Overview of HIPAA and electronic communications: some takeaways, cont.
  - Cover the essentials you need to include in your HIPAA policy concerning smartphone access and usage: covers use of personal cell phones for business use, and use of employer internet for personal use
  - Plan an efficient way to implement new training and policy on the use of cell phones and HIPAA throughout the organization: handing out new business devices for employees will get their attention!
  - What is a HIPAA compliant phone? May include a Business Associate Agreement for a package of services, including a telephone number that can send and receive texts that is HIPAA secure and compliant

- Overview of HIPAA and electronic communications: some takeaways, cont.
  - Data sharing: covers personal internet for business use and business internet for personal use
  - Updates for 2022: see current enforcement discretion
  - Business associate agreements should include e-mailing and texting by specific reference
  - Call logs and PHI: maintain these
  - Texting and PHI: use a secure and encrypted method
  - Bring your own device (BYOD): cover this in your human resources policy
  - Voice over internet protocol (VOIP): just another way to use the internet for phone calls, secure???
  - Additional security measures: IT specific firewalls and other measures
  - Doctors and texting (i.e., physicians): same as other health care professionals, same rules!
  - HIPAA policy for cell phones: cover this in your human resources policy.

- Overview of HIPAA and electronic communications: some takeaways, cont.
  - State licensure laws, professional codes of ethics, and the concept of confidentiality should be firmly ingrained in health care professionals' psyches and work habits by now
  - Direct communication with patients by the health care practitioner or their employees is relatively new
  - When misused, electronic communications also carry legal risks that could negatively affect the organization and result in personal consequences for the individuals involved; misuse is just another example of a HIPAA violation, and
  - Most common consequence seems to be losing one's job.

- What have we covered today?
  - The basics of HIPAA privacy
  - The basics of HIPAA and the use of electronic communications
  - Examples of state licensure laws governing protected health information
  - Elements of privacy notices and communications practices with patients
  - Texting, e-mailing, and personal devices
  - Bonus: website confidentiality and privacy disclaimers for the health care practitioner.

- Conclusions: top takeaways
  - HIPAA is not new - day-to-day basics of HIPAA should be routine
  - Confidentiality is not new, especially in mental health practice
  - State licensure laws of health care professionals are not new: these contain the most basic of mandates that can now be violated in new ways via electronic communications
  - E-mail and texting are permitted with precautions: only encrypted messages and methods demonstrate absolute compliance with privacy, and
  - Warn patients about e-mail risks and get their informed consent, then limit the protected health information that is shared electronically by regular methods of e-mail and texting.