HIPAA, Texting, and E-mail in 2023 PowerPoint PPT Presentation

Title: HIPAA, Texting, and E-mail in 2023


1
HIPAA, Texting, and E-mail Using Appropriate
Patient and Professional Communications
  • Jim Sheldon-Dean
  • Director of Compliance Services
  • Lewis Creek Systems, LLC
  • www.lewiscreeksystems.com

2
Agenda
  • Discuss how to handle patient communications
  • Discuss how E-mail and Texting can work under
    HIPAA
  • Identify guidance from HHS for patient
    communications
  • Identify HIPAA policies that may need to be
    changed
  • Discuss rights for electronic copies of
    electronic records
  • Learn about recent guidance and court decisions
    affecting how access to PHI is provided, and the
    allowable fees
  • Show the process that must be used in the event
    of breach
  • Learn about being prepared for enforcement and
    auditing
  • Learn how to approach compliance
  • QA session

3
HIPAA Privacy and Security Rules
  • Privacy Rule
    • 45 CFR 164.5xx, enforceable since 2003
    • Establishes Rights of Individuals
    • Controls on Uses and Disclosures
    • Access of PHI is a hot-button issue for HHS
    • New changes proposed in December 2020
  • Security Rule
    • 45 CFR 164.3xx, enforceable since 2005
    • Applies to all electronic PHI
    • Flexible, customizable approach to health
      information security
    • Uses Risk Analysis to identify and plan the
      mitigation of security risks

4
HIPAA Breach Notification Rule
  • Breach Notification Rule
    • 45 CFR 164.4xx, enforceable since February 2010
    • Requires reporting of all PHI breaches to HHS and
      individuals
    • Extensive/expensive obligations
    • Provides examples of what not to do on the HHS
      Wall of Shame:
      https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  • Combined Rules as of March 2013 published by HHS
    OCR:
    http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/index.html
  • 2013 Omnibus Update Rule, with Preamble,
    available at
    http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
  • 2020 Proposed changes for the Privacy Rule:
    https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html

5
How do patients want to use e-mail and texting
in health care?
  • Manage Appointments
    • Make/Change Appointments
    • Keep Appointment Calendar
  • Receive Test Results
    • By Message
    • By Secure Portal
  • Ask Health Care Questions
    • By phone, text message, e-mail, portal
  • Provide Health Care Information
    • By phone, message, portal, or App
  • Query Medical Records
    • Receive Detailed Records

6
How do providers want to use e-mail and texting
in health care?
  • Accessing/Receiving results and patient
    information
  • Interacting with the Hospital
    • Multitude of activities, schedules, requests,
      meetings
  • Keeping appointment calendar
  • Dictation
    • By phone and App
  • Personal Uses

7
So, what are we allowed to do?
  • Do what the patient (or their representative)
    wants
  • Meet HIPAA Requirements
  • Accommodate what you reasonably can
  • Meet the Patient's Needs
    • Communication with the office for Prescription
      Renewals, Scheduling, etc.
    • Discussion of particular health issues
    • Access of Medical Records, test results
  • Do what you can handle properly
    • For Patient Care
    • For Medical Records

8
Many Prefer E-mail to Telephone
  • Scheduling
  • Reporting of status
  • Inquiries about issues, treatments
  • Requesting copies of records
  • Communication of test results
  • Can be more accurate than the phone
  • Provides a documented record of communication

9
Three Issues with Plain SMS Texting
  • It's a Privacy thing: Patients may not appreciate
    the risks of loss of privacy
    • HIPAA requires you to do your best to meet
      patient preferences for communication method
    • Use Risk Analysis to evaluate and explain risks
    • It's a new technology and people will not
      understand it fully for quite some time
  • It's a Medical Records thing: Documentation is
    key to health care
    • Regular texting doesn't provide a paper trail of
      conversations and contacts
    • If it's part of patient care, it must be
      documented properly
    • Secure, traceable texting is essential when
      medical record information is texted
  • It's a patient safety thing: Triage of incoming
    messages is essential
    • Regular texting doesn't automatically route to
      the most appropriate individual
    • Texts may arrive at all hours, 24/7, and may
      include a variety of information and situations,
      including emergencies
    • Texting with patients must be managed to protect
      patients and provide appropriate service

10
Preventing E-mail and Texting Issues
  • Educate the staff as to the risks and what MUST
    NOT be sent via plain e-mail or text message
  • Establish secure, private e-mail and text
    messaging for professional information that
    includes PHI
  • Define policies for use of e-mail and texting
    • Require Risk Analysis for any uses of any e-mail
      or texting involving PHI
    • Include process for approving and monitoring uses
    • Include standards for allowable interactions via
      regular e-mail and texting
    • Identify secure services to be used where secure
      e-mail and texting would be appropriate

11
So, how do we handle texting with Patients?
  • One of several options:
    • Insecure plain old texting with limited/no PHI:
      must be limited to simple reminders without
      identifying details or provider information; may
      be sent by a 3rd party
    • Plain texting by preference of the individual
      ("Would you prefer to, despite the risks?"):
      more flexibility, but still should communicate
      the minimum necessary for the purpose
    • Using an informal but secure process: secure, but
      may have limited ability to interact and document
    • Using a secure communications platform that
      includes a secure texting App and process for
      patient engagement

12
Is it important to manage Individual Access of
records properly?
  • Yes, it is one of only two circumstances when PHI
    must be released, per Privacy Rule 164.502(a)
  • Yes, based on 43 enforcement actions since
    September 2019
    • http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cignet-health/index.html
  • Yes, in the 2012 HIPAA Audits, 3 of the top 5
    Privacy issues were individual access related
    • #1 Review process for denials of individual
      access to records
    • #2 Failure to provide appropriate individual
      access to records
    • #5 Disclosures to personal representatives
  • Yes, it was one of the few areas focused on in
    the 2016 Audits

13
Individual Access of PHI
  • Must have a process for individual to request
    access for free, with copies for a reasonable
    cost-based fee
  • Must have a process for managing denials of
    access
  • Must provide the entire record in the Designated
    Record Set if requested
    • Medical and Billing records used in whole or in
      part to make decisions related to health care
    • Exceptions for Psychotherapy notes, information
      for civil, criminal, or administrative
      proceedings, if harm may result, and other
      specific exceptions
  • Information kept electronically must be available
    in electronic format if requested
  • Lab results may be accessed by the individual
  • Access of PHI by individuals is a HOT BUTTON
    issue for HHS
  • Proposed Rule cuts the response time to just 15
    days!

14
Telemedicine and HIPAA
  • Using HIPAA-compliant, fully encrypted services
    under a HIPAA Business Associate Agreement is
    fully compliant for telemedicine use
    • Skype for Business, Updox, VSee, Zoom for
      Healthcare, Doxy.me, and Google G Suite Hangouts
      Meet
  • Can follow the usual processes for Risk Analysis
    and secure implementation, including a HIPAA BAA
  • HIPAA has allowances for emergencies and life
    threatening situations
  • Patients and providers LOVE Telemedicine! It
    will be with us after the emergency

15
Telemedicine, HIPAA and COVID-19
  • HHS has issued an enforcement advisory on
    telemedicine during the COVID-19 emergency:
    relaxed enforcement for using services that are
    non-public facing but may not meet HIPAA
    requirements (such as providing a BAA)
    • Apple FaceTime, Facebook Messenger video chat,
      Google Hangouts video, or Skype
  • BUT: Do NOT use public-facing services that are
    not private
    • Facebook Live, Twitch, TikTok, and similar
  • And once the emergency is over you will need to
    use HIPAA-compliant services, under a Business
    Associate Agreement, according to a HIPAA
    Security Risk Analysis
  • See
    https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

16
What is a HIPAA Breach?
  • 164.402: A breach is any acquisition, access, use,
    or disclosure in violation of the Privacy Rule,
    except if:
    • Unintentional internal use, in good faith, with
      no further use
    • Inadvertent internal use, within job scope
    • Information cannot be retained (returned intact,
      unopened, unviewed)
  • Not Reportable if:
    • Secured (encrypted) per HHS guidance, or
      destroyed
  • Otherwise Reportable unless there is a low
    probability of compromise based on a risk
    assessment, examining at least:
    • what the info was, how well identified it was,
      and whether its release is adverse to the
      individual
    • to whom it was disclosed
    • whether it was actually acquired or viewed
    • the extent of mitigation

17
What is a HIPAA Audit?
  • HITECH Section 13411 requires HHS to conduct
    periodic audits
  • Be able to show you have in place the policies
    and procedures required by the HIPAA Privacy,
    Security, and Breach Notification Rules
  • AND! Show you have been using them
  • 2-week notice! You must be prepared in advance
    or it's too late!
  • Round 1 conducted in 2012
  • For Round 2 in 2016-2017:
    • Desk Audits of 166 Covered Entities and 41 HIPAA
      Business Associates completed
    • Patient Access of information was one of the few
      areas examined
  • Future Audits have been cancelled but may be
    resumed
    • http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html

18
Where do we start?
  • Find out what people are doing already
  • Consider professional communications and patient
    communications separately
  • Document your processes for proper methods of
    communications with both patients and
    professionals
  • Secure all professional communications with any
    PHI
  • Offer secure patient communications
  • Develop and document the process for adopting and
    using insecure communications (plain e-mail or
    texting) if patients desire
  • Have a clear process for discussion of risks and
    indication of patient desires, with documentation

19
Your to-do list
  • Don't be in denial: willful neglect costs more
    than compliance
  • Accommodate individual rights
  • Review and update your policies and procedures
    per the rules
  • Establish your processes for Risk Analysis and
    Documentation
  • Document your communications policies and
    procedures
  • Update your Notice of Privacy Practices as
    necessary
  • Train staff in new policies and procedures
  • Document, document, document!
  • Conduct drills in audit and breach response
  • Make corrections based on results
  • Always have a plan for moving forward, and follow
    it!

20
Thank you!
  • Any Questions?
  • For additional information, please contact
  • Jim Sheldon-Dean
  • Lewis Creek Systems, LLC
  • 5675 Spear Street, Charlotte, VT 05445
  • jim_at_lewiscreeksystems.com
  • www.lewiscreeksystems.com
