Title: HIPAA, Texting, and E-mail in 2023
1. HIPAA, Texting, and E-mail: Using Appropriate Patient and Professional Communications
- Jim Sheldon-Dean
- Director of Compliance Services
- Lewis Creek Systems, LLC
- www.lewiscreeksystems.com
2. Agenda
- Discuss how to handle patient communications
- Discuss how E-mail and Texting can work under HIPAA
- Identify guidance from HHS for patient communications
- Identify HIPAA policies that may need to be changed
- Discuss rights for electronic copies of electronic records
- Learn about recent guidance and court decisions affecting how access to PHI is provided, and the allowable fees
- Show the process that must be used in the event of breach
- Learn about being prepared for enforcement and auditing
- Learn how to approach compliance
- Q&A session
3. HIPAA Privacy and Security Rules
- Privacy Rule
  - 45 CFR 164.5xx, enforceable since 2003
  - Establishes Rights of Individuals
  - Controls on Uses and Disclosures
  - Access of PHI is a hot button issue for HHS
  - New changes proposed in December 2020
- Security Rule
  - 45 CFR 164.3xx, enforceable since 2005
  - Applies to all electronic PHI
  - Flexible, customizable approach to health information security
  - Uses Risk Analysis to identify and plan the mitigation of security risks
4. HIPAA Breach Notification Rule
- Breach Notification Rule
  - 45 CFR 164.4xx, enforceable since February 2010
  - Requires reporting of all PHI breaches to HHS and individuals
  - Extensive/expensive obligations
  - Provides examples of what not to do on the HHS "Wall of Shame": https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- Combined Rules as of March 2013 published by HHS OCR: http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/index.html
- 2013 Omnibus Update Rule, with Preamble, available at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
- 2020 Proposed changes for the Privacy Rule: https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html
5. How do patients want to use e-mail and texting in health care?
- Manage Appointments
  - Make/Change Appointments
  - Keep Appointment Calendar
- Receive Test Results
  - By Message
  - By Secure Portal
- Ask Health Care Questions
  - By phone, text message, e-mail, portal
- Provide Health Care Information
  - By phone, message, portal, or App
- Query Medical Records
- Receive Detailed Records
6. How do providers want to use e-mail and texting in health care?
- Accessing/Receiving results and patient information
- Interacting with the Hospital
  - Multitude of activities, schedules, requests, meetings
- Keeping appointment calendar
- Dictation
  - By phone and App
- Personal Uses
7. So, what are we allowed to do?
- Do what the patient (or their representative) wants
- Meet HIPAA Requirements
  - Accommodate what you reasonably can
- Meet the Patient's Needs
  - Communication with the office for Prescription Renewals, Scheduling, etc.
  - Discussion of particular health issues
  - Access of Medical Records, test results
- Do what you can handle properly
  - For Patient Care
  - For Medical Records
8. Many Prefer E-mail to Telephone
- Scheduling
- Reporting of status
- Inquiries about issues, treatments
- Requesting copies of records
- Communication of test results
- Can be more accurate than the phone
- Provides a documented record of communication
9. Three Issues with Plain SMS Texting
- It's a Privacy thing: Patients may not appreciate the risks of loss of privacy
  - HIPAA requires you to do your best to meet patient preferences for communication method
  - Use Risk Analysis to evaluate and explain risks
  - It's a new technology and people will not understand it fully for quite some time
- It's a Medical Records thing: Documentation is key to health care
  - Regular texting doesn't provide a paper trail of conversations and contacts
  - If it's part of patient care, it must be documented properly
  - Secure, traceable texting is essential when medical record information is texted
- It's a patient safety thing: Triage of incoming messages is essential
  - Regular texting doesn't automatically route to the most appropriate individual
  - Texts may arrive at all hours, 24/7, and may include a variety of information and situations, including emergencies
  - Texting with patients must be managed to protect patients and provide appropriate service
10. Preventing E-mail and Texting Issues
- Educate the staff as to the risks and what MUST NOT be sent via plain e-mail or text message
- Establish secure, private e-mail and text messaging for professional information that includes PHI
- Define policies for use of e-mail and texting
  - Require Risk Analysis for any uses of any e-mail or texting involving PHI
  - Include a process for approving and monitoring uses
  - Include standards for allowable interactions via regular e-mail and texting
  - Identify secure services to be used where secure e-mail and texting would be appropriate
11. So, how do we handle texting with Patients?
- One of several options:
  - Insecure plain old texting with limited/no PHI: must be limited to simple reminders without identifying details or provider information; may be sent by a 3rd party
  - Plain texting by preference of the individual ("Would you prefer to, despite the risks?"): more flexibility, but still should communicate the minimum necessary for the purpose
  - Using an informal but secure process: secure, but may have limited ability to interact and document
  - Using a secure communications platform that includes a secure texting App and a process for patient engagement
12. Is it important to manage Individual Access of records properly?
- Yes, it is one of only two circumstances when PHI must be released, per Privacy Rule 164.502(a)
- Yes, based on 43 enforcement actions since September 2019
  - http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cignet-health/index.html
- Yes, in the 2012 HIPAA Audits, 3 of the top 5 Privacy issues were individual access related
  - #1: Review process for denials of individual access to records
  - #2: Failure to provide appropriate individual access to records
  - #5: Disclosures to personal representatives
- Yes, it was one of the few areas focused on in the 2016 Audits
13. Individual Access of PHI
- Must have a process for individuals to request access for free, with copies for a reasonable cost-based fee
- Must have a process for managing denials of access
- Must provide the entire record in the Designated Record Set if requested
  - Medical and Billing records used in whole or in part to make decisions related to health care
  - Exceptions for Psychotherapy notes, information for civil, criminal, or administrative proceedings, if harm may result, and other specific exceptions
- Information kept electronically must be available in electronic format if requested
- Lab results may be accessed by the individual
- Access of PHI by individuals is a HOT BUTTON issue for HHS
- Proposed Rule cuts the response time to just 15 days!
14. Telemedicine and HIPAA
- Using HIPAA-compliant, fully encrypted services under a HIPAA Business Associate Agreement is fully compliant for telemedicine use
  - Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, and Google G Suite Hangouts Meet
- Can follow the usual processes for Risk Analysis and secure implementation, including a HIPAA BAA
- HIPAA has allowances for emergencies and life-threatening situations
- Patients and providers LOVE Telemedicine! It will be with us after the emergency
15. Telemedicine, HIPAA and COVID-19
- HHS has issued an enforcement advisory on telemedicine during the COVID-19 emergency: relaxed enforcement for using services that are non-public facing but may not meet HIPAA requirements (such as providing a BAA)
  - Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype
- BUT: Do NOT use public-facing services that are not private
  - Facebook Live, Twitch, TikTok, and similar
- And: Once the emergency is over, you will need to use HIPAA-compliant services, under a Business Associate Agreement, according to a HIPAA Security Risk Analysis
- See https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
16. What is a HIPAA Breach?
- 164.402: A Breach is any acquisition, access, use, or disclosure in violation of the Privacy Rule, except if:
  - Unintentional internal use, in good faith, with no further use
  - Inadvertent internal use, within job scope
  - Information cannot be retained (returned intact, unopened, unviewed)
- Not Reportable if:
  - Secured (encrypted) per HHS guidance, or destroyed
- Otherwise Reportable, unless there is a low probability of compromise based on a risk assessment examining at least:
  - what the information was, how well identified it was, and whether its release is adverse to the individual
  - to whom it was disclosed
  - whether it was actually acquired or viewed
  - the extent of mitigation
17. What is a HIPAA Audit?
- HITECH 13411 requires HHS to conduct periodic audits
- Be able to show you have in place the policies and procedures required by the HIPAA Privacy, Security, and Breach Notification Rules
  - AND! Show you have been using them
- 2 week notice! You must be prepared in advance or it's too late!
- Round 1 conducted in 2012
- For Round 2 in 2016-2017:
  - Desk Audits of 166 Covered Entities and 41 HIPAA Business Associates completed
  - Patient Access of information was one of the few areas examined
- Future Audits have been cancelled but may be resumed
- http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
18. Where do we start?
- Find out what people are doing already
- Consider professional communications and patient communications separately
- Document your processes for proper methods of communications with both patients and professionals
- Secure all professional communications with any PHI
- Offer secure patient communications
- Develop and document the process for adopting and using insecure communications (plain e-mail or texting) if patients desire
- Have a clear process for discussion of risks and indication of patient desires, with documentation
19. Your to-do list
- Don't be in denial: willful neglect costs more than compliance
- Accommodate individual rights
- Review and update your policies and procedures per the rules
- Establish your processes for Risk Analysis and Documentation
- Document your communications policies and procedures
- Update your Notice of Privacy Practices as necessary
- Train staff in new policies and procedures
- Document, document, document!
- Conduct drills in audit and breach response
- Make corrections based on results
- Always have a plan for moving forward, and follow it!
20. Thank you!
- Any Questions?
- For additional information, please contact:
  - Jim Sheldon-Dean
  - Lewis Creek Systems, LLC
  - 5675 Spear Street, Charlotte, VT 05445
  - jim_at_lewiscreeksystems.com
  - www.lewiscreeksystems.com